Merge branch 'rapid7/master' into goliath

Author: jbarnett-r7

.gitignore

@@ -93,3 +93,7 @@ docker-compose.local*
 # Ignore python bytecode
 *.pyc
 rspec.failures
+
+
+#Ignore any base disk store files
+db/modules_metadata_base.pstore

CONTRIBUTING.md

@@ -45,8 +45,8 @@ and Metasploit's [Common Coding Mistakes].
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for witnessable effects in `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
-* **Do** [reference associated issues] in your pull request description
-* **Do** write [release notes] once a pull request is landed
+* **Do** [reference associated issues] in your pull request description.
+* **Do** write [release notes] once a pull request is landed.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
 
@@ -58,8 +58,8 @@ Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
   - It would be even better to set up `msftidy.rb` as a [pre-commit hook].
 * **Do** use the many module mixin [API]s. Wheel improvements are welcome; wheel reinventions, not so much.
 * **Don't** include more than one module per pull request.
-* **Do** include instructions on how to setup the vulnerable environment or software
-* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs
+* **Do** include instructions on how to setup the vulnerable environment or software.
+* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs.
 
 
 

CURRENT.md

@@ -0,0 +1,20 @@
+Active Metasploit 5 development will sometimes push aggressive changes.
+Integrations with 3rd-party tools, as well as general usage, may change quickly
+from day to day. Some of the steps for dealing with major changes will be
+documented here. We will continue to maintain the Metasploit 4.x branch until
+Metasploit 5.0 is released.
+
+**2018/01/17 - [internal] module cache reworked to not store metadata in PostgreSQL**
+
+Metasploit no longer stores module metadata in a PostgreSQL database, instead
+storing it in a cache file in your local ~/.msf4 config directory. This has a
+number of advantages:
+
+ * Fast searches whether you have the database enabled or not (no more slow search mode)
+ * Faster load time for msfconsole, the cache loads more quickly
+ * Private module data is not uploaded to a shared database, no collisions
+ * Adding or deleting modules no longer displays file-not-found error messages on start in msfconsole
+ * Reduced memory consumption
+
+Code that reads directly from the Metasploit database for module data will need
+to use the new module search API.

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.16.32)
+    metasploit-framework (5.0.0)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -18,7 +18,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.23)
+      metasploit-payloads (= 1.3.25)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.3.3)
       mqtt
@@ -183,14 +183,14 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.23)
-    metasploit_data_models (2.0.15)
+    metasploit-payloads (1.3.25)
+    metasploit_data_models (2.0.16)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
       arel-helpers
       metasploit-concern
       metasploit-model
-      pg
+      pg (= 0.20.0)
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
@@ -205,7 +205,7 @@ GEM
     nessus_rest (0.1.6)
     net-ssh (4.2.0)
     network_interface (0.0.2)
-    nexpose (7.1.1)
+    nexpose (7.2.0)
     nokogiri (1.8.1)
       mini_portile2 (~> 2.3.0)
     octokit (4.8.0)

data/logos/under-construction-v5.txt

@@ -0,0 +1,25 @@
+%clr%red               .;lxO0KXXXK0Oxl:.
+           ,o0WMMMMMMMMMMMMMMMMMMKd,
+        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
+      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
+    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
+   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo
+  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk
+ oMMMMMMMMMMx.                    dMMMMMMMMMMx
+.WMMMMMMMMM:                       :MMMMMMMMMM,
+xMMMMMMMMMo                         lMMMMMMMMMO
+NMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;
+MMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:
+NMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:
+xMMMMMMMMMd                        ,0MMMMMMMMMMK;
+.WMMMMMMMMMc                         'OMMMMMM0,
+ lMMMMMMMMMMk.                         .kMMO'
+  dMMMMMMMMMMWd'                         ..
+   cWMMMMMMMMMMMNxc'.%clr%whi                ##########%clr
+%red    .0MMMMMMMMMMMMMMMMWc%clr%whi            #+#    #+#%clr
+%red      ;0MMMMMMMMMMMMMMMo.%clr%whi          +:+%clr
+%red        .dNMMMMMMMMMMMMo%clr          +%whi#+%clr+:++#+
+%red           'oOWMMMMMMMMo%clr                +:+
+%red               .,cdkO0K;%clr        :+:    :+:                                
+                                :::::::+:
+           %whiMetasploit%clr %yelUnder Construction%clr

