Merge branch 'rapid7' into bug/wrong-file_changed-argument

Author: egypt

lib/msf/core/db_manager.rb

@@ -588,8 +588,8 @@ def search_modules(search_string, inclusive=false)
 					where_v << [ xv, xv ]
 				when 'os','platform'
 					xv = "%#{kv}%"
-					where_q << ' ( module_targets.name ILIKE ? ) '
-					where_v << [ xv ]
+					where_q << ' (  module_platforms.name ILIKE ? OR module_targets.name ILIKE ? ) '
+					where_v << [ xv, xv ]
 				when 'port'
 					# TODO
 				when 'type'

lib/msf/core/exploit/winrm.rb

@@ -8,31 +8,24 @@
 
 module Msf
 module Exploit::Remote::WinRM
-
 	include Exploit::Remote::NTLM::Client
 	include Exploit::Remote::HttpClient
-
 	#
 	# Constants
 	#
 	NTLM_CRYPT ||= Rex::Proto::NTLM::Crypt
 	NTLM_CONST ||= Rex::Proto::NTLM::Constants
 	NTLM_UTILS ||= Rex::Proto::NTLM::Utils
 	NTLM_XCEPT ||= Rex::Proto::NTLM::Exceptions
-
 	def initialize(info = {})
 		super
 		register_options(
 			[
-				Opt::RHOST,
 				Opt::RPORT(5985),
-				OptString.new('VHOST', [ false, "HTTP server virtual host" ]),
-				OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]),
-				OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]),
 				OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentification', 'WORKSTATION']),
 				OptString.new('URI', [ true, "The URI of the WinRM service", "/wsman" ]),
 				OptString.new('USERNAME', [ false, 'A specific username to authenticate as' ]),
-				OptString.new('PASSWORD', [ false, 'A specific password to authenticate with' ])
+				OptString.new('PASSWORD', [ false, 'A specific password to authenticate with' ]),
 			], self.class
 		)
 
@@ -45,18 +38,15 @@ def winrm_poke(timeout = 20)
 			'uri' => datastore['URI'],
 			'data' => Rex::Text.rand_text_alpha(8)
 		}
-
-		c     = connect(opts)
-		to    = opts[:timeout] || timeout
+		c = connect(opts)
+		to = opts[:timeout] || timeout
 		ctype = "application/soap+xml;charset=UTF-8"
-
 		resp, c = send_request_cgi(opts.merge({
-			'uri'    => opts['uri'],
+			'uri' => opts['uri'],
 			'method' => 'POST',
-			'ctype'  => ctype,
-			'data'   => opts['data']
+			'ctype'     => ctype,
+			'data'        => opts['data']
 		}), to)
-
 		return resp
 	end
 
@@ -71,34 +61,29 @@ def parse_auth_methods(resp)
 
 	def winrm_run_cmd(cmd, timeout=20)
 		resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
-
 		if resp.code == 401
 			print_error "Login failure! Recheck supplied credentials."
 			return resp .code
 		end
-
 		unless resp.code == 200
 			print_error "Got unexpected response: \n #{resp.to_s}"
 			retval == resp.code || 0
 			return retval
 		end
-
 		shell_id = winrm_get_shell_id(resp)
 		resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout)
 		cmd_id = winrm_get_cmd_id(resp)
 		resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
 		streams = winrm_get_cmd_streams(resp)
 		resp,c = send_request_ntlm(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout)
 		resp,c = send_request_ntlm(winrm_delete_shell_msg(shell_id))
-
 		return streams
 	end
 
 	def winrm_wql_msg(wql)
 		action = winrm_uri_action("wql")
 		contents = winrm_header(action) + winrm_wql_body(wql)
 		msg = winrm_envelope(contents)
-
 		return msg
 	end
 
@@ -108,7 +93,6 @@ def winrm_open_shell_msg
 		header_data = action + options
 		contents = winrm_header(header_data) + winrm_open_shell_body
 		msg = winrm_envelope(contents)
-
 		return msg
 	end
 
@@ -119,7 +103,6 @@ def winrm_cmd_msg(cmd,shell_id)
 		header_data = action + options + selectors
 		contents = winrm_header(header_data) + winrm_cmd_body(cmd)
 		msg = winrm_envelope(contents)
-
 		return msg
 	end
 
@@ -129,7 +112,6 @@ def winrm_cmd_recv_msg(shell_id,cmd_id)
 		header_data = action +  selectors
 		contents = winrm_header(header_data) + winrm_cmd_recv_body(cmd_id)
 		msg = winrm_envelope(contents)
-
 		return msg
 	end
 
@@ -139,7 +121,6 @@ def winrm_terminate_cmd_msg(shell_id,cmd_id)
 		header_data = action +  selectors
 		contents = winrm_header(header_data) + winrm_terminate_cmd_body(cmd_id)
 		msg = winrm_envelope(contents)
-
 		return msg
 	end
 
@@ -149,7 +130,6 @@ def winrm_delete_shell_msg(shell_id)
 		header_data = action +  selectors
 		contents = winrm_header(header_data) + winrm_empty_body
 		msg = winrm_envelope(contents)
-
 		return msg
 	end
 
@@ -159,28 +139,23 @@ def parse_wql_response(response)
 		rows =[]
 		rxml = REXML::Document.new(xml).root
 		items = rxml.elements["///w:Items"]
-
 		items.elements.to_a("///w:XmlFragment").each do |node|
 			row_data = []
-
 			node.elements.to_a.each do |sub_node|
 				columns << sub_node.name
 				row_data << sub_node.text
 			end
-
 			rows << row_data
 		end
-
+		columns.uniq!
 		response_data = Rex::Ui::Text::Table.new(
 			'Header'    => "#{datastore['WQL']} (#{rhost})",
 			'Indent'    => 1,
-			'Columns'   => columns.uniq!
+			'Columns'   => columns
 		)
-
 		rows.each do |row|
 			response_data << row
 		end
-
 		return response_data
 	end
 
