Merge pull request #4 from rapid7/master

merge

Author: Pedro Ribeiro

Gemfile

@@ -8,9 +8,9 @@ group :db do
   gem 'activerecord', '>= 3.0.0', '< 4.0.0'
 
   # Metasploit::Credential database models
-  gem 'metasploit-credential', '~> 0.10.1'
+  gem 'metasploit-credential', '~> 0.12.0'
   # Database models shared between framework and Pro.
-  gem 'metasploit_data_models', '~> 0.20.1'
+  gem 'metasploit_data_models', '~> 0.21.1'
   # Needed for module caching in Mdm::ModuleDetails
   gem 'pg', '>= 0.11'
 end
@@ -39,7 +39,7 @@ group :development, :test do
   gem 'rspec', '>= 2.12', '< 3.0.0'
   # Define `rake spec`.  Must be in development AND test so that its available by default as a rake test when the
   # environment is development
-  gem 'rspec-rails' , '>= 2.12', '< 3.0.0' 
+  gem 'rspec-rails' , '>= 2.12', '< 3.0.0'
 end
 
 group :pcap do

Gemfile.lock

@@ -5,15 +5,16 @@ PATH
       actionpack (< 4.0.0)
       activesupport (>= 3.0.0, < 4.0.0)
       bcrypt
-      jsobfu (~> 0.1.7)
+      jsobfu (~> 0.2.0)
       json
-      metasploit-concern (~> 0.2.1)
-      metasploit-model (~> 0.27.1)
+      metasploit-concern (~> 0.3.0)
+      metasploit-model (~> 0.28.0)
       meterpreter_bins (= 0.0.7)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
       railties
+      recog (~> 1.0)
       robots
       rubyzip (~> 1.1)
       sqlite3
@@ -91,34 +92,35 @@ GEM
     hike (1.2.3)
     i18n (0.6.11)
     journey (1.0.4)
-    jsobfu (0.1.7)
+    jsobfu (0.2.1)
       rkelly-remix (= 0.0.6)
     json (1.8.1)
     mail (2.5.4)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
-    metasploit-concern (0.2.1)
+    metasploit-concern (0.3.0)
       activesupport (~> 3.0, >= 3.0.0)
       railties (< 4.0.0)
-    metasploit-credential (0.10.1)
-      metasploit-concern (~> 0.2.1)
-      metasploit-model (~> 0.27.0)
-      metasploit_data_models (~> 0.20.0)
+    metasploit-credential (0.12.0)
+      metasploit-concern (~> 0.3.0)
+      metasploit-model (~> 0.28.0)
+      metasploit_data_models (~> 0.21.0)
       pg
       railties (< 4.0.0)
       rubyntlm
       rubyzip (~> 1.1)
-    metasploit-model (0.27.1)
+    metasploit-model (0.28.0)
       activesupport
       railties (< 4.0.0)
-    metasploit_data_models (0.20.1)
+    metasploit_data_models (0.21.1)
       activerecord (>= 3.2.13, < 4.0.0)
       activesupport
       arel-helpers
-      metasploit-concern (~> 0.2.1)
-      metasploit-model (~> 0.27.0)
+      metasploit-concern (~> 0.3.0)
+      metasploit-model (~> 0.28.0)
       pg
       railties (< 4.0.0)
+      recog (~> 1.0)
     meterpreter_bins (0.0.7)
     method_source (0.8.2)
     mime-types (1.25.1)
@@ -161,6 +163,8 @@ GEM
     rake (10.3.2)
     rdoc (3.12.2)
       json (~> 1.4)
+    recog (1.0.0)
+      nokogiri
     redcarpet (3.1.2)
     rkelly-remix (0.0.6)
     robots (0.10.1)
@@ -218,9 +222,9 @@ DEPENDENCIES
   factory_girl (>= 4.1.0)
   factory_girl_rails
   fivemat (= 1.2.1)
-  metasploit-credential (~> 0.10.1)
+  metasploit-credential (~> 0.12.0)
   metasploit-framework!
-  metasploit_data_models (~> 0.20.1)
+  metasploit_data_models (~> 0.21.1)
   network_interface (~> 0.0.1)
   pcaprub
   pg (>= 0.11)

data/js/detect/os.js

@@ -472,10 +472,14 @@ class RTATTR(ctypes.Structure):
 ERROR_CONNECTION_ERROR = 10000
 
