Merge branch 'master' into feature/MSP-11147/thread-leak-detection

MSP-11147

Author: limhoff-r7

.gitignore

@@ -7,6 +7,12 @@ Gemfile.local.lock
 .sublime-project
 # RVM control file, keep this to avoid backdooring Metasploit
 .rvmrc
+# Allow for a local choice of (unsupported / semi-supported) ruby versions
+# See PR #4136 for usage, but example usage for rvm:
+#   rvm --create --versions-conf use 2.1.4@metasploit-framework
+# Because rbenv doesn't use .versions.conf, to achieve this same functionality, run:
+#   rbenv shell 2.1.4
+.versions.conf
 # YARD cache directory
 .yardoc
 # Mac OS X files

.rubocop.yml

@@ -8,7 +8,7 @@
 
 # inherit_from: .rubocop_todo.yml
 
-Style/ClassLength:
+Metrics/ClassLength:
   Description: 'Most Metasploit modules are quite large. This is ok.'
   Enabled: true
   Exclude:
@@ -25,14 +25,14 @@ Style/Encoding:
   Description: 'We prefer binary to UTF-8.'
   EnforcedStyle: 'when_needed'
 
-Style/LineLength:
+Metrics/LineLength:
   Description: >-
                   Metasploit modules often pattern match against very
                   long strings when identifying targets.
   Enabled: true
   Max: 180
 
-Style/MethodLength:
+Metrics/MethodLength:
   Enabled: true
   Description: >-
                   While the style guide suggests 10 lines, exploit definitions
@@ -44,6 +44,11 @@ Style/MethodLength:
 Style/Encoding:
   Enabled: false
 
+# %q() is super useful for long strings split over multiple lines and
+# is very common in module constructors for things like descriptions
+Style/UnneededPercentQ:
+  Enabled: false
+
 Style/NumericLiterals:
   Enabled: false
   Description: 'This often hurts readability for exploit-ish code.'

CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+
+# Next Release
+* Enhancements
+ * [#4045](https://github.com/rapid7/metasploit-framework/pull/4045): Reorganize Msf::Module into submodule of related methods to reduce file size and allow for easier understanding of functionality - [@limhoff-r7](https://github.com/limhoff-r7)
+* Bug Fixes
+* Deprecations
+* Incompatible Changes

Gemfile

@@ -1,20 +1,10 @@
 source 'https://rubygems.org'
 # Add default group gems to `metasploit-framework.gemspec`:
 #   spec.add_runtime_dependency '<name>', [<version requirements>]
-gemspec
-
-gem 'rb-readline', require: false
+gemspec name: 'metasploit-framework'
 
 group :db do
-  # Needed for Msf::DbManager
-  gem 'activerecord', '>= 3.0.0', '< 4.0.0'
-
-  # Metasploit::Credential database models
-  gem 'metasploit-credential', '~> 0.12.0'
-  # Database models shared between framework and Pro.
-  gem 'metasploit_data_models', '~> 0.21.1'
-  # Needed for module caching in Mdm::ModuleDetails
-  gem 'pg', '>= 0.11'
+  gemspec name: 'metasploit-framework-db'
 end
 
 group :development do
@@ -45,9 +35,7 @@ group :development, :test do
 end
 
 group :pcap do
-  gem 'network_interface', '~> 0.0.1'
-  # For sniffer and raw socket modules
-  gem 'pcaprub'
+  gemspec name: 'metasploit-framework-pcap'
 end
 
 group :test do

Gemfile.lock

@@ -20,6 +20,16 @@ PATH
       rubyzip (~> 1.1)
       sqlite3
       tzinfo
+    metasploit-framework-db (4.10.1.pre.dev)
+      activerecord (< 4.0.0)
+      metasploit-credential (~> 0.13.0)
+      metasploit-framework (= 4.10.1.pre.dev)
+      metasploit_data_models (~> 0.21.1)
+      pg (>= 0.11)
+    metasploit-framework-pcap (4.10.1.pre.dev)
+      metasploit-framework (= 4.10.1.pre.dev)
+      network_interface (~> 0.0.1)
+      pcaprub
 
