Merge pull request #22 from rapid7/master

merging

Author: Pedro Ribeiro

Gemfile.lock

@@ -16,7 +16,7 @@ PATH
       packetfu (= 1.1.11)
       railties
       rb-readline-r7
-      recog (= 2.0.6)
+      recog (= 2.0.14)
       robots
       rubyzip (~> 1.1)
       sqlite3
@@ -25,7 +25,7 @@ PATH
       activerecord (>= 4.0.9, < 4.1.0)
       metasploit-credential (= 1.0.1)
       metasploit-framework (= 4.11.4)
-      metasploit_data_models (= 1.2.5)
+      metasploit_data_models (= 1.2.7)
       pg (>= 0.11)
     metasploit-framework-pcap (4.11.4)
       metasploit-framework (= 4.11.4)
@@ -126,7 +126,7 @@ GEM
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
     metasploit-payloads (1.0.15)
-    metasploit_data_models (1.2.5)
+    metasploit_data_models (1.2.7)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       arel-helpers
@@ -178,7 +178,7 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (10.4.2)
     rb-readline-r7 (0.5.2.0)
-    recog (2.0.6)
+    recog (2.0.14)
       nokogiri
     redcarpet (3.2.3)
     rkelly-remix (0.0.6)

lib/msf/core/auxiliary/udp_scanner.rb

@@ -86,7 +86,7 @@ def scanner_spoof_send(data, ip, port, srcip, num_packets=1)
     p.recalc
     print_status("Sending #{num_packets} packet(s) to #{ip} from #{srcip}")
     1.upto(num_packets) do |x|
-      capture_sendto(p, ip)
+      break unless capture_sendto(p, ip)
     end
     close_pcap
   end

lib/msf/core/db_manager/exploit_attempt.rb

@@ -153,6 +153,8 @@ def do_report_failure_or_success(opts)
         attempt_info[:vuln_id] = vuln.id
         vuln.vuln_attempts.create(attempt_info)
 
+        create_match_result_for_vuln(vuln,opts)
+
         # Correct the vuln's associated service if necessary
         if svc and vuln.service_id.nil?
           vuln.service = svc
@@ -176,4 +178,59 @@ def do_report_failure_or_success(opts)
     }
 
   end
+
+  # Create a MetasploitDataModels::AutomaticExploitation::Match result for the given vuln
+  # @option opts [Integer] :run_id
+  # @return [void]
+  def create_match_result_for_vuln(vuln, opts)
+    run = MetasploitDataModels::AutomaticExploitation::Run.where(id:opts[:run_id]).last
+
+    if run.present?
+      match = MetasploitDataModels::AutomaticExploitation::Match.by_run_and_vuln(run,vuln).last
+
+      # If no match found in the current run
+      unless match.present?
+        # Create match if the vuln has the data we need to create a match
+        match = create_match_for_vuln(vuln,opts.merge(run:run))
+      end
+
+      create_match_result(opts.merge(match:match,run:run)) if match.present?
+    end
+  end
+
+  # Create a MetasploitDataModels::AutomaticExploitation::Match result with a success or failure state
+  # @option opts [MetasploitDataModels::AutomaticExploitation::Match] :match
+  # @option opts [MetasploitDataModels::AutomaticExploitation::Run] :run
+  # @return [void]
+  def create_match_result(opts)
+    if opts[:session_id]
+      state =  MetasploitDataModels::AutomaticExploitation::MatchResult::SUCCEEDED
+    else
+      state =  MetasploitDataModels::AutomaticExploitation::MatchResult::FAILED
+    end
+
+    MetasploitDataModels::AutomaticExploitation::MatchResult.create!(
+      match: opts[:match],
+      run: opts[:run],
+      state: state
+    )
+  end
+
+  # Create a MetasploitDataModels::AutomaticExploitation::Match for the given vuln
+  # @option vuln [Mdm::Vuln] :vuln
+  # @option opts [Mdm::Workspace] :workspace
+  # @option opts [String] :username
+  # @return [ MetasploitDataModels::AutomaticExploitation::Match, MetasploitDataModels::AutomaticExploitation::Run]
+  def create_match_for_vuln(vuln,opts)
+    wspace  = opts[:workspace] || workspace
+    run     = opts[:run]
+    module_fullname  = opts[:module]
+
+    run.match_set.create_match_for_vuln(
+      vuln,
+      workspace: wspace,
+      module_fullname: module_fullname
+    )
+  end
+
 end

lib/msf/core/db_manager/session.rb

@@ -91,18 +91,10 @@ def report_session(opts)
 
     wspace = s.workspace
 
-    if session
-      if session.exploit.user_data_is_match?
-        MetasploitDataModels::AutomaticExploitation::MatchResult.create!(
-          match: session.exploit.user_data[:match],
-          run: session.exploit.user_data[:run],
-          state: MetasploitDataModels::AutomaticExploitation::MatchResult::SUCCEEDED,
-        )
-        infer_vuln_from_session(session, wspace)
-      elsif session.via_exploit
-        # This is a live session, we know the host is vulnerable to something.
-        infer_vuln_from_session(session, wspace)
-      end
+
+    if session and session.via_exploit
+      # This is a live session, we know the host is vulnerable to something.
+      infer_vuln_from_session(session, wspace)
     end
 
