Update modules with RelatedModules and realign

master
William Vu 2019-04-24 11:34:42 -05:00
parent 0ad5dca9fa
commit 94994aa519
3 changed files with 58 additions and 55 deletions


@ -16,49 +16,52 @@ class MetasploitModule < Msf::Exploit
def initialize(info = {})
super(update_info(info,
'Name' => 'Ghostscript Failed Restore Command Execution',
'Description' => %q{
'Name' => 'Ghostscript Failed Restore Command Execution',
'Description' => %q{
This module exploits a -dSAFER bypass in Ghostscript to execute
arbitrary commands by handling a failed restore (grestore) in
PostScript to disable LockSafetyParams and avoid invalidaccess.
This vulnerability is reachable via libraries such as ImageMagick.
},
'Author' => [
'Author' => [
'Tavis Ormandy', # Vuln discovery and exploit
'wvu' # Metasploit module
],
'References' => [
'References' => [
['CVE', '2018-16509'],
['URL', 'https://seclists.org/oss-sec/2018/q3/142'],
['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1640']
],
'DisclosureDate' => '2018-08-21',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux', 'win'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
'DisclosureDate' => '2018-08-21',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux', 'win'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
['Unix (In-Memory)',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'Payload' => {'Space' => 4089, 'DisableNops' => true} # 4096 total
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'Payload' => {
'Space' => 4089, # 4096 total
'DisableNops' => true
}
],
['PowerShell (In-Memory)',
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_memory
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_memory
],
['Linux (Dropper)',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper
]
],
'DefaultTarget' => 0,
'Notes' => {
'RELATED' => [
'DefaultTarget' => 0,
'Notes' => {
'RelatedModules' => [
'exploit/unix/fileformat/ghostscript_type_confusion',
'exploit/unix/fileformat/imagemagick_delegate'
]
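Review bot: The `'RelatedModules'` entries under `'Notes'` are plain path strings, and nothing visible in this hunk checks that they resolve to a real module, so a typo or a later module move would leave a dead cross-reference without any error. The same applies to the `'RelatedModules'` lists in the other two file sections of this commit, and the three lists mix `exploit/unix/fileformat/` and `exploit/multi/fileformat/` prefixes, which is easy to get wrong by hand. If the framework's lint tooling does not already validate this key, a check that each entry names a loadable module would catch such drift. It is also worth confirming that nothing still reads the old `'RELATED'` key, since only module files appear in this commit. The `initialize` body continues outside the hunk.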


@ -10,39 +10,39 @@ class MetasploitModule < Msf::Exploit
def initialize(info = {})
super(update_info(info,
'Name' => 'Ghostscript Type Confusion Arbitrary Command Execution',
'Description' => %q{
'Name' => 'Ghostscript Type Confusion Arbitrary Command Execution',
'Description' => %q{
This module exploits a type confusion vulnerability in Ghostscript that can
be exploited to obtain arbitrary command execution. This vulnerability affects
Ghostscript versions 9.21 and earlier and can be exploited through libraries
such as ImageMagick and Pillow.
},
'Author' => [
'Author' => [
'Atlassian Security Team', # Vulnerability discovery
'hdm' # Metasploit module
],
'References' => [
'References' => [
%w{CVE 2017-8291},
%w{URL https://bugs.ghostscript.com/show_bug.cgi?id=697808},
%w{URL https://seclists.org/oss-sec/2017/q2/148},
%w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d},
%w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3}
],
'DisclosureDate' => 'Apr 27 2017',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c)(" # ", ', \, (, and )
'DisclosureDate' => 'Apr 27 2017',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c)(" # ", ', \, (, and )
},
'Targets' => [
'Targets' => [
['EPS file', template: 'msf.eps']
],
'DefaultTarget' => 0,
'Notes' => {
'AKA' => ['ghostbutt'],
'RELATED' => [
'DefaultTarget' => 0,
'Notes' => {
'AKA' => ['ghostbutt'],
'RelatedModules' => [
'exploit/multi/fileformat/ghostscript_failed_restore',
'exploit/unix/fileformat/imagemagick_delegate'
]
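Review bot: `'DisclosureDate' => 'Apr 27 2017'` keeps a free-form date while the other two modules touched by this commit use ISO 8601 (`'2018-08-21'` and `'2016-05-03'`). Since the commit is already normalising this metadata block, the line should read `'DisclosureDate' => '2017-04-27',`. A single date format keeps the field sortable and easier to match against advisory data when tracking CVE-2017-8291 exposure. The `initialize` body starts and ends outside the hunk.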


@ -10,8 +10,8 @@ class MetasploitModule < Msf::Exploit
def initialize(info = {})
super(update_info(info,
'Name' => 'ImageMagick Delegate Arbitrary Command Execution',
'Description' => %q{
'Name' => 'ImageMagick Delegate Arbitrary Command Execution',
'Description' => %q{
This module exploits a shell command injection in the way "delegates"
(commands for converting files) are processed in ImageMagick versions
<= 7.0.1-0 and <= 6.9.3-9 (legacy).
@ -28,14 +28,14 @@ class MetasploitModule < Msf::Exploit
If USE_POPEN is set to true, a |-prefixed command will be used for the
exploit. No delegates are involved in this exploitation.
},
'Author' => [
'Author' => [
'stewie', # Vulnerability discovery
'Nikolay Ermishkin', # Vulnerability discovery
'Tavis Ormandy', # Vulnerability discovery
'wvu', # Metasploit module
'hdm' # Metasploit module
],
'References' => [
'References' => [
%w{CVE 2016-3714},
%w{CVE 2016-7976},
%w{URL https://imagetragick.com/},
@ -45,23 +45,23 @@ class MetasploitModule < Msf::Exploit
%w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456},
%w{URL http://permalink.gmane.org/gmane.comp.security.oss.general/19669}
],
'DisclosureDate' => '2016-05-03',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c" # ", ', and \
'DisclosureDate' => '2016-05-03',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c" # ", ', and \
},
'Targets' => [
'Targets' => [
['SVG file', template: 'msf.svg'], # convert msf.png msf.svg
['MVG file', template: 'msf.mvg'], # convert msf.svg msf.mvg
['PS file', template: 'msf.ps'] # PoC from taviso
],
'DefaultTarget' => 0,
'Notes' => {
'AKA' => ['ImageTragick'],
'RELATED' => [
'DefaultTarget' => 0,
'Notes' => {
'AKA' => ['ImageTragick'],
'RelatedModules' => [
'exploit/unix/fileformat/ghostscript_type_confusion',
'exploit/multi/fileformat/ghostscript_failed_restore'
]