Merge branch 'release/20120103000001' into stable

Author: jcran

data/armitage/armitage.jar

@@ -1,6 +1,41 @@
 Armitage Changelog
 ==================
 
+30 Dec 11 - last release of the year?
+---------
+- Hosts -> Clear Database now clears the sessions and clients tables 
+- Fixed a bug preventing dynamic workspace port/session filter from 
+  working on a fresh database. This was a fun one. This only affected 
+  folks with a completely fresh database and because Hosts -> Clear 
+  Database didn't clear everything, this went unnoticed until now.
+- Added various reverse shell payloads to payload helper dialog.
+- Added file chooser helper for SigningCert and SigningKey options.
+- Added hack to return correct route info when setting up pivoting through
+  Java meterpreter.
+- Armitage now posts a note to the event log when a user starts a browser 
+  exploit or a server module.
+- Armitage now supports dragging and dropping a module onto a host in graph
+  and table view. This action opens the module launcher configured to work
+  with that host.
+- Drastically rewrote MSF Scans. MSF Scans now intelligently builds a list
+  of ports to scan based on what Metasploit can do. After an initial port
+  scan, MSF Scans runs discovery modules against relevant hosts. As a bonus
+  you will see all of the output of these scans. 
+- Enhanced the Windows heuristic used to guess which OS image to display
+- The deconfliction server throttle is now less draconian about how long it
+  throttles a call.
+- Armitage no longer posts to the event log from the UI thread (this will
+  prevent the UI from blocking in some cases)
+- Command shell now handles interaction with d-server in a separate thread
+  from the UI thread. This will prevent UI blocking in some cases.
+- Added Ping Sweep... option for non-Windows meterpreter sessions. Now Java
+  meterpreter users have a quick host discovery option.
+- Change Host OS option now matches new Metasploit database schema.
+- Deconfliction server now sets LHOST to the IP address you provided. Also,
+  Armitage clients do not overwrite LHOST once it is set.
+- Interacting with a shell in team mode no longer blocks UI to communicate
+  with d-server.
+
 12 Dec 11
 ---------
 - Armitage teaming mode now downloads the resulting file for any fileformat

data/armitage/whatsnew.txt

@@ -19,7 +19,6 @@ def db
 	end
 
 	def myworkspace
-		return @myworkspace if @myworkspace
 		@myworkspace = framework.db.find_workspace(self.workspace)
 	end
 

