From c22865fb714af9d84f8690871f0f002496d1d363 Mon Sep 17 00:00:00 2001 From: William Vu Date: Thu, 5 Feb 2015 01:41:35 -0600 Subject: [PATCH 1/8] Fix nexpose_xxe_file_read datastore --- modules/auxiliary/admin/http/nexpose_xxe_file_read.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb b/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb index 90b921aae4..c55a974bc0 100644 --- a/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb +++ b/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb @@ -74,7 +74,7 @@ class Metasploit4 < Msf::Auxiliary xml = '' - xml << '' + xml << %Q{} xml << ']>' xml << ' Date: Thu, 5 Feb 2015 01:55:37 -0600 Subject: [PATCH 3/8] Fix zabbix_script_exec datastore --- modules/exploits/multi/http/zabbix_script_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/zabbix_script_exec.rb b/modules/exploits/multi/http/zabbix_script_exec.rb index 697e2ba2e7..2fa72b9dfe 100644 --- a/modules/exploits/multi/http/zabbix_script_exec.rb +++ b/modules/exploits/multi/http/zabbix_script_exec.rb @@ -79,7 +79,7 @@ class Metasploit4 < Msf::Exploit::Remote req = c.request_cgi({ 'method' => 'POST', 'uri' => '/zabbix/', - 'data' => 'request=&name=' << datastore['USERNAME'] << '&password=' << datastore['PASSWORD'] << '&enter=Sign+in' + 'data' => "request=&name=#{datastore['USERNAME']}&password=#{datastore['PASSWORD']}&enter=Sign+in" }) login = c.send_recv(req.to_s.sub("Host:", "Host: " << datastore["RHOST"])) From 148ffaf55fabc56045ae6c79755c95894ea0ea40 Mon Sep 17 00:00:00 2001 From: William Vu Date: Thu, 5 Feb 2015 01:58:49 -0600 Subject: [PATCH 4/8] Fix real_arcade_installerdlg datastore --- modules/exploits/windows/browser/real_arcade_installerdlg.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
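Review bot: The interpolated `datastore['USERNAME']` and `datastore['PASSWORD']` in the new `'data'` line go into the POST body without URL-encoding, so a credential containing `&`, `=`, `+` or `%` is split or decoded by the server and the login silently fails. `request_cgi` already builds and encodes form bodies from a hash; replacing the `'data'` entry with `'vars_post' => { 'request' => '', 'name' => datastore['USERNAME'], 'password' => datastore['PASSWORD'], 'enter' => 'Sign in' }` keeps the same fields and lets the client encode the values. The enclosing method starts and ends outside the hunk.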
diff --git a/modules/exploits/windows/browser/real_arcade_installerdlg.rb b/modules/exploits/windows/browser/real_arcade_installerdlg.rb index 2245784998..c2afc67f27 100644 --- a/modules/exploits/windows/browser/real_arcade_installerdlg.rb +++ b/modules/exploits/windows/browser/real_arcade_installerdlg.rb @@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote # Payload's URL payload_src = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] - payload_src << ":" << datastore['SRVPORT'] << get_resource() + "/" + @payload_name + ".exe" + payload_src << ":#{datastore['SRVPORT']}#{get_resource}/#{@payload_name}.exe" # Create the stager (download + execute payload) stager_name = rand_text_alpha(6) + ".vbs" From a12d1244b9ec359d52fad5fb34d33038e039422d Mon Sep 17 00:00:00 2001 From: William Vu Date: Thu, 5 Feb 2015 02:00:48 -0600 Subject: [PATCH 5/8] Fix zenworks_helplauncher_exec datastore --- modules/exploits/windows/browser/zenworks_helplauncher_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb b/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb index f319496cb4..6e66961670 100644 --- a/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb +++ b/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb @@ -130,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Remote # Payload's URL payload_src = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] - payload_src << ":" << datastore['SRVPORT'] << get_resource() + "/" + @payload_name + ".exe" + payload_src << ":#{datastore['SRVPORT']}#{get_resource}/#{@payload_name}.exe" # Create the stager (download + execute payload) stager = build_vbs(payload_src) From b43522a2b8e3db12207150c3ac0d92fb71ef49b3 Mon Sep 17 00:00:00 2001 
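Review bot: `payload_src << ":#{datastore['SRVPORT']}…"` still appends in place to whatever the ternary on the context line returned, and in the `datastore['SRVHOST']` branch that is the datastore's own string, so the change only reduces four in-place appends to one: the next client that triggers this handler sees SRVHOST already carrying the previous `:port/resource/name.exe` suffix. Build a fresh string instead, e.g. `payload_src = "#{payload_src}:#{datastore['SRVPORT']}#{get_resource}/#{@payload_name}.exe"`, or `.dup` the datastore value inside the ternary. The same pattern remains in the zenworks_helplauncher_exec hunk later on this line and in the scadapro_cmdexe hunk (`payload_src = lhost` followed by `<<`), where `lhost` is assigned outside the hunk and presumably comes from the datastore as well, so it should be checked the same way. The enclosing method starts and ends outside each of these hunks.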
From: William Vu Date: Thu, 5 Feb 2015 02:02:52 -0600 Subject: [PATCH 6/8] Fix scadapro_cmdexe datastore --- modules/exploits/windows/scada/scadapro_cmdexe.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/scada/scadapro_cmdexe.rb b/modules/exploits/windows/scada/scadapro_cmdexe.rb index fe99df9652..4a8e6d2e04 100644 --- a/modules/exploits/windows/scada/scadapro_cmdexe.rb +++ b/modules/exploits/windows/scada/scadapro_cmdexe.rb @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote end payload_src = lhost - payload_src << ":" << datastore['SRVPORT'] << datastore['URIPATH'] << @payload_name << ".exe" + payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe" stager_name = rand_text_alpha(6) + ".vbs" stager = build_vbs(payload_src, stager_name) From 3e0ce4a955a2f6c398856fea5c634f381e2eb9f0 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Thu, 5 Feb 2015 20:36:25 -0600 Subject: [PATCH 7/8] Fix datastore mangling with instance variables See rapid7/metasploit-framework #4709 --- modules/auxiliary/fuzzers/dns/dns_fuzzer.rb | 32 +++++++++++++++------ 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb b/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb index 88f66ce53f..44c1ac390b 100644 --- a/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb +++ b/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb 
@@ -40,11 +40,11 @@ class Metasploit3 < Msf::Auxiliary OptBool.new('DNSSEC', [ false, "Add DNSsec to each question (UDP payload size, EDNS0, ...)",false]), OptBool.new('TRAILINGNUL', [ false, "NUL byte terminate DNS names",true]), OptBool.new('RAWPADDING', [ false, "Generate totally random data from STARTSIZE to ENDSIZE",false]), - OptString.new('OPCODE', [ false, "Comma separated list of opcodes to fuzz.",'' ]), + OptString.new('OPCODE', [ false, "Comma separated list of opcodes to fuzz. Leave empty to fuzz all fields.",'' ]), # OPCODE accepted values: QUERY,IQUERY,STATUS,UNASSIGNED,NOTIFY,UPDATE - OptString.new('CLASS', [ false, "Comma separated list of classes to fuzz.",'' ]), + OptString.new('CLASS', [ false, "Comma separated list of classes to fuzz. Leave empty to fuzz all fields.",'' ]), # CLASS accepted values: IN,CH,HS,NONE,ANY - OptString.new('RR', [ false, "Comma separated list of requests to fuzz.",'' ]) + OptString.new('RR', [ false, "Comma separated list of requests to fuzz. Leave empty to fuzz all fields.",'' ]) # RR accepted values: A,CNAME,MX,PTR,TXT,AAAA,HINFO,SOA,NS,WKS,RRSIG,DNSKEY,DS,NSEC,NSEC3,NSEC3PARAM # RR accepted values: AFSDB,ISDN,RP,RT,X25,PX,SRV,NAPTR,MD,MF,MB,MG,MR,NULL,MINFO,NSAP,NSAP-PTR,SIG # RR accepted values: KEY,GPOS,LOC,NXT,EID,NIMLOC,ATMA,KX,CERT,A6,DNAME,SINK,OPT,APL,SSHFP,IPSECKEY 
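Review bot: "Leave empty to fuzz all fields" is imprecise on all three option descriptions, since each option lists one kind of value and an empty value widens only that kind, not every field of the query. Suggested wording: `"Comma separated list of opcodes to fuzz. Leave empty to fuzz all opcodes."`, and correspondingly "all classes" for CLASS and "all RR types" for RR. The options block continues outside the hunk.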
@@ -329,6 +329,20 @@ class Metasploit3 < Msf::Auxiliary end end + def fix_variables + @fuzz_opcode = datastore['OPCODE'] || "QUERY,IQUERY,STATUS,UNASSIGNED,NOTIFY,UPDATE" + @fuzz_class = datastore['CLASS'] || "IN,CH,HS,NONE,ANY" + @fuzz_rr = datastore['RR'] || "" << + "A,NS,MD,MF,CNAME,SOA,MB,MG,MR,NULL,WKS,PTR," << + "HINFO,MINFO,MX,TXT,RP,AFSDB,X25,ISDN,RT," << + "NSAP,NSAP-PTR,SIG,KEY,PX,GPOS,AAAA,LOC,NXT," << + "EID,NIMLOC,SRV,ATMA,NAPTR,KX,CERT,A6,DNAME," << + "SINK,OPT,APL,DS,SSHFP,IPSECKEY,RRSIG,NSEC," << + "DNSKEY,DHCID,NSEC3,NSEC3PARAM,HIP,NINFO,RKEY," << + "TALINK,SPF,UINFO,UID,GID,UNSPEC,TKEY,TSIG," << + "IXFR,AXFR,MAILA,MAILB,*,TA,DLV,RESERVED" + end + def run_host(ip) msg = "#{ip}:#{rhost} - DNS -" begin @@ -347,6 +361,8 @@ class Metasploit3 < Msf::Auxiliary errorhdr = datastore['ERRORHDR'] trailingnul = datastore['TRAILINGNUL'] + fix_variables + if !dns_alive(@underlayerProtocol) then return false end print_status("#{msg} Fuzzing DNS server, this may take a while.") @@ -360,7 +376,7 @@ class Metasploit3 < Msf::Auxiliary if @domain == nil print_status("DNS Fuzzer: DOMAIN could be set for health check but not mandatory.") end - nsopcode=datastore['OPCODE'].split(",") + nsopcode=@fuzz_opcode.split(",") opcode = setup_opcode(nsopcode) opcode.unpack("n*").each do |dnsOpcode| 1.upto(iter) do @@ -393,11 +409,11 @@ class Metasploit3 < Msf::Auxiliary nsclass << req[:class] nsentry << req[:name] end - nsopcode=datastore['OPCODE'].split(",") + nsopcode=@fuzz_opcode.split(",") else - nsreq=datastore['RR'].split(",") - nsopcode=datastore['OPCODE'].split(",") - nsclass=datastore['CLASS'].split(",") + nsreq=@fuzz_rr.split(",") + nsopcode=@fuzz_opcode.split(",") + nsclass=@fuzz_class.split(",") begin classns = setup_nsclass(nsclass) raise ArgumentError, "Invalid CLASS: #{nsclass.inspect}" unless classns From 7e649a919c4c2d20305901c9bdf9622ab749a7e2 Mon Sep 17 00:00:00 2001 
From: Tod Beardsley Date: Thu, 5 Feb 2015 21:00:54 -0600 Subject: [PATCH 8/8] This version will actually work. --- modules/auxiliary/fuzzers/dns/dns_fuzzer.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb b/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb index 44c1ac390b..1972f99d76 100644 --- a/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb +++ b/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb @@ -330,10 +330,9 @@ class Metasploit3 < Msf::Auxiliary end def fix_variables - @fuzz_opcode = datastore['OPCODE'] || "QUERY,IQUERY,STATUS,UNASSIGNED,NOTIFY,UPDATE" - @fuzz_class = datastore['CLASS'] || "IN,CH,HS,NONE,ANY" - @fuzz_rr = datastore['RR'] || "" << - "A,NS,MD,MF,CNAME,SOA,MB,MG,MR,NULL,WKS,PTR," << + @fuzz_opcode = datastore['OPCODE'].blank? ? "QUERY,IQUERY,STATUS,UNASSIGNED,NOTIFY,UPDATE" : datastore['OPCODE'] + @fuzz_class = datastore['CLASS'].blank? ? "IN,CH,HS,NONE,ANY" : datastore['CLASS'] + fuzz_rr_queries = "A,NS,MD,MF,CNAME,SOA,MB,MG,MR,NULL,WKS,PTR," << "HINFO,MINFO,MX,TXT,RP,AFSDB,X25,ISDN,RT," << "NSAP,NSAP-PTR,SIG,KEY,PX,GPOS,AAAA,LOC,NXT," << "EID,NIMLOC,SRV,ATMA,NAPTR,KX,CERT,A6,DNAME," << @@ -341,6 +340,7 @@ class Metasploit3 < Msf::Auxiliary "DNSKEY,DHCID,NSEC3,NSEC3PARAM,HIP,NINFO,RKEY," << "TALINK,SPF,UINFO,UID,GID,UNSPEC,TKEY,TSIG," << "IXFR,AXFR,MAILA,MAILB,*,TA,DLV,RESERVED" + @fuzz_rr = datastore['RR'].blank ? fuzz_rr_queries : datastore['RR'] end def run_host(ip)
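Review bot: `@fuzz_rr = datastore['RR'].blank ? fuzz_rr_queries : datastore['RR']` on the last added line calls `blank`, not `blank?`, so `fix_variables` raises NoMethodError on every `run_host` before any packet is sent; it should read `@fuzz_rr = datastore['RR'].blank? ? fuzz_rr_queries : datastore['RR']`. The two assignments above it in the same hunk use `blank?` correctly, which makes the typo easy to miss on review. `fuzz_rr_queries` is also rebuilt with a chain of `<<` on every call; a frozen module constant would avoid that, though it is not a correctness issue. `fix_variables` ends inside the hunk; the class continues outside it.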