sempervictus
diff --git a/‎Gemfile.lock
Lines changed: 4 additions & 4 deletions b/‎Gemfile.lock
Lines changed: 4 additions & 4 deletions
diff --git a/‎db/schema.rb
Lines changed: 4 additions & 1 deletion b/‎db/schema.rb
Lines changed: 4 additions & 1 deletion
diff --git a/‎lib/metasploit/framework/credential.rb
Lines changed: 3 additions & 1 deletion b/‎lib/metasploit/framework/credential.rb
Lines changed: 3 additions & 1 deletion
diff --git a/‎lib/msf/core/auxiliary/auth_brute.rb
Lines changed: 0 additions & 1 deletion b/‎lib/msf/core/auxiliary/auth_brute.rb
Lines changed: 0 additions & 1 deletion
diff --git a/‎lib/msf/core/auxiliary/report.rb
Lines changed: 13 additions & 4 deletions b/‎lib/msf/core/auxiliary/report.rb
Lines changed: 13 additions & 4 deletions
diff --git a/‎lib/msf/core/db_manager/import.rb
Lines changed: 2 additions & 0 deletions b/‎lib/msf/core/db_manager/import.rb
Lines changed: 2 additions & 0 deletions
diff --git a/‎lib/msf/core/payload_generator.rb
Lines changed: 46 additions & 17 deletions b/‎lib/msf/core/payload_generator.rb
Lines changed: 46 additions & 17 deletions
diff --git a/‎lib/msf/ui/console/command_dispatcher/db.rb
Lines changed: 2 additions & 2 deletions b/‎lib/msf/ui/console/command_dispatcher/db.rb
Lines changed: 2 additions & 2 deletions
diff --git a/‎lib/msf/util/exe.rb
Lines changed: 12 additions & 10 deletions b/‎lib/msf/util/exe.rb
Lines changed: 12 additions & 10 deletions
diff --git a/‎lib/rex/payloads/meterpreter/config.rb
Lines changed: 5 additions & 5 deletions b/‎lib/rex/payloads/meterpreter/config.rb
Lines changed: 5 additions & 5 deletions
@@ -124,7 +124,7 @@ GEM
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
     metasploit-payloads (0.0.7)
-    metasploit_data_models (1.0.1)
+    metasploit_data_models (1.1.0)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       arel-helpers
@@ -146,7 +146,7 @@ GEM
       mini_portile (~> 0.6.0)
     packetfu (1.1.9)
     pcaprub (0.12.0)
-    pg (0.18.1)
+    pg (0.18.2)
     pg_array_parser (0.0.9)
     postgres_ext (2.4.1)
       activerecord (>= 4.0.0)
@@ -156,7 +156,7 @@ GEM
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
       slop (~> 3.4)
-    rack (1.5.2)
+    rack (1.5.3)
     rack-test (0.6.3)
       rack (>= 1.0)
     rails (4.0.13)
@@ -222,7 +222,7 @@ GEM
     thread_safe (0.3.5)
     tilt (1.4.1)
     timecop (0.7.3)
-    tzinfo (0.3.43)
+    tzinfo (0.3.44)
     xpath (2.0.0)
       nokogiri (~> 1.3)
     yard (0.8.7.6)
 
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20150421211719) do
+ActiveRecord::Schema.define(version: 20150514182921) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -684,9 +684,12 @@
     t.datetime "exploited_at"
     t.integer  "vuln_detail_count",                default: 0
     t.integer  "vuln_attempt_count",               default: 0
+    t.integer  "origin_id"
+    t.string   "origin_type"
   end
 
   add_index "vulns", ["name"], name: "index_vulns_on_name", using: :btree
+  add_index "vulns", ["origin_id"], name: "index_vulns_on_origin_id", using: :btree
 
   create_table "vulns_refs", force: true do |t|
     t.integer "ref_id"
 
@@ -75,8 +75,10 @@ def inspect
       def to_s
         if realm && realm_key == Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
           "#{self.realm}\\#{self.public}:#{self.private}"
-        else
+        elsif self.private
           "#{self.public}:#{self.private}#{at_realm}"
+        else
+          self.public
         end
       end
 