lib/msf/core/auxiliary/report.rb

@@ -0,0 +1,201 @@
+require 'msf/core/post/windows/services'
+
+
+module Msf
+class Post
+module Windows
+
+module ShadowCopy
+	include Msf::Post::Windows::WindowsServices
+
+
+	def get_vss_device(id)
+		result = get_sc_param(id,'DeviceObject')
+	end
+
+	def vss_list
+		ids = vss_get_ids
+		shadow_copies = []
+		ids.each do |id|
+			print_status "Getting data for Shadow Copy #{id} (This may take a minute)"
+			shadow_copies << get_sc_details("\"#{id}\"")
+		end
+		return shadow_copies
+	end
+
+	def vss_get_ids
+		result = wmicexec('shadowcopy get id')
+		ids = result.scan(/\{\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\}/)
+		return ids
+	end
+
+	def vss_get_storage
+		storage={}
+		storage['AllocatedSpace'] = vss_get_storage_param('AllocatedSpace')
+		storage['MaxSpace'] = vss_get_storage_param('MaxSpace')
+		storage['UsedSpace'] = vss_get_storage_param('UsedSpace')
+		return storage
+	end
+
+	def get_sc_details(id)
+		shadowcopy={}
+		shadowcopy['ID'] = id
+		shadowcopy['ClientAccessible'] = get_sc_param(id,'ClientAccessible')
+		shadowcopy['Count'] = get_sc_param(id,'Count')
+		shadowcopy['DeviceObject'] = get_sc_param(id,'DeviceObject')
+		shadowcopy['Differential'] = get_sc_param(id,'Differential')
+		shadowcopy['ExposedLocally'] = get_sc_param(id,'ExposedLocally')
+		shadowcopy['ExposedName'] = get_sc_param(id,'ExposedName')
+		shadowcopy['ExposedRemotely'] = get_sc_param(id,'ExposedRemotely')
+		shadowcopy['HardwareAssisted'] = get_sc_param(id,'HardwareAssisted')
+		shadowcopy['Imported'] = get_sc_param(id,'Imported')
+		shadowcopy['NoAutoRelease'] = get_sc_param(id,'NoAutoRelease')
+		shadowcopy['NotSurfaced'] = get_sc_param(id,'Notsurfaced')
+		shadowcopy['NoWriters'] = get_sc_param(id,'NoWriters')
+		shadowcopy['OriginiatingMachine'] = get_sc_param(id,'OriginatingMachine')
+		shadowcopy['Persistent'] = get_sc_param(id,'Persistent')
+		shadowcopy['Plex'] = get_sc_param(id,'Plex')
+		shadowcopy['ProviderID'] = get_sc_param(id,'ProviderID')
+		shadowcopy['ServiceMachine'] = get_sc_param(id,'ServiceMachine')
+		shadowcopy['SetID'] = get_sc_param(id,'SetID')
+		shadowcopy['State'] = get_sc_param(id,'State')
+		shadowcopy['Transportable'] = get_sc_param(id,'Transportable')
+		shadowcopy['VolumeName'] = get_sc_param(id,'VolumeName')
+		return shadowcopy
+	end
+
+	def get_sc_param(id,param_name)
+		result = wmicexec("shadowcopy where(id=#{id}) get #{param_name}")
+		result.gsub!(param_name,'')
+		result.gsub!(/\s/,'')
+	end
+
+	def vss_get_storage_param(param_name)
+		result = wmicexec("shadowstorage get #{param_name}")
+		result.gsub!(param_name,'')
+		result.gsub!(/\s/,'')
+	end
+
+	def vss_set_storage(bytes)
+		result = wmicexec("shadowstorage set MaxSpace=\"#{bytes}\"")
+		if result.include?("success")
+			return true
+		else
+			return false
+		end
+	end
+
+	def create_shadowcopy(volume)
+		result = wmicexec("shadowcopy call create \"ClientAccessible\", \"#{volume}\"")
+		retval = result.match(/ReturnValue = (\d)/)
+		case retval[1].to_i
+		when 0
+			print_status("ShadowCopy created successfully")
+			sc_id = result.match(/ShadowID = ("\{\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\}")/)
+			return sc_id[1]
+		when 1
+			print_error("Access Denied")
+		when 2
+			print_error("Invalid Argument")
+		when 3
+			print_error("Specified volume not found")
+		when 4
+			print_error("Specified volume not supported")
+		when 5
+			print_error("Unsupported shadow copy context")
+		when 6
+			print_error("Insufficient Storage")
+		when 7
+			print_error("Volume is in use")
+		when 8 
+			print_error("Maximum number of shadow copies reached")
+		when 9
+			print_error("Another shadow copy operation is already in progress")
+		when 10
+			print_error("Shadow copy provider vetoed the operation")
+		when 11
+			print_error("Shadow copy provider not registered")
+		when 12
+			print_error("Shadow copy provider failure")
+		else
+			print_error("Unknown error")
+		end
+		return nil
+	end
+
+	def start_vss
+		vss_state = wmicexec('Service where(name="VSS") get state')
+		if vss_state=~ /Running/
+			print_status("Volume Shadow Copy service is running.")
+		else
+			print_status("Volume Shadow Copy service not running. Starting it now...")
+			begin
+				ss_result = service_start("VSS")
+				case ss_result 
+				when 0
+					print_status("Volume Shadow Copy started successfully.")
+				when 1
+					print_error("Volume Shadow Copy already running.")
+				when 2
+					print_error("Volume Shadow Copy is disabled.")
+					print_status("Attempting to re-enable...")
+					service_change_startup("VSS","manual")
+					ss_result = service_start("VSS")
+					if ss_result == 0
+						return true
+					else
+						return false
+					end
+				end
+			rescue
+				print_error("Insufficient Privs to start service!")
+				return false
+			end
+		end
+		return true
+	end
+
+	def wmicexec(wmiccmd)
+		tmpout = ''
+		session.response_timeout=120
+		begin
+			tmp = session.fs.file.expand_path("%TEMP%")
+			wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
+			r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmicfl} #{wmiccmd}", nil, {'Hidden' => true})
+			sleep(2)
+			#Making sure that wmic finishes before executing next wmic command
+			prog2check = "wmic.exe"
+			found = 0
+			while found == 0
+				session.sys.process.get_processes().each do |x|
+					found =1
+					if prog2check == (x['name'].downcase)
+						sleep(0.5)
+						found = 0
+					end
+				end
+			end
+			r.close
+
+			# Read the output file of the wmic commands
+			wmioutfile = session.fs.file.new(wmicfl, "rb")
+			until wmioutfile.eof?
+				tmpout << wmioutfile.read
+			end
+			wmioutfile.close
+		rescue ::Exception => e
+			print_error("Error running WMIC commands: #{e.class} #{e}")
+		end
+		# We delete the file with the wmic command output.
+		c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
+		c.close
+		tmpout.gsub!(/[^[:print:]]/,'') #scrub out garbage 
+		return tmpout
+	end
+
+
+end
+end
+end
+end
+

