Revert "Merge master"

This reverts commit 2056ff6.

Author: mbuck-r7

data/exploits/CVE-2014-0980.pui

@@ -145,7 +145,7 @@ download_more:
   test eax,eax           ; download failed? (optional?)
   jz failure
 
-  mov ax, word ptr [edi]
+  mov rax, [rdi]
   add rbx, rax           ; buffer += bytes_received
 
   test rax,rax           ; optional?

data/meterpreter/ext_server_networkpug.lso

@@ -42,7 +42,7 @@ def initialize(info = {})
                            [
                              true,
                              'Send a TTL=1 random UDP datagram to this host to discover the default gateway\'s MAC',
-                             '8.8.8.8']),
+                             'www.metasploit.com']),
             OptPort.new('GATEWAY_PROBE_PORT',
                         [
                           false,
@@ -143,6 +143,7 @@ def close_pcap
         return unless self.capture
         self.capture     = nil
         self.arp_capture = nil
+        GC.start()
       end
 
       def capture_extract_ies(raw)
@@ -162,15 +163,26 @@ def capture_extract_ies(raw)
       end
 
       #
-      # Loop through each packet
+      # This monstrosity works around a series of bugs in the interrupt
+      # signal handling of Ruby 1.9
       #
       def each_packet
         return unless capture
-        @capture_count ||= 0
-        capture.each do |pkt|
-          yield(pkt)
-          @capture_count += 1
+        begin
+          @capture_count = 0
+          reader         = framework.threads.spawn("PcapReceiver", false) do
+            capture.each do |pkt|
+              yield(pkt)
+              @capture_count += 1
+            end
+          end
+          reader.join
+        rescue ::Exception
+          raise $!
+        ensure
+          reader.kill if reader.alive?
         end
+
         @capture_count
       end
 
@@ -230,9 +242,10 @@ def inject_pcap(pcap_file, filter=nil, delay = 0, pcap=self.capture)
           pcap.inject(pkt)
           Rex.sleep((delay * 1.0)/1000)
         end
+        GC.start
       end
 
-      # capture_sendto is intended to replace the old Rex::Socket::Ip.sendto method. It requires
+      # Capture_sendto is intended to replace the old Rex::Socket::Ip.sendto method. It requires
       # a payload and a destination address. To send to the broadcast address, set bcast
       # to true (this will guarantee that packets will be sent even if ARP doesn't work
       # out).
@@ -249,20 +262,24 @@ def capture_sendto(payload="", dhost=nil, bcast=false, dev=nil)
 
       # The return value either be a PacketFu::Packet object, or nil
       def inject_reply(proto=:udp, pcap=self.capture)
-        # Defaults to ~2 seconds
-        to = (datastore['TIMEOUT'] * 4) / 1000.0
-        raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" if not pcap
-        begin
-          ::Timeout.timeout(to) do
-            pcap.each do |r|
-              packet = PacketFu::Packet.parse(r)
-              next unless packet.proto.map { |x| x.downcase.to_sym }.include? proto
-              return packet
+        reply = nil
+        to    = (datastore['TIMEOUT'] || 500).to_f / 1000.0
+        if not pcap
+          raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
+        else
+          begin
+            ::Timeout.timeout(to) do
+              pcap.each do |r|
+                packet = PacketFu::Packet.parse(r)
+                next unless packet.proto.map { |x| x.downcase.to_sym }.include? proto
+                reply = packet
+                break
+              end
             end
+          rescue ::Timeout::Error
           end
-        rescue ::Timeout::Error
         end
-       nil
+        return reply
       end
 
       # This ascertains the correct Ethernet addresses one should use to
@@ -311,19 +328,20 @@ def probe_gateway(addr)
         end
 
