Land #11769, make sure Notes fields show up in `info`

master
Brent Cook 2019-04-24 13:01:07 -05:00
commit 470255cb2b
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
6 changed files with 109 additions and 79 deletions


@ -286,8 +286,8 @@ class ReadableText
# References
output << dump_references(mod, indent)
# AKA
output << dump_aka(mod, indent)
# Notes
output << dump_notes(mod, indent)
return output
@ -341,8 +341,8 @@ class ReadableText
# References
output << dump_references(mod, indent)
# AKA
output << dump_aka(mod, indent)
# Notes
output << dump_notes(mod, indent)
return output
end
@ -401,8 +401,8 @@ class ReadableText
# References
output << dump_references(mod, indent)
# AKA
output << dump_aka(mod, indent)
# Notes
output << dump_notes(mod, indent)
return output
end
@ -668,19 +668,42 @@ class ReadableText
output
end
# Dumps the aka names associated with the supplied module.
# Dumps the notes associated with the supplied module.
#
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_aka(mod, indent = '')
def self.dump_notes(mod, indent = '')
output = ''
if mod.notes['AKA'].present?
output << "AKA:\n"
mod.notes.each do |name, val|
next unless val.present?
mod.notes['AKA'].each do |aka_name|
output << indent + aka_name + "\n"
case name
when 'AKA'
output << "Also known as:\n"
val.each { |aka| output << "#{indent}#{aka}\n" }
when 'NOCVE'
output << "CVE not available:\n" \
"#{indent}#{val}\n"
when 'RelatedModules'
output << "Related modules:\n"
val.each { |related| output << "#{indent}#{related}\n" }
when 'Stability', 'SideEffects', 'Reliability'
# Handled by dump_traits
next
else
output << "#{name}:\n"
case val
when Array
val.each { |v| output << "#{indent}#{v}\n" }
when Hash
val.each { |k, v| output << "#{indent}#{k}: #{v}\n" }
else
# Display the raw note
output << "#{indent}#{val}\n"
end
end
output << "\n"
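Review bot: The `AKA` and `RelatedModules` branches call `val.each` directly, so a module that supplies a bare string for either key (`'AKA' => 'ghostbutt'`) raises NoMethodError and breaks `info` for that module, whereas the generic `else` branch below tolerates a scalar through its `case val`. Coercing with `Array(val)` keeps existing arrays working and makes the specific branches as forgiving as the fallback: `Array(val).each { |aka| output << "#{indent}#{aka}\n" }` and `Array(val).each { |related| output << "#{indent}#{related}\n" }`. Because the `else` branch now prints any unrecognised key verbatim, a misspelled trait key such as `Reliablity` (fixed in two modules in this very commit) would surface as a raw `Reliablity:` section instead of being handled by `dump_traits`, so a module spec restricting `Notes` keys to the known set would be a useful companion to this change. If anything outside this file still calls `dump_aka`, the rename removes it without an alias. The `each` block and `dump_notes` itself close past the end of the hunk.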


@ -59,10 +59,10 @@ class MetasploitModule < Msf::Exploit::Remote
],
'DefaultTarget' => 1,
'Notes' => {
'NOCVE' => 'Patched in 2.00.8643 without vendor disclosure',
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK],
'Reliablity' => [REPEATABLE_SESSION],
'NOCVE' => 'Patched in 2.00.8643'
'Reliability' => [REPEATABLE_SESSION]
}
))


@ -16,52 +16,56 @@ class MetasploitModule < Msf::Exploit
def initialize(info = {})
super(update_info(info,
'Name' => 'Ghostscript Failed Restore Command Execution',
'Description' => %q{
'Name' => 'Ghostscript Failed Restore Command Execution',
'Description' => %q{
This module exploits a -dSAFER bypass in Ghostscript to execute
arbitrary commands by handling a failed restore (grestore) in
PostScript to disable LockSafetyParams and avoid invalidaccess.
This vulnerability is reachable via libraries such as ImageMagick,
and this module provides the latest vector for Ghostscript.
For previous Ghostscript vectors, please see the following modules:
exploit/unix/fileformat/ghostscript_type_confusion
exploit/unix/fileformat/imagemagick_delegate
This vulnerability is reachable via libraries such as ImageMagick.
},
'Author' => [
'Author' => [
'Tavis Ormandy', # Vuln discovery and exploit
'wvu' # Metasploit module
],
'References' => [
'References' => [
['CVE', '2018-16509'],
['URL', 'https://seclists.org/oss-sec/2018/q3/142'],
['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1640']
],
'DisclosureDate' => '2018-08-21',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux', 'win'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
'DisclosureDate' => '2018-08-21',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux', 'win'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
['Unix (In-Memory)',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'Payload' => {'Space' => 4089, 'DisableNops' => true} # 4096 total
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'Payload' => {
'Space' => 4089, # 4096 total
'DisableNops' => true
}
],
['PowerShell (In-Memory)',
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_memory
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_memory
],
['Linux (Dropper)',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper
]
],
'DefaultTarget' => 0
'DefaultTarget' => 0,
'Notes' => {
'RelatedModules' => [
'exploit/unix/fileformat/ghostscript_type_confusion',
'exploit/unix/fileformat/imagemagick_delegate'
]
}
))
register_options([
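Review bot: The `RelatedModules` entries at the end of the hunk are free-form strings that nothing resolves against the framework's module set, so a later rename of `ghostscript_type_confusion` or `imagemagick_delegate` would leave a dangling reference in `info` with no failure anywhere; the same text previously lived only in the description, where staleness was equally silent, so this is a pre-existing gap the new structured field makes checkable. A module spec asserting that each `RelatedModules` entry resolves to a loadable module would catch this; failing that, a comment such as `# Full module paths; keep in sync if the related modules move` above the array at least flags the coupling. The `initialize` method continues past the hunk.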


@ -10,41 +10,42 @@ class MetasploitModule < Msf::Exploit
def initialize(info = {})
super(update_info(info,
'Name' => 'Ghostscript Type Confusion Arbitrary Command Execution',
'Description' => %q{
'Name' => 'Ghostscript Type Confusion Arbitrary Command Execution',
'Description' => %q{
This module exploits a type confusion vulnerability in Ghostscript that can
be exploited to obtain arbitrary command execution. This vulnerability affects
Ghostscript versions 9.21 and earlier and can be exploited through libraries
such as ImageMagick and Pillow.
For more recent Ghostscript vectors, please see the following modules:
exploit/multi/fileformat/ghostscript_failed_restore
},
'Author' => [
'Author' => [
'Atlassian Security Team', # Vulnerability discovery
'hdm' # Metasploit module
],
'References' => [
'References' => [
%w{CVE 2017-8291},
%w{URL https://bugs.ghostscript.com/show_bug.cgi?id=697808},
%w{URL https://seclists.org/oss-sec/2017/q2/148},
%w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d},
%w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3}
],
'DisclosureDate' => 'Apr 27 2017',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c)(" # ", ', \, (, and )
'DisclosureDate' => 'Apr 27 2017',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c)(" # ", ', \, (, and )
},
'Targets' => [
'Targets' => [
['EPS file', template: 'msf.eps']
],
'DefaultTarget' => 0,
'Notes' => {
'AKA' => [ 'ghostbutt' ]
'DefaultTarget' => 0,
'Notes' => {
'AKA' => ['ghostbutt'],
'RelatedModules' => [
'exploit/multi/fileformat/ghostscript_failed_restore',
'exploit/unix/fileformat/imagemagick_delegate'
]
}
))
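Review bot: The `DisclosureDate` line is rewritten in this hunk but keeps the legacy `'Apr 27 2017'` form, while the sibling modules touched by the same commit use ISO dates (`'2018-08-21'`, `'2016-05-03'`); since the line is already being re-indented, normalising it to `'DisclosureDate' => '2017-04-27',` would make the three modules consistent. The `%w{CVE 2017-8291}` reference style likewise differs from the `['CVE', '2018-16509']` form used in the failed_restore module, though that is cosmetic. The `initialize` method continues past the hunk.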


@ -10,8 +10,8 @@ class MetasploitModule < Msf::Exploit
def initialize(info = {})
super(update_info(info,
'Name' => 'ImageMagick Delegate Arbitrary Command Execution',
'Description' => %q{
'Name' => 'ImageMagick Delegate Arbitrary Command Execution',
'Description' => %q{
This module exploits a shell command injection in the way "delegates"
(commands for converting files) are processed in ImageMagick versions
<= 7.0.1-0 and <= 6.9.3-9 (legacy).
@ -25,21 +25,17 @@ class MetasploitModule < Msf::Exploit
Ghostscript versions 9.18 and later are affected. This target is
provided as is and will not be updated to track additional vulns.
For more recent Ghostscript vectors, please see the following modules:
exploit/multi/fileformat/ghostscript_failed_restore
exploit/unix/fileformat/ghostscript_type_confusion
If USE_POPEN is set to true, a |-prefixed command will be used for the
exploit. No delegates are involved in this exploitation.
},
'Author' => [
'Author' => [
'stewie', # Vulnerability discovery
'Nikolay Ermishkin', # Vulnerability discovery
'Tavis Ormandy', # Vulnerability discovery
'wvu', # Metasploit module
'hdm' # Metasploit module
],
'References' => [
'References' => [
%w{CVE 2016-3714},
%w{CVE 2016-7976},
%w{URL https://imagetragick.com/},
@ -49,21 +45,27 @@ class MetasploitModule < Msf::Exploit
%w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456},
%w{URL http://permalink.gmane.org/gmane.comp.security.oss.general/19669}
],
'DisclosureDate' => '2016-05-03',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c" # ", ', and \
'DisclosureDate' => '2016-05-03',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c" # ", ', and \
},
'Targets' => [
'Targets' => [
['SVG file', template: 'msf.svg'], # convert msf.png msf.svg
['MVG file', template: 'msf.mvg'], # convert msf.svg msf.mvg
['PS file', template: 'msf.ps'] # PoC from taviso
],
'DefaultTarget' => 0,
'Notes' => {'AKA' => ['ImageTragick']}
'DefaultTarget' => 0,
'Notes' => {
'AKA' => ['ImageTragick'],
'RelatedModules' => [
'exploit/unix/fileformat/ghostscript_type_confusion',
'exploit/multi/fileformat/ghostscript_failed_restore'
]
}
))
register_options([


@ -67,10 +67,10 @@ class MetasploitModule < Msf::Exploit::Remote
],
'DefaultTarget' => 0,
'Notes' => {
'AKA' => ['SA-CORE-2019-003'],
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliablity' => [UNRELIABLE_SESSION], # When using the GET method
'AKA' => ['SA-CORE-2019-003']
'Reliability' => [UNRELIABLE_SESSION] # When using the GET method
}
))