 GEM
   remote: https://rubygems.org/
@@ -102,7 +112,7 @@ GEM
     metasploit-concern (0.3.0)
       activesupport (~> 3.0, >= 3.0.0)
       railties (< 4.0.0)
-    metasploit-credential (0.12.0)
+    metasploit-credential (0.13.2)
       metasploit-concern (~> 0.3.0)
       metasploit-model (~> 0.28.0)
       metasploit_data_models (~> 0.21.0)
@@ -125,12 +135,12 @@ GEM
     meterpreter_bins (0.0.10)
     method_source (0.8.2)
     mime-types (1.25.1)
-    mini_portile (0.6.0)
+    mini_portile (0.6.1)
     msgpack (0.5.9)
     multi_json (1.0.4)
     network_interface (0.0.1)
-    nokogiri (1.6.3.1)
-      mini_portile (= 0.6.0)
+    nokogiri (1.6.4.1)
+      mini_portile (~> 0.6.0)
     packetfu (1.1.9)
     pcaprub (0.11.3)
     pg (0.17.1)
@@ -165,7 +175,7 @@ GEM
     rb-readline (0.5.1)
     rdoc (3.12.2)
       json (~> 1.4)
-    recog (1.0.0)
+    recog (1.0.5)
       nokogiri
     redcarpet (3.1.2)
     rkelly-remix (0.0.6)
@@ -197,7 +207,7 @@ GEM
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
     slop (3.6.0)
-    sprockets (2.2.2)
+    sprockets (2.2.3)
       hike (~> 1.2)
       multi_json (~> 1.0)
       rack (~> 1.0)
@@ -209,7 +219,7 @@ GEM
     treetop (1.4.15)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.41)
+    tzinfo (0.3.42)
     xpath (2.0.0)
       nokogiri (~> 1.3)
     yard (0.8.7.4)
@@ -218,21 +228,16 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  activerecord (>= 3.0.0, < 4.0.0)
   aruba
   cucumber-rails
   factory_girl (>= 4.1.0)
   factory_girl_rails
   fivemat (= 1.2.1)
-  metasploit-credential (~> 0.12.0)
   metasploit-framework!
-  metasploit_data_models (~> 0.21.1)
-  network_interface (~> 0.0.1)
-  pcaprub
-  pg (>= 0.11)
+  metasploit-framework-db!
+  metasploit-framework-pcap!
   pry
   rake (>= 10.0.0)
-  rb-readline
   redcarpet
   rspec (>= 2.12, < 3.0.0)
   rspec-rails (>= 2.12, < 3.0.0)

data/exploits/CVE-2010-1240/template.pdf

@@ -0,0 +1,41 @@
+%clr
+%mag     .~+P``````-o+:.                                      -o+:.%clr
+%mag.+oooyysyyssyyssyddh++os-`````                        ```````````````          `%clr
+%mag+++++++++++++++++++++++sydhyoyso/:.````...`...-///::+ohhyosyyosyy/+om++:ooo///o%clr
+%mag++++///////~~~~///////++++++++++++++++ooyysoyysosso+++++++++++++++++++///oossosy%clr
+%mag--.`                 .-.-...-////+++++++++++++++////////~~//////++++++++++++///%clr
+%mag                                `...............`              `...-/////...`%clr
+%clr
+%clr
+%whi                                  .::::::::::-.                     .::::::-%clr
+%whi                                .hmMMMMMMMMMMNddds\...//M\\.../hddddmMMMMMMNo%clr
+%whi                                 :Nm-/NMMMMMMMMMMMMM%blu$$%whiNMMMMm%blu&&%whiMMMMMMMMMMMMMMy%clr
+%whi                                 .sm/`-yMMMMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMMMMh`%clr
+%whi                                  -Nd`  :MMMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMMMh`%clr
+%whi                                   -Nh` .yMMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMMm/%clr
+%whi    `oo/``-hd:  ``                 .sNd  :MMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMm/%clr
+%whi      .yNmMMh%dred//%whi+syysso-``````       -mh` :MMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMd%clr
+%whi    .shMMMMN%dred//%whidmNMMMMMMMMMMMMs`     `:```-o++++oooo+:/ooooo+:+o+++oooo++/%clr
+%whi    `///omh%dred//%whidMMMMMMMMMMMMMMMN/%dred:::::/+ooso--/ydh//+s+/ossssso:--syN///os:%clr
+%whi          /MMMMMMMMMMMMMMMMMMd.     %dred`/++-.-yy/%whi...%dredosydh/-+oo:-`o//%whi...%dredoyodh+%clr
+%whi          -hMMmssddd+:dMMmNMMh.     %dred`.-=mmk.%whi//^^^\\%dred.^^`:++:^^o:%whi//^^^\\%dred`::%clr
+%whi          .sMMmo.    -dMd--:mN/`           %whi||--X--||%clr          %dred%whi||--X--||%clr
+%whi........../yddy/:...+hmo-...hdd:............%whi\\=v=//%clr............%dred%whi\\=v=//%clr.........
+%grn================================================================================%clr
+%grn=====================%whi+--------------------------------+%grn=========================%clr
+%grn=====================%whi| Session one died of dysentery. |%grn=========================%clr
+%grn=====================%whi+--------------------------------+%grn=========================%clr
+%grn================================================================================%clr
+%clr
+%clr                     %grnPress ENTER to size up the situation%clr
+%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Date: April 25, 1848 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%% Weather: It's always cool in the lab %%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%% Health: Overweight %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%% Caffeine: 12975 mg %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%% Hacked: All the things %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%clr
+%clr                        %whiPress SPACE BAR to continue%clr
+%clr