@@ -197,17 +172,14 @@ def winrm_get_cmd_id(response)
 	def winrm_get_cmd_streams(response)
 		streams = {
 			'stdout' => '',
-			'stderr' => '',
+			'stderr'   => '',
 		}
-
 		xml = response.body
 		rxml = REXML::Document.new(xml).root
-
 		rxml.elements.to_a("//rsp:Stream").each do |node|
 			next if node.text.nil?
 			streams[node.attributes['Name']] << Rex::Text.base64_decode(node.text)
 		end
-
 		return streams
 	end
 
@@ -222,25 +194,20 @@ def send_request_ntlm(data, timeout = 20)
 			'username' => datastore['USERNAME'],
 			'password' => datastore['PASSWORD']
 		}
-
-		ntlm_options =
-			{
-				:signing          => false,
-				:usentlm2_session => datastore['NTLM::UseNTLM2_session'],
-				:use_ntlmv2       => datastore['NTLM::UseNTLMv2'],
-				:send_lm          => datastore['NTLM::SendLM'],
-				:send_ntlm        => datastore['NTLM::SendNTLM']
-			}
-
+		ntlm_options = {
+				:signing    => false,
+				:usentlm2_session   => datastore['NTLM::UseNTLM2_session'],
+				:use_ntlmv2     => datastore['NTLM::UseNTLMv2'],
+				:send_lm    => datastore['NTLM::SendLM'],
+				:send_ntlm    => datastore['NTLM::SendNTLM']
+				}
 		ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options)
 		workstation_name =  Rex::Text.rand_text_alpha(rand(8)+1)
 		domain_name = datastore['DOMAIN']
 		ntlm_message_1 = "NEGOTIATE " + Rex::Text::encode_base64(NTLM_UTILS::make_ntlmssp_blob_init( domain_name,
 			workstation_name,
 			ntlmssp_flags))
-
 		to = opts[:timeout] || timeout
-
 		begin
 			c = connect(opts)
 			ctype = "application/soap+xml;charset=UTF-8"
@@ -251,14 +218,11 @@ def send_request_ntlm(data, timeout = 20)
 				'ctype'     => ctype,
 				'headers' => { 'Authorization' => ntlm_message_1},
 				'data'        => opts['data']
-			}))
-
+				}))
 			resp = c.send_recv(r, to)
-
 			unless resp.kind_of? Rex::Proto::Http::Response
 				return [nil,nil]
 			end
-
 			return [nil,nil] if resp.code == 404
 			return [nil,nil] unless resp.code == 401 && resp.headers['WWW-Authenticate']
 			# Get the challenge and craft the response
@@ -293,7 +257,6 @@ def send_request_ntlm(data, timeout = 20)
 			ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, opts['username'],
 				resp_lm, resp_ntlm, '', ntlmssp_flags)
 			ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3)
-
 			# Send the response
 			r = c.request_cgi(opts.merge({
 				'uri' => opts['uri'],
@@ -302,13 +265,10 @@ def send_request_ntlm(data, timeout = 20)
 				'headers' => { 'Authorization' => "NEGOTIATE #{ntlm_message_3}"},
 				'data'        => opts['data']
 				}))
-
 			resp = c.send_recv(r, to, true)
-
 			unless resp.kind_of? Rex::Proto::Http::Response
 				return [nil,nil]
 			end
-
 			return [nil,nil] if resp.code == 404
 			return [resp,c]
 		rescue ::Errno::EPIPE, ::Timeout::Error
@@ -324,25 +284,20 @@ def target_url
 		if rport == 5986 or datastore['SSL']
 			proto = "https"
 		end
-
 		if datastore['VHOST']
 			return  "#{proto}://#{datastore ['VHOST']}:#{rport}#{@uri.to_s}"
 		else
 			return "#{proto}://#{rhost}:#{rport}#{@uri.to_s}"
 		end
 	end
 
-
-
 	private
 
 	def winrm_option_set(options)
 		xml = "<w:OptionSet>"
-
 		options.each do |option_pair|
 			xml << winrm_option(*option_pair)
 		end
-
 		xml << "</w:OptionSet>"
 		return xml
 	end
@@ -353,11 +308,9 @@ def winrm_option(name,value)
 
 	def winrm_selector_set(selectors)
 		xml = "<w:SelectorSet>"
-
 		selectors.each do |selector_pair|
 			xml << winrm_selector(*selector_pair)
 		end
-
 		xml << "</w:SelectorSet>"
 		return xml
 	end

lib/rex/text.rb

@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 require 'digest/md5'
+require 'digest/sha1'
 require 'stringio'
 
 begin
@@ -812,6 +813,20 @@ def self.md5(str)
 		Digest::MD5.hexdigest(str)
 	end
 
+	#
+	# Raw SHA1 digest of the supplied string
+	#
+	def self.sha1_raw(str)
+		Digest::SHA1.digest(str)
+	end
+
+	#
+	# Hexidecimal SHA1 digest of the supplied string
+	#
+	def self.sha1(str)
+		Digest::SHA1.hexdigest(str)
+	end
+
 	#
 	# Convert hex-encoded characters to literals.
 	# Example: "AA\\x42CC" becomes "AABCC"

modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb

@@ -135,8 +135,8 @@ def run
 		sunrpc_destroy
 
 	rescue ::Rex::Proto::SunRPC::RPCTimeout
-		print_status 'Warning: ' + $!
-		print_status 'Exploit may or may not have succeeded.'
+		print_warning 'Warning: ' + $!
+		print_warning 'Exploit may or may not have succeeded.'
 	end