Merge remote-tracking branch 'rapid7/master'

Starting fresh.

Author: veritysr

lib/msf/core/exploit/exe.rb

@@ -70,7 +70,7 @@ def generate_payload_exe_service(opts = {})
 		pl = opts[:code]
 		pl ||= payload.encoded
 
-		if opts[:arch] and opts[:arch] == ARCH_X64
+		if opts[:arch] and (opts[:arch] == ARCH_X64 or opts[:arch] == ARCH_X86_64)
 			exe = Msf::Util::EXE.to_win64pe_service(framework, pl, opts)
 		else
 			exe = Msf::Util::EXE.to_win32pe_service(framework, pl, opts)
@@ -89,7 +89,7 @@ def generate_payload_dll(opts = {})
 		pl = opts[:code]
 		pl ||= payload.encoded
 
-		if opts[:arch] and opts[:arch] == ARCH_X64
+		if opts[:arch] and (opts[:arch] == ARCH_X64 or opts[:arch] == ARCH_X86_64)
 			dll = Msf::Util::EXE.to_win64pe_dll(framework, pl, opts)
 		else
 			dll = Msf::Util::EXE.to_win32pe_dll(framework, pl, opts)

lib/msf/core/exploit/http/server.rb

@@ -36,6 +36,9 @@ def initialize(info = {})
 			], Exploit::Remote::HttpServer
 		)
 
+		# Used to keep track of resources added to the service manager by
+		# this module. see #add_resource and #cleanup
+		@my_resources = []
 		@service_path = nil
 	end
 
@@ -202,6 +205,39 @@ def start_service(opts = {})
 		add_resource(uopts)
 	end
 
+	# Set {#on_request_uri} to handle the given +uri+ in addition to the one
+	# specified by the user in URIPATH.
+	#
+	# @note This MUST be called from {#primer} so that the service has been set
+	# up but we have not yet entered the listen/accept loop.
+	#
+	# @param uri [String] The resource URI that should be handled by
+	#   {#on_request_uri}.
+	# @return [void]
+	def hardcoded_uripath(uri)
+		proc = Proc.new do |cli, req|
+			on_request_uri(cli, req)
+		end
+
+		vprint_status("Adding hardcoded uri #{uri}")
+		begin
+			add_resource({'Path' => uri, 'Proc' => proc})
+		rescue RuntimeError => e
+			print_error("This module requires a hardcoded uri at #{uri}. Can't run while other modules are using it.")
+			raise e
+		end
+	end
+
+	# Take care of removing any resources that we created
+	def cleanup
+		# Must dup here because remove_resource modifies @my_resources
+		@my_resources.dup.each do |resource|
+			remove_resource(resource)
+		end
+
+		super
+	end
+
 	#
 	# Return a Hash containing a best guess at the actual browser and operating
 	# system versions, based on the User-Agent header.
@@ -358,9 +394,16 @@ def report_user_agent(address, request, client_opts={})
 	# NOTE: Calling #add_resource will change the results of subsequent calls
 	# to #get_resource!
 	#
+	# @return (see Rex::Service#add_resource)
 	def add_resource(opts)
 		@service_path = opts['Path']
-		service.add_resource(opts['Path'], opts)
+		res = service.add_resource(opts['Path'], opts)
+
+		# This has to go *after* the call to service.add_resource in case
+		# the service manager doesn't like it for some reason and raises.
+		@my_resources.push(opts['Path'])
+
+		res
 	end
 
 	#
@@ -455,7 +498,11 @@ def srvhost_addr
 	# Removes a URI resource.
 	#
 	def remove_resource(name)
-		service.remove_resource(name)
+		# Guard against removing resources added by other modules
+		if @my_resources.include?(name)
+			@my_resources.delete(name)
+			service.remove_resource(name)
+		end
 	end
 
