-
Notifications
You must be signed in to change notification settings - Fork 62
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 199956b
Showing
8,996 changed files
with
1,532,307 additions
and
0 deletions.
The diff you're trying to view is too large. We only load the first 3000 changed files.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| # Contributing to Metasploit | ||
|
|
||
| ## Reporting Bugs | ||
|
|
||
| If you would like to report a bug, please take a look at [our Redmine | ||
| issue | ||
| tracker](https://dev.metasploit.com/redmine/projects/framework/issues?query_id=420) | ||
| -- your bug may already have been reported there! Simply [searching](https://dev.metasploit.com/redmine/projects/framework/search) for some appropriate keywords may save everyone a lot of hassle. | ||
|
|
||
| If your bug is new and you'd like to report it you will need to | ||
| [register | ||
| first](https://dev.metasploit.com/redmine/account/register). Don't | ||
| worry, it's easy and fun and takes about 30 seconds. | ||
|
|
||
| When you file a bug report, please include your **steps to reproduce**, | ||
| full copy-pastes of Ruby stack traces, and any relevant details about | ||
| your environment. Without repro steps, your bug will likely be closed. | ||
| With repro steps, your bugs will likely be fixed. | ||
|
|
||
| ## Contributing Metasploit Modules | ||
|
|
||
| If you have an exploit that you'd like to contribute to the Metasploit | ||
| Framework, please familiarize yourself with the | ||
| **[HACKING](https://github.com/rapid7/metasploit-framework/blob/master/HACKING)** | ||
| document in the | ||
| Metasploit-Framework repository. There are many mysteries revealed in | ||
| HACKING concerning code style and content. | ||
|
|
||
| [Pull requests](https://github.com/rapid7/metasploit-framework/pulls) | ||
| should corellate with modules at a 1:1 ratio | ||
| -- there is rarely a good reason to have two, three, or ten modules on | ||
| one pull request, as this dramatically increases the review time | ||
| required to land (commit) any of those modules. | ||
|
|
||
| Pull requests tend to be very collaborative for Metasploit -- do not be | ||
| surprised if your pull request to rapid7/metasploit-framework triggers a | ||
| pull request back to your own fork. In this way, we can isolate working | ||
| changes before landing your PR to the Metasploit master branch. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| Copyright (C) 2006-2013, Rapid7 Inc. | ||
| All rights reserved. | ||
|
|
||
| Redistribution and use in source and binary forms, with or without modification, | ||
| are permitted provided that the following conditions are met: | ||
|
|
||
| * Redistributions of source code must retain the above copyright notice, | ||
| this list of conditions and the following disclaimer. | ||
|
|
||
| * Redistributions in binary form must reproduce the above copyright notice, | ||
| this list of conditions and the following disclaimer in the documentation | ||
| and/or other materials provided with the distribution. | ||
|
|
||
| * Neither the name of Rapid7 LLC nor the names of its contributors | ||
| may be used to endorse or promote products derived from this software | ||
| without specific prior written permission. | ||
|
|
||
| THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND | ||
| ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | ||
| WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | ||
| DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR | ||
| ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | ||
| (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
| LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON | ||
| ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
| (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
| SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
|
|
||
