Merge branch 'upstream/master' into clipboard_monitor

Conflicts:
	lib/rex/post/meterpreter/extensions/extapi/tlv.rb

Author: OJ

lib/msf/base/sessions/meterpreter.rb

@@ -303,52 +303,20 @@ def load_session_info()
         safe_info.gsub!(/[\x00-\x08\x0b\x0c\x0e-\x19\x7f-\xff]+/n,"_")
         self.info = safe_info
 
-        # Enumerate network interfaces to detect IP
-        ifaces   = self.net.config.get_interfaces().flatten rescue []
-        routes   = self.net.config.get_routes().flatten rescue []
-        shost    = self.session_host
-
-        # Try to match our visible IP to a real interface
-        # TODO: Deal with IPv6 addresses
-        found    = !!(ifaces.find {|i| i.addrs.find {|a| a == shost } })
-        nhost    = nil
-        hobj     = nil
-
-        if Rex::Socket.is_ipv4?(shost) and not found
-
-          # Try to find an interface with a default route
-          default_routes = routes.select{ |r| r.subnet == "0.0.0.0" || r.subnet == "::" }
-          default_routes.each do |r|
-            ifaces.each do |i|
-              bits = Rex::Socket.net2bitmask( i.netmask ) rescue 32
-              rang = Rex::Socket::RangeWalker.new( "#{i.ip}/#{bits}" ) rescue nil
-              if rang and rang.include?( r.gateway )
-                nhost = i.ip
-                break
-              end
-            end
-            break if nhost
-          end
+        hobj = nil
 
-          # Find the first non-loopback address
-          if not nhost
-            iface = ifaces.select{|i| i.ip != "127.0.0.1" and i.ip != "::1" }
-            if iface.length > 0
-              nhost = iface.first.ip
-            end
-          end
-        end
+        nhost = find_internet_connected_address
 
+        original_session_host = self.session_host
         # If we found a better IP address for this session, change it up
         # only handle cases where the DB is not connected here
-        if  not (framework.db and framework.db.active)
+        if !(framework.db && framework.db.active)
           self.session_host = nhost
         end
 
-
         # The rest of this requires a database, so bail if it's not
         # there
-        return if not (framework.db and framework.db.active)
+        return if !(framework.db && framework.db.active)
 
         ::ActiveRecord::Base.connection_pool.with_connection {
           wspace = framework.db.find_workspace(workspace)
@@ -384,18 +352,18 @@ def load_session_info()
           if nhost
             framework.db.report_note({
               :type      => "host.nat.server",
-              :host      => shost,
+              :host      => original_session_host,
               :workspace => wspace,
               :data      => { :info   => "This device is acting as a NAT gateway for #{nhost}", :client => nhost },
               :update    => :unique_data
             })
-            framework.db.report_host(:host => shost, :purpose => 'firewall' )
+            framework.db.report_host(:host => original_session_host, :purpose => 'firewall' )
 
             framework.db.report_note({
               :type      => "host.nat.client",
               :host      => nhost,
               :workspace => wspace,
-              :data      => { :info => "This device is traversing NAT gateway #{shost}", :server => shost },
+              :data      => { :info => "This device is traversing NAT gateway #{original_session_host}", :server => original_session_host },
               :update    => :unique_data
             })
             framework.db.report_host(:host => nhost, :purpose => 'client' )
@@ -470,6 +438,60 @@ def create(param)
 
   attr_accessor :rstream # :nodoc:
 