data/logos/metasploit-trail.txt

@@ -215,6 +215,9 @@ class SYSTEM_INFO(ctypes.Structure):
 			("wProcessorLevel", ctypes.c_uint16),
 			("wProcessorRevision", ctypes.c_uint16)]
 
+	class TOKEN_USER(ctypes.Structure):
+		_fields_ = [("User", SID_AND_ATTRIBUTES)]
+
 	#
 	# Linux Structures
 	#
@@ -364,6 +367,7 @@ class RTATTR(ctypes.Structure):
 TLV_TYPE_OS_NAME               = TLV_META_TYPE_STRING  | 1041
 TLV_TYPE_USER_NAME             = TLV_META_TYPE_STRING  | 1042
 TLV_TYPE_ARCHITECTURE          = TLV_META_TYPE_STRING  | 1043
+TLV_TYPE_SID                   = TLV_META_TYPE_STRING  | 1045
 
 ##
 # Environment
@@ -525,6 +529,36 @@ def get_stat_buffer(path):
 	st_buf += struct.pack('<II', blksize, blocks)
 	return st_buf
 
+def get_token_user(handle):
+	TOKEN_QUERY = 0x0008
+	TokenUser = 1
+	advapi32 = ctypes.windll.advapi32
+	advapi32.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
+
+	token_handle = ctypes.c_void_p()
+	if not advapi32.OpenProcessToken(handle, TOKEN_QUERY, ctypes.byref(token_handle)):
+		return None
+	token_user_buffer = (ctypes.c_byte * 4096)()
+	dw_returned = ctypes.c_uint32()
+	result = advapi32.GetTokenInformation(token_handle, TokenUser, ctypes.byref(token_user_buffer), ctypes.sizeof(token_user_buffer), ctypes.byref(dw_returned))
+	ctypes.windll.kernel32.CloseHandle(token_handle)
+	if not result:
+		return None
+	return cstruct_unpack(TOKEN_USER, token_user_buffer)
+
+def get_username_from_token(token_user):
+	user = (ctypes.c_char * 512)()
+	domain = (ctypes.c_char * 512)()
+	user_len = ctypes.c_uint32()
+	user_len.value = ctypes.sizeof(user)
+	domain_len = ctypes.c_uint32()
+	domain_len.value = ctypes.sizeof(domain)
+	use = ctypes.c_ulong()
+	use.value = 0
+	if not ctypes.windll.advapi32.LookupAccountSidA(None, token_user.User.Sid, user, ctypes.byref(user_len), domain, ctypes.byref(domain_len), ctypes.byref(use)):
+		return None
+	return str(ctypes.string_at(domain)) + '\\' + str(ctypes.string_at(user))
+
 def netlink_request(req_type):
 	import select
 	# See RFC 3549
@@ -632,11 +666,6 @@ def channel_open_stdapi_net_tcp_server(request, response):
 	response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
 	return ERROR_SUCCESS, response
 
-@meterpreter.register_function
-def stdapi_sys_config_getuid(request, response):
-	response += tlv_pack(TLV_TYPE_USER_NAME, getpass.getuser())
-	return ERROR_SUCCESS, response
-
 @meterpreter.register_function
 def stdapi_sys_config_getenv(request, response):
 	for env_var in packet_enum_tlvs(request, TLV_TYPE_ENV_VARIABLE):
@@ -649,6 +678,32 @@ def stdapi_sys_config_getenv(request, response):
 			response += tlv_pack(TLV_TYPE_ENV_GROUP, pgroup)
 	return ERROR_SUCCESS, response
 