         begin
-          to = ((datastore['TIMEOUT'] || 500).to_f * 8) / 1000.0
+          to = (datastore['TIMEOUT'] || 1500).to_f / 1000.0
           ::Timeout.timeout(to) do
-            loop do
-              my_packet = inject_reply(:udp, self.arp_capture)
-              next unless my_packet
-              next unless my_packet.payload == secret
-              dst_mac = self.arp_cache[:gateway] = my_packet.eth_daddr
-              src_mac = self.arp_cache[Rex::Socket.source_address(addr)] = my_packet.eth_saddr
-              return [dst_mac, src_mac]
+            while (my_packet = inject_reply(:udp, self.arp_capture))
+              if my_packet.payload == secret
+                dst_mac = self.arp_cache[:gateway] = my_packet.eth_daddr
+                src_mac = self.arp_cache[Rex::Socket.source_address(addr)] = my_packet.eth_saddr
+                return [dst_mac, src_mac]
+              else
+                next
+              end
             end
           end
         rescue ::Timeout::Error
-          # Well, that didn't work (this is common on networks where there's no gateway, like
+          # Well, that didn't work (this common on networks where there's no gatway, like
           # VMWare network interfaces. We'll need to use a fake source hardware address.
           self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
         end
@@ -336,31 +354,26 @@ def arp(target_ip=nil)
         return self.arp_cache[:gateway] unless should_arp? target_ip
         source_ip = Rex::Socket.source_address(target_ip)
         raise RuntimeError, "Could not access the capture process." unless self.arp_capture
-
         p = arp_packet(target_ip, source_ip)
-
-        # Try up to 3 times to get an ARP response
-        1.upto(3) do
-          inject_eth(:eth_type  => 0x0806,
-            :payload   => p,
-            :pcap      => self.arp_capture,
-            :eth_saddr => self.arp_cache[Rex::Socket.source_address(target_ip)]
-          )
-          begin
-            to = ((datastore['TIMEOUT'] || 500).to_f * 8) / 1000.0
-            ::Timeout.timeout(to) do
-              loop do
-                my_packet = inject_reply(:arp, self.arp_capture)
-                next unless my_packet
-                next unless my_packet.arp_saddr_ip == target_ip
+        inject_eth(:eth_type  => 0x0806,
+          :payload   => p,
+          :pcap      => self.arp_capture,
+          :eth_saddr => self.arp_cache[Rex::Socket.source_address(target_ip)]
+        )
+        begin
+          to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
+          ::Timeout.timeout(to) do
+            while (my_packet = inject_reply(:arp, self.arp_capture))
+              if my_packet.arp_saddr_ip == target_ip
                 self.arp_cache[target_ip] = my_packet.eth_saddr
                 return self.arp_cache[target_ip]
+              else
+                next
               end
             end
-          rescue ::Timeout::Error
           end
+        rescue ::Timeout::Error
         end
-        nil
       end
 
       # Creates a full ARP packet, mainly for use with inject_eth()

data/meterpreter/ext_server_sniffer.lso

@@ -76,6 +76,7 @@ def close_icmp_pcap()
 
     return if not @ipv6_icmp6_capture
     @ipv6_icmp6_capture = nil
+    GC.start()
   end
 
   #

data/meterpreter/ext_server_stdapi.lso

@@ -256,11 +256,11 @@ def send_new_stage
       :expiration     => datastore['SessionExpirationTimeout'],
       :comm_timeout   => datastore['SessionCommunicationTimeout'],
       :ua             => datastore['MeterpreterUserAgent'],
-      :proxy_host     => datastore['PayloadProxyHost'],
-      :proxy_port     => datastore['PayloadProxyPort'],
-      :proxy_type     => datastore['PayloadProxyType'],
-      :proxy_user     => datastore['PayloadProxyUser'],
-      :proxy_pass     => datastore['PayloadProxyPass']
+      :proxyhost      => datastore['PROXYHOST'],
+      :proxyport      => datastore['PROXYPORT'],
+      :proxy_type     => datastore['PROXY_TYPE'],
+      :proxy_username => datastore['PROXY_USERNAME'],
+      :proxy_password => datastore['PROXY_PASSWORD']
 
     blob = encode_stage(blob)
 

data/meterpreter/msflinker_linux_x86.bin

@@ -58,25 +58,33 @@ def initialize(info = {})
       ], Msf::Handler::ReverseHttp)
   end
 
