Merge branch 'master' into bug/MSP-11592/blank-password-failure

Author: David Maloney

.rubocop.yml

@@ -8,7 +8,7 @@
 
 # inherit_from: .rubocop_todo.yml
 
-Style/ClassLength:
+Metrics/ClassLength:
   Description: 'Most Metasploit modules are quite large. This is ok.'
   Enabled: true
   Exclude:
@@ -25,14 +25,14 @@ Style/Encoding:
   Description: 'We prefer binary to UTF-8.'
   EnforcedStyle: 'when_needed'
 
-Style/LineLength:
+Metrics/LineLength:
   Description: >-
                   Metasploit modules often pattern match against very
                   long strings when identifying targets.
   Enabled: true
   Max: 180
 
-Style/MethodLength:
+Metrics/MethodLength:
   Enabled: true
   Description: >-
                   While the style guide suggests 10 lines, exploit definitions
@@ -44,6 +44,11 @@ Style/MethodLength:
 Style/Encoding:
   Enabled: false
 
+# %q() is super useful for long strings split over multiple lines and
+# is very common in module constructors for things like descriptions
+Style/UnneededPercentQ:
+  Enabled: false
+
 Style/NumericLiterals:
   Enabled: false
   Description: 'This often hurts readability for exploit-ish code.'

Gemfile.lock

@@ -22,7 +22,7 @@ PATH
       tzinfo
     metasploit-framework-db (4.10.1.pre.dev)
       activerecord (< 4.0.0)
-      metasploit-credential (~> 0.13.0)
+      metasploit-credential (~> 0.12.0)
       metasploit-framework (= 4.10.1.pre.dev)
       metasploit_data_models (~> 0.21.1)
       pg (>= 0.11)
@@ -112,7 +112,7 @@ GEM
     metasploit-concern (0.3.0)
       activesupport (~> 3.0, >= 3.0.0)
       railties (< 4.0.0)
-    metasploit-credential (0.13.1)
+    metasploit-credential (0.12.0)
       metasploit-concern (~> 0.3.0)
       metasploit-model (~> 0.28.0)
       metasploit_data_models (~> 0.21.0)
@@ -135,12 +135,12 @@ GEM
     meterpreter_bins (0.0.10)
     method_source (0.8.2)
     mime-types (1.25.1)
-    mini_portile (0.6.1)
+    mini_portile (0.6.0)
     msgpack (0.5.9)
     multi_json (1.0.4)
     network_interface (0.0.1)
-    nokogiri (1.6.4.1)
-      mini_portile (~> 0.6.0)
+    nokogiri (1.6.3.1)
+      mini_portile (= 0.6.0)
     packetfu (1.1.9)
     pcaprub (0.11.3)
     pg (0.17.1)
@@ -175,7 +175,7 @@ GEM
     rb-readline (0.5.1)
     rdoc (3.12.2)
       json (~> 1.4)
-    recog (1.0.5)
+    recog (1.0.0)
       nokogiri
     redcarpet (3.1.2)
     rkelly-remix (0.0.6)
@@ -207,7 +207,7 @@ GEM
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
     slop (3.6.0)
-    sprockets (2.2.3)
+    sprockets (2.2.2)
       hike (~> 1.2)
       multi_json (~> 1.0)
       rack (~> 1.0)
@@ -219,7 +219,7 @@ GEM
     treetop (1.4.15)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.42)
+    tzinfo (0.3.41)
     xpath (2.0.0)
       nokogiri (~> 1.3)
     yard (0.8.7.4)

data/logos/metasploit-trail.txt

@@ -0,0 +1,41 @@
+%clr
+%mag     .~+P``````-o+:.                                      -o+:.%clr
+%mag.+oooyysyyssyyssyddh++os-`````                        ```````````````          `%clr
+%mag+++++++++++++++++++++++sydhyoyso/:.````...`...-///::+ohhyosyyosyy/+om++:ooo///o%clr
+%mag++++///////~~~~///////++++++++++++++++ooyysoyysosso+++++++++++++++++++///oossosy%clr
+%mag--.`                 .-.-...-////+++++++++++++++////////~~//////++++++++++++///%clr
+%mag                                `...............`              `...-/////...`%clr
+%clr
+%clr
+%whi                                  .::::::::::-.                     .::::::-%clr
+%whi                                .hmMMMMMMMMMMNddds\...//M\\.../hddddmMMMMMMNo%clr
+%whi                                 :Nm-/NMMMMMMMMMMMMM%blu$$%whiNMMMMm%blu&&%whiMMMMMMMMMMMMMMy%clr
+%whi                                 .sm/`-yMMMMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMMMMh`%clr
+%whi                                  -Nd`  :MMMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMMMh`%clr
+%whi                                   -Nh` .yMMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMMm/%clr
+%whi    `oo/``-hd:  ``                 .sNd  :MMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMm/%clr
+%whi      .yNmMMh%dred//%whi+syysso-``````       -mh` :MMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMd%clr
+%whi    .shMMMMN%dred//%whidmNMMMMMMMMMMMMs`     `:```-o++++oooo+:/ooooo+:+o+++oooo++/%clr
+%whi    `///omh%dred//%whidMMMMMMMMMMMMMMMN/%dred:::::/+ooso--/ydh//+s+/ossssso:--syN///os:%clr
+%whi          /MMMMMMMMMMMMMMMMMMd.     %dred`/++-.-yy/%whi...%dredosydh/-+oo:-`o//%whi...%dredoyodh+%clr
+%whi          -hMMmssddd+:dMMmNMMh.     %dred`.-=mmk.%whi//^^^\\%dred.^^`:++:^^o:%whi//^^^\\%dred`::%clr
+%whi          .sMMmo.    -dMd--:mN/`           %whi||--X--||%clr          %dred%whi||--X--||%clr
+%whi........../yddy/:...+hmo-...hdd:............%whi\\=v=//%clr............%dred%whi\\=v=//%clr.........
+%grn================================================================================%clr
+%grn=====================%whi+--------------------------------+%grn=========================%clr
+%grn=====================%whi| Session one died of dysentery. |%grn=========================%clr
+%grn=====================%whi+--------------------------------+%grn=========================%clr
+%grn================================================================================%clr
+%clr
+%clr                     %grnPress ENTER to size up the situation%clr
+%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Date: April 25, 1848 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%% Weather: It's always cool in the lab %%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%% Health: Overweight %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%% Caffeine: 12975 mg %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%% Hacked: All the things %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%whi%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
+%clr
+%clr                        %whiPress SPACE BAR to continue%clr
+%clr