+@meterpreter.register_function_windll
+def stdapi_sys_config_getsid(request, response):
+	token = get_token_user(ctypes.windll.kernel32.GetCurrentProcess())
+	if not token:
+		return ERROR_FAILURE, response
+	sid_str = ctypes.c_char_p()
+	if not ctypes.windll.advapi32.ConvertSidToStringSidA(token.User.Sid, ctypes.byref(sid_str)):
+		return ERROR_FAILURE, response
+	sid_str = str(ctypes.string_at(sid_str))
+	response += tlv_pack(TLV_TYPE_SID, sid_str)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_sys_config_getuid(request, response):
+	if has_windll:
+		token = get_token_user(ctypes.windll.kernel32.GetCurrentProcess())
+		if not token:
+			return ERROR_FAILURE, response
+		username = get_username_from_token(token)
+		if not username:
+			return ERROR_FAILURE, response
+	else:
+		username = getpass.getuser()
+	response += tlv_pack(TLV_TYPE_USER_NAME, username)
+	return ERROR_SUCCESS, response
+
 @meterpreter.register_function
 def stdapi_sys_config_sysinfo(request, response):
 	uname_info = platform.uname()
@@ -821,26 +876,10 @@ def stdapi_sys_process_get_processes_via_windll(request, response):
 			exe_path = ctypes.string_at(exe_path)
 		else:
 			exe_path = ''
-		complete_username = ''
-		tkn_h = ctypes.c_long()
-		tkn_len = ctypes.c_uint32()
-		if ctypes.windll.advapi32.OpenProcessToken(proc_h, TOKEN_QUERY, ctypes.byref(tkn_h)):
-			ctypes.windll.advapi32.GetTokenInformation(tkn_h, TokenUser, None, 0, ctypes.byref(tkn_len))
-			buf = (ctypes.c_ubyte * tkn_len.value)()
-			if ctypes.windll.advapi32.GetTokenInformation(tkn_h, TokenUser, ctypes.byref(buf), ctypes.sizeof(buf), ctypes.byref(tkn_len)):
-				user_tkn = SID_AND_ATTRIBUTES()
-				ctypes.memmove(ctypes.byref(user_tkn), buf, ctypes.sizeof(user_tkn))
-				username = (ctypes.c_char * 512)()
-				domain = (ctypes.c_char * 512)()
-				u_len = ctypes.c_uint32()
-				u_len.value = ctypes.sizeof(username)
-				d_len = ctypes.c_uint32()
-				d_len.value = ctypes.sizeof(domain)
-				use = ctypes.c_ulong()
-				use.value = 0
-				ctypes.windll.advapi32.LookupAccountSidA(None, user_tkn.Sid, username, ctypes.byref(u_len), domain, ctypes.byref(d_len), ctypes.byref(use))
-				complete_username = str(ctypes.string_at(domain)) + '\\' + str(ctypes.string_at(username))
-			k32.CloseHandle(tkn_h)
+		process_username = ''
+		process_token_user = get_token_user(proc_h)
+		if process_token_user:
+			process_username = get_username_from_token(process_token_user) or ''
 		parch = windll_GetNativeSystemInfo()
 		is_wow64 = ctypes.c_ubyte()
 		is_wow64.value = 0
@@ -851,7 +890,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response):
 		pgroup  = bytes()
 		pgroup += tlv_pack(TLV_TYPE_PID, pe32.th32ProcessID)
 		pgroup += tlv_pack(TLV_TYPE_PARENT_PID, pe32.th32ParentProcessID)
-		pgroup += tlv_pack(TLV_TYPE_USER_NAME, complete_username)
+		pgroup += tlv_pack(TLV_TYPE_USER_NAME, process_username)
 		pgroup += tlv_pack(TLV_TYPE_PROCESS_NAME, pe32.szExeFile)
 		pgroup += tlv_pack(TLV_TYPE_PROCESS_PATH, exe_path)
 		pgroup += tlv_pack(TLV_TYPE_PROCESS_ARCH, parch)

data/meterpreter/ext_server_stdapi.py

@@ -80,13 +80,18 @@ def self.optionally_include_metasploit_credential_creation(including_module)
       # @return [void]
       def self.optionally_require_metasploit_db_gem_engines
         optionally(
-          'metasploit/credential/engine',
-          'metasploit-credential not in the bundle',
-        )
+            'metasploit/credential',
+            'metasploit-credential not in the bundle',
+        ) do
+          require 'metasploit/credential/engine'
+        end
+
         optionally(
-          'metasploit_data_models/engine',
-          'metaspoit_data_models not in the bundle'
-        )
+          'metasploit_data_models',
+          'metasploit_data_models not in the bundle'
+        ) do
+          require 'metasploit_data_models/engine'
+        end
       end
 
       #