 
@@ -566,7 +566,6 @@ def print_brute(opts={})
     else
       level = opts[:level].to_s.strip
     end
-
     host_ip = opts[:ip] || opts[:rhost] || opts[:host] || (rhost rescue nil) || datastore['RHOST']
     host_port = opts[:port] || opts[:rport] || (rport rescue nil) || datastore['RPORT']
     msg = opts[:msg] || opts[:message] || opts[:legacy_msg]
 
@@ -12,34 +12,43 @@ module Auxiliary::Report
 
   optionally_include_metasploit_credential_creation
 
+  def db_warning_given?
+    if @warning_issued
+      true
+    else
+      @warning_issued = true
+      false
+    end
+  end
+
   def create_cracked_credential(opts={})
     if active_db?
       super(opts)
-    else
+    elsif !db_warning_given?
       vprint_warning('No active DB -- Credential data will not be saved!')
     end
   end
 
   def create_credential(opts={})
     if active_db?
       super(opts)
-    else
+    elsif !db_warning_given?
       vprint_warning('No active DB -- Credential data will not be saved!')
     end
   end
 
   def create_credential_login(opts={})
     if active_db?
       super(opts)
-    else
+    elsif !db_warning_given?
       vprint_warning('No active DB -- Credential data will not be saved!')
     end
   end
 
   def invalidate_login(opts={})
     if active_db?
       super(opts)
-    else
+    elsif !db_warning_given?
       vprint_warning('No active DB -- Credential data will not be saved!')
     end
   end
 
@@ -129,6 +129,8 @@ def import_file(args={}, &block)
       end
     end
 
+    # Override REXML's expansion text limit to 50k (default: 10240 bytes)
+    REXML::Security.entity_expansion_text_limit = 51200
 
     if block
       import(args.merge(:data => data)) { |type,data| yield type,data }
 
@@ -61,9 +61,15 @@ class PayloadGenerator
     # @!attribute  platform
     #   @return [String] The platform to build the payload for
     attr_accessor :platform
+    # @!attribute  smallest
+    #   @return [Boolean] Whether or not to find the smallest possible output
+    attr_accessor :smallest
     # @!attribute  space
     #   @return [Fixnum] The maximum size in bytes of the payload
     attr_accessor :space
+    # @!attribute  encoder_space
+    #   @return [Fixnum] The maximum size in bytes of the encoded payload
+    attr_accessor :encoder_space
     # @!attribute  stdin
     #   @return [String] The raw bytes of a payload taken from STDIN
     attr_accessor :stdin
@@ -85,12 +91,14 @@ class PayloadGenerator
     # @option opts [String] :badchars (see #badchars)
     # @option opts [String] :template (see #template)
     # @option opts [Fixnum] :space (see #space)
+    # @option opts [Fixnum] :encoder_space (see #encoder_space)
     # @option opts [Fixnum] :nops (see #nops)
     # @option opts [String] :add_code (see #add_code)
     # @option opts [Boolean] :keep (see #keep)
     # @option opts [Hash] :datastore (see #datastore)
     # @option opts [Msf::Framework] :framework (see #framework)
     # @option opts [Boolean] :cli (see #cli)
+    # @option opts [Boolean] :smallest (see #smallest)
     # @raise [KeyError] if framework is not provided in the options hash
     def initialize(opts={})
       @add_code   = opts.fetch(:add_code, '')
@@ -109,11 +117,20 @@ def initialize(opts={})
       @stdin      = opts.fetch(:stdin, nil)
       @template   = opts.fetch(:template, '')
       @var_name   = opts.fetch(:var_name, 'buf')
+      @smallest   = opts.fetch(:smallest, false)
+      @encoder_space = opts.fetch(:encoder_space, @space)
 
       @framework  = opts.fetch(:framework)
 
       raise ArgumentError, "Invalid Payload Selected" unless payload_is_valid?
       raise ArgumentError, "Invalid Format Selected" unless format_is_valid?
+
+      # In smallest mode, override the payload @space & @encoder_space settings
+      if @smallest
+        @space = 0
+        @encoder_space = 1.gigabyte
+      end
+
     end
 
