From 12cb3b4d3e645ec5b13b103f94d64368891e92d3 Mon Sep 17 00:00:00 2001 From: William Vu Date: Fri, 5 Oct 2018 03:32:40 -0500 Subject: [PATCH] Land #10750, formatting and AKA reference fixes --- .../scanner/http/apache_mod_cgi_bash_env.rb | 5 +- .../linux/http/axis_srv_parhand_rce.rb | 56 +++++------ .../linux/http/hp_van_sdn_cmd_inject.rb | 42 ++++---- .../fileformat/ghostscript_failed_restore.rb | 20 ++-- .../unix/fileformat/imagemagick_delegate.rb | 6 +- .../unix/webapp/drupal_drupalgeddon2.rb | 98 +++++++++---------- .../windows/smb/ms17_010_eternalblue_win8.py | 2 +- 7 files changed, 110 insertions(+), 119 deletions(-) diff --git a/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb b/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb index 6df8e11fa4..4e17c90277 100644 --- a/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb +++ b/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb @@ -40,10 +40,7 @@ class MetasploitModule < Msf::Auxiliary ], 'DisclosureDate' => 'Sep 24 2014', 'License' => MSF_LICENSE, - 'Notes' => - { - 'AKA' => ['Shellshock'] - } + 'Notes' => {'AKA' => ['Shellshock']} )) register_options([ diff --git a/modules/exploits/linux/http/axis_srv_parhand_rce.rb b/modules/exploits/linux/http/axis_srv_parhand_rce.rb index bbd7aa9ab0..10caf872b8 100644 --- a/modules/exploits/linux/http/axis_srv_parhand_rce.rb +++ b/modules/exploits/linux/http/axis_srv_parhand_rce.rb @@ -12,12 +12,12 @@ class MetasploitModule < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Axis Network Camera .srv to parhand RCE', - 'Description' => %q{ + 'Name' => 'Axis Network Camera .srv to parhand RCE', + 'Description' => %q{ This module exploits an auth bypass in .srv functionality and a command injection in parhand to execute code as the root user. }, - 'Author' => [ + 'Author' => [ 'Or Peles', # Vulnerability discovery (VDOO) 'wvu', # Metasploit module 'sinn3r', # Metasploit module 
@@ -28,46 +28,46 @@ class MetasploitModule < Msf::Exploit::Remote 'Chris Lee', # Metasploit module 'Cale Black' # Metasploit module ], - 'References' => [ + 'References' => [ ['CVE', '2018-10660'], ['CVE', '2018-10661'], ['CVE', '2018-10662'], ['URL', 'https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/'], ['URL', 'https://www.axis.com/files/faq/Advisory_ACV-128401.pdf'] ], - 'DisclosureDate' => 'Jun 18 2018', - 'License' => MSF_LICENSE, - 'Platform' => ['unix', 'linux'], - 'Arch' => [ARCH_CMD, ARCH_ARMLE], - 'Privileged' => true, - 'Targets' => [ + 'DisclosureDate' => 'Jun 18 2018', + 'License' => MSF_LICENSE, + 'Platform' => ['unix', 'linux'], + 'Arch' => [ARCH_CMD, ARCH_ARMLE], + 'Privileged' => true, + 'Targets' => [ ['Unix In-Memory', - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Type' => :unix_memory, - 'Payload' => { - 'BadChars' => ' ', - 'Encoder' => 'cmd/ifs', - 'Compat' => { - 'PayloadType' => 'cmd', - 'RequiredCmd' => 'netcat-e' + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_memory, + 'Payload' => { + 'BadChars' => ' ', + 'Encoder' => 'cmd/ifs', + 'Compat' => { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'netcat-e' } }, - 'DefaultOptions' => { - 'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping' + 'DefaultOptions' => { + 'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping' } ], ['Linux Dropper', - 'Platform' => 'linux', - 'Arch' => ARCH_ARMLE, - 'Type' => :linux_dropper, - 'DefaultOptions' => { - 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp' + 'Platform' => 'linux', + 'Arch' => ARCH_ARMLE, + 'Type' => :linux_dropper, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp' } ] ], - 'DefaultTarget' => 1, - 'DefaultOptions' => {'WfsDelay' => 10} + 'DefaultTarget' => 1, + 'DefaultOptions' => {'WfsDelay' => 10} )) end diff --git a/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb b/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb index 736b394820..a537ac195b 100644 
--- a/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb +++ b/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb @@ -16,8 +16,8 @@ class MetasploitModule < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'HP VAN SDN Controller Root Command Injection', - 'Description' => %q{ + 'Name' => 'HP VAN SDN Controller Root Command Injection', + 'Description' => %q{ This module exploits a hardcoded service token or default credentials in HPE VAN SDN Controller <= 2.7.18.0503 to execute a payload as root. 
@@ -27,36 +27,36 @@ class MetasploitModule < Msf::Exploit::Remote If the service token option TOKEN is blank, USERNAME and PASSWORD will be used for authentication. An additional login request will be sent. }, - 'Author' => [ + 'Author' => [ 'Matt Bergin', # Vulnerability discovery and Python exploit 'wvu' # Metasploit module and additional ~research~ ], - 'References' => [ + 'References' => [ ['EDB', '44951'], ['URL', 'https://korelogic.com/Resources/Advisories/KL-001-2018-008.txt'] ], - 'DisclosureDate' => 'Jun 25 2018', - 'License' => MSF_LICENSE, - 'Platform' => ['unix', 'linux'], - 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], - 'Privileged' => true, - 'Targets' => [ + 'DisclosureDate' => 'Jun 25 2018', + 'License' => MSF_LICENSE, + 'Platform' => ['unix', 'linux'], + 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], + 'Privileged' => true, + 'Targets' => [ ['Unix In-Memory', - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Type' => :unix_memory, - 'Payload' => {'BadChars' => ' '}, - 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'} + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_memory, + 'Payload' => {'BadChars' => ' '}, + 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'} ], ['Linux Dropper', - 'Platform' => 'linux', - 'Arch' => [ARCH_X86, ARCH_X64], - 'Type' => :linux_dropper, - 'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'} + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Type' => :linux_dropper, + 'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'} ] ], - 'DefaultTarget' => 0, - 'DefaultOptions' => {'RPORT' => 8081, 'SSL' => true} + 'DefaultTarget' => 0, + 'DefaultOptions' => {'RPORT' => 8081, 'SSL' => true} )) register_options([ diff --git a/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb b/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb index 3e3ffcdd13..df9f35e139 100644 
--- a/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb +++ b/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb @@ -45,20 +45,20 @@ class MetasploitModule < Msf::Exploit 'Privileged' => false, 'Targets' => [ ['Unix (In-Memory)', - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Type' => :unix_memory, - 'Payload' => {'Space' => 4089, 'DisableNops' => true} # 4096 total + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_memory, + 'Payload' => {'Space' => 4089, 'DisableNops' => true} # 4096 total ], ['PowerShell (In-Memory)', - 'Platform' => 'win', - 'Arch' => [ARCH_X86, ARCH_X64], - 'Type' => :psh_memory + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Type' => :psh_memory ], ['Linux (Dropper)', - 'Platform' => 'linux', - 'Arch' => [ARCH_X86, ARCH_X64], - 'Type' => :linux_dropper + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Type' => :linux_dropper ] ], 'DefaultTarget' => 0 diff --git a/modules/exploits/unix/fileformat/imagemagick_delegate.rb b/modules/exploits/unix/fileformat/imagemagick_delegate.rb index 735b899458..f1319594e6 100644 --- a/modules/exploits/unix/fileformat/imagemagick_delegate.rb +++ b/modules/exploits/unix/fileformat/imagemagick_delegate.rb @@ -47,8 +47,7 @@ class MetasploitModule < Msf::Exploit %w{URL https://seclists.org/oss-sec/2016/q3/682}, %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab}, %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}, - %w{URL http://permalink.gmane.org/gmane.comp.security.oss.general/19669}, - %w{AKA ImageTragick} + %w{URL http://permalink.gmane.org/gmane.comp.security.oss.general/19669} ], 'DisclosureDate' => 'May 3 2016', 'License' => MSF_LICENSE, @@ -63,7 +62,8 @@ class MetasploitModule < Msf::Exploit ['MVG file', template: 'msf.mvg'], # convert msf.svg msf.mvg ['PS file', template: 'msf.ps'] # PoC from taviso ], - 'DefaultTarget' => 0 + 'DefaultTarget' => 0, + 'Notes' => {'AKA' => ['ImageTragick']} )) register_options([ 
diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index 7aa30b2488..aa5dd2461a 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -34,7 +34,7 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'], ['URL', 'https://github.com/a2u/CVE-2018-7600'], ['URL', 'https://github.com/nixawk/labs/issues/19'], - ['URL', 'https://github.com/FireFart/CVE-2018-7600'], + ['URL', 'https://github.com/FireFart/CVE-2018-7600'] ], 'DisclosureDate' => 'Mar 28 2018', 'License' => MSF_LICENSE, 
@@ -47,89 +47,83 @@ class MetasploitModule < Msf::Exploit::Remote # Automatic targets (PHP, cmd/unix, native) # ['Automatic (PHP In-Memory)', - 'Platform' => 'php', - 'Arch' => ARCH_PHP, - 'Type' => :php_memory + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Type' => :php_memory ], ['Automatic (PHP Dropper)', - 'Platform' => 'php', - 'Arch' => ARCH_PHP, - 'Type' => :php_dropper + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Type' => :php_dropper ], ['Automatic (Unix In-Memory)', - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Type' => :unix_memory + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_memory ], ['Automatic (Linux Dropper)', - 'Platform' => 'linux', - 'Arch' => [ARCH_X86, ARCH_X64], - 'Type' => :linux_dropper + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Type' => :linux_dropper ], # # Drupal 7.x targets (PHP, cmd/unix, native) # ['Drupal 7.x (PHP In-Memory)', - 'Platform' => 'php', - 'Arch' => ARCH_PHP, - 'Version' => Gem::Version.new('7'), - 'Type' => :php_memory + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Version' => Gem::Version.new('7'), + 'Type' => :php_memory ], ['Drupal 7.x (PHP Dropper)', - 'Platform' => 'php', - 'Arch' => ARCH_PHP, - 'Version' => Gem::Version.new('7'), - 'Type' => :php_dropper + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Version' => Gem::Version.new('7'), + 'Type' => :php_dropper ], ['Drupal 7.x (Unix In-Memory)', - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Version' => Gem::Version.new('7'), - 'Type' => :unix_memory + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Version' => Gem::Version.new('7'), + 'Type' => :unix_memory ], ['Drupal 7.x (Linux Dropper)', - 'Platform' => 'linux', - 'Arch' => [ARCH_X86, ARCH_X64], - 'Version' => Gem::Version.new('7'), - 'Type' => :linux_dropper + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Version' => Gem::Version.new('7'), + 'Type' => :linux_dropper ], # # Drupal 8.x targets (PHP, cmd/unix, native) # ['Drupal 8.x (PHP In-Memory)', - 
'Platform' => 'php', - 'Arch' => ARCH_PHP, - 'Version' => Gem::Version.new('8'), - 'Type' => :php_memory + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Version' => Gem::Version.new('8'), + 'Type' => :php_memory ], ['Drupal 8.x (PHP Dropper)', - 'Platform' => 'php', - 'Arch' => ARCH_PHP, - 'Version' => Gem::Version.new('8'), - 'Type' => :php_dropper + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Version' => Gem::Version.new('8'), + 'Type' => :php_dropper ], ['Drupal 8.x (Unix In-Memory)', - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Version' => Gem::Version.new('8'), - 'Type' => :unix_memory + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Version' => Gem::Version.new('8'), + 'Type' => :unix_memory ], ['Drupal 8.x (Linux Dropper)', - 'Platform' => 'linux', - 'Arch' => [ARCH_X86, ARCH_X64], - 'Version' => Gem::Version.new('8'), - 'Type' => :linux_dropper + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Version' => Gem::Version.new('8'), + 'Type' => :linux_dropper ] ], 'DefaultTarget' => 0, # Automatic (PHP In-Memory) 'DefaultOptions' => {'WfsDelay' => 2}, - 'Notes' => - { - 'AKA' => [ - 'SA-CORE-2018-002', - 'Drupalgeddon 2' - ] - } + 'Notes' => {'AKA' => ['SA-CORE-2018-002', 'Drupalgeddon 2']} )) register_options([ diff --git a/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py b/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py index c4bd48cbb9..a008d88346 100755 --- a/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py +++ b/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py @@ -94,7 +94,7 @@ metadata = { 'SMBPass': {'type': 'string', 'description': '(Optional) The password for the specified username', 'required': False, 'default': ''} }, 'notes': { - 'AKA': ['ETERNALBLUE'] + 'AKA': ['ETERNALBLUE'] } }
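Review bot: In the rewritten `'Notes'` line at the end of the second drupal_drupalgeddon2.rb hunk, the `'AKA'` array mixes a vendor advisory identifier (`SA-CORE-2018-002`) with a nickname (`Drupalgeddon 2`). The other modules touched by this commit use `'AKA'` only for nicknames (`Shellshock`, `ImageTragick`, `ETERNALBLUE`). Since the line is being rewritten anyway, consider `'Notes' => {'AKA' => ['Drupalgeddon 2']}` and carrying the advisory as a reference entry such as `['URL', 'https://www.drupal.org/sa-core-2018-002']`, unless it is already listed. The `'References'` array starts above the first hunk, so that cannot be confirmed from here. Defenders who map modules to advisories by ID would then find this one through its references rather than through an alias field.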