 	#

lib/msf/core/module/reference.rb

@@ -96,6 +96,8 @@ def initialize(in_ctx_id = 'Unknown', in_ctx_val = '')
 			self.site = 'http://www.osvdb.org/' + in_ctx_val.to_s
 		elsif (in_ctx_id == 'CVE')
 			self.site = "http://cvedetails.com/cve/#{in_ctx_val.to_s}/"
+		elsif (in_ctx_id == 'CWE')
+			self.site = "http://cwe.mitre.org/data/definitions/#{in_ctx_val.to_s}.html"
 		elsif (in_ctx_id == 'BID')
 			self.site = 'http://www.securityfocus.com/bid/' + in_ctx_val.to_s
 		elsif (in_ctx_id == 'MSB')

lib/msf/core/option_container.rb

@@ -173,6 +173,7 @@ def normalize(value)
 
 	def valid?(value=self.value)
 		value = normalize(value)
+    return false unless value.kind_of?(String) or value.kind_of?(NilClass)
 		return false if empty_required_value?(value)
 		return super
 	end
@@ -263,6 +264,7 @@ def type
 
 	def valid?(value=self.value)
 		return false if empty_required_value?(value)
+    return true if value.nil? and !required?
 
 		(value and self.enums.include?(value.to_s))
 	end
@@ -330,10 +332,17 @@ def type
 
 	def valid?(value)
 		return false if empty_required_value?(value)
+    return false unless value.kind_of?(String) or value.kind_of?(NilClass)
 
 		if (value != nil and value.empty? == false)
 			begin
-				::Rex::Socket.getaddress(value, true)
+				getaddr_result = ::Rex::Socket.getaddress(value, true)
+        # Covers a wierdcase where an incomplete ipv4 address will have it's
+        # missing octets filled in  with 0's. (e.g 192.168 become 192.0.0.168)
+        # which does not feel like a legit behaviour
+        if value =~ /^\d{1,3}(\.\d{1,3}){1,3}$/
+          return false unless value =~ Rex::Socket::MATCH_IPV4
+        end
 			rescue
 				return false
 			end
@@ -354,6 +363,7 @@ def type
 	end
 
 	def normalize(value)
+    return nil unless value.kind_of?(String)
 		if (value =~ /^file:(.*)/)
 			path = $1
 			return false if not File.exists?(path) or File.directory?(path)
@@ -373,9 +383,12 @@ def normalize(value)
 
 	def valid?(value)
 		return false if empty_required_value?(value)
+    return false unless value.kind_of?(String) or value.kind_of?(NilClass)
 
 		if (value != nil and value.empty? == false)
-			walker = Rex::Socket::RangeWalker.new(normalize(value))
+      normalized = normalize(value)
+      return false if normalized.nil?
+			walker = Rex::Socket::RangeWalker.new(normalized)
 			if (not walker or not walker.valid?)
 				return false
 			end
@@ -474,7 +487,7 @@ def valid?(value)
 			Regexp.compile(value)
 
 			return true
-		rescue RegexpError
+		rescue RegexpError, TypeError
 			return false
 		end
 	end

lib/msf/util/exe.rb

@@ -412,11 +412,9 @@ def self.to_win32pe_old(framework, code, opts={})
 			pe = fd.read(fd.stat.size)
 		}
 
-		if(payload.length < 2048)
+		if(payload.length <= 2048)
 			payload << Rex::Text.rand_text(2048-payload.length)
-		end
-
-		if(payload.length > 2048)
+		else
 			raise RuntimeError, "The EXE generator now has a max size of 2048 bytes, please fix the calling module"
 		end
 