| ================================================================================ | ||
|
|
||
| The Metasploit Framework is provided under the 3-clause BSD license above. | ||
|
|
||
| The copyright on this package is held by Rapid7 LLC. | ||
|
|
||
| This license does not apply to several components within the Metasploit | ||
| Framework source tree. For more details see the LICENSE file. | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| source 'http://rubygems.org' | ||
|
|
||
| # Need 3+ for ActiveSupport::Concern | ||
| gem 'activesupport', '>= 3.0.0' | ||
| # Needed for some admin modules (scrutinizer_add_user.rb) | ||
| gem 'json' | ||
| # Needed by msfgui and other rpc components | ||
| gem 'msgpack' | ||
| # Needed by anemone crawler | ||
| gem 'nokogiri' | ||
| # Needed by anemone crawler | ||
| gem 'robots' | ||
|
|
||
| group :db do | ||
| # Needed for Msf::DbManager | ||
| gem 'activerecord' | ||
| # Database models shared between framework and Pro. | ||
| gem 'metasploit_data_models', '~> 0.14.3' | ||
| # Needed for module caching in Mdm::ModuleDetails | ||
| gem 'pg', '>= 0.11' | ||
| end | ||
|
|
||
| group :pcap do | ||
| # For sniffer and raw socket modules | ||
| gem 'pcaprub' | ||
| end | ||
|
|
||
| group :development do | ||
| # Markdown formatting for yard | ||
| gem 'redcarpet' | ||
| # generating documentation | ||
| gem 'yard' | ||
| end | ||
|
|
||
| group :development, :test do | ||
| # supplies factories for producing model instance for specs | ||
| # Version 4.1.0 or newer is needed to support generate calls without the | ||
| # 'FactoryGirl.' in factory definitions syntax. | ||
| gem 'factory_girl', '>= 4.1.0' | ||
| # running documentation generation tasks and rspec tasks | ||
| gem 'rake' | ||
| end | ||
|
|
||
| group :test do | ||
| # Removes records from database created during tests. Can't use rspec-rails' | ||
| # transactional fixtures because multiple connections are in use so | ||
| # transactions won't work. | ||
| gem 'database_cleaner' | ||
| # testing framework | ||
| gem 'rspec', '>= 2.12' | ||
| # add matchers from shoulda, such as query_the_database, which is useful for | ||
| # testing that the Msf::DBManager activation is respected. | ||
| gem 'shoulda-matchers' | ||
| # code coverage for tests | ||
| # any version newer than 0.5.4 gives an Encoding error when trying to read the source files. | ||
| gem 'simplecov', '0.5.4', :require => false | ||
| # Manipulate Time.now in specs | ||
| gem 'timecop' | ||
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| GEM | ||
| remote: http://rubygems.org/ | ||
| specs: | ||
| activemodel (3.2.13) | ||
| activesupport (= 3.2.13) | ||
| builder (~> 3.0.0) | ||
| activerecord (3.2.13) | ||
| activemodel (= 3.2.13) | ||
| activesupport (= 3.2.13) | ||
| arel (~> 3.0.2) | ||
| tzinfo (~> 0.3.29) | ||
| activesupport (3.2.13) | ||
| i18n (= 0.6.1) | ||
| multi_json (~> 1.0) | ||
| arel (3.0.2) | ||
| bourne (1.4.0) | ||
| mocha (~> 0.13.2) | ||
| builder (3.0.4) | ||
| database_cleaner (0.9.1) | ||
| diff-lcs (1.2.2) | ||
| factory_girl (4.2.0) | ||
| activesupport (>= 3.0.0) | ||
| i18n (0.6.1) | ||
| json (1.7.7) | ||
| metaclass (0.0.1) | ||
| metasploit_data_models (0.14.3) | ||
| activerecord (>= 3.2.13) | ||
| activesupport | ||
| pg | ||
| mocha (0.13.3) | ||
| metaclass (~> 0.0.1) | ||
| msgpack (0.5.4) | ||
| multi_json (1.0.4) | ||
| nokogiri (1.5.9) | ||
| pcaprub (0.11.3) | ||
| pg (0.15.1) | ||
| rake (10.0.4) | ||
| redcarpet (2.2.2) | ||
| robots (0.10.1) | ||
| rspec (2.13.0) | ||
| rspec-core (~> 2.13.0) | ||
| rspec-expectations (~> 2.13.0) | ||
| rspec-mocks (~> 2.13.0) | ||
| rspec-core (2.13.1) | ||
| rspec-expectations (2.13.0) | ||
| diff-lcs (>= 1.1.3, < 2.0) | ||
| rspec-mocks (2.13.0) | ||
| shoulda-matchers (1.5.2) | ||
| activesupport (>= 3.0.0) | ||
| bourne (~> 1.3) | ||
| simplecov (0.5.4) | ||
| multi_json (~> 1.0.3) | ||
| simplecov-html (~> 0.5.3) | ||
