Merge branch 'upstream' into staging/rails-4.0

Conflicts:
	Gemfile.lock

Author: darkbushido

Gemfile.lock

@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (= 1.0.0.pre.rails.pre.4.0)
       metasploit-model (= 1.0.0.pre.rails.pre.4.0)
-      meterpreter_bins (= 0.0.22)
+      metasploit-payloads (= 0.0.3)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -122,6 +122,7 @@ GEM
     metasploit-model (1.0.0.pre.rails.pre.4.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
+    metasploit-payloads (0.0.3)
     metasploit_data_models (1.0.0.pre.rails.pre.4.0b)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
@@ -132,7 +133,6 @@ GEM
       postgres_ext
       railties (>= 4.0.9, < 4.1.0)
       recog (~> 1.0)
-    meterpreter_bins (0.0.22)
     method_source (0.8.2)
     mime-types (2.4.3)
     mini_portile (0.6.2)

data/meterpreter/ext_server_networkpug.lso

@@ -0,0 +1,135 @@
+
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      class ManageEngineDesktopCentral < HTTP
+
+        DEFAULT_PORT  = 8020
+        PRIVATE_TYPES = [ :password ]
+        LOGIN_STATUS  = Metasploit::Model::Login::Status # Shorter name
+
+
+        # Checks if the target is ManageEngine Dekstop Central.
+        #
+        # @return [Boolean] TrueClass if target is MSP, otherwise FalseClass
+        def check_setup
+          login_uri = normalize_uri("#{uri}/configurations.do")
+          res = send_request({'uri' => login_uri})
+
+          if res && res.body.include?('ManageEngine Desktop Central')
+            return true
+          end
+
+          false
+        end
+
+
+        # Returns the latest sid from MSP
+        #
+        # @param [Rex::Proto::Http::Response] 
+        # @return [String] The session ID for MSP
+        def get_sid(res)
+          cookies = res.get_cookies
+          sid = cookies.scan(/(DCJSESSIONID=\w+);*/).flatten[0] || ''
+          sid
+        end
+
+
+
+        # Returns the hidden inputs
+        #
+        # @param [Rex::Proto::Http::Response]
+        # @return [Hash] Input fields
+        def get_hidden_inputs(res)
+          found_inputs = {}
+          res.body.scan(/(<input type="hidden" .+>)/).flatten.each do |input|
+            name  = input.scan(/name="(\w+)"/).flatten[0] || ''
+            value = input.scan(/value="([\w\.\-]+)"/).flatten[0] || ''
+            found_inputs[name] = value
+          end
+          found_inputs
+        end
+
+
+        # Returns all the items needed to login
+        #
+        # @return [Hash] Login items
+        def get_required_login_items
+          items = {}
+          login_uri = normalize_uri("#{uri}/configurations.do")
+          res = send_request({'uri' => login_uri})
+          return items unless res
+          items.merge!({'sid' => get_sid(res)})
+          items.merge!(get_hidden_inputs(res))
+          items
+        end
+
+
+        # Actually doing the login. Called by #attempt_login
+        #
+        # @param username [String] The username to try
+        # @param password [String] The password to try
+        # @return [Hash]
+        #   * :status [Metasploit::Model::Login::Status]
+        #   * :proof [String] the HTTP response body
+        def get_login_state(username, password)
+          login_uri = normalize_uri("#{uri}/j_security_check")
+          login_items = get_required_login_items
+
+          res = send_request({
+            'uri' => login_uri,
+            'method' => 'POST',
+            'cookie' => login_items['sid'],
+            'vars_post' => {
+              'j_username' => username,
+              'j_password' => password,
+              'Button' => 'Sign+in',
+              'buildNum' => login_items['buildNum'],
+              'clearCacheBuildNum' => login_items['clearCacheBuildNum']
+            }
+          })
+
+          unless res
+            return {:status => LOGIN_STATUS::UNABLE_TO_CONNECT, :proof => res.to_s}
+          end
+
+          if res.code == 302
+            return {:status => LOGIN_STATUS::SUCCESSFUL, :proof => res.to_s}
+          end
+
+          {:status => LOGIN_STATUS::INCORRECT, :proof => res.to_s}
+        end
+
+
+        # Attempts to login to MSP.
+        #
+        # @param credential [Metasploit::Framework::Credential] The credential object
+        # @return [Result] A Result object indicating success or failure
+        def attempt_login(credential)
+          result_opts = {
+            credential: credential,
+            status: LOGIN_STATUS::INCORRECT,
+            proof: nil,
+            host: host,
+            port: port,
+            protocol: 'tcp'
+          }
+
+          begin
+            result_opts.merge!(get_login_state(credential.public, credential.private))
+          rescue ::Rex::ConnectionError => e
+            # Something went wrong during login. 'e' knows what's up.
+            result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
+          end
+
+          Result.new(result_opts)
+        end
+
+      end
+    end
+  end
+end
+