     # This method takes the shellcode generated so far and adds shellcode from
@@ -194,24 +211,36 @@ def encode_payload(shellcode)
       encoder_list = get_encoders
       if encoder_list.empty?
         cli_print "No encoder or badchars specified, outputting raw payload"
-        shellcode
-      else
-        cli_print "Found #{encoder_list.count} compatible encoders"
-        encoder_list.each do |encoder_mod|
-          cli_print "Attempting to encode payload with #{iterations} iterations of #{encoder_mod.refname}"
-          begin
-            encoder_mod.available_space = @space
-            return run_encoder(encoder_mod, shellcode.dup)
-          rescue ::Msf::EncoderSpaceViolation => e
-            cli_print "#{encoder_mod.refname} failed with #{e.message}"
-            next
-          rescue ::Msf::EncodingError => e
-            cli_print "#{encoder_mod.refname} failed with #{e.message}"
-            next
-          end
+        return shellcode
+      end
+
+      results = {}
+
+      cli_print "Found #{encoder_list.count} compatible encoders"
+      encoder_list.each do |encoder_mod|
+        cli_print "Attempting to encode payload with #{iterations} iterations of #{encoder_mod.refname}"
+        begin
+          encoder_mod.available_space = @encoder_space unless @smallest
+          results[encoder_mod.refname] = run_encoder(encoder_mod, shellcode.dup)
+          break unless @smallest
+        rescue ::Msf::EncoderSpaceViolation => e
+          cli_print "#{encoder_mod.refname} failed with #{e.message}"
+          next
+        rescue ::Msf::EncodingError => e
+          cli_print "#{encoder_mod.refname} failed with #{e.message}"
+          next
         end
+      end
+
+      if results.keys.length == 0
         raise ::Msf::EncodingError, "No Encoder Succeeded"
       end
+
+      # Return the shortest encoding of the payload
+      chosen_encoder = results.keys.sort{|a,b| results[a].length <=> results[b].length}.first
+      cli_print "#{chosen_encoder} chosen with final size #{results[chosen_encoder].length}"
+
+      results[chosen_encoder]
     end
 
     # This returns a hash for the exe format generation of payloads
@@ -346,7 +375,7 @@ def get_encoders
           e.datastore.import_options_from_hash(datastore)
           encoders << e if e
         end
-        encoders.sort_by { |my_encoder| my_encoder.rank }.reverse
+        encoders.select{ |my_encoder| my_encoder.rank != ManualRanking }.sort_by { |my_encoder| my_encoder.rank }.reverse
       else
         encoders
       end
@@ -395,7 +424,7 @@ def run_encoder(encoder_module, shellcode)
       iterations.times do |x|
         shellcode = encoder_module.encode(shellcode.dup, badchars, nil, platform_list)
         cli_print "#{encoder_module.refname} succeeded with size #{shellcode.length} (iteration=#{x})"
-        if shellcode.length > space
+        if shellcode.length > encoder_space
           raise EncoderSpaceViolation, "encoder has made a buffer that is too big"
         end
       end
 
@@ -1270,8 +1270,8 @@ def cmd_notes(*args)
       end
     end
     if search_term
-      note_list.delete_if do |n|
-        !n.attribute_names.any? { |a| n[a.intern].to_s.match(search_term) }
+      note_list = note_list.select do |n|
+        n.attribute_names.any? { |a| n[a.intern].to_s.match(search_term) }
       end
     end
 
 
@@ -525,9 +525,6 @@ def self.to_win64pe(framework, code, opts = {})
       return injector.generate_pe
     end
 