lib/msf/core/post/windows/shadowcopy.rb

@@ -71,7 +71,7 @@ def call(meth, *args)
 			resp = MessagePack.unpack(res.body)
 
 			if resp and resp.kind_of?(::Hash) and resp['error'] == true
-				raise Msf::RPC::ServerException.new(res.code, resp['error_message'] || resp['error_string'], resp['error_class'], resp['error_backtrace'])
+				raise Msf::RPC::ServerException.new(resp['error_code'] || res.code, resp['error_message'] || resp['error_string'], resp['error_class'], resp['error_backtrace'])
 			end
 
 			return resp

lib/msf/core/rpc/v10/client.rb

@@ -88,6 +88,9 @@ def commands
 			"kill"     => "Kill a job",
 			"load"     => "Load a framework plugin",
 			"loadpath" => "Searches for and loads modules from a path",
+			"popm"     => "Pops the latest module off of the module stack and makes it active",
+			"pushm"    => "Pushes the active or list of modules onto the module stack",
+			"previous" => "Sets the previously loaded module as the current module",
 			"quit"     => "Exit the console",
 			"resource" => "Run the commands stored in a file",
 			"makerc"   => "Save commands entered since start to a file",
@@ -118,6 +121,8 @@ def initialize(driver)
 
 		@dscache = {}
 		@cache_payloads = nil
+		@previous_module = nil
+		@module_name_stack = []
 	end
 
 	#
@@ -2127,8 +2132,9 @@ def cmd_use(*args)
 				return false
 		end
 
-		# If there's currently an active module, go back
+		# If there's currently an active module, enqueque it and go back
 		if (active_module)
+			@previous_module = active_module
 			cmd_back()
 		end
 
@@ -2153,6 +2159,94 @@ def cmd_use(*args)
 		driver.update_prompt("#{prompt} #{mod.type}(%bld%red#{mod.shortname}%clr) ", prompt_char, true)
 	end
 
+	#
+	# Command to take to the previously active module
+	#
+	def cmd_previous()
+		if @previous_module
+			self.cmd_use(@previous_module.fullname)
+		else
+			print_error("There isn't a previous module at the moment")
+		end
+	end
+
+	#
+	# Help for the 'previous' command
+	#
+	def cmd_previous_help
+		print_line "Usage: previous"
+		print_line
+		print_line "Set the previously loaded module as the current module"
+		print_line
+	end
+	
+	#
+	# Command to enqueque a module on the module stack
+	#
+	def cmd_pushm(*args)
+		# could check if each argument is a valid module, but for now let them hang themselves
+		if args.count > 0
+			args.each do |arg|
+				@module_name_stack.push(arg)
+				# Note new modules are appended to the array and are only module (full)names
+			end
+		else #then just push the active module 
+			if active_module
+				#print_status "Pushing the active module"
+				@module_name_stack.push(active_module.fullname)
+			else
+				print_error("There isn't an active module and you didn't specify a module to push")
+				return self.cmd_pushm_help
+			end
+		end
+	end
+	
+	#
+	# Help for the 'pushm' command
+	#
+	def cmd_pushm_help
+		print_line "Usage: pushm [module1 [,module2, module3...]]"
+		print_line
+		print_line "push current active module or specified modules onto the module stack"
+		print_line
+	end
+	
+	#
+	# Command to dequeque a module from the module stack
+	#
+	def cmd_popm(*args)
+		if (args.count > 1 or not args[0].respond_to?("to_i"))
+			return self.cmd_popm_help
+		elsif args.count == 1
+			# then pop 'n' items off the stack, but don't change the active module
+			if args[0].to_i >= @module_name_stack.count
+				# in case they pass in a number >= the length of @module_name_stack
+				@module_name_stack = []
+				print_status("The module stack is empty")
+			else
+				@module_name_stack.pop[args[0]]
+			end
+		else #then just pop the array and make that the active module
+			pop = @module_name_stack.pop
+			if pop
+				return self.cmd_use(pop)
+			else
+				print_error("There isn't anything to pop, the module stack is empty")
+			end
+		end
+	end
+
+	#
+	# Help for the 'popm' command
+	#
+	def cmd_popm_help
+		print_line "Usage: popm [n]"
+		print_line
+		print_line "pop the latest module off of the module stack and make it the active module"
+		print_line "or pop n modules off the stack, but don't change the active module"
+		print_line
+	end
+
 	#
 	# Tab completion for the use command
 	#