data/meterpreter/ext_server_sniffer.lso

@@ -527,6 +527,8 @@ def self.dump_sessions(framework, opts={})
     indent = opts[:indent] || DefaultIndent
     col = opts[:col] || DefaultColumnWrap
 
+    return dump_sessions_verbose(framework, opts) if verbose
+
     columns =
       [
         'Id',
@@ -535,9 +537,6 @@ def self.dump_sessions(framework, opts={})
         'Connection'
       ]
 
-    columns << 'Via' if verbose
-    columns << 'PayloadId' if verbose
-
     tbl = Rex::Ui::Text::Table.new(
       'Indent'  => indent,
       'Header'  => "Active sessions",
@@ -554,12 +553,7 @@ def self.dump_sessions(framework, opts={})
 
       row = [ session.sid.to_s, session.type.to_s, sinfo, session.tunnel_to_s + " (#{session.session_host})" ]
       if session.respond_to? :platform
-        row[1] += " " + session.platform
-      end
-
-      if verbose
-        row << session.via_exploit.to_s
-        row << session.payload_uuid.to_s
+        row[1] << (" " + session.platform)
       end
 
       tbl << row
@@ -568,6 +562,59 @@ def self.dump_sessions(framework, opts={})
     return framework.sessions.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active sessions.\n"
   end
 
+  # Dumps the list of active sessions in verbose mode
+  #
+  # @param framework [Msf::Framework] the framework to dump.
+  # @param opts [Hash] the options to dump with.
+  # @option opts :session_ids [Array] the list of sessions to dump (no
+  #   effect).
+  # @return [String] the formatted list of sessions.
+  def self.dump_sessions_verbose(framework, opts={})
+    ids = (opts[:session_ids] || framework.sessions.keys).sort
+
+    out = "Active sessions\n" +
+          "===============\n\n"
+
+    if framework.sessions.length == 0
+      out << "No active sessions.\n"
+      return out
+    end
+
+    framework.sessions.each_sorted do |k|
+      session = framework.sessions[k]
+
+      sess_info    = session.info.to_s
+      sess_id      = session.sid.to_s
+      sess_tunnel  = session.tunnel_to_s + " (#{session.session_host})"
+      sess_via     = session.via_exploit.to_s
+      sess_type    = session.type.to_s
+      sess_uuid    = session.payload_uuid.to_s
+      sess_checkin = "<none>"
+      sess_machine_id = session.machine_id.to_s
+
+      if session.respond_to? :platform
+        sess_type << (" " + session.platform)
+      end
+
+      if session.respond_to?(:last_checkin) && session.last_checkin
+        sess_checkin = "#{(Time.now.to_i - session.last_checkin.to_i)}s ago @ #{session.last_checkin.to_s}"
+      end
+
+      out << "  Session ID: #{sess_id}\n"
+      out << "        Type: #{sess_type}\n"
+      out << "        Info: #{sess_info}\n"
+      out << "      Tunnel: #{sess_tunnel}\n"
+      out << "         Via: #{sess_via}\n"
+      out << "        UUID: #{sess_uuid}\n"
+      out << "   MachineID: #{sess_machine_id}\n"
+      out << "     CheckIn: #{sess_checkin}\n"
+      out << "\n"
+    end
+
+    out << "\n"
+    return out
+  end
+
   # Dumps the list of running jobs.
   #
   # @param framework [Msf::Framework] the framework.

data/meterpreter/ext_server_stdapi.lso

@@ -255,9 +255,10 @@ def reset_ui
   def kill
     begin
       cleanup_meterpreter
-      self.sock.close
+      self.sock.close if self.sock
     rescue ::Exception
     end
+    # deregister will actually trigger another cleanup
     framework.sessions.deregister(self)
   end
 
@@ -298,6 +299,24 @@ def load_priv()
     console.disable_output = original
   end
 