+  # Toggle for IPv4 vs IPv6 mode
+  #
+  def ipv6?
+    Rex::Socket.is_ipv6?(datastore['LHOST'])
+  end
+
   # Determine where to bind the server
   #
   # @return [String]
   def listener_address
-    if datastore['ReverseListenerBindAddress'].to_s == ""
-      bindaddr = Rex::Socket.is_ipv6?(datastore['LHOST']) ? '::' : '0.0.0.0'
+    if datastore['ReverseListenerBindAddress'].to_s.empty?
+      bindaddr = (ipv6?) ? '::' : '0.0.0.0'
     else
       bindaddr = datastore['ReverseListenerBindAddress']
     end
 
     bindaddr
   end
 
-  # Return a URI suitable for placing in a payload
-  #
   # @return [String] A URI of the form +scheme://host:port/+
   def listener_uri
-    uri_host = Rex::Socket.is_ipv6?(listener_address) ? "[#{listener_address}]" : listener_address
-    "#{scheme}://#{uri_host}:#{datastore['LPORT']}/"
+    if ipv6?
+      listen_host = "[#{listener_address}]"
+    else
+      listen_host = listener_address
+    end
+    "#{scheme}://#{listen_host}:#{datastore['LPORT']}/"
   end
 
   # Return a URI suitable for placing in a payload.
@@ -150,7 +158,6 @@ def setup_handler
       'VirtualDirectory' => true)
 
     print_status("Started #{scheme.upcase} reverse handler on #{listener_uri}")
-    lookup_proxy_settings
   end
 
   #
@@ -168,45 +175,6 @@ def stop_handler
 
 protected
 
-  #
-  # Parses the proxy settings and returns a hash
-  #
-  def lookup_proxy_settings
-    info = {}
-    return @proxy_settings if @proxy_settings
-
-    if datastore['PayloadProxyHost'].to_s == ""
-      @proxy_settings = info
-      return @proxy_settings
-    end
-
-    info[:host] = datastore['PayloadProxyHost'].to_s
-    info[:port] = (datastore['PayloadProxyPort'] || 8080).to_i
-    info[:type] = datastore['PayloadProxyType'].to_s
-
-    uri_host = info[:host]
-
-    if Rex::Socket.is_ipv6?(uri_host)
-      uri_host = "[#{info[:host]}]"
-    end
-
-    info[:info] = "#{uri_host}:#{info[:port]}"
-
-    if info[:type] == "SOCKS"
-      info[:info] = "socks=#{info[:info]}"
-    else
-      info[:info] = "http://#{info[:info]}"
-      if datastore['PayloadProxyUser'].to_s != ""
-        info[:username] = datastore['PayloadProxyUser'].to_s
-      end
-      if datastore['PayloadProxyPass'].to_s != ""
-        info[:password] = datastore['PayloadProxyPass'].to_s
-      end
-    end
-
-    @proxy_settings = info
-  end
-
   #
   # Parses the HTTPS request
   #
@@ -236,8 +204,8 @@ def on_request(cli, req, obj)
         blob.sub!('HTTP_COMMUNICATION_TIMEOUT = 300', "HTTP_COMMUNICATION_TIMEOUT = #{datastore['SessionCommunicationTimeout']}")
         blob.sub!('HTTP_USER_AGENT = None', "HTTP_USER_AGENT = '#{var_escape.call(datastore['MeterpreterUserAgent'])}'")
 
-        unless datastore['PayloadProxyHost'].blank?
-          proxy_url = "http://#{datastore['PayloadProxyHost']||datastore['PROXYHOST']}:#{datastore['PayloadProxyPort']||datastore['PROXYPORT']}"
+        unless datastore['PROXYHOST'].blank?
+          proxy_url = "http://#{datastore['PROXYHOST']}:#{datastore['PROXYPORT']}"
           blob.sub!('HTTP_PROXY = None', "HTTP_PROXY = '#{var_escape.call(proxy_url)}'")
         end
 
@@ -300,11 +268,11 @@ def on_request(cli, req, obj)
           :expiration     => datastore['SessionExpirationTimeout'],
           :comm_timeout   => datastore['SessionCommunicationTimeout'],
           :ua             => datastore['MeterpreterUserAgent'],
-          :proxy_host     => datastore['PayloadProxyHost'],
-          :proxy_port     => datastore['PayloadProxyPort'],
-          :proxy_type     => datastore['PayloadProxyType'],
-          :proxy_user     => datastore['PayloadProxyUser'],
-          :proxy_pass     => datastore['PayloadProxyPass']
+          :proxyhost      => datastore['PROXYHOST'],
+          :proxyport      => datastore['PROXYPORT'],
+          :proxy_type     => datastore['PROXY_TYPE'],
+          :proxy_username => datastore['PROXY_USERNAME'],
+          :proxy_password => datastore['PROXY_PASSWORD']
 
         resp.body = encode_stage(blob)