@@ -461,7 +459,12 @@ def self.to_win32pe_exe_sub(framework, code, opts={})
 
 		bo = pe.index('PAYLOAD:')
 		raise RuntimeError, "Invalid Win32 PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo
-		pe[bo, 8192] = [code].pack("a8192")
+
+		if (code.length <= 4096)
+			pe[bo, code.length] = [code].pack("a*")
+		else
+			raise RuntimeError, "The EXE generator now has a max size of 4096 bytes, please fix the calling module"
+		end
 
 		return pe
 	end
@@ -479,7 +482,12 @@ def self.to_win64pe(framework, code, opts={})
 
 		bo = pe.index('PAYLOAD:')
 		raise RuntimeError, "Invalid Win64 PE EXE template: missing \"PAYLOAD:\" tag" if not bo
-		pe[bo, code.length] = code
+
+		if (code.length <= 4096)
+			pe[bo, code.length] = [code].pack("a*")
+		else
+			raise RuntimeError, "The EXE generator now has a max size of 4096 bytes, please fix the calling module"
+		end
 
 		return pe
 	end
@@ -498,7 +506,12 @@ def self.to_win32pe_service(framework, code, opts={})
 
 		bo = pe.index('PAYLOAD:')
 		raise RuntimeError, "Invalid Win32 PE Service EXE template: missing \"PAYLOAD:\" tag" if not bo
-		pe[bo, 8192] = [code].pack("a8192")
+
+		if (code.length <= 8192)
+			pe[bo, code.length] = [code].pack("a*")
+		else
+			raise RuntimeError, "The EXE generator now has a max size of 8192 bytes, please fix the calling module"
+		end
 
 		if name
 			bo = pe.index('SERVICENAME')
@@ -527,7 +540,12 @@ def self.to_win64pe_service(framework, code, opts={})
 
 		bo = pe.index('PAYLOAD:')
 		raise RuntimeError, "Invalid Win64 PE Service EXE template: missing \"PAYLOAD:\" tag" if not bo
-		pe[bo, 8192] = [code].pack("a8192")
+
+		if (code.length <= 8192)
+			pe[bo, code.length] = [code].pack("a*")
+		else
+			raise RuntimeError, "The EXE generator now has a max size of 8192 bytes, please fix the calling module"
+		end
 
 		if name
 			bo = pe.index('SERVICENAME')
@@ -554,7 +572,12 @@ def self.to_win32pe_dll(framework, code, opts={})
 
 		bo = pe.index('PAYLOAD:')
 		raise RuntimeError, "Invalid Win32 PE DLL template: missing \"PAYLOAD:\" tag" if not bo
-		pe[bo, 8192] = [code].pack("a8192")
+
+		if (code.length <= 2048)
+			pe[bo, code.length] = [code].pack("a*")
+		else
+			raise RuntimeError, "The EXE generator now has a max size of 2048 bytes, please fix the calling module"
+		end
 
 		# optional mutex
 		mt = pe.index('MUTEX!!!')
@@ -575,7 +598,12 @@ def self.to_win64pe_dll(framework, code, opts={})
 
 		bo = pe.index('PAYLOAD:')
 		raise RuntimeError, "Invalid Win64 PE DLL template: missing \"PAYLOAD:\" tag" if not bo
-		pe[bo, 8192] = [code].pack("a8192")
+
+		if (code.length <= 2048)
+			pe[bo, code.length] = [code].pack("a*")
+		else
+			raise RuntimeError, "The EXE generator now has a max size of 2048 bytes, please fix the calling module"
+		end
 
 		# optional mutex
 		mt = pe.index('MUTEX!!!')

lib/rex/compat.rb

@@ -131,9 +131,11 @@ def self.open_browser(url='http://metasploit.com/')
 		# Search through the PATH variable (if it exists) and chose a browser
 		# We are making an assumption about the nature of "PATH" so tread lightly
 		if defined? ENV['PATH']
-			# "sensible-browser" opens the "default" browser in Ubuntu and others, so try that first
-			#  but also provide fallbacks
-			['sensible-browser', 'firefox', 'opera', 'chromium-browser', 'konqueror'].each do |browser|
+			# "xdg-open" is more general than "sensible-browser" and can be useful for lots of
+			# file types -- text files, pcaps, or URLs. It's nearly always
+			# going to use the application the user is expecting. If we're not
+			# on something Debian-based, fall back to likely browsers.
+			['xdg-open', 'sensible-browser', 'firefox', 'firefox-bin', 'opera', 'konqueror', 'chromium-browser'].each do |browser|
 				ENV['PATH'].split(':').each do |path|
 					# Does the browser exists?
 					if File.exists?("#{path}/#{browser}")
@@ -143,9 +145,6 @@ def self.open_browser(url='http://metasploit.com/')
 				end
 			end
 		end
-
-		# If nothing else worked, default to firefox
-		system("firefox #{url} &")
 	end
 end
 

lib/rex/exploitation/javascriptosdetect.js

@@ -45,6 +45,13 @@ window.os_detect.getVersion = function(){
 	var version = "";
 	var unknown_fingerprint = null;
 