| simplecov-html (0.5.3) | ||
| timecop (0.6.1) | ||
| tzinfo (0.3.37) | ||
| yard (0.8.5.2) | ||
|
|
||
| PLATFORMS | ||
| ruby | ||
|
|
||
| DEPENDENCIES | ||
| activerecord | ||
| activesupport (>= 3.0.0) | ||
| database_cleaner | ||
| factory_girl (>= 4.1.0) | ||
| json | ||
| metasploit_data_models (~> 0.14.3) | ||
| msgpack | ||
| nokogiri | ||
| pcaprub | ||
| pg (>= 0.11) | ||
| rake | ||
| redcarpet | ||
| robots | ||
| rspec (>= 2.12) | ||
| shoulda-matchers | ||
| simplecov (= 0.5.4) | ||
| timecop | ||
| yard |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,151 @@ | ||
| # $Id$ | ||
|
|
||
| This file contains some brief instructions on contributing to the | ||
| Metasploit Framework. | ||
|
|
||
| Code Style | ||
| ========== | ||
|
|
||
| In order to maintain consistency and readability, we ask that you | ||
| adhere to the following style guidelines: | ||
|
|
||
| - Hard tabs, not spaces | ||
| - Try to keep your lines under 100 columns (assuming four-space tabs) | ||
| - do; end instead of {} for a block | ||
| - Always use str[0,1] instead of str[0] | ||
| (This avoids a known ruby 1.8/1.9 incompatibility.) | ||
| - Method names should always be lower_case and words separated by "_" | ||
| - Variable names should be lower case with words separated by "_" | ||
| - Don't depend on any external gems or libraries without talking to | ||
| todb to resolve packaging and licensing issues | ||
|
|
||
| You can use the the "./tools/msftidy.rb" script to do some rudimentary | ||
| checking for various violations. | ||
|
|
||
|
|
||
| Code No-Nos | ||
| =========== | ||
|
|
||
| 1. Don't print to standard output. Doing so means that users of | ||
| interfaces other than msfconsole, such as msfrpc and msfgui, won't see | ||
| your output. You can use print_line to accomplish the same thing as | ||
| puts. | ||
|
|
||
| 2. Don't read from standard input, doing so will make your code | ||
| lock up the entire module when called from other interfaces. If you | ||
| need user input, you can either register an option or expose an | ||
| interactive session type specific for the type of exploit. | ||
|
|
||
| 3. Don't use "sleep". It has been known to cause issues with | ||
| multi-threaded programs on various platforms. Instead, we use | ||
| "select(nil, nil, nil, <time>)" throughout the framework. We have | ||
| found this works around the underlying issue. | ||
|
|
||
| 4. Always use Rex sockets, not ruby sockets. This includes | ||
| third-party libraries such as Net::Http. There are several very good | ||
| reasons for this rule. First, the framework doesn't get notified on | ||
| the creation of ruby sockets and won't know how to clean them up in | ||
| case your module raises an exception without cleaning up after itself. | ||
| Secondly, non-Rex sockets do not know about routes and therefore can't | ||
| be used through a meterpreter tunnel. Lastly, regular sockets miss | ||
| out on msf's proxy and SSL features. Msf includes many protocols | ||
| already implemented with Rex and if the protocol you need is missing, | ||
| porting another library to use them is straight-forward. See our | ||
| Net::SSH modifications in lib/net/ssh/ for an example. | ||
|
|
||
| 5. When opening an IO stream, always force binary with "b" mode (or | ||
| using IO#binmode). This not only helps keep Windows and non-Windows | ||
| runtime environments consistent with each other, but also guarantees | ||
| that files will be treated as ASCII-8BIT instead of UTF-8. | ||
|
|
||
| 6. Don't use String#[] for a single character. This returns a Fixnum in | ||
| ruby 1.8 and a String in 1.9, so it's safer to use the following idiom: | ||
| str[idx,1] | ||
| which always returns a String. If you need the ASCII byte, unpack it like | ||
| so: | ||
| str[idx,1].unpack("C")[0] | ||
|
|
||
| 7. Whenever possible, avoid using '+' or '+=' to concatenate strings. | ||
