The HTTP client mixin provides a #send_request_cgi method which
forcibly disconnects the client after receiving a response. This
terminates certain types of resulting sessions which depend on the
connection from the client to maintain a subprocess housing the
shell invocation.
Provide a disconnect boolean option to #send_request_cgi which
is checked in the disconnect(c) call after receiving the response.
Testing:
Locally tested on in-house exploit module written for disclosure
report.
TODO:
Discuss possibility of implementing fully asynchronous methods
like #send_request_cgi_async which won't bother getting a response
for cases such as the module mentioned above which is a command
injection via unfiltered POST var.
ftp.rb was doing a shutdown without a close on data
(not command) sockets. This can cause CLOSE_WAIT
for extended periods in certain circumstances, ending
only when msf itself is closed.
This change allows for redirects to be followed in wordpress_helper_get_plugin_upload_nonce
Redirect is from:
/wp-admin/plugin-install.php
to
/wp-admin/network/plugin-install.php
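Added example (not the Metasploit helper itself): a GET that follows redirects such as the one above, resolving a relative Location against the current URL, capping the number of hops, and refusing to leave the origin host. The Response struct, the callable requester and the constructed fake site (host blog.test, the nonce value) are assumptions for illustration.

```ruby
require 'uri'

# Constructed response shape for the example; real clients return their own objects.
Response = Struct.new(:code, :headers, :body)

REDIRECT_CODES = [301, 302, 303, 307, 308].freeze

# get: a callable taking an absolute URL string and returning a Response.
# Returns [final_url, response].  Raises when the chain exceeds max_hops
# or when a redirect would leave the origin host, since following an
# off-host Location would carry the request (and any credentials in it)
# somewhere the operator did not point the module at.
def fetch_following_redirects(get, url, max_hops: 5, same_host: true)
  current = URI.parse(url)
  origin = current.host
  hops = 0
  loop do
    res = get.call(current.to_s)
    return [current.to_s, res] unless REDIRECT_CODES.include?(res.code)
    location = res.headers['Location']
    raise "redirect without Location from #{current}" unless location
    hops += 1
    raise "too many redirects (#{hops}) from #{url}" if hops > max_hops
    nxt = URI.join(current, location)   # relative Location resolved here
    if same_host && nxt.host != origin
      raise "refusing redirect off-host: #{current.host} -> #{nxt.host}"
    end
    current = nxt
  end
end

# Constructed fake site reproducing the redirect described above, plus a
# redirect loop and an off-host redirect to exercise the guards.
FAKE_SITE = {
  'http://blog.test/wp-admin/plugin-install.php' =>
    Response.new(302, { 'Location' => '/wp-admin/network/plugin-install.php' }, ''),
  'http://blog.test/wp-admin/network/plugin-install.php' =>
    Response.new(200, {}, '<input id="_wpnonce" value="constructed-nonce">'),
  'http://blog.test/loop' => Response.new(302, { 'Location' => '/loop' }, ''),
  'http://blog.test/away' => Response.new(302, { 'Location' => 'http://other.test/' }, '')
}.freeze

FAKE_GET = ->(url) { FAKE_SITE.fetch(url) { Response.new(404, {}, '') } }

if __FILE__ == $PROGRAM_NAME
  final, res = fetch_following_redirects(FAKE_GET, 'http://blog.test/wp-admin/plugin-install.php')
  puts "#{final} -> #{res.code}"
end
```

The hop cap and same-host check are the two guards a helper like this needs before it is safe to call with attacker-influenced targets; a redirect loop or a hostile Location header otherwise turns a nonce fetch into an unbounded or misdirected request.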
Internally wrapped lines of powershell built by :cmd_psh_payload
in the Rex namespace require being able to place wrapping quotes
in different logical places for :generate_psh_command_line and
:run_hidden_psh methods. Using single quotes in the Arguments
parameter of the hidden PSH runner and double quotes after the
-Command flag allows us to wrap the outer command in
double quotes, while properly escaping and wrapping the arguments
parameter for PSH execution in single quotes.
This isn't ideal, in a perfect world we'd be escaping all nested
quotes and escape chars of any type valid for PSH. However, that
would require more manual testing than anyone has time for (now).
Implement removal of comspec and use of the noninteractive option
in powershell payloads.
This is the Msf side of #6 for rex-powershell.
Testing:
In-house testing on 2016 standard edition and win10, 201707 revs.
To round out implementation of a simple path for users to access
HttpClient like Open or Net::HTTP, create :request_url method which
takes a single URL parameter, uses :request_opts_from_url to build
the request configuration for Rex::Proto::Http::Client, executes
a GET request with it, and disconnects the client unless keepalive
is specified as the second parameter to :request_url.
Example usage of functionality is implemented in http_pdf_authors.
To address the complexity which comes with the flexibility offered
by Rex::Proto::Http::Client and its Msf mixin descendant, a simple
process needs to be implemented for issuing a request using only
the URL string in order to provide ease of access to users who may
not have the time to study how these clients work in detail.
Implement :request_opts_from_url in Msf's HttpClient mixin such as
to extract the options required for :send_request_* from a URL
string passed into the method. This approach reduces HTTP requests
in the mixin to `send_request_raw(request_opts_from_url(url))` when
`url` is just a string.
Implement this approach in the http_pdf_authors gather module to
further reduce infrastructure complexity around the simple need to
acquire PDF files via HTTP/S.
Testing:
Local to this module only, and in Pry of course. Seems to work...
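Added example, not Metasploit's own code, illustrating the approach described in the two messages above: derive the option hash a send_request_* style call needs from a plain URL string, and a one-call request_url that disconnects unless keepalive is requested. The option keys (host, port, ssl, vhost, uri, query, method) and the RecordingClient stand-in are assumptions modelled on the description, not Rex's real API.

```ruby
require 'uri'

module UrlRequestOpts
  DEFAULT_PORTS = { 'http' => 80, 'https' => 443 }.freeze

  # Parse +url+ and return the request options.  Anything that is not an
  # absolute http(s) URL raises, so a bad datastore value fails early
  # instead of quietly producing a request to the wrong host or port.
  def self.request_opts_from_url(url, method: 'GET')
    uri = URI.parse(url.to_s)
    unless uri.is_a?(URI::HTTP) && uri.host
      raise ArgumentError, "not an absolute http(s) URL: #{url.inspect}"
    end
    {
      'host'   => uri.host,
      'port'   => uri.port || DEFAULT_PORTS[uri.scheme],
      'ssl'    => uri.scheme == 'https',
      'vhost'  => uri.host,
      'uri'    => uri.path.empty? ? '/' : uri.path,
      'query'  => uri.query,        # nil when the URL carries no query string
      'method' => method
    }
  end

  # Stand-in client for the example: records what it was asked to do.
  # A real integration would call send_request_raw on Rex's client.
  class RecordingClient
    attr_reader :requests, :connected
    def initialize
      @requests = []
      @connected = true
    end

    def send_request_raw(opts)
      @requests << opts
      'HTTP/1.1 200 OK'
    end

    def disconnect
      @connected = false
    end
  end

  # One-call GET by URL; the connection is dropped unless keepalive is set.
  def self.request_url(client, url, keepalive = false)
    opts = request_opts_from_url(url)
    res = client.send_request_raw(opts)
    client.disconnect unless keepalive
    res
  end
end

if __FILE__ == $PROGRAM_NAME
  p UrlRequestOpts.request_opts_from_url('https://example.com/docs/report.pdf?dl=1')
end
```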
Allow retrieval of '*' from stored static entries for spoofing
all domains to any IP using wildcard names. Replace the wildcard
response with the name submitted to the search in the response.
Fix improper checks in DNS::Packet for Resolv objects from decode
to encode.
Misc cleanup for records not responding to :address, convenience
methods, and packet structure.
Advanced options are now camel cased
Use :blank? on datastore options instead of serial checks for :nil?
and :empty?
Rex::Proto::DNS::Server :on_client_data updated to ask the tcp_sock
to close this client if it exists in the rescue clause.
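Added example, not the Rex DNS server's code, showing how the wildcard static entries described above can be resolved: a static host table that accepts '*' and '*.parent' names, validates names and addresses on entry, prefers the most specific match, and puts the queried name rather than the wildcard pattern into the answer. The StaticHosts class, its record hash and the hostname regex are assumptions for illustration.

```ruby
require 'ipaddr'

class StaticHosts
  LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?'
  # Bare '*', an optional leading '*.' wildcard label, then ordinary labels.
  HOSTNAME_RE = /\A(?:\*|(?:\*\.)?(?:#{LABEL}\.)*#{LABEL})\z/i

  def initialize
    @entries = {}   # normalised name => IPAddr
  end

  # Register name => address.  Both are validated so a typo in the
  # datastore cannot silently become an unanswerable or malformed record.
  def add(name, address)
    n = normalise(name)
    raise ArgumentError, "bad hostname #{name.inspect}" unless n.match?(HOSTNAME_RE)
    @entries[n] = IPAddr.new(address)   # raises on a malformed address
    self
  end

  # Most specific match wins: exact name, then the nearest parent
  # wildcard, then the bare '*' catch-all.  nil when nothing matches.
  def lookup(qname)
    n = normalise(qname)
    return @entries[n] if @entries.key?(n)
    labels = n.split('.')
    (1...labels.size).each do |i|
      wild = '*.' + labels[i..].join('.')
      return @entries[wild] if @entries.key?(wild)
    end
    @entries['*']
  end

  # The answer the server would build: the queried name, not the pattern.
  def resolve(qname)
    addr = lookup(qname)
    return nil unless addr
    { name: normalise(qname), type: addr.ipv4? ? 'A' : 'AAAA', address: addr.to_s }
  end

  private

  def normalise(name)
    name.to_s.downcase.chomp('.')
  end
end

if __FILE__ == $PROGRAM_NAME
  h = StaticHosts.new.add('*', '10.0.0.1').add('*.corp.example.com', '10.0.0.2')
  p h.resolve('mail.corp.example.com')
end
```

Precedence matters here: once a bare '*' entry exists every name resolves, so an exact or parent-wildcard entry must be checked first or it can never be reached.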
Create Rex::Proto::DNS::Packet and Packet::Raw to allow common
parsing, validation, and raw data operations across both Rex and
Msf namespaces.
The modules contain class methods and do not need to be mixed in
to use their functionality; Packet.method is enough, and reduces GC
strain since new objects are not constantly being instantiated, and
these modules contain no internal state.
Clean up UDP socket leak from Rex::Proto::DNS::Server under certain
conditions.
Create Msf::Exploit::DNS::Common mixin to provide descendants with
access to Packet and the hostname Regex.
-----
Testing:
Tested running the RC provided in the pull request
Manual testing in IRB/Pry while porting PoC for CVE-2015-7547
Rex::IO::StreamServer provides consistent methods and accessors
for TcpServer type consumers, but includes logic for client actions
which are not relevant in a datagram context - connect and
disconnect actions, as well as any notion of stateful session
persistence (the clients queue) do not apply in this paradigm.
Implement a Rex::IO::GramServer mixin which provides common methods
for dispatching requests and sending responses. Defines the same
callback structure for procs as used in the StreamServer, though
utilizing dispatch_request_proc and send_response_proc with client
and data parameters for efficient interception of execution flow
when dealing with stateless comms.
Rewire Rex::Proto::DNS server to use instance variables along the
same convention as other modules, implement the GramServer mixin,
and minor misc cleanup.
-----
Change calling conventions in Rex::Proto::DNS::Server to match
other components.
Clean up the Msf::Exploit::DNS namespace with generic server
interfaces.
Fix the advanced options naming convention - as hdm pointed out,
evasion options use the '::' separator, advanced options use "_".
-----
Testing:
Basic functional tests in Pry for now.
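Added example, not Rex's GramServer, of the datagram-server shape the message above describes: a mixin offering dispatch_request_proc and send_response_proc callbacks that take (client, data), with no connect/disconnect or client queue, exercised by a small UDP echo server on the loopback. The module and class names, the client hash and the roundtrip helper are assumptions for illustration.

```ruby
require 'socket'

module GramServerExample
  attr_accessor :dispatch_request_proc, :send_response_proc

  # Stateless: the "client" is just the peer address of this datagram.
  def on_datagram(sock, data, addrinfo)
    client = { host: addrinfo[3], port: addrinfo[1] }
    response = dispatch_request_proc ? dispatch_request_proc.call(client, data) : nil
    send_response(sock, client, response) if response
  end

  # send_response_proc lets a consumer intercept (or suppress) the reply.
  def send_response(sock, client, data)
    if send_response_proc
      send_response_proc.call(client, data)
    else
      sock.send(data, 0, client[:host], client[:port])
    end
  end
end

class EchoUpcaseServer
  include GramServerExample
  attr_reader :port

  def initialize(host = '127.0.0.1')
    @sock = UDPSocket.new
    @sock.bind(host, 0)           # port 0: let the OS pick a free port
    @port = @sock.addr[1]
    @dispatch_request_proc = ->(_client, data) { data.upcase }
  end

  def start
    @thread = Thread.new do
      loop do
        data, addrinfo = @sock.recvfrom(65_535)
        on_datagram(@sock, data, addrinfo)
      end
    end
    self
  end

  def stop
    @thread&.kill
    @sock.close                   # close, not just shutdown, so no fd leaks
  end
end

# Send one datagram and wait up to +timeout+ seconds for a reply (nil if none).
def roundtrip(server, message, timeout = 2)
  c = UDPSocket.new
  c.send(message, 0, '127.0.0.1', server.port)
  reply = IO.select([c], nil, nil, timeout) ? c.recvfrom(65_535)[0] : nil
  c.close
  reply
end

if __FILE__ == $PROGRAM_NAME
  srv = EchoUpcaseServer.new.start
  puts roundtrip(srv, 'hello')
  srv.stop
end
```

Because nothing is tracked between datagrams, a consumer that needs request/response correlation (a DNS transaction id, say) carries it inside the data it hands to dispatch_request_proc rather than relying on any per-client state in the server.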
Exploit::Remote::TcpServer contains functionality required by the
hybrid Udp/Tcp Exploit::Remote::DNS::Server. In order to avoid
having to maintain a set of compatible methods across the transport
implementations, create a new mixin "above" the TcpServer to handle
common socket operations - Exploit::Remote::SocketServer.
Copy Exploit::Remote::TcpServer to Exploit::Remote::SocketServer.
Remove common code from Exploit::Remote::TcpServer, remove TCP/SSL
specific code from Exploit::Remote::SocketServer. Require and
include Exploit::Remote::SocketServer in Exploit::Remote::TcpServer
Testing:
Basic testing using the telnet capture server which utilizes the
modified Exploit::Remote::TcpServer mixin:
```
use auxiliary/server/capture/telnet
(2016-02-28)15:23 (S:0 J:0)msf auxiliary(telnet) > exploit
[*] Auxiliary module execution completed
(2016-02-28)15:23 (S:0 J:1)msf auxiliary(telnet) >
[*] [2016.02.28-15:23:39] Listening on 0.0.0.0:23...
[*] [2016.02.28-15:23:39] Server started.
[*] [2016.02.28-15:23:48] TELNET LOGIN 127.0.0.1:60408 jack / jill
Interrupt: use the 'exit' command to quit
```
The add_static_hosts method used old interfaces and had not been
tested prior.
Address the interfaces, functionally check the logic, and add the
method into start_service to automatically process the static
hosts entries set in the DS.