Armitage 01.23.13

This update to Armitage adds the ability to assign labels to hosts
and create dynamic workspaces based on these labs. This update also
adds helpers to configure USERNAME/PASSWORD options and EXE::Custom
and EXE::Template. Several bugs were fixed as well.

Author: rsmudge

data/armitage/armitage.jar

@@ -1,6 +1,32 @@
 Armitage Changelog
 ==================
 
+23 Jan 13 (tested against msf 16351)
+---------
+- Added helpers to set EXE::Custom and EXE::Template options.
+- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts
+- Cleaned up Armitage -> SOCKS Proxy job management code. The code to
+  check if a proxy server is up was deadlock prone. Removed it.
+- Starting SOCKS Proxy module now opens a tab displaying the module
+  start process. An event is posted to the event log too.
+- Created an option helper to select credentials for SMBUser, SMBPass, 
+  USERNAME, and PASSWORD. 
+- Added a feature to label hosts. A label will show up in its own column
+  in table view or below all info in graph view. Any team member may
+  change a label through [host] -> host -> Set Label. You may also use
+  dynamic workspaces to show hosts with certain labels attached.
+- Fixed bad things happening when connecting Armitage to 'localhost' and
+  not '127.0.0.1'.
+- Screenshots and Webcam shots are now centered in their tab.
+- Added an alternate .bat file to start msfrpcd on Windows in the
+  Metasploit 4.5 installer's environment.
+- Added a color-style for [!] warning messages
+
+Cortana Updates (for scripters)
+--------
+- &handler function now works as advertised.
+- Cortana now avoids use of core.setg
+
 4 Jan 13 (tested against msf 16252)
 --------
 - Added a helper to set REXE option

data/armitage/cortana.jar

@@ -16,6 +16,8 @@
 			depend="yes"
 			debug="true"
 			optimize="yes"
+			target="1.6"
+			source="1.6"
 			includeantruntime="fuckno"
 		>
 		       <classpath path="./lib/jgraphx.jar;./lib/sleep.jar;./lib/msgpack-0.5.1-devel.jar;./lib/postgresql-9.1-901.jdbc4.jar" />

data/armitage/whatsnew.txt

@@ -3,7 +3,7 @@
 		<center><h1>Armitage 1.45</h1></center>
 
 		<p>An attack management tool for Metasploit&reg;
-		<br />Release: 4 Jan 13</p>
+		<br />Release: 23 Jan 13</p>
 		<br />
 		<p>Developed by:</p>
 

external/source/armitage/build.xml

@@ -4,6 +4,7 @@
 ^msf  (.*?)\((.*?)\) >		\umsf\u  $1(\c4$2\o) >
 ^\[\*\] (.*)			\cC[*]\o $1
 ^\[\+\] (.*)			\c9[+]\o $1
+^\[\!\] (.*)			\c8[!]\o $1
 ^\[\-\] (.*)			\c4[-]\o $1
 ^       =\[ (.*)		       =[\c7 $1
 ^(=[=\s]+)			\cE$1

external/source/armitage/resources/about.html

@@ -0,0 +1,12 @@
+@echo off
+set BASE=$$BASE$$..\..\
+cd "%BASE%"
+set PATH=%BASE%ruby\bin;%BASE%java\bin;%BASE%tools;%BASE%nmap;%BASE%postgresql\bin;%PATH%
+IF NOT EXIST "%BASE%java" GOTO NO_JAVA
+set JAVA_HOME="%BASE%java"
+:NO_JAVA
+set MSF_DATABASE_CONFIG="%BASE%apps\pro\ui\config\database.yml"
+set MSF_BUNDLE_GEMS=0
+set BUNDLE_GEMFILE=%BASE%apps\pro\ui\Gemfile
+cd "%BASE%apps\pro\msf3"
+rubyw msfrpcd -a 127.0.0.1 -U $$USER$$ -P $$PASS$$ -S -f -p $$PORT$$

external/source/armitage/resources/msfconsole.style

@@ -42,8 +42,13 @@ sub c_client {
 sub setupHandlers {
 	find_job("Exploit: multi/handler", {
 		if ($1 == -1) {
+			# set LPORT for the user...
+			local('$c');
+			$c = call($client, "console.allocate")['id'];
+			call($client, "console.write", $c, "setg LPORT " . randomPort() . "\n");
+			call($client, "console.release", $c);
+
 			# setup a handler for meterpreter
-			call($client, "core.setg", "LPORT", randomPort());
 			call($client, "module.execute", "exploit", "multi/handler", %(
 				PAYLOAD => "windows/meterpreter/reverse_tcp",
 				LHOST => "0.0.0.0",
@@ -55,7 +60,7 @@ sub setupHandlers {
 
 sub main {
 	global('$client $mclient');
-	local('%r $exception');
+	local('%r $exception $lhost $temp $c');
 
 	setField(^msf.MeterpreterSession, DEFAULT_WAIT => 20000L);
 