+  #
+  # Validate session information by checking for a machine_id response
+  #
+  def is_valid_session?(timeout=10)
+    return true if self.machine_id
+
+    begin
+      self.machine_id = self.core.machine_id(timeout)
+      return true
+    rescue ::Rex::Post::Meterpreter::RequestError
+      # This meterpreter doesn't support core_machine_id
+      return true
+    rescue ::Exception => e
+      dlog("Session #{self.sid} did not respond to validation request #{e.class}: #{e}")
+    end
+    false
+  end
+
   #
   # Populate the session information.
   #
@@ -448,6 +467,7 @@ def create(param)
   attr_accessor :binary_suffix
   attr_accessor :console # :nodoc:
   attr_accessor :skip_ssl
+  attr_accessor :skip_cleanup
   attr_accessor :target_id
 
 protected

data/meterpreter/msflinker_linux_x86.bin

@@ -12,11 +12,17 @@ def initialize(info = {})
     register_advanced_options(
       [
         OptBool.new('AutoLoadStdapi', [true, "Automatically load the Stdapi extension", true]),
+        OptBool.new('AutoVerifySession', [true, "Automatically verify and drop invalid sessions", true]),
         OptString.new('InitialAutoRunScript', [false, "An initial script to run on session creation (before AutoRunScript)", '']),
         OptString.new('AutoRunScript', [false, "A script to run automatically on session creation.", '']),
         OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
         OptBool.new('EnableUnicodeEncoding', [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]),
-        OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"])
+        OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]),
+        OptBool.new('StagerCloseListenSocket', [false, "Close the listen socket in the stager", false]),
+        OptInt.new('SessionRetryTotal', [false, "Number of seconds try reconnecting for on network failure", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_TOTAL]),
+        OptInt.new('SessionRetryWait', [false, "Number of seconds to wait between reconnect attempts", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_WAIT]),
+        OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcibly shut down', Rex::Post::Meterpreter::ClientCore::TIMEOUT_SESSION]),
+        OptInt.new('SessionCommunicationTimeout', [ false, 'The number of seconds of no activity before this session should be killed', Rex::Post::Meterpreter::ClientCore::TIMEOUT_COMMS])
       ], self.class)
   end
 
@@ -35,43 +41,49 @@ def on_session(session)
 
     session.init_ui(self.user_input, self.user_output)
 
-    if (datastore['AutoLoadStdapi'] == true)
+    valid = true
 
-      session.load_stdapi
-
-      if datastore['AutoSystemInfo']
-        session.load_session_info
+    if datastore['AutoVerifySession'] == true
+      if not session.is_valid_session?
+        print_error("Meterpreter session #{session.sid} is not valid and will be closed")
+        valid = false
       end
+    end
+
+    if valid
+
+      if datastore['AutoLoadStdapi'] == true
+
+        session.load_stdapi
+
+        if datastore['AutoSystemInfo']
+          session.load_session_info
+        end
 
-=begin
-      admin = false
-      begin
-        ::Timeout.timeout(30) do
-          if session.railgun and session.railgun.shell32.IsUserAnAdmin()["return"] == true
-            admin = true
-            session.info += " (ADMIN)"
-          end
+        if session.platform =~ /win32|win64/i
+          session.load_priv rescue nil
         end
-      rescue ::Exception
       end
-=end
-      if session.platform =~ /win32|win64/i
-        session.load_priv rescue nil
+
+      if session.platform =~ /android/i
+        if datastore['AutoLoadAndroid']
+          session.load_android
+        end
       end
-    end
 
-    if session.platform =~ /android/i
-      if datastore['AutoLoadAndroid']
-        session.load_android
+      [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
+        if (datastore[key].empty? == false)
+          args = Shellwords.shellwords( datastore[key] )
+          print_status("Session ID #{session.sid} (#{session.tunnel_to_s}) processing #{key} '#{datastore[key]}'")
+          session.execute_script(args.shift, *args)
+        end
       end
     end
 
-    [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
-      if (datastore[key].empty? == false)
-        args = Shellwords.shellwords( datastore[key] )
-        print_status("Session ID #{session.sid} (#{session.tunnel_to_s}) processing #{key} '#{datastore[key]}'")
-        session.execute_script(args.shift, *args)
-      end
+    # Terminate the session without cleanup if it did not validate
+    if not valid
+      session.skip_cleanup = true
+      session.kill
     end
 
     }