+  # Rummage through this host's routes and interfaces looking for an
+  # address that it uses to talk to the internet.
+  #
+  # @see Rex::Post::Meterpreter::Extensions::Stdapi::Net::Config#get_interfaces
+  # @see Rex::Post::Meterpreter::Extensions::Stdapi::Net::Config#get_routes
+  # @return [String] The address from which this host reaches the
+  #   internet, as ASCII. e.g.: "192.168.100.156"
+  def find_internet_connected_address
+
+    ifaces = self.net.config.get_interfaces().flatten rescue []
+    routes = self.net.config.get_routes().flatten rescue []
+
+    # Try to match our visible IP to a real interface
+    found = !!(ifaces.find { |i| i.addrs.find { |a| a == session_host } })
+    nhost = nil
+
+    # If the host has no address that matches what we see, then one of
+    # us is behind NAT so we have to look harder.
+    if !found
+      # Grab all routes to the internet
+      default_routes = routes.select { |r| r.subnet == "0.0.0.0" || r.subnet == "::" }
+
+      default_routes.each do |route|
+        # Now try to find an interface whose network includes this
+        # Route's gateway, which means it's the one the host uses to get
+        # to the interweb.
+        ifaces.each do |i|
+          # Try all the addresses this interface has configured
+          addr_and_mask = i.addrs.zip(i.netmasks).find do |addr, netmask|
+            bits = Rex::Socket.net2bitmask( netmask )
+            range = Rex::Socket::RangeWalker.new("#{addr}/#{bits}") rescue nil
+
+            !!(range && range.valid? && range.include?(route.gateway))
+          end
+          if addr_and_mask
+            nhost = addr_and_mask[0]
+            break
+          end
+        end
+        break if nhost
+      end
+
+      if !nhost
+        # Find the first non-loopback address
+        non_loopback = ifaces.find { |i| i.ip != "127.0.0.1" && i.ip != "::1" }
+        if non_loopback
+          nhost = non_loopback.ip
+        end
+      end
+    end
+
+    nhost
+  end
+
 end
 
 end

lib/msf/core/db.rb

@@ -5631,19 +5631,19 @@ def find_qualys_asset_vuln_refs(doc)
 
   # Pull out vulnerabilities that have at least one matching
   # ref -- many "vulns" are not vulns, just audit information.
-  def find_qualys_asset_vulns(host,wspace,hobj,vuln_refs,&block)
+  def find_qualys_asset_vulns(host,wspace,hobj,vuln_refs,task_id,&block)
     host.elements.each("VULN_INFO_LIST/VULN_INFO") do |vi|
       next unless vi.elements["QID"]
       vi.elements.each("QID") do |qid|
         next if vuln_refs[qid.text].nil? || vuln_refs[qid.text].empty?
-        handle_qualys(wspace, hobj, nil, nil, qid.text, nil, vuln_refs[qid.text], nil,nil, args[:task])
+        handle_qualys(wspace, hobj, nil, nil, qid.text, nil, vuln_refs[qid.text], nil, nil, task_id)
       end
     end
   end
 
   # Takes QID numbers and finds the discovered services in
   # a qualys_asset_xml.
-  def find_qualys_asset_ports(i,host,wspace,hobj)
+  def find_qualys_asset_ports(i,host,wspace,hobj,task_id)
     return unless (i == 82023 || i == 82004)
     proto = i == 82023 ? 'tcp' : 'udp'
     qid = host.elements["VULN_INFO_LIST/VULN_INFO/QID[@id='qid_#{i}']"]
@@ -5656,7 +5656,7 @@ def find_qualys_asset_ports(i,host,wspace,hobj)
         else
           name = match[2].strip
         end
-        handle_qualys(wspace, hobj, match[0].to_s, proto, 0, nil, nil, name, nil, args[:task])
+        handle_qualys(wspace, hobj, match[0].to_s, proto, 0, nil, nil, name, nil, task_id)
       end
     end
   end
@@ -5700,11 +5700,11 @@ def import_qualys_asset_xml(args={}, &block)
       end
 
       # Report open ports.
-      find_qualys_asset_ports(82023,host,wspace,hobj) # TCP
-      find_qualys_asset_ports(82004,host,wspace,hobj) # UDP
+      find_qualys_asset_ports(82023,host,wspace,hobj, args[:task]) # TCP
+      find_qualys_asset_ports(82004,host,wspace,hobj, args[:task]) # UDP
 