data/meterpreter/ext_server_stdapi.py

@@ -215,6 +215,9 @@ class SYSTEM_INFO(ctypes.Structure):
 			("wProcessorLevel", ctypes.c_uint16),
 			("wProcessorRevision", ctypes.c_uint16)]
 
+	class TOKEN_USER(ctypes.Structure):
+		_fields_ = [("User", SID_AND_ATTRIBUTES)]
+
 	#
 	# Linux Structures
 	#
@@ -364,6 +367,7 @@ class RTATTR(ctypes.Structure):
 TLV_TYPE_OS_NAME               = TLV_META_TYPE_STRING  | 1041
 TLV_TYPE_USER_NAME             = TLV_META_TYPE_STRING  | 1042
 TLV_TYPE_ARCHITECTURE          = TLV_META_TYPE_STRING  | 1043
+TLV_TYPE_SID                   = TLV_META_TYPE_STRING  | 1045
 
 ##
 # Environment
@@ -525,6 +529,36 @@ def get_stat_buffer(path):
 	st_buf += struct.pack('<II', blksize, blocks)
 	return st_buf
 
+def get_token_user(handle):
+	TOKEN_QUERY = 0x0008
+	TokenUser = 1
+	advapi32 = ctypes.windll.advapi32
+	advapi32.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
+
+	token_handle = ctypes.c_void_p()
+	if not advapi32.OpenProcessToken(handle, TOKEN_QUERY, ctypes.byref(token_handle)):
+		return None
+	token_user_buffer = (ctypes.c_byte * 4096)()
+	dw_returned = ctypes.c_uint32()
+	result = advapi32.GetTokenInformation(token_handle, TokenUser, ctypes.byref(token_user_buffer), ctypes.sizeof(token_user_buffer), ctypes.byref(dw_returned))
+	ctypes.windll.kernel32.CloseHandle(token_handle)
+	if not result:
+		return None
+	return cstruct_unpack(TOKEN_USER, token_user_buffer)
+
+def get_username_from_token(token_user):
+	user = (ctypes.c_char * 512)()
+	domain = (ctypes.c_char * 512)()
+	user_len = ctypes.c_uint32()
+	user_len.value = ctypes.sizeof(user)
+	domain_len = ctypes.c_uint32()
+	domain_len.value = ctypes.sizeof(domain)
+	use = ctypes.c_ulong()
+	use.value = 0
+	if not ctypes.windll.advapi32.LookupAccountSidA(None, token_user.User.Sid, user, ctypes.byref(user_len), domain, ctypes.byref(domain_len), ctypes.byref(use)):
+		return None
+	return str(ctypes.string_at(domain)) + '\\' + str(ctypes.string_at(user))
+
 def netlink_request(req_type):
 	import select
 	# See RFC 3549
@@ -632,11 +666,6 @@ def channel_open_stdapi_net_tcp_server(request, response):
 	response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
 	return ERROR_SUCCESS, response
 
-@meterpreter.register_function
-def stdapi_sys_config_getuid(request, response):
-	response += tlv_pack(TLV_TYPE_USER_NAME, getpass.getuser())
-	return ERROR_SUCCESS, response
-
 @meterpreter.register_function
 def stdapi_sys_config_getenv(request, response):
 	for env_var in packet_enum_tlvs(request, TLV_TYPE_ENV_VARIABLE):
@@ -649,6 +678,32 @@ def stdapi_sys_config_getenv(request, response):
 			response += tlv_pack(TLV_TYPE_ENV_GROUP, pgroup)
 	return ERROR_SUCCESS, response
 
