Merge pull request #662 from rsmudge/armitage

Armitage 08.02.12 - adds Cortana scripting technology.
rapid7 · Aug 2, 2012 · fac4ba2 · fac4ba2
2 parents 227d0db + 32ee126
commit fac4ba2
Show file tree

Hide file tree

Showing 78 changed files with 6,764 additions and 148 deletions.
diff --git a/data/armitage/armitage.jar b/data/armitage/armitage.jar
diff --git a/data/armitage/cortana.jar b/data/armitage/cortana.jar
diff --git a/data/armitage/whatsnew.txt b/data/armitage/whatsnew.txt
@@ -1,6 +1,26 @@
 Armitage Changelog
 ==================
 
+2 Aug 12 (tested again msf r15698)
+--------
+- Armitage now reports vulnerability module and descriptions 
+  properly (again) when exporting data. Had to update to match a
+  change to the db schema.
+- Pass-the-Hash and Login dialogs now stay open if you press 
+  shift while clicking Launch. This convention is pretty universal
+  to Armitage.
+- Team server now buffers all of its outgoing data. I've also 
+  disabled SO_NODELAY. This will greatly improve team server latency
+  on congested networks without impacting responsiveness otherwise.
+- Added Cortana, a DARPA funded scripting technology, into Armitage.
+  There's a lot of fun to be had here.
+- Armitage now queues messages to destroy a console rather than
+  spinning up a new thread for each closed console.
+- Rendering of icons for hosts now happens outside of UI thread.
+- Increased timeout for meterpreter read command
+- Armitage now detects a corrupt module cache and attempts to clear
+  it so it can be rebuilt. 
+
 5 Jul 12
 --------
 - Login -> psexec now sets a different LPORT for each host it's

diff --git a/external/source/armitage/build.xml b/external/source/armitage/build.xml
@@ -27,12 +27,28 @@
 		<unzip src="lib/jgraphx.jar" dest="bin" />
 		<unzip src="lib/msgpack-0.5.1-devel.jar" dest="bin" />
 		<unzip src="lib/postgresql-9.1-901.jdbc4.jar" dest="bin" />
-
+                <copy todir="bin/scripts">
+                        <fileset dir="scripts" />
+                </copy>
+                <copy todir="bin/scripts-cortana">
+                        <fileset dir="scripts-cortana" />
+                </copy>
+
+                <copy todir="bin/resources">
+                        <fileset dir="resources" />
+                </copy>
+
 		<jar destfile="armitage.jar" basedir="bin" includes="**/*">
 			<manifest>
 				<attribute name="Main-Class" value="armitage.ArmitageMain" />
 			</manifest>
 		</jar>
+
+		<jar destfile="cortana.jar" basedir="bin" includes="**/*">
+			<manifest>
+				<attribute name="Main-Class" value="cortana.Main" />
+			</manifest>
+		</jar>
 	</target>
 
 	<target name="clean" description="clean up" >

diff --git a/external/source/armitage/resources/about.html b/external/source/armitage/resources/about.html
@@ -1,9 +1,9 @@
 <html>
 	<body>	
-		<center><h1>Armitage 1.44-dev</h1></center>
+		<center><h1>Armitage 1.44</h1></center>
 
 		<p>An attack management tool for Metasploit&reg;
-		<br />Release: 5 Jul 12</p>
+		<br />Release: 2 Aug 12</p>
 		<br />
 		<p>Developed by:</p>
 

diff --git a/external/source/armitage/scripts-cortana/cortanadb.sl b/external/source/armitage/scripts-cortana/cortanadb.sl
@@ -0,0 +1,95 @@
+# This file is part of a stand-alone script environment that connects Cortana to 
+# Metasploit, Armitage, and a postgresql database. It's a little complicated and
+# twisty turny in here. Here are the rough steps:
+#
+# 1. Connect to the database (&main)
+# 2. setup the default reverse handler (&setupHandlers)
+# 3. check for the collaboration server (&checkForCollaborationServer)
+# 4. setup collaboration (&setup_collaboration)
+# 5. call armitage.skip to push the event log pointer to the very end.
+# 6. send a flag back to the Cortana load that we're ready ([$loader passObject: ...])
+#
+# If any of these steps fails, Cortana will exit with a hopefully helpful error
+# message.
+
+debug(7 | 34);
+
+import msf.*;
+import armitage.*;
+import console.*;
+import ssl.*;
+
+# create an RPC client for talking to the deconfliction server.
+sub c_client {
+	# run this thing in its own thread to avoid really stupid deadlock situations
+	local('$handle');
+	$handle = [[new SecureSocket: $1, int($2), $null] client];
+	return wait(fork({
+		local('$client');
+		$client = newInstance(^RpcConnection, lambda({
+			writeObject($handle, @_);
+			[[$handle getOutputStream] flush];
+			return readObject($handle);
+		}, \$handle));
+		return [new RpcAsync: $client];
+	}, \$handle));
+}
+
+# this function sets up a default meterpreter reverse handler on a random port. Better tha
+# requiring the user to connect a client to make this happen. This function also fires the
+# loader ready function which tells the script loader that this script is done processing
+# and this Cortana container may continue loading and executing other scripts.
+sub setupHandlers {
+	find_job("Exploit: multi/handler", {
+		if ($1 == -1) {
+			# setup a handler for meterpreter
+			call($client, "core.setg", "LPORT", randomPort());
+			call($client, "module.execute", "exploit", "multi/handler", %(
+				PAYLOAD => "windows/meterpreter/reverse_tcp",
+				LHOST => "0.0.0.0",
+				ExitOnSession => "false"
+			));
+		}
+	});
+}
+
+sub main {
+	global('$client $mclient');
+	local('%r $exception');
+
+	setField(^msf.MeterpreterSession, DEFAULT_WAIT => 20000L);
+
+	try {
+		# connect our first thread...
+		$mclient = c_client($host, $port);
+
+		# connect our second thread with an empty nickname
+		$client = c_client($host, $port);
+	}
+	catch $exception {
+		println("Could not connect to $host $+ : $+ $port ( $+ $exception $+ )");
+		[System exit: 0];
+	}
+
+	# setup first thread...
+	%r = call($mclient, "armitage.validate", $user, $pass, $nick, "armitage", 120326);
+	if (%r["error"] eq "1") {
+		println(%r['message']);
+		[System exit: 0];
+	}
+
+	# setup second thread.
+        %r = call($client, "armitage.validate", $user, $pass, $null, "armitage", 120326);
+
+	# pass some objects back yo.
+	[$loader passObjects: $client, $mclient];
+
+	# don't make previous messages available...
+	call($mclient, "armitage.skip");
+
+	# do some other setup stuff...
+	setupBaseDirectory();
+	setupHandlers();
+}
+
+invoke(&main);