       # Report vulns
-      find_qualys_asset_vulns(host,wspace,hobj,vuln_refs,&block)
+      find_qualys_asset_vulns(host,wspace,hobj,vuln_refs, args[:task],&block)
 
     end # host
 

lib/msf/core/exploit.rb

@@ -65,33 +65,41 @@ module CompatDefaults
   ##
   #
   # The various check codes that can be returned from the ``check'' routine.
+  # Please read the following wiki to learn how these codes are used:
+  # https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-check()-method
   #
   ##
   module CheckCode
 
     #
-    # Can't tell if the target is exploitable or not.
+    # Can't tell if the target is exploitable or not. This is recommended if the module fails to
+    # retrieve enough information from the target machine, such as due to a timeout.
     #
     Unknown     = [ 'unknown', "Cannot reliably check exploitability."]
 
     #
-    # The target is safe and is therefore not exploitable.
+    # The target is safe and is therefore not exploitable. This is recommended after the check
+    # fails to trigger the vulnerability, or even detect the service.
     #
     Safe        = [ 'safe', "The target is not exploitable." ]
 
     #
-    # The target is running the service in question but may not be
-    # exploitable.
+    # The target is running the service in question, but the check fails to determine whether
+    # the target is vulnerable or not.
     #
     Detected    = [ 'detected', "The target service is running, but could not be validated." ]
 
     #
-    # The target appears to be vulnerable.
+    # The target appears to be vulnerable. This is recommended if the vulnerability is determined
+    # based on passive reconnaissance. For example: version, banner grabbing, or having the resource
+    # that's known to be vulnerable.
     #
     Appears     = [ 'appears', "The target appears to be vulnerable." ]
 
     #
-    # The target is vulnerable.
+    # The target is vulnerable. Only used if the check is able to actually take advantage of the
+    # bug, and obtain hard evidence. For example: executing a command on the target machine, and
+    # retrieve the output.
     #
     Vulnerable  = [ 'vulnerable', "The target is vulnerable." ]
 

lib/msf/core/exploit/http/client.rb

@@ -187,14 +187,14 @@ def connect(opts={})
       'uri_fake_end'           => datastore['HTTP::uri_fake_end'],
       'uri_fake_params_start'  => datastore['HTTP::uri_fake_params_start'],
       'header_folding'         => datastore['HTTP::header_folding'],
-      'usentlm2_session' => datastore['NTLM::UseNTLM2_session'],
-      'use_ntlmv2'       => datastore['NTLM::UseNTLMv2'],
-      'send_lm'         => datastore['NTLM::SendLM'],
-      'send_ntlm'       => datastore['NTLM::SendNTLM'],
-      'SendSPN'  => datastore['NTLM::SendSPN'],
-      'UseLMKey' => datastore['NTLM::UseLMKey'],
-      'domain' => datastore['DOMAIN'],
-      'DigestAuthIIS' => datastore['DigestAuthIIS']
+      'usentlm2_session'       => datastore['NTLM::UseNTLM2_session'],
+      'use_ntlmv2'             => datastore['NTLM::UseNTLMv2'],
+      'send_lm'                => datastore['NTLM::SendLM'],
+      'send_ntlm'              => datastore['NTLM::SendNTLM'],
+      'SendSPN'                => datastore['NTLM::SendSPN'],
+      'UseLMKey'               => datastore['NTLM::UseLMKey'],
+      'domain'                 => datastore['DOMAIN'],
+      'DigestAuthIIS'          => datastore['DigestAuthIIS']
     )
 
     # If this connection is global, persist it

lib/msf/core/exploit/http/server.rb

@@ -181,7 +181,8 @@ def start_service(opts = {})
         'MsfExploit' => self,
       },
       opts['Comm'],
-      datastore['SSLCert']
+      datastore['SSLCert'],
+      datastore['SSLCompression']
     )
 
     self.service.server_name = datastore['HTTP::server_name']
@@ -200,6 +201,13 @@ def start_service(opts = {})
 
     proto = (datastore["SSL"] ? "https" : "http")
 