+@meterpreter.register_function_windll
+def stdapi_sys_config_getsid(request, response):
+	token = get_token_user(ctypes.windll.kernel32.GetCurrentProcess())
+	if not token:
+		return ERROR_FAILURE, response
+	sid_str = ctypes.c_char_p()
+	if not ctypes.windll.advapi32.ConvertSidToStringSidA(token.User.Sid, ctypes.byref(sid_str)):
+		return ERROR_FAILURE, response
+	sid_str = str(ctypes.string_at(sid_str))
+	response += tlv_pack(TLV_TYPE_SID, sid_str)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_sys_config_getuid(request, response):
+	if has_windll:
+		token = get_token_user(ctypes.windll.kernel32.GetCurrentProcess())
+		if not token:
+			return ERROR_FAILURE, response
+		username = get_username_from_token(token)
+		if not username:
+			return ERROR_FAILURE, response
+	else:
+		username = getpass.getuser()
+	response += tlv_pack(TLV_TYPE_USER_NAME, username)
+	return ERROR_SUCCESS, response
+
 @meterpreter.register_function
 def stdapi_sys_config_sysinfo(request, response):
 	uname_info = platform.uname()
@@ -821,26 +876,10 @@ def stdapi_sys_process_get_processes_via_windll(request, response):
 			exe_path = ctypes.string_at(exe_path)
 		else:
 			exe_path = ''
-		complete_username = ''
-		tkn_h = ctypes.c_long()
-		tkn_len = ctypes.c_uint32()
-		if ctypes.windll.advapi32.OpenProcessToken(proc_h, TOKEN_QUERY, ctypes.byref(tkn_h)):
-			ctypes.windll.advapi32.GetTokenInformation(tkn_h, TokenUser, None, 0, ctypes.byref(tkn_len))
-			buf = (ctypes.c_ubyte * tkn_len.value)()
-			if ctypes.windll.advapi32.GetTokenInformation(tkn_h, TokenUser, ctypes.byref(buf), ctypes.sizeof(buf), ctypes.byref(tkn_len)):
-				user_tkn = SID_AND_ATTRIBUTES()
-				ctypes.memmove(ctypes.byref(user_tkn), buf, ctypes.sizeof(user_tkn))
-				username = (ctypes.c_char * 512)()
-				domain = (ctypes.c_char * 512)()
-				u_len = ctypes.c_uint32()
-				u_len.value = ctypes.sizeof(username)
-				d_len = ctypes.c_uint32()
-				d_len.value = ctypes.sizeof(domain)
-				use = ctypes.c_ulong()
-				use.value = 0
-				ctypes.windll.advapi32.LookupAccountSidA(None, user_tkn.Sid, username, ctypes.byref(u_len), domain, ctypes.byref(d_len), ctypes.byref(use))
-				complete_username = str(ctypes.string_at(domain)) + '\\' + str(ctypes.string_at(username))
-			k32.CloseHandle(tkn_h)
+		process_username = ''
+		process_token_user = get_token_user(proc_h)
+		if process_token_user:
+			process_username = get_username_from_token(process_token_user) or ''
 		parch = windll_GetNativeSystemInfo()
 		is_wow64 = ctypes.c_ubyte()
 		is_wow64.value = 0
@@ -851,7 +890,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response):
 		pgroup  = bytes()
 		pgroup += tlv_pack(TLV_TYPE_PID, pe32.th32ProcessID)
 		pgroup += tlv_pack(TLV_TYPE_PARENT_PID, pe32.th32ParentProcessID)
-		pgroup += tlv_pack(TLV_TYPE_USER_NAME, complete_username)
+		pgroup += tlv_pack(TLV_TYPE_USER_NAME, process_username)
 		pgroup += tlv_pack(TLV_TYPE_PROCESS_NAME, pe32.szExeFile)
 		pgroup += tlv_pack(TLV_TYPE_PROCESS_PATH, exe_path)
 		pgroup += tlv_pack(TLV_TYPE_PROCESS_ARCH, parch)

lib/msf/core/auxiliary/scanner.rb

@@ -59,9 +59,15 @@ def run
   @tl = []
 
   #
-  # Sanity check threading on different platforms
+  # Sanity check threading given different conditions
   #
 
+  if datastore['CPORT'].to_i != 0 && threads_max > 1
+    print_error("Warning: A maximum of one thread is possible when a source port is set (CPORT)")
+    print_error("Thread count has been adjusted to 1")
+    threads_max = 1
+  end
+
   if(Rex::Compat.is_windows)
     if(threads_max > 16)
       print_error("Warning: The Windows platform cannot reliably support more than 16 threads")
@@ -241,10 +247,10 @@ def scanner_progress
 
 def scanner_show_progress
   pct = scanner_progress
-  if(pct >= (@range_percent + @show_percent))
+  if pct >= (@range_percent + @show_percent)
     @range_percent = @range_percent + @show_percent
     tdlen = @range_count.to_s.length
-    print_status("Scanned #{"%.#{tdlen}d" % @range_done} of #{@range_count} hosts (#{"%.3d" % pct.to_i}% complete)")
+    print_status(sprintf("Scanned %#{tdlen}d of %d hosts (%d%% complete)", @range_done, @range_count, pct))
   end
 end