db/modules_metadata_base.pstore

@@ -0,0 +1,110 @@
+## Intro
+
+From the `bootparamd(8)` man page:
+
+> bootparamd is a server process that provides information to diskless clients necessary for booting. It consults the /etc/bootparams file to find the information it needs.
+
+The module documented within will allow a tester to disclose the NIS
+domain name from a server running `bootparamd`. After knowing the domain
+name, the tester can follow up with `auxiliary/gather/nis_ypserv_map` to
+dump a map from a compatible NIS server (running as `ypserv`).
+
+## Setup
+
+Set up NIS as per <https://help.ubuntu.com/community/SettingUpNISHowTo>.
+If the link is down, you can find it via the Wayback Machine.
+
+After that is done, install `bootparamd` however your OS provides it.
+
+Make sure you add a client to the `bootparams` file, which is usually at
+`/etc/bootparams`.
+
+Here is an example `bootparams` file (courtesy of
+[@bcoles](https://github.com/bcoles)):
+
+```
+clientname root=nfsserver:/export/clientname/root
+```
+
+You can read the `bootparams(5)` man page for more info.
+
+Lastly, the client should be added to `/etc/hosts` if it isn't already
+resolvable.
+
+## Options
+
+**PROTOCOL**
+
+Set this to either TCP or UDP. UDP is the default due to `bootparamd`.
+
+**CLIENT**
+
+Set this to the address of a client in the target's `bootparams` file.
+Usually this is a host within the same network range as the target.
+
+**XDRTimeout**
+
+Set this to the timeout in seconds for XDR decoding of the response.
+
+## Usage
+
+```
+msf > use auxiliary/gather/nis_bootparamd_domain
+msf auxiliary(gather/nis_bootparamd_domain) > set rhost 192.168.33.10
+rhost => 192.168.33.10
+msf auxiliary(gather/nis_bootparamd_domain) > set client 192.168.33.10
+client => 192.168.33.10
+msf auxiliary(gather/nis_bootparamd_domain) > run
+
+[+] 192.168.33.10:111 - NIS domain name for host ubuntu-xenial (192.168.33.10) is gesellschaft
+[*] Auxiliary module execution completed
+msf auxiliary(gather/nis_bootparamd_domain) >
+```
+
+After disclosing the domain name, you can use
+`auxiliary/gather/nis_ypserv_map` to dump a map from a compatible NIS
+server.
+
+```
+msf auxiliary(gather/nis_bootparamd_domain) > use auxiliary/gather/nis_ypserv_map
+msf auxiliary(gather/nis_ypserv_map) > set rhost 192.168.33.10
+rhost => 192.168.33.10
+msf auxiliary(gather/nis_ypserv_map) > set domain gesellschaft
+domain => gesellschaft
+msf auxiliary(gather/nis_ypserv_map) > run
+
+[+] 192.168.33.10:111 - Dumping map passwd.byname on domain gesellschaft:
+list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+ubuntu:$6$LXFAVGTO$yiCXi1KjLynOrapuhJE7tKnvdwknDMKiKM7Z8ZB19ht6CHmsS.CbUTm8q0cy5fFHEqA.Sg4Acl.0UtY.Y0JNE1:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+games:*:5:60:games:/usr/games:/usr/sbin/nologin
+news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
+lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+sys:*:3:3:sys:/dev:/usr/sbin/nologin
+backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
+uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
+man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
+bin:*:2:2:bin:/bin:/usr/sbin/nologin
+gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+sync:*:4:65534:sync:/bin:/bin/sync
+systemd-network:*:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
+uuidd:*:108:112::/run/uuidd:/bin/false
+dnsmasq:*:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
+root:*:0:0:root:/root:/bin/bash
+sshd:*:110:65534::/var/run/sshd:/usr/sbin/nologin
+systemd-bus-proxy:*:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
+irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+messagebus:*:107:111::/var/run/dbus:/bin/false
+_apt:*:105:65534::/nonexistent:/bin/false
+mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
+syslog:*:104:108::/home/syslog:/bin/false
+daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
+pollinate:*:111:1::/var/cache/pollinate:/bin/false
+www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
+proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
+lxd:*:106:65534::/var/lib/lxd/:/bin/false
+
+[*] Auxiliary module execution completed
+msf auxiliary(gather/nis_ypserv_map) >
+```

documentation/modules/auxiliary/gather/nis_bootparamd_domain.md

@@ -1,8 +1,17 @@
 ## Vulnerable Application
 
-[Sync Breeze Enterprise](http://www.syncbreeze.com) versions up to v9.4.28 and v10.0.28 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerabilities are caused by improper bounds checking of the request path in HTTP GET requests and username value via HTTP POST requests sent to the built-in web server, respectively. This module has been tested successfully on Windows 7 SP1. The vulnerable applications are available for download at [Sync Breeze Enterprise v9.4.28](http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.4.28.exe) and [Sync Breeze Enterprise v10.0.28](http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe).
+[Sync Breeze Enterprise](http://www.syncbreeze.com) versions up to v9.4.28, v10.0.28, and v10.1.16
+are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker
+to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerabilities
+are caused by improper bounds checking of the request path in HTTP GET requests and username value
+via HTTP POST requests sent to the built-in web server, respectively.
+
+This module has been tested successfully on Windows 7 SP1. The vulnerable applications are available
+for download at [Sync Breeze Enterprise v9.4.28](http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.4.28.exe)
+and [Sync Breeze Enterprise v10.0.28](http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe).
 
 ## Verification Steps
+
   1. Install a vulnerable Sync Breeze Enterprise
   2. Start `Sync Breeze Enterprise` service
   3. Start `Sync Breeze Enterprise` client application