| The '<<' operator is significantly faster. The difference will become | ||
| even more apparent when doing string manipulation in a loop. The | ||
| following table approximates the underlying implementation: | ||
| Ruby Pseudo-C | ||
| ----------- ---------------- | ||
| a = b + c a = malloc(b.len+c.len+1); | ||
| strcpy(a, b); | ||
| memcpy(a+b.len, c, c.len); | ||
| a[b.len + c.len] = '\0'; | ||
| a = b a = b; | ||
| a << c a = realloc(a, a.len+c.len+1); | ||
| memcpy(a+a.len, c, c.len); | ||
| a[a.len + c.len] = '\0'; | ||
| Note that the original value of 'b' is lost in the second case. Care | ||
| must be taken to duplicate strings that you do not want to modify. | ||
|
|
||
| 8. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's | ||
| excellent slide show at <http://slideshow.rubyforge.org/ruby19.html> | ||
| for an overview of common and not-so-common Ruby version related gotchas. | ||
|
|
||
| 9. Never, ever use $global variables. This applies to modules, mixins, | ||
| and libraries. If you need a "global" within a specific class, you can | ||
| use @@class_variables, but most modules should use @instance variables | ||
| to store information between methods. | ||
|
|
||
| 10. Do not define CONSTANTS within individual modules. This can lead to | ||
| warning messages when the module is reloaded. Try to keep constants | ||
| inside libraries and mixins instead. | ||
|
|
||
|
|
||
| Creating New Modules | ||
| ==================== | ||
|
|
||
| When creating a new module, the simplest way to start is to copy | ||
| another module that uses the same protocol and modify it to your | ||
| needs. If you're creating an exploit module, generally you'll want | ||
| to edit the exploit() method. Auxiliary Scanner modules use one of | ||
| run_host(), run_range(), or run_batch() instead of exploit(). | ||
| Non-scanner aux modules use run(). | ||
|
|
||
|
|
||
| Submitting Your Code | ||
| ==================== | ||
|
|
||
| To get started with a Metasploit Framework source clone, simply: | ||
|
|
||
| - Fork rapid7/metasploit-framework to your GitHub account | ||
| - git clone git://github.com/YourName/metasploit-framework.git | ||
| - gem install bundler | ||
| - bundle install | ||
|
|
||
| More detailed documentation regarding the process for submitting new | ||
| modules via GitHub is documented here: | ||
|
|
||
| https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment | ||
|
|
||
| This describes the process of forking, editing, and generating a | ||
| pull request, and is the preferred method for bringing new modules | ||
| and framework enhancements to the attention of the core Metasploit | ||
| development team. Note that this process requires a GitHub account. | ||
|
|
||
| For Git commits, please adhere to 50/72 formatting: your commits should | ||
| start with a line 50 characters or less, followed by a blank line, | ||
| followed by one or more lines of explanatory text wrapped at at 72 | ||
| characters Pull requests with commits not formatted this way will | ||
| be rejected without review. | ||
|
|
||
| For modules, note that Author field is not automatic, and should be | ||
| filled in in the format of 'Your Name <user[at]domain.tld>' so future | ||
| developers can contact you with any questions. | ||
|
|
||
| Licensing | ||
| ========= | ||
| By submitting code contributions to the Metasploit Project it is | ||
| assumed that you are offering your code under the Metasploit License | ||
| or similar 3-clause BSD-compatible license. MIT and Ruby Licenses | ||
| are also fine. We specifically cannot include GPL code. LGPL code | ||
| is accepted on a case by case basis for libraries only and is never | ||
| accepted for modules. | ||
|
|
||
| When possible, such as aux and exploit modules, be sure to include | ||
| your license designation in the file in the appropriate place. | ||
|
|
Oops, something went wrong.