     s
@@ -158,6 +150,7 @@ def infer_vuln_from_session(session, wspace)
         username: session.username,
         vuln: vuln,
         workspace: wspace,
+        run_id: session.exploit.user_data.try(:[], :run_id)
       }
 
       framework.db.report_exploit_success(attempt_info)

lib/msf/core/exploit.rb

@@ -1270,7 +1270,8 @@ def report_failure
       :fail_detail => self.fail_detail,
       :target_name => self.target.name,
       :username    => self.owner,
-      :refs        => self.references
+      :refs        => self.references,
+      :run_id      => self.datastore['RUN_ID']
     }
 
     if self.datastore['RHOST'] and self.options['RHOST']
@@ -1284,15 +1285,6 @@ def report_failure
       end
     end
 
-    if user_data_is_match?
-      MetasploitDataModels::AutomaticExploitation::MatchResult.create!(
-        match: user_data[:match],
-        run: user_data[:run],
-        state: MetasploitDataModels::AutomaticExploitation::MatchResult::FAILED,
-      )
-    end
-
-
     framework.db.report_exploit_failure(info)
   end
 

lib/msf/core/exploit/capture.rb

@@ -232,17 +232,24 @@ def inject_pcap(pcap_file, filter=nil, delay = 0, pcap=self.capture)
         end
       end
 
-      # capture_sendto is intended to replace the old Rex::Socket::Ip.sendto method. It requires
-      # a payload and a destination address. To send to the broadcast address, set bcast
-      # to true (this will guarantee that packets will be sent even if ARP doesn't work
-      # out).
+      # Sends a payload to a given target using the pcap capture interface
+      #
+      # == Parameters:
+      # payload:: The payload String to send
+      # dhost:: the destination host to send to
+      # bcast:: set to `true` to send to the broadcast address if necessary
+      # dev:: the name of the network interface to send the payload on
+      #
+      # == Returns:
+      # The number of bytes sent iff the payload was successfully sent/injected.  `false` otherwise
       def capture_sendto(payload="", dhost=nil, bcast=false, dev=nil)
         raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" unless self.capture
         raise RuntimeError, "Must specify a host to sendto" unless dhost
         dev              ||= datastore['INTERFACE']
         dst_mac, src_mac = lookup_eth(dhost, dev)
         if dst_mac == nil and not bcast
-          raise RuntimeError, 'Unable to determine the destination MAC and bcast is false'
+          vprint_error("Unable to determine the destination MAC for #{dhost} on #{dev} and bcast is false")
+          return false
         end
         inject_eth(:payload => payload, :eth_daddr => dst_mac, :eth_saddr => src_mac)
       end

lib/msf/core/exploit_driver.rb

@@ -210,6 +210,7 @@ def job_run_proc(ctx)
         # Wait for session, but don't wait long.
         delay = 0.01
       end
+
       exploit.handle_exception e
     end
 

lib/msf/core/module.rb

@@ -59,10 +59,6 @@ class Module
   # datastore, consumed by #replicant to allow clean override of MSF module methods.
   REPLICANT_EXTENSION_DS_KEY = 'ReplicantExtensions'
 
-  # The set of keys in {#user_data} that make {#user_data_is_match?} return
-  # true
-  MATCH_KEYS = Set.new([ :match, :match_set, :run ])
-
   # Make include public so we can runtime extend
   public_class_method :include
 
@@ -295,13 +291,6 @@ def fail_with(reason, msg=nil)
     raise RuntimeError, "#{reason.to_s}: #{msg}"
   end
 
-  # Whether {#user_data} contains everything necessary to make a
-  # `MetasploitDataModels::AutomaticExploitation::MatchResult`
-  #
-  # @return [bool]
-  def user_data_is_match?
-    user_data.kind_of?(Hash) && Set.new(user_data.keys).superset?(MATCH_KEYS)
-  end
 
   ##
   #
@@ -347,7 +336,6 @@ def self.cached?
   # {Msf::Simple::Auxiliary#run_simple} for correlating where modules came
   # from.
   #
-  # @see #user_data_is_match?
   attr_accessor :user_data
 
   protected

lib/msf/core/module/platform.rb

@@ -524,4 +524,12 @@ class Firefox < Msf::Module::Platform
     Rank = 100
     Alias = "firefox"
   end
+
+  #
+  # Mainframe
+  #
+  class Mainframe < Msf::Module::Platform
+    Rank = 100
+    Alias = "mainframe"
+  end
 end

lib/msf/core/payload.rb

@@ -30,6 +30,7 @@ class Payload < Msf::Module
   require 'msf/core/payload/java'
   require 'msf/core/payload/dalvik'
   require 'msf/core/payload/firefox'
+  require 'msf/core/payload/mainframe'
 
   ##
   #