-    #opts[:exe_type] = :exe_sub
-    #return exe_sub_method(code,opts)
-
     # Append a new section instead
     appender = Msf::Exe::SegmentAppender.new({
       :payload  => code,
@@ -549,9 +546,9 @@ def self.to_win64pe(framework, code, opts = {})
   #
   # @return [String] Windows Service PE file
   def self.to_win32pe_service(framework, code, opts = {})
+    set_template_default(opts, "template_x86_windows_svc.exe")
     if opts[:sub_method]
       # Allow the user to specify their own service EXE template
-      set_template_default(opts, "template_x86_windows_svc.exe")
       opts[:exe_type] = :service_exe
       return exe_sub_method(code,opts)
     else
@@ -591,26 +588,31 @@ def self.to_win32pe_service(framework, code, opts = {})
         "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
         "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" +
         "\x26\x07\xFF\xD5#{pushed_service_name}\x89\xE1" +
-        "\x8D\x85#{[svcmain_code_offset].pack('<I')}\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
+        "\x8D\x85#{[svcmain_code_offset].pack('I<')}\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
         "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" +
         "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED" +
-        "#{[hash_code_offset].pack('<I') + pushed_service_name}\x89\xE1\x8D" +
-        "\x85#{[svcctrlhandler_code_offset].pack('<I')}\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
+        "#{[hash_code_offset].pack('I<') + pushed_service_name}\x89\xE1\x8D" +
+        "\x85#{[svcctrlhandler_code_offset].pack('I<')}\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
         "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
         "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5\x31\xFF\x6A" +
         "\x04\x68\x00\x10\x00\x00\x6A\x54\x57\x68\x58\xA4\x53\xE5\xFF\xD5" +
         "\xC7\x00\x44\x00\x00\x00\x8D\x70\x44\x57\x68\x2E\x65\x78\x65\x68" +
         "\x6C\x6C\x33\x32\x68\x72\x75\x6E\x64\x89\xE1\x56\x50\x57\x57\x6A" +
         "\x44\x57\x57\x57\x51\x57\x68\x79\xCC\x3F\x86\xFF\xD5\x8B\x0E\x6A" +
-        "\x40\x68\x00\x10\x00\x00\x68#{[code.length].pack('<I')}\x57\x51\x68\xAE\x87" +
+        "\x40\x68\x00\x10\x00\x00\x68#{[code.length].pack('I<')}\x57\x51\x68\xAE\x87" +
         "\x92\x3F\xFF\xD5\xE8\x00\x00\x00\x00\x5A\x89\xC7\x8B\x0E\x81\xC2" +
-        "#{[shellcode_code_offset].pack('<I')}\x54\x68#{[code.length].pack('<I')}" +
+        "#{[shellcode_code_offset].pack('I<')}\x54\x68#{[code.length].pack('I<')}" +
         "\x52\x50\x51\x68\xC5\xD8\xBD\xE7\xFF" +
         "\xD5\x31\xC0\x8B\x0E\x50\x50\x50\x57\x50\x50\x51\x68\xC6\xAC\x9A" +
         "\x79\xFF\xD5\x8B\x0E\x51\x68\xC6\x96\x87\x52\xFF\xD5\x8B\x4E\x04" +
         "\x51\x68\xC6\x96\x87\x52\xFF\xD5#{code_service_stopped}"
 
-      to_winpe_only(framework, code_service + code, opts)
+      # Append a new section to the template
+      Msf::Exe::SegmentAppender.new({
+        :payload  => code_service + code,
+        :template => opts[:template],
+        :arch     => :x86
+      }).generate_pe
     end
   end
 
 
@@ -39,7 +39,7 @@ def to_str(item, size)
   end
 
   def to_wchar_t(item, size)
-    to_ascii(item, size).unpack("C*").pack("v*")
+    to_ascii(item, size).unpack('C*').pack('v*')
   end
 
   def to_ascii(item, size)
@@ -57,7 +57,7 @@ def session_block(opts)
       uuid                # the UUID
     ]
 
-    session_data.pack("VVVA*")
+    session_data.pack('VVVA*')
   end
 
   def transport_block(opts)
@@ -117,7 +117,7 @@ def extension_block(ext_name, file_extension)
     ext, o = load_rdi_dll(MetasploitPayloads.meterpreter_path("ext_server_#{ext_name}",
                                                               file_extension))
 
-    extension_data = [ ext.length, ext ].pack("VA*")
+    extension_data = [ ext.length, ext ].pack('VA*')
   end
 
   def config_block
@@ -143,9 +143,9 @@ def config_block
 
     # terminate the extensions with a 0 size
     if is_x86?
-      config << [0].pack("V")
+      config << [0].pack('V')
     else
-      config << [0].pack("Q")
+      config << [0].pack('Q<')
     end
 
     # and we're done