 # Windows Constants
-GAA_FLAG_SKIP_ANYCAST    = 0x0002
-GAA_FLAG_SKIP_MULTICAST  = 0x0004
-GAA_FLAG_INCLUDE_PREFIX  = 0x0010
-GAA_FLAG_SKIP_DNS_SERVER = 0x0080
+GAA_FLAG_SKIP_ANYCAST             = 0x0002
+GAA_FLAG_SKIP_MULTICAST           = 0x0004
+GAA_FLAG_INCLUDE_PREFIX           = 0x0010
+GAA_FLAG_SKIP_DNS_SERVER          = 0x0080
+PROCESS_TERMINATE                 = 0x0001
+PROCESS_VM_READ                   = 0x0010
+PROCESS_QUERY_INFORMATION         = 0x0400
+PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
 
 WIN_AF_INET  = 2
 WIN_AF_INET6 = 23
@@ -666,12 +670,11 @@ def stdapi_sys_config_sysinfo(request, response):
 
 @meterpreter.register_function
 def stdapi_sys_process_close(request, response):
-	proc_h_id = packet_get_tlv(request, TLV_TYPE_PROCESS_HANDLE)
+	proc_h_id = packet_get_tlv(request, TLV_TYPE_HANDLE)
 	if not proc_h_id:
 		return ERROR_SUCCESS, response
 	proc_h_id = proc_h_id['value']
-	proc_h = meterpreter.channels[proc_h_id]
-	proc_h.kill()
+	del meterpreter.processes[proc_h_id]
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
@@ -720,6 +723,23 @@ def stdapi_sys_process_getpid(request, response):
 	response += tlv_pack(TLV_TYPE_PID, os.getpid())
 	return ERROR_SUCCESS, response
 
+@meterpreter.register_function
+def stdapi_sys_process_kill(request, response):
+	for pid in packet_enum_tlvs(request, TLV_TYPE_PID):
+		pid = pid['value']
+		if has_windll:
+			k32 = ctypes.windll.kernel32
+			proc_h = k32.OpenProcess(PROCESS_TERMINATE, False, pid)
+			if not proc_h:
+				return ERROR_FAILURE, response
+			if not k32.TerminateProcess(proc_h, 0):
+				return ERROR_FAILURE, response
+		elif hasattr(os, 'kill'):
+			os.kill(pid, 9)
+		else:
+			return ERROR_FAILURE, response
+	return ERROR_SUCCESS, response
+
 def stdapi_sys_process_get_processes_via_proc(request, response):
 	for pid in os.listdir('/proc'):
 		pgroup = bytes()
@@ -772,9 +792,6 @@ def stdapi_sys_process_get_processes_via_ps(request, response):
 
 def stdapi_sys_process_get_processes_via_windll(request, response):
 	TH32CS_SNAPPROCESS = 2
-	PROCESS_QUERY_INFORMATION = 0x0400
-	PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
-	PROCESS_VM_READ = 0x10
 	TOKEN_QUERY = 0x0008
 	TokenUser = 1
 	k32 = ctypes.windll.kernel32

data/meterpreter/ext_server_stdapi.py

@@ -332,7 +332,6 @@ def run(self):
 				response = self.create_response(request)
 				self.socket.send(response)
 			else:
-				channels_for_removal = []
 				# iterate over the keys because self.channels could be modified if one is closed
 				channel_ids = list(self.channels.keys())
 				for channel_id in channel_ids:

data/meterpreter/meterpreter.py

@@ -29,7 +29,7 @@ class Metasploit4 < Msf::Exploit::Remote
     :ua_minver  => "8.0",
     :ua_maxver  => "10.0",
     :javascript => true,
-    :os_name    => OperatingSystems::WINDOWS,
+    :os_name    => OperatingSystems::Match::WINDOWS,
     :rank       => NormalRanking
   })
 
@@ -85,6 +85,8 @@ def get_target(agent)
       os_name = 'Windows 7'
     when '6.2'
       os_name = 'Windows 8'
+    when '6.3'
+      os_name = 'Windows 8.1'      
     end
 
     targets.each do |t|

documentation/samples/modules/exploits/ie_browser.rb

@@ -0,0 +1,3 @@
+Metasploit completion definitions for zsh. The directory containing the
+completion files needs to be added to the ```$fpath``` environment variable,
+this is usually done in the ```~/.zshrc``` file.