+    # SSLCompression may or may not actually be available. For example, on
+    # Ubuntu, it's disabled by default, unless the correct environment
+    # variable is set. See https://github.com/rapid7/metasploit-framework/pull/2666
+    if proto == "https" and datastore['SSLCompression']
+      print_status("Intentionally using insecure SSL compression. Your operating system might not respect this!")
+    end
+
     print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")
 
     if (opts['ServerHost'] == '0.0.0.0')

lib/msf/core/exploit/tcp.rb

@@ -98,15 +98,15 @@ def connect(global = true, opts={})
     end
 
     nsock = Rex::Socket::Tcp.create(
-      'PeerHost'  =>  opts['RHOST'] || rhost,
-      'PeerPort'  => (opts['RPORT'] || rport).to_i,
-      'LocalHost' =>  opts['CHOST'] || chost || "0.0.0.0",
-      'LocalPort' => (opts['CPORT'] || cport || 0).to_i,
-      'SSL'       =>  dossl,
-      'SSLVersion'=>  opts['SSLVersion'] || ssl_version,
-      'Proxies'   => proxies,
-      'Timeout'   => (opts['ConnectTimeout'] || connect_timeout || 10).to_i,
-      'Context'   =>
+      'PeerHost'   =>  opts['RHOST'] || rhost,
+      'PeerPort'   => (opts['RPORT'] || rport).to_i,
+      'LocalHost'  =>  opts['CHOST'] || chost || "0.0.0.0",
+      'LocalPort'  => (opts['CPORT'] || cport || 0).to_i,
+      'SSL'        =>  dossl,
+      'SSLVersion' =>  opts['SSLVersion'] || ssl_version,
+      'Proxies'    => proxies,
+      'Timeout'    => (opts['ConnectTimeout'] || connect_timeout || 10).to_i,
+      'Context'    =>
         {
           'Msf'        => framework,
           'MsfExploit' => self,
@@ -300,6 +300,7 @@ def initialize(info = {})
     register_advanced_options(
       [
         OptString.new('ListenerComm', [ false, 'The specific communication channel to use for this service']),
+        OptBool.new('SSLCompression', [ false, 'Enable SSL/TLS-level compression', false ])
       ], Msf::Exploit::Remote::TcpServer)
 
     register_evasion_options(
@@ -379,6 +380,7 @@ def start_service(*args)
         'LocalPort' => srvport,
         'SSL'       => ssl,
         'SSLCert'   => ssl_cert,
+        'SSLCompression' => opts['SSLCompression'] || ssl_compression,
         'Comm'      => comm,
         'Context'   =>
           {
@@ -464,6 +466,11 @@ def ssl_cert
     datastore['SSLCert']
   end
 
+  # @return [Bool] enable SSL/TLS-level compression
+  def ssl_compression
+    datastore['SSLCompression']
+  end
+
   #
   # Re-generates the payload, substituting the current RHOST and RPORT with
   # the supplied client host and port from the socket.

lib/msf/core/post/windows.rb

@@ -1,6 +1,7 @@
 
 module Msf::Post::Windows
   require 'msf/core/post/windows/error'
+  require 'msf/core/post/windows/extapi'
   require 'msf/core/post/windows/accounts'
   require 'msf/core/post/windows/cli_parse'
   require 'msf/core/post/windows/eventlog'
@@ -13,4 +14,5 @@ module Msf::Post::Windows
   require 'msf/core/post/windows/services'
   require 'msf/core/post/windows/shadowcopy'
   require 'msf/core/post/windows/user_profiles'
+  require 'msf/core/post/windows/ldap'
 end

lib/msf/core/post/windows/extapi.rb

@@ -0,0 +1,25 @@
+# -*- coding: binary -*-
+
+module Msf
+class Post
+module Windows
+
+module ExtAPI
+
+  def load_extapi
+    if session.extapi
+      return true
+    else
+      begin
+        return session.core.use("extapi")
+      rescue Errno::ENOENT
+        print_error("Unable to load Extended API.")
+        return false
+      end
+    end
+  end
+
+end # ExtAPI
+end # Windows
+end # Post
+end # Msf