@@ -81,8 +86,24 @@ sub main {
 	# setup second thread.
         %r = call($client, "armitage.validate", $user, $pass, $null, "armitage", 120326);
 
+	# resolve lhost..
+	$c = call($client, "console.allocate")['id'];
+	call($client, "console.write", $c, "setg LHOST\n");
+	while ($lhost eq "") {
+		$temp = call($client, "console.read", $c)['data'];
+		if (["$temp" startsWith: "LHOST => "]) {
+			$lhost = substr(["$temp" trim], 9);
+		}
+		else {
+			# this shouldn't happen because having LHOST set is a precondition
+			# for Cortana to connect to a team server.
+			sleep(1000);
+		}
+	}
+	call($client, "console.release", $c);
+
 	# pass some objects back yo.
-	[$loader passObjects: $client, $mclient];
+	[$loader passObjects: $client, $mclient, $lhost];
 
 	# don't make previous messages available...
 	call($mclient, "armitage.skip");

external/source/armitage/resources/msfrpcd_new.bat

@@ -9,7 +9,7 @@ import msf.*;
 
 # setg("varname", "value")
 sub setg {
-	call_async("core.setg", $1, $2);
+	cmd_safe("setg $1 $2");
 }
 
 sub readg {
@@ -335,14 +335,22 @@ sub multi_handler {
 }
 
 sub handler {
-	local('%o $3');
-	if ($3) {
-		%o = copy($3);
-	}
+	local('%o $3 $key $value');
 
-	%o['PAYLOAD'] = "payload/ $+ $1";
+	# default options
+	%o['PAYLOAD'] = $1;
 	%o['LPORT']   = $2;
+	%o['DisablePayloadHandler'] = 'false';
+	%o['ExitOnSession']         = 'false';
+
+	# let the user override anything
+	if ($3) {
+		foreach $key => $value ($3) {
+			%o[$key] = $value;
+		}
+	}
 
+	# make sure LHOST is correct
 	if ('LHOST' !in %o) {
 		if ("*http*" iswm $1) {
 			%o['LHOST']   = lhost();
@@ -352,6 +360,7 @@ sub handler {
 		}
 	}
 
+	# let's do it...
 	return launch('exploit', 'multi/handler', %o);
 }
 

external/source/armitage/scripts-cortana/cortanadb.sl

@@ -59,7 +59,7 @@ sub showHost {
 		else if ("*XP*" iswm $match || "*2003*" iswm $match || "*.NET*" iswm $match) {
 			push(@overlay, 'resources/windowsxp.png');
 		}
-		else if ("*8*" iswm $match) {
+		else if ("*8*" iswm $match && "*2008*" !iswm $match) {
 			push(@overlay, 'resources/windows8.png');
 		}
 		else {
@@ -139,7 +139,7 @@ sub _connectToMetasploit {
 	$progress = [new ProgressMonitor: $null, "Connecting to $1 $+ : $+ $2", "first try... wish me luck.", 0, 100];
 
 	# keep track of whether we're connected to a local or remote Metasploit instance. This will affect what we expose.
-	$REMOTE = iff($1 eq "127.0.0.1", $null, 1);
+	$REMOTE = iff($1 eq "127.0.0.1" || $1 eq "::1" || $1 eq "localhost", $null, 1);
 
 	$flag = 10;
 	while ($flag) {
@@ -160,7 +160,7 @@ sub _connectToMetasploit {
 			}
 
 			# connecting locally? go to Metasploit directly...
-			if ($1 eq "127.0.0.1" || $1 eq "::1" || $1 eq "localhost") {
+			if ($REMOTE is $null) {
 				$client = [new MsgRpcImpl: $3, $4, $1, long($2), $null, $debug];
 				$aclient = [new RpcAsync: $client];
 				$mclient = $client;
@@ -239,10 +239,6 @@ sub _connectToMetasploit {
 		[$progress setNote: "Connected: ..."];
 		[$progress setProgress: 60];
 
-		if (!$REMOTE && %MSF_GLOBAL['ARMITAGE_TEAM'] eq '1') {
-			showErrorAndQuit("Do not connect to 127.0.0.1 when\nrunning a team server.");
-		}
-
 		dispatchEvent(&postSetup);
 	}, \$progress));
 }