external/zsh/README.md

@@ -0,0 +1,39 @@
+#compdef msfconsole
+# ------------------------------------------------------------------------------
+# License
+# -------
+# This file is part of the Metasploit Framework and is released under the MSF
+# License, please see the COPYING file for more details.
+#
+# ------------------------------------------------------------------------------
+# Description
+# -----------
+#
+#  Completion script for the Metasploit Framework's msfconsole command
+#  (http://www.metasploit.com/).
+#
+# ------------------------------------------------------------------------------
+# Authors
+# -------
+#
+#  * Spencer McIntyre
+#
+# ------------------------------------------------------------------------------
+
+_arguments \
+  {-a,--ask}"[Ask before exiting Metasploit or accept 'exit -y']" \
+  "-c[Load the specified configuration file]:configuration file:_files" \
+  {-d,--defanged}"[Execute the console as defanged]" \
+  {-E,--environment}"[Specify the database environment to load from the configuration]:environment:(production development)" \
+  {-h,--help}"[Show help text]" \
+  {-L,--real-readline}"[Use the system Readline library instead of RbReadline]" \
+  {-M,--migration-path}"[Specify a directory containing additional DB migrations]:directory:_files -/" \
+  {-m,--module-path}"[Specifies an additional module search path]:search path:_files -/" \
+  {-n,--no-database}"[Disable database support]" \
+  {-o,--output}"[Output to the specified file]:output file" \
+  {-p,--plugin}"[Load a plugin on startup]:plugin file:_files" \
+  {-q,--quiet}"[Do not print the banner on start up]" \
+  {-r,--resource}"[Execute the specified resource file]:resource file:_files" \
+  {-v,--version}"[Show version]" \
+  {-x,--execute-command}"[Execute the specified string as console commands]:commands" \
+  {-y,--yaml}"[Specify a YAML file containing database settings]:yaml file:_files"

external/zsh/_msfconsole

@@ -0,0 +1,82 @@
+#compdef msfencode
+# ------------------------------------------------------------------------------
+# License
+# -------
+# This file is part of the Metasploit Framework and is released under the MSF
+# License, please see the COPYING file for more details.
+#
+# ------------------------------------------------------------------------------
+# Description
+# -----------
+#
+#  Completion script for the Metasploit Framework's msfencode command
+#  (http://www.metasploit.com/).
+#
+# ------------------------------------------------------------------------------
+# Authors
+# -------
+#
+#  * Spencer McIntyre
+#
+# ------------------------------------------------------------------------------
+
+_msfencode_encoders_list=(
+  'cmd/generic_sh'
+  'cmd/ifs'
+  'cmd/powershell_base64'
+  'cmd/printf_php_mq'
+  'generic/eicar'
+  'generic/none'
+  'mipsbe/byte_xori'
+  'mipsbe/longxor'
+  'mipsle/byte_xori'
+  'mipsle/longxor'
+  'php/base64'
+  'ppc/longxor'
+  'ppc/longxor_tag'
+  'sparc/longxor_tag'
+  'x64/xor'
+  'x86/add_sub'
+  'x86/alpha_mixed'
+  'x86/alpha_upper'
+  'x86/avoid_underscore_tolower'
+  'x86/avoid_utf8_tolower'
+  'x86/bloxor'
+  'x86/call4_dword_xor'
+  'x86/context_cpuid'
+  'x86/context_stat'
+  'x86/context_time'
+  'x86/countdown'
+  'x86/fnstenv_mov'
+  'x86/jmp_call_additive'
+  'x86/nonalpha'
+  'x86/nonupper'
+  'x86/opt_sub'
+  'x86/shikata_ga_nai'
+  'x86/single_static_bit'
+  'x86/unicode_mixed'
+  'x86/unicode_upper'
+)
+
+_msfencode_encoder() {
+  _describe -t encoders 'available encoders' _msfencode_encoders_list || compadd "$@"
+}
+
+_arguments \
+  "-a[The architecture to encode as]:architecture:(cmd generic mipsbe mipsle php ppc sparc x64 x86)" \
+  "-b[The list of characters to avoid, example: '\x00\xff']:bad characters" \
+  "-c[The number of times to encode the data]:times" \
+  "-d[Specify the directory in which to look for EXE templates]:template file:_files -/" \
+  "-e[The encoder to use]:encoder:_msfencode_encoder" \
+  "-h[Help banner]" \
+  "-i[Encode the contents of the supplied file path]:input file:_files" \
+  "-k[Keep template working; run payload in new thread (use with -x)]" \
+  "-l[List available encoders]" \
+  "-m[Specifies an additional module search path]:module path:_files -/" \
+  "-n[Dump encoder information]" \
+  "-o[The output file]:output file" \
+  "-p[The platform to encode for]:target platform:(android bsd bsdi java linux netware nodejs osx php python ruby solaris unix win)" \
+  "-s[The maximum size of the encoded data]:maximum size" \
+  "-t[The output format]:output format:(bash c csharp dw dword java js_be js_le num perl pl powershell ps1 py python raw rb ruby sh vbapplication vbscript asp aspx aspx-exe dll elf exe exe-only exe-service exe-small loop-vbs macho msi msi-nouac osx-app psh psh-net psh-reflection vba vba-exe vbs war)" \
+  "-v[Increase verbosity]" \
+  "-x[Specify an alternate executable template]:template file:_files"