+	var css_is_valid = function(prop, propCamelCase, css) {
+		if (!document.createElement) return false;
+		var d = document.createElement('div');
+		d.setAttribute('style', prop+": "+css+";")
+		return d.style[propCamelCase] === css;
+	}
+
 	//--
 	// Client
 	//--
@@ -179,24 +186,56 @@ window.os_detect.getVersion = function(){
 		if (!ua_version || 0 == ua_version.length) {
 			ua_is_lying = true;
 		}
-	} else if (!document.all && navigator.taintEnabled) {
+	} else if (!document.all && navigator.taintEnabled ||
+	            'MozBlobBuilder' in window) {
 		// Use taintEnabled to identify FF since other recent browsers
 		// implement window.getComputedStyle now.  For some reason, checking for
 		// taintEnabled seems to cause IE 6 to stop parsing, so make sure this
 		// isn't IE first.
-		//
+
+		// Also check MozBlobBuilder because FF 9.0.1 does not support taintEnabled
+
 		// Then this is a Gecko derivative, assume Firefox since that's the
 		// only one we have sploits for.  We may need to revisit this in the
 		// future.  This works for multi/browser/mozilla_compareto against
 		// Firefox and Mozilla, so it's probably good enough for now.
 		ua_name = clients_ff;
 		// Thanks to developer.mozilla.org "Firefox for developers" series for most
 		// of these.
-		if ('mozConnection' in navigator) {
+		// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
+		if ('HTMLTimeElement' in window) {
+			ua_version = '22.0'
+		} else if ('createElement' in document &&
+		           document.createElement('main') &&
+		           document.createElement('main').constructor === window['HTMLElement']) {
+			ua_version = '21.0'
+		} else if ('imul' in Math) {
+			ua_version = '20.0'
+		} else if (css_is_valid('font-size', 'fontSize', '23vmax')) {
+			ua_version = '19.0'
+		} else if ('devicePixelRatio' in window) {
+			ua_version = '18.0'
+		} else if ('createElement' in document &&
+		           document.createElement('iframe') &&
+		           'sandbox' in document.createElement('iframe')) {
+			ua_version = '17.0'
+		} else if ('mozApps' in navigator && 'install' in navigator.mozApps) {
+			ua_version = '16.0'
+		} else if ('HTMLSourceElement' in window && 
+		           HTMLSourceElement.prototype &&
+		           'media' in HTMLSourceElement.prototype) {
+			ua_version = '15.0'
+		} else if ('mozRequestPointerLock' in document.body) {
+			ua_version = '14.0'
+		} else if ('Map' in window) {
+			ua_version = "13.0"
+		} else if ('mozConnection' in navigator) {
 			ua_version = "12.0";
 		} else if ('mozVibrate' in navigator) {
 			ua_version = "11.0";
-		} else if ('mozCancelFullScreen' in document) {
+		} else if (css_is_valid('-moz-backface-visibility', 'MozBackfaceVisibility', 'hidden')) {
+			ua_version = "10.0";
+		} else if ('doNotTrack' in navigator) {
 			ua_version = "9.0";
 		} else if ('insertAdjacentHTML' in document.body) {
 			ua_version = "8.0";
@@ -221,7 +260,6 @@ window.os_detect.getVersion = function(){
 		} else {
 			ua_version = "1";
 		}
-
 		if (navigator.oscpu != navigator.platform) {
 			ua_is_lying = true;
 		}